General System root + Passed Safety Net Pixel 5a - Google Pixel 5a

Hey everyone,
after some trial and error, I was able to pass Safety Net.
I just want to mention what I did in the process to get there. May have been a combination of things or just one...
1. I followed this guide, but make sure you notice that It's for the Pixel 5 not 5a. But the process is similar. This process didn't fix the issue. However, it's also a good how-to on how to root. I did also modify the props to the 3a.
How to Root the Pixel 5 & Still Pass SafetyNet — Full Guide for Beginners & Intermediate Users
The Pixel 5 is a great value proposition in this era of $1,500 phones. With its reasonable price tag, fully open-sourced software, and unlockable bootloader, it's also an ideal phone for rooting.
android.gadgethacks.com
2. When that didn't work, I followed this video, and hid all my banking apps besides the Google Play Services:
3. When that didn't work, I installed these both using Magisk from this post:
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
4. Cleared my data and cache with Google Play and GPay + any other banking apps.
That worked for me!
EDIT: IF GOOGLE MAPS reports the wrong location, its likely XPrivacy-LUA, Google Services. Uncheck some of them.

Oh man....the only thing holding me back is the safety net thing, and it looks like we have a work around tell someone has an actual method made for this phone. Not sure if I'm ready to actually mess with this yet...but thanks for the post, bro!

anubis2k3 said:
Oh man....the only thing holding me back is the safety net thing, and it looks like we have a work around tell someone has an actual method made for this phone. Not sure if I'm ready to actually mess with this yet...but thanks for the post, bro!
Click to expand...
Click to collapse
Didnt think it was that big of a deal to me. But it was fun with a new phone with nothing on it.

This was the Magisk module that worked to pass safety net for me. I didn't need any others.
Releases · kdrag0n/safetynet-fix
Google SafetyNet attestation workarounds for Magisk - kdrag0n/safetynet-fix
github.com
Google Pay "appears" to be working too. Haven't gone out and tried it yet though.

joemommasfat said:
Google Pay "appears" to be working too. Haven't gone out and tried it yet though.
Click to expand...
Click to collapse
That's the part that I use the most, and the reason I haven't rooted yet. Please let us know if it works. Much appreciated!

I can confirm that using google pay (newer GPay app) on my rooted 5a works at merchants. I've already used it several times over the last week or so with no problems.

Deadmau-five said:
3. When that didn't work, I installed these both using Magisk from this post:
Click to expand...
Click to collapse
Why? Isn't the shim version just for Samsungs? Either way, it's the same mod, just different versions.
Someone who actually knows what they're doing needs to write up a tutorial. Following instructions posted by people who have no idea what they're doing but "it works" for them is dangerous.

borxnx said:
Why? Isn't the shim version just for Samsungs? Either way, it's the same mod, just different versions.
Someone who actually knows what they're doing needs to write up a tutorial. Following instructions posted by people who have no idea what they're doing but "it works" for them is dangerous.
Click to expand...
Click to collapse
You're absolutely correct about the dangers in following instructions posted by who knows who. I'll go further and say when it comes to root and associated items stay away from anything posted on a site other than XDA. In many cases even if the instructions were correct at some point in time they may well be outdated now.
I haven't rooted yet for a few reasons yet but will, hopefully sometime very soon. In the meantime I can state the following:
They're is no need to modify props. Modifying props to identify as a different phone would only be required for custom ROMs that don't handle it themselves (or some non-certified Chinese phones, which doesn't apply here). If you're running stock just leave that portion alone. And, if I'm not mistaken (although not 100% certain) I think safetynet-fix takes care of that for you in any case.
You will definitely need kdragOn/safetynet-fix.
Hopefully that's all you need.
I'm not sure which version of Magisk you'll need. Unless you know what you're doing and how to get out of trouble I recommend staying away from the current alphas, they're extremely cutting edge and you can expect problems.
Best best is to check the following threads and see what's going on:
Actually see this post and the 2 posts immediately following
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
That should pretty much cover things for the moment. If nobody else (@hfam ?) has done it by the time I get around to rooting I'll write something up specific for the 5a.

I only mentioned what works for me since there was no step-by-step guide.
Dangerous how? Doing any mods to your phone is "dangerous". I fail to see how this is more so than others. Modifying your phone is risky.
If it didn't work I wouldn't have posted this guide. I only mentioned the steps that I took. It's not really a guide, just how I passed safety net.
But, my 5a has still been working great since then. GPay included.

jcmm11 said:
You're absolutely correct about the dangers in following instructions posted by who knows who. I'll go further and say when it comes to root and associated items stay away from anything posted on a site other than XDA. In many cases even if the instructions were correct at some point in time they may well be outdated now.
I haven't rooted yet for a few reasons yet but will, hopefully sometime very soon. In the meantime I can state the following:
They're is no need to modify props. Modifying props to identify as a different phone would only be required for custom ROMs that don't handle it themselves (or some non-certified Chinese phones, which doesn't apply here). If you're running stock just leave that portion alone. And, if I'm not mistaken (although not 100% certain) I think safetynet-fix takes care of that for you in any case.
You will definitely need kdragOn/safetynet-fix.
Hopefully that's all you need.
I'm not sure which version of Magisk you'll need. Unless you know what you're doing and how to get out of trouble I recommend staying away from the current alphas, they're extremely cutting edge and you can expect problems.
Best best is to check the following threads and see what's going on:
Actually see this post and the 2 posts immediately following
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
That should pretty much cover things for the moment. If nobody else (@hfam ?) has done it by the time I get around to rooting I'll write something up specific for the 5a.
Click to expand...
Click to collapse
Just a quick note to say I just finished with everything (new Pixel 5a 5G, rooted + Safety net, restored all my apps, etc) and it's a flawless victory, ALL banking apps work great, SafetyNet passes, no hiccups.
I'd be happy to craft up a step by step and post it if there's some interest. It's not often I get to give back to this outstanding community, so it's the least I can do jumping on the opportunity. UFC 266 Main card is just starting, so I'll get started right after the fight and post it here in this thread.
Great to see ya again @jcmm11! Coming back to root a new phone feels like a family reunion, so great to see many of you active folks still here helping out!!
hfam

