How To Guide Guide to Lock Bootloader while using Rooted GrapheneOS (Magisk Root)

Search This thread

nujackk

Senior Member
Jun 16, 2008
645
127
Kent
OnePlus 8T
OnePlus 9
and the preinit device name for the Pixel 6 Pro, for GrapheneOS at least is metadata
If anyone could please share the correct preinit device name for the Pixel 6 that would be appreciated

This hasn't changed, it's mostly an issue that Graphene isn't going to fix
hopefully a solution like the universal safetynet fix will be updated to work with Graphene
So is the preint device name different for each rom? I'm currently using this method on CalxysOS but unable to update to magisk 26 as I have no way to get the the preint deivce name with current 25.2 and locked bootloader.
 

i_bl00dy

Member
Feb 7, 2023
15
6
Google Pixel 4a 5G
So is the preint device name different for each rom?

Its not likely to be different from phone to phone using the same ROM, but different ROMs have the potential to use different values, so it must be checked on each phone individually. This is also because android phones have a large variety of hardware, and magisk aims to support as many of them as they can .

I'm currently using this method on CalxysOS but unable to update to magisk 26 as I have no way to get the the preint deivce name with current 25.2 and locked bootloader.

Read full documentation here on how to get it: avbroot#magisk-preinit-device

TLDR:
Extract boot.img from OTA update zip
Copy boot.img from computer to phone
Install Magisk V26.1.apk on phone (just runs as app, not root)
Patch the boot.img from the magisk app on phone
Copy the resulting magisk_patched-26100.img from phone to computer
Run the command "python3 avbroot.py magisk-info --image magisk_patched-26100.img" to get the PREINITDEVICE=<name>

Anybody get LSposed working on GRaphene OS yet?
I got the module to install and run. I see the LSposed notification to install the manager, but clicking the notification does nothing. I manually installed the LSposed manager app, but it cant see the LSposed daemon running.

I probably will wave to abandon the LSposed idea since Graphene OS is significantly different from regular AOSP ROMs, but I was hoping to mess with the Notification panel a bit.
 
Last edited:
  • Like
Reactions: FireRattus

FireRattus

Senior Member
Feb 26, 2022
198
134
Anybody get LSposed working on GRaphene OS yet?
I got the module to install and run. I see the LSposed notification to install the manager, but clicking the notification does nothing. I manually installed the LSposed manager app, but it cant see the LSposed daemon running.

I probably will wave to abandon the LSposed idea since Graphene OS is significantly different from regular AOSP ROMs, but I was hoping to mess with the Notification panel a bit.
Unfortunately not, I tried using older versions to see if I had any success with those but I was not able to get it to work at all
I was able to get a shortcut for LSPosed on the home screen, which when clicked to open the manager, it would cause my phone to act sort of like there was something invisible open on the screen, until I would swipe back or to home
It would be great if someone could figure out why exactly it doesn't work on GrapheneOS as I believe it used to in the past
 

sn00x

Senior Member
Oct 9, 2006
153
80
Xiaomi Poco F3
Google Pixel 7 Pro
Thanks for the guide!

I'm using an alternative method after building GrapheneOS from source, though. In fact you can simply use the following commands right after the build process:

Bash:
AVBROOT=/path/to/avbroot.py
MAGISK=/path/to/Magisk-v26.1.apk
MAGISK_PREINIT_DEVICE=persist
cd $ANDROID_BUILD_TOP
if [ ! -f keys/$TARGET_PRODUCT/releasekey.pem ] ; then openssl pkcs8 -topk8 -inform DER -in keys/$TARGET_PRODUCT/releasekey.pk8 -out keys/$TARGET_PRODUCT/releasekey.pem ; fi
python $AVBROOT patch \
    --input out/release-$TARGET_PRODUCT-$BUILD_NUMBER/$TARGET_PRODUCT-ota_update-$BUILD_NUMBER.zip \
    --privkey-avb keys/$TARGET_PRODUCT/avb.pem \
    --privkey-ota keys/$TARGET_PRODUCT/releasekey.pem \
    --cert-ota keys/$TARGET_PRODUCT/releasekey.x509.pem \
    --magisk $MAGISK \
    --magisk-preinit-device=$MAGISK_PREINIT_DEVICE

Just be sure to set valid values for AVBROOT, MAGISK and MAGISK_PREINIT_DEVICE. (See Magisk preinit device section for details on how to get the correct name of your preinit-device. For my Pixel 7 Pro it's "persist", but for your's it can be different).

