12-03-2020, 11:51 PM
If you're into rooting and flashing custom recoveries then Android Verified Boot (AVB) or dmverity is something you should be aware of. We'd dropped a blog post on why dmverity could be causing your phone to get bricked when you try to root or flash a custom recovery.
A little history
Long ago, one-click root apks were a thing. Not anymore...at least till MTKsu brought back something similar to a few 64 bit Mediatek chipsets. Rooting later moved to flashing a custom recovery and SuperSU.zip...then Magisk came along.
We'd dropped a guide on how to root Android using Magisk Manager and stock boot.img and our Mediatek, Unisoc (Spreadtrum) and Qualcomm auto TWRP porters can give you a working TWRP in seconds.
All this was pretty straightforward till dmverity came along. In the first version, you needed to patch the boot.img. Magisk already does that so no worries there. Android 9 came along with AVB in the vbmeta partition...and things became a little more interesting.
Flashing a blank vbmeta before flashing a Magisk patched boot or TWRP custom recovery was the way around...till signed vbmeta came along. What this now means for devices with vbmeta-sign is that you must flash a customised but signed vbmeta before you can tamper with checked partitions.
This guide is going to show you how to do that on Unisoc / Spreadtrum (SPD)
Back to present day...
Luckily, many Unisoc OEMs were lazy enough to use the same key to sign vbmeta, and this guide capitalizes on that. I used Ubuntu for this guide because AVBtool kept giving errors. I'll update the guide if a fix for Windows is found.
Requirements
- Before proceeding with the guide below, ensure that you've been able to successfully unlock the bootloader of your device using this guide. If you were unable to unlock the bootloader of your device then it's likely the OEM of your device used a custom private key (.pem) and the guide on this thread will NOT work for your device unless you've somehow managed to get the key your OEM used to sign vbmeta. If you have your OEM's key then replace "rsa4096_vbmeta.pem" in the list of requirements with your OEM's key.
- vbmeta-sign.img extracted from a pac file for your model
- A Linux-based PC. Windows PC users should install python and openssl and add both to PATH, or use Linux Live USB (LiLi), VMware or VirtualBox
- Once booted to the Linux OS, ensure to check if python is installed and if it's not then install python
- Download zipped AVBtool (unzip after downloading) @ https://mega.nz/#!s7JEGCbA!9H2KJkppDGYbU...w7yLOHL9KA
- Depending on your device, download zipped (unzip after downloading) rsa4096_vbmeta.pem @ https://mega.nz/#!tjAg0K4R!sN-XJJe0ca5Ka...SlDNm59q10 or rsa2048_vbmeta.pem @ https://mega.nz/file/RmwTCIoa#UABBUOsERY...thIu9jtc0g
- Download vbmeta_pad.py based on your phone's stock vbmeta's content from the links below (unzip after downloading)
- For Android 8.x (usually with but not limited to 00 30 00 00 padding), download this zipped vbmeta_pad.py @ https://mega.nz/file/FLY0Eb4Q#zP0YHJPtbH...prKuqBJdR8 or vbmeta_pad.py
- For Android 9 (usually with but not limited to 00 40 00 00 padding) devices, download zipped vbmeta_pad.py @ https://mega.nz/#!5vJGyAib!Q-j402gC_lAO1...zO5MgB6ivg
- For Android 10 (usually with but not limited to 00 50 00 00 padding), download zipped vbmeta_pad.py @ https://mega.nz/file/NWQkTBYJ#Hu28sW9lMh...tsCWg7gNuk
- Extract the public keys from your vbmeta-sign.img as explained @ https://www.hovatek.com/forum/thread-32667.html and copy them into a folder named keys. We provided our vbmeta-sign.img and extracted public keys at the guide. Only use ours if your vbmeta-sign matches ours.
- The modified file you intend to flash to the device (e.g. boot.img, recovery.img, etc.). You only need this to extract certain info
- Know how to check file info using AVBtool (avbtool info_image) as explained @ https://www.hovatek.com/forum/thread-32666.html
- Generate a custom signing .pem key using OpenSSL or you could stick with using rsa4096_vbmeta.pem used to sign vbmeta.
- Check and take note of the padding size of your original vbmeta image using this guide
Steps to create a custom signed vbmeta.img for Unisoc using AVBtool
Follow the steps below to use AVBtool to create a custom signed vbmeta image for Unisoc / Spreadtrum (SPD)
See the video below or @ https://youtu.be/hcUv9EsR4kY
- The files and folders you have should look something like this:
- With all the required files in the same folder, launch Terminal by right-clicking in the folder and clicking Open Terminal
- Run the avbtool info_image command against vbmeta-sign.img, copy out the output and save it in a notepad. The vbmeta-sign in our example has a padded size of 16384 and a DHTB checksum, which needs to be added to the custom vbmeta image later on.
- Generate a public key from the (custom) private key you've decided to use to sign your images going forward. I'll be using an OpenSSL generated key (hovatek.pem) as my custom private key for this guide. Feel free to use rsa4096_vbmeta.pem if you like.
Code:
python avbtool extract_public_key --key hovatek.pem --output keys/hovatek.bin
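- This command will generate a file named hovatek.bin in the keys folder. This is the public key the custom vbmeta will carry for any partition I wish to flash to; images for those partitions must then be signed with the matching private key (hovatek.pem)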
- Generate a vbmeta-sign-custom.img file by running the command below. Note that I intend to flash a custom file to recovery partition so instead of using recovery's public key extracted from vbmeta-sign.img, I'll use my newly generated public key for recovery. Feel free to do same for other partitions you intend to flash to
Code:
python avbtool make_vbmeta_image --key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 2 \
  --chain_partition boot:1:keys/key_boot.bin \
  --chain_partition system:3:keys/key_system.bin \
  --chain_partition vendor:4:keys/key_vendor.bin \
  --chain_partition product:10:keys/key_product.bin \
  --chain_partition dtbo:9:keys/key_dtbo.bin \
  --chain_partition recovery:2:keys/hovatek.bin \
  --chain_partition l_modem:5:keys/key_l_modem.bin \
  --chain_partition l_ldsp:6:keys/key_l_ldsp.bin \
  --chain_partition l_gdsp:7:keys/key_l_gdsp.bin \
  --chain_partition pm_sys:8:keys/key_pm_sys.bin \
  --chain_partition dtb:11:keys/key_dtb.bin \
  --padding_size 16384 --output vbmeta-sign-custom.img
Note: the value for --algorithm was obtained from the avbtool info_image output for vbmeta-sign.img.
- Now I have a 16KB vbmeta-sign-custom.img file. I now need to add DHTB back to the same position as in vbmeta-sign.img. vbmeta_pad.py is the script for that. Run the code below:
Code:
python vbmeta_pad.py
- vbmeta-sign-custom.img should now become a 1MB file like vbmeta-sign.img. Now, you can flash vbmeta-sign-custom.img via fastboot
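The values the steps above read from avbtool info_image (algorithm, flags, sizes) can also be checked directly in the image header, which makes it easy to confirm what differs between the stock and the custom vbmeta before anything is flashed. This is an added example, not part of the original guide or of AVBtool; it assumes the standard 256-byte libavb vbmeta header layout, the sample images are constructed in the script, and the DHTB position used in them is a placeholder rather than the real Unisoc offset.

```python
import struct

# AVB vbmeta header: 256 bytes, big-endian (field order per libavb's AvbVBMetaImageHeader).
HEADER = struct.Struct(">4s2I2QI11Q2I48s80s")
ALGORITHMS = ["NONE", "SHA256_RSA2048", "SHA256_RSA4096", "SHA256_RSA8192",
              "SHA512_RSA2048", "SHA512_RSA4096", "SHA512_RSA8192"]
FLAG_HASHTREE_DISABLED = 1       # bit 0
FLAG_VERIFICATION_DISABLED = 2   # bit 1, the bit that "--flag 2" sets

def parse_vbmeta(image: bytes) -> dict:
    """Return the header fields this guide copies from the info_image output."""
    if len(image) < HEADER.size or image[:4] != b"AVB0":
        raise ValueError("not an AVB vbmeta image")
    f = HEADER.unpack_from(image)
    auth_size, aux_size, alg, flags = f[3], f[4], f[5], f[17]
    if alg >= len(ALGORITHMS):
        raise ValueError("unknown algorithm type %d" % alg)
    vbmeta_size = HEADER.size + auth_size + aux_size
    if vbmeta_size > len(image):
        raise ValueError("header sizes exceed the image length")
    dhtb = image.find(b"DHTB", vbmeta_size)  # DHTB marker, searched after the vbmeta blob
    return {
        "algorithm": ALGORITHMS[alg],
        "flags": flags,
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "hashtree_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "vbmeta_size": vbmeta_size,
        "image_size": len(image),
        "dhtb_offset": dhtb if dhtb >= 0 else None,
    }

def diff_fields(stock: dict, custom: dict) -> dict:
    """Fields that differ between the stock and the custom image."""
    return {k: (stock[k], custom[k]) for k in stock if stock[k] != custom[k]}

def build_sample(flags: int, total: int = 1 << 20) -> bytes:
    """Constructed test image, not a device dump; the DHTB position is a placeholder."""
    hdr = HEADER.pack(b"AVB0", 1, 0, 576, 2048, 2, *([0] * 11), flags, 0,
                      b"avbtool 1.1.0", b"")
    img = bytearray((hdr + bytes(576 + 2048)).ljust(total, b"\0"))
    img[total - 512:total - 508] = b"DHTB"
    return bytes(img)

if __name__ == "__main__":
    stock = parse_vbmeta(build_sample(flags=0))
    custom = parse_vbmeta(build_sample(flags=2))
    print(stock)
    print("differences:", diff_fields(stock, custom))
```

To use it on real files, pass the bytes of vbmeta-sign.img and vbmeta-sign-custom.img to parse_vbmeta instead of the constructed samples; the algorithm, image size and DHTB offset should match, and only the flags should differ.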
Important Notice
- For models with fastbootd support, you might need to flash vbmeta in fastbootd if flashing in fastboot freezes or gives errors.
- Your bootloader will only accept images signed with the key from which you generated your custom public key
- If you must flash back your stock rom, ensure to flash back your stock vbmeta-sign.img first
- Avoid trying to flash images which haven't been signed with the keys your bootloader is expecting to avoid an endless wait in Research Download tool or stuck at writing in fastboot
- Credit goes to Petercxy
Video Transcript
Quote: In this video tutorial, I'll be explaining how to create a custom signed vbmeta image. These are the files you're going to need: the public keys, you can extract these ones from the stock vbmeta, I'll link to a guide on how to do that. I also have my AVBtool. I have my hovatek.pem. It's a private key which I created with OpenSSL, I'll link to that also. I have my rsa.pem which is my key used to sign my vbmeta image. Once you launch terminal as I did while talking, you run this command. This command is to run a check on the stock vbmeta image so I can get the information I need for future commands like the algorithm used and hashes.
Next, I'm going to create a public key using my private key. I'm using hovatek.pem. You can decide to use the rsa.pem as your private key also even though you're using it to sign vbmeta image. When I run this command, it's going to create a file named hovatek.bin in the keys folder. This public key is going to be used to sign any partition I intend to flash a custom image to in the future. I'm going to be signing.. I'm going to be flashing to only recovery so I'm going to be signing only the recovery partition using this public key OK? Now, I'm going to run this command. This command is going to create my custom signed vbmeta image.
Now, I'm using the default public keys (extracted) from my stock vbmeta but for recovery, I'm going to replace the public key with my hovatek.bin public key. That means if I want to flash a recovery image to the recovery partition, I'll need to sign that recovery image using the hovatek.pem . I'll link to a guide on how to do that. Now, this command is going to create a vbmeta image which is 16kb. That's because the stock also has a padded size of 16kb but the overall size of stock is 1MB. That's because there's some Checksum that needs to be applied to a certain position. That's what this script is for, vbmeta_pad.py.
So you run this command also and this is going to generate a 1MB file. This is very identical to the stock. I'm going to run a command to see the information about or of this custom vbmeta image. When you compare it to the stock, you're going to see that it's very identical; maybe the flag will just be different, which is 2 to disable verity checks and the hash for recovery partition is going to be different. Every other thing is going to be identical to what I have in stock and they're both the same signature.
You're going to need the keys your OEM used to sign your stock vbmeta if not this guide is not going to work. Unisoc uses the same key across, at least so far uses the same key across their models so I have my vbmeta. You can now flash it using fastboot.