Alright, as promised, here is my writeup for a step-by-step tutorial for rooting your new Pixel 5a and getting SafetyNet up and going. I know it looks like a book, but I wanted to put it into plain language and attempt to explain the process for everyone, even absolute first timers. I know when I first started I really appreciated when the person helping didn't presume I had any knowledge, so for those that may have some experience, sorry for the wordiness. I'll also include how I apply updates when a new Android security update is pushed out. I understand that there are now elegant ways to accept OTA updates, but that is out of the scope of this tutorial as I have always had issues with OTA, and have to catch up on how that works myself. I can attest to years of using this method though (using a full factory image) to perform the "monthly" security updates, and I have never had anything but full success, so I'll share that here below the rooting tutorial.
*Disclaimer and heads-up* this is for an UNLOCKED PIxel 5a purchased directly from Google Store. At the time of this writing that is the only place I'm aware of which currently offers the PIxel 5a. Once carriers like Verizon, etc, offer this device, there may be some changes to the process, so just know up front this is for the unlocked Pixel 5a*
*WARNING*! When you unlock the bootloader on your phone it WILL WIPE YOUR PHONE and reset it to factory. If you've already used your phone and set it up, you're going to lose that setup. If you can't bear it, then the rest of this isn't for you, as root cannot be achieved without unlocking the bootloader.
First, you'll need a few things
- https://developers.google.com/android/images
and download the latest FACTORY IMAGE for "barbet", which is the Pixel 5a. You want to download the SAME VERSION that is currently installed on your device. At the time of this writing, it's the September release.
From that same page, you will need the ADB+Fastboot platform tools which will allow you to perform the required tasks, download from this link:
- https://developer.android.com/studio/releases/platform-tools.html
I use Windows 10, and extract this tools download to a folder in the root of C: called "platform-tools". You will then need to add "c:\platform-tools" to your environment path.
On the Pixel 5a, you need to enable developer options. Go into Settings/About Phone/and tap "Build Number" 7 times. This enables developer options and it will let you know when you've unlocked this as you tap 7 times. Once developer options is unlocked, go back to Settings/System/Advanced, and you'll see Developer Options is now available.
Select Developer Options, and enable "USB Debugging" and also enable "OEM Unlocking".
(**NOTE** For now at least, until you decide how you want to proceed with handling updates in future (more on that later), I strongly recommend turning OFF "Automatic System Updates" as well, just a few items below "OEM Unlocking". This prevents any updates happening automatically on a phone reboot. You don't want to wake up and find an OTA update pushed out and removed root, or worse. You can always turn it back on later.)
Plug your phone into a USB port on your PC. Allow the PC to do it's thing. You can open up Computer Management on the PC (right click the windows menu button icon lower left of your toolbar and select "Computer Management". Select "Device Manager" on the left panel. You should see "Android ADB Device" appear at the top of the right pane list of devices. if not, then visit:
Install OEM USB drivers | Android Studio | Android Developers
Discover links to the web sites for several original equipment manufacturers (OEMs), where you can download the appropriate USB driver for your device.
developer.android.com
and download the appropriate USB driver for your system and retry the above directions.
First thing we have to do is unlock the bootloader.
On the PC, open a command prompt and change directory to "C:\platform-tools" as discussed above.
Now, type in "adb reboot bootloader". The phone will reboot into bootloader. (you may receive a dialog on the phone which says something to the effect of not recognizing the PC. Go ahead and allow it, check the box to allow it in the future, and proceed.
Phone is now at the bootloader, and shows you some info letting you know it's so, including that the bootloader is locked. Also, look at the Device Manager we opened earlier and confirm that you see Android ADB Device (or similar) which confirms your PC recognizes the phone and setup for ADB commands .
To unlock the bootloader, in the command prompt type:
fastboot flashing unlock
This will unlock the bootloader, you will likely see a warning that it's going to wipe the phone. Proceed and allow the unlock. The phone will then reboot and take you to your wiped phone just as you received it out of the box, except the bootloader is now unlocked and Developer Options are still available. Let the phone continue through it's first-time setup, and leave the phone plugged into the PC. If you unplugged no biggie, but we're going right back to the PC shortly and it will need to be plugged back in before the next step to accept the file we're going to push to it.
Now, you want to open a browser on the phone and go to (at the time of this writing, v23.0 is the current stable Magisk):
Release Magisk v23.0 · topjohnwu/Magisk
This release is focused on fixing regressions and bugs. Note: Magisk v22 is the last major version to support Jellybean and Kitkat. Magisk v23 only supports Android 5.0 and higher. Bug Fixes [App]...
github.com
Scroll down and under "Assets" select that Magisk 23.apk file, download and install it. Open Magisk if it doesn't open on install, and just let it sit, we're coming back to it shortly.
PATCHING THE BOOT.IMG FILE
On the PC, go back to the Factory Image you downloaded, and extract it to a temporary directory. You will see 6 files; a few "flash-all" files, a radio image, a bootloader image, and a ZIP file called "image-barbet-XXXXXXXXXXX.zip (the xxx's are whatever the version number is you've downloaded). Double click that ZIP file and you will see a dozen files. The one we need to root the device is "boot.img".
Copy (don't move!!) this file to c:\platform-tools. Now, go back to your command prompt (still pointing to c:\platform-tools) and type in:
adb push boot.img /sdcard/Download
Now back on the phone, within the Magisk app we left open, at the top where it says Magisk, choose to install. A dialog box will open, select Patch Boot File Image. Point the process to your /sdcard/Download, and select the boot.img file we just pushed there. Now allow it to patch the boot.img and Magisk will show you it's patching it, and in a moment tell you it was successful. Close the Magisk app, open "Files" and direct it to sdcard/Download. Note the name of the patched boot file, which is called "magisk_patched-XXXXX_xxxxx.img (the X's are the Magisk version, and the x's are 5 random chars). Feel free to leave it there as you go back to the PC...
Back on the PC, in the command prompt, now type:
adb pull /sdcard/Download/magisk_patched-XXXXX_xxxxx.img
make certain you get the name exact or it won't go, no worries, just get it correct. The file now resides in the "c:\platform-tools" directory along with the unpatched "boot.img" and your ADB+Fastboot tools.
Just about done rooting, here we go!
Now, in the command prompt type:
adb reboot bootloader
The phone reboots into bootloader. Now type:
fastboot flash boot magisk_patched-XXXXX_xxxxx.img (again, use the numbers and letters in YOUR patched file!)
Lastly, type:
fastboot reboot
Your phone reboots, and you should be rooted!! Unplug your phone from the PC, open up Magisk App and confirm, the Magisk entry at the top of the main Magisk App screen should now show you the version you installed, etc!
Time to get your banking apps (and any others that may detect unlocked bootloaders/root/etc) working!
In the Magisk App, on the bottom of the screen is a 4 item menu bar. Select the right-most icon, which is "Modules". At the top of the screen select "sorting order" and sort alphabetically. Scroll down to "riru" and select the module that is JUST "RIRU", (not any of the other "riru _______" modules). Choose to download it, then choose to install it. You'll be prompted to reboot the phone, so reboot the phone.
Next, we're going to install drag0n's Universal SafetyNet fix (at the time of this writing it's currently v 2.1.1) You will need to download this via a browser on your phone, so open a web browser and go to:
GitHub - kdrag0n/safetynet-fix: Google SafetyNet attestation workarounds for Magisk
Google SafetyNet attestation workarounds for Magisk - GitHub - kdrag0n/safetynet-fix: Google SafetyNet attestation workarounds for Magisk
github.com
On the right-hand side, you'll find "Releases", and v2.1.1 is the latest. Select that, then scroll down to "Assets" and download "safetynet-fix-v2.1.1.zip" By default this will download to sdcard/Download.
Go back into the Magisk App, select the "Modules" menu as above, and at the very top select the "Install from Storage" bar. Point to the file we just downloaded and install it (don't extract it, etc, it requires the zip exactly as downloaded and will do it's thing). Again, it will install the module and prompt you to reboot. Reboot.
Almost there!
At this point, if you havent installed your banking apps, do so. DON'T RUN THEM, just install them. I also have a Nintendo Switch Online app which failed because of root, so if you also have or want this app, install it now, again, do NOT run it yet, just install. Same with any other apps you are aware which have root/bootloader unlocked issues, get them installed, but don't run 'em.
Now, we're going to use MagiskHide to hide these apps and complete the process for passing SafetyNet and running apps which may not run due to root.
in the Magisk App, at that 4 item menu bar at the bottom, select the 2nd from left, or "MagiskHide". Select the MagiskHide item and it will open to a scan of all the apps on your system. By default I believe Magisk sets up to hide Google Play Services. You will see it selected, and all the other apps on your system unselected. Select each of the banking apps, the Nintendo Switch Online (if you have it), and any other apps that YOU ARE SURE will complain about unlocked bootloaders and/or root. Any onilne gaming that's popular are good choices, but again, it's easiest to NOT RUN them PRIOR to hiding them via MagiskHide. Pokemon GO comes to mind as one I've seen that needs hiding, etc, so make it easy on yourself and do a little research on any suspect apps prior to running them, then hide them if needed.
Anyhow, select your banking apps to hide them.
Now, we're going to check SafetyNet to make sure youll now pass.
On the Home menu in the Magisk App, select "Check SafetyNet". You will be prompted to download some proprietary SafetyNet shhhhhhhtuff....so let it download. Once done, SafetyNet check will open, and you should show a blue screen which says SUCCESS, and "basicintegrity" and "ctsProfile" will be checkmarked, evalType will show BASIC.
You're good to go, rooted, SafetyNet works perfect, and you can now open your banking apps and should open right up!!
If you find any specific issues about specific apps not working, or detecting root, etc, the best place to get help is in the Magisk General Discussion forum:
Magisk General Support / Discussion
This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread
forum.xda-developers.com
I owe those folks eternally for showing me what I know, and always having the answers for any issues I've ever had. Some of the nicest, smartest people Ive had the pleasure of knowing, they're always helpful, and even maintain fantastic sites for FAQ and chock full of great info about every aspect of Magisk.
BONUS ITEM: As I indicated above, I'd share the method I know, trust, and have used many many times, trouble free, to apply a system update to the phone without overwriting anything, and not hitting any issues many encounter using the OTA method (though I understand that's been vastly improved, I haven't educated myself as to that process and will likely continue to use this method).
Security Update (monthlies) Process using Full System Image
As above, download the newest Full Factory Image from the site. Extract this full image to a directory inside C:\platform-tools
In this directory, if you're on Windows, open the "flash-all.bat" file (don't run it, open it with Notepad or something similar, I really like Notepad++ as it's free, has a LOT of great functionality and, like the native Notepad, doesn't do any goofy formatting/fonting/etc when modifying and saving a file.)
In flash-all.bat, look for the "-w" entry in the fastboot command near the end of the file and REMOVE ONLY THE "-w", leaving the line correctly formatted (don't leave an extra space or something goofy), then save the file over the top of the original with the same name. This will remove the overwriting of your data when pushing the image, the "-w" tells the process to overwrite, so we remove it.
Open up a Windows Explorer and go to your c:\platform-tools directory. Delete (or move to another location) any "boot.img" files along with any "magisk_patched-XXXXX_xxxxx.img" files from previous operations. Also note and confirm that you have correctly extracted the latest Full System Image to it's own directory, residing in c:\platform-tools.
Now, connect your phone to the PC. Open your command prompt and point to "C:\platform-tools" again. Type: cd <name of Full system Image directory>
In command prompt, type:
adb reboot bootloader
The phone is now in bootloader. In command prompt, confirm you're pointing to "C:\platform-tools\<Full System Image extract dir>" Type:
flash-all
This will do a full factory image push to your phone, you'll see a couple quick writes and phone reboots, then begins writing the rest of the image to your phone, but since we removed the "-w" from "flash-all.bat", it's NOT overwriting your data, just the necessary system files to update it to the latest version!
Reboot your phone, let it do any optimizing and updating it needs to do, and don't run anything yet, we're not quite done, just let the phone settle in and finish booting and doing it's thing.
Now, go back and perform the steps above listed under "PATCHING THE BOOT.IMG FILE" to patch the newest boot.img from the Full System Image we just updated the phone with (push the boot.img to sdcard/Download, patch with Magisk App, pull magisk_patched-XXXXX_xxxxx.img to your PC, blast it back using fastboot), and you've now rerooted the phone.
Lemme just say again that I know this was a friggin' book, and I tried to make it as clear and plain language as I could to help even a first timer, so my apologies if it seems like an onerous process. It's really not, and once you've done this once or twice, it's a cakewalk and takes about 10 minutes of your time from start to finish to do the whole system update and reroot. Again, the newer methods to take OTA without losing root may be something you'd like to look into, i definitely will, but I'm very confident in sharing this method as I know it works like a champ and is foolproof if you take your time the first few times and make sure you do what's required (remove the "-w" from the flash-all.bat, etc)
Lastly, I've been using this method since the Pixel 2, and just performed it on my new 5a, it worked exactly as it has for years for me on the P2, so you can be confident moving forward that, if you follow instructions and take your time until it's all familiar, you'll be successful in rooting, passing SafetyNet, and applying system updates without screwing up the A/B slots or overwriting your data in the process.
I hope this helps even one person, and since I rarely find myself able to give back to the community in any real meaningful way (many of these folks are WAAAY beyond my modest skills and know so much!!), I hope that this provides some folks with a useful and meaningful tutorial, providing confidence that anyone can root their P5a (or about any Pixel it seems) without being a Magisk/Android prodigy.
@Didgeridoohan, @pndwal, @zgfg, @jcmm11, and so many others over the years have been so helpful, I couldn't have done any of this without their selfless help, so give those folks a big thanks also if this is any help to you.
Best of luck,
hfam

Thanks for the write-up @hfam, it's good to know that some of the steps that i tried aren't really necessary, like using props config or hiding the actual magisk app.
Appreciate you!

nsoult said:
Thanks for the write-up @hfam, it's good to know that some of the steps that i tried aren't really necessary, like using props config or hiding the actual magisk app.
Appreciate you!
Click to expand...
Click to collapse
Awww, thanks! Glad to do it and really hope it helps some folks tackle rooting their phones and passing SN!

Rooted with magisk v.23 - flashed zip as a module

So has anyone installed the October update yet?

GrandAdmiral said:
So has anyone installed the October update yet?
Click to expand...
Click to collapse
Yep, good to go. I used the same method I shared above.

Is this working with Android 12? Which Magisk version to use?

This method did not work for Android 12. I updated my rooted phone to android 12 OTA. It returned to stock. I followed the method above to patch the factory boot.img file with magisk. After flashing my phone in bootloader with the patched boot.img, my phone will not reboot. says:
failed to load/verify boot images
Any advice? My Magisk is v23. Do I need to use a beta version?

Poking around in this thread, it seems that android 12 root is a much more involved process, requiring factory wipe and additional steps.
[Guide] Flash Magisk on Android 12
Trying to root the Pixel 5 running Android 12 by flashing a magisk-patched boot image results in the phone only booting to fastboot mode ("failed to load/verify boot images") Some users have reported that booting (instead of flashing) the patched...
forum.xda-developers.com

tintn00+xda said:
This method did not work for Android 12. I updated my rooted phone to android 12 OTA. It returned to stock. I followed the method above to patch the factory boot.img file with magisk. After flashing my phone in bootloader with the patched boot.img, my phone will not reboot. says:
failed to load/verify boot images
Any advice? My Magisk is v23. Do I need to use a beta version?
Click to expand...
Click to collapse
As you stated, you are correct. You need to perform a full wipe or flash the factory image with a wipe and then root works fine and phone boots. Tried myself and works fine.