If you didn't just finish the build process, you need to set up your environment variables first (just set DEVICE to the codename of your device):
Bash:
DEVICE=cheetah
cd /path/to/android-build-top
source script/envsetup.sh
choosecombo release $DEVICE user

The big advantage of this method is, that no new keys need to be generated, but the build keys are used. That means you can switch between the original and rooted OTAs on the fly without having to unlock the bootloader. So you can even keep the bootloader locked (and thus avoid wiping your data) even if you never used Magisk before.
 

PiXinCreate

Member
Dec 21, 2017
49
16
As an intermediate user, I find this a bit too confusing. It would be great if you could address my concerns and questions:
- Q1: I'm running GrapheneOS with bootloader locked. To get root access in grapheneOS, do I need to unlock bootloader first, patch with AVBRoot, flash, lock the bootloader again while having OEN Unlock enabled to have root?
- Q2: Once installed with AVBRoot, I can directly update right without unlocking and unlocking the bootloader? (I intentionally stopped reading the documentation as it felt a bit too long to get the context and started to get confused with what is written in this thread)
- Q3: Like, if I were to just root GrapheneOS and pass PIA or SafetyNet, I can instead use AVB given by Google for the stock ROM and use it in GOS. Would that pass PIA?
- Q4: What makes GOS different from LOS that makes it impossible to pass PIA?

All that I want is root access in GrapheneOS that passes PIA / SafetyNet which can run Banking Apps in my country.
I'll dig into this to understand what's happening beneath it to have clear picture.
 

sn00x

Senior Member
Oct 9, 2006
153
80
Xiaomi Poco F3
Google Pixel 7 Pro
I've recently patched Android Auto into my GrapheneOs build. Furthermore the patch bypasses a behaviour change of Android 13 that made Screen2Auto crash when starting some apps. Last but not least, my changes enable mirroring of Netflix and other media apps. It doesn't require root.
This is what I did: https://gist.github.com/sn-00-x/9bd0b0143139c7efdae5507ad845ed86
 

sn00x

Senior Member
Oct 9, 2006
153
80
Xiaomi Poco F3
Google Pixel 7 Pro
@PiXinCreate do you run the official GrapheneOS images? Then you definitely have to unlock the bootloader and thus wipe your data.
If you built the rom yourself, you could simply use your existing signing key to sign a patched init_boot image without having to wipe (but you'd have to do it like I described a few posts ago and not follow the thread's howto guide).
Without root, you should be able to get a yellow state in PIA. I didn't try with root, yet or if USNF with MagiskHide work. It may, or may not, I don't know and didn't bothered trying, cause my goal is to patch everything I need directly into the rom without requiring Magisk and only flash a patched init_boot img in an emergency.
What definitely doesn't work in GrapheneOS is LSPosed and therefor Shamiko can't be enabled.
 

FireRattus

Senior Member
Feb 26, 2022
198
134
As an intermediate user, I find this a bit too confusing. It would be great if you could address my concerns and questions:
- Q1: I'm running GrapheneOS with bootloader locked. To get root access in grapheneOS, do I need to unlock bootloader first, patch with AVBRoot, flash, lock the bootloader again while having OEN Unlock enabled to have root?
Yes, because GrapheneOS is signed with their own keys, to use your own patched version of GrapheneOS with root and a locked boot loader, You will need to unlock the bootloader to flash the patched version, then you can lock it again, Leaving the OEM Unlock option enabled, will allow you to Unlock the bootloader and recover the device in the case of a soft brick, You can still lose your data but your phone should be recoverable
- Q2: Once installed with AVBRoot, I can directly update right without unlocking and unlocking the bootloader? (I intentionally stopped reading the documentation as it felt a bit too long to get the context and started to get confused with what is written in this thread)
Yes you can sideload updates that are patched/signed with the same keys as the one you already have installed
As long as you use AVBRoot to patch updates with the same keys then you should have no issues with updates
- Q3: Like, if I were to just root GrapheneOS and pass PIA or SafetyNet, I can instead use AVB given by Google for the stock ROM and use it in GOS. Would that pass PIA?
- Q4: What makes GOS different from LOS that makes it impossible to pass PIA?

