[bootloop with resigned boot][A11]RMX3511(ums9230) #77
Comments
I think that is a bug in unisoc's uboot/lk code, some digest/hash are not updated after boot changed |
Hi thanks for your comment. I tried the following :
However it is still in bootloop. Do I need a modified Thanks in advance ! |
Hey, how do you get into fastboot when it bootloops? In my case I need to execute the bootloader unlocker script to get into it since I have no way to turn off the device. |
Hey, I don't go into fastboot mode when bootloop, I can't either. What I tried is the following :
fastboot flash boot_a magisk_boot.img
fastboot flash boot_b magisk_boot.img
fastboot flash vbmeta_a vbmeta-sign.img # The vbmeta-sign.img from PAC file
fastboot flash vbmeta_b vbmeta-sign.img
# Then since it is in fastboot I can go into recovery mode and erase userdata
However none of this worked, I still get bootloop
But again, none of this worked and I still can't get a rooted device even though the bootloader is unlocked. @TomKing062 any other suggestion on that ? |
have no idea, maybe change magisk version |
Yeah, I still get the bootloop too, I flashed the SIGNED magisk_boot.img and the vbmeta-sign.img file in all the a/b partitions, but nothing of this worked. |
I was able to flash magisk on another brand using this exploit but unable to make it work on the Realme C35 RMX3511.
However, when the phone bootloops, we can only see the first message, then it bootloops :
These messages are printed during the second stage FDL2(uboot) if I understood correctly. Isn't there a way to patch FDL2 in order to prevent the bootloop ? Do you think it is possible @TomKing062 ? |
Android Verified Boot (AVB)
I think the problem is the Android Verified Boot (the one responsible for making us have to sign the patched boot.img), if it wasn't, we could just flash the unsigned .img file, so, could there be a way to disable AVB, so we can skip this verification? |
A possible solution
I saw a couple of guides on hovatek on how to disable Android Secure Boot, and after reading I think I have a possible solution. |
own-signed vbmeta will not work |
Are you sure that with the flag --disable-verity the device will not enter in a bootloop? |
--disable-verity works on android 11 zte voyage 30s (ums9620) |
sign boot is uboot/lk check sign status but not check signer after unlock |
@dsfusetrjdsfllkzek Can you try? |
Ah, I see, so, the private keys you have in your GitHub are only for those devices that use the "default" keys, right? |
I did some tests.
adb reboot fastboot
fastboot flash vbmeta_a vbmeta-sign.img
fastboot flash vbmeta_b vbmeta-sign.img
Simply doing this causes the device to bootloop, however not at the same place, it now passes the 2 warning messages, but after showing the realme logo for like 30 seconds, it will shutdown. |
Same results with : fastboot --disable-verity flash vbmeta vbmeta-sign.img |
However, if I do :
Then without restarting now, going to recovery and factory reset does not cause a bootloop after logo. (I am still testing with original |
Same for : fastboot --disable-verity flash vbmeta vbmeta-sign.img |
Doing the following causes bootloops (the quick one, with only one warning message), even with factory reset : fastboot --disable-verity --disable-verification flash vbmeta vbmeta-sign.img |
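To check which of the two fastboot options discussed above a vbmeta image actually carries, the flags word in the standard AVB header can be read directly. This is an added example, not code from the thread or the project; it assumes the image starts with a plain `AVB0` header at offset 0, which may not hold for a vendor-wrapped `vbmeta-sign.img`, and the sample headers are constructed.

```python
import struct

AVB_MAGIC = b"AVB0"
HEADER_SIZE = 256                     # size of the AVB vbmeta image header
FLAGS_OFFSET = 120                    # big-endian uint32 "flags" field
FLAG_HASHTREE_DISABLED = 1 << 0       # set by fastboot --disable-verity
FLAG_VERIFICATION_DISABLED = 1 << 1   # set by fastboot --disable-verification
KNOWN = FLAG_HASHTREE_DISABLED | FLAG_VERIFICATION_DISABLED


def read_vbmeta_flags(image: bytes) -> dict:
    """Decode the flags word of a vbmeta image held in memory (read-only)."""
    if len(image) < HEADER_SIZE or image[:4] != AVB_MAGIC:
        # Assumption: a plain AVB header at offset 0; wrapped images fail here.
        raise ValueError("no AVB0 header at offset 0")
    major, minor = struct.unpack_from(">II", image, 4)
    (flags,) = struct.unpack_from(">I", image, FLAGS_OFFSET)
    return {
        "libavb_version": f"{major}.{minor}",
        "flags": flags,
        "verity_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
        "unknown_bits": flags & ~KNOWN,
    }


def make_sample_header(flags: int) -> bytes:
    """Constructed sample: a bare 256-byte header, no descriptors or signature."""
    header = bytearray(HEADER_SIZE)
    header[0:4] = AVB_MAGIC
    struct.pack_into(">II", header, 4, 1, 0)
    struct.pack_into(">I", header, FLAGS_OFFSET, flags)
    return bytes(header)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:             # path to a vbmeta image dumped from the device
        with open(sys.argv[1], "rb") as fh:
            print(read_vbmeta_flags(fh.read(HEADER_SIZE)))
    else:
        for sample_flags in (0, 1, 3):
            print(sample_flags, read_vbmeta_flags(make_sample_header(sample_flags)))
```
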
We have the same issue but on RMX3581(Realme C30) phone. We've tried to flash signed patched boot, flash custom vbmeta, blank vbmeta but none of them worked. I'll attach an uboot_log, also I've checked this log but I didn't find out why it rejects custom signed boot |
Hi @RadGoodNowYT, thanks for the logs! How did you get them ? |
Also, do you have a log where it boots correctly (with original boot.img) ? Checking where it differs may help finding the problem. |
|
Ok thks!
[00003384] allow_verification_error is 1
[00007017] allow_verification_error is 0
Don't know if it is important but I noticed that so I put it here |
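The comparison suggested above (a log from a working boot against one from a bootloop) can be done mechanically by stripping the `[NNNNNNNN]` timestamps and tracking how each `key is value` line changes. This is an added example, not part of the thread; both logs are constructed, only `allow_verification_error` is a name from the posted log, and the `sample:` lines are hypothetical.

```python
import re

LINE_RE = re.compile(r"^\[(\d+)\]\s*(.*)$")   # "[00003384] message"
KV_RE = re.compile(r"^(.+?)\s+is\s+(\S+)$")   # "key is value"

# Constructed logs; they do not describe what any real device prints.
GOOD_LOG = """\
[00003384] allow_verification_error is 1
[00005102] sample: stage A
[00007017] allow_verification_error is 0
[00007400] sample: stage B reached
"""
BAD_LOG = """\
[00003390] allow_verification_error is 1
[00005110] sample: stage A
[00007025] allow_verification_error is 1
[00007300] sample: reboot requested
"""


def parse(text):
    """Return (messages, history): messages without timestamps, in order, and
    for every 'key is value' line the ordered list of values the key took."""
    messages, history = [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                  # skip lines without a [timestamp] prefix
        msg = m.group(2)
        messages.append(msg)
        kv = KV_RE.match(msg)
        if kv:
            history.setdefault(kv.group(1), []).append(kv.group(2))
    return messages, history


def compare(good_text, bad_text):
    """Report keys whose value sequence differs and messages unique to one log."""
    good_msgs, good = parse(good_text)
    bad_msgs, bad = parse(bad_text)
    changed = {k: (good.get(k, []), bad.get(k, []))
               for k in sorted(set(good) | set(bad))
               if good.get(k, []) != bad.get(k, [])}
    return {"changed": changed,
            "only_good": [m for m in good_msgs if m not in bad_msgs],
            "only_bad": [m for m in bad_msgs if m not in good_msgs]}


if __name__ == "__main__":
    for section, items in compare(GOOD_LOG, BAD_LOG).items():
        print(section, items)
```
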
@RadGoodNowYT how did you get the logs if the device is in bootloop ? Do your logs come from a device that is booting or bootlooping ? |
via rooted GSI |
try change between slot a and b, and may still need to wipe data |
Hello, how to do this? Just if you can change the files in partition a and b this solved 1 problem on my device Realme 8i |
Hi, I flashed boot_magisk.img, it works. |
Hi, can you explain how you were able to get root on your devices? Do you have realme signature.pem to sign the boot? |
Well, if anyone is stumbling across this: I was finally able to root my device. Just flash patched boot to boot_a without flashing any vbmeta partition. |
When booting the phone (Realme RMX3511 Android 11, board ums9230_nico), I have the following message :
So the bootloader seems unlocked.
However when I take the boot.img from PAC file, send it to phone, patch it with magisk app, flash it back (using either fastboot or ResearchDownload R22.19.1301), the phone bootloops. The only way to get it working again is to flash the original boot.img from PAC file. I tried the different methods in the wiki get Magisk, but it always ends with the phone bootlooping.
Any idea ?
Thanks for the work done by the way !