Related

[ROOT] SM-T707A - Lollipop with SuperSu - Xposed & Debloated - Part II

Root SM-T707A on Lollipop with SuperSu - Xposed & Debloated - Part II
Where are we right now?
* Part I: Flash Stock Lollipop 5.0.2.
* Part II: Gain Root access for Lollipop with SuperSU. <---- YOU ARE HERE!
* Part III: Flash Xposed Framework thru Flashfire.
* Part IV: Debloat the tablet from both AT&T and most of Samsung stuff.
* Part V: Improve usability and aspect with Xposed Modules.
Once again, some words of our sponsors: NO, I'm NOT resposible for any consequence originated from the use of this guide, being that the death of your tablet, or your smart tv, the Panama Papers or Luis Suarez just playing rough with Filipe Luiz's foot. Whatever happens to your tablet, it's ON YOU.
Introduction (PLEASE READ!):
This guide works as a continuation of Part I, so we assume you flashed KitKat and applied Lollipop updates as described.
If you are already on Lollipop and have several weeks using it, of course you can try this guide, but I STRONGLY SUGGEST to start from zero, backup your files and use the guidelines on Part I of this guide.
Part II: Gain Root access for Lollipop with SuperSU
IMPORTANT - During the first boot on our brand new lollipop, don't try to connect to your WiFi and remove your SimCard if availble before even selecting any option. We don't want any internet at this time.
Our first move in Lollipop is to Reject all the AT&T offers..
Then accept terms of Samsung EULA (and hit No Thanks below)...unless you want to share information with Sammy.
Then you can put your name (I didn't), it' s up to you.
Disable the 3 checkboxes for location services (you can enable this later).
Then skip the Samsung Account creation and hit also Next on my "Find my mobile" screen without doing nothing.
Finally, you'll reach the Android Desktop.
Setting the stage for rooting with KingRoot
Still avoiding any conection to the internet, go to your apps and tap Settings.
Before doing nothin, I strongly suggest you change your language to english in case you use another.
If your first language is English, you're good.
If it's not, you can change it on General TAB, then "Language and Input".
After this, tap the Device tab, choosing then Display option on the left.
Choose Screen timeout and select 10 minutes.
Now select Lock screen on your left and Screen lock on your right. Tap "None".
Now go to "General" tab and tap "Security".
Enable the Unknown sources checkbox and press OK on the popup.
Press home button. Now you can connect to your Wifi.
The moment you got Internet, Samsung will start forcing some updates on your tablet.
At the same time, several Google popups will ask you to "regularly check device for security".
Decline them all the time!
There is a "Games" app that loves to open itself without asking
When that happens, it will introduce you to an agreement that you will REJECT.
If it doesn't show, better. But it will eventually.
Now enter the Play Store and Log in with your credentials.
Accept the playstore conditions when prompted. If you are kicked out of the app just enter again.
Still inside Playstore, now swipe from your left side border to gain access to the menu.
Tap "My Apps" and use the "Update All" button on the right.
Accept all APP Permisions (seven times in my case).
The update process will start. This will take some time so BE PATIENT and do nothing else.
When everything is updated, you'll notice some warning on your status bar.
Swipe down your status bar. It will ask several times to Update Google Play Services.
Tap any of update offers for Play Services. Playstore will open again offering the update.
Hit Update and Accept. When the update of Google Play Services is finished, hit the Open button.
You gain access to Google Settings. Tap Security.
Disable "Remote locate this device" - "Allow remote lock and erase".
Disable also "Scan device for security threats" and "Improve harmfull app detection" (unless is greyed out).
Hit the home button and go back to desktop.
Installing KingRoot
For the next step, you need to download these files on your PC:
* Kingroot V4.90
* RemoveKing
Copy them on your tablet's internal memory. Specifically on the root of your internal memory. If you copy them inside a folder, later commands will fail.
Back to your tablet's desktop, look for the folder icon on the bottom left corner. This will open the Samsung File Manager. Look for "Device Storage" on the left column. If you copied the files correctly, you'll find both on the right pane of the display. Extract the RemoveKing.zip file by tapping it and clicking "OK". A RemoveKing folder will appear on the root of your filesystem.
Now open the Kingroot V4.90 file. Hit Next and then Install.
If a google warning appears citing - "Installation blocked". Hit "Install anyway" (unsafe).
If it doesnt, just hit Open. A blue screen shows up with the legend "ROOT auth".
Swipe upwards twice (assuming you're holding your tablet in portrait).
Now hit the "Try it" button. The app will verify root status in a matter of seconds.
Now tap the "TRY THE ROOT" button at the bottom.
When the root is sucessful, you'll be asked to "Forbid Knox".
Tap Cancel and press the home button. Now you are rooted with Kingroot.
Installing and preparing Terminal Emulator
Now that we are rooted, enter the playstore and install the app "Terminal Emulator for Android". Open it. You'll notice some small font selected so, hit the 3 dots on the right upper corner and go to preferences. On Font Size choose 24 pt. Hit the back physical button of the tablet. Now the "white letters" become readable. And it shows something like:
Code:
klimtlteatt:/ $
Next type the following and hit enter:
Code:
su
A Kingroot popup will ask for root permission. Tap "Allow".
Now the $ symbol will change for #.
Next you hit the HOME button to exit the app briefly (don't close the app in any other way, just hit the HOME button).
Uninstalling KingRoot
After that, go to your apps and enter the KingRoot app.
Now tap the 3 dots on the upper right corner and select "General Setting". Disable "Smart Authorization", then disable "Enable Root Authorization". Finally choose below "Uninstall KingRoot". Hit Continue. Uncheck "Backup Root" when prompted and hit OK. When all is over, you're back to the desktop. Go back again to your apps and uninstall Purify.
Applying the Scripts
Open again Terminal Emulator app (thru the app Icon) . Now we need to hit a couple of scripts by moving first to our extracted folder by entering the following command on the terminal (plus enter):
Code:
cd /sdcard/RemoveKing/
To run the first script type (then press enter):
Code:
./step0.sh
It just takes 3 seconds, then type the following and press enter:
Code:
./step1.sh
This last script will ask for a confirmation during its process.
Type just an "y" and hit enter: (WARNING, the Y won't appear on your display after typing it)
Code:
y
You'll notice a bunch of errors, don't mind them.
Installing SuperSU
Now hit the home button and go to the play store.
Search and Install SuperSU (free version). Open it. Choose Expert.
The app will ask "The SU binary needs to be updated, continue?".
Hit Continue and then choose "Normal" when asked on the next popup.
You'll receive an "Installation Sucess!". Tap the Reboot option.
Congratulations! You are now rooted with SuperSU.
After rebooting, enter the Terminal app once more, and tap the X on the right upper corner and hit OK.
That will finish the current terminal session.
If you're interested in getting Xposed Framework, go to part 3 of this guide.
If you're just interested in debloating the SM-T707A and improve its performance, go to part 4 (Soon).
Part 5 is where I discuss the modules I'm using on Xposed and also some Playstore apps to improve functionality, and remove as much Touchwiz as possible, while also working on better battery life (Soon too).
Final Considerations (suggested reading - not mandatory)
While this guide may seem easy to carryout, it took me almost a month to get SuperSu to work on Lollipop.
I'm no coder (a soon to be Certified Public Accountant), and the real magic to pull this off was to try many combinations of different app versions, different situations with google services and several strategies with the script and superSU. In fact, most of KingRoot versions don't work on this tablet to get root, also tried SuperSume app from the playstore. The same could be said for KingoRoot (don't confuse it with KingRoot), it worked but I couldn't remove it without losing root.
Why I'm telling you this? Because using KingRoot and similar apps to root this tablet, your mileage may vary while doing it. In fact, even while applying my first two guides there's a respectable chance of KingRoot tool failing to root your tablet. If you followed this couple of guides to the last comma, your chances of success are very close to 100%. But I have noticed in similar Galaxy Tab S threads, that the use of KingRoot and KingoRoot to achieve root is just a matter of using the root tool many times until it works, and I wanted to avoid you guys going thru that. To take sucess rate as close as it gets to 100%, we took all of this steps. They were included to avoid many failures. I believe they're are 99% flawless to achieve root on Lollipop with SuperSU.
Also, the second script won't remove many KingRoot files, because it was thought for KingoRoot on KitKat.
I have to give myself more time to develop something that could really clean up the last traces of KingRoot.
Special Thanks
* @chixvicious - For showing how to achieve the same over KitKat and KingoRoot instead.
* @bakageta - For creating these scripts for the Alcatel smartphone over KingoRoot.
* @Kingxteam - For developing KingRoot to allow us to root our device.
Oh wow, I had forgotten all about those scripts. Glad to see someone getting some use out of them.
bakageta said:
Oh wow, I had forgotten all about those scripts. Glad to see someone getting some use out of them.
Click to expand...
Click to collapse
They were life-savers, thanks a lot for them!!
Broken links?
First and foremost, thank you for the thorough walkthrough.
I've come across an issue with the provided links to KingRoot and RemoveKing. When I click on either, I receive the following message:
"Invalid Attachment specified. This can happen for a variety of reasons-- most likely because the thread or post you are trying to view has been moved or deleted. Please return to the forum home and browse for another similiar post."
Do you have any alternate links available?
EDIT: I did find an alternate method that worked for proper replacement of KingRoot with SuperSU. All good, and glad for the compatible xposed framework.
zopert said:
First and foremost, thank you for the thorough walkthrough.
I've come across an issue with the provided links to KingRoot and RemoveKing. When I click on either, I receive the following message:
"Invalid Attachment specified. This can happen for a variety of reasons-- most likely because the thread or post you are trying to view has been moved or deleted. Please return to the forum home and browse for another similiar post."
Do you have any alternate links available?
EDIT: I did find an alternate method that worked for proper replacement of KingRoot with SuperSU. All good, and glad for the compatible xposed framework.
Click to expand...
Click to collapse
Thanks for the heads up!!. I'll check them ASAP.
EDIT: All links are fixed!!
kainanmaki said:
Thanks for the heads up!!. I'll check them ASAP.
EDIT: All links are fixed!!
Click to expand...
Click to collapse
Man, can't thank you enough for this...So great for someone like me with little knowledge for all this magic. I am gonna do this when I get back from vacation. Can't wait for the rest of it!
Thanks again
ElCid43 said:
Man, can't thank you enough for this...So great for someone like me with little knowledge for all this magic. I am gonna do this when I get back from vacation. Can't wait for the rest of it!
Thanks again
Click to expand...
Click to collapse
I hope to get part IV and V in no more than 10 days...
I'm in the process of testing removing/freezing many services, just a sneak preview:
So far I was able to disable close to 180-190 apps/services from a total 250-260 (can't remember the exact number).
Of course there are some key services removed (for e.g multi windows, but that's just one service).
Still you can easily remove like 165 without losing any stock functionality. That's how much bloated the tablet is.
Removing useless stuff from samsung and 3rd party (eg. VPN, Policy Updates) or more evident like MultiWindow, the gallery app or even the file browser.
Or the weird ones like the phone app that is hidden and you can't use (you can disable it and still keep LTE Data).
More to come.
Need Help - Having Untimely Reboot Issues
Wow...Thanks SO MUCH for this guide! It gives me hope that I can actually enjoy using my T707A to the fullest!
Alas, I need some assistance PLEASE:crying:
I'm following your guide to the letter, and I've successfully achieved Part 1. Part 2, however, alludes me even after many, many tries. Here is what is going right and wrong:
a) Achieved root with KingRoot
b) installed and achieved SU with Terminal
c) ISSUE - KingRoot (or something) reboots the tablet during Uninstall, which kills SU access obtained with Terminal
d) ISSUE - after reboot, I no longer have permission to run the scripts to uninstall KingRoot
Is there another way for me to do this? As long as the tablet is rebooting during uninstall of KingRoot I have no SU access, so can't do anything but start over and experience the same thing time after time.
ANY assistance would be so very much appreciated...MOST humbly & sincerely...Tom
Where did you find the alternate method??
zopert said:
First and foremost, thank you for the thorough walkthrough.
I've come across an issue with the provided links to KingRoot and RemoveKing. When I click on either, I receive the following message:
"Invalid Attachment specified. This can happen for a variety of reasons-- most likely because the thread or post you are trying to view has been moved or deleted. Please return to the forum home and browse for another similiar post."
Do you have any alternate links available?
EDIT: I did find an alternate method that worked for proper replacement of KingRoot with SuperSU. All good, and glad for the compatible xposed framework.
Click to expand...
Click to collapse
Hi...I am VERY interested in your "alternate" method for replacement of KingRoot with SuperSU that actually worked. Would you be so kind as to share that with me? I'm having huge troubles (see my post) replacing KingRoot as it reboots thus killing my SU access necessary to run the uninstall scripts provided in OP. Any help would be GREATLY appreciated. MOST humbly & sincerely...Tom
TomandJonna said:
Wow...Thanks SO MUCH for this guide! It gives me hope that I can actually enjoy using my T707A to the fullest!
Alas, I need some assistance PLEASE:crying:
I'm following your guide to the letter, and I've successfully achieved Part 1. Part 2, however, alludes me even after many, many tries. Here is what is going right and wrong:
a) Achieved root with KingRoot
b) installed and achieved SU with Terminal
c) ISSUE - KingRoot (or something) reboots the tablet during Uninstall, which kills SU access obtained with Terminal
d) ISSUE - after reboot, I no longer have permission to run the scripts to uninstall KingRoot
Is there another way for me to do this? As long as the tablet is rebooting during uninstall of KingRoot I have no SU access, so can't do anything but start over and experience the same thing time after time.
ANY assistance would be so very much appreciated...MOST humbly & sincerely...Tom
Click to expand...
Click to collapse
I had that problem many times, the uninstall reboots the tablet before you can establish SuperSu.
The most reliable way I found of overcoming this is to follow the exactly in this order and without stopping to much because google wants to run updates behind scenes that mess with our process (that's why sometimes it works and sometime it doesn't). My recommendation is to start over from scracth again (I know it's boring). I'll probably do it again on my tablet just to validate and to try some other things related to the original services).
TomandJonna said:
Hi...I am VERY interested in your "alternate" method for replacement of KingRoot with SuperSU that actually worked. Would you be so kind as to share that with me? I'm having huge troubles (see my post) replacing KingRoot as it reboots thus killing my SU access necessary to run the uninstall scripts provided in OP. Any help would be GREATLY appreciated. MOST humbly & sincerely...Tom
Click to expand...
Click to collapse
Other thing I forgot to ask, did you started clean from the first part or just started with part 2 of the guide?
Will this method trip Knox?
i need * RemoveKing file now...

