Security issues surounding bootloader unlocking and installing custom recovery - OnePlus 3T Questions & Answers
Given the situation that I needed to unlock bootloader and install TWRP inorder to be able to do full image backup (i.e. Nandroid), I have been wondering what are the underlying security issues to be faced after unlocking and installing TWRP (without moving onto root) in a specific situation where the device is lost or stolen?
Lets say if I am on stock OOS with encryption enabled + Fingerprint and password/pin set on lock screen + USB debugging disabled + locked bootloader + stock recovery, in the unfortunate event where my device were to get lost or stolen, I can expect my personal data to be safe from prying eyes since the person who has gotten a hold of my phone will have to do a factory reset to get into the phone or unlock bootloader which all meant my personal data will be wipe. So that's a good outcome in an unfortunate one.
But let's say if now I were to (i) unlock my bootloader and (ii) install TWRP (but retaining it as read only without system modification), (iii) restore all app, data and settings, and go on to (iv) perform a nandroid backup. And after that, proceed to (v) disable USB debugging and (vi) re-enable encryption and (vii) set fingerprint and password on lock screen. And I shall stopped there without rooting or flashing dm verity. Can I still expect my personal data to be safe from prying eyes in the event of lost or stolen? Meaning that whoever gets a hold of my device will likewise need to wipe it clean before he/she is able to use it? Is this the case or can the person access my data using some hacks now that the device runs custom recovery?
An interesting guide I had came across contained various means of accessing personal data (read - https://forum.xda-developers.com/showthread.php?t=2620456) by bypassing android password, patterns, etc set on the locked screen, and some methods required USB debugging to be enabled while some required custom recovery installed.
To be sure if I am still able to protect my personal data when device is stolen/lost with an unlocked/TWRP installed device, my curiosity took me on an investigative path using an old Samsung Note 3 to unlock bootloader and install TWRP, then proceed to enable encryption and disable USB debugging and set lockscreen password. And now for the next couple of days where I can find free time, I will try out all 7 methods to see if an unlocked Note3 with TWRP is susceptible to these security compromise. I will come back to this thread later to update my findings.
I really welcome any information or inputs too!
To summarize, the state of my old Note 3 used in this investigation is as follows:
1) Bootloader unlocked
2) TWRP (3.0.2) installed as "read only" without system modification
3) ROM (CM13) encryption enabled
4) Locked screen password set
5) Device not rooted
6) USB debugging disabled
When I boot into TWRP, I realized that even if I set it to read only, any person who has gotten hold of my device can set it to system modification since TWRP is not password or pin protected. Therefore setting to "read only" is sort of irrelevant in this investigation to find out how vulnerable the device is right now.
The second thing I realized, is TWRP will ask me for android password to mount my internal sdcard since my ROM is encryption enabled. This is a good thing, since in this case TWRP internal file manager will not be able to access my device internal sdcard containing some of my personal data.
The 1st method I tried is:
METHOD I
Solution For Everyone With Recovery (Cwm, Twrp, Xrec,Etc...) Installed:
INSTRUCTIONS:
1. Download this zip Pattern Password Disable (Download from attachments) on to your sdcard (using your PC, as you cant get into your phone, right )
2. Insert the sdcard into your phone
3. Reboot into recovery mode
4. Flash the zip
5. Reboot
6. Done!
Note : If You See The Gesture Pattern Grid Or Password After Restarting, Don't Worry. Just Try Any Random Pattern Or Password And it Should Unlock.
The steps I took:
A) Set TWRP to system modification
B) When TWRP asked me for password to mount partition, I choose "cancel" since I am trying to imitate the person who has gotten hold of my device won't be able to guess my password
C) Flashed the pattern password disable zip file
And voila!... my password on locked screen is still intact. Meaning that entering any random password does not gain access into android. Only the original password can.
Good news certainly. Don't know why this hack doesn't work, probably it is outdated or probably due to my system is still encrypted when I flashed the hack zip file.
As to the 2nd method, I didn't try out as I don't know how to use Cygwin...
METHOD 2
Solution For Everyone Without Recovery Installed - ADB :
What You Need:
=>A computer running a Linux distro or Windows+Cygwin
=>USB cable to connect your phone to the PC
=>Adb installed
How to install adb:
1. Open Terminal
2. Type:
Code:
sudo apt-get install android-tools-adb
Hit [Enter]
3. Follow the instructions until everything is installed.
INSTRUCTIONS:
1. Connect you (turned on) Phone to the Computer via USB.
2. Open a terminal window.
3. Type:
Code:
adb devices
adb shell
cd data/system
su
rm *.key
4. Done...Now You Just Have To Reboot.
Note : If You See The Gesture Pattern Grid Or Password After Restarting, Don't Worry. Just Try Any Random Pattern Or Password And it Should Unlock.
Method 3 is irrelevant to this investigation therefore it has been omitted.
METHOD 3
Solution For Everyone Before Lock Accident :
SMS Bypass - Download Link - Install It On Your Device (Download from attachments)
This App Allows You To Remotely Bypass Your Phone's Screen Lock By Sending A SMS.
It Removes Your Gesture Pattern Or Password After Receiving A Preset Keyword Along With A Secret Code Via SMS.
SMS Bypass App Requires Root.
INSTRUCTIONS:
1.First, make sure you give permanent root access to the app.
2.Change the secret code to your preferred choice. The default password is : 1234
3.To reset your screen lock, send the following message from another phone:
Code:
secret_code reset
Example:
Code:
1234 reset
Note 1 : There is a space between your secret code and reset. Also the secret code is case sensitive.
Note 2 : There is an option available to change the preset keyword. Default is : reset - Your phone will restart and your lock screen will be reset.
Note 3 : If You See The Gesture Pattern Grid Or Password After Restarting, Don't Worry. Just Try Any Random Pattern Or Password And it Should Unlock.
Given that method 5 is in fact similar to method 2 therefore it has been omitted as well.
METHOD 5
Solution For Everyone Via Adb - File Removal :
INSTRUCTIONS:
=>Type This Command In Your Terminal (CMD Prompt) :
Code:
adb shell rm /data/system/gesture.key
Note : If You See The Gesture Pattern Grid Or Password After Restarting, Don't Worry. Just Try Any Random Pattern Or Password And it Should Unlock.
Method 6 will not work since that hack required USB debugging to be enabled.
METHOD 6
Solution For Everyone With USB Debugging Enabled :
INSTRUCTIONS:
Primary Step for all method:
Download & Extract to anywhere - Bypass Security Hack (Download from attachments)
Open SQLite Database Browser 2.0.exe in SQLite Database Browser.
Run pull settings.db.cmd inside By-pass security Hacks folder to pull out the setting file out of your phone.
Drag settings.db and drop to SQLite Database Browser 2.0.exe program.
Navigate to Browse data tab, At table there, click to list down the selection & selete secure
Instruction To Remove Pattern Lock:
Now, find lock_pattern_autolock, Delete Record
Close & save database
Run push settings.db.cmd and reboot your phone
Instruction To Remove PIN Lock:
Now, Find Or Create lockscreen.password_type, double-click & change it's value to 65536, Apply changes!
Now, find lock_pattern_autolock, Delete Record, If doesn't exist, Ignore
Close & save database
Run push settings.db.cmd and reboot your phone
Instruction To Remove Password Lock:
Now, find lockscreen.password_salt, Delete Record
Now, find lockscreen.password_type, Delete Record
Close & save database
Run push settings.db.cmd and reboot your phone
Note : If You See The Gesture Pattern Grid Or Password After Restarting, Don't Worry. Just Try Any Random Pattern Or Password And it Should Unlock.
I then tried out method 7 using the Aroma file manager however all these 3 versions (Version 2.00 [BETA1]- KACAPI, aromafm-1.91, and aromafm-1.90) does not open up after flashing the zip with system modification enabled on TWRP. Mostly likely these outdated versions of the Aroma file manager are not supported by the latest version of TWRP (3.0.2) since the developers have ceased all work related to it.
METHOD 7
Solution For Everyone With Recovery Installed :
INSTRUCTIONS:
1.Download and Copy Aroma File manager.zip (Download from attachments or http://forum.xda-developers.com/show....php?t=1646108) to your memory card.
