[GUIDE] Re-locking the bootloader on the OnePlus 8t with a self-signed build of LOS 18.1


antonyjr

Member
Jan 16, 2022
33
6
@WhitbyGreg, did you hear somewhere on the internet whether there is any way to replace recovery or bootloader partitions, bypassing Android signature checks, using some Qualcomm-specific flash tool?
How do you evaluate the possibility that the manufacturer could leave some backdoor to do signature bypass using some private tool?
You can't. The manufacturer already has a lot of backdoors in the firmware and binary blobs, which are used even in LineageOS. So LineageOS only protects you to some extent, but the firmware by OnePlus definitely spies on you.

There are even specific attacks by the government to gain full access to your phone through the SIM. And every Android device allows this.

The only way you could truly attain freedom is to use something like the Librem 5 or PinePhone, which are not great as daily drivers and are overpriced for the hardware they provide.
 

antonyjr

Member
Jan 16, 2022
33
6
I believe the scope of this guide is to protect others from tampering with your custom os. Like installing a keylogger through the TWRP or Lineage recovery.
 

WhitbyGreg

Senior Member
Jul 23, 2009
114
66
Samsung Galaxy Tab S2
OnePlus 5T
@WhitbyGreg I reverted back to an unlocked bootloader and LineageOS signed builds. The vendor.img along with the locked bootloader is causing Qualcomm crash dumps and my wifi/modem stopped working for some reason. In the 220104 build I had no issues like this. Maybe this is because the vendor.img is modified?

Or something I did wrong. Because I built this with an 8GB RAM laptop xD. I had to do a lot of hacks in Linux to make it past the build. Failed multiple times. Took me 2 days. With an amazing AMD Ryzen 4800H which has 8c/16t but is bottlenecked by the RAM.

Update 1: I freshly installed my build again and locked the bootloader. When the phone boots it shows a unique ID by which I can identify that only my build is booting (for now, I have no enemies who can bypass that ..xD). Everything is working again. I did copy partition and other stuff this time, in which I used my signed vendor image instead of the stock vendor image. I know 'Apply Update' would do this by itself. But still I also flashed vbmeta to both partitions. Also some tweaks to the network settings. The wifi sometimes turns off (due to power saving?) but the IMEI and baseband are not affected and no crashes for now (I'm talking 0 days tested so I can't be sure when the errors will start showing up).

Widevine is L3 but Google Pay and other such apps are working without complaining. Only WhatsApp warned I'm using a custom ROM. I built the GApps and F-Droid (Priv. Extensions) directly into the ROM. So F-Droid works just like the Google Play Store.
Yes, you need to include vendor.img in the vbmeta and sign it appropriately for the bootloader to be locked successfully. "Apply update" won't do this by itself; you have to include the vendor in the OTA file as well as part of your build.

As I recall, older devices like enchilada wipe the Widevine L1 keys on bootloader unlock; newer OnePlus devices don't do this, so I have L1 working on my 8T without issue. I believe you could have backed up the L1 keys before unlocking the bootloader, but now it's too late.

Locking the bootloader isn't a silver bullet; there are apps that will still complain because of the wrong OS name/fingerprint/etc. It's just what we have to live with using a custom ROM.
 

WhitbyGreg

Senior Member
Jul 23, 2009
114
66
Samsung Galaxy Tab S2
OnePlus 5T
@WhitbyGreg, did you hear somewhere on the internet whether there is any way to replace recovery or bootloader partitions, bypassing Android signature checks, using some Qualcomm-specific flash tool?
How do you evaluate the possibility that the manufacturer could leave some backdoor to do signature bypass using some private tool?
For example, booting OnePlus 8T into EDL mode
Yes, EDL mode can bypass everything, it's at a much lower level than Android or the Recovery. That's how the MSM Tool allows you to recover your device back to stock, including locked bootloader.

I've never seen anything other than the MSM Tool, and the protocol itself isn't documented, so it seems like a pretty low probability to be used in an evil maid style attack.

Practically speaking, if it's the manufacturer that you're worried about, they have simpler ways to backdoor you, like through the modem OS or any of the firmware/blob files.
 

hasan4791

Senior Member
Nov 2, 2011
1,801
610
Gurgaon
Yes, you need to include vendor.img in the vbmeta and sign it appropriately for the bootloader to be locked successfully. "Apply update" won't do this by itself; you have to include the vendor in the OTA file as well as part of your build.

As I recall, older devices like enchilada wipe the Widevine L1 keys on bootloader unlock; newer OnePlus devices don't do this, so I have L1 working on my 8T without issue. I believe you could have backed up the L1 keys before unlocking the bootloader, but now it's too late.

Locking the bootloader isn't a silver bullet; there are apps that will still complain because of the wrong OS name/fingerprint/etc. It's just what we have to live with using a custom ROM.

First of all, thank you for this amazing guide. I have a follow-up question regarding L1. Basically, where are the L1 keys stored? If they're stored in any partition, can we not sideload them through adb? If that doesn't work, why not include them in the build package itself? Would it work?
 

WhitbyGreg

Senior Member
Jul 23, 2009
114
66
Samsung Galaxy Tab S2
OnePlus 5T
First of all, thank you for this amazing guide. I have a follow-up question regarding L1. Basically, where are the L1 keys stored? If they're stored in any partition, can we not sideload them through adb? If that doesn't work, why not include them in the build package itself? Would it work?
From my understanding they are stored in a partition; once you unlock the bootloader they are wiped on older OnePlus devices, so you cannot recover them. On newer devices this is not the case and relocking the bootloader restores L1 functionality.

On the 8T, the keys are not wiped, so no need to include them in the build.
 

antonyjr

Member
Jan 16, 2022
33
6
@WhitbyGreg is it safe to distribute the pkmd.bin file (which I assume is the public key)? (i.e.) There is no need to keep pkmd.bin safe, right? We only need to keep the files under .android-certs secure, which have the private key.
 

WhitbyGreg

Senior Member
Jul 23, 2009
114
66
Samsung Galaxy Tab S2
OnePlus 5T
@WhitbyGreg is it safe to distribute the pkmd.bin file (which I assume is the public key)? (i.e.) There is no need to keep pkmd.bin safe, right? We only need to keep the files under .android-certs secure, which have the private key.
Correct, the public key is... well.. public.

Even if you don't distribute it separately, it can be extracted from an OTA file.
 

antonyjr

Member
Jan 16, 2022
33
6
Correct, the public key is... well.. public.

Even if you don't distribute it separately, it can be extracted from an OTA file.
Awesome.

In the reddit discussion on bootloader and in this thread you recommend a user build. I get that nobody can flash unsigned packages from recovery when it's a user build. But it will not prevent someone from factory resetting my phone without any form of authentication, right?

So if we are using a custom ROM like LineageOS we give anyone the power to destroy our data anytime. I think it's not as bad as getting the unencrypted data, but it is still destructive, which could be avoided if we used a stock ROM.

So is there a way to prevent this kind of damage in custom roms?

Imagine this: you leave your OnePlus 8t just for a minute, I can quickly boot into recovery and destroy all your data. It's very likely that you lose data which you did not back up. And it will take a lot of time to recover from that damage.
 

WhitbyGreg

Senior Member
Jul 23, 2009
114
66
Samsung Galaxy Tab S2
OnePlus 5T
Awesome.

In the reddit discussion on bootloader and in this thread you recommend a user build. I get that nobody can flash unsigned packages from recovery when it's a user build. But it will not prevent someone from factory resetting my phone without any form of authentication, right?

So if we are using a custom ROM like LineageOS we give anyone the power to destroy our data anytime. I think it's not as bad as getting the unencrypted data, but it is still destructive, which could be avoided if we used a stock ROM.

So is there a way to prevent this kind of damage in custom roms?

Imagine this: you leave your OnePlus 8t just for a minute, I can quickly boot into recovery and destroy all your data. It's very likely that you lose data which you did not back up. And it will take a lot of time to recover from that damage.
Most stock ROMs let you do this as well (including OnePlus), and you can do it through fastboot anyway, so removing it from recovery doesn't get you anywhere.

Let's face it, there are faster and easier ways for someone to "wipe" your phone if they have physical access to it... aka phone meet hammer.

The point of AVBv2 isn't to avoid data loss, but prevent data exfiltration and tampering.

In your example, while you might lose the data, someone else didn't get it and you definitely know someone tampered with your device.
 

antonyjr

Member
Jan 16, 2022
33
6
Most stock ROMs let you do this as well (including OnePlus), and you can do it through fastboot anyway, so removing it from recovery doesn't get you anywhere.

Let's face it, there are faster and easier ways for someone to "wipe" your phone if they have physical access to it... aka phone meet hammer.

The point of AVBv2 isn't to avoid data loss, but prevent data exfiltration and tampering.

In your example, while you might lose the data, someone else didn't get it and you definitely know someone tampered with your device.

Thank you for the reply. I found a guide online on how to reset the phone with a forgotten password in recovery on the OnePlus stock ROM; stupid me for asking the question.
 

antonyjr

Member
Jan 16, 2022
33
6
Will this work for LineageOS 19 (with Google's GSI ****)? I really hate that, instead of mainlining the Android kernel with the Linux kernel project and standardizing everything, they are keen on moving further away from Linux. But the idea seems interesting though.

But the OnePlus 6 has Linux mainline (v5.16.x??) support thanks to the postmarketOS folks. Sad thing is that there is no mechanism like AVB, but FDE works. So there is some hope. But I think a real Linux OS for modern Android phones is going to be hard. (And not to mention the driver support nightmare.)
 

WhitbyGreg

Senior Member
Jul 23, 2009
114
66
Samsung Galaxy Tab S2
OnePlus 5T
Will this work for LineageOS 19 (with Google's GSI ****)? I really hate that, instead of mainlining the Android kernel with the Linux kernel project and standardizing everything, they are keen on moving further away from Linux. But the idea seems interesting though.

But the OnePlus 6 has Linux mainline (v5.16.x??) support thanks to the postmarketOS folks. Sad thing is that there is no mechanism like AVB, but FDE works. So there is some hope. But I think a real Linux OS for modern Android phones is going to be hard. (And not to mention the driver support nightmare.)
Google is working towards mainlining all of their changes, but it is a long involved process, so it won't happen anytime soon.

I haven't ported the script changes over to LineageOS 19 yet, as that's not officially released, but I will when it is.

As for GSIs, no, as GSIs by definition don't include anything but the system partitions, so you can't build a proper vbmeta image to flash to the phone so that the bootloader can check the critical partitions.

As for using a mainline kernel, yes it should work as AVBv2 is primarily in the bootloader, before the kernel starts up, from my understanding.

If you really want a mainline Linux kernel for your phone right now, you're better off going with a full Linux OS on the phone, but from what I've seen, those aren't really ready for prime time yet. Otherwise wait for Google to finish their work on moving their changes to the mainline kernel.
 

namhoang235

Senior Member
Feb 10, 2018
193
47
hatay - Viet Nam
Nah, this is bone stock 18.1. Lineage doesn't do signed builds so there's occasionally little hiccups on these steps. I think it has to do with recent FCM changes though; in the full context of it, it happens with ota_from_target_packages tripping on FCM VNDK API 30 vs null. I'll post my fix

EDIT: Full stdout if interested
have you fixed this?
 

Top Liked Posts

    What is this tutorial?
    This tutorial will:
    • Create an unofficial build of LineageOS 18.1 suitable for re-locking the bootloader on a OnePlus 8t
    • Take you through the process of re-locking your bootloader after installing the above

    This tutorial will NOT:
    • Remove *all* warning messages during boot (the yellow "Custom OS" message will be present though the orange "Unlocked bootloader" message will not)
    • Allow you to use official builds of LineageOS 18.1 on your device with a re-locked bootloader (more details near the end of the tutorial)
    This tutorial will assume you are working on an Ubuntu 18.04 installation, if you are using Windows or another Linux distro, the commands may be different.

    Supported devices:
    The following devices have been tested and confirmed to work:
    • OnePlus 7 Pro (guacamole)
    • OnePlus 8t (kebab)
    • Pixel 4 (flame)
    Other OnePlus devices that support AVBv2 (OnePlus 6t and newer as well as most Pixel devices) and LineageOS 18.1 (see current support list over on the LineageOS download page) should work as well.

    For simplicity's sake, all further references will only be to the 8t (kebab).

    Pre-requisites:
    • a mid level knowledge of terminal commands and features
    • a supported phone
    • a PC with enough CPU/RAM to build LineageOS 18.1 (recommended 8 cores, 24GB of RAM)
    • a working USB cable
    • fastboot/adb installed and functional
    • LineageOS 18.1 source code downloaded
    • at least one successful build of LineageOS
    • at least one successful signing of your build with your own keys

    Misc. notes:
    • the basics of building/signing LineageOS are outside the scope of this tutorial, refer to the LineageOS Wiki for details on how to complete these tasks
    • you'll be modifying some code in LineageOS, so if you are not comfortable using basic editing utilities as well as patch, do not proceed any further
    • the path to your LineageOS source code is going to be assumed to be ~/android/lineageos, if it is somewhere else, substitute the correct path in the tutorial
    • the path to your private certificate files is going to be assumed to be ~/.android-certs, if it is somewhere else, substitute the correct path in the tutorial


    *** WARNING ****
    This process may brick your device. Do not proceed unless you are comfortable taking this risk.


    *** WARNING ****
    This process will delete all data on your phone! Do not proceed unless you have backed up your data!


    *** WARNING ****
    Make sure you have read through this entire process at least once before attempting, if you are uncomfortable with any steps included in this guide, do not continue.



    And now on with the show!

    Step 1: Basic setup

    You need a few places to store things, so create some working directories:
    Code:
    mkdir ~/android/kebab
    mkdir ~/android/kebab/patches
    mkdir ~/android/kebab/pkmd
    You also need to add "~/android/lineageos/out/host/linux-x86/bin" to your shell's profile path. Make sure to close and restart your session afterwards otherwise the signing will fail later on with a "file not found" error message (this may no longer be required).

    Step 2: Update kebab's BoardConfig.mk

    You will need to add a few parameters to the end of ~/android/lineageos/device/oneplus/kebab/BoardConfig.mk, they are:

    Code:
    BOARD_AVB_ALGORITHM := SHA256_RSA2048
    BOARD_AVB_KEY_PATH := /home/<userid>/.android-certs/releasekey.key
    Note you cannot use "~" in the path names above to signify your home directory, so give the full absolute path to make sure the files are found.

    Step 3: Update sm8250-common's BoardConfigCommon.mk

    LineageOS by default disables Android Verified Boot's partition verification, but you can enable it now as all the required parts will be in place.

    To enable partition verification do the following:

    Code:
    cd ~/android/lineageos/device/oneplus/sm8250-common
    sed -i 's/^BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2/#BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2/' BoardConfigCommon.mk
    sed -i 's/^BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --set_hashtree_disabled_flag/#BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --set_hashtree_disabled_flag/' BoardConfigCommon.mk
    sed -i 's/^BOARD_AVB_VBMETA_SYSTEM_KEY_PATH := external\/avb\/test\/data\/testkey_rsa2048.pem/BOARD_AVB_KEY_PATH := \/home\/<userid>\/.android-certs\/releasekey.key/' BoardConfigCommon.mk

    Don't forget to replace your <userid> in the third sed command above with your current logged in user id.

    Step 4: Patch the AOSP and Device Makefile

    You also need to patch the Makefile included with AOSP as it will otherwise fail during the build.

    The required patch can be found here:

    Download it and store in ~/android/kebab/patches.

    Now apply it with the following command:

    Code:
    cd ~/android/lineageos/build/core
    patch Makefile ~/android/kebab/patches/core-Makefile-fix-18.1.patch

    If you would like to know more about this patch, see the additional info at the bottom of this post.

    There is also a small addition to the device's common.mk required to enable the OEM unlock option in developers options, do this via the following commands:

    Code:
    cd ~/android/lineageos/device/oneplus/sm8250-common
    sed -i 's/^# OMX/# OEM Unlock reporting\nPRODUCT_DEFAULT_PROPERTY_OVERRIDES += \\\n    ro.oem_unlock_supported=1\n\n# OMX/' common.mk

    Step 5: Build LineageOS

    You are now ready to build:

    Code:
    cd ~/android/lineageos
    # envsetup.sh is what defines breakfast, croot and mka, so source it before calling them
    source build/envsetup.sh
    breakfast kebab
    croot
    mka target-files-package otatools

    Step 6: Sign the APKs

    You are now ready to sign the apks with sign_target_files_apks:

    Code:
    ./build/tools/releasetools/sign_target_files_apks -o -d ~/.android-certs $OUT/obj/PACKAGING/target_files_intermediates/*-target_files-*.zip signed-target_files.zip

    Step 7: Build the OTA

    Now it is time to complete the OTA package:

    Code:
    ./build/tools/releasetools/ota_from_target_files -k ~/.android-certs/releasekey --block signed-target_files.zip lineage-18.1-[date]-UNOFFICIAL-kebab-signed.zip

    Note, replace [date] with today's date in YYYYMMDD format.

    Step 8: Create pkmd.bin for your phone

    Before you can lock your phone, you have to tell it what your public key is so it knows it can trust your build.

    To do this you need to create a pkmd.bin file:

    Code:
    ~/android/lineageos/external/avb/avbtool extract_public_key --key ~/.android-certs/releasekey.key --output ~/android/kebab/pkmd/pkmd.bin

    Step 9: Flashing your LineageOS build

    It's time to flash your build to your phone. The following steps assume you have already unlocked your phone and have flashed an official version of LineageOS to it. You don't need to have flashed LineageOS yet, you could use TWRP through "fastboot boot" if you prefer. Or, if you want to use the recovery that was just created, it is located in ~/android/lineageos/out/target/product/kebab and is called recovery.img.

    • Reboot your phone into recovery mode
    • In LineageOS Recovery return to the main menu and select "Apply update"
    • From your PC, run:
    Code:
    adb sideload ~/android/lineageos/lineage-18.1-[date]-UNOFFICIAL-kebab-signed.zip

    When the sideload is complete, reboot into LineageOS. Make sure everything looks good with your build.

    You may also need to format your data partition at this time depending on what you had installed on your phone previously.

    Step 10: Flashing your signing key

    Now it's time to add your signing key to the Android Verified Boot process. To do so, do the following:

    • Reboot your phone into fastboot mode
    • From your PC, run:
    Code:
    fastboot flash avb_custom_key ~/android/kebab/pkmd/pkmd.bin
    fastboot reboot bootloader
    fastboot oem lock
    • On your phone, confirm you want to re-lock and it will reboot

    Your phone will then factory reset and then reboot into LineageOS.

    Which of course means you have to go through the first time setup wizard, so do so now.

    Step 11: Disable OEM unlock

    Congratulations! Your bootloader is now locked, but you can still unlock it again using fastboot, so it's time to disable that as well.

    • Unlock your phone and go to Settings->About phone
    • Scroll to the bottom and find "Build number"
    • Tap on it to enable the developer options
    • Go to Settings->System->Advanced->Developer options
    • Disable the "OEM unlocking" slider
    • Reboot

    Step 12: Profit!


    Other things

    • The above will build a standard USERDEBUG version of LineageOS, however this will still allow LineageOS Recovery to sideload non-signed files as well as give you root shell access through ADB. Step 3/4 above protects your system/vendor/boot/dtbo/etc. partitions, but none of the others. Likewise USERDEBUG builds will allow for rolling back to previous builds/versions of LineageOS. To increase security and disallow both of these scenarios you may want to build a USER version of LineageOS to install. However this brings in other issues, such as flashing newer firmware from OnePlus, so make sure you understand the implications of both choices. For more details on build types, see https://source.android.com/setup/develop/new-device#build-variants.
    • In the above example the releasekey from your LineageOS install has been used to sign AVB, but AVB supports other key strengths up to SHA512_RSA8192. You could create a key just for signing AVB that used different options than the default keys generated to sign LineageOS.
    • If you want to remove your signing key from your phone, you can do it by running "fastboot erase avb_custom_key".
    • The changes you made to the AOSP Makefile may conflict with future updates that you pull from LineageOS through repo sync, if you have to reset the file to get repo sync to complete successfully, you'll have to reapply the changes afterwards.

    So why can't I do this with official LineageOS builds?

    NEW: You can! See this thread for more details.

    For Android Verified Boot (AVB) to work, it must have the hash values for each of the system/vendor/boot/dtbo/etc. partitions stored in vbmeta. Official LineageOS builds for kebab do include the vendor.img in them along with everything else that is needed, however that is not true for all phones.

    There are two "issues" that stop someone from using the official kebab builds:
    • LineageOS does not provide a pkmd.bin file to flash to your phone to include the public key in your AVB process (NEW: this thread shows you how to extract the key).
    • AVB is enabled in the official LineageOS builds but does not validate the hash trees during boot which limits the protection offered.
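
Both of these issues are visible in the vbmeta.img itself, which is why the Step 3 sed lines and the Step 8 pkmd.bin matter. The following is an added example (my code, not the guide's and not part of avbtool): it parses the vbmeta header, reports whether the "--flags 2" and hashtree-disabled bits are still set, and checks that the public key embedded in vbmeta is byte-for-byte the pkmd.bin you will flash to avb_custom_key. The last function only builds a constructed image so the checks can be exercised offline; run the parser on the vbmeta.img your own build produced.

```python
"""Sanity-check a vbmeta.img against a pkmd.bin before re-locking.

Added example for this thread, not code from the guide or from avbtool.
Layout follows libavb's AvbVBMetaImageHeader / AvbRSAPublicKeyHeader (big
endian); the builder at the end only produces CONSTRUCTED test images.
"""
import struct

VBMETA_HEADER_FMT = "!4s2L2QL2Q2Q2Q2Q2QQLL47sx80x"
VBMETA_HEADER_SIZE = struct.calcsize(VBMETA_HEADER_FMT)   # 256 bytes
FLAG_HASHTREE_DISABLED = 1 << 0      # set by --set_hashtree_disabled_flag
FLAG_VERIFICATION_DISABLED = 1 << 1  # set by "--flags 2"


def encode_rsa_public_key(n: int, num_bits: int) -> bytes:
    """Encode a modulus the way avbtool extract_public_key writes pkmd.bin:
    num_bits, n0inv = -n^-1 mod 2^32, n, then R^2 mod n with R = 2^num_bits."""
    if n % 2 == 0 or n.bit_length() != num_bits or num_bits % 32:
        raise ValueError("modulus must be odd and exactly num_bits long")
    n0inv = (-pow(n, -1, 1 << 32)) % (1 << 32)
    rr = pow(1 << num_bits, 2, n)
    size = num_bits // 8
    return (struct.pack("!II", num_bits, n0inv)
            + n.to_bytes(size, "big") + rr.to_bytes(size, "big"))


def decode_rsa_public_key(blob: bytes) -> tuple:
    """Parse a pkmd.bin-style key; raise if it is truncated or its derived
    fields (n0inv, R^2) do not match the modulus. Returns (num_bits, n)."""
    if len(blob) < 8:
        raise ValueError("key blob too short")
    num_bits, _n0inv = struct.unpack("!II", blob[:8])
    size = num_bits // 8
    if len(blob) != 8 + 2 * size:
        raise ValueError("key blob length does not match num_bits")
    n = int.from_bytes(blob[8:8 + size], "big")
    if encode_rsa_public_key(n, num_bits) != blob:
        raise ValueError("n0inv or R^2 inconsistent with modulus")
    return num_bits, n


def parse_vbmeta(blob: bytes) -> dict:
    """Return the vbmeta header fields that matter for re-locking."""
    if len(blob) < VBMETA_HEADER_SIZE:
        raise ValueError("too short for a vbmeta header")
    f = struct.unpack(VBMETA_HEADER_FMT, blob[:VBMETA_HEADER_SIZE])
    (magic, _maj, _minor, auth_size, aux_size, algorithm, _ho, _hs, _so, _ss,
     pk_off, pk_size, _po, _ps, _do, _ds, rollback, flags, _rl, release) = f
    if magic != b"AVB0":
        raise ValueError("bad vbmeta magic %r" % magic)
    aux_start = VBMETA_HEADER_SIZE + auth_size   # auxiliary block follows auth
    aux = blob[aux_start:aux_start + aux_size]
    if len(aux) != aux_size or pk_off + pk_size > aux_size:
        raise ValueError("auxiliary data block truncated")
    return {
        "algorithm": algorithm,   # 0 = NONE (unsigned), 1 = SHA256_RSA2048, ...
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "rollback_index": rollback,
        "release_string": release.rstrip(b"\0").decode("ascii", "replace"),
        "public_key": aux[pk_off:pk_off + pk_size],
    }


def relock_problems(vbmeta_blob: bytes, pkmd_blob: bytes) -> list:
    """Reasons this vbmeta + pkmd.bin pair would not give full AVB protection
    once avb_custom_key is flashed and the bootloader locked; [] means OK."""
    info = parse_vbmeta(vbmeta_blob)
    problems = []
    if info["verification_disabled"]:
        problems.append("verification disabled flag set (--flags 2 still in effect)")
    if info["hashtree_disabled"]:
        problems.append("hashtree disabled flag set")
    if info["algorithm"] == 0:
        problems.append("vbmeta is unsigned")
    try:
        decode_rsa_public_key(pkmd_blob)
    except ValueError as err:
        problems.append("pkmd.bin is malformed: %s" % err)
    else:
        if info["public_key"] != pkmd_blob:
            problems.append("embedded public key differs from pkmd.bin")
    return problems


def build_constructed_vbmeta(pubkey: bytes, flags: int, algorithm: int = 1) -> bytes:
    """CONSTRUCTED test image: empty authentication block, auxiliary block
    holding only the public key. Exercises the layout; not a real signed vbmeta."""
    aux_size = (len(pubkey) + 63) // 64 * 64
    header = struct.pack(
        VBMETA_HEADER_FMT, b"AVB0", 1, 0, 0, aux_size, algorithm,
        0, 0, 0, 0,               # hash and signature offset/size (unused here)
        0, len(pubkey), 0, 0,     # public key at aux offset 0; no key metadata
        0, 0, 0, flags, 0,        # no descriptors, rollback 0, flags, location 0
        b"constructed-example")
    return header + pubkey.ljust(aux_size, b"\0")
```

Feed it the real files with `relock_problems(open("vbmeta.img","rb").read(), open("pkmd.bin","rb").read())`; an empty list is what you want to see before Step 10.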
    Ok, what messages do I see during the boot process then?

    During a boot you will of course see the standard OnePlus power up screen, followed by the yellow "custom os" message and then the standard LineageOS boot animation.

    For more details on AVB boot messages, see https://source.android.com/security/verifiedboot/boot-flow

    So what does that patch to the Makefile do?

    AOSP's default Makefile makes the assumption that when AVB is enabled, all the img files will be available well before vbmeta.img is created. This is simply NOT true and AOSP seems to know this as well from the following comment in the Makefile:

    Code:
    # Not using INSTALLED_VBMETA_SYSTEMIMAGE_TARGET as it won't be set yet.
    ifdef BOARD_AVB_VBMETA_SYSTEM
    $(eval $(call check-and-set-avb-args,vbmeta_system))
    endif
    
    ifdef BOARD_AVB_VBMETA_VENDOR
    $(eval $(call check-and-set-avb-args,vbmeta_vendor))
    endif

    These two calls eventually evaluate to the path to the partitions based upon the INSTALLED_*IMAGE_TARGET variable, which isn't created until later in the build process.

    Because of this, the command to build vbmeta.img gets corrupted because the make variable is empty, and an invalid command line is passed to avbtool near the end of the build.

    The corruption happens due to the fact that the following line from the original Makefile:

    Code:
    --include_descriptors_from_image $(call images-for-partitions,$(1))))))

    gets added to the avbtool call even if "$(call images-for-partitions,$(1))" turns out to be an empty string. avbtool then throws an error message as it is expecting a parameter after the "--include_descriptors_from_image" flag that is added for the "empty" partition path.

    The fix is to call "$(call images-for-partitions,$(1))" earlier, set it to a variable and check to make sure it isn't an empty string before letting the "--include_descriptors_from_image" be added to the avbtool command line to be used later.

    This technically generates an incomplete vbmeta.img file during the build process, but since the signing process recreates it from scratch anyway, no harm, no foul.

    Also, if you disable OEM unlock, that's pretty secure, but if something goes wrong with your phone, i.e., you can't boot into recovery and system, the only way to restore the phone is flashing with the MSM tool. I had it once on my OnePlus 5. I had a paranoid TWRP, with the Cancel button removed. So, all of a sudden, TWRP refused to recognize my password. So, you can't press cancel to access system to do a factory reset. All right, I thought, I am just going to boot into system and enable OEM unlock. Well, no can do: the phone refused to boot into system and instead booted into TWRP with the password prompt. Bootloader locked, remote flashing is not allowed. The only option: the MSM tool. I set up Windows on my virtual machine, but forget it, the MSM tool couldn't connect to the phone no matter what I tried. So, I had to find an old laptop with Windows and then it worked...
    Correct, once OEM unlocking is disabled, just like with OxygenOS, if something goes horribly wrong, you're using MSM to get back to stock and re-installing.

    I don't use TWRP, and build both LineageOS and Lineage Recovery in user mode. Building recovery in user mode (and only with my certificates) also means you can't "rollback" to an older version of Lineage as it won't flash older zips.

    As I said in my reddit post, most people don't really want to do this. Too much risk, too little reward. But if you're willing to take the risk, you do get as close to a "stock" security footprint as you can without using the OEM's OS.
    2
    What is this tutorial?
    This tutorial will:
    • Creating an unofficial build of LineageOS 18.1 suitable for using to re-lock the bootloader on a OnePlus 8t
    • Take you through the process of re-locking your bootloader after installing the above

    This tutorial will NOT:
    • Remove *all* warning messages during boot (the yellow "Custom OS" message will be present though the orange "Unlocked bootloader" message will not)
    • Allow you to use official builds of LineageOS 18.1 on your device with a re-locked bootloader (more details near the end of the tutorial)
    This tutorial will assume you are working on an Ubuntu 18.04 installation, if you are using Windows or another Linux distro, the commands may be different.

    Supported devices:
    The following devices have been tested and confirmed to work:
    • OnePlus 7 Pro (guacamole)
    • OnePlus 8t (kebab)
    • Pixel 4 (flame)
    Other OnePlus devices that support AVBv2 (OnePlus 6t and newer as well as most Pixel devices) and LineageOS 18.1 (see current support list over on the LineageOS download page) should work as well.

    For simplicities sake, all further references will only be to the 8t (kebab).

    Pre-requisites:
    • a mid level knowledge of terminal commands and features
    • a supported phone
    • a PC with enough CPU/RAM to build LineageOS 18.1 (recommended 8 cores, 24g of RAM)
    • a working USB cable
    • fastboot/adb installed and functional
    • LineageOS 18.1 source code downloaded
    • at least one successful build of LineageOS
    • at least one successful signing of your build with your own keys

    Misc. notes:
    • the basics of building/signing of LineageOS is outside the scope of this tutorial, refer to the LineageOS Wiki for details on how to complete these tasks
    • you'll be modifying some code in LineageOS, so if you are not comfortable using basic editing utilities as well as patch, do not proceed any further
    • the path to your LineageOS source code is going to be assumed to be ~/android/lineageos, if it is somewhere else, substitute the correct path in the tutorial
    • the path to your private certificate files is going to be assumed to be ~/android-certs, if it is somewhere else, substitute the correct path in the tutorial


    *** WARNING ****
    This process may brick your device. Do not proceed unless you are comfortable taking this risk.


    *** WARNING ****
    This process will delete all data on your phone! Do not proceed unless you have backed up your data!


    *** WARNING ****
    Make sure you have read through this entire process at least once before attempting, if you are uncomfortable with any steps include in this guide, do not continue.


    And now on with the show!

    Step 1: Basic setup

    You need a few places to store things, so create some working directories:
    Code:
    mkdir ~/android/kebab
    mkdir ~/android/kebab/patches
    mkdir ~/android/kebab/pkmd
    You also need to add "~/android/lineageos/out/host/linux-x86/bin" to your shell's profile path. Make sure to close and restart your session afterwards otherwise the signing will fail later on with a "file not found" error message (this may no longer be required).

    Step 2: Update kebab's BoardConfig.mk

    You will need to add a few parameters to the end of ~/android/lineageos/device/oneplus/kebab/BoardConfig.mk, they are:

    Code:
    BOARD_AVB_ALGORITHM := SHA256_RSA2048
    BOARD_AVB_KEY_PATH := /home/<userid>/.android-certs/releasekey.key
    Note you cannot use "~" in the path names above to signify your home directory, so give the full absolute path to make sure the files are found.

    Step 3: Update sm8250-common's BoardConfigCommon.mk

    LineageOS by default disables Android Verified Boot's partition verification, but you can enable it now as all the required parts will be in place.

    To enable partition verification do the following:

    Code:
    cd ~/android/lineageos/device/oneplus/sm8250-common
    sed -i 's/^BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2/#BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2/' BoardConfigCommon.mk
    sed -i 's/^BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --set_hashtree_disabled_flag/#BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --set_hashtree_disabled_flag/' BoardConfigCommon.mk
    sed -i 's/^BOARD_AVB_VBMETA_SYSTEM_KEY_PATH := external\/avb\/test\/data\/testkey_rsa2048.pem/BOARD_AVB_KEY_PATH := \/home\/<userid>\/.android-certs\/releasekey.key/' BoardConfigCommon.mk

    Don't forget to replace your <userid> in the third sed command above with your current logged in user id.

    Step 4: Patch the AOSP and Device Makefile

    You also need to patch the Makefile included with AOSP as it will otherwise fail during the build.

    The required patch can be found here:

    Download it and store in ~/android/kebab/patches.

    Now apply it with the following command:

    Code:
    cd ~/android/lineageos/build/core
    patch Makefile ~/android/kebab/patches/core-Makefile-fix-18.1.patch

    If you would like to know more about this patch, see the additional info at the bottom of this post.

    There is also a small addition to the device's common.mk required to enable the OEM unlock option in developers options, do this via the following commands:

    Code:
    cd ~/android/lineageos/device/oneplus/sm8250-common
    sed -i 's/^# OMX/# OEM Unlock reporting\nPRODUCT_DEFAULT_PROPERTY_OVERRIDES += \\\n    ro.oem_unlock_supported=1\n\n# OMX/' common.mk

    Step 5: Build LineageOS

    You are now ready to build:

    Code:
    cd ~/android/lineageos
    # envsetup.sh defines breakfast, croot and mka, so it must be sourced first
    source build/envsetup.sh
    breakfast kebab
    croot
    mka target-files-package otatools

    Step 6: Sign the APKs

    You are now ready to sign the apks with sign_target_files_apks:

    Code:
    ./build/tools/releasetools/sign_target_files_apks -o -d ~/.android-certs $OUT/obj/PACKAGING/target_files_intermediates/*-target_files-*.zip signed-target_files.zip

    Step 7: Build the OTA

    Now it is time to complete the OTA package:

    Code:
    ./build/tools/releasetools/ota_from_target_files -k ~/.android-certs/releasekey --block signed-target_files.zip lineage-18.1-[date]-UNOFFICIAL-kebab-signed.zip

    Note, replace [date] with today's date in YYYYMMDD format.

    Step 8: Create pkmd.bin for your phone

    Before you can lock your phone, you have to tell it what your public key is so it knows it can trust your build.

    To do this you need to create a pkmd.bin file:

    Code:
    ~/android/lineageos/external/avb/avbtool extract_public_key --key ~/.android-certs/releasekey.key --output ~/android/kebab/pkmd/pkmd.bin
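As an added example (not the author's or avbtool's code), here is a Python check of the layout that avbtool's extract_public_key writes to pkmd.bin: a big-endian header of key_num_bits and n0inv, then the modulus n, then rr = r^2 mod n. Running it over the file before Step 10 catches a truncated or internally inconsistent key while the bootloader is still unlocked; the sample modulus is constructed and is not a real key.

```python
import struct
import sys

WORD = 1 << 32  # avbtool precomputes n0inv modulo 2^32


def encode_pkmd(modulus: int) -> bytes:
    """Lay out an RSA public key (exponent 65537 assumed) the way avbtool's
    extract_public_key does: header (key_num_bits, n0inv = -1/n[0] mod 2^32),
    then n, then rr = r^2 mod n with r = 2^key_num_bits. Illustrative
    reimplementation of the layout for testing, not avbtool itself."""
    bits = modulus.bit_length()
    if bits % 8 or modulus % 2 == 0:
        raise ValueError("modulus must be odd with a whole-byte bit length")
    n0inv = WORD - pow(modulus % WORD, -1, WORD)
    rr = pow(1 << bits, 2, modulus)
    size = bits // 8
    return (struct.pack("!II", bits, n0inv)
            + modulus.to_bytes(size, "big") + rr.to_bytes(size, "big"))


def parse_pkmd(blob: bytes) -> tuple:
    """Parse a pkmd.bin and cross-check the precomputed fields against the
    modulus, so a truncated or mismatched file is rejected before it is
    flashed to avb_custom_key. Returns (key_num_bits, modulus)."""
    if len(blob) < 8:
        raise ValueError("shorter than the 8-byte header")
    bits, n0inv = struct.unpack("!II", blob[:8])
    size = bits // 8
    if len(blob) != 8 + 2 * size:
        raise ValueError(f"expected {8 + 2 * size} bytes, got {len(blob)}")
    modulus = int.from_bytes(blob[8:8 + size], "big")
    rr = int.from_bytes(blob[8 + size:], "big")
    if modulus.bit_length() != bits or modulus % 2 == 0:
        raise ValueError("modulus does not match key_num_bits")
    if (n0inv * (modulus % WORD)) % WORD != WORD - 1:
        raise ValueError("n0inv is not -1/n[0] mod 2^32")
    if rr != pow(1 << bits, 2, modulus):
        raise ValueError("rr is not r^2 mod n")
    return bits, modulus


# Constructed sample: an odd 2048-bit number standing in for a real modulus.
SAMPLE_MODULUS = (1 << 2047) | 0x10001

if __name__ == "__main__":
    # Pass the path to your pkmd.bin; with no argument the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else encode_pkmd(SAMPLE_MODULUS)
    bits, n = parse_pkmd(blob)
    print(f"pkmd.bin OK: {bits}-bit key, modulus starts {n:#x}"[:60])
```

To compare against the key you actually signed with, read its modulus with `openssl rsa -in ~/.android-certs/releasekey.key -noout -modulus` (assuming an unencrypted PEM key) and check it equals the modulus parse_pkmd returns.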

    Step 9: Flashing your LineageOS build

    It's time to flash your build to your phone. The following steps assume you have already unlocked your phone and flashed an official version of LineageOS to it. Strictly speaking, you don't need to have flashed LineageOS yet; you could use TWRP through "fastboot boot" if you prefer. Or, if you want to use the recovery that was just created, it is located in ~/android/lineageos/out/target/product/kebab and is called recovery.img.

    • Reboot your phone into recovery mode
    • In LineageOS Recovery return to the main menu and select "Apply update"
    • From your PC, run:
    Code:
    adb sideload ~/android/lineageos/lineage-18.1-[date]-UNOFFICIAL-kebab-signed.zip

    When the sideload is complete, reboot into LineageOS. Make sure everything looks good with your build.

    You may also need to format your data partition at this time depending on what you had installed on your phone previously.

    Step 10: Flashing your signing key

    Now it's time to add your signing key to the Android Verified Boot process. To do so, do the following:

    • Reboot your phone into fastboot mode
    • From your PC, run:
    Code:
    fastboot flash avb_custom_key ~/android/kebab/pkmd/pkmd.bin
    fastboot reboot bootloader
    fastboot oem lock
    • On your phone, confirm you want to re-lock and it will reboot

    Your phone will then factory reset and reboot into LineageOS.

    Which of course means you have to go through the first time setup wizard, so do so now.

    Step 11: Disable OEM unlock

    Congratulations! Your bootloader is now locked, but you can still unlock it again using fastboot, so it's time to disable that as well.

    • Unlock your phone and go to Settings->About phone
    • Scroll to the bottom and find "Build number"
    • Tap on it to enable the developer options
    • Go to Settings->System->Advanced->Developer options
    • Disable the "OEM unlocking" slider
    • Reboot

    Step 12: Profit!


    Other things
    • The above will build a standard USERDEBUG version of LineageOS; however, this will still allow LineageOS Recovery to sideload unsigned files and will give you root shell access through ADB. Steps 3/4 above protect your system/vendor/boot/dtbo/etc. partitions, but none of the others. Likewise, USERDEBUG builds allow rolling back to previous builds/versions of LineageOS. To increase security and disallow both of these scenarios, you may want to build a USER version of LineageOS to install. However, this brings in other issues, such as flashing newer firmware from OnePlus, so make sure you understand the implications of both choices. For more details on build types, see https://source.android.com/setup/develop/new-device#build-variants.
    • In the above example the releasekey from your LineageOS install has been used to sign AVB, but AVB supports other key strengths up to SHA512_RSA8192. You could create a key just for signing AVB that used different options than the default keys generated to sign LineageOS.
    • If you want to remove your signing key from your phone, you can do it by running "fastboot erase avb_custom_key".
    • The changes you made to the AOSP Makefile may conflict with future updates that you pull from LineageOS through repo sync, if you have to reset the file to get repo sync to complete successfully, you'll have to reapply the changes afterwards.

    So why can't I do this with official LineageOS builds?

    NEW: You can! See this thread for more details.

    For Android Verified Boot (AVB) to work, it must have the hash values for each of the system/vendor/boot/dtbo/etc. partitions stored in vbmeta. Official LineageOS builds for kebab do include the vendor.img in them along with everything else that is needed, however that is not true for all phones.

    There are two "issues" that stop someone from using the official kebab builds:
    • LineageOS does not provide a pkmd.bin file to flash to your phone to include the public key in your AVB process (NEW: this thread shows you how to extract the key).
    • AVB is enabled in the official LineageOS builds but does not validate the hash trees during boot which limits the protection offered.

    Ok, what messages do I see during the boot process then?

    During a boot you will of course see the standard OnePlus power up screen, followed by the yellow "custom os" message and then the standard LineageOS boot animation.

    For more details on AVB boot messages, see https://source.android.com/security/verifiedboot/boot-flow

    So what does that patch to the Makefile do?

    AOSP's default Makefile assumes that, when AVB is enabled, all the img files will be available well before vbmeta.img is created. This is simply NOT true, and AOSP seems to know it too, judging by the following comment in the Makefile:

    Code:
    # Not using INSTALLED_VBMETA_SYSTEMIMAGE_TARGET as it won't be set yet.
    ifdef BOARD_AVB_VBMETA_SYSTEM
    $(eval $(call check-and-set-avb-args,vbmeta_system))
    endif
    
    ifdef BOARD_AVB_VBMETA_VENDOR
    $(eval $(call check-and-set-avb-args,vbmeta_vendor))
    endif

    These two calls eventually evaluate to the path of the partition image, based on the INSTALLED_*IMAGE_TARGET variable, which isn't set until later in the build process.

    Because of this, the make variable is still empty when the vbmeta.img command line is assembled, so the command gets corrupted and an invalid command line is passed to avbtool near the end of the build.

    The corruption happens because the following line from the original Makefile:

    Code:
    --include_descriptors_from_image $(call images-for-partitions,$(1))))))

    is added to the avbtool call even if "$(call images-for-partitions,$(1))" turns out to be an empty string. avbtool then throws an error, because it expects a parameter after the "--include_descriptors_from_image" flag that was added for the "empty" partition path.

    The fix is to call "$(call images-for-partitions,$(1))" earlier, store the result in a variable and check that it isn't an empty string before the "--include_descriptors_from_image" flag is added to the avbtool command line used later.

    This technically generates an incomplete vbmeta.img file during the build process, but since the signing process recreates it from scratch anyway, no harm, no foul.

    Thank You's
    thanks for the guide. ps regarding the path requirements and the absolutely annoying signapk.jar issues when on the signing step, one can simply add a flag to the command like so
    Code:
    ./build/tools/releasetools/sign_target_files_apks -p out/host/linux-x86/ -o -d ~/.android-certs $OUT/obj/PACKAGING/target_files_intermediates/*-target_files-*.zip signed-target_files.zip
    the addition of -p out/host/linux-x86/ takes care of the pathing issues
    If anyone runs into the unicode encoding error with common.py, run repopick 305886
    which will cherry-pick https://review.lineageos.org/c/LineageOS/android_build/+/305886 and fix that error.

    Aside from those 2 things, (y) 🍻
    Hello,

    Just to share with you.

    I successfully built a LineageOS 4 MicroG with OEM unlock support, the build is user build.

    I merged your guide with the needed steps from the build.sh script in the docker-lineage-cicd src/ directory.

    Now, my OnePlus 7 Pro, has lineageos 4 microg installed with OEM unlock support in developer options menu, same as CalyxOS on Pixel phones. 😁

    Thank You again, I really appreciate your shared information.🙏

    Wish you a blessed life.
    Hello,

    I did extract the proprietary blobs from payload-based.

    Do you mean I should compile LineageOS successfully first using:
    source build/envsetup.sh
    breakfast guacamole
    croot
    brunch guacamole

    before I follow the steps listed here in this guide?

    Thank You
    Check the extraction script for errors or switch to the muppets, sometimes the extraction script isn't up to date.

    In general, yes, make sure you have a version of LineageOS that compiles successfully, that way you know you have a valid base to start from.

    Pre-requisites:
    • at least one successful build of LineageOS
    • at least one successful signing of your build with your own keys