All that I want is root access in GrapheneOS that passes PIA / SafetyNet which can run Banking Apps in my country.
I'll dig into this to understand what's happening beneath it to have clear picture.
Unfortunately I am not sure what is causing GOS to not pass safetynet, It can pass only the basic integrity
I don't know any way currently to pass safetynet with GOS

Although I do have no issues using 3 different banking apps on my own phone, without passing safetynet
 

i_bl00dy

Member
Feb 7, 2023
15
6
Google Pixel 4a 5G
The big advantage of this method is, that no new keys need to be generated, but the build keys are used.
Does Graphene OS supply the build keys with the source code? Are these the same keys as for the official release? I wouldn't think so for security reasons. If they dont supply the keys, do they have to be self generated at first build?

I've recently patched Android Auto into my GrapheneOS build.
How much of this would work by just installing a regular APK (without root)? Possibly just the display mirroring without the touch control? Or will android auto not even initialize without OS level integration?

Is it possible to convert your AA implementation into an App (probably requires root)? I assume you have no interest in doing so because you are patching your OS directly?


All that I want is root access in GrapheneOS that passes PIA / SafetyNet which can run Banking Apps in my country.
The only Banking app that absolutely refused to work for me is the Citi Mobile app. (what ever they are doing, they are anal about security. I couldnt even use their app on my jailbroken iphone.)
On Graphene OS, using the latest Safetynet Patch _Mod 1.2 allows me to to use all the other apps. But this is a SafetyNet patch, I dont think any of my apps require PIA. I have working AmEx, Wells Fargo, Schwab, Local FCU, Cash App. (without the patch I couldnt set up biometric login on a few of them)
 

spida_singh

Senior Member
Mar 3, 2011
584
214
Does Graphene OS supply the build keys with the source code? Are these the same keys as for the official release? I wouldn't think so for security reasons. If they dont supply the keys, do they have to be self generated at first build?


How much of this would work by just installing a regular APK (without root)? Possibly just the display mirroring without the touch control? Or will android auto not even initialize without OS level integration?

Is it possible to convert your AA implementation into an App (probably requires root)? I assume you have no interest in doing so because you are patching your OS directly?



The only Banking app that absolutely refused to work for me is the Citi Mobile app. (what ever they are doing, they are anal about security. I couldnt even use their app on my jailbroken iphone.)
On Graphene OS, using the latest Safetynet Patch _Mod 1.2 allows me to to use all the other apps. But this is a SafetyNet patch, I dont think any of my apps require PIA. I have working AmEx, Wells Fargo, Schwab, Local FCU, Cash App. (without the patch I couldnt set up biometric login on a few of them)
Does the safety net patch by displax work ok for you in GrapheneOS? And you pass both BASIC and DEVICE PI checks?
 

i_bl00dy

Member
Feb 7, 2023
15
6
Google Pixel 4a 5G
Does the safety net patch by displax work ok for you in GrapheneOS? And you pass both BASIC and DEVICE PI checks?
The SafetyNet Patch 2.4.0-mod_1.2 by Displax allows my device (Pixel 4a5G) with graphene OS to pass the Safetynet BASIC, where without the patch even the BASIC would fail. The CTS profile match is still a fail (probably why citi doesnt work)

Something to note is that GrapheneOS does Not Pass the CTS Profile integrity check
and I do Not Pass the Play Integrity API Check currently, Neither the Basic or Strong check
But I can pass the Basic attestation Safety Net test when using the patched SafetyNet Fix
Further testing is needed and welcomed to try and pass SafetyNet and Play Integrity
Play Integrity on my Device doesn't work at all.