2. Open your recovery (press volume Down + Power button or it can be different according to the phones. Generally the phones who have press able button on the middle they have to press all three buttons. Google for you pattern there are lots)
3. There’ll b an option in recovery called “mount”. Go in that option and then mount all the cache and everything it is there.
4. Then select “update” and select “apply update from SD/external” and select aroma file manger.zip file that you downloaded using above QR code above.
5. After Flashing or updating, the aroma file manger will open. Use volume keys for up/down and power button 2 select like you use to get into recovery.
6. In aroma File manager , Go to menu , which is located in bottom strip and then select Settings.
7. Go to bottom n select “mount all partition in startup ” then exit from aroma file manger.
8. Now after exit , re-update that aroma file again and it will open again.
9. Go to data >> and then System.
Then find ‘gesture.key’ (for pattern lock) and ’password.key’ (for password lock) then long touch on gesture.key or password.key and sum option will be prompted , choose delete and delete that file and restart.
Note : If You See The Gesture Pattern Grid Or Password After Restarting, Don't Worry. Just Try Any Random Pattern Or Password And it Should Unlock.
And now onto the last method which is method 4 using SQL command. After starting adb daemon, adb devices are not found and hence the following steps could not be taken. I think this could be due to the device having USB debugging disabled. Hmmm...
METHOD 4
Solution For Everyone Via Adb - SQL Command :
INSTRUCTIONS:
=>Type This Commands Separated In Your Terminal (CMD Prompt) :
Code:
adb shell
cd /data/data/com.android.providers.settings/databases
sqlite3 settings.db
update system set value=0 where name='lock_pattern_autolock';
update system set value=0 where name='lockscreen.lockedoutpermanently';
.quit
=>Now You Just Have To Reboot.
Note : If You See The Gesture Pattern Grid Or Password After Restarting, Don't Worry. Just Try Any Random Pattern Or Password And it Should Unlock.
After going through all these methods, I am inclined to think that personal data is still protected in an unlocked/TWRP installed device as long as USB debugging is DISABLED and ROM is encrypted and fingerprint/password set on lock screen. What do you think?
As long as your data is encrypted, it is safe and not accessible to any 3rd party.
But with an unlocked bootloader, you are open to a new forms of attacks like:
1. someone could steal your phone, modify your system to leak your data / password and then return it to you. Since dm-verity is OFF, you will not know, that your system is compromised.
2. someone could use a remote exploits (to launch his code and gain root privileges) to modify your system and leak your data / password and since dm-verity is OFF, you will not know, that your system is compromised.
+ with the unlocked bootloader, FRP is not working, so a thief can just reset your phone and sell it.
If your data security is a huge concern to you, DO NOT unlock the bootloader.
If you are a potential target to a hacker attacks, DO NOT use a OnePlus phone. Get a Nexus 6P or a Pixel.
Also make sure, that your apps are not leaking your data. Apps with a storage permission and access to the internet could leak your data.
Michalko5896 said:
As long as your data is encrypted, it is safe and not accessible to any 3rd party.
But with an unlocked bootloader, you are open to a new forms of attacks like:
1. someone could steal your phone, modify your system to leak your data / password and then return it to you. Since dm-verity is OFF, you will not know, that your system is compromised.
Click to expand...
Click to collapse
Many thanks for your response! This is very useful information to me.
Am I right to assume that even if my device is unlocked but with encryption enabled and no root, the person who has gotten hold of my phone will still be able to flash "dm-verity and forced encryption disabler" zip and supersu zip files to root my device in TWRP even when he fails to enter the password prompted by TWRP?
And this force encryption disabler as the name suggest only disable force encryption and it does not decrypt my already encrypted personal data? Which means he still does not have access to my data and after he had done the system modification and returns the phone back to me, the first thing I should do is to wipe clean every partition and restore back my nandroid which would consist of backups to all partitions. So it seems this is an acceptable risk all for the convenience of performing nandroid backup via the unlock/TWRP route.
2. someone could use a remote exploits (to launch his code and gain root privileges) to modify your system and leak your data / password and since dm-verity is OFF, you will not know, that your system is compromised.
+ with the unlocked bootloader, FRP is not working, so a thief can just reset your phone and sell it.
If your data security is a huge concern to you, DO NOT unlock the bootloader.
If you are a potential target to a hacker attacks, DO NOT use a OnePlus phone. Get a Nexus 6P or a Pixel.
Also make sure, that your apps are not leaking your data. Apps with a storage permission and access to the internet could leak your data.
Click to expand...
Click to collapse
Very good point here. May I ask in what ways are Nexus 6P and Pixel more secure than Oneplus? Pixel seemed quite an attractive phone.
I am on OOS 3.5.3, is there anyway to find out what apps have access to internet and restrict that?
The app permission section of settings only allows changing permission to storage (among others) but I couldn't find any internet access permission.
The main security risk is that it allows anyone to flash something harmful without you knowing on to your system. Your data may be encrypted and protected but they can still flash something onto another partition.
You could be happily using your phone unaware there's a rogue app capturing and sending data to someone.
Zegnalabel said:
Many thanks for your response! This is very useful information to me.
Am I right to assume that even if my device is unlocked but with encryption enabled and no root, the person who has gotten hold of my phone will still be able to flash "dm-verity and forced encryption disabler" zip and supersu zip files to root my device in TWRP even when he fails to enter the password prompted by TWRP?
And this force encryption disabler as the name suggest only disable force encryption and it does not decrypt my already encrypted personal data? Which means he still does not have access to my data and after he had done the system modification and returns the phone back to me, the first thing I should do is to wipe clean every partition and restore back my nandroid which would consist of backups to all partitions. So it seems this is an acceptable risk all for the convenience of performing nandroid backup via the unlock/TWRP route.
Very good point here. May I ask in what ways are Nexus 6P and Pixel more secure than Oneplus? Pixel seemed quite an attractive phone.
I am on OOS 3.5.3, is there anyway to find out what apps have access to internet and restrict that?
The app permission section of settings only allows changing permission to storage (among others) but I couldn't find any internet access permission.
Click to expand...
Click to collapse
Your data is safe, it can't be decrypted, even with an unlocked bootloader And yes, if you wipe every partition, lock the bootloader and got no dm-verity error, after your stolen phone was returned to you, you should be safe.
Both Nexus 6P and Pixel are much safer than OnePlus, because they are getting a complete security patches every month. OnePlus is getting an imcomplete security patches and much later after their release.
You can limit access to internet via app settings. Open "about app", data usage and there you can turn off both access to wifi and mobile data.
Upgrade to OOS 4.0, it cointains important security patches and enhancements.
Michalko5896 said:
Your data is safe, it can't be decrypted, even with an unlocked bootloader And yes, if you wipe every partition, lock the bootloader and got no dm-verity error, after your stolen phone was returned to you, you should be safe.
Both Nexus 6P and Pixel are much safer than OnePlus, because they are getting a complete security patches every month. OnePlus is getting an imcomplete security patches and much later after their release.
You can limit access to internet via app settings. Open "about app", data usage and there you can turn off both access to wifi and mobile data.
Upgrade to OOS 4.0, it cointains important security patches and enhancements.
Click to expand...
Click to collapse
Thank you so much! Found the data usage setting and updated to 4.0. :laugh:
Michalko5896 said:
As long as your data is encrypted, it is safe and not accessible to any 3rd party.
But with an unlocked bootloader, you are open to a new forms of attacks like:
1. someone could steal your phone, modify your system to leak your data / password and then return it to you. Since dm-verity is OFF, you will not know, that your system is compromised.
2. someone could use a remote exploits (to launch his code and gain root privileges) to modify your system and leak your data / password and since dm-verity is OFF, you will not know, that your system is compromised.
...
Click to expand...
Click to collapse
Quick question, does the latest systemless SuperSU still leave dm-verity OFF ? It was my understanding that using it you don't need to flash the dm-verity-OFF script, is that true?
xclub_101 said:
Quick question, does the latest systemless SuperSU still leave dm-verity OFF ? It was my understanding that using it you don't need to flash the dm-verity-OFF script, is that true?
Click to expand...
Click to collapse
For root, you need to unlock the bootloader. And with the bootloader unlocked, dm-verity is not working and thus attacker could modify your system.