Got Semi-Root-- Is Anyone Still Full-Rooted?

Dear forum,
Long time no talk! I have been able to get "root" for our phones on G925VVRU4BOG7, which anyone can downgrade to. The catch is that even with /system mounted as rw, I am unable to write to it directly through most conventional means. (I can write to /data, though, which means i can patch dalvik-cache, which means my mods are coming ) However, I am able to still write to it using another, more complicated way (I can go into more detail for those interested), as a whole. Here's where you come in-- is anyone still full-rooted? If so, please message me as soon as possible! I may be able to have users who are on newer builds downgrade to older builds and get su properly installed, then manually upgrade back up to the later builds again!
If you are rooted still, all i'm going to have you do is perform this command:
Code:
su
dd if=/dev/block/platform/15570000.ufs/by-name/SYSTEM bs=4096 of=/sdcard/system.img
Then send me that system.img file on your sdcard! It'll be pretty big, so you can zip it or .7z (7-zip), whatever you'd like to do.
I will also need what build you are on. You can just send me your Build number within "Settings->About phone".
First one who does it gets credits on the official release thread i'll make, when I get a procedure down that people can follow!
Thanks!
-Trailblazer101
i have an s6 edge on 5.0.2 rooted. Would that be of help?
Did you get the system.img file? I really wish I could help you. I have this phone on 6.0.1 and stuck without root, but the thing is I really need the root because I bought it used, worked fine the first few days, then didn't get any signal (turns out that it was reported as stolen and of course the IMEI got blacklisted; I tried to contact the seller but he was gone, and his ebay account deleted, so basicly I'm stucked with a ' 5.1" tablet' . I got scammed :/ )
I would be very grateful if you could explain how did you get root on G925VVRU4BOG7 . I know that you want the file mentioned for creating some kind of universal root for the phone, but right now I'm kind of desperate and need root as soon as possible to fix my IMEI issue and I would follow your steps if you made a tutorial.
Thank you very much!
trailblazer101 said:
Dear forum,
Long time no talk! I have been able to get "root" for our phones on G925VVRU4BOG7, which anyone can downgrade to. The catch is that even with /system mounted as rw, I am unable to write to it directly through most conventional means. (I can write to /data, though, which means i can patch dalvik-cache, which means my mods are coming ) However, I am able to still write to it using another, more complicated way (I can go into more detail for those interested), as a whole. Here's where you come in-- is anyone still full-rooted? If so, please message me as soon as possible! I may be able to have users who are on newer builds downgrade to older builds and get su properly installed, then manually upgrade back up to the later builds again!
If you are rooted still, all i'm going to have you do is perform this command:
Code:
su
dd if=/dev/block/platform/15570000.ufs/by-name/SYSTEM bs=4096 of=/sdcard/system.img
Then send me that system.img file on your sdcard! It'll be pretty big, so you can zip it or .7z (7-zip), whatever you'd like to do.
I will also need what build you are on. You can just send me your Build number within "Settings->About phone".
First one who does it gets credits on the official release thread i'll make, when I get a procedure down that people can follow!
Thanks!
-Trailblazer101
Click to expand...
Click to collapse
I am currently running on A0E2 using your rooted rom for this phone. It runs great....except I tried flashing xposed framework using Flashfire and it of course failed...due to the fact that xposed only works on 5.1.1 or above...sucks we are in such a catch 22 with our devices...although I'm happy because I am still rooted.. Anyway...I set up ADB and entered that command you posted and it worked...I just don't know where the storage location of the system.img file is for me to transfer to my PC, 7zip, and send to you. Any help would be excellent....as I desperately want to run xposed framework on my device....but am stuck on 5.0.2
r0ckinb0i said:
I am currently running on A0E2 using your rooted rom for this phone. It runs great....except I tried flashing xposed framework using Flashfire and it of course failed...due to the fact that xposed only works on 5.1.1 or above...sucks we are in such a catch 22 with our devices...although I'm happy because I am still rooted.. Anyway...I set up ADB and entered that command you posted and it worked...I just don't know where the storage location of the system.img file is for me to transfer to my PC, 7zip, and send to you. Any help would be excellent....as I desperately want to run xposed framework on my device....but am stuck on 5.0.2
Click to expand...
Click to collapse
Looking at the last part of the command and if it ran successfully, it should be in /sdcard. Did you ever find it?
gabes100 said:
Looking at the last part of the command and if it ran successfully, it should be in /sdcard. Did you ever find it?
Click to expand...
Click to collapse
Thank you I found it...I'm new to command prompt although I am learning quickly. I found it. I just need to load it onto my computer and compress it so I can send it to Trailblazer. I will do that tomorrow night when I get back home.
I have the img on my computer. It is 4.3G. How do I get it to Trailblazer? Google Drive? EDIT: it is 4.58GB. I am uploading now to google drive, it will an hour
Hi Trailblazer,
Here is a link to system.img:
https :// drive google com / open?id=0B-j3XfGrnj9PbUdwaml5eERvbFU
I am too new to post links the correct way.
Are there any updates on this topic? When I first saw this thread last week, It got me thinking about what a Tethered Root (Temporary/Semi - Root) would still be capable of doing for those of us still on Official Firmware in this day and age.
And really it occurred to me at that moment, that if we could just attain a Root Shell even if it was only for 60 seconds to five minutes, that would be sufficient to get enough root information off of the phone and into a PC editable format.
I ask, because I am in the process of forming a method for the G925V 6.0.1 [PI2] Build. The problem I'm pretty sure I'm going to run into sooner or later in my experiments/research, is the fact that I am one of the few who have the 64GB Verizon S6 Edge. Technically speaking, my device refers to itself in Download/ODIN mode as a SM-G925VZKE model. This also means that my Stock .PIT file is going to be very different than most people's, also meaning my FSTAB configuration probably will be different.
Because there shouldn't be a reason I can't at least get a temporary Root Shell very soon.
So whats up with this? My wife has 6.0.1 on Verizon and I have international much better choice. Will we have root on this phone?
If you are currently on 6.0.1 on your Verizon device. It would serve you well for the time being to disable Automatic Security Updates.
Settings > Lock Screen and Security > Other Security Settings > Security Policy Updates
Turn OFF Automatic Updates, and Turn OFF Wi-Fi Only.
If you leave these on, any potential root option will be patched by Samsung/Google before you know it exists. Disable it for now so you can find an exploit for the build the device is on.
UPDATE:
So apparantly, I've had a rooted 6.0.1 PI2 device persistent through factory resets for over a week, but didn't realize just how much was achieved on my device! According to diagnostics.
I'm already started on writing up the combination of methods that the OP was walking into. Turns out it works up to the September patch too.
But lucky me and not you this time. I got my device essentially decommissioned because I ran my code too soon. But in the sweetest possible way after being so pissed when my tech coach said my warranty was void.
By the end of tomorrow night I should have a thread.
Anyone still working on this?
d0lph said:
Anyone still working on this?
Click to expand...
Click to collapse
Yes. Using the dirtycow vulnerability we've managed to get an arm64 version running that will indeed allow a root console on MM builds.
The last thing standing in the way, for at least a tethered root, is for someone to help me convert the script from the flashable zip version of the SuperSu installer into basically a batch script. Because the how-to guide ChainFire wrote in comments inside his installer script is kind of hard to read because it covers all the different versions of android in a tiny block of text and not every device sets up the same SELinux environment.
Not to mention, if I could get SuperSU to try and install itself as a System Application, it would probably work with what I have already. But for some reason I CANNOT find a single guide anywhere on how to perform a "System" Install of SuperSU, everyone wants to use the "Systemless" version, which is NOT going to work I believe.
We can manage booting the device in the event of DM-Verity Failure, when that happens with the 5.1.1 OG ENG Kernel, we can indeed mount "/system" as read/write, and we can indeed change the contents of the System partition that persist through a reboot.
I just need help setting Perms & Contexts. Because at one point in time, I DID actually manage to get SuperSU to give me a root shell instead of a user shell, but only on the ADB Command Line. In that test I could not get an application to start from the launcher and have Root Permissions.
Delgoth said:
Yes. Using the dirtycow vulnerability we've managed to get an arm64 version running that will indeed allow a root console on MM builds.
The last thing standing in the way, for at least a tethered root, is for someone to help me convert the script from the flashable zip version of the SuperSu installer into basically a batch script. Because the how-to guide ChainFire wrote in comments inside his installer script is kind of hard to read because it covers all the different versions of android in a tiny block of text and not every device sets up the same SELinux environment.
Not to mention, if I could get SuperSU to try and install itself as a System Application, it would probably work with what I have already. But for some reason I CANNOT find a single guide anywhere on how to perform a "System" Install of SuperSU, everyone wants to use the "Systemless" version, which is NOT going to work I believe.
We can manage booting the device in the event of DM-Verity Failure, when that happens with the 5.1.1 OG ENG Kernel, we can indeed mount "/system" as read/write, and we can indeed change the contents of the System partition that persist through a reboot.
I just need help setting Perms & Contexts. Because at one point in time, I DID actually manage to get SuperSU to give me a root shell instead of a user shell, but only on the ADB Command Line. In that test I could not get an application to start from the launcher and have Root Permissions.
Click to expand...
Click to collapse
Thank you for taking the time to still work on this. Subscribed. Following this to the T.
Rand0lph said:
Thank you for taking the time to still work on this. Subscribed. Following this to the T.
Click to expand...
Click to collapse
If you want to follow the complete story of what I just mentioned please follow and contribute to this thread: Injecting Root & Setting SELinux - End Stages?
This is the thread that contains the Greyhat Root console, first designed for the AT&T Galaxy Note 5. But that device uses the same Exynos7420 Mainboard as the Galaxy S6 Edge, so the project is still compatible.
I haven't kept the OP maintained as I should yes. But it is actually worth it to read that whole thread as @droidvoider went out of his way explaining some of his methods. I have a bit of R&D that isn't posted in that thread as well, if you can read up on the project. I'd be more than happy to share what I know with anyone wanting to help as long as they can catch up with what we have accomplished so far.
Look at some of the other threads I've started as well for the initial methods.
Delgoth said:
If you want to follow the complete story of what I just mentioned please follow and contribute to this thread: Injecting Root & Setting SELinux - End Stages?
This is the thread that contains the Greyhat Root console, first designed for the AT&T Galaxy Note 5. But that device uses the same Exynos7420 Mainboard as the Galaxy S6 Edge, so the project is still compatible.
I haven't kept the OP maintained as I should yes. But it is actually worth it to read that whole thread as @droidvoider went out of his way explaining some of his methods. I have a bit of R&D that isn't posted in that thread as well, if you can read up on the project. I'd be more than happy to share what I know with anyone wanting to help as long as they can catch up with what we have accomplished so far.
Look at some of the other threads I've started as well for the initial methods.
Click to expand...
Click to collapse
Sorry, I didn't even acknowledge this is for the EDGE S6. I have a regular Verizon S6.
Rand0lph said:
Sorry, I didn't even acknowledge this is for the EDGE S6. I have a regular Verizon S6.
Click to expand...
Click to collapse
I don't really think that matters as much for the thread I referred to.
I tested the Greyhat Root Console on my S7 Edge, and it worked as well using the September build.
The S6 Line plus the Note 5, all use the same System on a Chip.
If anything, there may be just a couple tweaks to make when compiling it using the NDK.

