Pixel 3XL - Root and OTA - Magisk

Now according to the documentation MM supports rooting after A/B Slot OTA. The problem is after I rooted mine (I think beginning of April) I never got an OTA message again. Only got the OTA from March to April. Even though it's rooted with the latest stable Magisk, and Magisk Hide (default settings) is enabled. Play Store says "device is certified" and I pass SafetyNet. Am I missing something here, is there another setting/switch preventing system OTA notification? Manual check always says "device is up to date".

You have to restore images for OTA to work. It's a pretty easy process, just follow Magisk's official tutorial:
https://github.com/topjohnwu/Magisk/blob/master/docs/tutorials.md

Tried that on the first OTA I should be getting, didn't work, and still doesn't. Restored, manually checked for updates: "System is up to date".

Been like that for many Pixel users for some time now. As far as I know, nobody's found out why...

So it's not like having USB debugging enabled can cause it? Think I read that somewhere, just don't know where anymore.

Related

January ota update help needed

OK I got the notification to update today, it's MMB29S, I am on K. I am rooted but stock, unlocked using systemless root for root. I've always been rooted and expected it to fail and have to install manually but this time because I'm not rooted like the old way. So I downloaded and went to install; to my surprise the dead Android with the triangle didn't show but it went to the custom recovery screen, TWRP. I just hit restart because I've never not had a fail and never seen it do this before. Well when it restarted I was not updated and still on K. I also for the life of me can't get it to redo the OTA. Tried to clear system service in apps and recheck but nothing.
So my question is since I'm new to systemless root what should I have done when it went to custom recovery? So that way if I can get it to pop up again I can be updated. Thank you in advance for any help and it would be awesome if possible to update this way without having to manually do it.
My best guess, based on what Chainfire replied to me when I asked about OTA, is that because you're somehow rooted the OTA will refuse to install. He said that using the "unroot" function in v2.63 (and I suppose in subsequent versions) he was able to apply the OTA and then just had to re-root.
As to the OTA, I read in the long-distant past that once it's been provided to your device you sort of go to the back of the queue, and even pressing the "check for system update" button has no effect. One day your turn will come again. When it happens, before you press the "install now" button, use the unroot function, reboot, and give it another go.
And I would really appreciate it if you could report back on the success or failure, just so we all know - thanks...
And before I close... your alternative is just to download the full ROM from Google, unzip everything in sight (including the zip within the zip), copy system.img to a convenient folder, and use Fastboot to flash system. After that you'll need to re-root (simple flash) and when you reboot everything will be as it was, apart from the version and security update date. I did it myself to MMB29S a week or so ago.
But my lawyer advises me to advise you to take a full backup first and store it off your device before you do anything to your device - just in case, you know?
I will definitely reply if I get the update again in a few days. If it doesn't I'll probably do it manually. I was just really surprised I hadn't gotten the error, just so used to it. Thank you for the info though.
Correct me if I'm wrong, but to install an OTA don't you need to be completely stock, including recovery?
If I'm not mistaken, since 4.3 (I'm probably wrong), if you're rooted (before systemless root), when you try to do the OTA you will always get the dead Android, because rooting changes the system files, causing the update, when it does its checks, to think your system is corrupt.
Also it was really bad when people tried going from 5.x.x to 6.x even doing it manually some of us got bootlooped or when starting the phone up after updating manually saying system is corrupt but still starting up fine. Leaving like me having to completely clear out everything and installing the factory image just to not be corrupt and able to use Android pay.
Systemless root though I've not had a single problem and still able to use AP. And is also the first time in years I've gotten as far as I did with the OTA.
Rbh50815 said:
OK I got the notification to update today, it's MMB29S, I am on K. I am rooted but stock, unlocked using systemless root for root. I've always been rooted and expected it to fail and have to install manually but this time because I'm not rooted like the old way. So I downloaded and went to install; to my surprise the dead Android with the triangle didn't show but it went to the custom recovery screen, TWRP. I just hit restart because I've never not had a fail and never seen it do this before. Well when it restarted I was not updated and still on K. I also for the life of me can't get it to redo the OTA. Tried to clear system service in apps and recheck but nothing.
So my question is since I'm new to systemless root what should I have done when it went to custom recovery? So that way if I can get it to pop up again I can be updated. Thank you in advance for any help and it would be awesome if possible to update this way without having to manually do it.
These small OTAs can be done with boot modifications because they don't include any boot.img changes, and if they do then they just blanket overwrite what's already there. The only part that is checked is /system. However, TWRP won't ever install an OTA update for compatibility reasons. Even if you reflash the stock recovery you'll fail the OTA, because when you installed TWRP it protected itself (by modifying /system) from being overwritten by the stock recovery, which is what unmodded stock Android will always do on boot by default. And there are 2 things the OTA verification looks for when updating: 1. It looks for whether /system has ever been mounted as Read/Write. 2. It hash checks the /system; if it finds any mismatch it fails. As for the update not showing up again, the OTA checker hides the update after a failure to stop it from flooding the download server. If you want to extract the update zip you can look in /cache for the zip. But since you don't have an unmodded /system you might as well just download the newest factory image and manually flash the system.img.
You can use Wug NRT: unroot with the MMB29S provided in the NRT, then root.
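The two checks named in the reply above (has /system ever been mounted read/write, and does its hash match), run against a constructed image as an added example; this is not code from the thread or from Android's updater. It assumes an ext4 /system whose superblock mount count serves as the read/write marker and a `count,start,end,...` block range list hashed with SHA-1; every function name here is hypothetical.

```python
import hashlib
import struct

BLOCK_SIZE = 4096          # block size of this constructed image
SUPERBLOCK_OFFSET = 1024   # the ext4 superblock starts 1024 bytes into the partition
S_MNT_COUNT = 0x34         # ext4 s_mnt_count, little-endian u16 inside the superblock
S_MAGIC = 0x38             # ext4 s_magic, 0xEF53


def parse_rangeset(text):
    """Parse 'count,start,end,...' into half-open (start, end) block ranges."""
    nums = [int(n) for n in text.split(",")]
    if len(nums) < 3 or nums[0] != len(nums) - 1 or nums[0] % 2:
        raise ValueError("malformed range set: %r" % text)
    pairs = list(zip(nums[1::2], nums[2::2]))
    if any(start >= end for start, end in pairs):
        raise ValueError("empty or inverted range in %r" % text)
    return pairs


def range_sha1(image, ranges):
    """SHA-1 over the listed block ranges, in order."""
    digest = hashlib.sha1()
    for start, end in ranges:
        chunk = image[start * BLOCK_SIZE:end * BLOCK_SIZE]
        if len(chunk) != (end - start) * BLOCK_SIZE:
            raise ValueError("range %d-%d lies outside the image" % (start, end))
        digest.update(chunk)
    return digest.hexdigest()


def mount_count(image):
    """Read the superblock mount counter; non-zero means a read/write mount happened."""
    return struct.unpack_from("<H", image, SUPERBLOCK_OFFSET + S_MNT_COUNT)[0]


def verify_source(image, ranges_text, expected_sha1):
    """Return the list of failure reasons; an empty list means the update may proceed."""
    reasons = []
    if mount_count(image) > 0:
        reasons.append("remounted-rw")
    if range_sha1(image, parse_rangeset(ranges_text)) != expected_sha1:
        reasons.append("hash-mismatch")
    return reasons


def build_stock_image(blocks=16):
    """Constructed stand-in for a never-mounted stock /system partition."""
    image = bytearray()
    for i in range(blocks):
        image += hashlib.sha256(b"block-%d" % i).digest() * (BLOCK_SIZE // 32)
    struct.pack_into("<H", image, SUPERBLOCK_OFFSET + S_MNT_COUNT, 0)
    struct.pack_into("<H", image, SUPERBLOCK_OFFSET + S_MAGIC, 0xEF53)
    return image


def demo():
    ranges = "2,0,16"  # one range covering all 16 blocks
    stock = build_stock_image()
    expected = range_sha1(stock, parse_rangeset(ranges))

    # A single read/write mount bumps the counter, which also changes block 0's hash.
    remounted = bytearray(stock)
    struct.pack_into("<H", remounted, SUPERBLOCK_OFFSET + S_MNT_COUNT, 1)

    # One changed byte in a file block, superblock untouched.
    modified = bytearray(stock)
    modified[9 * BLOCK_SIZE + 7] ^= 0xFF

    return {
        "stock": verify_source(stock, ranges, expected),
        "remounted": verify_source(remounted, ranges, expected),
        "modified": verify_source(modified, ranges, expected),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "OK")
```

Because the superblock sits inside the hashed range, a read/write mount fails both checks even when no file was changed, which matches the advice in the thread to reflash an unmodified system.img.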

Auto OTA Download workaround on Pixel 3?

I haven't been getting the monthly auto OTAs on my Magisk rooted Pixel 3XL any more. I understand from another thread that Google has changed the update software so that the first time it sees a new update, it checks to see if the phone is rooted, and if it is, sets a flag that prevents the download for that month.
I like using the install to inactive slot after OTA method in Magisk, which of course I can't use without Google doing the auto OTA download.
1) Is it possible to make this method work with a manually downloaded OTA from the factory site?
2) Is there a way to trick the update software into doing the download even though I'm rooted? I know some people do this by unrooting just before the new update comes available. Given how variable these release dates can be, this doesn't appeal to me.

How To Prevent Android 10?

It took me a long time but I have finally gotten things settled down and working adequately on my new 405QA with Android 9, root w/Magisk, etc. I read here <https://www.theandroidsoul.com/lg-v40-update/> and elsewhere there may be an Android 10 coming. While for some that may be great news, for me it isn't. I need to rest and recover from the migration from my old Samsung Note 3 with 4.4.2!
So the question is: how do I 100% avoid any new Android OS updates from being (a) downloaded and (b) installed? In developer options, I have turned OFF "automatic system updates". But I fear this is not enough.
On my old Samsung, rooted with SuperSu, this alone seemed to prevent OS updates. But somehow I wonder if using Magisk and all will make preventing updates a bit different. What is the best way to handle this?
Thanks!
So, what you have done already is enough. Also, for a number of carriers you only get OTA if you are with the original firmware so if you cross-flashed your phone to unlocked US kdz, it is unlikely you would get any OTA updates even if you didn't disable in developer options. Any further options, you'd need to be rooted (which you are), disable/freeze both 'Software Update' apps and 'Fota Update' app. Titanium Backup is the best to freeze these.
Android# said:
So, what you have done already is enough. Also, for a number of carriers you only get OTA if you are with the original firmware so if you cross-flashed your phone to unlocked US kdz, it is unlikely you would get any OTA updates even if you didn't disable in developer options. Any further options, you'd need to be rooted (which you are), disable/freeze both 'Software Update' apps and 'Fota Update' app. Titanium Backup is the best to freeze these.
Thanks. Have not cross-flashed but I have used Magisk debloat to deal with fota and software updater. I feel better/safer now. Cheers

Question Company portal/work profile on A12

I want to use a work profile and enroll my device using company portal to access my work email/teams while my phone is rooted.
I have burned a lot of time attempting to achieve this, thus far without success, so I'm hoping for some community help. My attempts can be categorized as performed on official FW (+root) and on a custom ROM (BeyondROM).
Using official Samsung firmware
I have ODIN-flashed the latest BULF firmware on my SM-998B with a full wipe. Using original AP package, so no Magisk yet. Company Portal then fails me with a somewhat generic "Cannot create a work profile - The security policy prevents the creation of a managed device because a custom has been installed on this device". At this point, device is not rooted and there are no signs of Magisk lingering, so either this is a bug, or it queries Knox for the tripped efuse.
Next I attempted to create a work profile using Shelter, Island and SecureFolder. Each of them seem to run into the exact same error (worded slightly differently).
My gut feeling is that there is an issue with the underlying work profile functionality within Android itself, and I'm not being held back by simply the Knox bit -- surely Island doesn't mind a custom OS.
I then proceeded to root the official firmware with Magisk (23016 canary, and since yesterday 24000 beta). Attempted every combination of denylist, zygisk, shamiko and USNF. None of it makes any difference: every attempt to instantiate a work profile immediately fails.
Using custom ROM
Custom ROM specifically mentions that Samsung's SecureFolder *works* with it, so while I generally prefer to customize the OS myself, I figured flashing this was worth a shot. So I did, and indeed, work profile functionality is not borked anymore. Even before installing the Magisk romdisk, both Shelter and Island manage to create a work profile, and I can install apps inside it. No need for root hiding at all, it seems.
Then I moved on to Company Portal. The enrollment procedure now actually appears to start and after ~3 seconds I am told: we need to encrypt the device. It's definitely getting further than it did on official firmware. I'm okay with encrypting the device. At full battery/charger inserted I can seemingly start this procedure, but it then hangs at a black screen with centered android picture. At this point my buttons and statusbar are made inaccessible. After an hour of nothing happening I restarted - no data was lost, I'm sure it never even started to encrypt.
Enabling encryption from the Biometric & Security menu is not presented as an option either.
If anyone has insights as to why work profile creation completely fails on stock firmware (and how to fix that), or if anyone knows how we can enable encryption while running a custom ROM, please reply.
By using MagiskHidePropsConf I was able to set `ro.crypto.state` from `unencrypted` to `encrypted`. This allowed me to create a full work profile, without it asking me to encrypt first.
Next a bunch of "rooted" issues came up, but Shamiko and USNF solved that.
I could then access the apps within the work profile, but the device is still not in compliance because it insists I should enable 'secure startup', i.e. ask a full password/pin after reboot -- this actually does happen on reboots, but I cannot find any corresponding menu entry for it.
That said, I can access the apps inside the portal now, which is the main thing. Perhaps I can even trick it into thinking the device is in compliance.
Was your bootloader unlocked when you tried with the official firmware?
Yes, it has been unlocked for over a year. I did not re-lock before trying official firmware though.
Intune is supposed to work only on unmodified devices.
See here: https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy
According to Microsoft it won't work on:
Devices that fail basic integrity
Devices with an unlocked bootloader
Devices with a custom system image/ROM
Devices for which the manufacturer didn't apply for, or pass, Google certification
Devices with a system image built directly from the Android Open Source Program source files
Devices with a beta/developer preview system image
Hi @zzattack ,
I am in the exact point like you, but I am on S9+ NOBLEROM (based on stock).
With crDroid ROM, all is working ok with Company Portal (encryption working, and I used Magisk to hide root).
But I would like to use NOBLEROM. I also set build prop ro.crypto.state to encrypted. For me 'Secure startup' is not showing in Biometrics and security, and no password is required on boot. It is up only for Lock screen.
Did you manage to overcome secure startup? Maybe there is a possibility to trick it into thinking 'secure startup' is enabled, even if it is not.
Obs. In my case, I cannot run apps from the work profile, even though it is created and the apps are visible.
Thanks

Question Will root persist after an OTA update?

I've wondered this ever since my Tab S8+ reported its device status as official despite me having flashed the tablet with Magisk-patched firmware and asked me to update. This same exact scenario has happened with my rooted Tab S7+. However, I rooted that by flashing Magisk in TWRP rather than flashing patched firmware with Odin. I don't think anyone has tried applying an OTA update on their rooted Tab S8 device since the latest firmware isn't available yet, and it could result in needing to flash patched firmware again. Then again, most rooted devices will report as custom instead of official, so that may be why.
I'm willing to try this out on my Tab S7+ first as that device has TWRP, and I can easily restore my device to a rooted state afterwards. Since both tablets are relatively similar, I'll assume that if root persists after updating on the Tab S7+ then it should be safe to do so on the S8+. I'm curious about doing this solely for stability and performance updates in combination with everything root access grants.
With any part of the firmware patched, OTAs won't work - they'll fail. You could also wind up with a brick - most likely one you can recover from but I wouldn't bet either way on that. As always, have everything backed up in case the worst happens.
Since I still won't get my Tab S8 Ultra for another 10 days (unless they delay again), I haven't paid too close attention to the rooting instructions specific to this, and have only made note of them, however, the basic rule still applies - if any part of the firmware has been modified from stock, then OTAs will recognize that it's been modified and fail to apply - or as I said, it could possibly try to apply what it can but you could wind up with a mix and match of different firmware versions due to the OTA failing eventually, which would need some manual work to recover from - or very worst, you might need to start over from scratch and lose everything.
When I'm on any rooted device, I go into Developer options and disable Automatic system updates. It's still possible you could get an update prompt if you manually check for an update, but it's not advised to use OTAs when rooted.
I've always been a practitioner on all devices of flashing the full new firmware updates and re-rooting, however, I know that at least with devices with dual system partitions like Google Pixels (as far as I'm aware, Samsung still hasn't adopted dual partitions yet), there have been ways to apply Magisk to a manually sideloaded OTA, although I've observed other users who do this and something inevitably goes wrong with the process from time to time.
Not that full firmware flashes are immune to things going wrong.
Edit: If you try an OTA on yours, by all means, let us know what happens.
Edit 2: Adding TWRP to the mix may, or may not, affect the viability of applying OTAs. I've hardly used TWRP on any device in the last five years, so I'm not sure if it's smart about some things and can take root into account, but since TWRP doesn't exist on the Tab S8 (I don't have any older Tab), it won't matter for me.
roirraW edor ehT said:
With any part of the firmware patched, OTAs won't work - they'll fail. You could also wind up with a brick - most likely one you can recover from but I wouldn't bet either way on that. As always, have everything backed up in case the worst happens.
Since I still won't get my Tab S8 Ultra for another 10 days (unless they delay again), I haven't paid too close attention to the rooting instructions specific to this, and have only made note of them, however, the basic rule still applies - if any part of the firmware has been modified from stock, then OTAs will recognize that it's been modified and fail to apply - or as I said, it could possibly try to apply what it can but you could wind up with a mix and match of different firmware versions due to the OTA failing eventually, which would need some manual work to recover from - or very worst, you might need to start over from scratch and lose everything.
When I'm on any rooted device, I go into Developer options and disable Automatic system updates. It's still possible you could get an update prompt if you manually check for an update, but it's not advised to use OTAs when rooted.
I've always been a practitioner on all devices of flashing the full new firmware updates and re-rooting, however, I know that at least with devices with dual system partitions like Google Pixels (as far as I'm aware, Samsung still hasn't adopted dual partitions yet), there have been ways to apply Magisk to a manually sideloaded OTA, although I've observed other users who do this and something inevitably goes wrong with the process from time to time.
Not that full firmware flashes are immune to things going wrong.
Edit: If you try an OTA on yours, by all means, let us know what happens.
Edit 2: Adding TWRP to the mix may, or may not, affect the viability of applying OTAs. I've hardly used TWRP on any device in the last five years, so I'm not sure if it's smart about some things and can take root into account, but since TWRP doesn't exist on the Tab S8 (I don't have any older Tab), it won't matter for me.
Just attempted to OTA update on my Tab S7+ after making a backup, and it failed. When it rebooted to start applying the update, it booted into recovery to start flashing, but since I have TWRP installed, it booted to that instead, went straight to the main menu, and didn't apply the update. It's extremely ironic; my tablet says it's running unauthorized software and will no longer receive firmware updates, but it also says my device status is official and allows me to download and install updates if I check for them (it'll even mention there's an update available without having automatic download installed).
I rebooted to system, it said that the update failed, and prompted me to download the update again and try again. I can't tell if anything got affected since it seems like because the update failed, nothing got applied or changed. This makes me slightly less willing to try an OTA update on the Tab S8+. However, since the stock recovery is still in place (no TWRP yet), the update process would probably go a lot smoother. Not to mention, if something was to go wrong, and I needed to flash patched firmware again, I could just flash HOME_CSC instead of the regular CSC so I can keep my data. There's no guarantee that will work, as a failed update could require my system to prompt me to factory data reset anyway, but it's definitely an option that's available.
I'll backup whatever I can before attempting this, and I'll post the results later.
Answer would be no, doing OTA requires bootloader to be locked. But since you rooted, then you have unlocked the bootloader. So if your tab s8+ has locked bootloader then OTA will pass without a problem.
Jake.S said:
Answer would be no, doing OTA requires bootloader to be locked. But since you rooted, then you have unlocked the bootloader. So if your tab s8+ has locked bootloader then OTA will pass without a problem.
Really? I thought having an unlocked bootloader would be a non-issue since you can flash official and unofficial firmware with an unlocked bootloader. Not to mention that the recovery has remained unaffected, and stock recovery needs to be accessed to apply the update.
SavXL said:
Really? I thought having an unlocked bootloader would be a non-issue since you can flash official and unofficial firmware with an unlocked bootloader. Not to mention that the recovery has remained unaffected, and stock recovery needs to be accessed to apply the update.
When unlocking the bootloader you have to manually flash the stock firmware, since OTA becomes unavailable when the bootloader is unlocked. So if root is done in, for example, Android 12 and you get a monthly patch, then it will revoke the root, since root usually modifies the OS files and gives you the root access, sort of, and flashing an update will write over those files and your root privileges will be removed.
Jake.S said:
When unlocking the bootloader you have to manually flash the stock firmware, since OTA becomes unavailable when the bootloader is unlocked. So if root is done in, for example, Android 12 and you get a monthly patch, then it will revoke the root, since root usually modifies the OS files and gives you the root access, sort of, and flashing an update will write over those files and your root privileges will be removed.
Huh. I thought that doing an OTA update wouldn't remove anything that was already a part of the system and would just update whatever needed to be updated and call it a day. With the method of patching the firmware and flashing it, I assume root would just be a regular part of the system, and an OTA update wouldn't affect it. Odd...
SavXL said:
Huh. I thought that doing an OTA update wouldn't remove anything that was already a part of the system and would just update whatever needed to be updated and call it a day. With the method of patching the firmware and flashing it, I assume root would just be a regular part of the system, and an OTA update wouldn't affect it. Odd...
That is because your normal access is only admin, not root. So it has almost full rights, but when you add root access it is most likely a modification that you have to do, either by a command or flashing a file. But updating the OS will revoke the root since the method you used becomes unavailable for the next update, which is why it can reset your changes backwards so your root privileges become lost and your access is back to default as before. But I wouldn't touch the bootloader since doing that also bricks KNOX, so features for KNOX will become permanently disabled since it requires a working Knox chip to work, but since the KNOX chip fuse becomes blown when the bootloader is unlocked, features like Samsung Pass, Samsung secret folder and such will no longer work.
Jake.S said:
That is because your normal access is only admin, not root. So it has almost full rights, but when you add root access it is most likely a modification that you have to do, either by a command or flashing a file. But updating the OS will revoke the root since the method you used becomes unavailable for the next update, which is why it can reset your changes backwards so your root privileges become lost and your access is back to default as before. But I wouldn't touch the bootloader since doing that also bricks KNOX, so features for KNOX will become permanently disabled since it requires a working Knox chip to work, but since the KNOX chip fuse becomes blown when the bootloader is unlocked, features like Samsung Pass, Samsung secret folder and such will no longer work.
Turns out you were absolutely correct. I downloaded and attempted to install the update, it booted into the stock recovery and got to 25% before erroring out. It booted back into Android and said that the update failed. Thankfully, nothing ended up getting removed or corrupted, and I still have root access. Guess I gotta stick to finding the latest firmware and patching it. ¯\_(ツ)_/¯