Something to keep in mind is that Google is in the process of deprecating Safetynet. Timeline So I hope that the Custom Rom/Android Devs can come up with a way to at least pass PI MEETS_BASIC_INTEGRITY in the next year...

Compare Safety Net vs Play Integrity
 

spida_singh

Senior Member
Mar 3, 2011
584
214
The SafetyNet Patch 2.4.0-mod_1.2 by Displax allows my device (Pixel 4a5G) with graphene OS to pass the Safetynet BASIC, where without the patch even the BASIC would fail. The CTS profile match is still a fail (probably why citi doesnt work)


Play Integrity on my Device doesn't work at all.

Something to keep in mind is that Google is in the process of deprecating Safetynet. Timeline So I hope that the Custom Rom/Android Devs can come up with a way to at least pass PI MEETS_BASIC_INTEGRITY in the next year...

Compare Safety Net vs Play Integrity
Thanks

I ran GrapheneOS for some time. It always passed basic and never device out of the box. Installing the displax module broke basic for me.

The module needs to be adapted for GrapheneOS or you bake it in from source wit some tweaks.
 
  • Like
Reactions: FireRattus

Sredna76

Senior Member
Nov 20, 2006
78
20
OnePlus 6T
OnePlus 8T
I am sorry if my question is not in the correct thread but i will ask anyway.
1. Will this procedure work for Pixel 7 Pro?
2. Can Pixel flasher be used for this?
3. Must the bootloader be locked for using Graphene OS.

I have been using Lineage with microG but like to try Graphene with root.
 

sn00x

Senior Member
Oct 9, 2006
153
80
Xiaomi Poco F3
Google Pixel 7 Pro
Does Graphene OS supply the build keys with the source code? Are these the same keys as for the official release? I wouldn't think so for security reasons. If they dont supply the keys, do they have to be self generated at first build?
Of course they don't ship the official keys. I was referring to the build keys that are generated when following their build instructions.

How much of this would work by just installing a regular APK (without root)? Possibly just the display mirroring without the touch control? Or will android auto not even initialize without OS level integration?

Is it possible to convert your AA implementation into an App (probably requires root)? I assume you have no interest in doing so because you are patching your OS directly?
Android Auto needs elevated permissions, so a normal app won't be possible. It has to be a privileged system app.

When using Magisk, it is possible to overlay a priv-app stub into the OS with the help of a Magisk module. I've created such a module: aa4mg
It works great on other roms, but GrapheneOS has introduced fs-verity for system app updates and therefor won't allow updating the stub (i.e. you won't be able to install the actual Android Auto app).

Well, you could still use aa4mg and replace the AndroidAuto stub with the actual AA app.
To do that, follow these steps:

- In a temp directory with just the contents of the aa4mg zip (assuming you're on linux, otherwise use win equivalents):
Code:
rm system/product/priv-app/AndroidAutoStubPrebuilt -rf
mkdir -p system/product/priv-app/AndroidAuto
cp <path to downloaded real AA .apk> system/product/priv-app/AndroidAuto/AndroidAuto.apk
unzip -d system/product/priv-app/AndroidAuto system/product/priv-app/AndroidAuto/AndroidAuto.apk lib/*
mv system/product/priv-app/AndroidAuto/lib/arm64-v8a system/product/priv-app/AndroidAuto/lib/arm64
sed -i '$ d' module.prop
rm aa4mg-v0.6.1.zip
zip aa4mg-v0.6.1-graphene.zip -9r *
(the sed line removes the last line of module.prop. That is to prevent an accidental update through magisk, which would overwrite AA with a stub you can't update under GrapheneOS)
- install aa4mg-v0.6-graphene.zip through magisk manager and reboot
 