[GUIDE] Re-locking the bootloader on the OnePlus 6t with a self-signed build of LOS

What is this tutorial?
This tutorial will:
Creating an unofficial build of LineageOS 17.1 suitable for using to re-lock the bootloader on a OnePlus 6/6t
Take you through the process of re-locking your bootloader after installing the above
This tutorial will NOT:
Remove *all* warning messages during boot (the yellow "Custom OS" message will be present though the orange "Unlocked bootloader" message will not)
Allow you to use official builds of LineageOS 17.1 on your device with a re-locked bootloader (more details near the end of the tutorial)
This tutorial will assume you are working on an Ubuntu 18.04 installation, if you are using Windows or another Linux distro, the commands may be different.
Supported devices:
Current both the OnePlus 6 (enchilada) and 6t (fajita) have been tested, but newer phones should work as well.
For simplicities sake, all further references will only be to the 6t (fajita).
Pre-requisites:
a mid level knowledge of terminal commands and features
a supported phone
a PC with enough CPU/RAM to build LineageOS 17.1 (recommended 8 cores, 24g of RAM)
a working USB cable
fastboot/adb installed and functional
LineageOS 17.1 source code downloaded
at least one successful build of LineageOS
at least one successful signing of your build with your own keys
Misc. notes:
the basics of building/signing of LineageOS is outside the scope of this tutorial, refer to the LineageOS Wiki for details on how to complete these tasks
you'll be modifying some code in LineageOS, so if you are not comfortable using basic editing utilities as well as patch, do not proceed any further
the path to your LineageOS source code is going to be assumed to be ~/android/lineageos, if it is somewhere else, substitute the correct path in the tutorial
the path to your private certificate files is going to be assumed to be ~/android-certs, if it is somewhere else, substitute the correct path in the tutorial
*** WARNING ****
This process may brick your device. Do not proceed unless you are comfortable taking this risk.
*** WARNING ****
This process will delete all data on your phone! Do not proceed unless you have backed up your data!
*** WARNING ****
Make sure you have read through this entire process at least once before attempting, if you are uncomfortable with any steps include in this guide, do not continue.
And now on with the show!
Step 1: Basic setup
You need a few places to store things, so create some working directories:
Code:
mkdir ~/android/fajita
mkdir ~/android/fajita/oos
mkdir ~/android/fajita/images
mkdir ~/android/fajita/images_raw
mkdir ~/android/fajita/patches
mkdir ~/android/fajita/pkmd
You also need to add "~/android/lineageos/out/host/linux-x86/bin" to your shell's profile path. Make sure to close and restart your session afterwards otherwise the signing will fail later on with a "file not found" error message .
Step 2: Download the latest OxygenOS from OnePlus
Go to https://www.oneplus.com/support/softwareupgrade and download the latest OOS update, store it in ~/android/fajita/oos
Step 3: Extract the vendor.img from OOS
Run the following commands to extract the vendor.img from OOS:
Code:
cd ~/android/fajita/oos
unzip [oos file name you downloaded] payload.bin
cd ../images_raw
python ~/android/lineageos/lineage/scripts/update-payload-extractor/extract.py --partitions vendor --output_dir . ../oos/payload.bin
You should now have a ~1g file named vendor.img in the images_raw directory.
Step 4: Update fajita's BoardConfig.mk
You will need to add a few parameters to the end of ~/android/lineageos/device/oneplus/fajita/BoardConfig.mk, they are:
Code:
BOARD_PREBUILT_VENDORIMAGE := /home/<userid>/android/fajita/images_raw/vendor.img
AB_OTA_PARTITIONS += vendor
BOARD_AVB_ALGORITHM := SHA256_RSA2048
BOARD_AVB_KEY_PATH := /home/<userid>/.android-certs/releasekey.key
Note you cannot use "~"" in the path names above to signify your home directory, so give the full absolute path to make sure the files are found.
Step 5: Update sdm845-common's BoardConfigCommon.mk (optional)
LineageOS by default disables Android Verified Boot's partition verification, but you can enable it now as all the required parts will be in place. However, you may not want to if you intend to make other changes to the system/boot/vendor partitions (like Magisk, etc.) after you have re-locked the bootloader.
To enable partition verification do the following:
Code:
cd ~/android/lineageos/devices/sdm845-common
sed -i 's/^BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2/#BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2/' BoardConfigCommon.mk
Step 6: Patch the AOSP/LineageOS releasetools
Two releasetools included with LineageOS need to be patched as they otherwise will not properly process a pre-built vendor.img.
The required patches can be found here:
https://raw.githubusercontent.com/W.../source/add_img_to_target_files.py-17.1.patch
https://raw.githubusercontent.com/W...r/source/sign_target_files_apks.py-17.1.patch
Download both and store in ~/android/fajita/patches.
Now apply them with the following commands:
Code:
cd ~/android/lineageos/build/tools/releasetools
patch add_image_to_target_files.py ~/android/fajita/patches/add_image_to_target_files.py-17.1.patch
patch sign_target_files_apks.py ~/android/fajita/patches/sign_target_files_apks.py-17.1.patch
Step 7: Build LineageOS
You are now ready to build:
Code:
cd ~/android/lineageos
source build/envsetup.sh
croot
breakfast fajita
mka target-files-package otatools
Step 8: Prepare vendor.img
As part of the build process above, your raw vendor.img will been copied to the $OUT directory and a new hashtree (what AVB uses to verify the image) will have been added to it.
You need to use this new version in the signing process but due to how the build system works, this is not done by default.
So, let's put it where it is needed:
Code:
cp $OUT/obj/PACKAGING/target_files_intermediates/lineage_fajita-target_files-eng.*/IMAGES/vendor.img ~/android/fajita/images
Step 9: Sign the APKs
You are now ready to sign the apks with sign_target_files_apks:
Code:
./build/tools/releasetools/sign_target_files_apks -o -d ~/.android-certs --prebuilts_path ~/android/fajita/images $OUT/obj/PACKAGING/target_files_intermediates/*-target_files-*.zip signed-target_files.zip
Note the new "--prebuilts_path" option, which points to where your new vendor.img file is located.
Step 10: Build the OTA
Now it is time to complete the OTA package:
Code:
./build/tools/releasetools/ota_from_target_files -k ~/.android-certs/releasekey --block signed-target_files.zip lineage-17.1-[date]-UNOFFICIAL-fajita-signed.zip
Note, replace [date] with today's date in YYYYMMDD format.
Step 11: Create pkmd.bin for your phone
Before you can lock your phone, you have to tell it what your public key is so it knows it can trust your build.
To do this you need to create a pkmd.bin file:
Code:
~/android/lineageos/external/avb/avbtool extract_public_key --key ~/.android-certs/releasekey.key --output ~/android/fajita/pkmd/pkmd.bin
Step 12: Flashing your LineageOS build
It's time to flash your build to your phone. The following steps assume you have already unlocked your phone and have flashed an official version of LineageOS to it. You don't need to have flashed LineageOS yet, you could use TWRP through "fastboot boot" if you prefer.
Reboot your phone in to recovery mode
In LineageOS Recovery select "Apply update"
From your PC, run:
Code:
adb sideload ~/android/lineageos/lineage-17.1-[date]-UNOFFICIAL-fajita-signed.zip
When the sideload is complete, reboot in to LineageOS. Make sure everything looks good with your build.
You may also need to format your data partition at this time depending on what you had installed on your phone previously.
Step 13: Flashing your signing key
Now it's time to add your signing key to the Android Verified Boot process. To do so, do the following:
Reboot your phone in to fastboot mode
From your PC, run:
Code:
fastboot flash avb_custom_key ~/android/fajita/pkmd/pkmd.bin
fastboot reboot bootloader
fastboot oem lock
On your phone, confirm you want to re-lock and it will reboot
Your phone will then factory reset and then reboot in to LineageOS.
Which of course means you have to go through the first time setup wizard, so do so now.
Step 14: Disable OEM unlock
Congratulations! Your boot loader is now locked, but you can still unlock it again using fastboot, so it's time to disable that as well.
Unlock you phone and go to Settings->About phone
Scroll to the bottom and find "Build number"
Tap on it you enable the developer options
Go to Settings->System->Advanced->Developer options
Disable the "OEM unlocking" slider
Reboot
Step 15: Profit!
Other things
The above will build a standard USERDEBUG version of LineageOS, however this will still allow LineageOS Recovery to sideload non-signed files. If you have implemented step 5 above, then this protects your system/vendor/boot/dtbo partitions, but none of the others. Likewise USERDEBUG builds will allow for rolling back to a previous version. To increase security and disallow both of these scenarios you may want to build a USER version of LineageOS to install. However this brings in other issues, such as flashing newer firmware from OnePlus so make sure you understand the implications of both choices. For more details on build types, see https://source.android.com/setup/develop/new-device#build-variants.
In the above example the releasekey from your LineageOS install has been used to sign AVB, but AVB supports other key strengths up to SHA512_RSA8192. You could create a key just for signing AVB that used different options than the default keys generated to sign LineageOS.
If you want to remove you signing key from your phone, you can do it by running "fastboot erase avb_custom_key".
The changes you made to the make files and releasetools may conflict with future updates that you pull from LineageOS through repo sync, if you have to reset the files to get repo sync to complete successfully, you'll have to reapply the changes afterwards.
So why can't I do this with official LineageOS builds?
For Android Verified Boot (AVB) to work, it must have the hash values for each of the system/vendor/boot/dtbo partitions stored in vbmeta. Official LineageOS builds do not include the vendor.img in them (for fajita at least, other phones may), instead simply using the existing partition on the phone.
That means that there is no vendor.img information in vbmeta for the official builds, which means AVB will fail to verify it during boot and give the red corruption message and halt the boot process after you have re-locked the bootloader.
And since you cannot add to vbmeta without the LineageOS private key, which only the LineageOS signing server has, you cannot add it.
This means you must do a full build with new signing keys to make it work.
Theoretically you could pick apart a LineageOS release, rehash the system/vendor/boot/dtbo and then recreate vbmeta and the payload.bin file, but that brings a host of other issues. For example, since such a "build" would look like a full LinageOS release, if you ever accidentally let the updater run it would brick (soft) that slot and you'd have swap back to your other slot to boot again. In an extreme case, if you managed to corrupt the second slot somehow you'd have to wipe your entire and recover from the brick with one of the available tools to do so.
Ok, what messages do I see during the boot process then?
During a boot you will of course see the standard OnePlus power up screen, followed by the yellow "custom os" message an then the stardard LineageOS boot animation.
For more details on AVB boot messages, see https://source.android.com/security/verifiedboot/boot-flow
So what do those two patches to the release tools do?
AOSP/LineageOS's add_image_to_target_files.py detects if a vendor.img file already exists, and if so, simply includes it in the build process. The patch adds one extra step, so that AVB is being enabled for the build, it will replace the existing hashtree on vendor.img using the same salt and other options as will be used on system/boot/dtbo. This ensure that when vbmeta is generated, it has the right information from vendor.img.
The script is called from the make system as part of the "mka target-files-package otatools" and the appropriate parameters from the make system, like "BOARD_PREBUILT_VENDORIMAGE", are used to create arguments to the script to build the standard image files as well as include the prebuilt vendor.img.
This script is used both during the initial build as well as the signing process, but this change is only targeted at the build time implementation. During signing, the script uses whatever hashtrees are in place and does not regenerate them.
AOSP/LineageOS's sign_target_files_apks.py is responsible for signing the APKs that have been built as part of "mka target-files-package otatools", unfortunately it is not part of the "make" system, so settings like "BOARD_PREBUILT_VENDORIMAGE" do not impact the script. This means that sign_target_files_apks.py does not have any knowledge that it should be including a pre-built vendor.img, even though it is in the $OUT directory waiting to be used.
The patch adds a new parameter to the script (--prebuilts_path), so that during the signing process, any image files found in the provided path, will be included in the process. So make sure that only vendor.img is in the provided directory. This is a directory instead of a single file as future uses may be to include things like firmware, other partition types, etc. in to the signing process.
Thank you's
Obviously to all of the members of the LineageOS team!
LuK1337 for supporting fajita
optimumpro for the OnePlus 5/5t re-locking guide (https://forum.xda-developers.com/oneplus-5/how-to/guide-relock-bootloader-custom-rom-t3849299) which inspired this one
Quark.23 for helping with the process and testing on enchilada
Nice , Will this enable widewine L1?
jsidney96 said:
Nice , Will this enable widewine L1?
Click to expand...
Click to collapse
I don't believe there is a connection between the two.
WhitbyGreg said:
I don't believe there is a connection between the two.
Click to expand...
Click to collapse
If you unlock bootloader on phones supporting L1 they drop to L3. I know some Oneplus phones (op6 etc.) did not support L1 even on stock.
cowgaR said:
If you unlock bootloader on phones supporting L1 they drop to L3. I know some Oneplus phones (op6 etc.) did not support L1 even on stock.
Click to expand...
Click to collapse
Yeah.. It brings it to L1
Great writeup @WhitbyGreg
As Android security gets tighter and tighter, hoping one day all ROMs would support AVB by default..
---------- Post added at 06:16 PM ---------- Previous post was at 05:48 PM ----------
Curious question here,
WhitbyGreg said:
*** will build a standard USERDEBUG version of LineageOS, however this will still allow LineageOS Recovery to sideload non-signed files. If you have implemented step 5 above, then this protects your system/vendor/boot/dtbo partitions, but none of the others. Likewise USERDEBUG builds will allow for rolling back to a previous version. To increase security and disallow both of these scenarios you may want to build a USER version of LineageOS to install. However this brings in other issues, such as flashing newer firmware from OnePlus so make sure you understand the implications of both choices***
Click to expand...
Click to collapse
After a launch of any phone, how drastic are such firmware updates to bother about? In other words, Unless we're in stock ROM is it mandatory to update phone firmware?
arvindgr said:
Yeah.. It brings it to L1
Click to expand...
Click to collapse
Good to know.
arvindgr said:
Great writeup @WhitbyGreg
As Android security gets tighter and tighter, hoping one day all ROMs would support AVB by default..
Click to expand...
Click to collapse
That would be nice but more importantly, more phones need to support re-locking.
arvindgr said:
Curious question here,
After a launch of any phone, how drastic are such firmware updates to bother about? In other words, Unless we're in stock ROM is it mandatory to update phone firmware?
Click to expand...
Click to collapse
Reasonably important, after all, if you never get firmware updates you'll have outdated security patching for the firmware. Some official LOS builds require newer versions of the firmware as they are released and won't install without it.
This guide was very helpful to me when re-locking my Oneplus 7T and enabling hash/hashtree verification. A dude on telegram had actually sent me the link and I only briefly skimmed over. Ironically when looking for patches to fix my issues after attempting to include pre-built vendor/odm and failing I cross referenced and ended up back here.
Here's where I originally found them:
https://review.lineageos.org/c/LineageOS/android_build/+/278015
https://review.aosip.dev/c/AOSIP/platform_build/+/13385
I myself have made some more patches to ensure every possible pre-built image gets signed on my builds. After some experimentation I have found it possible to have Magisk with hash verification enabled
