[Tutorial] How to use AVBtool and a private key to sign a Unisoc (SPD) image

Hovatek Forum

[Tutorial] How to use AVBtool and a private key to sign a Unisoc (SPD) image - Printable Version

+- Hovatek Forum (https://www.hovatek.com/forum)
+-- Forum: DEVELOPMENT (https://www.hovatek.com/forum/forum-38.html)
+--- Forum: Android (https://www.hovatek.com/forum/forum-39.html)
+--- Thread: [Tutorial] How to use AVBtool and a private key to sign a Unisoc (SPD) image (/thread-32674.html)

Pages: 1 2 3 4

How to use AVBtool and a private key to sign a Unisoc (SPD) image - hovatek - 13-03-2020

This guide will explain how to sign Unisoc / Spreadtrum (SPD) images (e.g boot, recovery etc) using a private key and AVBtool. This guide is ideal for those with vbmeta-sign.img in their firmware as such devices will only accept images signed with keys that match what's contained in the device's vbmeta partition.

Requirements

An Unlocked Bootloader
A custom signed vbmeta image which has already been flashed to the device
If you'd replaced the stock public keys for any partition while creating your custom signed vbmeta then you'll need the private key (used to generate your custom public key) for signing any image you intend to flash to that partition. I'd used hovatek.pem
A Linux-based PC. Windows users can use Vmware or Linux Live USB or VMWare Workstation Player. I'm using Ubuntu via Live USB on my Windows PC for this guide
Download zipped AVBtool python script (unzip after downloading) @ https://mega.nz/#!s7JEGCbA!9H2KJkppDGYbUefQ87QXJBNHXZCSVxen3w7yLOHL9KA . Python v3 users can use this avbtool.py @ https://mega.nz/file/VtQlgTBS#Ftvh_waarwhuOVnfNbFaSBZJMiNLKYHtSKoiH95VSAo
The image you intend to flash and its stock version (e.g twrp image and stock recovery image). This guide will be using recovery_stock.img (stock) and recovery_magisk.img (magisk patched recovery).

Steps to use AVBtool and a private key to sign a Unisoc (SPD) image

Follow the steps below to sign boot.img, recovery.img etc images using avbtool

See the video below or @ https://youtu.be/ggUcN4xcLkI

Right-click in the folder where all your files are (avbtool, key and images) and click Open in Terminal
Run this command

Code:
python avbtool info_image --image recovery_stock.img

You sometimes need to use 'python2 or 'python3' instead of 'python' depending on your setup.
You should get an output like:

Code:
Footer version: 1.0 Image size: 41943040 bytes Original image size: 23742464 bytes VBMeta offset: 23744512 VBMeta size: 2112 bytes -- Minimum libavb version: 1.0 Header Block: 256 bytes Authentication Block: 576 bytes Auxiliary Block: 1280 bytes Algorithm: SHA256_RSA4096 Rollback Index: 0 Flags: 0 Release String: 'avbtool 1.1.0' Descriptors: Hash descriptor: Image Size: 23742464 bytes Hash Algorithm: sha256 Partition Name: recovery Salt: 6d13e635e505f337460c4e0f9d22be4a96518ceee422511cca6c6113cd96fa25 Digest: 75ab9441053eb877eb2c95f1dd3474beeead5437a9a16c3d09efe931c4d16693 Flags: 0
From the output, take note of the Image size, Algorithm and Partition Name. You'll need them in the next command. Next, run:

Code:
python avbtool add_hash_footer --image recovery_magisk.img --partition_name recovery --partition_size 41943040 --key hovatek.pem --algorithm SHA256_RSA4096

The variables in this command are:
--image - the file name of the image you wish to sign
--partition_name the partition this image belongs to
--partition_size - Obtained from Image size in the output above
--key - The primary key used to generate your public keys
--algorithm - Obtained from Algorithm in the output above
Now, you'll have a magisk patched recovery image which is identical in size to stock and has been signed with your private key.

Important Notice

If you encounter an error such as avbtool: Image size of 36700160 exceeds maximum image size of 36630528 in order to fit in a partition size of 36700160, simply unpack and repack your magisk patched boot image using Android Image Kitchen. This will reduce the size.
Recall I'd used hovatek.pem private key to create hovatek.bin public key which I'd then used to sign recovery partition when creating my custom signed vbmeta. The custom signed vbmeta first needs to have been flashed to the device else it won't accept this newly signed recovery image
You can repeat the same procedure for other partitions. Just replace recovery in the command with the partition name e.g. boot. You also need to have signed that partition using your custom public key back when creating your custom signed vbmeta
Credits goes to Petercxy

RE: How to use AVBtool and a private key to sign a Unisoc (SPD) image - Abatoir - 17-06-2020

(13-03-2020, 05:32 PM)hovatek Wrote: ...