Michalko5896 said:
For root, you need to unlock the bootloader. And with the bootloader unlocked, dm-verity is not working and thus attacker could modify your system.
Click to expand...
Click to collapse
The bootloader being locked/unlocked should have little to do (directly) with dm-verity, dm-verity is only hash-checking the system partition.
That being said after some checking various detailed threads from Chainfire apparently SuperSU is still removing the dm-verity on the system partition since other than rooting in itself most rooted people also tend to touch the system partition with stuff like busybox and so on, so I guess this is it.
xclub_101 said:
The bootloader being locked/unlocked should have little to do (directly) with dm-verity, dm-verity is only hash-checking the system partition.
That being said after some checking various detailed threads from Chainfire apparently SuperSU is still removing the dm-verity on the system partition since other than rooting in itself most rooted people also tend to touch the system partition with stuff like busybox and so on, so I guess this is it.
Click to expand...
Click to collapse
well, google is stating, that unlocking bootloader will turn off the dm-verity.
This is an interesting discussion- I have a Nexus 5X, but I use a custom configuration:
1) locked bootloader
2) verity turned on for the system partition so that I can check the key fingerprint and verify integrity.
3) customized cm recovery - I installed my adb keys so I can connect to it. I also changed the signing keys, so I have to sign any roms that get flashed.
4) encrypted userdata with pattern protection. I think a password would be stronger, but I'm using a larger, complex pattern. Fingerprint unlock is turned on, which has its own attack surface.
I think the fingerprint sensor is the biggest risk. This is mitigated at reboot since the pattern will be required. If I built the recovery properly, the only way to flash anything would be to have access to my signing keys or adb keys. Of course, this is all still vulnerable to any unpatched exploits.
Related
[GUIDE] Dirty flash from lpv to LRX21O
So like many of you who were running the awesome LPV build for the past few months and just recently tried updating to official Lollipop (LRX21O) have likely run into issues on first boot (black screen with only a back button). In this state/issue the phone will respond to "OK Google" but nothing else. The pulldown shade will also be present but show nothing. The issue appears to be related to the lock screen. The following is how I fixed my issue, and I will be looking at this thread to try and update the OP as we pin down the EXACT issue, but I believe I have a fix: NOTE: If you've already updated and are AT the black screen, I hope you have a backup to restore as you'll need to revert to change some settings. If not, you may find flashing the system.img or zip of your old build (LPV) allows you access to your phone again to access these settings. 1. Restore backup or revert if necessary so you can access settings BEFORE flashing LRX21O. 2. Settings-Security-Screen Lock Make sure you have one set other than swipe so you can perform the next step (we will change this back later) 3. Go to "Trust Agents" on the same screen (Security) and turn OFF SmartLock 4. Go back to screen lock, now select SWIPE (or none if present, but I don't believe it's an option on most) 5. (Optional) I chose to both enable USB debugging as well as going into SuperSU (if present) and setting it to grant all requests. I did not need this, however if you're having issues it may help your troubleshooting to have root adb access. 6. With your lock screen set to swipe and smart lock off, now try flashing LRX21O, followed by a custom kernel (or boot.img if you have it) and/or root in that order if you'd like. 7. Upon boot, it SHOULD have resolved the black-screen issue. I did still have the "non-working home button" issue that was quickly resolved by running the setup wizard again with the following command via adb: adb shell am start -n com.google.android.setupwizard/.SetupWizardTestActivity When it asks about restoring backups or setting up as a new device, choose set up as new device. The "Restore" would simply re-download and restore apps that are already installed. "Set up as new device" simply tells setup to do nothing, which is fine, because all your data is already there 8. SDcard Fix (root required): If you have issues seeing SD card content, use these ADB commands below (credit to rootSU here su restorecon -FR /data/media/0 That's IT! You should be set. I love dirty flashing (I know everyone hates it because yes, it does cause a lot more chatter in the forums, but that's half the fun ) and problem solving. Everytime I see someone claiming they fixed a problem by factory resetting I'm thinking "...that's like saying you fixed your car by buying a new car". I hope I this makes other's lives a little easier
Schiziodd's ROM flavors for HTC desire
in the subsequent posts below, you will find all the info you need for not only the device but the ROMs I have had my hands in. each person who I pulled the files from will get a thanks in the posts as necessary
NonSense 1.04 Disclamer: these files are meant specifically for the HTC Desire 510. Use these files at your peril, you assume any responsibility for loss or damage that may result from use of these files or procedures. what has been included in this tutorial is for the HTC Desire 510 You have been warned. note: from now on CRI signifies cricket, and B-S signifies sprint/boost if those signifiers aren't used, it applies to both type of this phone now to the goodies..... List of supplies: 1. Phone (HTC Desire 510) 2. USB cord that syncs with the PC 3. USB drivers installed for the phone 4. the zip files from this location. click here 4.1 there are 2 different versions of the same ROM, but the *1.04-lean.zip is US only (refer to changes to see why). 4.2 CRI for cricket/att, B-S for boost/sprint 5. read these instructions completely before attempting before we get started make sure you have supersu (which can be downloaded from here), and NonSense1.04.zip copied to the root of your external SD card NETWORK UNLOCK (I.E. switching services) as this phone is LTE compatible, it takes a SIM card no matter the service to receive calls and data. so it stands to presume all you need to do is network unlock the device (Sprint calls it UICC unlock, others it's the Network Unlock Code) the phone needs to be network (SIM) unlocked in order to switch it from cricket to sprint, or from sprint to virgin mobile, etc. to network unlock the phone: 1. make sure you are on stock ROM (the one that came with the phone, not the one listed in this post nor CM) 2. call the respective original service provider of the phone (i.e. cricket, sprint, etc.) and tell them that you are leaving the country (like to Australia) and you want to unlock the SIM so you can use your device for service down there. 2.1 if you bought the phone second-hand or don't have service on it, you will have to find a reputable unlock service online 2.2 for sprint customers, your account HAS to be at least 6 months old before they will give you the UICC(SIM unlock) code 2.3 for boost customers, your account HAS to be at least a year before they will give you the UICC(SIM unlock) code 3. once you have the SIM unlock code, pull battery from phone, remove the original SIM, put your services respective SIM in (i.e. originally a cricket phone now running a T-Mobile SIM), put in battery, boot phone, and enter the unlock code where it asks. 4. once your back into device, you'll notice you will have no data. 4.1 what needs to be done is to program the APN (google will be your best friend here - for example sprint lte apn settings, or T-Mobile lte apn settings). 5. now that you have the APN settings, you can program them into the phone. 5.1 APNs can be found in the device by going to settings, then mobile data, clicking on access point names. in there in the upper right hand corner should be 3 dots that are verticle. click on that and then on new APN. 5.2 add the respective settings, click save and then make sure it has a green dot next to it. 6. sit back and enjoy the fruits of your labor APNs for this device can only be written once the phone has been UNLOCKED and the original (cricket) service providers SIM is NOT inserted, and your using another service Provider ( sprint, T-Mobile, etc.) SIM. UNLOCKING BOOTLOADER 1. for the drivers, use the ones contained here in the HTCDrivers.zip and extract them to the desktop 1. extract and use the file contained in adb.zip to flash unlock token 2. follow this tutorial and choose all other supported devicess when it asks about device. INSTALLING TWRP AND KERNEL in the adb file you should notice a file called recovery.img. that is TWRP recovery for the device there is also a file called boot.img. this will allow read/write permissions at the System level once root is obtained if you have either the sprint, boost or another service provider's variety of this phone, try flashing their respective kernel after you install the ROM or before you root (no guarantees that flashing the respective kernel will work. as I have the cricket variety of this phone, I am only developing for that one) 1. from home screen, go to settings and scroll down to power and then scroll all the to the bottom of that and uncheck "fast boot" 2. shut down phone completely 3. go back into fastboot (vol down + power) 4. Select fastboot from the menu list and press the power button. 5. open command prompt and use the CD command to get it to the root of the adb folder (CD C:/users/sky/desktop/adb). 