https://github.com/Geofferey/omni_android_build/commits/geofferey/android-10
There is also a fix to ensure appropriate args get passed when regenerating hashtree for pre-built vendor.
Geofferey said:
This guide was very helpful to me when re-locking my Oneplus 7T and enabling hash/hashtree verification.
Click to expand...
Click to collapse
So you can confirm you have relocked the bootloader on the 7T with AVB enabled?
Geofferey said:
A dude on telegram had actually sent me the link and I only briefly skimmed over. Ironically when looking for patches to fix my issues after attempting to include pre-built vendor/odm and failing I cross referenced and ended up back here.
Here's where I originally found them:
https://review.lineageos.org/c/LineageOS/android_build/+/278015
https://review.aosip.dev/c/AOSIP/platform_build/+/13385
Click to expand...
Click to collapse
Yes, those are my patches that I've submitted to LOS, I also have two other patches submitted to allow for other prebuilt images (aka firmware images) to be included in the build process.
Geofferey said:
I myself have made some more patches to ensure every possible pre-built image gets signed on my builds. After some experimentation I have found it possible to have Magisk with hash verification enabled
https://github.com/Geofferey/omni_android_build/commits/geofferey/android-10
There is also a fix to ensure appropriate args get passed when regenerating hashtree for pre-built vendor.
Click to expand...
Click to collapse
I'll take a look and see if I need to update any of my submissions, thanks.
I will have to update those commits with you as author. I messed that up and set person who picked yours as author. I am sorry. BTW thank you for those patches they were a lifesaver and inspired me.
Yes, I can confirm re-lock with AVB enabled on 7T works and also with hash verification. If I flash an image not signed by the build process with hash verification enabled I go red. Currently I am working on getting magisk directly integrated with build instead of using prebuilt patched imgs that cause builds to not pass CTS.
Geofferey said:
Currently I am working on getting magisk directly integrated with build instead of using prebuilt patched imgs that cause builds to not pass CTS.
Click to expand...
Click to collapse
Why do you want to put Magisk if you went to all the trouble of having avb with a locked bootloader? Isn't rooting defeating the purpose of avb?
quark23 said:
Why do you want to put Magisk if you went to all the trouble of having avb with a locked bootloader? Isn't rooting defeating the purpose of avb?
Click to expand...
Click to collapse
No, it does not defeat the purpose... Hashtree verification will still happen since root can be included in the build as opposed to flashing after the fact. In a way it's actually even more advised. The way I think, having root may lead to a means of being exploited but true AVB closes the door to any persistent rootkits that may try to modify partitions at block level. If ANYTHING modifies the verified partitions phone will refuse to boot and I will be protected. Doing exactly what AVB is supposed to do, verify the phone is in it's intended state. I also think of phone as a computer, you have root access on Linux, Windows and even Mac for Christ sake, why shouldn't it be the same for phones? The ONLY reason we don't by default is so manufacturers and carriers can stay in control. I've been rooting and modifying phones for years without AVB and yet to have a known breech of my data besides the Google apps constantly collecting on me. This just adds another level of security that I used to sacrifice in order to have root access.
Here is my PoC to include Magisk in builds so dm-verity can be kept enabled. Just two commits. If someone could make this better that would be really cool.
https://github.com/Geofferey/omni_android_build/commit/d60958780e6b26d7cb0cec5939b82df3df74a68f
https://github.com/Geofferey/android_vendor_magisk
I have rooted for testing and you don't gen any warning. The way avb works on my phone is it discards any modification after reboot. With no warning at boot time. If you get hacked, you can have persistent hacks with root. Make a modification from twrp with avb enabled and see for yourself.
You break the Android security model by rooting the phone. If you need certain things you can include them at build time, such as a custom hosts file.
Also, what can you do with root that does not alter the hashtree?
The power you mention is of no real use yet you expose yourself by having it. Sure, you can go by without any issues. The problem is if you happen to get hacked, the attacker has full control over your phone. You won't br able to get rid of it by rebooting.
Also I see no way for google to collect data in this setup, with or without root. Afwall has an equivalent in android 10 (that mobile data & wifi setting) and inter process comms are the real issue if you are worried about rogue apps. Afwall leaks dns requests like crazy anyway.
I say you are better off letting root go and include what you need at build time. I see that as better spent effort than trying to add root.
quark23 said:
I have rooted for testing and you don't gen any warning. The way avb works on my phone is it discards any modification after reboot. With no warning at boot time. If you get hacked, you can have persistent hacks with root. Make a modification from twrp with avb enabled and see for yourself.
Click to expand...
Click to collapse
So you built your ROM from source with root included, had TWRP go through signing and was able to modify system and other partitions without receiving a device corrupt message? I highly doubt AVB is even implemented appropriately if you were able to do so. If it is implemented it sounds like the old version, tho I remember if I violated FS too much it wouldn't be able to fix and failed to boot. Having a locked bootloader because AVB is enabled does not mean dm-verity is enabled. Also, it should be nearly impossible to just write things like files to /system or w.e. if you are on a device that ships with 10.
quark23 said:
You break the Android security model by rooting the phone. If you need certain things you can include them at build time, such as a custom hosts file.
Click to expand...
Click to collapse
I know it does, but I am not doing such small things as modifying a host file. The kinds of things I include in my personal ROMs require such a high level of access to the point where I can not write SE polices that will allow me to pass CTS and spit out user builds without serious modifications to the build env.
quark23 said:
Also, what can you do with root that does not alter the hashtree?
The power you mention is of no real use yet you expose yourself by having it. Sure, you can go by without any issues. The problem is if you happen to get hacked, the attacker has full control over your phone. You won't b able to get rid of it by rebooting.
Click to expand...
Click to collapse
The act of flashing Magisk is what breaks AVB, if you include it in the ROM at build time like I am doing then it doesn't need to be flashed. It makes modifications to the system by binding data from the wipeable data partition to /system/. If something utilizes that to install a backdoor or tunnel it goes bye-bye when I wipe. If something utilizes it to flash anything or modify system device no boot.
quark23 said:
Also I see no way for google to collect data in this setup, with or without root. Afwall has an equivalent in android 10 (that mobile data & wifi setting) and inter process comms are the real issue if you are worried about rogue apps. Afwall leaks dns requests like crazy anyway.
Click to expand...
Click to collapse
You're kidding right? Android solely exist as a mean for Google to collect data. That was the whole idea behind Android. Buy & develop an OS that any manufacturer can put on their device, let them certify for Google Play Services and collect the data that powers their ad platform. They certainly didn't opensource their baby for free. If you allow ports 80 and 443 out with inbound related allowed, that's all they need.
quark23 said:
I say you are better off letting root go and include what you need at build time. I see that as better spent effort than trying to add root.
Click to expand...
Click to collapse
I'd just rather the manufactures and Google would implement a root solution that plays nice with Androids security instead of making us resort to violating it. It's funny to me that we find it acceptable for these fools to maintain control of something you purchased with your hard earned dollars because they think we are too stupid to have it. Like I stated root and admin privileges are fully available to us on nearly any PC but phones for some reason are an exception.
_________________________________________________
I could rant and debate about this forever... Fact of matter is, you don't have to disable every Android security feature to have root.
I didn't build with magisk, I just flashed after building.
But you can try and modify anything on /system or /vendor from twrp, without magisk, without locking the bootloader, and see what happens. Avb discards the modification, but doesn't warn you. Curious of your findings regarding this. If you then flash magisk, you ofc break the hashtree and avb and the mods remain persistent.
I understand that you are building with magisk included in the hashtree. What I am wondering is what exactly are you wanting root for? What are you doing with root that does not break the hashtree?
Regarding the data collection, you lost me. What exactly is being collected on a LOS userbuild without google services? Got any dns logs or mitm wireshark packets to show? What service exactly is collecting what kind of data? Google's dns servers can be replaced before building, Greg has some scripts for that. Captive portal can also be replaced or turned off. Apart from that, and any apps you add yourself, what kind of data is being collected as I want to check it out myself. I've monitored my phone and it's pretty silent. Whatever goes out is from additional apps I use. But I don't see anything from LOS. Really curious about this.
Regarding your last point I think it's something akin to risking shooting yourself in the foot by having root by default. I understand (somewhat) the security model and I find it smart to not have it by default. Also Android uses selinux more than your standard linux distro does. There are some differences in the security models between android and pc linux distro.
I'm really hapoy that AOSP exists. Also pretty happy with the LOS project. My problem is with the outdated blobs. Maybe I'll get a Pixel at some point and give GrapheneOS a go. Seems like a really nice project.
Managed to get hardened malloc + Vanadium on LOS atm and I'm liking the browser. Overall I think AOSP is a great project. Not a fan of google's privacy policy but they do make great stuff.
quark23 said:
I understand that you are building with Magisk included in the hashtree. What I am wondering is what exactly are you wanting root for? What are you doing with root that does not break the hashtree?
Click to expand...
Click to collapse
Ah, there lies the real question. I am including in my personal builds a Debian Linux chroot that gets extracted to /data/ so I can run Linux services, etc. I have customized the chroot with Openvpn so that it connects to my server and essentially allows me back into device wherever it may lay. Basically I am adding in the stuff of nightmares that all this security is supposed to prevent. That is why I want dm-verity, because I know I am leaving my self partially open by doing so. I have a decent understanding of dm-verity and have confirmed that it does and will protect me against the scenarios I imagine. BTW it operates completely differently in locked state vs. unlocked.
quark23 said:
Regarding the data collection, you lost me. What exactly is being collected on a LOS userbuild without google services?
Click to expand...
Click to collapse
Well, if you're the type of person who doesn't require Google Play Services, nothing of course. I was merely stating that Google had open sourced Android in hopes that manufacturers would adopt the OS and qualify their devices for Google PS so that it could be used as a data collection platform. You won't easily see all the information Google collects in a Wireshark log because it is encrypted of course. LOS better be silent as hell without it or I'd contact that dev with a strongly worded message lmfao.
quark23 said:
Regarding your last point I think it's something akin to risking shooting yourself in the foot by having root by default. I understand (somewhat) the security model and I find it smart to not have it by default. Also Android uses selinux more than your standard linux distro does. There are some differences in the security models between android and pc linux distro.
Click to expand...
Click to collapse
Oh I DO NOT think it should just be enabled by default. If I had my way it would be enabled in dev ops requiring authentication and protected via a different password than the one you use to unlock the device once setup. You'd also require those "root" privileges to OEM unlock once enabled. While those features were enabled you'd be warned on boot as well but without locking you out of apps etc because that kind of sensitive data should be handled by TEE and TZ. In a real Linux operating system that hasn't been fundamentally raped to offer a false sense of security in the name of protecting carriers and manufactures you can modify SE linux policies etc, not while live but without compiling from source. A lot of us forget most these security features exist more to protect their interest and attempt to hide what's going on behind the scenes. I've actually heard of some pretty shady stories where manufacturers in China place ad-tappers that run in background on devices running GooglePS to be sold in US, so it definitely doesn't protect you if the person building your phone is shade.
quark23 said:
I'm really hapy that AOSP exists. Also pretty happy with the LOS project. My problem is with the outdated blobs. Maybe I'll get a Pixel at some point and give GrapheneOS a go. Seems like a really nice project.
Managed to get hardened malloc + Vanadium on LOS atm and I'm liking the browser. Overall I think AOSP is a great project. Not a fan of google's privacy policy but they do make great stuff.
Click to expand...
Click to collapse
Me too mate. . AOSP has taught me a lot about development and coding in general. Sadly outdated blobs are a usually a by-product of using pre-builts from manufacturers that don't update as often. Pixel would be way to go if that's a concern. I honestly just think a lot of the security is abused to suit their needs. I am just trying to turn it around to work for me where it can.
If you repo sync you should run the vendor files script as there's a couple of new files added. The Muppets github has been updated with them as well. If you don't your build will fail at first power on.
A quick question, forgive me if this is obvious: am I correct in assuming that one the above has been completed and the device is using a locally-built copy of Lineage OS, that I cannot take advantage of OTA updates? I just want to know what I'm getting in to before wiping my phone multiple times.
Thanks in advance, this thread is massively helpful.
nictabor said:
A quick question, forgive me if this is obvious: am I correct in assuming that one the above has been completed and the device is using a locally-built copy of Lineage OS, that I cannot take advantage of OTA updates? I just want to know what I'm getting in to before wiping my phone multiple times.
Thanks in advance, this thread is massively helpful.
Click to expand...
Click to collapse
Correct, though if you setup your own update server you can still use the inbuilt updater app if you want.
I just happened across this thread searching for a proper way to generate the custom avb key. I thought i had found it at one time on aosp documentation but i lost/forgot where it was.
Anyways, I have a quick q about this. Would I be correct in assuming that if i wanted gapps to be available in my build, I would need to include it during build time and not be able to flash it as per the typical methods?
I am pretty sure I won't be able to but wanted to ask here for you guys' experiences.
Also, @WhitbyGreg you should be able to i believe. just setup the url properly and host it somewhere with direct download links. (This also requires setup of json for the updater to monitor for updates)
klabit87 said:
Would I be correct in assuming that if i wanted gapps to be available in my build, I would need to include it during build time and not be able to flash it as per the typical methods?
Click to expand...
Click to collapse
Correct (at least as far as I know), once the bootloader is relocked any modification of the system partition (like adding the play services) would trigger an AVB failure.