How can I rectify this issue? https://imgur.com/fs7KHaX

RE: How to use AVBtool and a private key to sign a Unisoc (SPD) image - X3non - 18-06-2020

(17-06-2020, 11:34 AM)Abatoir Wrote: How can I rectify this issue? https://imgur.com/fs7KHaX

if using windows OS, install both python and openssl and ensure that both are added into PATH
if using linux OS, you might want to try installing python 2.x , openssl should be installed by default but you can check to confirm if not the install openssl as well

if you still have problems then create a new thread for your device issue by clicking "ask question" at the top

RE: How to use AVBtool and a private key to sign a Unisoc (SPD) image - Abatoir - 19-06-2020

(18-06-2020, 02:57 PM)X3non Wrote:
(17-06-2020, 11:34 AM)Abatoir Wrote: How can I rectify this issue?

if using windows OS, install both python and openssl and ensure that both are added into PATH
if using linux OS, you might want to try installing python 2.x , openssl should be installed by default but you can check to confirm if not the install openssl as well

if you still have problems then create a new thread for your device issue by clicking "ask question" at the top

thnk you, i shall post results asap.

RE: How to use AVBtool and a private key to sign a Unisoc (SPD) image - ch3mn3y - 17-09-2020

I'm trying to sign magisk patched boot.img using rsa4096_vbmeta.pem which I have as my publickey.bin file.
Unfortunately avbtool seems to not treat patched boot as boot...

I got error like this:

Code:
>python avbtool.py add_hash_footer --image boot.img --partition_name boot --partition_size 36700160 --key publickey.bin --algorithm SHA256_RSA4096

usage: avbtool.py add_hash_footer [-h] [--image IMAGE]

                                  [--partition_size PARTITION_SIZE]

                                  [--partition_name PARTITION_NAME]

                                  [--hash_algorithm HASH_ALGORITHM]

                                  [--salt SALT] [--calc_max_image_size]

                                  [--output_vbmeta_image OUTPUT_VBMETA_IMAGE]

                                  [--do_not_append_vbmeta_image]

                                  [--algorithm ALGORITHM] [--key KEY]

                                  [--signing_helper APP]

                                  [--signing_helper_with_files APP]

                                  [--public_key_metadata KEY_METADATA]

                                  [--rollback_index ROLLBACK_INDEX]

                                  [--append_to_release_string STR]

                                  [--prop KEY:VALUE]

                                  [--prop_from_file KEY:PATH]

                                  [--kernel_cmdline CMDLINE]

                                  [--setup_rootfs_from_kernel IMAGE]

                                  [--include_descriptors_from_image IMAGE]

                                  [--print_required_libavb_version]

                                  [--chain_partition PART_NAME:ROLLBACK_SLOT:KEY_PATH]

                                  [--flags FLAGS]

                                  [--set_hashtree_disabled_flag]

                                  [--use_persistent_digest] [--do_not_use_ab]

avbtool.py add_hash_footer: error: argument --image: invalid FileType('rab+') value: 'boot.img'

Tried different file names (thought that may be the problem, like standard "magisk_patched" or "boot_magisk".

EDIT: Same problem with stock boot...

RE: How to use AVBtool and a private key to sign a Unisoc (SPD) image - hovatek - 19-09-2020

(17-09-2020, 10:42 PM)ch3mn3y Wrote: I'm trying to sign magisk patched boot.img using rsa4096_vbmeta.pem which I have as my publickey.bin file.
Unfortunately avbtool seems to not treat patched boot as boot...

I got error like this:

Code:
>python avbtool.py add_hash_footer --image boot.img --partition_name boot --partition_size 36700160 --key publickey.bin --algorithm SHA256_RSA4096 usage: avbtool.py add_hash_footer [-h] [--image IMAGE] [--partition_size PARTITION_SIZE] [--partition_name PARTITION_NAME] [--hash_algorithm HASH_ALGORITHM] [--salt SALT] [--calc_max_image_size] [--output_vbmeta_image OUTPUT_VBMETA_IMAGE] [--do_not_append_vbmeta_image] [--algorithm ALGORITHM] [--key KEY] [--signing_helper APP] [--signing_helper_with_files APP] [--public_key_metadata KEY_METADATA] [--rollback_index ROLLBACK_INDEX] [--append_to_release_string STR] [--prop KEY:VALUE] [--prop_from_file KEY:PATH] [--kernel_cmdline CMDLINE] [--setup_rootfs_from_kernel IMAGE] [--include_descriptors_from_image IMAGE] [--print_required_libavb_version] [--chain_partition PART_NAME:ROLLBACK_SLOT:KEY_PATH] [--flags FLAGS] [--set_hashtree_disabled_flag] [--use_persistent_digest] [--do_not_use_ab] avbtool.py add_hash_footer: error: argument --image: invalid FileType('rab+') value: 'boot.img'

Tried different file names (thought that may be the problem, like standard "magisk_patched" or "boot_magisk".