6. plug in device and wait for it to say fastboot USB 7. type in command prompt "fastboot flash recovery recovery.img' (should complete within 4 seconds) 8. in the same command window type "fastboot flash boot boot.img" (should complete within 4 seconds) 8.1 step 8 can be skipped if your just flashing *NonSense1.04*.zip 9. pull battery once that is completed and put it back in. 10. power device on (skip this step if rooting) OBTAINING ROOT (can be skipped if installing NonSense1.04 as it's already rooted) 1. re-enter fastboot mode and choose recovery. press power to select it 2. once in recovery select install and go to external SD and select the supersu update package. 3. once selected, you should see a slider on the bottom of the screen that says swipe to confirm. do so 4. once package is installed you should see a button that says reboot device. do so 5. wait for it to fully load INSTALLING NonSense 1.04 1. re-enter fastboot mode and choose recovery. press power to select it 2. once in recovery select install and go to external SD and select the NonSense1.04.zip. 3. once selected, you should see a slider on the bottom of the screen that says swipe to confirm. do so 3.1 beware, it may take a bit to install. just be patient, it's working. 4. once package is installed you should see a button that says reboot device. do so 5. wait for it to fully load. be forewarned, it may take about 15 minutes to load CHANGES CRI versions 1. DEODEXed the ROM 2. added external SD support into the ROM 3. fixed FC on clock app (switched clock/alarm from stock worldclock.apk to AOSP clock) 4. changed bootanimation.zip, boot sound, and stock ringtones and sounds. 5. added more stable kernel to flash file. 6. added Pandora (no-ads vers. 5.5), SpiritUL (FM radio support), Facebook, RootBrowser, Adobe reader, Adobe flash player, and Viper4android (DSP/equalizer) 6.1 all apps that have been listed in 6 can be uninstalled without the need for root 7. root and SU have been added and are up to date in this rom as of 11:45PM MST on 3/1/215 8. added apns-conf.xml from CyanogenMod 9. got native APP2sd support thanks to pattyboi's kernel B-S versions 1. mostly DEODEXed the ROM 2. fixed FC on clock app (switched clock/alarm from stock worldclock.apk to AOSP clock) 3. changed bootanimation.zip, boot sound, and stock ringtones and sounds. 4. added more stable kernel to flash file. 5. added Pandora (no-ads vers. 5.5), SpiritUL (FM radio support), Facebook, RootBrowser, Adobe reader, Adobe flash player, Wifi Tether, and Viper4android (DSP/equalizer) 5.1 all apps that have been listed in 5 can be uninstalled without the need for root 6. root and SU has been added *1.04-lean list of removed apps 1. Dropbox (can be found in playstore) 2. Google plus (can be found in playstore) 3. Hangouts (can be found in playstore) 4. HTC Dot View(can be found in playstore) 5. keyboard language packs for Arabic, Chinese, English UK, French, German, Greek, Italian, Portuguese, Russian, and Spanish (not in play store) if needed, flash language.zip found here 6. VPN dialogs (not in play store) if needed, flash missing.zip found here 7. HTC Zoe (can be found in playstore) BUGS CRI versions 1.USB internet pass-through not working 2.WiFi direct (miracast) not working 3. want to get rid of annoying volume too loud warning B-S versions 1. native hotspot says internet when connected to win 7 machine, but will not allow it to go through. Have included wifi tether as a workaround until the issue can be resolved THANKS CRI versions I thank wolfaas12345 for his awesome tutorial on bootloader unlocking, pattyboi for providing a more stable kernel, and chainfire for providing a great solution to provide the SU binary and app for rooted devices. and of course, CraviingCritic for providing the original ROM in which this wouldn't be possible B-S versions I thank wolfaas12345 for his awesome tutorial on bootloader unlocking, pattyboi for providing the current kernel, and chainfire for providing a great solution to provide the SU binary and app for rooted devices. and of course, LarryBoyG for providing the original ROM in which this wouldn't be possible please feel free to let me know if there's any issues with this release and i will fix them as they are found for now as this device is the one i primarily use as of right now. I will also be keeping the links updated for as long as I own the device (being that my HTC Desire 510(Cricket) is network unlocked, that may be a long time - or until I get a better device). UPDATES for those of you who have downloaded the ROM since first release, I will include an CRI_NSupdate.zip or B-S_NSupdate.zip file found here. it will include the changes I have made to the rom since it's initial upload. the file by the name of NSupdate.szip will include update that pertain to both the CRI and B-S ROMS to install the updates, just put the update file onto the root of the SD card, reboot into recovery, choose install, pick the update file, swipe the blue button on the bottom, reboot and enjoy. EDITING THE BOOTUP location of files mentioned is in /system/customize/resource to change boot animation 1. find your favorite boot animation 2. rename it to AIO_bootup.zip 3. copy/move and overwrite the original with a root explorer to /system/customize/resource to change the boot sound 1. find a sound file you like and want to hear every time the phone boots (can be changed at any time) 2. convert it to wav (the file has to be wav in order for the phone to recognize it) 3. rename it to CRICKET_LOGO_24bit28k_STEREO.wav 4. copy/move and overwrite the original with a root explorer to /system/customize/resource reboot and enjoy... THINGS NOTICED WHILE CREATING ROMs 1. both (cricket and boost/sprint) phones are exactly the same except for the boost/sprint ones contain a CDMA chipset. 1.1 the only things I had to change from the cricket rom to the boost rom was apns.xml in framework-res, apns-conf.xml, and the preferred network type in build.prop. 2. all kernels work for both (US) versions 3. the same recovery is used on both (US based) devices so essentially, if we develop for the boost/sprint version of the device, change a few things, it will be ready to roll for the cricket version as well TO FIX NATIVE TETHER ON B-S VERSIONS 1. Install Script Manager – SManager app from the Play Store. 2. Open the app and grant it root access when prompted. 3. Now, navigate to /system/etc/init.d and tap “tether” script. 4. Click on SU and Boot (Android skull and gear icons, respectively) 5. Click on Run and Save options. The issue should be fixed now. Reboot and enjoy! thanks goes to qwerty6532 and LarryBoyG for the fix. now to add that permanently to the ROMs and then they'll be absolutely stable enough for me to be happy and start working on CM11
CM11 I will be building CM11 for the device for both the cricket and boost models. look for the info here as I update it a I need ****edit**** ok so I figured out some of the issue with CM11 not wanting to install apps. I got the internal memory pulling the 1.1 gbs but now I need to symlink the external memory where it goes. ****edit**** so I have figured out what needs to be done...... the kernel for CM11 needs to be built from the ground, up (or one needs to be built that is compatible with it). i'll upload the current one that fixes the memory error (look in downloads).
reserved so as i have not been actively developing on the phone i will no longer supply updates. all flash files are up to date as of 8 months ago and should be working with out an issue.
again, reserved same to you...
This would have to be one of the most comprehensive tutorials I have read. 10 out of 10 and kudos. Pity I have a 64 bit device and can't use most of it lol.
Burtrum57 said: This would have to be one of the most comprehensive tutorials I have read. 10 out of 10 and kudos. Pity I have a 64 bit device and can't use most of it lol. Click to expand... Click to collapse if I had a 64-bit version for this device, I would have it out as soon as I could. and thanks
Great job. Off and running now
I'm not sure how to add the tether fix to the ROM. Not really a developer more of a tester.. Wish I could get into developing don't really know where to start lol. If you need any help testing or working on CM11 for Boost shoot me a PM I'd be glad to help Sent from my 0PCV1 using XDA Free mobile app
Question to you Schizoidd......If I install the new 1.04lean over the previous build, do I still need to flash that update or is is already included in 1.04lean. I already falshed that some time ago when you first put it out, so I'm just not sure if its needed again or not. Thanks bro.
CSP III said: Question to you Schizoidd......If I install the new 1.04lean over the previous build, do I still need to flash that update or is is already included in 1.04lean. I already falshed that some time ago when you first put it out, so I'm just not sure if its needed again or not. Thanks bro. Click to expand... Click to collapse When you flash the new one, wipe the system partition and then use an explorer to remove v4a from the user apps. Which is located in /data/apps and reboot
qwerty6532 said: I'm not sure how to add the tether fix to the ROM. Not really a developer more of a tester.. Wish I could get into developing don't really know where to start lol. If you need any help testing or working on CM11 for Boost shoot me a PM I'd be glad to help Sent from my 0PCV1 using XDA Free mobile app Click to expand... Click to collapse Well it's added to it. It just needs to be activated for now until I can figure out how to add it to automatically start from the first run of the Sprint/boost ROM
schizoidd said: When you flash the new one, wipe the system partition and then use an explorer to remove v4a from the user apps. Which is located in /data/apps and reboot Click to expand... Click to collapse Sorry, not following "wipe the system partition" ???