[Guide] Working Google Pay on Redmi K30 Ultra

After lots of people here and on Reddit asked me to make a guide, here it is.
DISCLAIMER: DO AT YOUR OWN RISK. YOUR DEVICE MAY BRICK. I AM NOT A DEVELOPER, JUST A TECH NOOB WHO WANTED TO MAKE GOOGLE PAY WORK ON HIS PHONE.
Although the main point of this guide is making Google Pay work, a byproduct of going through it seems to be a better performing and more stable system (at least this is my subjective experience).
If anybody notices any mistakes or misunderstandings on my part, please post it so i can correct/update!
Step 0: Delete ANY kind of Password or Protection from your phone. I had multiple instances of TWRP not being able to decrypt my phone data because of a wrong password. I have no idea why and assume that this won't happen with no password set up.
Step 1: Set Up an Xiaomi account on your phone and start the process of unlocking it in Developer Settings. During this process, you have to download the Unlock Tool and probably have to wait around 10 days.
Step 2: Download this and unzip it. Also Download GApps Pico from here.
Step 3: Install TWRP via ADB as it is descripted here. Use the "recovery.img" you downloaded in Step 2.
Step 4: Boot into TWRP and change the language to English. Then make a backup and safe it on your PC by pressing "Mount" and then "Mount USB Storage". Move the files "Magisk-v20.4.zip", "K30U-去vbmeta校验.zip" and "open_gapps-arm64-10.0-pico-20201014.zip" you downloaded in Step 2 to your phones storage.
Step 5: Wipe your device by clicking on "Wipe" and swipe to "Reset". Then flash both "Magisk-v20.4.zip" and "K30U-去vbmeta校验.zip" by clicking on "Install", selecting those files and swiping to flash them. You MUST flash both of them or your device may brick.
// At this point you might be able to do what I describe in Step 6 by using Advanced/FileManager without ever leaving TWRP. This would speed up the process but its a bit more messy and for me sometimes it works to deletes System Data and sometimes it doesn't. I have no clue why and if you're up to messing around with it you probably know that you can and if you don't know its probably best to go straight to Step 6//
Step 6: Boot into system and rush throug config since we are going to reset the system again in Step 7. Download and install the newest version of MiXplorer or any File Explorer with Root Access and navigate to root/system/data-app. Unfortunately this is the part where i can't exactly tell you what to delete since its already gone on my device. I deleted around 5 apps and I remember they were among the first 10 apps listen. The apps I still have there are the following: Calculater, CleanMaster, com.zhihu.xyz, Email, GameCenter, Huanji, MiDrive, etc. so you can find out which ones to delete (please post the names of those you deleted here if you can so i can update this very messy Step 6). Importantly, you need about 200MB free space, you can see this in MiXplorer.
Step 7: Reboot into TWRP and repeat Step 5. After that, flash "open_gapps-arm64-10.0-pico-20201014.zip". Boot into System.
Step 8: You should be greeted by a friendly Google Setup instead of the Xiaomi one. Yay! Set the phone up and download GBoard, a Terminal app and GPay from the Play Store. Launch Magisk and Update the Manager, but do NOT update to Magisk 21.0, the phone can't handle it. Enable Magisk Hide and add all Google stuff to hide. Also hide the Magisk Manager. You should already pass the google Safety Net, but there is something left to do to use GooglePay.
Step 9: Download the Magisk Module MagiskHide Props and both change your fingerprint and force basic key attestation to "Redmi K30 Pro" inside your Terminal app by typing "props". Other fingerprints probably work, too. If you need more help, look here. Reboot.
Step 10: Open GPay and set it up. It should say "Hold to read" Go to settings/Connection&Sharing and change you default wallet to "Use HCE Wallet". Go to Tap&Pay and select Google Pay as default wallet.
Voila! It should work now.
Bonus step for a nice system: Deinstall as much Bloat as you can/want normally and with this tool. The rest, which you can't deinstall, deactivate with the tool.
Credits and Mentions:
@zgfg for the huge support figuring MagiskHide out and helping me with stuff that is way too complicated for me and way too easy for you.
@Didgeridoohan for making MagiskHide Props and helping out!
@JaboJG for helping me out a alot early and making me aware of the custom TWRP and Magisk for the K30U
@Prprdog for making a Custom ROM guide that mentioned Gapps Pico and that it makes GPay work.
@nikitos2323 for making me aware of the guide
Great work @Mirardt ! We should now be 1 step closer to a K30 Ultra forum
JaboJG said:
Great work @Mirardt ! We should now be 1 step closer to a K30 Ultra forum
Click to expand...
Click to collapse
Thank you! Yes, that would be great.
You might also want to try this magisk module to systemlessly (in easier terms reversibly) debloat apps
[MODULE][Terminal] Debloater v17.3.2 - Debloat Systemlessly!
Mirardt said:
After lots of people here and on Reddit asked me to make a guide, here it is.
DISCLAIMER: DO AT YOUR OWN RISK. YOUR DEVICE MAY BRICK. I AM NOT A DEVELOPER, JUST A TECH NOOB WHO WANTED TO MAKE GOOGLE PAY WORK ON HIS PHONE.
Although the main point of this guide is making Google Pay work, a byproduct of going through it seems to be a better performing and more stable system (at least this is my subjective experience).
If anybody notices any mistakes or misunderstandings on my part, please post it so i can correct/update!
Step 0: Delete ANY kind of Password or Protection from your phone. I had multiple instances of TWRP not being able to decrypt my phone data because of a wrong password. I have no idea why and assume that this won't happen with no password set up.
Step 1: Set Up an Xiaomi account on your phone and start the process of unlocking it in Developer Settings. During this process, you have to download the Unlock Tool and probably have to wait around 10 days.
Step 2: Download this and unzip it. Also Download GApps Pico from here.
Step 3: Install TWRP via ADB as it is descripted here. Use the "recovery.img" you downloaded in Step 2.
Step 4: Boot into TWRP and change the language to English. Then make a backup and safe it on your PC by pressing "Mount" and then "Mount USB Storage". Move the files "Magisk-v20.4.zip", "K30U-去vbmeta校验.zip" and "open_gapps-arm64-10.0-pico-20201014.zip" you downloaded in Step 2 to your phones storage.
Step 5: Wipe your device by clicking on "Wipe" and swipe to "Reset". Then flash both "Magisk-v20.4.zip" and "K30U-去vbmeta校验.zip" by clicking on "Install", selecting those files and swiping to flash them. You MUST flash both of them or your device may brick.
// At this point you might be able to do what I describe in Step 6 by using Advanced/FileManager without ever leaving TWRP. This would speed up the process but its a bit more messy and for me sometimes it works to deletes System Data and sometimes it doesn't. I have no clue why and if you're up to messing around with it you probably know that you can and if you don't know its probably best to go straight to Step 6//
Step 6: Boot into system and rush throug config since we are going to reset the system again in Step 7. Download and install the newest version of MiXplorer or any File Explorer with Root Access and navigate to root/system/data-app. Unfortunately this is the part where i can't exactly tell you what to delete since its already gone on my device. I deleted around 5 apps and I remember they were among the first 10 apps listen. The apps I still have there are the following: Calculater, CleanMaster, com.zhihu.xyz, Email, GameCenter, Huanji, MiDrive, etc. so you can find out which ones to delete (please post the names of those you deleted here if you can so i can update this very messy Step 6). Importantly, you need about 200MB free space, you can see this in MiXplorer.
Step 7: Reboot into TWRP and repeat Step 5. After that, flash "open_gapps-arm64-10.0-pico-20201014.zip". Boot into System.
Step 8: You should be greeted by a friendly Google Setup instead of the Xiaomi one. Yay! Set the phone up and download GBoard, a Terminal app and GPay from the Play Store. Launch Magisk and Update the Manager, but do NOT update to Magisk 21.0, the phone can't handle it. Enable Magisk Hide and add all Google stuff to hide. Also hide the Magisk Manager. You should already pass the google Safety Net, but there is something left to do to use GooglePay.
Step 9: Download the Magisk Module MagiskHide Props and both change your fingerprint and force basic key attestation to "Redmi K30 Pro" inside your Terminal app by typing "props". Other fingerprints probably work, too. If you need more help, look here. Reboot.
Step 10: Open GPay and set it up. It should say "Hold to read" Go to settings/Connection&Sharing and change you default wallet to "Use HCE Wallet". Go to Tap&Pay and select Google Pay as default wallet.
Voila! It should work now.
Bonus step for a nice system: Deinstall as much Bloat as you can/want normally and with this tool. The rest, which you can't deinstall, deactivate with the tool.
Credits and Mentions:
@zgfg for the huge support figuring MagiskHide out and helping me with stuff that is way too complicated for me and way too easy for you.
@Didgeridoohan for making MagiskHide Props and helping out!
@JaboJG for helping me out a alot early and making me aware of the custom TWRP and Magisk for the K30U
@Prprdog for making a Custom ROM guide that mentioned Gapps Pico and that it makes GPay work.
@nikitos2323 for making me aware of the guide
Click to expand...
Click to collapse
Thanks a lot man, and with the source that xiaomi provided, in no time we will get loads of roms for dis device.
Finally i'm leaving my Z2plus more than 4 years with it. But memory is a ***** and for me at least 4gb is not so good as i was 3 years ago to do some suff.
So if anyone that will make a rom for this i can help with my brain and some donations
I use 一键线刷REC.bat then get into Twrp, and install but can't see the folder name correctly all show亂碼 and i can't find the GAPPS.zip file that i put ,I just want to install google play not googld pay.so can I just install Gapps is ok?
i keep getting error 70 , looks like this thread is dead now tho :/ nvm i see the step i missed , idk why is didnt have to remove apps from data-app the 1st time but i got it.

