How to create custom vbmeta to bypass dm-verity?
#1

Post: 1 by bapsidirka



Hello,

I am trying to do exactly what this user did with Custom vbmeta and Signed boot image.

https://www.hovatek.com/forum/thread-42870.html

Device: OnePlus NORD CE 2 5G

I can Unlock and Re-lock the Bootloader, Flash any partition including vbmeta and boot.

I want to flash a patched boot image, add its sha1 to vbmeta and bypass dm-verity.

Device firmware contains 'vbmeta.img' and not 'vbmeta-sign.img'.

How should I proceed from here to extract signing keys or create custom vbmeta containing the sha1 of new boot image?

#2

Post: 2 by bapsidirka

step 1 - contents of original vbmeta

    Minimum libavb version: 1.0
    Header Block: 256 bytes
    Authentication Block: 320 bytes
    Auxiliary Block: 3136 bytes
    Algorithm: SHA256_RSA2048
    Rollback Index: 0
    Flags: 0
    Release String: 'avbtool 1.1.0'
    Descriptors:
        Chain Partition descriptor:
          Partition Name: vbmeta_system
          Rollback Index Location: 2
          Public key (sha1): 1a130f9ac8720d5c66e8b62c92505173633166f6
        Chain Partition descriptor:
          Partition Name: vbmeta_vendor
          Rollback Index Location: 4
          Public key (sha1): 1a130f9ac8720d5c66e8b62c92505173633166f6
        Chain Partition descriptor:
          Partition Name: boot
          Rollback Index Location: 3
          Public key (sha1): 1a130f9ac8720d5c66e8b62c92505173633166f6
        Prop: com.android.build.system.os_version -> '11'
        Prop: com.android.build.system.security_patch -> '2022-04-05'
        Prop: com.android.build.vendor.security_patch -> '2022-04-05'
        Prop: com.android.build.boot.security_patch -> '2022-04-05'
        Prop: com.android.build.dtbo.fingerprint -> 'alps/vnd_oplus6877/oplus6877:11/RP1A.200720.011/1650817892671:user/release-keys'
        Hash descriptor:
          Image Size: 1267984 bytes
          Hash Algorithm: sha256
          Partition Name: dtbo
          Salt: e7e07c65e55afe11fa0f6d3bc044faaf723df9b4cd73d3e1464ca51ffc338564
          Digest: 91a763c1ccfa8fbd8f3b17c276af3b3c7ebf1348849a8a78723d140eeccf560a
          Flags: 0

I want to update this vbmeta with new sha1 of patched boot image. What should I do next?
#3

Post: 3 by Gargoyle

Trying unnecessarily, this method only works with Unisoc, not MediaTek.
#4

Post: 4 by bapsidirka

(26-06-2022, 06:16 PM)Gargoyle Wrote:  Trying unnecessarily, this method only works with Unisoc, not MediaTek.

Is it because the 'private key' is mandatory to create custom vbmeta?
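
An added example (not posted by anyone in this thread, and not Hovatek's or avbtool's own code) that reads the header fields shown in the dump in post 2 and recomputes the digest a verifier compares against the authentication block. The digest, and the RSA signature stored next to it, cover the header plus the whole auxiliary block, which is where the descriptors and the public key live. The sample image is constructed: only its block sizes, algorithm and release string come from post 2, and the signature bytes are a zero placeholder that is not checked.

```python
import hashlib
import struct

# AvbVBMetaImageHeader: 256 bytes, big-endian (the layout avbtool packs).
HEADER_FMT = "!4s2L2QL11QL4x47sx80x"
ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096", 3: "SHA256_RSA8192"}

def parse_header(image: bytes) -> dict:
    """Decode the header block at the start of a vbmeta image."""
    f = struct.unpack(HEADER_FMT, image[:256])
    if f[0] != b"AVB0":
        raise ValueError("missing AVB0 magic")
    return {"libavb": f"{f[1]}.{f[2]}", "auth_size": f[3], "aux_size": f[4],
            "algorithm": ALGORITHMS.get(f[5], f"other({f[5]})"),
            "hash_offset": f[6], "hash_size": f[7],
            "rollback_index": f[16], "flags": f[17],
            "release": f[18].rstrip(b"\0").decode()}

def digest_matches(image: bytes) -> bool:
    """Recompute SHA-256 over header + auxiliary block and compare it with the
    digest stored in the authentication block. The RSA signature is not checked."""
    h = parse_header(image)
    if not h["algorithm"].startswith("SHA256"):
        raise ValueError("this example only handles SHA-256 algorithms")
    aux_start = 256 + h["auth_size"]
    auth = image[256:aux_start]
    aux = image[aux_start:aux_start + h["aux_size"]]
    stored = auth[h["hash_offset"]:h["hash_offset"] + h["hash_size"]]
    return hashlib.sha256(image[:256] + aux).digest() == stored

def build_sample() -> bytes:
    """Constructed image using the block sizes from post 2; the auxiliary bytes
    and the signature are placeholders, not data from the device."""
    aux = b"\x5a" * 3136
    header = struct.pack(HEADER_FMT, b"AVB0", 1, 0, 320, 3136, 1,
                         0, 32, 32, 256, 0, 0, 0, 0, 0, 0, 0,  # offsets/sizes, rollback
                         0, b"avbtool 1.1.0")                  # flags, release string
    digest = hashlib.sha256(header + aux).digest()
    auth = (digest + b"\0" * 256).ljust(320, b"\0")  # digest, then zeroed signature
    return header + auth + aux

if __name__ == "__main__":
    img = build_sample()
    print(parse_header(img))
    print("untouched image:", digest_matches(img))
    edited = bytearray(img)
    edited[-1] ^= 1  # any changed byte in the auxiliary block
    print("edited auxiliary block:", digest_matches(bytes(edited)))
```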