CSP III said: Sorry, not following "wipe the system partition" ??? Click to expand... Click to collapse if you in recovery, go to wipe and then advance wipe and check system. wipe it like u would as if ur doing a factory reset
schizoidd said: if you in recovery, go to wipe and then advance wipe and check system. wipe it like u would as if ur doing a factory reset Click to expand... Click to collapse Yeah, I figured as much. Should have been clearer with my ? Is that before or after I flash the new lean. I though if I did it after, that it would set me back to square one. As in having to start fresh setting everything up again, which I really dont want to have to do. Apologies for my unclearness.
CSP III said: Yeah, I figured as much. Should have been clearer with my ? Is that before or after I flash the new lean. I though if I did it after, that it would set me back to square one. As in having to start fresh setting everything up again, which I really dont want to have to do. Apologies for my unclearness. Click to expand... Click to collapse it'll leave ur data alone, just delete the OS. do not touch internal memory, davlik, data, or cache and ur stuff will be safe. I have done it and my stuff is fine
schizoidd said: it'll leave ur data alone, just delete the OS. do not touch internal memory, davlik, data, or cache and ur stuff will be safe. I have done it and my stuff is fine Click to expand... Click to collapse Right on buddy. I'll take you at your word on it. I've never had to do that before so it naturally made me a little nervous. Not that I couldnt have just restored a backup, but still . Many thanks.
Problems System UI force closes and power button doesn't turn the screen back on when I flash the latest cricket version.
schizoidd said: I for those of you that build the kernels, do you think u can build one that is AOSP and compatible with the device for android 4.4.4? Click to expand... Click to collapse we cant really do a "aosp" kernel because of htc's modifications to the board and pins,and they have their own dtb issues...im 99% sure mine works with android 4.4.x because of larry using it in gpe,just repack the ramdisk the zimage and it should be okay
Bobby060 said: System UI force closes and power button doesn't turn the screen back on when I flash the latest cricket version. Click to expand... Click to collapse If you're going from bone stock to this, you need to do a factory data reset. Just make ssure you back up your data and use nandroid manager to pull it data back into the new ROM
Did I found a Security Hole?
I take too serious the security in my device. I'm not a computer technician or anything, just a normal-to-advanced user who tends to change things in my device more frequently than my pants. This happend accidentally while trying to replace my SystemUI.apk with a modified one. My phone uses a pattern to unlock it at system level (lockscreen protection, not SIM). So I changed the SystemUI, I've set permissions and rebooted. For some reason the apk didn't worked, resulting in a constant "Android is Upgrading" window. I pressed the power button to lock it, and the screen went off. I pressed it again and my device booted directly to my homescreen with a message saying that my System UI has stopped working. But wait: No pattern unlock? I connected my device via USB to my PC and I was able to see all my files inside (normally, if your device is locked with pattern/pin/finger/etc and connect it to a PC it will not show any file in sdcard0, just an empty folder). The phone was almost unusable because if I press OK in the FC popup a new one would appear 0.5sec later, but I was able to open multiple apps and even type with the keyboard to a Whatsapp contact (with a little of patience) within one popup and another. I even replaced my corrupted SystemUI with root explorer... So the question is: Is this a security hole? For now this could happen only to Rooted users since there's no way to modify a System apk without root privileges. But if someone manages to break the SystemUI without needing to root the device, he would have access to anything inside your device... Here's my device info: Samsung Galaxy Note 4 N910C Android Version 5.0.1 Build: N910CXXU1BOC5 Deodexed If anyone experience in security read this, please give me an opinion. Thanks!
It's not a security hole, the keyguard doesn't really do much in the way of security. Device encryption is another matter entirely - that's sure to protect your device if the attacker doesn't know the passcode. Rooting sidesteps many of the security measures put into place by the OS, and that's why rooting trips the Knox counter.
galaxynote2 said: I take too serious the security in my device. I'm not a computer technician or anything, just a normal-to-advanced user who tends to change things in my device more frequently than my pants. This happend accidentally while trying to replace my SystemUI.apk with a modified one. My phone uses a pattern to unlock it at system level (lockscreen protection, not SIM). So I changed the SystemUI, I've set permissions and rebooted. For some reason the apk didn't worked, resulting in a constant "Android is Upgrading" window. I pressed the power button to lock it, and the screen went off. I pressed it again and my device booted directly to my homescreen with a message saying that my System UI has stopped working. But wait: No pattern unlock? I connected my device via USB to my PC and I was able to see all my files inside (normally, if your device is locked with pattern/pin/finger/etc and connect it to a PC it will not show any file in sdcard0, just an empty folder). The phone was almost unusable because if I press OK in the FC popup a new one would appear 0.5sec later, but I was able to open multiple apps and even type with the keyboard to a Whatsapp contact (with a little of patience) within one popup and another. I even replaced my corrupted SystemUI with root explorer... So the question is: Is this a security hole? For now this could happen only to Rooted users since there's no way to modify a System apk without root privileges. But if someone manages to break the SystemUI without needing to root the device, he would have access to anything inside your device... Here's my device info: Samsung Galaxy Note 4 N910C Android Version 5.0.1 Build: N910CXXU1BOC5 Deodexed If anyone experience in security read this, please give me an opinion. Thanks! Click to expand... Click to collapse So you gave the user root access and you say you are concerned about security? :silly: A silly screen unlock pattern is not going to save you, as anyone with a a computer can access everything on your phone and make any changes they want (granted they have access to you phone).
Security hole can be said of you are uprooted. You changed (corrupted) systemui means you have rooted device and since screen guard is part of systemui so how can you expect to work normally. Also not difficult to reproduce. Simply delete systemui with root explorer, your device will reboot normally without pattern though you have set it. Even you can explore all files with root explorer (that means you can do almost anything) and can change pattern lock with setting too. Just you will have black wallpaper and no status bar. Once you replace systemui you will have your pattern lock back. In sort you are rooted users your are no more secured. Even not rooted but simply having custom recovery you are not secured. Any script having command to delete your pattern /pw it can be deleted from that even device is not rooted as custom recovery can mount partition and can edit it. That's why Samsung trip knox even by flashing custom recovery. Sent from my SM-N910G using xda premium
OOs 4.0.3 / Encryption / Tracking
My OP3T has OOs 4.0.3 and I have set it up with fingerprint lock. However when I go into TWRP recovery and connect the phone I can see all the internal storage contents. Does this mean that the phone is un-encrypted? I want to keep the contents safe so that no one can access them in case it is lost. Not even in recovery mode. Does TWRP also recognize fingerprints? Should I encrypt the phone? Is it safe / recommended? Would it slow down the phone? What is the best solution? Are there any tracking features or apps which can be used in case the phone is lost?
You can check if your phone is encrypted by going into Settings > Security > (scroll to bottom of page). The phone is encrypted out of the box and will remain so unless you format your /data partition after rooting. The fingerprint itself is not the encryption key, the key is generated by the OS. While TWRP can find your encryption key and use it to access certain parts of your internal storage that it needs to function, it cannot mount User Storage (/data/media) and retrieve data other than zips/imgs. TWRP itself cannot access user data, but ADB can. You can turn off USB debugging to prevent someone from pulling data. Encryption is definitely useful if you want to keep your data safe, though it really depends on individual usage. I personally don't keep any important data on my phone and like to keep it decrypted. By decrypting, you experience fewer problems when flashing different ROMs. The phone also boots a bit faster as you don't have to decrypt each time. There are services that you can use to track and remote access lost phones. Check out Cerberus Anti Theft, which has some unique features such as being able to install as a system app to avoid deletion via factory reset. For basic tracking, Google actually had built in tracking. As long as your phone is on and has network access, you can use Google Device Manager to locate your phone. You also have the option to remotely lock and erase your phone if needed, though keep in mind that this requires internet access. Services such as Cerberus allows you to send commands to your phone through texts and other means even when data is disabled.
