[Tutorial] Unlock Bootloader, get root and valid Safetynet

Search This thread

Raz0Rfail

Senior Member
Oct 24, 2013
225
114
Nope I didn't wiped before I switched to android 12. I made an full backup from phone via file copying and swift Backup. As I knew an new os version could break things and lead to boot loops. I got boot loops after installed the patched magisk boot.img, but then I learned that I had to reflash vbmeta including the parameters, and it worked on my side with magisk and valid safety net. But the primary lucky reason I don't got the problems was that I was on a custom Rom. And I'm feeling bad for them who had a broken data partition after the android 12 update. I hope they made at least an backup so it's not so much harm for them.
 

V0latyle

Forum Moderator
Staff member
Nope I didn't wiped before I switched to android 12. I made an full backup from phone via file copying and swift Backup. As I knew an new os version could break things and lead to boot loops. I got boot loops after installed the patched magisk boot.img, but then I learned that I had to reflash vbmeta including the parameters, and it worked on my side with magisk and valid safety net. But the primary lucky reason I don't got the problems was that I was on a custom Rom. And I'm feeling bad for them who had a broken data partition after the android 12 update. I hope they made at least an backup so it's not so much harm for them.
Well, the biggest issue, as I've mentioned, seems to be that attempting to modify vbmeta and boot without a factory wipe results in the "corrupted data" error. If the factory image is installed with a wipe, this problem doesn't happen; otherwise, if /vbmeta and /boot are untouched, the user can live boot a patched image for temporary root.
 
  • Like
Reactions: andybones

omartins

Senior Member
Jan 31, 2011
219
57
Well, the biggest issue, as I've mentioned, seems to be that attempting to modify vbmeta and boot without a factory wipe results in the "corrupted data" error. If the factory image is installed with a wipe, this problem doesn't happen; otherwise, if /vbmeta and /boot are untouched, the user can live boot a patched image for temporary root.

Hello all,

Maybe this might sound obvious for many, but better safe than sorry, so here it goes:

If if flash factory image (A12 public release) via fastboot, using the bat file in its original state, this is without removing the "-w", Ill be on A12 with wiped data. After this, is it safe to just patch and flash boot.img or is it also necessary to flash vbmeta with disabled flags?

Thank you in advance.
 

V0latyle

Forum Moderator
Staff member
Hello all,

Maybe this might sound obvious for many, but better safe than sorry, so here it goes:

If if flash factory image (A12 public release) via fastboot, using the bat file in its original state, this is without removing the "-w", Ill be on A12 with wiped data. After this, is it safe to just patch and flash boot.img or is it also necessary to flash vbmeta with disabled flags?

Thank you in advance.
If you flash the factory image, it also flashes vbmeta. To avoid doing it twice, change the line in the batch file that reads

fastboot -w update redfin-image.zip

to

fastboot --disable-verity --disable-verification -w update redfin-image.zip

Then, when the update finishes, patch and flash the boot image.

If you do not disable verity and verification before modifying the boot image, you will get stuck in bootloader with an error message:

"unable to load/verify boot image"
 

omartins

Senior Member
Jan 31, 2011
219
57
If you flash the factory image, it also flashes vbmeta. To avoid doing it twice, change the line in the batch file that reads

fastboot -w update redfin-image.zip

to

fastboot --disable-verity --disable-verification -w update redfin-image.zip

Then, when the update finishes, patch and flash the boot image.

If you do not disable verity and verification before modifying the boot image, you will get stuck in bootloader with an error message:

"unable to load/verify boot image"

Hello!

Just updated to A12 with permanent root, using the above method. No hiccups, all smooth.

Boot IMG patched with stable Magisk (from github)

Also SwiftBackup was a big help to setup things back!
 
Last edited:
  • Like
Reactions: V0latyle

V0latyle

Forum Moderator
Staff member
So, the data wipe issue has been partly figured out.

/data must be clean when verity and verification are disabled, once they have been enabled. Unfortunately for those on Android 11, there simply is no way around this.

The good news is that once disabled, a data wipe is not required so long as they are not enabled again. The bad news is, we cannot let any update process boot the device into system without making sure both are disabled.

This means no more automatic updates.

So, we have two (well, three) available options for monthly updates:

1. Sideload the OTA, then immediately reboot into bootloader, and reflash vbmeta with verity and verification disabled.

Or...

2. Flash the factory zip, either via ADB or Android Flash Tool, with verity and verification disabled.
 
  • Like
Reactions: andybones

Top Liked Posts

  • There are no posts matching your filters.
  • 9

    04/09/21 v2​

    Just install this Module via magisk manager:
    which is mentioned by this thread:

    You need it + safetynetfix from kdrag0n then you have valid safetynet.

