
Teclast M40Pro M1A1 custom signed vbmeta "Wait input time out"

mikau
Newbie
4
29-10-2023, 07:00 PM
#1



I'm trying to root my tablet, a Teclast M40 Pro (ID M1A1).
What I did:
  1. Unlocked the bootloader following this guide: https://www.hovatek.com/forum/thread-32287.html. I used the rsa4096_vbmeta.pem that starts "MIIJKQIBAAKCAgEA2ASv49OEbH4NiT3CjNMSVeliyfEPXswWcqtEfCxlSpS1FisA"
  2. Downloaded the official Firmware.pac
  3. Tried flashing it, to see if it worked (it did)
  4. Followed https://www.hovatek.com/forum/thread-32664.html to create a custom signed vbmeta. The command I ran for generating it was
    Code:

    python avbtool.py make_vbmeta_image --key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 --chain_partition boot:1:keys/boot --chain_partition dtbo:6:keys/dtbo  --chain_partition socko:13:keys/socko --chain_partition odmko:14:keys/odmko --chain_partition vbmeta_system:2:keys/vbmeta_system --chain_partition vbmeta_system_ext:3:keys/vbmeta_system_ext --chain_partition vbmeta_vendor:4:keys/vbmeta_vendor --chain_partition vbmeta_product:5:keys/vbmeta_product --chain_partition l_modem:7:keys/l_modem --chain_partition l_ldsp:8:keys/l_ldsp --chain_partition l_gdsp:9:keys/l_gdsp --chain_partition pm_sys:10:keys/pm_sys --chain_partition l_agdsp:11:keys/l_agdsp --chain_partition l_cdsp:12:keys/l_cdsp --padding_size 16384 --output vbmeta-sign-custom.img
    As you can see, I used the original keys extracted from vbmeta-sign.img for all partitions, since I first wanted to check if the process worked.
  5. Ran
    Code:

    python vbmeta_pad_10.py
    i.e. the padding script for Android 10. This could be an issue, since my device is running Android 11. I did however check that my vbmeta-sign.img has 00 50 00 00 padding:
    Code:

    000ffe00: 4448 5442 0100 0000 f75e 36d1 04e3 a298  DHTB.....^6.....
    000ffe10: 0e74 4440 c537 ef6b 44c3 6f9e 72d7 5171  .tD@.7.kD.o.r.Qq
    000ffe20: fc9f a794 d0f9 1763 0000 0000 0000 0000  .......c........
    000ffe30: 0050 0000 0000 0000 0000 0000 0050 0000  .P...........P..
  6. Tried using ResearchDownload R25.20.3901 (same as in step 3) to flash the new vbmeta-sign.img

This process got stuck at "Downloading" VBMETA, then failed with "Failed: Wait input time out". I also tried using fastboot to flash the image
Code:

fastboot flash vbmeta vbmeta-signed-custom.img
which succeeded, but resulted in a bootloop. I'm attaching both the original and the custom vbmeta-sign.img. The only difference in the output of
Code:

avbtool info_image
for the two is the different avbtool version numbers:
Code:

$ diff <(python avbtool.py info_image --image vbmeta-sign-custom.img) <(python avbtool.py info_image --image vbmeta-sign-orig.img)
10c10
< Release String:           'avbtool 1.2.0'
---
> Release String:           'avbtool 1.1.0'
Attached Files: vbmeta-sign-custom.img, vbmeta-sign-orig.img
mikau
Newbie
4
30-10-2023, 11:52 AM
#3
I've made a new discovery. I hunted down avbtool version 1.1.0, the one used to create my device's original vbmeta-sign.img. I then proceeded to repeat the process of trying to create an identical image myself.
Using the same commands, the two images differ only in the DHTB sections:
Code:

$ diff <(xxd vbmeta-sign-custom.img) <(xxd vbmeta-sign-orig.img)

65505,65508c65505,65508
< 000ffe00: 4448 5442 0100 0000 2585 c152 cd53 1dfd  DHTB....%..R.S..
< 000ffe10: 492d d680 72e1 6b9c 2e6c af7e f068 80e2  I-..r.k..l.~.h..
< 000ffe20: fd6b afb8 f45e ccff 0000 0000 0000 0000  .k...^..........
< 000ffe30: 0050 0000 0000 0000 0000 0000 0000 0000  .P..............
---
> 000ffe00: 4448 5442 0100 0000 f75e 36d1 04e3 a298  DHTB.....^6.....
> 000ffe10: 0e74 4440 c537 ef6b 44c3 6f9e 72d7 5171  .tD@.7.kD.o.r.Qq
> 000ffe20: fc9f a794 d0f9 1763 0000 0000 0000 0000  .......c........
> 000ffe30: 0050 0000 0000 0000 0000 0000 0050 0000  .P...........P..
It seems that what vbmeta_pad.py is doing to generate the DHTB section isn't correct.
maxpayne
Intern
4,448
30-10-2023, 12:18 PM
#4
(29-10-2023, 07:00 PM)mikau ......
Code:

avbtool info_image
for the two is the different avbtool version numbers:
Code:

$ diff <(python avbtool.py info_image --image vbmeta-sign-custom.img) <(python avbtool.py info_image --image vbmeta-sign-orig.img)
10c10
< Release String:           'avbtool 1.2.0'
---
> Release String:           'avbtool 1.1.0'

This difference is because of the avbtool and therefore Python you used. You used avbtool for Python 3 and Python 3. Try using avbtool for Python 2 and Python 2 instead.
I'll check the padding while you're at it.
maxpayne
Intern
4,448
30-10-2023, 01:02 PM
#5



The error was from the padding size you used. It should be 20480 but you used 16384.
So stick with avbtool for Python 2, use Python 2 and use 20480 as your padding size. Let's see.
mikau
Newbie
4
30-10-2023, 01:04 PM
#6
(30-10-2023, 12:18 PM)maxpayne
(29-10-2023, 07:00 PM)mikau ......
Code:

avbtool info_image
for the two is the different avbtool version numbers:
Code:

$ diff <(python avbtool.py info_image --image vbmeta-sign-custom.img) <(python avbtool.py info_image --image vbmeta-sign-orig.img)
10c10
< Release String:           'avbtool 1.2.0'
---
> Release String:           'avbtool 1.1.0'

This difference is because of the avbtool and therefore Python you used. You used avbtool for Python 3 and Python 3. Try using avbtool for Python 2 and Python 2 instead.
I'll check the padding while you're at it.
I thought the padding might be wrong. I wrote a small script taking padding bytes off the end and recalculating the hash until I got the same as the original img file. Turns out the correct amount of padding is 10240. After that I still need to change byte 0xFFE3D from 0x00 to 0x50.
Doing that with avbtool 1.1.0 gives me an image identical to the original which then gets accepted during flashing.

Changing --flags from 0 to 2 however leaves me with a bootloop. Interestingly, the screen is blank during this, but you can tell it is bootlooping because of the static coming out of the speakers.
mikau
Newbie
4
30-10-2023, 01:33 PM
#7
IT WORKS!!!!

The avbtool version didn't end up mattering, neither did the python version. Using a padding size of 10240 gives a file with size 20480, which gives the correct sha256 hash.
I used a modified vbmeta.py to put that pesky 0x50 in the right place:
Code:

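import hashlib

IMAGE = "vbmeta-sign-custom.img"
TOTAL_SIZE = 1048576               # size of the final padded image (1 MiB)
FOOTER_OFFSET = TOTAL_SIZE - 512   # DHTB footer starts at 0xffe00

# Read the image produced by avbtool and hash all of it;
# this SHA-256 is what gets stored in the DHTB footer.
with open(IMAGE, "rb") as f:
    b = f.read()

sha = hashlib.sha256(b).digest()

# Rewrite the file: original bytes first, then the footer near the end.
with open(IMAGE, "wb") as f:
    f.write(b)
    f.seek(FOOTER_OFFSET)

    # "DHTB" magic followed by 01 00 00 00
    f.write(b'\x44\x48\x54\x42\x01\x00\x00\x00')
    f.write(sha)
    # Eight zero bytes, then 00 50 00 00 at 0xffe30 (0x5000 = 20480)
    f.write(b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x00\x00')
    # The second 0x50 that the original image has at 0xffe3d
    f.seek(0xffe3d)
    f.write(b'\x50')
    # Write the last byte so the file is exactly 1 MiB long
    f.seek(TOTAL_SIZE - 1)
    f.write(b'\x00')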
Signed the magisk-modified boot image, added the key to vbmeta, flashed and it works.

Thanks so much for the help, even though I ended up figuring out a lot of it myself in parallel.
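As an added example (not code from this thread or from the forum's padding scripts), the following reads a DHTB footer back and checks it against the payload, including the search for the hashed length described in post #6. The field offsets (+0x08 digest, +0x30 and +0x3c little-endian sizes) are assumptions inferred from the hex dumps above, and the sample image is constructed.

```python
import hashlib
import struct

FOOTER_LEN = 512  # footer is the last 512 bytes (0xffe00 in a 1 MiB image)

def parse_dhtb(image):
    """Decode footer fields at the offsets visible in the thread's hex dumps."""
    footer = image[-FOOTER_LEN:]
    if footer[:4] != b"DHTB":
        raise ValueError("no DHTB magic at start of footer")
    size_a, = struct.unpack_from("<I", footer, 0x30)
    size_b, = struct.unpack_from("<I", footer, 0x3C)
    return {"digest": footer[8:40], "size_a": size_a, "size_b": size_b}

def find_payload_len(image, digest, step=512):
    """Find the prefix length whose SHA-256 equals the stored digest."""
    h = hashlib.sha256()
    for end in range(step, len(image) - FOOTER_LEN + 1, step):
        h.update(image[end - step:end])   # incremental: each byte hashed once
        if h.digest() == digest:
            return end
    return None

def check(image):
    """Return a list of inconsistencies between footer and payload."""
    f = parse_dhtb(image)
    problems = []
    if hashlib.sha256(image[:f["size_a"]]).digest() != f["digest"]:
        problems.append("digest does not match first size_a bytes")
    if f["size_b"] != f["size_a"]:
        problems.append("size at +0x3c differs from size at +0x30")
    return problems

def build_sample(payload_len=20480, total=1048576, second_size=True):
    """Constructed test image: dummy payload, zero fill, DHTB footer."""
    payload = bytes(i % 251 for i in range(payload_len))
    size = struct.pack("<I", payload_len)
    footer = (b"DHTB\x01\x00\x00\x00" + hashlib.sha256(payload).digest()
              + bytes(8) + size + bytes(8) + (size if second_size else bytes(4)))
    body = payload.ljust(total - FOOTER_LEN, b"\x00")
    return body + footer.ljust(FOOTER_LEN, b"\x00")

if __name__ == "__main__":
    # Constructed image missing the second size field, like the custom dump in post #3
    img = build_sample(second_size=False)
    print(find_payload_len(img, parse_dhtb(img)["digest"]), check(img))
```

Running `check()` on a freshly padded image before flashing shows whether the footer matches the stock layout without needing a byte-for-byte diff against the original.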
maxpayne
Intern
4,448
30-10-2023, 11:25 PM
#8
(30-10-2023, 01:33 PM)mikau IT WORKS!!!!

The avbtool version didn't end up mattering, neither did the python version. Using a padding size of 10240 gives a file with size 20480, which gives the correct sha256 hash.
I used a modified vbmeta.py to put that pesky 0x50 in the right place:
...

Yes, you were right about also adding that 0x50; I missed that. The padding too doesn't seem to change much (I'll have to test this theory on an actual device), but based on my test, the avbtool version used actually seems to matter because I got different DHTB signatures for each, with everything else (the command) being equal. Whether or not this difference matters would have to be seen on an actual device.