Magisk help (please!)

Hi guys,
new here and went through quite a few threads on Magisk before posting.
Situation is as follows:
- got my Xiaomi Mi 11 Ultra from Aliexpress a few days ago.
- the seller unlocked the bootloader and instealled global ROM instead of the original Chineese ROM.
- the phone works fine, but Google Wallet would not allow me to add any of my credit/debit cards for contactless payments showing the usual "Your phone doesn't meet security requirements"
- NETFLIX wouldn't work.
- Quite a few of my banking apps work fine, including HSBC bank, Paypal, Revolut, IG Index and some others as well.
The obvious solution is to go ahead with Magisk Hide (or what's currently available instead as Hide module is phased out as far as I understand).
Now, I'm really new to all this (have rooted a couple of phones/tablets a few years back) and have a few questions:
1. I was going through the process of installing Magisk on my phone, folloing the instructions here: https://www.xda-developers.com/how-to-install-magisk/?newsletter_popup=1
So according to this, I'm supposed to find a boot.img file in the ROM archive as far as I understand, but my issue is that I don't have the installed ROM details or data as it wasn't me who installed the ROM in the first place.
Is there any way to find out what ROM is installed and perhaps I could download the package and get the boot.img file from there? (ramdisk parameter show YES)
2. I will be installing ADB on my computer to be able to install Magisk as per the following instructions: https://www.xda-developers.com/install-adb-windows-macos-linux/
is there anything else I'd need?
3. Lastly, there is a bunch of good tutorials on your tube on how to use the latest Magysk + shamiko module etc. If someone knows a really good one, I would appreicate if you could post it
Would really appreciate any other feedback etc for a person who is completely new to this
Thank you very much!
I'm not sure how to completely proceed as I am totally unfamiliar with Xiaomi, but I had a couple of ideas...
Kotofeus said:
- the seller unlocked the bootloader and instealled global ROM instead of the original Chineese ROM.
The obvious solution is to go ahead with Magisk Hide (or what's currently available instead as Hide module is phased out as far as I understand).
Now, I'm really new to all this (have rooted a couple of phones/tablets a few years back) and have a few questions:
1. I was going through the process of installing Magisk on my phone, folloing the instructions here: https://www.xda-developers.com/how-to-install-magisk/?newsletter_popup=1
So according to this, I'm supposed to find a boot.img file in the ROM archive as far as I understand, but my issue is that I don't have the installed ROM details or data as it wasn't me who installed the ROM in the first place.
Click to expand...
Click to collapse
I imagine you can find exactly what ROM you are using in the Settings -> "About Phone" or something similar; Probably under something like "Android version" or "Build number". You can google search (most likely by build number or something similar) and find the Factory image needed to flash/install the ROM. Once you download that specific ROM installation file (most likely a .zip file), you should be able to extract it (or go inside the zipped file and extract the specific boot.img file) to be able to patch it in Magisk.
Kotofeus said:
2. I will be installing ADB on my computer to be able to install Magisk as per the following instructions: https://www.xda-developers.com/install-adb-windows-macos-linux/
is there anything else I'd need?
Click to expand...
Click to collapse
Best place to get the adb (and you'll also need fastboot.exe so you'll also get it from) is from the Platform Tools from Google's developer's site here: https://developer.android.com/studio/releases/platform-tools
I'm unsure (but I doubt) if Xiaomi Mi 11 Ultra has 2 slots (A and B), but if it does, don't download the latest version of platform tools but version r33.0.3 because any version r34.0.0 and above has a known bug that will wreck devices with 2 slots (namely Google Pixels).
Anything else you'd need is to be sure to have USB debugging enabled and the proper Google USB drivers installed on your computer (there are Windows, Mac, and Linux drivers that can be installed).
Kotofeus said:
3. Lastly, there is a bunch of good tutorials on your tube on how to use the latest Magysk + shamiko module etc. If someone knows a really good one, I would appreicate if you could post it
Click to expand...
Click to collapse
There are a number of root hide methods that hide root from Netflix and Google Wallet. One usually starts with using Magisk and Zygisk Denylist and making sure that Wallet, Netflix, Google Play Services, Google Play Store, Google Play Protect, and Google Service Framework are all "ticked" with all their sub-selections ticked as well. Also, be aware that after implementing any/all of these, usually clearing all these Google services data and cache is required & a reboot of the device is a must, but re-entering your cards will also be required as well; as well as signing back into some Google services. Then, if all that doesn't work, there's Universal SafetyNet Fix -- or even Displax's Mod branch if the official USNF isn't enough. Then also any of the further root hiding methods; Shamiko, Magisk Delta, HideMyApp, etc..
Kotofeus said:
Would really appreciate any other feedback etc for a person who is completely new to this
Thank you very much!
Click to expand...
Click to collapse
Again, I'm coming only from Pixels and have absolutely no experience with Xiaomi and I can't be sure any of these will apply since you have a "custom" ROM (sort of) so things might not be as usual. These are just general dealings with Magisk and Android OS as I know them... But you state that you are "completely new to this", so I'm just trying to cover all the bases as much as I can, even if you would be already knowledgeable of them. If anything, these can be taken as just ideas and/or pointing to a direction that might work...
simplepinoi177 said:
I'm not sure how to completely proceed as I am totally unfamiliar with Xiaomi, but I had a couple of ideas...
I imagine you can find exactly what ROM you are using in the Settings -> "About Phone" or something similar; Probably under something like "Android version" or "Build number". You can google search (most likely by build number or something similar) and find the Factory image needed to flash/install the ROM. Once you download that specific ROM installation file (most likely a .zip file), you should be able to extract it (or go inside the zipped file and extract the specific boot.img file) to be able to patch it in Magisk.
Best place to get the adb (and you'll also need fastboot.exe so you'll also get it from) is from the Platform Tools from Google's developer's site here: https://developer.android.com/studio/releases/platform-tools
I'm unsure (but I doubt) if Xiaomi Mi 11 Ultra has 2 slots (A and B), but if it does, don't download the latest version of platform tools but version r33.0.3 because any version r34.0.0 and above has a known bug that will wreck devices with 2 slots (namely Google Pixels).
Anything else you'd need is to be sure to have USB debugging enabled and the proper Google USB drivers installed on your computer (there are Windows, Mac, and Linux drivers that can be installed).
There are a number of root hide methods that hide root from Netflix and Google Wallet. One usually starts with using Magisk and Zygisk Denylist and making sure that Wallet, Netflix, Google Play Services, Google Play Store, Google Play Protect, and Google Service Framework are all "ticked" with all their sub-selections ticked as well. Also, be aware that after implementing any/all of these, usually clearing all these Google services data and cache is required & a reboot of the device is a must, but re-entering your cards will also be required as well; as well as signing back into some Google services. Then, if all that doesn't work, there's Universal SafetyNet Fix -- or even Displax's Mod branch if the official USNF isn't enough. Then also any of the further root hiding methods; Shamiko, Magisk Delta, HideMyApp, etc..
Again, I'm coming only from Pixels and have absolutely no experience with Xiaomi and I can't be sure any of these will apply since you have a "custom" ROM (sort of) so things might not be as usual. These are just general dealings with Magisk and Android OS as I know them... But you state that you are "completely new to this", so I'm just trying to cover all the bases as much as I can, even if you would be already knowledgeable of them. If anything, these can be taken as just ideas and/or pointing to a direction that might work...
Click to expand...
Click to collapse
Thank you very much for taking time and going through all my queries, really appreicate it!
I started losing hope really as looked through a number of vide tutorials involving installing magisk via custom recovery, which would mean I needed to install a custom recovery first... so this was becoming a bit of a Russian Doll thing and a never ending quest.
Looked at "Detailed info and specs" on my phone and I have:
Baseband version
Kernel Version
I presume I can search by Kernel Version to find the ROM - will try that.
If I can't find the ROM, than the only way is to try and install custom recovery, download Magisk apk, rename it into zip, get into custom recovery mode and try to flash the zip file. Saw a few tutorials on youtube like that and it looked fairly straightforward, however not sure how easy or difficult it would be to install a custom recovery like TWRP on this phone.
I also looked through a tutorial of using Magisk with Zygisk and Denylist and again, looked pretty straightforward, but Magisk needs to be properly installed of course.
Yes, thank you - I understand that you need to clear cash and re-enter the cards once again, that would have been the least of my troubles.
Will try to search that kernel number on google once I have a moment and see if I get any luck.
Will also reasearch on how to install TWRP. If that's easier than I may go with that option instead of extracting and patching the boot.img
Kotofeus said:
Looked at "Detailed info and specs" on my phone and I have:
Baseband version
Kernel Version
I presume I can search by Kernel Version to find the ROM - will try that.
Click to expand...
Click to collapse
You can't find what MIUI version you have? That's all you basically need...
From a small bit of research, you state you are on a "global ROM" of a Xiaomi Mi 11 Ultra, which should just be a "global" version of the MIUI. You just need to find the MIUI global version and extract it (boot.ini) from the firmware update file. Once you find the version, you could search and find the firmware update file in places like here: https://xiaomirom.com/en/rom/mi-11-pro-ultra-11-ultra-star-global-fastboot-recovery-rom/ or other sites I imagine.
It's just important that you get the exact right version of the MIUI Global ROM you are currently running as patching and flashing a boot.ini of a different version could soft-brick/bootloop your device....

Categories

Resources