    04/09/21​

    For the last two days there has been an update on Google's site that causes Safetynet to fail on your phone. It didn't work on my phone and a colleague's phone, but it worked on another colleague's phone with no problems. So it may or may not fail on your end.

    If you have the problem with safetynet failing. First update magisk to v.23 and the manager to the latest version.

    Then we need lsposed with a separate module for lsposed. You can use edxposed, but for most users it laggs much more than lsposed.

    If you don't have lsposed. You need to install the following two Magisk modules in the order described.
    1. riru
    2. riru - LSposed

    Otherwise you will get an installation error because the core is missing.
    After the installation, restart the phone.

    Then the LSposed manager should be visible in your launcher. If not, download the full zip package from here:

    Extract the manager.apk from it and install it.

    Inside the manager, you should get a green message with "activated". If not, you have not installed the module.

    Inside the Lsposed manager, install the XprivacyLua module from the repo. The search function is located at the bottom.

    Go to Modules and click on XprivacyLua. And tick the two items for the recommended applications:
    System Framework
    settings storage

    Then click on the 3 dots at the top right.
    There, uncheck the item in "Hide -> System apps".
    Now you can search in the app list for
    Google play Services and set the hook.

    Then click on the gear icon on the top right and the app XprivacyLua will open.

    In it, search for Google play Services again and set the checkmark next to the gear icon so that each sub-checkmark is set.

    Now we need to hide the Magisk Manager. To do this, open the Magisk Manager.

    Click on the gear icon at the top right of the main menu. Then click on hide magisk manager. Enter the desired name and wait until the Magisk Manager opens again.

    If you have not installed the Safetynet fix from kdrag0n, you can download it here:

    Then install it from the "modules" menu in magisk manager using the "install module from storage" function.

    Once you have installed the Safetynet Fix module, restart the phone.

    Then open the Settings app and navigate to the Apps section. Then search for Google Play Services, open it and in the storage option, use the function to clear the cache memory.

    Now you can check Safetynet again in Magisk and it should be valid.


    19/04/21:​

    There is currently a problem with magisk checking safetynet. When you check safetynet in magisk, you get a safetynet API error. Either use an alternative Safetynet app e.g. Safetynet Test or install the magisk canary app. I heard it was fixed there, but don't know for sure.



    I wrote this entire tutorial already in this Thread, but I think it should be separated, so everyone can find it easier:
    https://forum.xda-developers.com/showpost.php?p=83736713&postcount=89

    This Tutorial descripes 3 Points:
    • Unlock Bootloader - which is necessary for root
    • Get root via Magisk
    • Valid Safetynet

    Enable Developer mode in settings
    1. Open Settings App
    2. Move to About The Phone
    3. 7 Taps on the Build-Number

    Enable OEM-Unlock in settings
    1. Go back to Main Menu of Settings
    2. move to system
    3. Unfold Extended
    4. Open Developer options
    5. Enable OEM-Unlock

    If you go further, you should either have a clean phone or backup your data. Because if you unlock the bootloader, the entire phone will be wiped.

    Reboot Phone in Fastboot

    1. Turn off Phone with long press on Power Button and click turn off
    2. Press Power Button + Lower Volume together for some seconds and you are in fastboot mode

    Use Fastboot to unlock Phone
    If you don't have it download at first the needed adb and fastboot files for your system:
    https://developer.android.com/studio/releases/platform-tools
    Extract it to a path where you want it.

    1. Connect your P5 with your PC with an USB cable
    2. Open the path where you have extracted the adb tools.
    3. On Windows press Shift + Right click and in the context menu click on open commandline Window
    4. If you enter the following console command you should see an listed device about it's serial number:
      Code:
      fastboot devices
      If you get an empty result, you have to check if P5 is correct connected via usb and p5 is in fastboot mode (you see it onscreen)
      It could be that you have to install the usb drivers at first for recognizing it via fastboot.

    If a Serial was listed in the Previous step, go further.

    Enter the following command to start to unlocking your phone
    Code:
    fastboot flashing unlock

    On your Phone you see a message to "not unlock your phone", with volume up you switch it to "unlock your phone". With the Power Button you accept it.
    It will reboot now and at this moment it wipes the entire phone, so you start again from scratch to configure the p5.

    if you have a Pixel 5 without the KDDI Version, you can use the following boot image, which is already a prepatched boot image including magisk 21 (Build 21005).
    Download it at first:
    http://www.mediafire.com/file/8ll4mlzt3l9njph/magisk_patched+Build+21005.img/file
    KDDI variant: http://www.mediafire.com/file/widag4w5s02itq5/magisk_patched+KDDI.img/file

    Copy the img-file to the path where you had extracted the adb files.

