
My Doogee S96 with TWRP is no longer able to boot, probably due to the dm-verity check.

I tried several things, installing Magisk or patching boot.img, but I always failed. The phone starts and suddenly switches to TWRP without launching Android.

With the suggestion of @alecxs I pulled the super partition through adb and unpacked it with lpunpack.

The idea is to manually disable the avb/dm-verity control.

Now I have product.img + system.img + vendor.img. I can open them with 7z and, for instance, I found many lines in /vendor.img/etc/fstab.mt6785 using avb:

system /system ext4 ro wait,,avb=vbmeta_system,logical,first_stage_mount,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey
vendor /vendor ext4 ro wait,,avb,logical,first_stage_mount
product /product ext4 ro wait,,avb,logical,first_stage_mount

or the system.img/init.rc with the line

exec -- /system/bin/fsverity_init

and system.img/system/bin/fsverity_init:

# Enforce fsverity signature checking
echo 1 > /proc/sys/fs/verity/require_signatures

# Load all keys
for cert in /product/etc/security/fsverity/*.der; do
  /system/bin/mini-keyctl padd asymmetric fsv_product .fs-verity < "$cert" ||
    log -p e -t fsverity_init "Failed to load $cert"
done

# Prevent future key links to .fs-verity keyring
/system/bin/mini-keyctl restrict_keyring .fs-verity ||
  log -p e -t fsverity_init "Failed to restrict .fs-verity keyring"

The question is:

Is it possible to manually edit the imgs, repack the super and adb push it to make my phone start again?

What should I do?

Thank you in advance!

State of the art:

From adb I pulled the super partition from the device:

adb pull /dev/block/platform/bootdevice/by-name/super super.img

I extracted it with lpunpack into two folders:

./otatools/bin/lpunpack --slot=0 ./super.img ./superA/

I mounted and enlarged the partition, and edited fstab.mt6785:

sudo mount -t ext4 -o loop,rw,noexec,noatime vendor.img /mnt/vendor
sudo dd if=./vendor.img bs=1MiB of=./vendor.img conv=notrunc oflag=append count=5  # to add 5 MiB
sudo losetup | grep vendor  # get the right loop device, in my case loop25
sudo losetup -c /dev/loop25
sudo resize2fs /dev/loop25
sudo vim /mnt/vendor/etc/fstab.mt6785  # removed the avb options for vendor, system and product
sudo umount /mnt/vendor

Following this guide, I built a new super.new.img:

$e2fsck -yf vendor.img
$resize2fs -M vendor.img
$e2fsck -yf vendor.img
$stat -c '%n %s' *
super.img 3758096384
product.img 1596944384
system.img 1128718336
vendor.img 544976896

$../otatools/bin/lpmake --metadata-size 65536 --super-name super --metadata-slots 1 \
    --device super:3758096384 --group main:3270639616 \
    --partition system:readonly:1128718336:main --image system=./system.img \
    --partition vendor:readonly:544976896:main --image vendor=./vendor.img \
    --partition product:readonly:1596944384:main --image product=./product.img \
    --sparse --output ./super.new.img
lpmake I 02-17 12:18:27 2646704 2646704 builder.cpp:1012] [liblp]Partition system will resize from 0 bytes to 1128718336 bytes
lpmake I 02-17 12:18:27 2646704 2646704 builder.cpp:1012] [liblp]Partition vendor will resize from 0 bytes to 544976896 bytes
lpmake I 02-17 12:18:27 2646704 2646704 builder.cpp:1012] [liblp]Partition product will resize from 0 bytes to 1596944384 bytes
Invalid sparse file format at header magic
Invalid sparse file format at header magic
Invalid sparse file format at header magic

Even though the size of super.new.img is not the same as that of super.img (is it normal??):

$stat -c '%n %s' super.new.img
super.new.img **3248851200**

When I flash it with adb, the phone goes straight to the recovery without booting Android. Please note that 3248851200 is not divisible by 512, which is a requirement of lpmake....

Any suggestion?

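The following script is an added example, not code from the question or from the AOSP otatools, covering two points raised above: the fstab edit that removes the avb flags, and the lpmake output whose file size differs from super.img and is not 512-aligned. The sample fstab is the three vendor fstab.mt6785 lines quoted in the question; the sizes are the ones passed to lpmake; the small sparse image is constructed in the script so it runs offline. All function names are made up for this example. Two caveats a practitioner would want before flashing: on devices with dynamic partitions first-stage init typically reads its fstab from the boot ramdisk or the device tree rather than from /vendor/etc, so editing the vendor copy may not affect first-stage mount at all; and vbmeta still carries the hashtree descriptors for system/vendor/product, so a modified vendor image normally also needs vbmeta flashed with verification disabled (fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img).

```python
"""Pre-flash sanity checks for a hand-edited dynamic super partition (added example)."""
import struct

SECTOR = 512                     # liblp aligns partition and device sizes to 512 bytes
SPARSE_MAGIC = 0xED26FF3A        # libsparse header magic (sparse_format.h)
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
SPARSE_HDR = struct.Struct("<IHHHHIIII")   # sparse_header_t, 28 bytes
CHUNK_HDR = struct.Struct("<HHII")         # chunk_header_t, 12 bytes


def strip_avb_flags(fstab_text: str) -> str:
    """Drop 'avb', 'avb=...' and 'avb_keys=...' from the fs_mgr_flags column;
    other flags are kept and the empty token from 'wait,,avb' is dropped too."""
    out = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.lstrip().startswith("#"):
            out.append(line)                 # comment or not a 5-column fstab entry
            continue
        flags = [f for f in fields[4].split(",")
                 if f and f != "avb" and not f.startswith(("avb=", "avb_keys="))]
        fields[4] = ",".join(flags)
        out.append(" ".join(fields))
    return "\n".join(out) + "\n"


def check_lpmake_layout(device_size, group_size, partitions):
    """Return the problems lpmake would hit with these sizes (empty list == OK):
    every size a multiple of 512, partitions fitting in the group, group on device."""
    problems = []
    for name, size in {"device": device_size, "group": group_size, **partitions}.items():
        if size % SECTOR:
            problems.append(f"{name}: {size} is not a multiple of {SECTOR}")
    used = sum(partitions.values())
    if used > group_size:
        problems.append(f"partitions use {used} bytes but group holds {group_size}")
    if group_size > device_size:
        problems.append(f"group {group_size} larger than device {device_size}")
    return problems


def parse_sparse(data: bytes) -> dict:
    """Parse an Android sparse image and report the size it expands to.
    Only headers, raw data and 4-byte fill values take file space ('don't care'
    chunks take none), so the file is smaller than the partition and need not be
    512-aligned; blk_sz * total_blks is what must match the super partition."""
    (magic, major, _minor, file_hdr_sz, chunk_hdr_sz,
     blk_sz, total_blks, total_chunks, _crc) = SPARSE_HDR.unpack_from(data, 0)
    if magic != SPARSE_MAGIC:
        raise ValueError("not a sparse image (raw image, or wrong file)")
    if major != 1:
        raise ValueError(f"unsupported sparse major version {major}")
    payload = {CHUNK_RAW: None, CHUNK_FILL: 4, CHUNK_DONT_CARE: 0, CHUNK_CRC32: 4}
    off, blocks, counts = file_hdr_sz, 0, {}
    for _ in range(total_chunks):
        ctype, _res, chunk_blocks, total_sz = CHUNK_HDR.unpack_from(data, off)
        if ctype not in payload:
            raise ValueError(f"unknown chunk type 0x{ctype:x} at offset {off}")
        expected = chunk_blocks * blk_sz if ctype == CHUNK_RAW else payload[ctype]
        if total_sz != chunk_hdr_sz + expected:
            raise ValueError(f"chunk at offset {off} has inconsistent total_sz")
        if ctype != CHUNK_CRC32:
            blocks += chunk_blocks
        counts[ctype] = counts.get(ctype, 0) + 1
        off += total_sz
    if blocks != total_blks or off != len(data):
        raise ValueError("chunk table does not cover the declared image")
    return {"blk_sz": blk_sz, "total_blks": total_blks, "file_size": len(data),
            "logical_size": blk_sz * total_blks, "chunks": counts}


def sample_sparse_image(blk_sz: int = 4096) -> bytes:
    """Constructed 4-block sparse image: one raw block of 'A' then 3 don't-care blocks."""
    raw = b"A" * blk_sz
    body = (CHUNK_HDR.pack(CHUNK_RAW, 0, 1, CHUNK_HDR.size + blk_sz) + raw
            + CHUNK_HDR.pack(CHUNK_DONT_CARE, 0, 3, CHUNK_HDR.size))
    return SPARSE_HDR.pack(SPARSE_MAGIC, 1, 0, SPARSE_HDR.size, CHUNK_HDR.size,
                           blk_sz, 4, 2, 0) + body


if __name__ == "__main__":
    # The three vendor fstab.mt6785 lines quoted in the question.
    fstab = ("system /system ext4 ro wait,,avb=vbmeta_system,logical,first_stage_mount,"
             "avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey\n"
             "vendor /vendor ext4 ro wait,,avb,logical,first_stage_mount\n"
             "product /product ext4 ro wait,,avb,logical,first_stage_mount\n")
    print(strip_avb_flags(fstab))
    # The sizes passed to lpmake in the question.
    sizes = {"system": 1128718336, "vendor": 544976896, "product": 1596944384}
    print(check_lpmake_layout(3758096384, 3270639616, sizes) or "lpmake sizes OK")
    # For a real file: parse_sparse(open("super.new.img", "rb").read())
    info = parse_sparse(sample_sparse_image())
    print(f"sparse file of {info['file_size']} bytes expands to {info['logical_size']} bytes")
```

Run it as-is to see the three checks on the question's own data; point `parse_sparse` at super.new.img to confirm that its logical size (blk_sz * total_blks) is the 3758096384 bytes of the super partition even though the file itself is 3248851200 bytes and not 512-aligned. The sparse file size is not what liblp's 512-byte rule applies to; the partition and device sizes passed to lpmake are.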