FireRattus

Senior Member
Feb 26, 2022
198
134
I am sorry if my question is not in the correct thread but i will ask anyway.
1. Will this procedure work for Pixel 7 Pro?
Yes
2. Can Pixel flasher be used for this?
I believe that it would work essentially the same as the flash-all.bat / flash-all.sh
But you may need to make sure you properly flash the AVB Keys so you can lock the bootloader, if you wanted to do that
3. Must the bootloader be locked for using Graphene OS.
No, you can use it with an unlocked bootloader, it's just less secure
 

PiXinCreate

Member
Dec 21, 2017
49
16
@PiXinCreate do you run the official GrapheneOS images? Then you definitely have to unlock the bootloader and thus wipe your data.
If you built the rom yourself, you could simply use your existing signing key to sign a patched init_boot image without having to wipe (but you'd have to do it like I described a few posts ago and not follow the thread's howto guide).
Without root, you should be able to get a yellow state in PIA. I didn't try with root, yet or if USNF with MagiskHide work. It may, or may not, I don't know and didn't bothered trying, cause my goal is to patch everything I need directly into the rom without requiring Magisk and only flash a patched init_boot img in an emergency.
What definitely doesn't work in GrapheneOS is LSPosed and therefor Shamiko can't be enabled.
Yes, all that I want is root access on GraphenOS just like any other ROM. But the problem that arised for me is that, as you said, LSPosed never worked and the play integrity api, even it claimed it passed the tests, banking apps kept detecting root access. Since then I've been looking for options as to how can I achieve my goal.
Building the ROM from applying patches is a no go for me given that the performance of my PC is next to god mode.
 

PiXinCreate

Member
Dec 21, 2017
49
16
Yes, because GrapheneOS is signed with their own keys, to use your own patched version of GrapheneOS with root and a locked boot loader, You will need to unlock the bootloader to flash the patched version, then you can lock it again, Leaving the OEM Unlock option enabled, will allow you to Unlock the bootloader and recover the device in the case of a soft brick, You can still lose your data but your phone should be recoverable

Yes you can sideload updates that are patched/signed with the same keys as the one you already have installed
As long as you use AVBRoot to patch updates with the same keys then you should have no issues with updates

Unfortunately I am not sure what is causing GOS to not pass safetynet, It can pass only the basic integrity
I don't know any way currently to pass safetynet with GOS

Although I do have no issues using 3 different banking apps on my own phone, without passing safetynet

> Yes you can sideload updates that are patched/signed with the same keys as the one you already have installed

With this, I feel like we can do something here to support OTA updates instead of sideloading. Once the ROM is downloaded, an automated shell script with the help of Root, snoop into the ROM, make necessary changes to have root. Change the signing key (I feel I'm wrong here, as the entire rOM has to be built from scratch and just changing signing key f*** whole thing up)

While I had root for 3 days, in the beginning, I tried literally everything possible from my end and could never get the banking app working. PIA used to claim that it is passing except hardware attestation as the bl was unlocked.
Once I relocked the bl and started to use GOS as usual, PIA still fails, the device it claims to be uncertified, but banking apps work flawlessly.

I'm not sure like how the apps are detecting root. I couldn't understand the logs exactly as I was using an android app that logs only basic infos
 

PiXinCreate

Member
Dec 21, 2017
49
16
What makes GOS different from other ROMs like LineageOS? It is really hard to get thigns working GOS if the device is rooted. Like LSPosed doesn't work, bank apps detect root and many more!

Edit:
Will installing AVBRoot on locked bootloader greys out OEM unlocking? Having that would be really useful as it prevents accidental touches to it!

Edit: Ok, [here](https://forum.xda-developers.com/t/grapheneos-is-available-for-the-pixel6-6pro.4377019/post-86252913) I read that GOS uses heavily modified kernel for increased security.
So, IMO, reverting back some changes or make some more changes would help get LSPosed working and KernelSU (unsure whether it works on GOS)
 
Last edited:

nujackk

Senior Member
Jun 16, 2008
645
127
Kent
OnePlus 8T
OnePlus 9
Its not likely to be different from phone to phone using the same ROM, but different ROMs have the potential to use different values, so it must be checked on each phone individually. This is also because android phones have a large variety of hardware, and magisk aims to support as many of them as they can .