Anova's Origin said: You can check if your phone is encrypted by going into Settings > Security > (scroll to bottom of page). The phone is encrypted out of the box and will remain so unless you format your /data partition after rooting. The fingerprint itself is not the encryption key, the key is generated by the OS. While TWRP can find your encryption key and use it to access certain parts of your internal storage that it needs to function, it cannot mount User Storage (/data/media) and retrieve data other than zips/imgs. TWRP itself cannot access user data, but ADB can. You can turn off USB debugging to prevent someone from pulling data. Encryption is definitely useful if you want to keep your data safe, though it really depends on individual usage. I personally don't keep any important data on my phone and like to keep it decrypted. By decrypting, you experience fewer problems when flashing different ROMs. The phone also boots a bit faster as you don't have to decrypt each time. There are services that you can use to track and remote access lost phones. Check out Cerberus Anti Theft, which has some unique features such as being able to install as a system app to avoid deletion via factory reset. For basic tracking, Google actually had built in tracking. As long as your phone is on and has network access, you can use Google Device Manager to locate your phone. You also have the option to remotely lock and erase your phone if needed, though keep in mind that this requires internet access. Services such as Cerberus allows you to send commands to your phone through texts and other means even when data is disabled. Click to expand... Click to collapse When I go to Settings > Security > Encrypt it has a button to start the encryption so I guess that the phone is not encrypted. I also am not keeping very important data on the phone. However just in case it is lost I don't want people to see my Contacts, WhatsApp messages, photos etc. Will encryption encrypt all of these? If I press Encrypt, will it retain the data or should I take a backup first? If I encrypt the phone and have a fingerprint lock, does it mean that no one else can access my data? Not even through TWRP? How will I know the encryption key? Once encrypted, can I update the phone? Thanks for the advice on Cerberus, If there are any other suggestions, I would like to know.
Encrypting the phone will not erase any data, just click the button and it does so automatically. You can't see the actual encryption key, it's maintained by the OS. I believe that if you set a password in addition to your fingerprint, TWRP may ask for the password on boot. I'm not too sure how this works exactly, there'll likely be more accurate sources online somewhere. Encryption will encrypt all user data, including photos and most appdata. TWRP doesn't have access to user data by design, that's why nandroids can't backup Storage. TWRP itself also cannot see or access any user data in its built-in file explorer. Keep in mind that while encryption works well, nothing is perfect. You never know when someone will find another exploit, especially if you leave your bootloader unlocked and modify your phone with root/custom ROMS/recoveries/etc. As for Cerberus alternatives, I've got no idea. I've never really looked into these services and only know about Cerberus due to its popularity.
General System root + Passed Safety Net Pixel 5a
Hey everyone, after some trial and error, I was able to pass Safety Net. I just want to mention what I did in the process to get there. May have been a combination of things or just one... 1. I followed this guide, but make sure you notice that It's for the Pixel 5 not 5a. But the process is similar. This process didn't fix the issue. However, it's also a good how-to on how to root. I did also modify the props to the 3a. How to Root the Pixel 5 & Still Pass SafetyNet — Full Guide for Beginners & Intermediate Users The Pixel 5 is a great value proposition in this era of $1,500 phones. With its reasonable price tag, fully open-sourced software, and unlockable bootloader, it's also an ideal phone for rooting. android.gadgethacks.com 2. When that didn't work, I followed this video, and hid all my banking apps besides the Google Play Services: 3. When that didn't work, I installed these both using Magisk from this post: Magisk General Support / Discussion This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread forum.xda-developers.com 4. Cleared my data and cache with Google Play and GPay + any other banking apps. That worked for me! EDIT: IF GOOGLE MAPS reports the wrong location, its likely XPrivacy-LUA, Google Services. Uncheck some of them.
Oh man....the only thing holding me back is the safety net thing, and it looks like we have a work around tell someone has an actual method made for this phone. Not sure if I'm ready to actually mess with this yet...but thanks for the post, bro!
anubis2k3 said: Oh man....the only thing holding me back is the safety net thing, and it looks like we have a work around tell someone has an actual method made for this phone. Not sure if I'm ready to actually mess with this yet...but thanks for the post, bro! Click to expand... Click to collapse Didnt think it was that big of a deal to me. But it was fun with a new phone with nothing on it.
This was the Magisk module that worked to pass safety net for me. I didn't need any others. Releases · kdrag0n/safetynet-fix Google SafetyNet attestation workarounds for Magisk - kdrag0n/safetynet-fix github.com Google Pay "appears" to be working too. Haven't gone out and tried it yet though.
joemommasfat said: Google Pay "appears" to be working too. Haven't gone out and tried it yet though. Click to expand... Click to collapse That's the part that I use the most, and the reason I haven't rooted yet. Please let us know if it works. Much appreciated!
I can confirm that using google pay (newer GPay app) on my rooted 5a works at merchants. I've already used it several times over the last week or so with no problems.
Deadmau-five said: 3. When that didn't work, I installed these both using Magisk from this post: Click to expand... Click to collapse Why? Isn't the shim version just for Samsungs? Either way, it's the same mod, just different versions. Someone who actually knows what they're doing needs to write up a tutorial. Following instructions posted by people who have no idea what they're doing but "it works" for them is dangerous.
borxnx said: Why? Isn't the shim version just for Samsungs? Either way, it's the same mod, just different versions. Someone who actually knows what they're doing needs to write up a tutorial. Following instructions posted by people who have no idea what they're doing but "it works" for them is dangerous. Click to expand... Click to collapse You're absolutely correct about the dangers in following instructions posted by who knows who. I'll go further and say when it comes to root and associated items stay away from anything posted on a site other than XDA. In many cases even if the instructions were correct at some point in time they may well be outdated now. I haven't rooted yet for a few reasons yet but will, hopefully sometime very soon. In the meantime I can state the following: They're is no need to modify props. Modifying props to identify as a different phone would only be required for custom ROMs that don't handle it themselves (or some non-certified Chinese phones, which doesn't apply here). If you're running stock just leave that portion alone. And, if I'm not mistaken (although not 100% certain) I think safetynet-fix takes care of that for you in any case. You will definitely need kdragOn/safetynet-fix. Hopefully that's all you need. I'm not sure which version of Magisk you'll need. Unless you know what you're doing and how to get out of trouble I recommend staying away from the current alphas, they're extremely cutting edge and you can expect problems. Best best is to check the following threads and see what's going on: Actually see this post and the 2 posts immediately following Magisk General Support / Discussion This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread forum.xda-developers.com That should pretty much cover things for the moment. If nobody else (@hfam ?) has done it by the time I get around to rooting I'll write something up specific for the 5a.
I only mentioned what works for me since there was no step-by-step guide. Dangerous how? Doing any mods to your phone is "dangerous". I fail to see how this is more so than others. Modifying your phone is risky. If it didn't work I wouldn't have posted this guide. I only mentioned the steps that I took. It's not really a guide, just how I passed safety net. But, my 5a has still been working great since then. GPay included.
