
Background: Please check the following links

  1. How to disable dm-verity on Android with “user” build type ROM?
  2. Stuck in boot-loop when unpack and pack system.img?

Update: So, I am trying to disable dm-verity on my Samsung S10 5G device to successfully flash an unpacked, unmodified and then packed system.img.ext4.lz4 file (with the other ROM files) using Odin.

I have tried the following things:

  1. Removed the avb flag from boot.img with the following commands:
# magiskboot dtb boot.img print -f
> #345900: fstab
│  [compatible]: [android,fstab]
├── #345940: vendor
│      [compatible]: [android,vendor]
│      [dev]: [/dev/block/platform/soc/8804000.sdhci/by-name/vendor]
│      [type]: [ext4]
│      [mnt_flags]: [ro,barrier=1,discard]
│      [fsmgr_flags]: [wait,slotselect,avb]
│      [status]: [ok]
└── #346156: vm-linux
       [compatible]: [android,vm-linux]
       [dev]: [/dev/block/platform/soc/8804000.sdhci/by-name/vm-linux]
       [type]: [emmc]
       [mnt_flags]: [ro]
       [fsmgr_flags]: [wait,slotselect]
       [status]: []
#343692: fstab
│  [compatible]: [android,fstab]
├── #343732: vendor
│      [compatible]: [android,vendor]
│      [dev]: [/dev/block/platform/soc/8804000.sdhci/by-name/vendor]
│      [type]: [ext4]
│      [mnt_flags]: [ro,barrier=1,discard]
│      [fsmgr_flags]: [wait,slotselect,avb]
│      [status]: [ok]
└── #343948: vm-linux
       [compatible]: [android,vm-linux]
       [dev]: [/dev/block/platform/soc/8804000.sdhci/by-name/vm-linux]
       [type]: [emmc]
       [mnt_flags]: [ro]
       [fsmgr_flags]: [wait,slotselect]
       [status]: []


# magiskboot dtb boot.img patch

# magiskboot dtb boot.img print -f
> #345900: fstab
│  [compatible]: [android,fstab]
├── #345940: vendor
│      [compatible]: [android,vendor]
│      [dev]: [/dev/block/platform/soc/8804000.sdhci/by-name/vendor]
│      [type]: [ext4]
│      [mnt_flags]: [ro,barrier=1,discard]
│      [fsmgr_flags]: [wait,slotselect]
│      [status]: [ok]
└── #346152: vm-linux
       [compatible]: [android,vm-linux]
       [dev]: [/dev/block/platform/soc/8804000.sdhci/by-name/vm-linux]
       [type]: [emmc]
       [mnt_flags]: [ro]
       [fsmgr_flags]: [wait,slotselect]
       [status]: []
#343692: fstab
│  [compatible]: [android,fstab]
├── #343732: vendor
│      [compatible]: [android,vendor]
│      [dev]: [/dev/block/platform/soc/8804000.sdhci/by-name/vendor]
│      [type]: [ext4]
│      [mnt_flags]: [ro,barrier=1,discard]
│      [fsmgr_flags]: [wait,slotselect]
│      [status]: [ok]
└── #343944: vm-linux
       [compatible]: [android,vm-linux]
       [dev]: [/dev/block/platform/soc/8804000.sdhci/by-name/vm-linux]
       [type]: [emmc]
       [mnt_flags]: [ro]
       [fsmgr_flags]: [wait,slotselect]
       [status]: []
  2. Removed the avb and verify flags from dtbo.img with the following commands:
# magiskboot dtb dtbo.img print -f
> #126600: fstab
├── #126612: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,verify,avb]
└── #126800: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,verify,avb]
#126596: fstab
├── #126608: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,verify,avb]
└── #126796: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,verify,avb]
#126600: fstab
├── #126612: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,verify,avb]
└── #126800: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,verify,avb]
#126600: fstab
├── #126612: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,verify,avb]
└── #126800: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,verify,avb]
#126600: fstab
├── #126612: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,verify,avb]
└── #126800: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,verify,avb]
#126600: fstab
├── #126612: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,verify,avb]
└── #126800: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,verify,avb]


# magiskboot dtb dtbo.img patch


# magiskboot dtb dtbo.img print -f
> #126600: fstab
├── #126612: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,]
└── #126792: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,]
#126596: fstab
├── #126608: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,]
└── #126788: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,]
#126600: fstab
├── #126612: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,]
└── #126792: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,]
#126600: fstab
├── #126612: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,]
└── #126792: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,]
#126600: fstab
├── #126612: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,]
└── #126792: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,]
#126600: fstab
├── #126612: product
│      [compatible]: [android,product]
│      [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/product]
│      [type]: [ext4]
│      [mnt_flags]: [ro,errors=panic]
│      [fsmgr_flags]: [wait,]
└── #126792: vendor
       [compatible]: [android,vendor]
       [dev]: [/dev/block/platform/soc/1d84000.ufshc/by-name/vendor]
       [type]: [ext4]
       [mnt_flags]: [ro,barrier=1,discard]
       [fsmgr_flags]: [wait,]
  3. Patched ramdisk.cpio with the following commands:
# magiskboot cpio ./initrd 'patch false true'
Loading cpio: [./initrd]
Patch with flag KEEPVERITY=[false] KEEPFORCEENCRYPT=[false]
Found fstab file [etc/recovery.fstab]
Dump cpio: [./initrd]

# magiskboot cpio ./initrd extract
# cat etc/recovery.fstab
> # Copyright (c) 2013, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above
#       copyright notice, this list of conditions and the following
#       disclaimer in the documentation and/or other materials provided
#       with the distribution.
#     * Neither the name of The Linux Foundation nor the names of its
#       contributors may be used to endorse or promote products derived
#       from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#<src>                                    <mnt_point>    <type>    <mnt_flags and options>    <fs_mgr_flags>
/dev/block/bootdevice/by-name/boot        /boot           emmc        defaults                  recoveryonly
/dev/block/bootdevice/by-name/recovery    /recovery       emmc        defaults                  recoveryonly
/dev/block/bootdevice/by-name/system      /               ext4        defaults                  recoveryonly
/dev/block/bootdevice/by-name/userdata    /data           ext4        defaults                  wait,length=-16384
/dev/block/bootdevice/by-name/cache       /cache          ext4        defaults                  recoveryonly
/dev/block/mmcblk0p1                      /sdcard         vfat        defaults                  recoveryonly
/dev/block/bootdevice/by-name/sec_efs     /efs            ext4        defaults                  recoveryonly
/dev/block/bootdevice/by-name/sec_efs     /sec_efs        ext4        defaults                  recoveryonly
/dev/block/bootdevice/by-name/carrier     /carrier        ext4        defaults                  recoveryonly
/dev/block/bootdevice/by-name/hidden      /preload        ext4        defaults                  recoveryonly

# FOTA
/dev/block/bootdevice/by-name/apnhlos     /modem          emmc        defaults                  recoveryonly
/dev/block/bootdevice/by-name/modem       /mdm            emmc        defaults                  recoveryonly
/dev/block/bootdevice/by-name/dsp         /dsp            emmc        defaults                  recoveryonly
/dev/block/bootdevice/by-name/vendor      /vendor         ext4        defaults                  recoveryonly
/dev/block/bootdevice/by-name/product     /product        ext4        defaults                  recoveryonly

# Add misc for GOTA
/dev/block/bootdevice/by-name/misc        /misc           emmc        defaults                  recoveryonly

# Samsung ODE
/dev/block/bootdevice/by-name/keydata     /keydata        ext4        defaults                  recoveryonly
/dev/block/bootdevice/by-name/keyrefuge   /keyrefuge      ext4        defaults                  recoveryonly

#Auto-generated code by FOTA Portal
/dev/block/bootdevice/by-name/dtbo  /dtbo   emmc    default recoveryonly

After patching, I converted dtbo.img to dtbo.img.lz4 using the lz4 compression tool and created a new recovery.img image with the patched initrd file.

After that, I tried to flash the magisk_patched.tar file with the AP contents as one of the following:

  • Overwrote all three patched files from points 1, 2 and 3 above. -> Stuck at the splash screen when trying to go to recovery after a successful flash with Odin. Download mode appears on the splash screen.
  • Overwrote 1. boot.img and 2. dtbo.img.lz4 above. -> Successfully rooted, but when trying to edit the system_root partition I am facing the following problem:
D:\>adb shell
beyondxq:/ $ su
beyondxq:/ # mount -o rw,remount /system
beyondxq:/ # cd system
beyondxq:/system # echo "Test /system mounting" > temp.txt
beyondxq:/system # cat temp.txt
Test /system mounting
beyondxq:/system # cd ..
beyondxq:/ # mount -o rw,remount /system_root
beyondxq:/ # echo "Test /system_root mounting" > temp.txt
/system/bin/sh: can't create temp.txt: Read-only file system           ---> Error here
1|beyondxq:/ # cat system/temp.txt
Test /system mounting
beyondxq:/ # cat system_root/temp.txt
cat: system_root/temp.txt: No such file or directory              ---> Verify: File not created
1|beyondxq:/ # exit
1|beyondxq:/ $ exit

D:\>adb remount
Not running as root. Try "adb root" first.

D:\>adb root              ---> It didn't work as the next command is not working

D:\>adb remount                            
Not running as root. Try "adb root" first.

D:\>adb shell
beyondxq:/ $ su
beyondxq:/ # ls sdcard
Alarms Android DCIM Download Movies Music Notifications Pictures Podcasts Ringtones Samsung selinux_policy_modified
beyondxq:/ # mount -o rw,remount /system_root
beyondxq:/ # cp sdcard/selinux_policy_modified /system_root/sepolicy
cp: /system_root/sepolicy: Permission denied      ---> Permission Denied here
1|beyondxq:/ #
  • Overwrote 1. boot.img and 2. dtbo.img.lz4 above, together with the unpacked and packed system.img.ext4.lz4 -> The result is a boot-loop after successful flashing.

Please suggest what went wrong or whether I am missing any step.

Vatish Sharma
  • check if kernel allows context switching https://github.com/MrBIMC/SELinuxModeChanger/releases – alecxs Nov 15 '19 at 06:49
  • Debugged the app and verified that the kernel is not allowing the context switching. Also tried to run beyondxq:/ # setenforce permissive but beyondxq:/ # getenforce is always Enforcing. – Vatish Sharma Nov 15 '19 at 07:27
  • Also tried beyondxq:/ # su --context u:r:magisk:s0 -c "/system/bin/setenforce 0" and beyondxq:/ # su --context u:r:magisk:s0 -c "echo 0 > /sys/fs/selinux/enforce" i.e. with magisk context but the mode is still Enforcing. – Vatish Sharma Nov 15 '19 at 07:43
  • if you can read code you might have a look in one of these shell scripts https://forum.xda-developers.com/showthread.php?t=3919714 https://forum.xda-developers.com/showthread.php?t=3817389 – alecxs Nov 15 '19 at 09:45
  • The target file has a zip format but I only have the option to flash through Odin, and Odin doesn't support this format. – Vatish Sharma Nov 15 '19 at 10:59
  • The zip file contains only the update-binary file under /META-INF/com/google/android/. So, this is made to be flashed using CWM or TWRP and both are out of options. Another reason for not using this zip file is that it doesn't support the Qualcomm model of the Samsung S10 5G (SM-G977U). – Vatish Sharma Nov 15 '19 at 11:05
  • look inside update-binary it is a shell script (qualcomm is supported too, based on magisk) https://github.com/Zackptg5/Disable_Dm-Verity_ForceEncrypt/blob/master/META-INF/com/google/android/update-binary – alecxs Nov 15 '19 at 12:05
  • Shall I run it with su adb shell? – Vatish Sharma Nov 15 '19 at 12:14
  • not recommended. besides you have to replace ui_print with echo the script probably won't work because the tools and mount points differ between system mode and recovery mode – alecxs Nov 15 '19 at 12:47
  • not sure if related https://chainfire.eu/articles/885/On_LPX13D_SELinux_and_root – alecxs Nov 24 '19 at 08:20
  • there is official TWRP for Qualcomm you could try to boot from fastboot or at least try to port for your device

    https://forum.xda-developers.com/showthread.php?t=3980463

    then flash the multi-disabler-zip which now also supports qualcomm

    https://forum.xda-developers.com/showthread.php?t=3919714

    – alecxs Dec 10 '19 at 09:34
  • @alecxs This TWRP doesn't support SM-G977U. I have tried it anyway but it's not working. – Vatish Sharma Dec 11 '19 at 10:12
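
An added example, not part of the original post or of Magisk: a small Python audit that parses the `magiskboot dtb <image> print -f` text format shown in the question and reports which partitions lost their `avb`/`verify` flags relative to a stock dump, which is how a tampered boot.img or dtbo.img would show up in review. The function names are hypothetical and the sample dumps are abridged from the ones above.

```python
import re

# Sample input abridged from the dtbo.img dumps on this page (two nodes, one copy).
STOCK = """\
#126600: fstab
├── #126612: product
│      [type]: [ext4]
│      [fsmgr_flags]: [wait,verify,avb]
└── #126800: vendor
       [type]: [ext4]
       [fsmgr_flags]: [wait,verify,avb]
"""
PATCHED = STOCK.replace("wait,verify,avb", "wait,")  # what the patched dump shows

VERITY_FLAGS = {"avb", "verify"}                      # flags requesting verification
NODE_RE = re.compile(r"#\d+:\s*(\S+)\s*$")            # "├── #126612: product"
PROP_RE = re.compile(r"\[(\w+)\]:\s*\[(.*)\]\s*$")    # "[type]: [ext4]"

def parse_dump(text):
    """Return [(partition, {property: value})] for every node under an fstab."""
    entries, props = [], None
    for line in text.splitlines():
        node = NODE_RE.search(line)
        if node:
            # The "fstab" node is only a container; its children are partitions.
            props = None if node.group(1) == "fstab" else {}
            if props is not None:
                entries.append((node.group(1), props))
            continue
        prop = PROP_RE.search(line)
        if prop and props is not None:
            props[prop.group(1)] = prop.group(2)
    return entries

def verity_flags(text):
    """Map partition -> verification flags present in EVERY fstab copy of the dump."""
    found = {}
    for name, props in parse_dump(text):
        flags = {f for f in props.get("fsmgr_flags", "").split(",") if f} & VERITY_FLAGS
        found[name] = found[name] & flags if name in found else flags
    return found

def stripped_flags(stock, candidate):
    """Report verification flags the stock dump has and the candidate lacks."""
    before, after = verity_flags(stock), verity_flags(candidate)
    return {name: sorted(flags - after.get(name, set()))
            for name, flags in before.items()
            if flags - after.get(name, set())}

if __name__ == "__main__":
    for part, lost in stripped_flags(STOCK, PATCHED).items():
        print(f"{part}: verification flags removed: {', '.join(lost)}")
```
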

1 Answer

I use a simple script put into my su.d folder, named 'permissive.sh' (0755). It would merely "echo '0' >> sys.fs.selinux.enforce" after boot-up, much like init.d; allowing my V4A and other 'dangerous' software to function w/o hassle while letting me pass Google's & Magisk's tests even after I installed /systemless SuperSU into my /system. Seems easier that way, w/o repacking img's & such, especially with the treble/system as root builds.