Read full documentation here on how to get it: avbroot#magisk-preinit-device

TLDR:
Extract boot.img from OTA update zip
Copy boot.img from computer to phone
Install Magisk V26.1.apk on phone (just runs as app, not root)
Patch the boot.img from the magisk app on phone
Copy the resulting magisk_patched-26100.img from phone to computer
Run the command "python3 avbroot.py magisk-info --image magisk_patched-26100.img" to get the PREINITDEVICE=<name>

Anybody get LSposed working on GRaphene OS yet?
I got the module to install and run. I see the LSposed notification to install the manager, but clicking the notification does nothing. I manually installed the LSposed manager app, but it cant see the LSposed daemon running.

I probably will wave to abandon the LSposed idea since Graphene OS is significantly different from regular AOSP ROMs, but I was hoping to mess with the Notification panel a bit.
Than you soo Much , got absurdly busy just getting back to checking on this.
Hadn't thought about just using the apk.
 

nujackk

Senior Member
Jun 16, 2008
645
127
Kent
OnePlus 8T
OnePlus 9
I am having 1 problem the instructions are not clear on how I pass the preinit device name.
DO i do it when patching the ota? or when sideloading?
and please give detailed example as i've tried doing it when patching by adding the line after the magisk location but always get unrecognized argument error. And not sure how to do so when sideloading.

Also would simply using a prepatched image eliminate the need for this ?
Thank you
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Would you mind sharing a guide or quick'n'dirty process on how to implement this? I'm exceedingly more interested in AA than root. But I may have to follow you cuz integrated services sounds so much better then root on graphene

    Meanwhile I've created a new one. With the help of this patch it is possible to run Android Auto as user app(!) under GrapheneOS (and probably other Android 13 roms, cause it doesn't rely on GrapheneOS itself).

    It also provides a layer for Screen2Auto that only grants invasive permissions (draw over other apps, accessibility service) while connected to a head unit or screen sharing. That means you can watch Netflix on your head unit and even use it as a touch screen while not granting any of those permissions to Screen2Auto when they are not needed.

    Follow these basic instructions to build
  • 14
    This guide is intended to help people to achieve having a Pixel 6 Pro using GrapheneOS with Root (using Magisk) and a Locked Boot Loader
    Though it should be possible to do this with any device that GrapheneOS officially supports.

    Do not ever disable the OEM unlocking checkbox when using a locked bootloader with root. This is critically important. With root access, it is possible to corrupt the running system, for example by zeroing out the boot partition. In this scenario, if the checkbox is turned off, both the OS and recovery mode will be made unbootable and fastboot flashing unlock will not be allowed. This effectively renders the device hard bricked.

    I am not responsible for any harm you may do to your device, follow at your own risk etc etc, Rooting your device can potentially introduce security flaws, I am not claiming this to be secure.

    Simple method without building from source Although I highly recommend building Graphene yourself,
    All you really need to do is patch the official OTA released by graphene using AVBRoot
    Follow steps 1-6 in the usage section after the prerequisites are complete
    Simply flash the official factory graphene build, then your patched OTA using
    adb sideload /PATH/TO/patched_ota.zip
    Then flash the avb_pkmd.bin
    fastboot erase avb_custom_key
    fastboot flash avb_custom_key /PATH/TO/avb_pkmd.bin
    And now you can lock the bootloader, with patched rooted graphene.
    You will need to patch each new OTA to update and sideload the update as explained HERE Flash it to Both Slots
    Better Method, But requires more time and a decent computer
    Only Recommended for people with experience things building from source
    The first step is to build GrapheneOS from its sources or to use AVBRoot on official builds. I will include some of the information specific for Pixel 6 Pro to help with the build process