jcmm11 said: You're absolutely correct about the dangers in following instructions posted by who knows who. I'll go further and say when it comes to root and associated items stay away from anything posted on a site other than XDA. In many cases even if the instructions were correct at some point in time they may well be outdated now. I haven't rooted yet for a few reasons yet but will, hopefully sometime very soon. In the meantime I can state the following: They're is no need to modify props. Modifying props to identify as a different phone would only be required for custom ROMs that don't handle it themselves (or some non-certified Chinese phones, which doesn't apply here). If you're running stock just leave that portion alone. And, if I'm not mistaken (although not 100% certain) I think safetynet-fix takes care of that for you in any case. You will definitely need kdragOn/safetynet-fix. Hopefully that's all you need. I'm not sure which version of Magisk you'll need. Unless you know what you're doing and how to get out of trouble I recommend staying away from the current alphas, they're extremely cutting edge and you can expect problems. Best best is to check the following threads and see what's going on: Actually see this post and the 2 posts immediately following Magisk General Support / Discussion This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread forum.xda-developers.com That should pretty much cover things for the moment. If nobody else (@hfam ?) has done it by the time I get around to rooting I'll write something up specific for the 5a. Click to expand... Click to collapse Just a quick note to say I just finished with everything (new Pixel 5a 5G, rooted + Safety net, restored all my apps, etc) and it's a flawless victory, ALL banking apps work great, SafetyNet passes, no hiccups. I'd be happy to craft up a step by step and post it if there's some interest. It's not often I get to give back to this outstanding community, so it's the least I can do jumping on the opportunity. UFC 266 Main card is just starting, so I'll get started right after the fight and post it here in this thread. Great to see ya again @jcmm11! Coming back to root a new phone feels like a family reunion, so great to see many of you active folks still here helping out!! hfam
Alright, as promised, here is my writeup for a step-by-step tutorial for rooting your new Pixel 5a and getting SafetyNet up and going. I know it looks like a book, but I wanted to put it into plain language and attempt to explain the process for everyone, even absolute first timers. I know when I first started I really appreciated when the person helping didn't presume I had any knowledge, so for those that may have some experience, sorry for the wordiness. I'll also include how I apply updates when a new Android security update is pushed out. I understand that there are now elegant ways to accept OTA updates, but that is out of the scope of this tutorial as I have always had issues with OTA, and have to catch up on how that works myself. I can attest to years of using this method though (using a full factory image) to perform the "monthly" security updates, and I have never had anything but full success, so I'll share that here below the rooting tutorial. *Disclaimer and heads-up* this is for an UNLOCKED PIxel 5a purchased directly from Google Store. At the time of this writing that is the only place I'm aware of which currently offers the PIxel 5a. Once carriers like Verizon, etc, offer this device, there may be some changes to the process, so just know up front this is for the unlocked Pixel 5a* *WARNING*! When you unlock the bootloader on your phone it WILL WIPE YOUR PHONE and reset it to factory. If you've already used your phone and set it up, you're going to lose that setup. If you can't bear it, then the rest of this isn't for you, as root cannot be achieved without unlocking the bootloader. First, you'll need a few things - https://developers.google.com/android/images and download the latest FACTORY IMAGE for "barbet", which is the Pixel 5a. You want to download the SAME VERSION that is currently installed on your device. At the time of this writing, it's the September release. From that same page, you will need the ADB+Fastboot platform tools which will allow you to perform the required tasks, download from this link: - https://developer.android.com/studio/releases/platform-tools.html I use Windows 10, and extract this tools download to a folder in the root of C: called "platform-tools". You will then need to add "c:\platform-tools" to your environment path. On the Pixel 5a, you need to enable developer options. Go into Settings/About Phone/and tap "Build Number" 7 times. This enables developer options and it will let you know when you've unlocked this as you tap 7 times. Once developer options is unlocked, go back to Settings/System/Advanced, and you'll see Developer Options is now available. Select Developer Options, and enable "USB Debugging" and also enable "OEM Unlocking". (**NOTE** For now at least, until you decide how you want to proceed with handling updates in future (more on that later), I strongly recommend turning OFF "Automatic System Updates" as well, just a few items below "OEM Unlocking". This prevents any updates happening automatically on a phone reboot. You don't want to wake up and find an OTA update pushed out and removed root, or worse. You can always turn it back on later.) Plug your phone into a USB port on your PC. Allow the PC to do it's thing. You can open up Computer Management on the PC (right click the windows menu button icon lower left of your toolbar and select "Computer Management". Select "Device Manager" on the left panel. You should see "Android ADB Device" appear at the top of the right pane list of devices. if not, then visit: Install OEM USB drivers | Android Studio | Android Developers Discover links to the web sites for several original equipment manufacturers (OEMs), where you can download the appropriate USB driver for your device. developer.android.com and download the appropriate USB driver for your system and retry the above directions. First thing we have to do is unlock the bootloader. On the PC, open a command prompt and change directory to "C:\platform-tools" as discussed above. Now, type in "adb reboot bootloader". The phone will reboot into bootloader. (you may receive a dialog on the phone which says something to the effect of not recognizing the PC. Go ahead and allow it, check the box to allow it in the future, and proceed. Phone is now at the bootloader, and shows you some info letting you know it's so, including that the bootloader is locked. Also, look at the Device Manager we opened earlier and confirm that you see Android ADB Device (or similar) which confirms your PC recognizes the phone and setup for ADB commands . To unlock the bootloader, in the command prompt type: fastboot flashing unlock This will unlock the bootloader, you will likely see a warning that it's going to wipe the phone. Proceed and allow the unlock. The phone will then reboot and take you to your wiped phone just as you received it out of the box, except the bootloader is now unlocked and Developer Options are still available. Let the phone continue through it's first-time setup, and leave the phone plugged into the PC. If you unplugged no biggie, but we're going right back to the PC shortly and it will need to be plugged back in before the next step to accept the file we're going to push to it. Now, you want to open a browser on the phone and go to (at the time of this writing, v23.0 is the current stable Magisk): Release Magisk v23.0 · topjohnwu/Magisk This release is focused on fixing regressions and bugs. Note: Magisk v22 is the last major version to support Jellybean and Kitkat. Magisk v23 only supports Android 5.0 and higher. Bug Fixes [App]... github.com Scroll down and under "Assets" select that Magisk 23.apk file, download and install it. Open Magisk if it doesn't open on install, and just let it sit, we're coming back to it shortly. PATCHING THE BOOT.IMG FILE On the PC, go back to the Factory Image you downloaded, and extract it to a temporary directory. You will see 6 files; a few "flash-all" files, a radio image, a bootloader image, and a ZIP file called "image-barbet-XXXXXXXXXXX.zip (the xxx's are whatever the version number is you've downloaded). Double click that ZIP file and you will see a dozen files. The one we need to root the device is "boot.img". Copy (don't move!!) this file to c:\platform-tools. Now, go back to your command prompt (still pointing to c:\platform-tools) and type in: adb push boot.img /sdcard/Download Now back on the phone, within the Magisk app we left open, at the top where it says Magisk, choose to install. A dialog box will open, select Patch Boot File Image. Point the process to your /sdcard/Download, and select the boot.img file we just pushed there. Now allow it to patch the boot.img and Magisk will show you it's patching it, and in a moment tell you it was successful. Close the Magisk app, open "Files" and direct it to sdcard/Download. Note the name of the patched boot file, which is called "magisk_patched-XXXXX_xxxxx.img (the X's are the Magisk version, and the x's are 5 random chars). Feel free to leave it there as you go back to the PC... Back on the PC, in the command prompt, now type: adb pull /sdcard/Download/magisk_patched-XXXXX_xxxxx.img make certain you get the name exact or it won't go, no worries, just get it correct. The file now resides in the "c:\platform-tools" directory along with the unpatched "boot.img" and your ADB+Fastboot tools. Just about done rooting, here we go! Now, in the command prompt type: adb reboot bootloader The phone reboots into bootloader. Now type: fastboot flash boot magisk_patched-XXXXX_xxxxx.img (again, use the numbers and letters in YOUR patched file!) Lastly, type: fastboot reboot Your phone reboots, and you should be rooted!! Unplug your phone from the PC, open up Magisk App and confirm, the Magisk entry at the top of the main Magisk App screen should now show you the version you installed, etc! Time to get your banking apps (and any others that may detect unlocked bootloaders/root/etc) working! In the Magisk App, on the bottom of the screen is a 4 item menu bar. Select the right-most icon, which is "Modules". At the top of the screen select "sorting order" and sort alphabetically. Scroll down to "riru" and select the module that is JUST "RIRU", (not any of the other "riru _______" modules). Choose to download it, then choose