
Question Read this before rooting your Raven

I can confirm this on 2 devices. Pixel 3xl and Pixel 4a. I used the tried and true method of patching and flashing the boot.img with no issues.
Okay, so it's just the 4a, 4a 5g, 5, and 5a that this affects...and likely the 6 / 6Pro.

And just to be clear, while I doubt a data wipe will be necessary for devices that started with a clean Android 12 install...disabling dm-verity and vbmeta verification will still be necessary for Android 12, regardless of whether you upgraded or your device shipped with it.
 

diesteldorf

Senior Member
Nov 22, 2010
63
41
Incorrect. DM verity and vbmeta verification MUST be disabled to run a patched boot image. This is true regardless of whether it's the 12 Beta or the public release.


Remove Magisk via the Uninstall option within the app; first use Restore Images, then use Complete Uninstall. This will restore the boot image, so you don't have to. It will then reboot the phone.

At that point, yes, you would install the older version of Magisk, then root as usual by patching the boot image.
Just wanted to give you a public shoutout and thank you for the bit of tech support. I was able to revert back to Magisk 23001, install RIRU, and Universal SafetyNet fix, and now I am back to officially passing Safetynet and all banking apps are working.

I appreciate it.
 

Lughnasadh

Senior Member
Mar 23, 2015
2,357
1,776
Google Nexus 5
Huawei Nexus 6P
Same here, which is why I was wondering about the chat around this, on top of that I was only using Magisk 23 didn't want to change to lose Magisk hide, for banking apps, and some other random ones.
It's because starting with the Pixel 5 (maybe the 4a as well?) you have to do those extra steps when on Android 12. I think we're all just assuming this will be carried over to the Pixel 6. This is true even when using Magisk 23. Previous Pixels don't seem to be affected by this.
 

roirraW "edor" ehT

Recognized Contributor
Just wanted to give you a public shoutout and thank you for the bit of tech support. I was able to revert back to Magisk 23001, install RIRU, and Universal SafetyNet fix, and now I am back to officially passing Safetynet and all banking apps are working.
I want to be 100% clear - this is on the Pixel 4 XL you're talking about, correct? Not the Pixel 6 Pro. Just want to make sure I know if someone already threw caution to the wind and successfully rooted their Pixel 6 Pro. :D I'm not brave enough before the official firmware update zips come out.
 
I want to be 100% clear - this is on the Pixel 4 XL you're talking about, correct? Not the Pixel 6 Pro. Just want to make sure I know if someone already threw caution to the wind and successfully rooted their Pixel 6 Pro. :D I'm not brave enough before the official firmware update zips come out.
You aren't going to be able to root until the firmware comes out anyway, because to root you have to patch the boot image, and there's unfortunately no way to pull the boot image from the phone without root or TWRP.

You can however unlock your bootloader, although it's pretty pointless at this time given the lack of anything to flash.
 

diesteldorf

Senior Member
Nov 22, 2010
63
41
I want to be 100% clear - this is on the Pixel 4 XL you're talking about, correct? Not the Pixel 6 Pro. Just want to make sure I know if someone already threw caution to the wind and successfully rooted their Pixel 6 Pro. :D I'm not brave enough before the official firmware update zips come out.
You are correct. I check both forums, but I've had every Pixel, except the 5, and they have a lot of similarities for rooting, and differences too.

I figured someone knew the answer to my dilemma, so I posed the question and will probably use that same knowledge in a few days, once firmware is released and my Casemate case arrives.

Rooting doesn't scare me as much as dropping the phone without a case...LOL
 
You are correct. I check both forums, but I've had every Pixel, except the 5, and they have a lot of similarities for rooting, and differences too.

I figured someone knew the answer to my dilemma, so I posed the question and will probably use that same knowledge in a few days, once firmware is released and my Casemate case arrives.

Rooting doesn't scare me as much as dropping the phone without a case...LOL
Well, we just have a particular challenge that we need to figure out first - how to gain permanent root without wiping /data. This seems to be particular to the 4a, 5, 5a, and I would assume the 6 as well.

Previously, on Android 11 on all Pixels, we could just flash a patched boot image, and be on our merry rooted way.

However, with the 12 Beta, we discovered that /vbmeta comes into play; flashing a patched boot image would result in "failed to load/verify boot images" at boot, which we discovered could be prevented by reflashing vbmeta with --disable-verity and --disable-verification.

Unfortunately, on the 12 stable, doing this causes the device to bootloop into recovery with a message "Can't load Android system. Your data may be corrupt". If the user chooses to wipe data, they can successfully run permanent root; otherwise, /vbmeta and /boot have to be reflashed to stock, although temporary root can be gained by live booting a patched image from fastboot.
 

Quinny899

Recognized Developer / Recognized Contributor
Jan 26, 2011
8,644
7,912
24
Salford, Greater Manchester, UK
quinny898.co.uk
Cheers for this, much appreciated. I can confirm (yet again) that you have to do disable-verity to root the P6 Pro. It's early enough since getting the phone (literally today) that wiping data isn't too much of a hassle at this stage IMO.

Factory images are now up, I've just booted a freshly wiped phone with a magisk patch image, transferring stuff again now :)
 

Lughnasadh

Senior Member
Mar 23, 2015
2,357
1,776
Google Nexus 5
Huawei Nexus 6P
Cheers for this, much appreciated. I can confirm (yet again) that you have to do disable-verity to root the P6 Pro. It's early enough since getting the phone (literally today) that wiping data isn't too much of a hassle at this stage IMO.

System images are now up, I've just booted a freshly wiped phone with a magisk patch image, transferring stuff again now :)
Thanks for testing. Curious about a few things...

1. What build were you on when you patched the boot image? Because the factory image builds are earlier (.015) than what we have received through OTA yesterday (.036). Wondering if kernel has changed between those 2 versions.

2. I understand that you are saying we have to disable dm-verity and vbmeta verification when flashing the vbmeta image, but do you know if we have to wipe data for sure? Sounds like maybe you just did that anyway since it was early enough for you?

3. Which Magisk version did you use?
 

Quinny899

Recognized Developer / Recognized Contributor
Jan 26, 2011
8,644
7,912
24
Salford, Greater Manchester, UK
quinny898.co.uk
Thanks for testing. Curious about a few things...

1. What build were you on when you patched the boot image? Because the factory image builds are earlier (.015) than what we have received through OTA yesterday (.036). Wondering if kernel has changed between those 2 versions.

2. I understand that you are saying we have to disable dm-verity and vbmeta verification when flashing the vbmeta image, but do you know if we have to wipe data for sure? Sounds like maybe you just did that anyway since it was early enough for you?

3. Which Magisk version did you use?
I was on SD1A.210817.015.A4, flashed a patched SD1A.210817.015.A4. I did try flashing without dm-verity, it obviously refused to boot and then also refused to boot when the stock image was flashed back. Without wiping data it didn't boot with dm-verity disabled, went straight to rescue party and told me to reset.

Latest canary, I know the latest stable works on 12 (or should do) too but I'm working on root stuff so I prefer to be ahead of stable for testing.
 

Morgrain

Senior Member
Aug 4, 2015
545
464
Cheers for this, much appreciated. I can confirm (yet again) that you have to do disable-verity to root the P6 Pro. It's early enough since getting the phone (literally today) that wiping data isn't too much of a hassle at this stage IMO.

Factory images are now up, I've just booted a freshly wiped phone with a magisk patch image, transferring stuff again now :)
Just for expressiveness sake, you successfully rooted the Pixel 6 Pro with a working magisk image and it booted up already?

Hell, that was fast.
 

Quinny899

Recognized Developer / Recognized Contributor
Jan 26, 2011
8,644
7,912
24
Salford, Greater Manchester, UK
quinny898.co.uk
Just for expressiveness sake, you successfully rooted the Pixel 6 Pro with a working magisk image and it booted up already?

Hell, that was fast.
I think it's rooted, it's restoring data so I can't access ADB or Magisk to check. I've been refreshing the factory image page for a while waiting for it, knowing it may require a data wipe so to hold back on fully setting up the phone.

It's basically a rite of passage for a new phone with me, how quick does it get soft bricked when trying to root it (OnePlus 7T Pro currently holds the record of needing the MSM tool on day 1)
 

Lughnasadh

Senior Member
Mar 23, 2015
2,357
1,776
Google Nexus 5
Huawei Nexus 6P
I was on SD1A.210817.015.A4, flashed a patched SD1A.210817.015.A4. I did try flashing without dm-verity, it obviously refused to boot and then also refused to boot when the stock image was flashed back. Without wiping data it didn't boot with dm-verity disabled, went straight to rescue party and told me to reset.

Latest canary, I know the latest stable works on 12 (or should do) too but I'm working on root stuff so I prefer to be ahead of stable for testing.
Thanks for that info.

So if I'm understanding correctly, aside from disabling dm-verity, we will also have to wipe data each time when patching the new monthly boot images?
 

HereticBG

Member
Jul 19, 2011
8
11
I was on SD1A.210817.015.A4, flashed a patched SD1A.210817.015.A4. I did try flashing without dm-verity, it obviously refused to boot and then also refused to boot when the stock image was flashed back. Without wiping data it didn't boot with dm-verity disabled, went straight to rescue party and told me to reset.

Latest canary, I know the latest stable works on 12 (or should do) too but I'm working on root stuff so I prefer to be ahead of stable for testing.

Well that's some good news that you got it going at least!

I guess now the question is if you can keep root and not have to wipe when dirty flashing a system update with all the dm-verity stuff, right?
 

Quinny899

Recognized Developer / Recognized Contributor
Jan 26, 2011
8,644
7,912
24
Salford, Greater Manchester, UK
quinny898.co.uk
Thanks for that info.

So if I'm understanding correctly, aside from disabling dm-verity, we will also have to wipe data each time when patching the new monthly boot images?
I don't have the experience with messing with dm-verity so I can't answer for sure (someone else correct me if I'm wrong), but I think it's a one time thing, so long as you don't flash vbmeta again without it? So basically don't use flash-all and flash the images manually, skipping vbmeta.

V0latyle was also saying that the requirement was worked around on the other Pixels anyway so it might not even be required by the next monthly patch.

In fact, re-reading his message again I could probably have got stock to boot again if I re-flashed vbmeta, which just shows my lack of experience with the newer Pixels.
 

Top Liked Posts

  • 6
    i can't take it anymore. So, why does everyone feel the need to "update" every month? I can see if Google decides to release some "Revolutionary" camera update or something. But just for a security update? lol what a joke that's been running for about 3 years or better
    Because I'm lazy, I update every other month, or every third month (unless the new update includes quadruple battery life), but I don't fault those who want, like, or feel the need to update monthly.

    As crazy as it sounds, some users just ENJOY tinkering, flashing, and messing with their devices and a fresh, new monthly factory image is the perfect excuse to do just that.

    I used to be one of those! I also used to underclock CPUs, GPUs, lower screen brightness, keep a 98% dark wallpaper, and Greenify every app under the sun JUST to increase my SOT by 30 minutes :p

    But like the monthly factory update, I am now too lazy and no longer care about having to plug my device in once a day :D

    As for those who still squeeze every drop of life out of their battery, who enjoy updating the factory image every, single, month; good for you, keep on enjoying your device the way you prefer.

    For those, like me, who are too lazy or no longer care about living on the developmental razor's edge, good for us.
    4
    Isn't this a sort of vulnerability?

    How can I defend myself against live booting from fastboot?
    Don't unlock your bootloader
    4
    Which instructional steps would you suggest I use for being on the latest update and not bothered about losing data, to get permanent root (not lost on reboot)?
    Sorry I took so long to reply. I'm not an expert and shouldn't be considered one, but I've gotten so much help from XDA forums over the years I feel bad not contributing if I've got even 1% knowledge to help.

    So, here's what I did...

    1. Download factory image from Google, Riru & USNF from GitHub and MagiskAlpha from Telegram.
    2. Unlock bootloader (and factory wipe; all the developer mode, USB debugging and adb/fastboot + Google USB driver information applies as normal)
    3. Install MagiskAlpha, patch the factory boot.img
    4. fastboot flash with verity first, then fastboot flash boot the MagiskAlpha modded boot img, then reboot.
    5. You've now achieved root and have the ability to use MagiskHide. Do so, add all of Google Play services to the deny list, hide MagiskAlpha, install Riru module, reboot.
    6. Add USNF module. Reboot.

    should now have persistent root and pass SN. Add your DRM and banking apps to the deny list as necessary. May have to clear your Google Play data.
    3
    "fastboot flash vbmeta --etc --etc vbmeta.img" returns with "fastboot: unknown option -- etc". I searched for fastboot usage options but did not find --etc.
    He means etc as in etcetera, not an actual command :)
    What he was saying is you need to make sure you do it in bootloader after sideloading the OTA, not in fastbootd, and then flash to both slots before reboot.
    3
    Just passing along info in case you didn't know, but vvb2060 is the 3rd leading contributor to John's Magisk (at least he was, may be 2nd by now), only behind John himself and John's designer I believe. You can see all he's done in John's Github.

    I'm curious, has anyone tried this when updating to new build?

    1. Manually install OTA (without rebooting)
    2. Take boot image from new factory image and patch it in Magisk Manager
    3. Boot into bootloader
    4. Flash vbmeta.img with flags disabled (fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img)
    5. Boot (not install) the patched boot.img (fastboot boot <nameofpatchedimage.img>) (Because you mentioned you could live boot the patched image)
    6. When booted I would assume you would not be rooted, but then....
    7. Do a direct install in Magisk Manager
    8. Reboot

    Wondering if after this it will boot without having to factory reset/wipe data and be rooted???
    When you use
    Code:
    fastboot boot boot.img
    ADB sends the boot image via USB to the phone, and the phone loads it instead of what's in the /boot partition. Therefore if you boot a patched image, you should have root.

    However, following the instructions above, you'll still have to wipe. There is an as yet unidentified issue with rooted boot images tripping something (probably the kernel) into thinking data is corrupted.

    Here is something you can try however:
    1. Download the OTA and the factory image to your computer
    2. Patch the boot image from the factory zip
    3. Sideload the OTA:
    Code:
    adb reboot sideload
    adb sideload ota.zip
    4. When the update completes, you will be in recovery. DO NOT REBOOT.
    5. Select "enter fastboot"
    6. Flash vbmeta and boot:
    Code:
    fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img
    fastboot flash boot magisk_patched-23xxx_xxxxx.img
    7. Reboot your device
  • 18
    For those of you who are planning on rooting:

    Be aware that Android 12 changed the way boot images are loaded, at least on the Pixel 4, 4a, and 5. We have no reason to believe the Pixel 6/Pro will be any different.

    Two new Verified Boot features implemented in Android 12 will interfere with attempts to root.

    Dm-verity (device-mapper-verity) is a method by which an image on block devices (the underlying storage layer of the file system) can be checked to determine if it matches an expected configuration, using a cryptographic hash tree. If the hash doesn't match, dm-verity prevents the stored code from loading.

    Vbmeta verification is the other half of this - it provides a cryptographically signed reference hash which is used to verify the integrity of /boot, /system, and /vendor partitions. The vbmeta image is only used to verify /boot, while vbmeta-system is used to verify /system.

    This was implemented to prevent persistent rootkits by means of a hardware level security check, to prevent "potentially harmful applications" such as Magisk from evading detection, as such applications residing within the kernel will have higher privileges than the detection applications.

    What this means is that with these two enabled, a modified boot image will cause a verification error when flashed to the device, preventing boot. Interestingly, this check is not performed against "live" boot images loaded via ADB, so with dm-verity and vbmeta verification enabled, a modified image can be booted as long as the image in /boot is intact.


    Dm-verity and vbmeta verification will need to be disabled in order to flash a rooted boot image. Unfortunately, this means that you will have to wait for the factory firmware to be released.

    fastboot flash vbmeta --disable-verity --disable-verification vbmeta.img

    We also discovered that a data wipe is required in order to get permanent root; flashing /vbmeta with the disable flags gets you stuck in recovery with "Unable to load Android system, your data may be corrupted" error if you didn't wipe /data when you upgraded. To be clear, this only happens in a specific circumstance:
    * You updated to Android 12 without a wipe, AND
    * You reflash vbmeta with the disable flags


    Here are some threads in the Pixel 5 forum on the matter:
    12
    Cheers for this, much appreciated. I can confirm (yet again) that you have to do disable-verity to root the P6 Pro. It's early enough since getting the phone (literally today) that wiping data isn't too much of a hassle at this stage IMO.

    Factory images are now up, I've just booted a freshly wiped phone with a magisk patch image, transferring stuff again now :)
    9


    Confirmed.
    8
    Alright, so it's possible. Props to @snovvman for linking the vvb2060 repo, because if you read into the bits in English on the telegram, you'll discover that it has MagiskHide still, as an option.

    So:
    Download the latest alpha build from https://t.me/magiskalpha
    Install it by patching the boot image and flashing in fastboot. You might be able to do a direct install, but I patched it manually and checked it booted with fastboot first to be safe.
    After it boots, you may need to uninstall a hidden Magisk manager if you didn't already - at this point the alpha build will take over, and tell you it needs to install some files and reboot, allow it.
    After rebooting, go into the Magisk settings and disable Zygisk. A magisk hide option will magically appear. Reboot.
    Install Riru and the latest Universal SafetyNet Fix. There's no repo in the build, so you need to get these from GitHub. I also have MagiskHide Props Config installed, but not with any BASIC spoofing enabled, just installed - not sure if that's required. Doesn't seem to be required.
    Reboot.
    Make sure you have Play Services unstable and snet added to your DenyList (it's still called DenyList, but it's Hide)

    Job done!

    6
    The loss of "Hide Magisk" in the latest release means a few of my apps (banking and work expense) are not going to work if I root my Pixel 6 P. So disappointing. I will miss GravityBox the most, but will learn to live without it.
    Magisk 23010 has DenyList, which works exactly like MagiskHide. However, getting Safetynet to pass is more complicated, as Riru is not compatible with 23010, so you can't use Universal SafetyNet Fix 2.0.0 or newer. So, I went back to Magisk 23001.
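
The `--disable-verity` and `--disable-verification` options discussed throughout this thread correspond to two bits in the flags field of the AVB vbmeta image header. The following is an added example, not code from any poster or from the Magisk or AOSP projects: a small Python auditor that reads that header and reports whether either protection has been switched off. The function names and the sample headers are constructed for illustration; the header layout (magic `AVB0`, big-endian `flags` at offset 120) is assumed from the AVB vbmeta header format.

```python
import struct
import sys

AVB_MAGIC = b"AVB0"
HEADER_SIZE = 256              # fixed size of the AVB vbmeta image header
FLAGS_OFFSET = 120             # big-endian u32 'flags' field
RELEASE_OFFSET, RELEASE_LEN = 128, 48
FLAG_HASHTREE_DISABLED = 0x1       # set by --disable-verity
FLAG_VERIFICATION_DISABLED = 0x2   # set by --disable-verification


def parse_vbmeta_header(blob: bytes) -> dict:
    """Return the security-relevant fields of a vbmeta image header."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("truncated: vbmeta header is 256 bytes")
    if blob[:4] != AVB_MAGIC:
        raise ValueError("bad magic: not an AVB vbmeta image")
    major, minor = struct.unpack_from(">II", blob, 4)
    (flags,) = struct.unpack_from(">I", blob, FLAGS_OFFSET)
    release = blob[RELEASE_OFFSET:RELEASE_OFFSET + RELEASE_LEN]
    known = FLAG_HASHTREE_DISABLED | FLAG_VERIFICATION_DISABLED
    return {
        "avb_version": f"{major}.{minor}",
        "release": release.split(b"\0", 1)[0].decode("ascii", "replace"),
        "flags": flags,
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "unknown_flag_bits": flags & ~known,
    }


def verdict(info: dict) -> str:
    """One-line summary suitable for an audit log."""
    off = [k for k in ("hashtree_disabled", "verification_disabled") if info[k]]
    return "verified boot intact" if not off else "WEAKENED: " + ", ".join(off)


def make_sample_header(flags: int) -> bytes:
    """Constructed 256-byte header for the demo; not taken from a real image."""
    buf = bytearray(HEADER_SIZE)
    buf[:4] = AVB_MAGIC
    struct.pack_into(">II", buf, 4, 1, 0)
    struct.pack_into(">I", buf, FLAGS_OFFSET, flags)
    sample_release = b"avbtool 1.2.0"  # constructed value
    buf[RELEASE_OFFSET:RELEASE_OFFSET + len(sample_release)] = sample_release
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit a real image: python vbmeta_audit.py vbmeta_dump.img
        with open(sys.argv[1], "rb") as fh:
            blobs = {sys.argv[1]: fh.read(HEADER_SIZE)}
    else:
        blobs = {"stock (constructed)": make_sample_header(0),
                 "both flags (constructed)": make_sample_header(3)}
    for name, blob in blobs.items():
        print(name, "->", verdict(parse_vbmeta_header(blob)))
```

fastboot sets these bits in the copy it sends to the device, so the `vbmeta.img` from a factory zip reads as intact; the check is meaningful on an image read back from the device's vbmeta partition.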