    Part one, follow this guide to build GrapheneOS from source

    You will want to build a Stable Release using the TAG_NAME 2023071100 this an EXAMPLE Tag for the Pixel 6 Pro
    Find the Latest tag on the Releases page https://grapheneos.org/releases

    When it comes to the step of "Extracting vendor files for Pixel devices"
    The DEVICE for the 6 Pro is raven and an Example of the BUILD_ID is tp1a.221105.002
    You can obtain the correct BUILD_ID from build/make/core/build_id.mk

    Continue to follow the guide until completion, creating your own Keys during the process
    I do recommend testing to Lock the Boot Loader, Just to see if you are able to
    In my experience if the pixel does not detect a valid signed boot etc, it will not allow you to lock the bootloader
    So if it brings up the screen on your phone where you can confirm the locking of the bootloader
    at this stage you can just select No / Do not lock

    To build with a specific BUILD_NUMBER use the command export BUILD_NUMBER=2022112500Replacing the number with what matches the version you are attempting to build
    Remove the encryption from keys/raven/avb.pem that was created for Graphene so that you can use it with AVBRoot

    Use the script script/decrypt_keys.sh https://grapheneos.org/build#encrypting-keys
    And set a copy of the key aside for the next steps.
    Use the following process to create the correct keys for AVBRoot & GrapheneOS

    Use the avb.pem you decrypted in the last step
    Convert the avb.pem to avb.key with the following command
    openssl rsa -in avb.pem -out avb.key
    Then clone the avb.key and rename it to ota.key

    as it says "The boot-related components are signed with an AVB key and OTA-related components are signed with an OTA key. They can be the same RSA keypair, though the following steps show how to generate two separate keys."

    Continue by following the instructions for generating the keys for AVBRoot using the avb.key and ota.key you now have

    I am not entirely certain what other of the keys I should use instead, I think this is the best approach for now
    as it creates all the keys it requires and this process works for me

    Copy the OTA (raven-ota_update-*.zip) from the folder where you have your own Factory Graphene Build and use this with AVBRoot
    Then you will have all the keys and files you need to continue the guide and use the AVBRoot script
    Now it's time to follow the instructions Here https://github.com/chenxiaolong/avbroot

    To create a full factory installer, Intall it and lock the bootloader.
    When you are done with AVBRoot and you have the boot.img, vbmeta.img and vendor_boot.img
    All patched and signed by AVBRoot, Take a factory image from your Graphene Build and Extract it anywhere
    Open the image-raven-*.zip with an Archive manager
    Delete the existing boot.img, vbmeta.img and vendor_boot.img files and replace them the patched ones
    also replace the avb_pkmd.bin with the one you have created in the previous steps for AVBRoot (might work without this step)

    Finally, you are able to run the flash-all.sh and then lock the bootloader
    ./flash-all.sh
    fastboot flashing lock

    Updating is very simple, Once you use AVBRoot to create the Patched OTA.zip
    you can reboot to recovery and flash the patched ota.zip with adb sideload
    adb sideload raven-ota_update-*.zip.patched
    https://grapheneos.org/usage#updates-sideloading

    Creating the patched full factory installer is not required if you simply flash the avb custom key and the patched OTA zip before locking the bootloader, after flashing the unpatched full system install build

    This for me allowed me after much struggle to achieve a Rooted, Locked Boot Loader using GrapheneOS and Magisk
    Now though with this guide worked out, I think it should be quite easy for anyone with basic terminal knowledge to accomplish.

    Something to note is that GrapheneOS does Not Pass the CTS Profile integrity check
    and I do Not Pass the Play Integrity API Check currently, Neither the Basic or Strong check
    But I can pass the Basic attestation Safety Net test when using the patched SafetyNet Fix
    Further testing is needed and welcomed to try and pass SafetyNet and Play Integrity

    To Be Clear, Although it already should be, This is NOT Modifying the official Graphene OS Sources, it is simply using them as a SOURCE for a GUIDE, You build it using unmodified grapheneOS source code so it is an unnofficial build according to their website

    Sources: GrapheneOS, AVBRoot,
    Magisk

    PayPal Donation Link
    5
    Thanks for the guide!

