How To Guide Guide to Lock Bootloader while using Rooted GrapheneOS (Magisk Root)


nujackk

and the preinit device name for the Pixel 6 Pro, for GrapheneOS at least is metadata
If anyone could please share the correct preinit device name for the Pixel 6 that would be appreciated

This hasn't changed, it's mostly an issue that Graphene isn't going to fix
hopefully a solution like the universal safetynet fix will be updated to work with Graphene
So is the preinit device name different for each ROM? I'm currently using this method on CalyxOS but unable to update to Magisk 26, as I have no way to get the preinit device name with current 25.2 and locked bootloader.
 

i_bl00dy

> So is the preinit device name different for each ROM?

It's not likely to be different from phone to phone using the same ROM, but different ROMs have the potential to use different values, so it must be checked on each phone individually. This is also because Android phones have a large variety of hardware, and Magisk aims to support as many of them as they can.

> I'm currently using this method on CalyxOS but unable to update to Magisk 26, as I have no way to get the preinit device name with current 25.2 and locked bootloader.

Read the full documentation here on how to get it: avbroot#magisk-preinit-device

TLDR:
1. Extract boot.img from the OTA update zip
2. Copy boot.img from computer to phone
3. Install Magisk V26.1.apk on phone (just runs as app, not root)
4. Patch the boot.img from the Magisk app on phone
5. Copy the resulting magisk_patched-26100.img from phone to computer
6. Run the command "python3 avbroot.py magisk-info --image magisk_patched-26100.img" to get the PREINITDEVICE=<name>

Anybody get LSPosed working on GrapheneOS yet?
I got the module to install and run. I see the LSPosed notification to install the manager, but clicking the notification does nothing. I manually installed the LSPosed manager app, but it can't see the LSPosed daemon running.

I probably will have to abandon the LSPosed idea since GrapheneOS is significantly different from regular AOSP ROMs, but I was hoping to mess with the Notification panel a bit.
 

FireRattus

> Anybody get LSPosed working on GrapheneOS yet?
> I got the module to install and run. I see the LSPosed notification to install the manager, but clicking the notification does nothing. I manually installed the LSPosed manager app, but it can't see the LSPosed daemon running.
>
> I probably will have to abandon the LSPosed idea since GrapheneOS is significantly different from regular AOSP ROMs, but I was hoping to mess with the Notification panel a bit.

Unfortunately not. I tried using older versions to see if I had any success with those, but I was not able to get it to work at all.
I was able to get a shortcut for LSPosed on the home screen, which, when clicked to open the manager, would cause my phone to act sort of like there was something invisible open on the screen, until I would swipe back or to home.
It would be great if someone could figure out why exactly it doesn't work on GrapheneOS, as I believe it used to in the past.
 

sn00x

Thanks for the guide!

I'm using an alternative method after building GrapheneOS from source, though. In fact you can simply use the following commands right after the build process:

Bash:
# Example values: set these for your own setup
AVBROOT=/path/to/avbroot.py
MAGISK=/path/to/Magisk-v26.1.apk
MAGISK_PREINIT_DEVICE=persist
cd "$ANDROID_BUILD_TOP"
# Convert the build's releasekey.pk8 (DER) to PEM once, if not already done
if [ ! -f "keys/$TARGET_PRODUCT/releasekey.pem" ] ; then
    openssl pkcs8 -topk8 -inform DER -in "keys/$TARGET_PRODUCT/releasekey.pk8" -out "keys/$TARGET_PRODUCT/releasekey.pem"
fi
# Patch the freshly built OTA with Magisk and re-sign it with the build keys
python "$AVBROOT" patch \
    --input "out/release-$TARGET_PRODUCT-$BUILD_NUMBER/$TARGET_PRODUCT-ota_update-$BUILD_NUMBER.zip" \
    --privkey-avb "keys/$TARGET_PRODUCT/avb.pem" \
    --privkey-ota "keys/$TARGET_PRODUCT/releasekey.pem" \
    --cert-ota "keys/$TARGET_PRODUCT/releasekey.x509.pem" \
    --magisk "$MAGISK" \
    --magisk-preinit-device="$MAGISK_PREINIT_DEVICE"

Just be sure to set valid values for AVBROOT, MAGISK and MAGISK_PREINIT_DEVICE. (See the Magisk preinit device section for details on how to get the correct name of your preinit device. For my Pixel 7 Pro it's "persist", but for yours it can be different.)

If you didn't just finish the build process, you need to set up your environment variables first (just set DEVICE to the codename of your device):
Bash:
DEVICE=cheetah
cd /path/to/android-build-top
source script/envsetup.sh
choosecombo release $DEVICE user

The big advantage of this method is that no new keys need to be generated, but the build keys are used. That means you can switch between the original and rooted OTAs on the fly without having to unlock the bootloader. So you can even keep the bootloader locked (and thus avoid wiping your data) even if you never used Magisk before.
 

PiXinCreate

As an intermediate user, I find this a bit too confusing. It would be great if you could address my concerns and questions:
- Q1: I'm running GrapheneOS with bootloader locked. To get root access in GrapheneOS, do I need to unlock bootloader first, patch with AVBRoot, flash, lock the bootloader again while having OEM Unlock enabled to have root?
- Q2: Once installed with AVBRoot, I can directly update right without unlocking and unlocking the bootloader? (I intentionally stopped reading the documentation as it felt a bit too long to get the context and started to get confused with what is written in this thread)
- Q3: Like, if I were to just root GrapheneOS and pass PIA or SafetyNet, I can instead use AVB given by Google for the stock ROM and use it in GOS. Would that pass PIA?
- Q4: What makes GOS different from LOS that makes it impossible to pass PIA?

All that I want is root access in GrapheneOS that passes PIA / SafetyNet which can run Banking Apps in my country.
I'll dig into this to understand what's happening beneath it to have clear picture.
 

sn00x

I've recently patched Android Auto into my GrapheneOS build. Furthermore, the patch bypasses a behaviour change of Android 13 that made Screen2Auto crash when starting some apps. Last but not least, my changes enable mirroring of Netflix and other media apps. It doesn't require root.
This is what I did: https://gist.github.com/sn-00-x/9bd0b0143139c7efdae5507ad845ed86
 

sn00x

@PiXinCreate do you run the official GrapheneOS images? Then you definitely have to unlock the bootloader and thus wipe your data.
If you built the rom yourself, you could simply use your existing signing key to sign a patched init_boot image without having to wipe (but you'd have to do it like I described a few posts ago and not follow the thread's howto guide).
Without root, you should be able to get a yellow state in PIA. I didn't try with root yet, or whether USNF with MagiskHide works. It may or may not, I don't know and didn't bother trying, cause my goal is to patch everything I need directly into the ROM without requiring Magisk and only flash a patched init_boot img in an emergency.
What definitely doesn't work in GrapheneOS is LSPosed, and therefore Shamiko can't be enabled.
 

FireRattus

> As an intermediate user, I find this a bit too confusing. It would be great if you could address my concerns and questions:
> - Q1: I'm running GrapheneOS with bootloader locked. To get root access in GrapheneOS, do I need to unlock bootloader first, patch with AVBRoot, flash, lock the bootloader again while having OEM Unlock enabled to have root?

Yes, because GrapheneOS is signed with their own keys. To use your own patched version of GrapheneOS with root and a locked bootloader, you will need to unlock the bootloader to flash the patched version, then you can lock it again. Leaving the OEM Unlock option enabled will allow you to unlock the bootloader and recover the device in the case of a soft brick. You can still lose your data, but your phone should be recoverable.

> - Q2: Once installed with AVBRoot, I can directly update right without unlocking and unlocking the bootloader? (I intentionally stopped reading the documentation as it felt a bit too long to get the context and started to get confused with what is written in this thread)

Yes, you can sideload updates that are patched/signed with the same keys as the one you already have installed.
As long as you use AVBRoot to patch updates with the same keys, then you should have no issues with updates.

> - Q3: Like, if I were to just root GrapheneOS and pass PIA or SafetyNet, I can instead use AVB given by Google for the stock ROM and use it in GOS. Would that pass PIA?
> - Q4: What makes GOS different from LOS that makes it impossible to pass PIA?
>
> All that I want is root access in GrapheneOS that passes PIA / SafetyNet which can run Banking Apps in my country.
> I'll dig into this to understand what's happening beneath it to have clear picture.

Unfortunately I am not sure what is causing GOS to not pass SafetyNet. It can pass only the basic integrity.
I don't know any way currently to pass SafetyNet with GOS.

Although I do have no issues using 3 different banking apps on my own phone, without passing SafetyNet.
 

i_bl00dy

> The big advantage of this method is that no new keys need to be generated, but the build keys are used.

Does GrapheneOS supply the build keys with the source code? Are these the same keys as for the official release? I wouldn't think so for security reasons. If they don't supply the keys, do they have to be self generated at first build?

> I've recently patched Android Auto into my GrapheneOS build.

How much of this would work by just installing a regular APK (without root)? Possibly just the display mirroring without the touch control? Or will Android Auto not even initialize without OS level integration?

Is it possible to convert your AA implementation into an app (probably requires root)? I assume you have no interest in doing so because you are patching your OS directly?

> All that I want is root access in GrapheneOS that passes PIA / SafetyNet which can run Banking Apps in my country.

The only banking app that absolutely refused to work for me is the Citi Mobile app. (Whatever they are doing, they are anal about security. I couldn't even use their app on my jailbroken iPhone.)
On GrapheneOS, using the latest Safetynet Patch _Mod 1.2 allows me to use all the other apps. But this is a SafetyNet patch, I don't think any of my apps require PIA. I have working AmEx, Wells Fargo, Schwab, Local FCU, Cash App. (Without the patch I couldn't set up biometric login on a few of them.)
 

spida_singh

> Does GrapheneOS supply the build keys with the source code? Are these the same keys as for the official release? I wouldn't think so for security reasons. If they don't supply the keys, do they have to be self generated at first build?
>
> How much of this would work by just installing a regular APK (without root)? Possibly just the display mirroring without the touch control? Or will Android Auto not even initialize without OS level integration?
>
> Is it possible to convert your AA implementation into an app (probably requires root)? I assume you have no interest in doing so because you are patching your OS directly?
>
> The only banking app that absolutely refused to work for me is the Citi Mobile app. (Whatever they are doing, they are anal about security. I couldn't even use their app on my jailbroken iPhone.)
> On GrapheneOS, using the latest Safetynet Patch _Mod 1.2 allows me to use all the other apps. But this is a SafetyNet patch, I don't think any of my apps require PIA. I have working AmEx, Wells Fargo, Schwab, Local FCU, Cash App. (Without the patch I couldn't set up biometric login on a few of them.)

Does the SafetyNet patch by Displax work OK for you in GrapheneOS? And you pass both BASIC and DEVICE PI checks?
 

i_bl00dy

> Does the SafetyNet patch by Displax work OK for you in GrapheneOS? And you pass both BASIC and DEVICE PI checks?

The SafetyNet Patch 2.4.0-mod_1.2 by Displax allows my device (Pixel 4a 5G) with GrapheneOS to pass the SafetyNet BASIC, where without the patch even the BASIC would fail. The CTS profile match is still a fail (probably why Citi doesn't work).

> Something to note is that GrapheneOS does Not Pass the CTS Profile integrity check
> and I do Not Pass the Play Integrity API Check currently, Neither the Basic or Strong check
> But I can pass the Basic attestation Safety Net test when using the patched SafetyNet Fix
> Further testing is needed and welcomed to try and pass SafetyNet and Play Integrity

Play Integrity on my device doesn't work at all.

Something to keep in mind is that Google is in the process of deprecating SafetyNet. Timeline So I hope that the Custom ROM/Android devs can come up with a way to at least pass PI MEETS_BASIC_INTEGRITY in the next year...

Compare Safety Net vs Play Integrity
 

spida_singh

> The SafetyNet Patch 2.4.0-mod_1.2 by Displax allows my device (Pixel 4a 5G) with GrapheneOS to pass the SafetyNet BASIC, where without the patch even the BASIC would fail. The CTS profile match is still a fail (probably why Citi doesn't work).
>
> Play Integrity on my device doesn't work at all.
>
> Something to keep in mind is that Google is in the process of deprecating SafetyNet. Timeline So I hope that the Custom ROM/Android devs can come up with a way to at least pass PI MEETS_BASIC_INTEGRITY in the next year...
>
> Compare Safety Net vs Play Integrity

Thanks

I ran GrapheneOS for some time. It always passed basic and never device out of the box. Installing the Displax module broke basic for me.

The module needs to be adapted for GrapheneOS, or you bake it in from source with some tweaks.
 

Sredna76

I am sorry if my question is not in the correct thread, but I will ask anyway.
1. Will this procedure work for Pixel 7 Pro?
2. Can Pixel Flasher be used for this?
3. Must the bootloader be locked for using GrapheneOS?

I have been using Lineage with microG but would like to try Graphene with root.
 

sn00x

> Does GrapheneOS supply the build keys with the source code? Are these the same keys as for the official release? I wouldn't think so for security reasons. If they don't supply the keys, do they have to be self generated at first build?

Of course they don't ship the official keys. I was referring to the build keys that are generated when following their build instructions.

> How much of this would work by just installing a regular APK (without root)? Possibly just the display mirroring without the touch control? Or will Android Auto not even initialize without OS level integration?
>
> Is it possible to convert your AA implementation into an app (probably requires root)? I assume you have no interest in doing so because you are patching your OS directly?

Android Auto needs elevated permissions, so a normal app won't be possible. It has to be a privileged system app.

When using Magisk, it is possible to overlay a priv-app stub into the OS with the help of a Magisk module. I've created such a module: aa4mg
It works great on other ROMs, but GrapheneOS has introduced fs-verity for system app updates and therefore won't allow updating the stub (i.e. you won't be able to install the actual Android Auto app).

Well, you could still use aa4mg and replace the AndroidAuto stub with the actual AA app.
To do that, follow these steps:

- In a temp directory with just the contents of the aa4mg zip (assuming you're on Linux, otherwise use Windows equivalents):
Code:
# Remove the stub and put the real Android Auto APK in its place
rm -rf system/product/priv-app/AndroidAutoStubPrebuilt
mkdir -p system/product/priv-app/AndroidAuto
cp <path to downloaded real AA .apk> system/product/priv-app/AndroidAuto/AndroidAuto.apk
# Extract the APK's native libraries next to it (pattern quoted so the shell does not expand it)
unzip -d system/product/priv-app/AndroidAuto system/product/priv-app/AndroidAuto/AndroidAuto.apk 'lib/*'
mv system/product/priv-app/AndroidAuto/lib/arm64-v8a system/product/priv-app/AndroidAuto/lib/arm64
# Drop the last line of module.prop, then repack the module
sed -i '$ d' module.prop
rm aa4mg-v0.6.1.zip
zip aa4mg-v0.6.1-graphene.zip -9r *
(The sed line removes the last line of module.prop. That is to prevent an accidental update through Magisk, which would overwrite AA with a stub you can't update under GrapheneOS.)
- Install aa4mg-v0.6-graphene.zip through Magisk manager and reboot
 

FireRattus

> I am sorry if my question is not in the correct thread, but I will ask anyway.
> 1. Will this procedure work for Pixel 7 Pro?

Yes

> 2. Can Pixel Flasher be used for this?

I believe that it would work essentially the same as the flash-all.bat / flash-all.sh.
But you may need to make sure you properly flash the AVB keys so you can lock the bootloader, if you wanted to do that.

> 3. Must the bootloader be locked for using GrapheneOS?

No, you can use it with an unlocked bootloader, it's just less secure.
 

PiXinCreate

> @PiXinCreate do you run the official GrapheneOS images? Then you definitely have to unlock the bootloader and thus wipe your data.
> If you built the rom yourself, you could simply use your existing signing key to sign a patched init_boot image without having to wipe (but you'd have to do it like I described a few posts ago and not follow the thread's howto guide).
> Without root, you should be able to get a yellow state in PIA. I didn't try with root yet, or whether USNF with MagiskHide works. It may or may not, I don't know and didn't bother trying, cause my goal is to patch everything I need directly into the ROM without requiring Magisk and only flash a patched init_boot img in an emergency.
> What definitely doesn't work in GrapheneOS is LSPosed, and therefore Shamiko can't be enabled.

Yes, all that I want is root access on GrapheneOS just like any other ROM. But the problem that arose for me is that, as you said, LSPosed never worked, and even though the Play Integrity API claimed it passed the tests, banking apps kept detecting root access. Since then I've been looking for options as to how I can achieve my goal.
Building the ROM from applying patches is a no go for me given that the performance of my PC is next to god mode.
 

PiXinCreate

> Yes, because GrapheneOS is signed with their own keys. To use your own patched version of GrapheneOS with root and a locked bootloader, you will need to unlock the bootloader to flash the patched version, then you can lock it again. Leaving the OEM Unlock option enabled will allow you to unlock the bootloader and recover the device in the case of a soft brick. You can still lose your data, but your phone should be recoverable.
>
> Yes, you can sideload updates that are patched/signed with the same keys as the one you already have installed.
> As long as you use AVBRoot to patch updates with the same keys, then you should have no issues with updates.
>
> Unfortunately I am not sure what is causing GOS to not pass SafetyNet. It can pass only the basic integrity.
> I don't know any way currently to pass SafetyNet with GOS.
>
> Although I do have no issues using 3 different banking apps on my own phone, without passing SafetyNet.

> Yes you can sideload updates that are patched/signed with the same keys as the one you already have installed

With this, I feel like we can do something here to support OTA updates instead of sideloading. Once the ROM is downloaded, an automated shell script with the help of root, snoop into the ROM, make necessary changes to have root. Change the signing key (I feel I'm wrong here, as the entire ROM has to be built from scratch and just changing signing key f*** whole thing up)

While I had root for 3 days, in the beginning, I tried literally everything possible from my end and could never get the banking app working. PIA used to claim that it is passing except hardware attestation as the bl was unlocked.
Once I relocked the bl and started to use GOS as usual, PIA still fails, the device it claims to be uncertified, but banking apps work flawlessly.

I'm not sure how the apps are detecting root. I couldn't understand the logs exactly, as I was using an Android app that logs only basic info.
 

PiXinCreate

What makes GOS different from other ROMs like LineageOS? It is really hard to get things working on GOS if the device is rooted. Like LSPosed doesn't work, bank apps detect root and many more!

Edit:
Will installing AVBRoot on a locked bootloader grey out OEM unlocking? Having that would be really useful as it prevents accidental touches to it!

Edit: OK, [here](https://forum.xda-developers.com/t/grapheneos-is-available-for-the-pixel6-6pro.4377019/post-86252913) I read that GOS uses a heavily modified kernel for increased security.
So, IMO, reverting back some changes or making some more changes would help get LSPosed working and KernelSU (unsure whether it works on GOS).
 

nujackk

> It's not likely to be different from phone to phone using the same ROM, but different ROMs have the potential to use different values, so it must be checked on each phone individually. This is also because Android phones have a large variety of hardware, and Magisk aims to support as many of them as they can.
>
> Read the full documentation here on how to get it: avbroot#magisk-preinit-device
>
> TLDR:
> 1. Extract boot.img from the OTA update zip
> 2. Copy boot.img from computer to phone
> 3. Install Magisk V26.1.apk on phone (just runs as app, not root)
> 4. Patch the boot.img from the Magisk app on phone
> 5. Copy the resulting magisk_patched-26100.img from phone to computer
> 6. Run the command "python3 avbroot.py magisk-info --image magisk_patched-26100.img" to get the PREINITDEVICE=<name>
>
> Anybody get LSPosed working on GrapheneOS yet?
> I got the module to install and run. I see the LSPosed notification to install the manager, but clicking the notification does nothing. I manually installed the LSPosed manager app, but it can't see the LSPosed daemon running.
>
> I probably will have to abandon the LSPosed idea since GrapheneOS is significantly different from regular AOSP ROMs, but I was hoping to mess with the Notification panel a bit.

Thank you so much, got absurdly busy, just getting back to checking on this.
Hadn't thought about just using the APK.
 

nujackk

I am having 1 problem: the instructions are not clear on how I pass the preinit device name.
Do I do it when patching the OTA, or when sideloading?
And please give a detailed example, as I've tried doing it when patching by adding the line after the Magisk location but always get an unrecognized argument error. And I'm not sure how to do so when sideloading.

Also, would simply using a prepatched image eliminate the need for this?
Thank you
 

Top Liked Posts

  • 1
    > Would you mind sharing a guide or quick'n'dirty process on how to implement this? I'm exceedingly more interested in AA than root. But I may have to follow you cuz integrated services sounds so much better than root on Graphene

    Meanwhile I've created a new one. With the help of this patch it is possible to run Android Auto as user app(!) under GrapheneOS (and probably other Android 13 roms, cause it doesn't rely on GrapheneOS itself).

    It also provides a layer for Screen2Auto that only grants invasive permissions (draw over other apps, accessibility service) while connected to a head unit or screen sharing. That means you can watch Netflix on your head unit and even use it as a touch screen while not granting any of those permissions to Screen2Auto when they are not needed.

    Follow these basic instructions to build
  • 14
    This guide is intended to help people to achieve having a Pixel 6 Pro using GrapheneOS with Root (using Magisk) and a Locked Boot Loader
    Though it should be possible to do this with any device that GrapheneOS officially supports.

    Do not ever disable the OEM unlocking checkbox when using a locked bootloader with root. This is critically important. With root access, it is possible to corrupt the running system, for example by zeroing out the boot partition. In this scenario, if the checkbox is turned off, both the OS and recovery mode will be made unbootable and fastboot flashing unlock will not be allowed. This effectively renders the device hard bricked.

    I am not responsible for any harm you may do to your device, follow at your own risk etc etc, Rooting your device can potentially introduce security flaws, I am not claiming this to be secure.

    Simple method without building from source
    Although I highly recommend building Graphene yourself, all you really need to do is patch the official OTA released by Graphene using AVBRoot.
    Follow steps 1-6 in the usage section after the prerequisites are complete.
    Simply flash the official factory Graphene build, then your patched OTA using
    adb sideload /PATH/TO/patched_ota.zip
    Then flash the avb_pkmd.bin
    fastboot erase avb_custom_key
    fastboot flash avb_custom_key /PATH/TO/avb_pkmd.bin
    And now you can lock the bootloader, with patched rooted Graphene.
    You will need to patch each new OTA to update, and sideload the update as explained HERE. Flash it to both slots.

    Better method, but requires more time and a decent computer
    Only recommended for people with experience building things from source
    The first step is to build GrapheneOS from its sources or to use AVBRoot on official builds. I will include some of the information specific for Pixel 6 Pro to help with the build process

    Part one, follow this guide to build GrapheneOS from source

    You will want to build a Stable Release using the TAG_NAME 2023071100 (this is an EXAMPLE tag for the Pixel 6 Pro)
    Find the Latest tag on the Releases page https://grapheneos.org/releases

    When it comes to the step of "Extracting vendor files for Pixel devices"
    The DEVICE for the 6 Pro is raven and an Example of the BUILD_ID is tp1a.221105.002
    You can obtain the correct BUILD_ID from build/make/core/build_id.mk

    Continue to follow the guide until completion, creating your own Keys during the process
    I do recommend testing to Lock the Boot Loader, Just to see if you are able to
    In my experience if the pixel does not detect a valid signed boot etc, it will not allow you to lock the bootloader
    So if it brings up the screen on your phone where you can confirm the locking of the bootloader
    at this stage you can just select No / Do not lock

    To build with a specific BUILD_NUMBER use the command
    export BUILD_NUMBER=2022112500
    replacing the number with what matches the version you are attempting to build
    Remove the encryption from keys/raven/avb.pem that was created for Graphene so that you can use it with AVBRoot

    Use the script script/decrypt_keys.sh https://grapheneos.org/build#encrypting-keys
    And set a copy of the key aside for the next steps.
    Use the following process to create the correct keys for AVBRoot & GrapheneOS

    Use the avb.pem you decrypted in the last step
    Convert the avb.pem to avb.key with the following command
    openssl rsa -outform der -in avb.pem -out avb.key
    Then clone the avb.key and rename it to ota.key

    as it says "The boot-related components are signed with an AVB key and OTA-related components are signed with an OTA key. They can be the same RSA keypair, though the following steps show how to generate two separate keys."

    Convert the public key portion of the AVB signing key to the AVB public key metadata format. This is the format that the bootloader requires when setting the custom root of trust.
    PATH/TO/avbroot/external/avb/avbtool.py extract_public_key --key avb.key --output avb_pkmd.bin
    Generate a self-signed certificate for the OTA signing key. This is used by recovery for verifying OTA updates.
    openssl req -new -x509 -sha256 -key ota.key -out ota.crt -days 10000 -subj '/CN=OTA/'
    I also edit the "CN" to match what I used earlier when I generated the keys for Graphene

    I am not entirely certain what other of the keys I should use instead, I think this is the best approach for now
    as it creates all the keys it requires and this process works for me

    Copy the OTA (raven-ota_update-*.zip) from the folder where you have your own Factory Graphene Build and use this with AVBRoot
    Then you will have all the keys and files you need to continue the guide and use the AVBRoot script
    Now it's time to follow the instructions Here https://github.com/chenxiaolong/avbroot

    To create a full factory installer, install it and lock the bootloader.
    When you are done with AVBRoot and you have the boot.img, vbmeta.img and vendor_boot.img
    all patched and signed by AVBRoot, take a factory image from your Graphene build and extract it anywhere
    Open the image-raven-*.zip with an archive manager
    Delete the existing boot.img, vbmeta.img and vendor_boot.img files and replace them with the patched ones
    Also replace the avb_pkmd.bin with the one you have created in the previous steps for AVBRoot (might work without this step)

    Finally, you are able to run the flash-all.sh and then lock the bootloader
    ./flash-all.sh
    fastboot flashing lock

    Updating is very simple, Once you use AVBRoot to create the Patched OTA.zip
    you can reboot to recovery and flash the patched ota.zip with adb sideload
    adb sideload raven-ota_update-*.zip.patched
    https://grapheneos.org/usage#updates-sideloading

    Creating the patched full factory installer is not required if you simply flash the avb custom key and the patched OTA zip before locking the bootloader, after flashing the unpatched full system install build

    This for me allowed me after much struggle to achieve a Rooted, Locked Boot Loader using GrapheneOS and Magisk
    Now though with this guide worked out, I think it should be quite easy for anyone with basic terminal knowledge to accomplish.

    Something to note is that GrapheneOS does Not Pass the CTS Profile integrity check
    and I do Not Pass the Play Integrity API Check currently, Neither the Basic or Strong check
    But I can pass the Basic attestation Safety Net test when using the patched SafetyNet Fix
    Further testing is needed and welcomed to try and pass SafetyNet and Play Integrity

    To be clear, although it already should be: this is NOT modifying the official GrapheneOS sources, it is simply using them as a SOURCE for a GUIDE. You build it using unmodified GrapheneOS source code, so it is an unofficial build according to their website.

    Sources: GrapheneOS, AVBRoot, Magisk
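
A pre-lock check for the key files the guide above produces, as an added example that is not part of the original post or of avbroot: it confirms that ota.crt certifies ota.key and reports whether the AVB and OTA keys are the same keypair, which is what the guide's "clone avb.key to ota.key" step yields. Function names are this example's own; the file names follow the guide, and the keys are assumed to be unencrypted as in the guide's decrypt step.

```shell
#!/bin/sh
# Added example, not code from the thread or from avbroot.
# Sanity check for the guide's key material before locking the bootloader:
#   avb.key / ota.key (private keys) and ota.crt (self-signed OTA certificate).

# Print the SHA-256 of a PEM public key passed as $1. Empty input is an error,
# so two unreadable files can never appear to "match" each other.
fingerprint_pem() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Fingerprint of the public half of a private key.
# $1 = key file, $2 = PEM or DER (the guide's "openssl rsa -outform der" gives DER).
privkey_fingerprint() {
    local pem
    pem=$(openssl pkey -in "$1" -inform "$2" -pubout) || return 1
    fingerprint_pem "$pem"
}

# Fingerprint of the public key embedded in a PEM X.509 certificate.
cert_fingerprint() {
    local pem
    pem=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    fingerprint_pem "$pem"
}

# $1 = AVB key, $2 = OTA key, $3 = OTA cert, $4 = key format (default DER).
# Returns 0 if the cert certifies the OTA key, 1 on mismatch,
# 2 if any file cannot be parsed.
check_signing_material() {
    local fmt avb ota crt
    fmt=${4:-DER}
    avb=$(privkey_fingerprint "$1" "$fmt") || { echo "cannot read AVB key: $1" >&2; return 2; }
    ota=$(privkey_fingerprint "$2" "$fmt") || { echo "cannot read OTA key: $2" >&2; return 2; }
    crt=$(cert_fingerprint "$3") || { echo "cannot read OTA cert: $3" >&2; return 2; }
    if [ "$ota" != "$crt" ]; then
        echo "MISMATCH: $3 does not certify $2" >&2
        return 1
    fi
    if [ "$avb" = "$ota" ]; then
        echo "note: AVB and OTA use the same keypair"
    fi
    echo "ok: avb=$avb ota=$ota"
}

# Usage: sh check_keys.sh avb.key ota.key ota.crt [PEM|DER]
if [ "$#" -ge 3 ]; then
    check_signing_material "$@"
fi
```

Recording the printed fingerprints and re-running the check before patching each new OTA shows whether an update is about to be signed with different keys than the installed build.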

    3
    > Hey, thanks for the excellent guide, this is all about to be applicable to me :)
    >
    > I have run into a small issue though, when generating the avb.key, openssl gives me an unsupported error
    >
    > openssl rsa -outform der -in avb.pem -out avb.key
    >
    > routines:ssl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
    > Unable to load certificate
    >
    > I am wondering if since I didn't put a password on the keys if that caused an issue. I tried encrypted/decrypted, same issue. It's a fresh Arch Linux install, so packages are up to date.
    >
    > Thanks!

    Thank you, I am glad that it has been helpful for you. I have not encountered that error myself, but I did use a password initially for the steps to create the keys for Graphene. I don't think this should matter though.
    If you don't mind and are able to, can you create another copy of the avb.pem, see if the problem still occurs and share it with me if it does, so I can test if I get the same error when I use your .pem

    > Wouldn't rooting GrapheneOS decrease the security of the operating system, a key aspect that Graphene is designed to improve? Seems like that defeats the purpose of using it in the first place.

    I do clearly say in the first post
    > Rooting your device can potentially introduce security flaws, I am not claiming this to be secure.
    I don't believe just using Magisk is really such an issue, you are able to deny root from any applications you don't want to use it.
    It is possible there are unknown security vulnerabilities in Magisk, but that's the same with anything.
    Even though it may introduce some potential security vulnerabilities that Graphene combats against,
    I believe it should be everyone's choice to use root and lock their bootloader if they choose to do so.
    2
    I highly recommend using your own build that is signed with your own keys that you can keep secure!
    I make no promises to provide any updates to this rom at this time

    Here more as a proof of concept that it works and updates are possible
    Latest builds moved to: Unofficial GrapheneOS, Magisk Patched for Pixel 6 / 6 Pro
    2
    {Mod edit: Quoted post has been deleted. Oswald Boelcke}
    When locking or unlocking the bootloader it will trigger a wipe of all the user data but your phone will still be usable after, It does not turn it into a brick in my experience, you will need to have flashed a properly signed build signed with your own custom avb keys as instructed by AVBRoot