Magisk
Currently this needs another device that is already rooted with Magisk (Official, Delta, ... are all fine).
Find which sepolicy file is used by your system:
- /vendor/etc/selinux/precompiled_sepolicy
- /system_root/odm/etc/selinux/precompiled_sepolicy
- /system/etc/selinux/precompiled_sepolicy
- /system_root/sepolicy
- /system_root/sepolicy_debug
- /system_root/sepolicy.unlocked
Patch your sepolicy:
magiskinit --patch-sepol sepol.in sepol.out
Compress the original sepolicy with gzip to sepolicy.gz as a backup (Delta will not recognize the device as system-mode root if the backup sepolicy does not exist).
"sepolicy.gz" is the matching one of:
- /vendor/etc/selinux/precompiled_sepolicy.gz
- /system_root/odm/etc/selinux/precompiled_sepolicy.gz
- /system/etc/selinux/precompiled_sepolicy.gz
- /system_root/sepolicy.gz
- /system_root/sepolicy_debug.gz
- /system_root/sepolicy.unlocked.gz
Write sepol.out (overwriting the original sepolicy) and "sepolicy.gz" back to the device partition.
Copy /system/etc/init/bootanim.rc and /system/etc/init/magisk from the rooted device to the unrooted device's partition.
Compress the original bootanim.rc with gzip to bootanim.rc.gz as a backup (Delta will not recognize the device as system-mode root if the backup bootanim.rc does not exist).
Remember to add or change the properties (owner, permission, SELinux context) for them.
Write the partition back with spd_dump or fastboot(d).
owner and permission
system/system/etc/init/magisk/magisk32 0 0 0700
system/system/etc/init/magisk/magisk64 0 0 0700
system/system/etc/init/magisk/magiskpolicy 0 0 0700
system/system/etc/init/magisk/magiskinit 0 0 0700
system/system/etc/init/magisk/stub.apk 0 0 0700
system/system/etc/init/magisk/config 0 0 0700
system/system/etc/init/magisk 0 0 0700
selinux context
/system/system/etc/init/magisk u:object_r:system_file:s0
/system/system/etc/init/magisk/config u:object_r:system_file:s0
/system/system/etc/init/magisk/magisk32 u:object_r:system_file:s0
/system/system/etc/init/magisk/magisk64 u:object_r:system_file:s0
/system/system/etc/init/magisk/magiskinit u:object_r:system_file:s0
/system/system/etc/init/magisk/magiskpolicy u:object_r:system_file:s0
/system/system/etc/init/magisk/stub\.apk u:object_r:system_file:s0
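As an added example (not part of the original page or of any tool it mentions), this Python check cross-validates the two listings above before the image is repacked: every fs_config-style entry must be owned by 0:0 with mode 0700 and must be matched by a file_contexts entry carrying the expected label. The function names are hypothetical, and "last full match wins" is a simplification of real file_contexts matching.

```python
import re

# Both listings are copied from the page above.
FS_CONFIG = r"""
system/system/etc/init/magisk/magisk32 0 0 0700
system/system/etc/init/magisk/magisk64 0 0 0700
system/system/etc/init/magisk/magiskpolicy 0 0 0700
system/system/etc/init/magisk/magiskinit 0 0 0700
system/system/etc/init/magisk/stub.apk 0 0 0700
system/system/etc/init/magisk/config 0 0 0700
system/system/etc/init/magisk 0 0 0700
"""
FILE_CONTEXTS = r"""
/system/system/etc/init/magisk u:object_r:system_file:s0
/system/system/etc/init/magisk/config u:object_r:system_file:s0
/system/system/etc/init/magisk/magisk32 u:object_r:system_file:s0
/system/system/etc/init/magisk/magisk64 u:object_r:system_file:s0
/system/system/etc/init/magisk/magiskinit u:object_r:system_file:s0
/system/system/etc/init/magisk/magiskpolicy u:object_r:system_file:s0
/system/system/etc/init/magisk/stub\.apk u:object_r:system_file:s0
"""

def rows(text, n):
    """Split a listing into its first n whitespace-separated columns."""
    return [l.split()[:n] for l in text.splitlines() if len(l.split()) >= n]

def audit(fs_config, file_contexts, ctx="u:object_r:system_file:s0"):
    """Report entries whose owner, mode or SELinux label is not as listed."""
    # The path column of file_contexts is a regex (hence stub\.apk).
    rules = [(re.compile(p), c) for p, c in rows(file_contexts, 2)]
    problems = []
    for path, uid, gid, mode in rows(fs_config, 4):
        if (uid, gid) != ("0", "0"):
            problems.append(f"{path}: owner {uid}:{gid}, expected 0:0")
        if int(mode, 8) != 0o700:
            problems.append(f"{path}: mode {mode}, expected 0700")
        # fs_config paths have no leading slash; file_contexts paths do.
        # Simplification: the last rule that fully matches decides the label.
        labels = [c for rx, c in rules if rx.fullmatch("/" + path)]
        if not labels:
            problems.append(f"{path}: no file_contexts entry")
        elif labels[-1] != ctx:
            problems.append(f"{path}: context {labels[-1]}, expected {ctx}")
    return problems

if __name__ == "__main__":
    print(audit(FS_CONFIG, FILE_CONTEXTS) or "listings agree")
```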
content of config
SYSTEMMODE=true
RECOVERYMODE=false
content added to original bootanim.rc
on post-fs-data
    start logd
    exec u:r:su:s0 root root -- /system/etc/init/magisk/magiskpolicy --live --magisk
    exec u:r:magisk:s0 root root -- /system/etc/init/magisk/magiskpolicy --live --magisk
    exec u:r:update_engine:s0 root root -- /system/etc/init/magisk/magiskpolicy --live --magisk
    exec u:r:su:s0 root root -- /system/etc/init/magisk/magisk64 --auto-selinux --setup-sbin /system/etc/init/magisk /sbin
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --post-fs-data

on nonencrypted
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --service

on property:vold.decrypt=trigger_restart_framework
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --service

on property:sys.boot_completed=1
    mkdir /data/adb/magisk 755
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --boot-complete

on property:init.svc.zygote=restarting
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --zygote-restart

on property:init.svc.zygote=stopped
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --zygote-restart
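As an added example (not from the original page or from Magisk), this Python audit scans an init .rc file, for instance a bootanim.rc extracted from a system image, and reports exec lines like the ones above together with the trigger they run under. The indicator lists are assumptions taken from the page's own lines, and the sample file is constructed.

```python
import re

# Constructed sample: a stock-looking service plus lines taken from the page.
SAMPLE_RC = """\
service bootanim /system/bin/bootanimation
    class core animation
    user graphics

on post-fs-data
    start logd
    exec u:r:su:s0 root root -- /system/etc/init/magisk/magiskpolicy --live --magisk
    exec u:r:update_engine:s0 root root -- /system/etc/init/magisk/magiskpolicy --live --magisk

on property:sys.boot_completed=1
    mkdir /data/adb/magisk 755
    exec u:r:su:s0 root root -- /sbin/magisk --auto-selinux --boot-complete
"""

# Assumed indicators, taken from the rc lines on this page.
SUSPECT_DOMAINS = {"su", "magisk"}
SUSPECT_PATHS = ("/system/etc/init/magisk/", "/sbin/magisk")

def audit_rc(text):
    """Return (trigger, seclabel, command, reasons) for each flagged exec."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] in ("on", "service"):
            section = " ".join(words[1:])   # trigger or service definition
            continue
        if words[0] not in ("exec", "exec_background"):
            continue
        # init syntax: exec [seclabel [user [group...]]] -- command [args...]
        sep = words.index("--") if "--" in words else 0
        opts, cmd = words[1:sep], words[sep + 1:]
        seclabel = opts[0] if opts else ""
        reasons = []
        m = re.fullmatch(r"u:r:([^:]+):s0.*", seclabel)
        if m and m.group(1) in SUSPECT_DOMAINS:
            reasons.append("domain " + m.group(1))
        if cmd and cmd[0].startswith(SUSPECT_PATHS):
            reasons.append("path " + cmd[0])
        if reasons:
            findings.append((section, seclabel, " ".join(cmd), reasons))
    return findings
```

The update_engine line is flagged by path only, which is why the check looks at both the SELinux domain and the binary location.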
If this doesn't work, use system mode above.
Here is a GitHub Action to patch recovery.img.
You can't modify boot. Root can be done by repartitioning.
In spd_dump (after sending uboot and running the exec command), type partition_list partition.xml.
Edit partition.xml: create a 32 MB partition (shrink an unimportant partition, or just shrink userdata), name this 32 MB partition system, and rename the original system to vroot. See this for information.
Create a 32 MB image and format it as ext4. Choose recovery.img to patch in Magisk, then get ramdisk.cpio from patched_recovery.img.
mkdir ramdisk
sudo mount -t ext4 -o rw ramdisk.img ramdisk
cd ramdisk
sudo cpio -idv < ../ramdisk.cpio
cd ..
sudo umount ramdisk
Use spd_dump to write the modified partition table and ramdisk.img:
repartition new-table.xml
write_part system ramdisk.img
Choose recovery.img to patch in Magisk, make a new ramdisk.img, then run write_part system ramdisk.img in spd_dump, or dd if=new.img of=/dev/block/by-name/system.
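Sign the patched boot with avbtool, or you will be stuck at the boot logo.
Direct install does not work: you must select and patch a file, then sign it with avbtool. Only a signed boot image gets past the boot logo.
DON'T CHANGE INSTALL LOCATION.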
[2]avbtool
[3]OpenSSL (x64) can be found in the avbtool repository above; find an x86 build if you need one.
Get the original boot.img and patch it with Magisk.
sc9863a:
spd_dump exec_addr $exec_addr_fallback fdl fdl1-dl.bin 0x5000 fdl fdl2-dl.bin 0x9efffe00 exec read_part boot 0 35M boot.img reset
ums312/ums512/ud710:
spd_dump fdl fdl1-dl.bin 0x5500 fdl fdl2-dl.bin 0x9efffe00 exec read_part boot 0 35M boot.img reset
or
spd_dump fdl fdl1-dl.bin 0x5500 fdl uboot-mod.bin 0x9efffe00 exec read_part boot 0 35M boot.img reset
ums9230:
spd_dump exec_addr $exec_addr_fallback fdl fdl1-dl.bin 0x65000800 fdl fdl2-dl.bin 0x9efffe00 exec read_part boot_a 0 64M boot.img reset
ums9620:
spd_dump exec_addr $exec_addr_fallback fdl fdl1-dl.bin 0x65000800 fdl fdl2-dl.bin 0xb4fffe00 exec read_part boot_a 0 64M boot.img reset
exec_addr and the size of the boot partition differ between devices; the size is usually 35M for Android 9/10 and 64M for Android 11(+).
Change the exec address to the fallback-mode address of your own CPU. Both modes now use the same skip file, except on sc9832e, whose two modes have not been merged, so their addresses must be told apart.
ums312/ums512/ud710 don't need the exec_addr parameter if the image is patched with 38691.
Run this in cmd:
mklink /H C:\Python27\python2.exe C:\Python27\python.exe
Add C:\Python27, C:\Python27\Scripts and C:\Program Files\OpenSSL-Win64\bin to the Windows PATH environment variable.
Run this:
python2 -m pip install pycryptodome
Unpack and repack magisk_patched-*.img with AIK; now you have image-new.img.
Download rsa4096_boot.pem and save it in the avbtool folder.
Android 9/10:
python2 avbtool add_hash_footer --image AIK/image-new.img --partition_name boot --partition_size 36700160 --key rsa4096_boot.pem --algorithm SHA256_RSA4096 --salt 5F55215FD2302D021F850B55912ED48D176784678692DC012E054B1ECD0BE025
Android 11(+):
python2 avbtool add_hash_footer --image AIK/image-new.img --partition_name boot --partition_size 67108864 --key rsa4096_boot.pem --algorithm SHA256_RSA4096 --prop com.android.build.boot.fingerprint:$FINGERPRINT --prop com.android.build.boot.os_version:$OS_VERSION --salt 7A91E47F8D2CFB95DCCFF13305EE3F07EDCF83A42660A811F3724E1E8B463284
adb reboot fastboot
fastboot flash boot AIK/image-new.img
fastboot reboot
or
spd_dump exec_addr $exec_addr_fallback fdl FDL1 $FDL1_ADDR fdl FDL2 $FDL2_ADDR exec write_part PART_BOOT boot_signed.img reset
Find out which slot (a or b) is in use on the device (or read both and patch the newer one).
The procedure for signing boot is the same as for Android 10 above.
Flashing is slightly different, since bootloader/fastbootd/u2s_download may force a switch to slot_a after boot is flashed, so:
- Enter fastbootd with adb reboot fastboot, or by flashing the misc partition.
- Run fastboot flash boot_a boot_signed.img and fastboot flash boot_b boot_signed.img (some devices had WiFi/Bluetooth issues when only one boot partition was flashed).
- If you patched boot_a, use fastboot set_active a; if you patched boot_b, use fastboot set_active b.
- Try a normal boot. If it gets stuck after the boot animation, go back to fastbootd, then recovery, then erase userdata (you may need to re-configure slot_a/slot_b after the erase).
The reason boot fails before the slot is changed is that _a and _b have different security patch dates.
The reason boot fails before userdata is erased is still unknown.