    I'm using an alternative method after building GrapheneOS from source, though. In fact you can simply use the following commands right after the build process:

    Bash:
    AVBROOT=/path/to/avbroot.py
    MAGISK=/path/to/Magisk-v26.1.apk
    MAGISK_PREINIT_DEVICE=persist
    cd $ANDROID_BUILD_TOP
    if [ ! -f keys/$TARGET_PRODUCT/releasekey.pem ] ; then openssl pkcs8 -topk8 -inform DER -in keys/$TARGET_PRODUCT/releasekey.pk8 -out keys/$TARGET_PRODUCT/releasekey.pem ; fi
    python $AVBROOT patch \
        --input out/release-$TARGET_PRODUCT-$BUILD_NUMBER/$TARGET_PRODUCT-ota_update-$BUILD_NUMBER.zip \
        --privkey-avb keys/$TARGET_PRODUCT/avb.pem \
        --privkey-ota keys/$TARGET_PRODUCT/releasekey.pem \
        --cert-ota keys/$TARGET_PRODUCT/releasekey.x509.pem \
        --magisk $MAGISK \
        --magisk-preinit-device=$MAGISK_PREINIT_DEVICE

    Just be sure to set valid values for AVBROOT, MAGISK and MAGISK_PREINIT_DEVICE. (See Magisk preinit device section for details on how to get the correct name of your preinit-device. For my Pixel 7 Pro it's "persist", but for your's it can be different).

    If you didn't just finish the build process, you need to set up your environment variables first (just set DEVICE to the codename of your device):
    Bash:
    DEVICE=cheetah
    cd /path/to/android-build-top
    source script/envsetup.sh
    choosecombo release $DEVICE user

    The big advantage of this method is, that no new keys need to be generated, but the build keys are used. That means you can switch between the original and rooted OTAs on the fly without having to unlock the bootloader. So you can even keep the bootloader locked (and thus avoid wiping your data) even if you never used Magisk before.
    3
    Hey, thanks for the excellent guide, this is all about to be applicable to me :)

    I have run into a small issue though, when generating the avb.key, openssl gives me an unsupported error

    openssl rsa -outform der -in avb.pem -out avb.key

    routines:ssl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
    Unable to load certificate

    I am wondering if since I didn't put a password on the keys if that caused an issue. I tried encrypted/decrypted, same issue. It's a fresh arch linux install, so packages are up to date.

    Thanks!
    Thank you, I am glad that it has been helpful for you, I have not encountered that error myself but I did use a password initially for the steps to create the keys for Graphene, I don't think this should matter though
    If you don't mind and are able to, can you create another copy of the avb.pem, see if the problem still occurs and share it with me if it does, so I can test if I get the same error when I use your .pem

    Wouldn't rooting GrapheneOS decrease the security of the operating system, a key aspect that Graphene is designed to improve? Seems like that defeats the purpose of using it in the first place.
    I do clearly say in the first post
    > Rooting your device can potentially introduce security flaws, I am not claiming this to be secure.
    I don't believe just using magisk is really such an issue, you are able to deny root from any applications you don't want to use it
    it is possible there are unknown security vulnerabilities in magisk, but that's the same with anything.
    Even though it may introduce some potential security vulnerabilities that Graphene combats against
    I believe it should be everyones choice to use root and lock their boot loader if they choose to do so
    2
    I highly recommend using your own build that is signed with your own keys that you can keep secure!
    I make no promises to provide any updates to this rom at this time

    Here more as a proof of concept that it works and updates are possible
    Latest builds moved to: Unofficial GrapheneOS, Magisk Patched for Pixel 6 / 6 Pro
    2
    {Mod edit: Quoted post has been deleted. Oswald Boelcke}
    When locking or unlocking the bootloader it will trigger a wipe of all the user data but your phone will still be usable after, It does not turn it into a brick in my experience, you will need to have flashed a properly signed build signed with your own custom avb keys as instructed by AVBRoot