How To Guide: Guide to Lock Bootloader while using Rooted GrapheneOS (Magisk Root)


FireRattus

Senior Member
Feb 26, 2022
201
134
This guide is intended to help people achieve a Pixel 6 Pro running GrapheneOS with root (using Magisk) and a locked bootloader,
though it should be possible to do this with any device that GrapheneOS officially supports.

Do not ever disable the OEM unlocking checkbox when using a locked bootloader with root. This is critically important. With root access, it is possible to corrupt the running system, for example by zeroing out the boot partition. In this scenario, if the checkbox is turned off, both the OS and recovery mode will be made unbootable and fastboot flashing unlock will not be allowed. This effectively renders the device hard bricked.

I am not responsible for any harm you may do to your device; follow at your own risk, etc. Rooting your device can potentially introduce security flaws; I am not claiming this to be secure.

Simple method without building from source

Although I highly recommend building Graphene yourself, all you really need to do is patch the official OTA released by Graphene using AVBRoot.
Follow steps 1-6 in the usage section after the prerequisites are complete.
Simply flash the official factory Graphene build, then your patched OTA using:
Code:
adb sideload /PATH/TO/patched_ota.zip
Then flash the avb_pkmd.bin:
Code:
fastboot erase avb_custom_key
fastboot flash avb_custom_key /PATH/TO/avb_pkmd.bin
And now you can lock the bootloader, with patched rooted Graphene.
You will need to patch each new OTA to update and sideload the update as explained HERE. Flash it to both slots.

Better method, but requires more time and a decent computer

Only recommended for people with experience building from source.
The first step is to build GrapheneOS from its sources or to use AVBRoot on official builds. I will include some of the information specific to the Pixel 6 Pro to help with the build process.

Part one, follow this guide to build GrapheneOS from source

You will want to build a Stable Release using the TAG_NAME 2023071100; this is an EXAMPLE tag for the Pixel 6 Pro.
Find the Latest tag on the Releases page https://grapheneos.org/releases

When it comes to the step of "Extracting vendor files for Pixel devices",
the DEVICE for the 6 Pro is raven and an example of the BUILD_ID is tp1a.221105.002.
You can obtain the correct BUILD_ID from build/make/core/build_id.mk

Continue to follow the guide until completion, creating your own keys during the process.
I do recommend testing locking the bootloader, just to see if you are able to.
In my experience, if the Pixel does not detect a valid signed boot etc., it will not allow you to lock the bootloader.
So if it brings up the screen on your phone where you can confirm the locking of the bootloader,
at this stage you can just select No / Do not lock.

To build with a specific BUILD_NUMBER use the command:
Code:
export BUILD_NUMBER=2022112500
Replace the number with what matches the version you are attempting to build.
Remove the encryption from keys/raven/avb.pem that was created for Graphene so that you can use it with AVBRoot.

Use the script script/decrypt_keys.sh https://grapheneos.org/build#encrypting-keys
and set a copy of the key aside for the next steps.
Use the following process to create the correct keys for AVBRoot & GrapheneOS:

Use the avb.pem you decrypted in the last step.
Convert the avb.pem to avb.key with the following command:
Code:
openssl rsa -in avb.pem -out avb.key
Then clone the avb.key and rename it to ota.key,

as it says:
> The boot-related components are signed with an AVB key and OTA-related components are signed with an OTA key. They can be the same RSA keypair, though the following steps show how to generate two separate keys.

Continue by following the instructions for generating the keys for AVBRoot using the avb.key and ota.key you now have

I am not entirely certain which other keys I should use instead; I think this is the best approach for now,
as it creates all the keys it requires and this process works for me.

Copy the OTA (raven-ota_update-*.zip) from the folder where you have your own Factory Graphene Build and use this with AVBRoot
Then you will have all the keys and files you need to continue the guide and use the AVBRoot script
Now it's time to follow the instructions Here https://github.com/chenxiaolong/avbroot

To create a full factory installer, install it and lock the bootloader:
When you are done with AVBRoot and you have the boot.img, vbmeta.img and vendor_boot.img
all patched and signed by AVBRoot, take a factory image from your Graphene build and extract it anywhere.
Open the image-raven-*.zip with an archive manager.
Delete the existing boot.img, vbmeta.img and vendor_boot.img files and replace them with the patched ones;
also replace the avb_pkmd.bin with the one you have created in the previous steps for AVBRoot (might work without this step).

Finally, you are able to run the flash-all.sh and then lock the bootloader:
Code:
./flash-all.sh
fastboot flashing lock

Updating is very simple. Once you use AVBRoot to create the patched OTA.zip,
you can reboot to recovery and flash the patched ota.zip with adb sideload:
Code:
adb sideload raven-ota_update-*.zip.patched
https://grapheneos.org/usage#updates-sideloading

Creating the patched full factory installer is not required if you simply flash the avb custom key and the patched OTA zip before locking the bootloader, after flashing the unpatched full system install build

This allowed me, after much struggle, to achieve a rooted, locked bootloader using GrapheneOS and Magisk.
Now though, with this guide worked out, I think it should be quite easy for anyone with basic terminal knowledge to accomplish.

Something to note is that GrapheneOS does NOT pass the CTS profile integrity check,
and I do NOT pass the Play Integrity API check currently, neither the Basic nor the Strong check.
But I can pass the Basic attestation SafetyNet test when using the patched SafetyNet Fix.
Further testing is needed and welcomed to try and pass SafetyNet and Play Integrity.

To be clear, although it already should be, this is NOT modifying the official GrapheneOS sources; it is simply using them as a SOURCE for a GUIDE. You build it using unmodified GrapheneOS source code, so it is an unofficial build according to their website.

Sources: GrapheneOS, AVBRoot, Magisk


FireRattus

> This really is quite cool man. Maybe I'll try this on my new P7P. This way we have everything. Well Done!
>
> How would you update the rom? Repeat the whole process?
I haven't worked out updating yet, but all it requires is patching an updated OTA with AVBRoot, in theory.
I have been quite busy IRL and haven't had much time to play around with it; if you do figure it out then please let me know.
 

FireRattus

Now that I have had time to do it, updating was very easy.
I have also updated and improved the process for getting and creating the correct keys used for signing.
After updating it booted normally, still rooted, no apparent problems or issues.
 

FireRattus

New Release 2022111000

Changes since the 2022110800 release:
  • remove TrustCor Certificate Authority due to malicious domain squatting and ties to entities involved in surveillance, which should have very little impact on web compatibility due to this CA barely being used by anyone other than a specific dynamic DNS provider
  • ignore wireless alert channels being marked as always-on to prevent channel configuration overriding presidential alert toggle
  • GmsCompatConfig: change app label from "GmsCompat config" to "GmsCompatConfig"
  • GmsCompatConfig: disable TelecomTaskService to resolve sandboxed Google Play services crash caused by feature flag
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a): update base kernel to Android 13 QPR1 Beta 3 to ship the December security update early
  • Vanadium: update Chromium base to 107.0.5304.105
Download Moved to https://forum.xda-developers.com/t/...magisk-patched-13-raven.4518953/post-87728629
 

holofractal

Senior Member
Jan 30, 2016
427
228
Hey, thanks for the excellent guide, this is all about to be applicable to me :)

I have run into a small issue though, when generating the avb.key, openssl gives me an unsupported error

openssl rsa -outform der -in avb.pem -out avb.key

routines:ssl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
Unable to load certificate

I am wondering if since I didn't put a password on the keys if that caused an issue. I tried encrypted/decrypted, same issue. It's a fresh arch linux install, so packages are up to date.

Thanks!
 

FireRattus

Thank you, I am glad that it has been helpful for you. I have not encountered that error myself, but I did use a password initially for the steps to create the keys for Graphene; I don't think this should matter though.
If you don't mind and are able to, can you create another copy of the avb.pem, see if the problem still occurs, and share it with me if it does, so I can test if I get the same error when I use your .pem?

> Wouldn't rooting GrapheneOS decrease the security of the operating system, a key aspect that Graphene is designed to improve? Seems like that defeats the purpose of using it in the first place.
I do clearly say in the first post
> Rooting your device can potentially introduce security flaws, I am not claiming this to be secure.
I don't believe just using Magisk is really such an issue; you are able to deny root to any applications you don't want to have it.
It is possible there are unknown security vulnerabilities in Magisk, but that's the same with anything.
Even though it may introduce some potential security vulnerabilities that Graphene combats against,
I believe it should be everyone's choice to use root and lock their bootloader if they choose to do so.
 

holofractal

It was this command:

Code:
openssl x509 -outform der -in avb.pem -out avb.crt
Could not read cert etc. of certificate from avb.pem
4087C8C0777F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:

Following GrapheneOS's guide, that is generated with:

openssl genrsa 4096 | openssl pkcs8 -topk8 -scrypt -out avb.pem
 

holofractal

I think the root of this issue is that the pkcs8 avb.pem is an RSA private key, and the command you specified is expecting a certificate.

At any point in time do you use the crt made by the "Copy the avb.pem and convert it to .crt with this command" step?

So if I read over everything right, I believe the solution here would be to use

openssl req -new -x509 -sha256 -key avb.key -out avb.crt -days 10000 -subj '/CN=AVB/'

But since avb and ota can be the same key, then presumably avb.crt and ota.crt could be the same as well? I get my pixel 7 tonight. I'll try and report back.
 

FireRattus

I may have accidentally made a mistake like that in the guide, I am not able to test it at the moment but would love to know what works for you
 

holofractal

So you don't even need that last section.

There are some small differences for the pixel 7 though, but it was easy enough.

I have to say, building grapheneos was the easiest time I've ever had building a ROM. Not once did I have to go on Google fishing for answers. Flashing the ROM and relocking the bootloader took less than 10m, even with root.

This is why I switched to a pixel. I am too old and don't have the time to sit here and fiddle with my phone for hours on end anymore. I need things to just work.

This is as close as you are going to get to first party level support with aftermarket software, but I still care about privacy.

I'll do a write-up later so others don't have the same issues as me, but thanks for getting me started!
 

FireRattus

I am really glad that the process could be made so smooth and simple for you.
I did spend a long time trying to get a rooted GrapheneOS with a locked bootloader before I managed to finally work it out, thanks mostly to the developer of AVBRoot; their script is the essential part which has made this so easy.
With my internet troubles as well, it ended up taking me a few weeks from when I initially started trying to when I was able to lock the bootloader with root successfully.
Now that I have it all worked out though, I can update and patch it in very little time.

Although I did write this guide for the Pixel 6, I would be happy to include any additional information which could be helpful for people using other Pixels; I am just not able to test and verify the information myself on other devices.

And you don't need the last section? The part where I create a full patched installer? I did think about this; just using the patched OTA to update the ROM should also work to get you root with a locked bootloader if you first flash the full installer you built yourself.
I think this is possibly a better way of doing it, but I like also having the patched full installer.
I would like to hear people's opinions and what works best for them.
 

FireRattus

> I think the root of this issue is that the pkcs8 avb.pem is an RSA private key, and the command you specified is expecting a certificate.
>
> At any point in time do you use the crt made by the "Copy the avb.pem and convert it to .crt with this command" step?
>
> So if I read over everything right, I believe the solution here would be to use
>
> openssl req -new -x509 -sha256 -key avb.key -out avb.crt -days 10000 -subj '/CN=AVB/'
>
> But since avb and ota can be the same key, then presumably avb.crt and ota.crt could be the same as well? I get my pixel 7 tonight. I'll try and report back.
I have tested it now, and the last command I had to create the files was an unnecessary step I left in by mistake. I have updated and corrected the guide so that people should now be able to use those commands without error to create the required files for AVBRoot.
There should be no need to have an avb.crt and, if there is, then the ota.crt should suffice.
I believe it was this change to AVBRoot which led to me making this mistake.
 
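The key steps in the first post (decrypted avb.pem, avb.key, avb_pkmd.bin) and the avb.pem/avb.crt mix-up sorted out above both come down to the same question: is the avb_pkmd.bin you flash to avb_custom_key really the public half of the key that signed your images? The script below is an added example, not code from this thread, avbroot or GrapheneOS: it parses the modulus out of an unencrypted PKCS#8 or PKCS#1 PEM, rebuilds the AvbRSAPublicKey blob that avbtool's extract_public_key writes, and compares it byte-for-byte with the file, which is worth doing before `fastboot flashing lock`. The sample modulus at the bottom is constructed for the offline self-check and is not a real key.

```python
"""Check that an avb_pkmd.bin was derived from the avb.pem you signed with.
Added example for this thread (not code from the thread, avbroot or GrapheneOS):
it re-implements the AvbRSAPublicKey encoding that avbtool's extract_public_key
writes (the blob flashed to avb_custom_key) using only the standard library."""
import base64, hashlib, re, struct

TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30

def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes):
    """Yield (tag, value) for each TLV inside a SEQUENCE's content."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

def pem_label_and_der(pem_text: str):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def rsa_modulus_from_pem(pem_text: str) -> int:
    """Return n from a 'PRIVATE KEY' (PKCS#8) or 'RSA PRIVATE KEY' (PKCS#1) PEM.
    Other labels fail loudly: an encrypted key, or a certificate where a key is
    expected, is the kind of mix-up behind the openssl errors in this thread."""
    label, der = pem_label_and_der(pem_text)
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("key is still encrypted; run script/decrypt_keys.sh first")
    if label not in ("PRIVATE KEY", "RSA PRIVATE KEY"):
        raise ValueError(f"expected a private key PEM, got {label!r}")
    tag, body, _ = der_read(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("PEM body is not a DER SEQUENCE")
    fields = list(der_children(body))
    if label == "PRIVATE KEY":  # PKCS#8: version, AlgorithmIdentifier, OCTET STRING
        octets = next(v for t, v in fields if t == TAG_OCTET_STRING)
        fields = list(der_children(der_read(octets)[1]))
    # RSAPrivateKey: version, modulus, publicExponent, privateExponent, ...
    ints = [int.from_bytes(v, "big") for t, v in fields if t == TAG_INTEGER]
    return ints[1]

def encode_avb_pkmd(n: int) -> bytes:
    """AvbRSAPublicKey: uint32 key bits, uint32 n0inv (-n^-1 mod 2^32, the
    Montgomery constant), then n and R^2 mod n (R = 2^bits), all big-endian."""
    bits = n.bit_length()
    if bits not in (2048, 4096, 8192):
        raise ValueError(f"AVB uses 2048/4096/8192-bit RSA keys, got {bits} bits")
    n0inv = (-pow(n, -1, 1 << 32)) % (1 << 32)
    rr = pow(1 << bits, 2, n)
    size = bits // 8
    return struct.pack("!II", bits, n0inv) + n.to_bytes(size, "big") + rr.to_bytes(size, "big")

def pkmd_matches_key(pkmd: bytes, pem_text: str) -> bool:
    """True only if pkmd is byte-for-byte what this key should produce."""
    return pkmd == encode_avb_pkmd(rsa_modulus_from_pem(pem_text))

# --- constructed sample so the check can be exercised offline ---------------
def der_tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, only used to build the sample PEM below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(x: int) -> bytes:
    return der_tlv(TAG_INTEGER, x.to_bytes((x.bit_length() + 8) // 8, "big"))

# Constructed 2048-bit odd modulus: NOT a real RSA key, it only exercises the code.
SAMPLE_N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"sample").digest() * 8, "big") | 1
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL

def constructed_sample_pem(pkcs8: bool = False) -> str:
    key = der_tlv(TAG_SEQUENCE, der_int(0) + der_int(SAMPLE_N) + der_int(65537) + der_int(0))
    if pkcs8:
        key = der_tlv(TAG_SEQUENCE, der_int(0) + RSA_ALG_ID + der_tlv(TAG_OCTET_STRING, key))
    label = "PRIVATE KEY" if pkcs8 else "RSA PRIVATE KEY"
    b64 = base64.b64encode(key).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    import sys  # usage: python3 check_pkmd.py avb.pem avb_pkmd.bin
    with open(sys.argv[1]) as f, open(sys.argv[2], "rb") as g:
        ok = pkmd_matches_key(g.read(), f.read())
    print("avb_pkmd.bin matches the key" if ok else "MISMATCH: do not flash or lock")
```

Run it against the decrypted avb.pem and the avb_pkmd.bin you intend to flash; a mismatch means the bootloader would verify your images against a key that did not sign them.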

holofractal

Oh I meant the part about avb.crt.

As for differences, if you follow the pixel 7 section on grapheneos build guide, that will suffice. Also, instead of boot.img, you flash init_boot.img.

I did also make myself an OTA and flashed it through adb, and that worked great. I want to try making my own OTA server to do away with flashing via PC. I have other family on graphene now too, so it wouldn't be all that effort just for myself.
 

FireRattus

I did end up figuring out that is what you probably meant. Since the differences for the Pixel 7 are essentially in the Graphene build guide, I don't think any changes are really necessary for the guide; I do recommend just following the official guide for that part. I just include some information to help make that process a bit easier for people's first time building the ROM.
For me, it wasn't very clear what the TAG_NAME and BUILD_ID were supposed to be as they didn't provide examples, but a little bit of trial and error helped me work it out.

Although, since you flash init_boot, does that init_boot get patched by AVBRoot?

I would also like to setup an OTA server, although I don't really have the funds to do that at the moment
 

FireRattus

Guide has been updated with a much simpler method thanks to https://forum.xda-developers.com/m/boom15.11870611/
I haven't tested it myself, but it was pointed out that, for those who want to,
all you need to do is use AVBRoot to patch the official OTAs provided by Graphene, following the instructions in the readme here https://github.com/chenxiaolong/avbroot

I did think this should be possible, but I still recommend building it from source yourself if you are able to
 

Top Liked Posts

Would you mind sharing a guide or quick'n'dirty process on how to implement this? I'm exceedingly more interested in AA than root. But I may have to follow you cuz integrated services sounds so much better then root on graphene

Meanwhile I've created a new one. With the help of this patch it is possible to run Android Auto as user app(!) under GrapheneOS (and probably other Android 13 roms, cause it doesn't rely on GrapheneOS itself).

It also provides a layer for Screen2Auto that only grants invasive permissions (draw over other apps, accessibility service) while connected to a head unit or screen sharing. That means you can watch Netflix on your head unit and even use it as a touch screen while not granting any of those permissions to Screen2Auto when they are not needed.

Follow these basic instructions to build
Thanks for the guide!

I'm using an alternative method after building GrapheneOS from source, though. In fact you can simply use the following commands right after the build process:

Bash:
AVBROOT=/path/to/avbroot.py
MAGISK=/path/to/Magisk-v26.1.apk
MAGISK_PREINIT_DEVICE=persist
cd $ANDROID_BUILD_TOP
# convert the build's releasekey.pk8 (DER) to PEM once, for --privkey-ota
if [ ! -f keys/$TARGET_PRODUCT/releasekey.pem ] ; then
    openssl pkcs8 -topk8 -inform DER -in keys/$TARGET_PRODUCT/releasekey.pk8 -out keys/$TARGET_PRODUCT/releasekey.pem
fi
python $AVBROOT patch \
    --input out/release-$TARGET_PRODUCT-$BUILD_NUMBER/$TARGET_PRODUCT-ota_update-$BUILD_NUMBER.zip \
    --privkey-avb keys/$TARGET_PRODUCT/avb.pem \
    --privkey-ota keys/$TARGET_PRODUCT/releasekey.pem \
    --cert-ota keys/$TARGET_PRODUCT/releasekey.x509.pem \
    --magisk $MAGISK \
    --magisk-preinit-device=$MAGISK_PREINIT_DEVICE

Just be sure to set valid values for AVBROOT, MAGISK and MAGISK_PREINIT_DEVICE. (See the Magisk preinit device section for details on how to get the correct name of your preinit device. For my Pixel 7 Pro it's "persist", but for yours it can be different.)

If you didn't just finish the build process, you need to set up your environment variables first (just set DEVICE to the codename of your device):
Bash:
DEVICE=cheetah
cd /path/to/android-build-top
source script/envsetup.sh
choosecombo release $DEVICE user

The big advantage of this method is that no new keys need to be generated, but the build keys are used. That means you can switch between the original and rooted OTAs on the fly without having to unlock the bootloader. So you can even keep the bootloader locked (and thus avoid wiping your data) even if you never used Magisk before.
I highly recommend using your own build that is signed with your own keys that you can keep secure!
I make no promises to provide any updates to this ROM at this time.

Here more as a proof of concept that it works and updates are possible.
Latest builds moved to: Unofficial GrapheneOS, Magisk Patched for Pixel 6 / 6 Pro
{Mod edit: Quoted post has been deleted. Oswald Boelcke}
When locking or unlocking the bootloader it will trigger a wipe of all the user data, but your phone will still be usable after. It does not turn it into a brick in my experience; you will need to have flashed a properly signed build, signed with your own custom AVB keys as instructed by AVBRoot.