
custom signed [stock recovery image] unbootable


albert_ein
Newbie
4
14-01-2024, 10:25 PM
#1



my device: 

Alcatel 1S 2019

Android 9.0 (Pie)

Unisoc SC9863 (28nm)

Models: 5024D_EEA

According to the Magisk app, its partition isn't A/B type nor has a ramdisk boot partition.

operation platform:
most operations on the Debian 11 x64, the others on the Windows 10 x64

my Process:
1. first went through this: https://www.hovatek.com/forum/thread-32287.html
result:
(the OEM unlock option turned grey in developer options after the data was wiped)
many fastboot commands still get
FAILED (remote: 'unknown cmd.')
FAILED (remote: 'not implemented')
fastboot: error: Command failed

2. Anyway, I decided to keep going with this: https://www.hovatek.com/forum/thread-32664.html

I keep using rsa4096_vbmeta.pem from [Hovatek] modified_fastboot.zip
python3 avbtool.py extract_public_key --key modified_fastboot/rsa4096_vbmeta.pem --output modified_fastboot/rsa4096_vbmeta.bin
=>
-rw-r--r--  1 1.1K Jan 14 17:02 rsa4096_vbmeta.bin

I use https://www.hovatek.com/forum/thread-31800.html to extract vbmeta-sign_COM4.img and recovery_COM4.img from my phone directly
(I also managed to get a firmware named "5024D_EEA_ALWE_2SIM_V3.9_20200514_UNLOCK" from needrom which has a pac, though it is different from [ro.build.display.id]: [5024D_EEA_ALWE_2SIM_V4.7_20210508_UNLOCK] which showed in getprop)

result:

python3 avbtool.py make_vbmeta_image --key \
                  modified_fastboot/rsa4096_vbmeta.pem \
                  --algorithm SHA256_RSA4096 --flag 2 \
                  --chain_partition boot:1:keys/key_boot.bin \
                  --chain_partition system:3:keys/key_system.bin \
                  --chain_partition vendor:4:keys/key_vendor.bin \
                  --chain_partition product:10:keys/key_product.bin \
                  --chain_partition dtbo:9:keys/key_dtbo.bin \
                  --chain_partition recovery:2:keys/rsa4096_vbmeta.bin \
                  --chain_partition l_modem:5:keys/key_l_modem.bin \
                  --chain_partition l_ldsp:6:keys/key_l_ldsp.bin \
                  --chain_partition l_gdsp:7:keys/key_l_gdsp.bin \
                  --chain_partition pm_sys:8:keys/key_pm_sys.bin \
                  --chain_partition dtb:11:keys/key_dtb.bin \
                  --padding_size 16384 \
                  --output vbmeta-sign-custom.img

=> -rw-r--r--  1  16K Jan 14 17:23  vbmeta-sign-custom.img

after padding

=> -rw-r--r--  1 1.0M Jan 14 17:30  vbmeta-sign-custom-pad.img

I did check and compare all the images with

python3 avbtool.py info_image --image x.img

and made sure the only difference is recovery's public key

sudo ./fastboot flash vbmeta vbmeta-sign-custom-pad.img
=>
target didn't report max-download-size
sending 'vbmeta' (1024 KB)...
OKAY [  0.043s]
writing 'vbmeta'...
OKAY [  0.343s]
finished. total time: 0.386s

At this point I tried to ./adb reboot recovery but failed (stuck on the device launch logo), so I continued to flash the custom signed recovery:

python3 avbtool.py add_hash_footer --image x.img \
                                  --partition_name recovery \
                                  --partition_size 41943040 \
                                  --key modified_fastboot/rsa4096_vbmeta.pem \
                                  --algorithm SHA256_RSA4096

(I got an unofficial TWRP for sc9863a)

sudo ./fastboot flash recovery x.img

But no matter whether I flash signed_unofficial_twrp or signed_recovery_COM4.img, they are all unbootable.
After successfully writing and rebooting to Android, then running ./adb reboot recovery, the screen is stuck on the logo (the normal launch screen with "powered by android" at the bottom).

In the meantime, I could boot into the Android system and bootloader normally.

I even tried to flash the original recovery_COM4.img and it even failed during write (which I deemed as the new vbmeta having worked).

So I flashed the original vbmeta and recovery back, and everything returned to normal, including the stock version recovery mode, which confused me a lot.....

At least I think I flashed vbmeta and signed it successfully, but I don't know why I failed on the recovery.....

------------------------------------------------------------------------
below is info of images:

vbmeta-sign.img (the one downloaded from needrom and the one extracted from the phone are the same)
Minimum libavb version:  1.0
Header Block:            256 bytes
Authentication Block:    576 bytes
Auxiliary Block:          13504 bytes
Public key (sha1):        2597c218aae470a130f61162feaae70afd97f011
Algorithm:                SHA256_RSA4096
Rollback Index:          0
Flags:                    0
Rollback Index Location:  0
Release String:          'avbtool 1.1.0'
Descriptors:
...
      Partition Name:          recovery
      Rollback Index Location: 2
      Public key (sha1):      d9093b9a181bdb5731b44d60a9f850dc724e2874
...

vbmeta-sign-custom.img (the one I custom signed with rsa4096_vbmeta)
Minimum libavb version:  1.0
Header Block:            256 bytes
Authentication Block:    576 bytes
Auxiliary Block:          13504 bytes
Public key (sha1):        2597c218aae470a130f61162feaae70afd97f011
Algorithm:                SHA256_RSA4096
Rollback Index:          0
Flags:                    2
Rollback Index Location:  0
Release String:          'avbtool 1.2.0'
...
      Partition Name:          recovery
      Rollback Index Location: 2
      Public key (sha1):      2597c218aae470a130f61162feaae70afd97f011
...

stock recovery recovery_COM4.img:
Footer version:          1.0
Image size:              41943040 bytes
Original image size:      23904256 bytes
VBMeta offset:            23904256
VBMeta size:              2112 bytes
--
Minimum libavb version:  1.0
Header Block:            256 bytes
Authentication Block:    576 bytes
Auxiliary Block:          1280 bytes
Public key (sha1):        d9093b9a181bdb5731b44d60a9f850dc724e2874
Algorithm:                SHA256_RSA4096
Rollback Index:          0
Flags:                    0
Rollback Index Location:  0
Release String:          'avbtool 1.1.0'
Descriptors:
    Hash descriptor:
      Image Size:            23904256 bytes
      Hash Algorithm:        sha256
      Partition Name:        recovery
      Salt:                  0cf8fa836005623160c8900b61fb280b801f30a00850e87083e3121a0e0fab76
      Digest:                b1055575863dff9eeba53c4ad938f531069227727f2d666856fd517039755937
      Flags:                0

custom signed unofficial twrp:
Footer version:          1.0
Image size:              41943040 bytes
Original image size:      31289344 bytes
VBMeta offset:            31289344
VBMeta size:              2112 bytes
--
Minimum libavb version:  1.0
Header Block:            256 bytes
Authentication Block:    576 bytes
Auxiliary Block:          1280 bytes
Public key (sha1):        2597c218aae470a130f61162feaae70afd97f011
Algorithm:                SHA256_RSA4096
Rollback Index:          0
Flags:                    0
Rollback Index Location:  0
Release String:          'avbtool 1.1.0'
Descriptors:
    Hash descriptor:
      Image Size:            31289344 bytes
      Hash Algorithm:        sha256
      Partition Name:        recovery
      Salt:                  1f5df6b8308b9b1e7080b3f0ff0db2aa127eec4fe4daca73c3ae467b3ba21cc2
      Digest:                d3f455dd188e884d51f1c745de8324a37b80c5aa2d08ed4529bfc76571c35356
      Flags:                0


custom signed stock recovery:
Footer version:          1.0
Image size:              41943040 bytes
Original image size:      23904256 bytes
VBMeta offset:            23904256
VBMeta size:              2112 bytes
--
Minimum libavb version:  1.0
Header Block:            256 bytes
Authentication Block:    576 bytes
Auxiliary Block:          1280 bytes
Public key (sha1):        2597c218aae470a130f61162feaae70afd97f011
Algorithm:                SHA256_RSA4096
Rollback Index:          0
Flags:                    0
Rollback Index Location:  0
Release String:          'avbtool 1.2.0'
Descriptors:
    Hash descriptor:
      Image Size:            23904256 bytes
      Hash Algorithm:        sha256
      Partition Name:        recovery
      Salt:                  3e4f7d3b2445f793668a7fc3a5ef1a9098aa08eecb4dcb06e2ffbf76542b87c8
      Digest:                c030b0e881db9a9447d0ab2060834e61efd6b1c5fd182af09ac291640995d23b
      Flags:                0
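
Added example, not part of the original post: a small cross-check of the `info_image` fields quoted above, confirming that the key a vbmeta chain descriptor expects for `recovery` is the key that signed the recovery image footer. The function names (`parse_info`, `chain_problems`, `matrix`) are hypothetical, and the sample text is trimmed from the dumps in the post, keeping the poster's "..." elision.

```python
import re

FIELD = re.compile(r"^\s*([A-Za-z0-9 ()]+?):\s+(\S.*)$")
KEY = "Public key (sha1)"

def parse_info(text):
    """Split info_image text into (top-level fields, {partition name: fields}); other lines are skipped."""
    top, parts, cur = {}, {}, None
    for m in filter(None, map(FIELD.match, text.splitlines())):
        name, value = m.group(1), m.group(2).strip()
        if name == "Partition Name":
            cur = parts.setdefault(value, {})
        else:
            (top if cur is None else cur)[name] = value
    return top, parts

def chain_problems(vbmeta_text, image_text, partition):
    """Inconsistencies between a vbmeta chain entry and a footer-signed image."""
    _, chained = parse_info(vbmeta_text)
    signer, described = parse_info(image_text)
    entry = chained.get(partition, {})
    if KEY not in entry:
        return [f"vbmeta has no chain descriptor for {partition}"]
    problems = []
    if entry[KEY] != signer.get(KEY):
        problems.append(f"{partition} signed by {signer.get(KEY)}, vbmeta expects {entry[KEY]}")
    if partition not in described:
        problems.append(f"image footer does not describe {partition}")
    return problems

# Fields copied from the info_image dumps in the post above ("..." is the poster's elision).
STOCK_KEY = "d9093b9a181bdb5731b44d60a9f850dc724e2874"
CUSTOM_KEY = "2597c218aae470a130f61162feaae70afd97f011"
VBMETA = ("Public key (sha1):        " + CUSTOM_KEY + "\n...\n"
          "      Partition Name:          recovery\n"
          "      Rollback Index Location: 2\n"
          "      Public key (sha1):      {key}\n")
RECOVERY = ("Public key (sha1):        {key}\nDescriptors:\n    Hash descriptor:\n"
            "      Hash Algorithm:        sha256\n      Partition Name:        recovery\n")

def matrix():
    """Check every vbmeta/recovery pairing tried in the thread."""
    keys = {"stock": STOCK_KEY, "custom": CUSTOM_KEY}
    return {(v, r): chain_problems(VBMETA.format(key=kv), RECOVERY.format(key=kr), "recovery")
            for v, kv in keys.items() for r, kr in keys.items()}

if __name__ == "__main__":
    for pair, found in matrix().items():
        print(pair, found or "consistent")
```

On the values quoted in the post, the stock/stock and custom/custom pairings come out consistent, while the mixed pairings report a key mismatch.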
Gargoyle
Contributor
527
15-01-2024, 11:50 PM
#3
Some devices have a problem with --flag 2,
try leaving the original value of --flag 0
albert_ein
Newbie
4
30-01-2024, 01:04 PM
#4
(15-01-2024, 11:50 PM)Gargoyle Some devices have a problem with --flag 2,
try leaving the original value of --flag 0
Sorry for the late reply indeed. I am close to giving up on this thing. I tried generating a new vbmeta.img with --flag 0 and had no luck. I dug into the dm-verity implementation details, avbtool articles and even the source code for the data structure definitions. I compared the original recovery image and vbmeta image with my self-signed ones via a hex editor.
Thank you for the reply.
maxpayne
Intern
3,940
02-02-2024, 01:29 PM
#5



(14-01-2024, 10:25 PM)albert_ein my device: 

Alcatel 1S 2019

Android 9.0 (Pie)

Unisoc SC9863 (28nm)

Models: 5024D_EEA
..

There are several possible break points but let's go one at a time.
recovery-from-boot.p should be renamed to recovery-from-boot.bak, else the recovery you flashed will always get replaced by stock recovery, which will fail the signature test since it's different from what you'd originally flashed.

Note!
We have a reply schedule for Free Support. Please upgrade to Private Support if you can't wait.
albert_ein
Newbie
4
02-02-2024, 03:11 PM
#6

Sorry, I don't really get what you mean, but I did make a copy of the stock recovery image, signed it, then flashed this copy.

I did some tests yesterday:

1. stock vbmeta image + stock recovery image
passed

2. self generated vbmeta image + stock recovery image
(key used are completely from here: https://www.hovatek.com/forum/thread-32667.html)
passed

3. generated a new private SSL key to sign the recovery image and used it to generate a new vbmeta image
(
openssl genrsa -f4 -out 2024-02-01-Alcatel-1S-recovery.pem 4096
python3 avbtool.py extract_public_key --key keys/2024-02-01-Alcatel-1S-recovery.pem --output keys/2024-02-01-Alcatel-1S-recovery.pem.bin
I used the old salt from the stock recovery image to add_hash_footer to the COPY of the stock recovery image, to make sure the only difference I can tell is the Public key (sha1)*
* except the "Release String", the stock version is 'avbtool 1.1.0' while mine are 'avbtool 1.2.0'
)

recovery failed to boot

dead end again Rolleyes
maxpayne
Intern
3,940
06-02-2024, 08:30 AM
#7
(02-02-2024, 03:11 PM)albert_ein recovery failed to boot

dead end again Rolleyes

So this is what you need to do.
You said your boot.img ramdisk is empty so you need to rely on recovery.img and recovery partition to root.
The goal is to:
1. Gain temporary root
2. Rename recovery-from-boot.p to recovery-from-boot.bak

The mistake you're making is that you are rebooting the phone to home screen after flashing the signed recovery. By doing this, recovery-from-boot.p is replacing the recovery.img you flashed with stock recovery. This will fail because your vbmeta is expecting a different recovery from stock recovery.

What you need to do is, immediately after flashing your recovery.img in fastboot, power off the phone using this trick: https://www.hovatek.com/forum/thread-32663.html . Once it's off, you then use the button combo to try booting into recovery mode. The phone will boot normally instead (it won't enter recovery mode) and you should have root.

Once you confirm root access, you use a system app to go to /system and rename recovery-from-boot.p to recovery-from-boot.bak

I hope this is clear

albert_ein
Newbie
4
16-02-2024, 02:28 PM
#8

Sorry it took me so long to reply. Thanks to your advice I finally got root, though a temporary one. It appears that my phone is the worst case for Magisk.
https://topjohnwu.github.io/Magisk/install.html
"Magisk in Recovery"
I have to follow the steps above to get Magisk's root function each time after a reboot. And it seems that I cannot have a custom recovery (like TWRP) on this phone for good. (I tried the trick to patch and sign an unofficial TWRP image but failed to boot it up.)
Nevertheless, thank you @maxpayne. I didn't even know there was a thing called "recovery-from-boot.p" before you pointed it out to me.