to install it. You'll be prompted to reboot the phone, so reboot the phone. Next, we're going to install drag0n's Universal SafetyNet fix (at the time of this writing it's currently v 2.1.1) You will need to download this via a browser on your phone, so open a web browser and go to: GitHub - kdrag0n/safetynet-fix: Google SafetyNet attestation workarounds for Magisk Google SafetyNet attestation workarounds for Magisk - GitHub - kdrag0n/safetynet-fix: Google SafetyNet attestation workarounds for Magisk github.com On the right-hand side, you'll find "Releases", and v2.1.1 is the latest. Select that, then scroll down to "Assets" and download "safetynet-fix-v2.1.1.zip" By default this will download to sdcard/Download. Go back into the Magisk App, select the "Modules" menu as above, and at the very top select the "Install from Storage" bar. Point to the file we just downloaded and install it (don't extract it, etc, it requires the zip exactly as downloaded and will do it's thing). Again, it will install the module and prompt you to reboot. Reboot. Almost there! At this point, if you havent installed your banking apps, do so. DON'T RUN THEM, just install them. I also have a Nintendo Switch Online app which failed because of root, so if you also have or want this app, install it now, again, do NOT run it yet, just install. Same with any other apps you are aware which have root/bootloader unlocked issues, get them installed, but don't run 'em. Now, we're going to use MagiskHide to hide these apps and complete the process for passing SafetyNet and running apps which may not run due to root. in the Magisk App, at that 4 item menu bar at the bottom, select the 2nd from left, or "MagiskHide". Select the MagiskHide item and it will open to a scan of all the apps on your system. By default I believe Magisk sets up to hide Google Play Services. You will see it selected, and all the other apps on your system unselected. Select each of the banking apps, the Nintendo Switch Online (if you have it), and any other apps that YOU ARE SURE will complain about unlocked bootloaders and/or root. Any onilne gaming that's popular are good choices, but again, it's easiest to NOT RUN them PRIOR to hiding them via MagiskHide. Pokemon GO comes to mind as one I've seen that needs hiding, etc, so make it easy on yourself and do a little research on any suspect apps prior to running them, then hide them if needed. Anyhow, select your banking apps to hide them. Now, we're going to check SafetyNet to make sure youll now pass. On the Home menu in the Magisk App, select "Check SafetyNet". You will be prompted to download some proprietary SafetyNet shhhhhhhtuff....so let it download. Once done, SafetyNet check will open, and you should show a blue screen which says SUCCESS, and "basicintegrity" and "ctsProfile" will be checkmarked, evalType will show BASIC. You're good to go, rooted, SafetyNet works perfect, and you can now open your banking apps and should open right up!! If you find any specific issues about specific apps not working, or detecting root, etc, the best place to get help is in the Magisk General Discussion forum: Magisk General Support / Discussion This is the place for general support and discussion regarding "Public Releases", which includes both stable and beta releases. All information, including troubleshoot guides and notes, are in the Announcement Thread forum.xda-developers.com I owe those folks eternally for showing me what I know, and always having the answers for any issues I've ever had. Some of the nicest, smartest people Ive had the pleasure of knowing, they're always helpful, and even maintain fantastic sites for FAQ and chock full of great info about every aspect of Magisk. BONUS ITEM: As I indicated above, I'd share the method I know, trust, and have used many many times, trouble free, to apply a system update to the phone without overwriting anything, and not hitting any issues many encounter using the OTA method (though I understand that's been vastly improved, I haven't educated myself as to that process and will likely continue to use this method). Security Update (monthlies) Process using Full System Image As above, download the newest Full Factory Image from the site. Extract this full image to a directory inside C:\platform-tools In this directory, if you're on Windows, open the "flash-all.bat" file (don't run it, open it with Notepad or something similar, I really like Notepad++ as it's free, has a LOT of great functionality and, like the native Notepad, doesn't do any goofy formatting/fonting/etc when modifying and saving a file.) In flash-all.bat, look for the "-w" entry in the fastboot command near the end of the file and REMOVE ONLY THE "-w", leaving the line correctly formatted (don't leave an extra space or something goofy), then save the file over the top of the original with the same name. This will remove the overwriting of your data when pushing the image, the "-w" tells the process to overwrite, so we remove it. Open up a Windows Explorer and go to your c:\platform-tools directory. Delete (or move to another location) any "boot.img" files along with any "magisk_patched-XXXXX_xxxxx.img" files from previous operations. Also note and confirm that you have correctly extracted the latest Full System Image to it's own directory, residing in c:\platform-tools. Now, connect your phone to the PC. Open your command prompt and point to "C:\platform-tools" again. Type: cd <name of Full system Image directory> In command prompt, type: adb reboot bootloader The phone is now in bootloader. In command prompt, confirm you're pointing to "C:\platform-tools\<Full System Image extract dir>" Type: flash-all This will do a full factory image push to your phone, you'll see a couple quick writes and phone reboots, then begins writing the rest of the image to your phone, but since we removed the "-w" from "flash-all.bat", it's NOT overwriting your data, just the necessary system files to update it to the latest version! Reboot your phone, let it do any optimizing and updating it needs to do, and don't run anything yet, we're not quite done, just let the phone settle in and finish booting and doing it's thing. Now, go back and perform the steps above listed under "PATCHING THE BOOT.IMG FILE" to patch the newest boot.img from the Full System Image we just updated the phone with (push the boot.img to sdcard/Download, patch with Magisk App, pull magisk_patched-XXXXX_xxxxx.img to your PC, blast it back using fastboot), and you've now rerooted the phone. Lemme just say again that I know this was a friggin' book, and I tried to make it as clear and plain language as I could to help even a first timer, so my apologies if it seems like an onerous process. It's really not, and once you've done this once or twice, it's a cakewalk and takes about 10 minutes of your time from start to finish to do the whole system update and reroot. Again, the newer methods to take OTA without losing root may be something you'd like to look into, i definitely will, but I'm very confident in sharing this method as I know it works like a champ and is foolproof if you take your time the first few times and make sure you do what's required (remove the "-w" from the flash-all.bat, etc) Lastly, I've been using this method since the Pixel 2, and just performed it on my new 5a, it worked exactly as it has for years for me on the P2, so you can be confident moving forward that, if you follow instructions and take your time until it's all familiar, you'll be successful in rooting, passing SafetyNet, and applying system updates without screwing up the A/B slots or overwriting your data in the process. I hope this helps even one person, and since I rarely find myself able to give back to the community in any real meaningful way (many of these folks are WAAAY beyond my modest skills and know so much!!), I hope that this provides some folks with a useful and meaningful tutorial, providing confidence that anyone can root their P5a (or about any Pixel it seems) without being a Magisk/Android prodigy. @Didgeridoohan, @pndwal, @zgfg, @jcmm11, and so many others over the years have been so helpful, I couldn't have done any of this without their selfless help, so give those folks a big thanks also if this is any help to you. Best of luck, hfam
Thanks for the write-up @hfam, it's good to know that some of the steps that i tried aren't really necessary, like using props config or hiding the actual magisk app. Appreciate you!
nsoult said: Thanks for the write-up @hfam, it's good to know that some of the steps that i tried aren't really necessary, like using props config or hiding the actual magisk app. Appreciate you! Click to expand... Click to collapse Awww, thanks! Glad to do it and really hope it helps some folks tackle rooting their phones and passing SN!
Rooted with magisk v.23 - flashed zip as a module
So has anyone installed the October update yet?
GrandAdmiral said: So has anyone installed the October update yet? Click to expand... Click to collapse Yep, good to go. I used the same method I shared above.
Is this working with Android 12? Which Magisk version to use?
This method did not work for Android 12. I updated my rooted phone to android 12 OTA. It returned to stock. I followed the method above to patch the factory boot.img file with magisk. After flashing my phone in bootloader with the patched boot.img, my phone will not reboot. says: failed to load/verify boot images Any advice? My Magisk is v23. Do I need to use a beta version?
Poking around in this thread, it seems that android 12 root is a much more involved process, requiring factory wipe and additional steps. [Guide] Flash Magisk on Android 12 Trying to root the Pixel 5 running Android 12 by flashing a magisk-patched boot image results in the phone only booting to fastboot mode ("failed to load/verify boot images") Some users have reported that booting (instead of flashing) the patched... forum.xda-developers.com
tintn00+xda said: This method did not work for Android 12. I updated my rooted phone to android 12 OTA. It returned to stock. I followed the method above to patch the factory boot.img file with magisk. After flashing my phone in bootloader with the patched boot.img, my phone will not reboot. says: failed to load/verify boot images Any advice? My Magisk is v23. Do I need to use a beta version? Click to expand... Click to collapse As you stated, you are correct. You need to perform a full wipe or flash the factory image with a wipe and then root works fine and phone boots. Tried myself and works fine.