
How To Guide Firmware is out! Get your root on!


snovvman

Senior Member
Jun 6, 2008
1,530
511
The potential workaround, which doesn't seem to be solid, is to sideload the OTA, then immediately enter fastboot, and flash /vbmeta and /boot. Sometimes you'll still end up in Rescue Party, where you can either flash back to stock and try again, or give up and wipe. We are still testing over at the Pixel 5 forum.

Thanks V. I am running this test today:

1) P6P as shipped
2) Setup w/o network so it won't update
3) Download latest OTA image
4) Patch boot and sideload OTA
5) After OTA, boot directly into bootloader
6) Flash verity with flags
7) Flash patched boot
8) Boot
9) See what happens

If this works, it would show that, at least this time, we can sideload an OTA and get perm boot w/o wiping.

///

In another thread, I was going to run some tests w/ P3XL and P4XL but things got busy. Did you still need me to try anything? It seems like pre P4a root is now well understood and the focus is on >P4a. Let me know if you need something.
 

rester555

Senior Member
Oct 27, 2010
365
88
So I tried flashing the factory image and when I get to the part of loading into fastbootd, it says error: failed to boot into userspace fastboot; one or more components might not be bootable... Anyone run into this before?
 
Thanks V. I am running this test today:

1) P6P as shipped
2) Setup w/o network so it won't update
3) Download latest OTA image
4) Patch boot and sideload OTA
5) After OTA, boot directly into bootloader
6) Flash verity with flags
7) Flash patched boot
8) Boot
9) See what happens

If this works, it would show that, at least this time, we can sideload an OTA and get perm boot w/o wiping.

///

In another thread, I was going to run some tests w/ P3XL and P4XL but things got busy. Did you still need me to try anything? It seems like pre P4a root is now well understood and the focus is on >P4a. Let me know if you need something.
No - after OTA, you want to go directly into FASTBOOT. Not bootloader. When the OTA finishes it will dump you in the recovery menu. Select "Enter Fastboot" and flash /vbmeta and /boot from there.
 
I plan to flash the full 0.15 to go back to it, then root 0.15, and see if I can OTA that way and update root with magisk.
I'm also using a fork of magisk by vvb2060 which reportedly has MagiskDenyList which passes safetynet.. we'll see how this turns out later on.
If it works, please post it!
 

snovvman

Senior Member
Jun 6, 2008
1,530
511
No - after OTA, you want to go directly into FASTBOOT. Not bootloader. When the OTA finishes it will dump you in the recovery menu. Select "Enter Fastboot" and flash /vbmeta and /boot from there.

Thanks for that. I'm seeing that Magisk 23001 does not work to patch the P6P boot. I thought that I read in another thread that I need to go to 23010. I'll first figure out how to pass safetynet with 23010 on my P4XL before coming back to the P6P test.
 

THEbigSWEEN

Senior Member
Mar 5, 2012
679
378
Just got mine today and getting it unlocked and rooted. Wanted to also confirm that when taking the OTA before flashing vbmeta and patched boot that I had to factory reset before it would boot. So far it does seem that root is working as intended, which I'm stoked about because I thought I wouldn't have root the day I got this bad boy. Thanks to everyone for their trial and error, because coming from a 2 XL it would've taken me WAY longer to try and figure this all out, if at all.
 
Thanks for that. I'm seeing that Magisk 23001 does not work to patch the P6P boot. I thought that I read in another thread that I need to go to 23010. I'll first figure out how to pass safetynet with 23010 on my P4XL before coming back to the P6P test.
It should, it was working for me on the P5.
 
So something screwed up in my windows environment when I flashed. I got the factory image to flash. ugh, I should have never updated to W11
Yeah, I'll be staying with Windows 10. I didn't upgrade from 7 Ultimate until I discovered Enterprise LTSC.
 

rester555

Senior Member
Oct 27, 2010
365
88
@V0latyle I ended up flashing the factory image. Then I patched in latest canary magisk the boot.img. Then I went into fastboot bootloader. where I flashed the disable verity and verification where I used --slot=all. I then immediately flashed the patched magisk image. It failed to boot and went into recovery. I ended up having to factory wipe and now I am setting up the phone again... This process still seems finicky when having to patch the magisk boot.img.

EDIT: I have the P6 Pro sorta sunny 128gb. Windows 11 environment. usb a to c cable. latest platform tools 31.0.3. using canary magisk 23010.
 
So is the newest Magisk canary not possible to pass SafetyNet with until they update the module?
You can, it's just a bit more complicated because you have to use an older version of Universal SafetyNet Fix (2.0.0 if I remember correctly) as Riru doesn't work with Zygisk; you also have to use MagiskHide Props Config.

Personally I found it easier to just use 23001.
 
@V0latyle I ended up flashing the factory image. Then I patched in latest canary magisk the boot.img. Then I went into fastboot bootloader. where I flashed the disable verity and verification where I used --slot=all. I then immediately flashed the patched magisk image. It failed to boot and went into recovery. I ended up having to factory wipe and now I am setting up the phone again... This process still seems finicky when having to patch the magisk boot.img.

EDIT: I have the P6 Pro sorta sunny 128gb. Windows 11 environment. usb a to c cable. latest platform tools 31.0.3. using canary magisk 23010.
If it makes you feel better, I just did a full factory reflash with wipe too. Couldn't get root working after using the OTA sideload method, although that may have just been me being a dumbass
 

Pekempy

Senior Member
Aug 22, 2011
654
285
UK
Google Pixel 6 Pro
I plan to flash the full 0.15 to go back to it, then root 0.15, and see if I can OTA that way and update root with magisk.
I'm also using a fork of magisk by vvb2060 which reportedly has MagiskDenyList which passes safetynet.. we'll see how this turns out later on.

Update:
Unfortunately didn't work, I have root working with this version but no Safetynet (both flags failing).
I've got one last hail mary to try though...

Edit: Not looking good :( Still can't pass SafetyNet

Update2:
Basic Integrity passing now, but CTS failing

Screenshot (28 Oct 2021 23 45 14).png


Basic integrity seems to disappear after a reboot :/ strange
Final edit for the night, yup Basic integrity I can't get back now it's started failing again damn.
 

Pekempy

Senior Member
Aug 22, 2011
654
285
UK
Google Pixel 6 Pro
Just found out John works for Google now. Wonder how the development of Magisk will go, seems some conflict of interest between Google and Magisk.
This is why MagiskHide is dead, because it's a conflict of interest working on the security team and developing a bypass to that security.. but I think MagiskDenyList is the hope, when we can pass safetynet.

I have magisk deny list working, but just SafetyNet won't pass
 

Top Liked Posts

  • 2
    This is a question for the OP. I have a new in box pixel 6 pro. Should I put my sim card in and set it up with Google, etc before I follow your procedure, or can I just straight up update and root it as is, in its virgin state with no sim card?

    Hopefully I have my posting skills adjusted correctly.
    Update and root as is without a SIM card. You can do either way, but might as well since you're starting fresh already.
    1
    @GivIn2It you don't need to quote the entire OP. Did you have a question?
  • 5
    Thanks. I guess I will have to make sure that the original boot image is on my device?
    Until the slot detection fix lands (likely canary 23014), the uninstall function will only work if you are on slot A. The uninstaller restores the stock boot image then runs the following command to delete its files:

    rm -rf \
      /cache/*magisk* /cache/unblock /data/*magisk* /data/cache/*magisk* /data/property/*magisk* \
      /data/Magisk.apk /data/busybox /data/custom_ramdisk_patch.sh /data/adb/*magisk* \
      /data/adb/post-fs-data.d /data/adb/service.d /data/adb/modules* \
      /data/unencrypted/magisk /metadata/magisk /persist/magisk /mnt/vendor/persist/magisk

    If the uninstaller doesn't work for you, you can delete the files manually, then flash the stock boot image from fastboot.

    Also, if Magisk didn't backup the original boot image, and you want to add it manually, it expects it to be at /data/magisk_backup_$sha1/boot.img.gz, where $sha1 is the SHA1 of the boot image. You can get the SHA1 with sha1sum and can make it a .img.gz file with gzip.

    Edit: I hadn't planned to release it for a few days, but here's a tool I made to help take delta OTAs from System Update, but it will let you pick the stock boot image from somewhere on your phone and place it in Magisk's backup location. It will run a few checks, like verifying its SHA1 matches the one saved by Magisk. Note that this is the first alpha release, so don't expect it to have robust error handling:
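
The manual backup step described in this post, as an added example (not Magisk's code and not the tool the poster mentions): it refuses anything that does not start with the Android boot image magic `ANDROID!`, writes `magisk_backup_<sha1>/boot.img.gz`, and checks that the gzip round-trips to the same SHA1. The function names, the optional expected-SHA1 argument and the constructed sample file are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Magisk's own code. Paths follow the layout given in the
# post: <data root>/magisk_backup_<sha1>/boot.img.gz

# sha1_of FILE -> hex SHA1 of FILE
sha1_of() { sha1sum "$1" | cut -d' ' -f1; }

# is_boot_image FILE -> true only if FILE starts with "ANDROID!"
# (hex 41 4e 44 52 4f 49 44 21); a bootloader-*.img does not.
is_boot_image() {
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "414e44524f494421" ]
}

# place_backup STOCK_IMG [DATA_ROOT] [EXPECTED_SHA1] -> prints backup path
# EXPECTED_SHA1 is caller-supplied (hypothetical parameter).
place_backup() {
    img=$1; data_root=${2:-/data}; want=${3:-}
    if ! is_boot_image "$img"; then
        echo "refusing: $img is not an Android boot image" >&2; return 1
    fi
    sha1=$(sha1_of "$img")
    if [ -n "$want" ] && [ "$want" != "$sha1" ]; then
        echo "refusing: SHA1 $sha1 does not match expected $want" >&2; return 1
    fi
    dir="$data_root/magisk_backup_$sha1"
    mkdir -p "$dir" && gzip -c "$img" > "$dir/boot.img.gz" || return 1
    # Decompress again and compare, so a truncated write is caught here.
    back=$(gzip -dc "$dir/boot.img.gz" | sha1sum | cut -d' ' -f1)
    [ "$back" = "$sha1" ] || { echo "backup does not round-trip" >&2; return 1; }
    echo "$dir/boot.img.gz"
}

# Constructed sample input in a temp dir; nothing under /data is touched.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'ANDROID!constructed sample, not a real image' > "$tmp/boot.img"
    place_backup "$tmp/boot.img" "$tmp/data"
    rm -rf "$tmp"
}
demo
```

On a device the second argument would be left at its default of `/data`, which needs a root shell.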
    5
    Mod Edit: Quote removed since post removed. Part of message relating to quote also removed.

    Remember that most of us are here on our free time - we all have jobs and other responsibilities, and most of us get absolutely nothing for all we do for the Android community. None of us -have- to spend our time and energy on this; we don't exist to support you or anyone else, and you are entitled to none of our work.

    Either learn some patience, or show some real support for someone who has done so much for our community. It's the least you could do.
    5
    I think you made the same mistake as me, you extracted the factory image archive, and tried to patch the resulting bootloader-raven-slider-XXXXX.img directly thinking it was the file to patch as it began by "boot" and had the ".img" extension.
    If that's the case, from the factory archive extraction you have to then extract the image-raven-XXXXXXX.zip archive, containing the final "boot.img" file to patch.

    @V0latyle you may want to develop a little bit this part in the OT tutorial, as we might not be the only ones making this mistake ;)
    In all fairness, this is exactly what my instructions are:
    1. Download the factory image. Extract it, then extract the raven-image.zip inside it
    2. Copy boot.img to your phone. Patch with Magisk, then copy patched image back to PC.

    I'm not really trying to make something idiot proof, there's a certain point where limited knowledge and experience is a good reason to NOT try something. If you're unlocking your phone and messing with software, you SHOULD know what you're doing, and at the very least how to fix it if something goes wrong. This forum is not official support, no one here bears any liability whatsoever, and I don't want to give inexperienced and unfamiliar people the impression they can do something that's way outside of their realm of understanding - just like I wouldn't tell someone how to service their brakes if they don't know the difference between a jack and a jackstand.

    I guess what I'm saying is, if you mistake the bootloader image for the boot image, you probably shouldn't be doing any modifications to your device.
    4
    Legend! Thanks, that worked. @V0latyle can you add that to your instructions please.

    Now on to flashing Kirisakura kernel again!
    Yeah, bootloader has to be rebooted for the update to "see" the new bootloader version. I'll update it now.
    4
    I already clicked OK on that popup like 5 times. It still pops up the next time I start the app after the reboot!?
    I'll bet you are on slot B. There is currently a bug in slot detection in Magisk on Pixel 6. A solution has been accepted, but it won't be available until 23014. In the meantime, you'll have to fastboot flash boot_b.

    Could I open a CMD terminal within platform tools, copy and paste the delete code, and then flash the stock boot image?
    Be careful with the syntax with rm -rf, if you aren't familiar with its usage. You can do some damage to your data if you mess around with it. But to answer your question, yes, there's no reason you couldn't perform the same steps manually. If you're trying to go back to stock and lock your bootloader, you'll have to flash stock vbmeta, as well. At that point, you would have to wipe your data to root again, later.
  • 44
    On Android 12, boot verification must be disabled in order to run a patched boot image. Unfortunately, if you have never disabled it before, it will require you to wipe data. To be clear:
    ***************************************************

    PERMANENT ROOT CURRENTLY REQUIRES A DATA WIPE.
    ***************************************************
    However, if you don't want to lose your data, you can "live boot" the patched image as long as /vbmeta and /boot are stock. This will allow you to use temporary root. DO NOT attempt to Direct Install Magisk to the boot image.

    For subsequent updates, it is imperative that you do not allow the device to boot into system before you have disabled Verified Boot.

    What this means: If you sideload the OTA, IMMEDIATELY reboot to bootloader and reflash /vbmeta with --disable-verity and --disable-verification. If you dirty flash the factory image, make sure you add these two switches to the command.

    If you fail to do this, and allow the device to boot into system, you WILL have to wipe data to disable it again.
    IF YOU ARE ROOTED, DO NOT USE AUTOMATIC UPDATES AS THIS WILL REFLASH /VBMETA WITHOUT DISABLING BOOT VERIFICATION!



    Factory Images

    OTA Images

    Latest Magisk Canary

    1. On your device, enable Developer Options (tap build number 8 times), and enable the OEM Unlocking toggle.
    2. Reboot to bootloader:
      Code:
      adb reboot bootloader
    3. Unlock bootloader:
      Code:
      fastboot flashing unlock
    4. Download the latest factory image and extract it. Inside, you will find the bootloader image, the radio image, and the image-device-buildnumber.zip. Extract boot.img and vbmeta.img from this zip.
    5. Flash vbmeta:
      Code:
      fastboot flash vbmeta --disable-verity --disable-verification <drag and drop vbmeta.img>
    6. Allow the device to boot into Android. Once you have Magisk installed, copy the boot.img and patch it in Magisk, then copy it back to your PC.
    7. Reboot to bootloader.
    8. Flash patched boot image:
      Code:
      fastboot flash boot <drag and drop magisk_patched-23xxx_xxxxx.img>
    9. Reboot into system.

    1. Download the latest factory image and extract it. Inside, you will find the bootloader image, the radio image, and the image-device-buildnumber.zip. Extract boot.img from this zip.
    2. Reboot to bootloader.
    3. Update bootloader and radio if they are out of date. BE CAREFUL, A MISTAKE CAN BRICK YOUR DEVICE! If you update the bootloader, remember to reboot back to bootloader so that the update reads the correct bootloader version.
    4. Update system:
      Code:
      fastboot update --disable-verity --disable-verification <drag and drop image-device-buildnumber.zip here>
      Note: If you get an error for bootloader/radio version, this means you need to update bootloader and/or radio; go back to step 3.
    5. Allow the device to boot into Android. Copy the boot.img and patch it in Magisk, then copy it back to your PC.
    6. Reboot to bootloader.
    7. Flash patched boot image:
      Code:
      fastboot flash boot <drag and drop magisk_patched-23xxx_xxxxx.img>
    8. Reboot into system.

    I personally do not recommend updating via OTA Sideload, as you would have to download and extract the factory zip anyway. AUTOMATIC OTA WILL LOSE ROOT AND REQUIRE A WIPE TO ROOT AGAIN.
    1. Sideload the OTA. When complete, IMMEDIATELY reboot to bootloader.
    2. Reflash vbmeta:
      Code:
      fastboot flash vbmeta --disable-verity --disable-verification <vbmeta.img>
    3. Boot to system and allow the update to complete.
    4. Patch and flash the boot image.

    Note: If you run into a bootloader message
    failed to load/verify boot images
    this means you forgot to disable verity and verification. Reflash vbmeta with the --disable options.

    If you run into this recovery message
    1636658711744.png

    This means that verity and verification were not disabled before, and a wipe is required to proceed.
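
What the two `--disable` switches change in /vbmeta, as an added example that is not part of the original post: in the AVB vbmeta header the flags field is a big-endian 32-bit value at byte offset 120, where bit 0 disables dm-verity (hashtree) and bit 1 disables verification. The helper names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the flags field from a vbmeta image header.

# vbmeta_flags FILE -> prints the flags field as a decimal number
vbmeta_flags() {
    f=$1
    # A vbmeta image starts with the magic "AVB0" (hex 41 56 42 30).
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "41564230" ]; then
        echo "not a vbmeta image: $f" >&2; return 1
    fi
    # Four bytes at offset 120, most significant byte first.
    set -- $(dd if="$f" bs=1 skip=120 count=4 2>/dev/null | od -An -tu1)
    [ $# -eq 4 ] || { echo "truncated header: $f" >&2; return 1; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# vbmeta_state FILE -> "verity=<state> verification=<state>"
vbmeta_state() {
    flags=$(vbmeta_flags "$1") || return 1
    verity=enabled; verification=enabled
    if [ $((flags & 1)) -ne 0 ]; then verity=disabled; fi        # bit 0
    if [ $((flags & 2)) -ne 0 ]; then verification=disabled; fi  # bit 1
    echo "verity=$verity verification=$verification"
}

# make_sample OCTAL_FLAG_BYTE OUTFILE -> constructed 256-byte header that
# holds only the magic and the flags; every other field is zero.
make_sample() {
    { printf 'AVB0'; head -c 116 /dev/zero
      printf "\\000\\000\\000\\$1"; head -c 132 /dev/zero; } > "$2"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample 000 "$tmp/stock.img"
    make_sample 003 "$tmp/disabled.img"
    echo "stock:    $(vbmeta_state "$tmp/stock.img")"
    echo "disabled: $(vbmeta_state "$tmp/disabled.img")"
    rm -rf "$tmp"
}
demo
```

fastboot sets these bits in the copy it sends to the device, so the vbmeta.img extracted from the factory zip still reads as enabled; the check is meaningful on a copy of what is actually on the partition.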
    11
    So, what exactly are then the steps to flash the OTA without losing root and without wiping everything again? :D
    Currently I'm with Magisk Alpha (Safetynet passed) on .015 firmware.
    1. Download both the OTA AND the factory zips.
    2. Extract boot.img and vbmeta.img from the factory zip.
    3. Patch the new boot.img in Magisk and copy it back to your PC.
    4. Reboot into recovery and sideload the OTA
    Code:
    adb reboot sideload
    adb sideload ota.zip
    5. When the update completes, you'll still be in recovery. DO NOT REBOOT. Select "Enter fastboot"
    6. In fastboot, flash vbmeta:
    Code:
    fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
    7. Now flash boot:
    Code:
    fastboot flash boot magisk_patched-23xxx_xxxxx.img
    8. Reboot, you should come into the new update with root.

    Remember: You get ONE CHANCE, and ONE CHANCE ONLY to flash /vbmeta while in fastboot. If you do something wrong, you will either have to wipe data, or go without root.
    7
    015 rooted to 036 no wipe update
    1. Download the factory image.
    2. Copy boot.img to your phone. Patch with Magisk.
    3. Edit Flash-all.bat
      remove -w and add --disable
      fastboot update --disable-verity --disable-verification image-raven-sd1a.210817.036.zip
    4. Run Flash-all.bat
    5. Boot (don't flash) patched image
      fastboot boot magisk_patched-xxxxx.img
    6. Launch Magisk and tap Install, then Direct Install.