Magisk - TomKing062/CVE-2022-38694_unlock_bootloader GitHub Wiki

NEVER re-sign vbmeta !

NEVER re-sign vbmeta !

NEVER re-sign vbmeta !

unless one of the following applies:

  1. your device uses Unisoc keys (especially the public BSP keys)
  2. you want to use CVE-2022-38691_38692 on your device

Android 9

There are currently 3 methods:

  1. system mode (highest supported version is Delta 26301; Kitsune does not support Android 9)

  2. repartition (patch recovery, rename system to vroot, then put the patched ramdisk into a fake system partition)

  3. big resign (especially for fused ums312/ums512/ud710)

    see action_big_resign_with_magisk

Android 10

There are currently 3 methods:

  1. system mode (highest supported version is Kitsune)

  2. normal patch and sign

  3. big resign (especially for fused ums312/ums512/ud710)

    see action_big_resign_with_magisk

Android 11

There are currently 2 methods:

  1. normal patch and sign

  2. big resign (especially for fused ums312/ums512/ud710)

    see action_big_resign_with_magisk

Android 12(+)

boot no longer needs to be signed: just patch it with Magisk or APatch and write it back.


Magisk system mode (Android 9-10)

Currently this needs a second device that is already rooted with Magisk (Official, Delta, ... are all fine).

part 1

Find which of these files your system uses:

  • /vendor/etc/selinux/precompiled_sepolicy
  • /system_root/odm/etc/selinux/precompiled_sepolicy
  • /system/etc/selinux/precompiled_sepolicy
  • /system_root/sepolicy
  • /system_root/sepolicy_debug
  • /system_root/sepolicy.unlocked

Patch your sepolicy:

magiskinit --patch-sepol sepol.in sepol.out

Gzip the original (unpatched) sepolicy to sepolicy.gz, so that it ends up as one of:

  • /vendor/etc/selinux/precompiled_sepolicy.gz
  • /system_root/odm/etc/selinux/precompiled_sepolicy.gz
  • /system/etc/selinux/precompiled_sepolicy.gz
  • /system_root/sepolicy.gz
  • /system_root/sepolicy_debug.gz
  • /system_root/sepolicy.unlocked.gz

part 2 (use an unpack tool, or mount the image on Linux)

Overwrite the original sepolicy in the device partition with sepol.out, and place sepolicy.gz beside it.

Copy /system/etc/init/bootanim.rc and /system/etc/init/magisk from the rooted device into the unrooted device's partition.

Gzip the original bootanim.rc to bootanim.rc.gz.

Remember to add/change the properties (owner, permission, SELinux context) of these files, as listed below.

Write the partition back with spd_dump or fastboot(d).

owner and permission

system/system/etc/init/magisk/magisk32 0 0 0700
system/system/etc/init/magisk/magisk64 0 0 0700
system/system/etc/init/magisk/magiskpolicy 0 0 0700
system/system/etc/init/magisk/magiskinit 0 0 0700
system/system/etc/init/magisk/stub.apk 0 0 0700
system/system/etc/init/magisk/config 0 0 0700
system/system/etc/init/magisk 0 0 0700

selinux context

/system/system/etc/init/magisk u:object_r:system_file:s0
/system/system/etc/init/magisk/config u:object_r:system_file:s0
/system/system/etc/init/magisk/magisk32 u:object_r:system_file:s0
/system/system/etc/init/magisk/magisk64 u:object_r:system_file:s0
/system/system/etc/init/magisk/magiskinit u:object_r:system_file:s0
/system/system/etc/init/magisk/magiskpolicy u:object_r:system_file:s0
/system/system/etc/init/magisk/stub\.apk u:object_r:system_file:s0

content of config

SYSTEMMODE=true
RECOVERYMODE=false

content added to the original bootanim.rc

on post-fs-data
    start logd
    exec u:r:su:s0 root root -- /system/etc/init/magisk/magiskpolicy --live --magisk
    exec u:r:magisk:s0 root root -- /system/etc/init/magisk/magiskpolicy --live --magisk
    exec u:r:update_engine:s0 root root -- /system/etc/init/magisk/magiskpolicy --live --magisk
    exec u:r:su:s0 root root -- /system/etc/init/magisk/magisk64 --auto-selinux --setup-sbin /system/etc/init/magisk /sbin
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --post-fs-data

on nonencrypted
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --service

on property:vold.decrypt=trigger_restart_framework
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --service

on property:sys.boot_completed=1
    mkdir /data/adb/magisk 755
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --boot-complete

on property:init.svc.zygote=restarting
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --zygote-restart

on property:init.svc.zygote=stopped
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --zygote-restart

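Part 1 and part 2 above come down to a handful of file operations on the unpacked or mounted image: find whichever sepolicy the system actually uses, keep the pristine copy beside it as .gz, drop in the patched policy and the donor's magisk directory, append the rc snippet to bootanim.rc, and apply the modes from the owner/permission table. The script below is an added example and is not code from this wiki or from Magisk; it performs those steps on a tree whose root corresponds to "/" on the device (e.g. the mount point of the system image), and run_demo() exercises it on a constructed throw-away tree in which placeholder bytes stand in for the real policy and binaries. chown root:root and the u:object_r:system_file:s0 label need a root shell and an xattr-capable filesystem on the host, so the script only applies them when that is available and otherwise reports that they still have to be set (with chown/chcon in the unpack tool, or after mounting).

```python
import gzip
import os
import tempfile

# Sepolicy locations from part 1, relative to the image root (the directory matching "/" on the device).
SEPOLICY_CANDIDATES = [
    "vendor/etc/selinux/precompiled_sepolicy",
    "system_root/odm/etc/selinux/precompiled_sepolicy",
    "system/etc/selinux/precompiled_sepolicy",
    "system_root/sepolicy",
    "system_root/sepolicy_debug",
    "system_root/sepolicy.unlocked",
]
# Everything under /system/etc/init/magisk must be root:root 0700 (owner/permission table above).
MAGISK_FILES = ["magisk32", "magisk64", "magiskpolicy", "magiskinit", "stub.apk", "config"]
CONFIG_CONTENT = b"SYSTEMMODE=true\nRECOVERYMODE=false\n"
SELINUX_CONTEXT = b"u:object_r:system_file:s0"

def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()

def find_sepolicy(root):
    """Return the first sepolicy candidate that exists under root, or None."""
    for rel in SEPOLICY_CANDIDATES:
        if os.path.isfile(os.path.join(root, rel)):
            return rel
    return None

def backup_as_gz(path):
    """Keep the untouched original beside the replacement as <name>.gz; return its bytes."""
    original = read_bytes(path)
    with gzip.open(path + ".gz", "wb") as g:
        g.write(original)
    return original

def set_owner_and_context(path):
    """chown root:root and label u:object_r:system_file:s0; needs a root shell on the host and
    an xattr-capable filesystem. Returns False when they still have to be done by hand."""
    try:
        os.chown(path, 0, 0)
        os.setxattr(path, "security.selinux", SELINUX_CONTEXT)
        return True
    except (OSError, AttributeError):
        return False

def stage_system_mode(root, patched_sepolicy, magisk_files, rc_additions):
    """Apply part 2 to an unpacked or mounted image tree. patched_sepolicy: output of
    `magiskinit --patch-sepol`; magisk_files: name -> bytes from the donor's /system/etc/init/magisk;
    rc_additions: the text block appended to bootanim.rc."""
    rel = find_sepolicy(root)
    if rel is None:
        raise FileNotFoundError("no known sepolicy location exists under " + root)
    sepol_path = os.path.join(root, rel)
    backup_as_gz(sepol_path)                     # e.g. precompiled_sepolicy.gz
    with open(sepol_path, "wb") as f:            # sepol.out takes the original's place
        f.write(patched_sepolicy)
    init_dir = os.path.join(root, "system/etc/init")
    rc_path = os.path.join(init_dir, "bootanim.rc")
    original_rc = backup_as_gz(rc_path)          # bootanim.rc.gz
    with open(rc_path, "wb") as f:
        f.write(original_rc.rstrip(b"\n") + b"\n\n" + rc_additions.encode() + b"\n")
    magisk_dir = os.path.join(init_dir, "magisk")
    os.makedirs(magisk_dir, exist_ok=True)
    files = dict(magisk_files)
    files.setdefault("config", CONFIG_CONTENT)   # written here if the donor did not supply one
    applied = True
    for name in MAGISK_FILES:                    # KeyError if the donor copy is incomplete
        path = os.path.join(magisk_dir, name)
        with open(path, "wb") as f:
            f.write(files[name])
        os.chmod(path, 0o700)
        applied = set_owner_and_context(path) and applied
    os.chmod(magisk_dir, 0o700)
    applied = set_owner_and_context(magisk_dir) and applied
    return {"sepolicy": rel, "rc": rc_path, "magisk_dir": magisk_dir, "owner_and_context_applied": applied}

def run_demo():
    """Stage a constructed throw-away tree (placeholder bytes, not real binaries) and report checks."""
    root = tempfile.mkdtemp()
    orig_sepol, orig_rc = b"ORIGINAL-SEPOLICY", b"service bootanim /system/bin/bootanimation\n"
    for rel, data in (("system/etc/selinux/precompiled_sepolicy", orig_sepol), ("system/etc/init/bootanim.rc", orig_rc)):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    donor = {n: b"ELF-" + n.encode() for n in MAGISK_FILES if n != "config"}
    info = stage_system_mode(root, b"PATCHED-SEPOLICY", donor, "on post-fs-data\n    start logd")
    sepol = os.path.join(root, info["sepolicy"])
    with gzip.open(sepol + ".gz", "rb") as g:
        gz_ok = g.read() == orig_sepol
    rc = read_bytes(info["rc"])
    return {"sepolicy": info["sepolicy"], "gz_matches_original": gz_ok,
            "patched_in_place": read_bytes(sepol) == b"PATCHED-SEPOLICY",
            "rc_keeps_original": orig_rc.rstrip(b"\n") in rc, "rc_has_additions": b"on post-fs-data" in rc,
            "magisk64_mode": os.stat(os.path.join(info["magisk_dir"], "magisk64")).st_mode & 0o777,
            "config_ok": read_bytes(os.path.join(info["magisk_dir"], "config")) == CONFIG_CONTENT}
```

On a real image, call stage_system_mode() with the mount point, the bytes of sepol.out, and the files read from the donor's /system/etc/init/magisk; if owner_and_context_applied comes back False, set the owner and the SELinux context from the tables above by hand before writing the partition back.
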
Repartition (Android 9)

If this doesn't work, use the system mode or big resign method.

Here is a GitHub action to patch recovery.img.

Begin from ZERO

You can't modify boot. Root can instead be obtained by repartitioning.

In spd_dump (after sending uboot and running the exec command), type partition_list partition.xml.

Edit partition.xml: create a 32 MB partition by shrinking an unimportant partition (or just shrink userdata), name this 32 MB partition system, and rename the original system partition to vroot. See this for more information.

Create a 32 MB image, format it as ext4, choose recovery.img to patch in Magisk, and extract ramdisk.cpio from the resulting patched_recovery.img.

mkdir ramdisk
sudo mount -t ext4 -o rw ramdisk.img ramdisk
cd ramdisk
sudo cpio -idv < ../ramdisk.cpio
cd ..
sudo umount ramdisk

Use spd_dump to write the modified partition table and ramdisk.img:

repartition new-table.xml
write_part system ramdisk.img

Update Magisk

Choose recovery.img to patch in Magisk, make a new ramdisk.img as above, then either run write_part system ramdisk.img in spd_dump or, on the device, dd if=new.img of=/dev/block/by-name/system

Magisk normally patch and sign (Android 10-11)

Sign the patched boot with avbtool or you will get stuck at the boot logo. Do not use Magisk's direct install: you must use "Select and Patch a File", then sign the result with avbtool; only a signed boot will get past the boot logo.

avbtool on Windows

DON'T CHANGE INSTALL LOCATION.

[1] Python 2 (x86|x64)

[2] avbtool

[3] OpenSSL (x64) can be found in the avbtool repository above; find the x86 build if you need it.

[4] Android Image Kitchen

step 0

Get the original boot.img and patch it with Magisk. Read boot out with spd_dump:

sc9863a:

spd_dump exec_addr $exec_addr_fallback fdl fdl1-dl.bin 0x5000 fdl fdl2-dl.bin 0x9efffe00 exec r boot reset

ums312/ums512/ud710:

spd_dump exec_addr $exec_addr_fallback fdl fdl1-dl.bin 0x5500 fdl fdl2-dl.bin 0x9efffe00 exec r boot reset

or

spd_dump exec_addr $exec_addr_fallback fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec r boot reset

ums9230:

spd_dump exec_addr $exec_addr_fallback fdl fdl1-dl.bin 0x65000800 fdl fdl2-dl.bin 0x9efffe00 exec r boot reset

ums9620:

spd_dump exec_addr $exec_addr_fallback fdl fdl1-dl.bin 0x65000800 fdl fdl2-dl.bin 0xb4fffe00 exec r boot reset

exec_addr differs between devices: use the fallback-mode address for your own CPU. Both modes now share the same skip file, except on sc9832e, where the two modes are not merged and their addresses must be kept apart.

ums312/ums512/ud710 don't need the exec_addr parameter if the image has been patched with 38691.

step 1

Run this in cmd:

mklink /H C:\Python27\python2.exe C:\Python27\python.exe

Add C:\Python27, C:\Python27\Scripts and C:\Program Files\OpenSSL-Win64\bin to the Windows PATH.

Then run:

python2 -m pip install pycryptodome

step 2

Unpack and repack magisk_patched-*.img with AIK; you now have image-new.img.

step 3

Download rsa4096_boot.pem and save it in the avbtool folder.

Android 10

python2 avbtool add_hash_footer --image AIK/image-new.img --partition_name boot --partition_size 36700160 --key rsa4096_boot.pem --algorithm SHA256_RSA4096 --salt 5F55215FD2302D021F850B55912ED48D176784678692DC012E054B1ECD0BE025

Android 11

python2 avbtool add_hash_footer --image AIK/image-new.img --partition_name boot --partition_size 67108864 --key rsa4096_boot.pem --algorithm SHA256_RSA4096 --prop com.android.build.boot.fingerprint:$FINGERPRINT --prop com.android.build.boot.os_version:$OS_VERSION --salt 7A91E47F8D2CFB95DCCFF13305EE3F07EDCF83A42660A811F3724E1E8B463284

Some devices may also need a rollback index, passed as --rollback_index $num
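
Before flashing in step 4 it is worth checking what add_hash_footer actually wrote: that the footer is present, that the descriptor names the boot partition, that the salt and rollback index are the ones you passed, and that the digest still matches the payload (a boot image edited after signing fails that check and will not boot). The Python script below is an added example and is not part of this wiki or of avbtool; inspect_hash_footer() parses the AVB footer, vbmeta header and hash descriptor of a boot image using the libavb struct layouts and recomputes SHA256(salt || payload). build_unsigned_hash_footer_image() is a constructed stand-in that lays an image out the way add_hash_footer does but with algorithm NONE, so run_demo() runs offline without rsa4096_boot.pem; for it "signed" is False, while a real avbtool output also carries an authentication block and public key and reports True. The salt in the demo is the one from the Android 10 command above.

```python
import hashlib
import struct

# libavb on-disk structures (big-endian); sizes match the spec: 64, 256 and 132 bytes.
FOOTER_FMT = ">4sLLQQQ28x"          # AvbFooter: magic, version major/minor, original_image_size, vbmeta_offset, vbmeta_size
HEADER_FMT = ">4sLLQQL11QLL48s80x"  # AvbVBMetaImageHeader
HASH_DESC_FMT = ">QQQ32sLLLL60x"    # AvbHashDescriptor fixed part: tag, num_bytes_following, image_size, algorithm, lengths, flags
FOOTER_SIZE = struct.calcsize(FOOTER_FMT)
HEADER_SIZE = struct.calcsize(HEADER_FMT)
HASH_DESC_SIZE = struct.calcsize(HASH_DESC_FMT)
TAG_HASH_DESCRIPTOR = 2
ALGORITHM_NONE = 0

def inspect_hash_footer(img):
    """Parse the AVB footer and hash descriptor of a boot image and recompute the payload digest.
    'digest_ok' is False when the payload no longer matches the descriptor (edited after signing)."""
    magic, _, _, orig_size, vb_off, vb_size = struct.unpack(FOOTER_FMT, img[-FOOTER_SIZE:])
    if magic != b"AVBf":
        raise ValueError("no AVB footer: add_hash_footer was not run on this image")
    vbmeta = img[vb_off:vb_off + vb_size]
    hdr = struct.unpack(HEADER_FMT, vbmeta[:HEADER_SIZE])
    if hdr[0] != b"AVB0":
        raise ValueError("footer does not point at a vbmeta blob")
    auth_size, algorithm = hdr[3], hdr[5]
    desc_off, desc_size, rollback_index = hdr[14], hdr[15], hdr[16]
    pos = HEADER_SIZE + auth_size + desc_off   # descriptors sit in the auxiliary block, after the auth block
    end = pos + desc_size
    while pos < end:
        tag, num_bytes_following = struct.unpack(">QQ", vbmeta[pos:pos + 16])
        if tag == TAG_HASH_DESCRIPTOR:
            f = struct.unpack(HASH_DESC_FMT, vbmeta[pos:pos + HASH_DESC_SIZE])
            image_size, algo, name_len, salt_len, digest_len = f[2], f[3], f[4], f[5], f[6]
            p = pos + HASH_DESC_SIZE
            name, p = vbmeta[p:p + name_len].decode("ascii"), p + name_len
            salt, p = vbmeta[p:p + salt_len], p + salt_len
            digest = vbmeta[p:p + digest_len]
            algo_name = algo.split(b"\0", 1)[0].decode("ascii")
            actual = hashlib.new(algo_name, salt + img[:image_size]).digest()  # digest = H(salt || payload)
            return {"partition": name, "hash_algorithm": algo_name, "image_size": image_size,
                    "footer_image_size": orig_size, "salt": salt.hex(), "digest_ok": actual == digest,
                    "rollback_index": rollback_index, "signed": algorithm != ALGORITHM_NONE}
        pos += 16 + num_bytes_following
    raise ValueError("vbmeta blob carries no hash descriptor")

def build_unsigned_hash_footer_image(payload, partition_name, salt, partition_size, rollback_index=0):
    """Constructed sample: payload | vbmeta | padding | footer, laid out like add_hash_footer but
    with algorithm NONE (no authentication block, no key), so it can be built offline."""
    digest = hashlib.sha256(salt + payload).digest()
    name = partition_name.encode("ascii")
    body = name + salt + digest
    body += b"\0" * (-len(body) % 8)
    desc = struct.pack(HASH_DESC_FMT, TAG_HASH_DESCRIPTOR, HASH_DESC_SIZE - 16 + len(body),
                       len(payload), b"sha256", len(name), len(salt), len(digest), 0) + body
    aux = desc + b"\0" * (-len(desc) % 64)
    header = struct.pack(HEADER_FMT, b"AVB0", 1, 0, 0, len(aux), ALGORITHM_NONE,
                         0, 0, 0, 0, 0, 0, 0, 0, 0, len(desc), rollback_index, 0, 0,
                         b"avbtool (constructed sample)")
    vbmeta = header + aux
    vb_off = len(payload) + (-len(payload) % 4096)   # avbtool pads the payload to the block size
    if vb_off + len(vbmeta) + FOOTER_SIZE > partition_size:
        raise ValueError("partition_size too small for payload plus vbmeta and footer")
    footer = struct.pack(FOOTER_FMT, b"AVBf", 1, 0, len(payload), vb_off, len(vbmeta))
    img = bytearray(partition_size)
    img[:len(payload)] = payload
    img[vb_off:vb_off + len(vbmeta)] = vbmeta
    img[-FOOTER_SIZE:] = footer
    return bytes(img)

def run_demo():
    """Build a constructed image, inspect it, then corrupt one payload byte and inspect again."""
    salt = bytes.fromhex("5F55215FD2302D021F850B55912ED48D176784678692DC012E054B1ECD0BE025")
    payload = bytes(range(256)) * 20   # constructed stand-in for the repacked boot image
    img = build_unsigned_hash_footer_image(payload, "boot", salt, 16384, rollback_index=3)
    good = inspect_hash_footer(img)
    tampered = bytearray(img)
    tampered[100] ^= 0xFF              # edit the payload after the footer was added
    bad = inspect_hash_footer(bytes(tampered))
    return good, bad
```

To check a real signed image, read AIK/image-new.img into bytes and pass it to inspect_hash_footer(); partition should be "boot", the salt should match the --salt you gave, rollback_index should match --rollback_index if you used it, and digest_ok must be True. Note that this command changes only boot.img; vbmeta is not touched, which is consistent with the warning at the top of the page.
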

step 4

adb reboot fastboot
fastboot flash boot AIK/image-new.img
fastboot reboot

or

spd_dump exec_addr $exec_addr_fallback fdl FDL1 $FDL1_ADDR fdl FDL2 $FDL2_ADDR exec w boot boot_signed.img reset