EDIT: Same problem with stock boot...

create a new thread by clicking Ask Question at the top.
In the thread, add a screenshot of the folder containing avbtool and other files
also a screenshot of the command(s) you ran

RE: How to use AVBtool and a private key to sign a Unisoc (SPD) image - danpizzy - 20-09-2020

python avbtool info_image --image vbmeta-sign.img
avbtool: Given image does not look like a vbmeta image.

got this error on itel p33 plus

RE: How to use AVBtool and a private key to sign a Unisoc (SPD) image - X3non - 21-09-2020

(20-09-2020, 11:13 PM)danpizzy Wrote: python avbtool info_image --image vbmeta-sign.img
avbtool: Given image does not look like a vbmeta image.

got this error on itel p33 plus

see the fix for your vbmeta type @ https://www.hovatek.com/forum/thread-32666-post-194924.html#pid194924

RE: How to use AVBtool and a private key to sign a Unisoc (SPD) image - humni - 11-10-2020

(19-09-2020, 08:32 AM)hovatek Wrote:
(17-09-2020, 10:42 PM)ch3mn3y Wrote: I'm trying to sign magisk patched boot.img using rsa4096_vbmeta.pem which I have as my publickey.bin file.
Unfortunately avbtool seems to not treat patched boot as boot...

I got error like this:

Code:
>python avbtool.py add_hash_footer --image boot.img --partition_name boot --partition_size 36700160 --key publickey.bin --algorithm SHA256_RSA4096 usage: avbtool.py add_hash_footer [-h] [--image IMAGE] [--partition_size PARTITION_SIZE] [--partition_name PARTITION_NAME] [--hash_algorithm HASH_ALGORITHM] [--salt SALT] [--calc_max_image_size] [--output_vbmeta_image OUTPUT_VBMETA_IMAGE] [--do_not_append_vbmeta_image] [--algorithm ALGORITHM] [--key KEY] [--signing_helper APP] [--signing_helper_with_files APP] [--public_key_metadata KEY_METADATA] [--rollback_index ROLLBACK_INDEX] [--append_to_release_string STR] [--prop KEY:VALUE] [--prop_from_file KEY:PATH] [--kernel_cmdline CMDLINE] [--setup_rootfs_from_kernel IMAGE] [--include_descriptors_from_image IMAGE] [--print_required_libavb_version] [--chain_partition PART_NAME:ROLLBACK_SLOT:KEY_PATH] [--flags FLAGS] [--set_hashtree_disabled_flag] [--use_persistent_digest] [--do_not_use_ab] avbtool.py add_hash_footer: error: argument --image: invalid FileType('rab+') value: 'boot.img'

Tried different file names (thought that may be the problem, like standard "magisk_patched" or "boot_magisk".

EDIT: Same problem with stock boot...

create a new thread by clicking Ask Question at the top.
In the thread, add a screenshot of the folder containing avbtool and other files
also a screenshot of the command(s) you ran

I also ran into this issue. This is to do with a bit encoding issue which affects Windows only. The Magisk patch meant that windows could not open the file in binary mode and hence preventing the script from running. I instead ran the command using WSL2 (Ubuntu sub system) and it worked like a charm.

RE: How to use AVBtool and a private key to sign a Unisoc (SPD) image - gradkal - 12-10-2020

After trying to sign an img in Ubuntu 20.4 with:

python avbtool add_hash_footer --image magisk_patched.img --partition_name boot --partition_size 36700160 --key keys/gk_custom.bin --algorithm SHA256_RSA4096

I always get an error like this:
avbtool: Image size of 36700160 exceeds maximum image size of 36630528 in order to fit in a partition size of 36700160.

The named partition_size is correct. info_img gives:

python avbtool info_image --image original_boot.img
Footer version: 1.0
Image size: 36700160 bytes
Original image size: 17532928 bytes
VBMeta offset: 17534976
VBMeta size: 2176 bytes

Any hints for this?

Edit: Had the wrong Magisk Manager version. The latest canary version doesn´t patch the image the right way. Tried it again with release 8.0.2 and patching worked well. No error with signing then. Problem solved.