    After you have configured your phone so you can use it, turn off p5 again and go again into fastboot mode.
    Ensure your phone is connected via usb to the PC.

    In the opened command line Window enter the following command:
    Code:
    fastboot flash boot "magisk_patched Build 21005.img"

    For windows powershell Users check this out, if the above command failed:
    A suggestion, please add that those having issues with the flash command failing to WRITE can try putting ./ before the command and that should work.

    hm not working for me. P5 is unlocked.

    C:\>fastboot flash boot "magisk_patched Build 21005.img"
    target reported max download size of 268435456 bytes
    sending 'boot' (98304 KB)...
    OKAY [ 2.419s]
    writing 'boot'...
    FAILED (remote: Failed to write to partition Not Found)
    finished. total time: 2.500s

    Do:

    ./fastboot flash boot "magisk_patched Build 21005.img"


    After it finished you can reboot your phone into android system and you will see the magisk manager logo.

    Open it and you should see magisk 21005 is installed, then you know root access is granted.

    For Safetynet you have to do the following steps
    1. In Magisk Manager open settings gear.
    2. under Magisk enable MagiskHide
    3. Above MagiskHide is a menupoint called "Hide Magisk Manager", click on it, give the magisk manager a new name, click ok and wait until it's reopend.
    4. Go to main menu of the magisk manager. On bottom is a "shield icon" open it.
    5. Go to "MagiskHide"
    6. On Top is the item "Google Play Services" unfold it and set every hook on it.
    7. It's recommended to set the hook on every google Service you find.
    8. Go Back to main menu of magisk manager
    9. Download the latest universal safetynet fix for your P5:
      Then in magisk manager under modules click on the "Install from memory" button and then select the zip file you just downloaded and magisk manager will then install the module.
    10. After finished installation reboot your P5.
    After reboot check safetynet state in Magisk Manger, it should be OK.

    Now you have a rooted phone and a valid safetynet.
    2
    Hello all,

    Maybe this might sound obvious for many, but better safe than sorry, so here it goes:

    If if flash factory image (A12 public release) via fastboot, using the bat file in its original state, this is without removing the "-w", Ill be on A12 with wiped data. After this, is it safe to just patch and flash boot.img or is it also necessary to flash vbmeta with disabled flags?

    Thank you in advance.
    If you flash the factory image, it also flashes vbmeta. To avoid doing it twice, change the line in the batch file that reads

    fastboot -w update redfin-image.zip

    to

    fastboot --disable-verity --disable-verification -w update redfin-image.zip

    Then, when the update finishes, patch and flash the boot image.

    If you do not disable verity and verification before modifying the boot image, you will get stuck in bootloader with an error message:

    "unable to load/verify boot image"
    2
    For just valid safetynet you need only
    04/09/21 v2
    (on this date Google had changed some behaviors on the server side, which was the reason why safetynet stopped working if you don't use the latest fixes. And the older dates are the fixes for safetynet in the past.)

    If you want to have an rooted phone you have to start at :
    "I wrote this entire tutorial already in this Thread, but I think it should be separated, so everyone can find it easier:"

    Then when you want to have valid safetynet just use the information on the latest Date.
    1
    This post describes how to patch magisk to a new firmware as long as no twrp recovery is available:

    At first download the specific rom:
    https://developers.google.com/android/images

    You need only the "Link". Flash is only for flashing the rom over an chromium browser.

    After downloaded the zip file open it, and you find another zip file. This zip file has to be extracted.

    Into the extracted zip is the file boot.img, extract it.

    Copy the boot.img to your p5 by usb.

    Install the last magisk manager Canary version on your p5:
    https://github.com/topjohnwu/Magisk

    Open magisk manager. In main menu click on install. In the new menu click on "select a file and patch it". Search for the copied boot.img on your p5 and select it.
    Wait for flash completion. And check if it's successful.

    Copy the file /sdcard/download/magisk_patched.img to your pc in the adb files directory.
    If you on the step to flash the boot image, you have to use the new file name.
    1
    So, the data wipe issue has been partly figured out.

    /data must be clean when verity and verification are disabled, once they have been enabled. Unfortunately for those on Android 11, there simply is no way around this.

    The good news is that once disabled, a data wipe is not required so long as they are not enabled again. The bad news is, we cannot let any update process boot the device into system without making sure both are disabled.

    This means no more automatic updates.

    So, we have two (well, three) available options for monthly updates:

    1. Sideload the OTA, then immediately reboot into bootloader, and reflash vbmeta with verity and verification disabled.

    Or...

    2. Flash the factory zip, either via ADB or Android Flash Tool, with verity and verification disabled.