
Which newly released phones in the past few years have passed tests and can use avbroot?

Open longhuan1999 opened this issue 2 years ago • 22 comments

I hope those who have tested can leave their phone models for reference. I'm considering getting a new phone recently, and I hope to get some reference. But I would prefer Xiaomi devices and GKI devices.

longhuan1999 avatar Mar 07 '23 01:03 longhuan1999

Any of the recent Google Pixels will work (4 and newer, though older may work as well). Newer OnePlus devices capable of running Android 13 should work as well, though I don't have confirmation of that from people with those devices. I'm not sure about Xiaomi devices. The main requirement is that the bootloader supports custom keys (fastboot flash avb_custom_key) and that the device uses A/B partitions.

chenxiaolong avatar Mar 07 '23 01:03 chenxiaolong

Thank you. I know these requirements, so I hope someone can share their test results for others to reference.

longhuan1999 avatar Mar 07 '23 01:03 longhuan1999

Sony Xperia devices starting from the Xperia 1 do work with avb_custom_key as well.

shokakucarrier avatar Mar 20 '23 10:03 shokakucarrier

All Pixel phones work, except Pixel(sailfish) and Pixel XL(marlin)

On the Pixel 2, Pixel 2 XL and later Pixel models, the boot loader supports a virtual partition with the name avb_custom_key.

source

archandanime avatar Jun 29 '23 02:06 archandanime

Any of the recent Google Pixels will work (4 and newer, though older may work as well). Newer OnePlus devices capable of running Android 13 should work as well, though I don't have confirmation of that from people with those devices. I'm not sure about Xiaomi devices. The main requirement is that the bootloader supports custom keys (fastboot flash avb_custom_key) and that the device uses A/B partitions.

Did we get any confirmation about recent OnePlus devices?

Also, do we know if these devices pass PlayIntegrity when signed with a custom key?

roberto-sartori-gl avatar Dec 25 '23 14:12 roberto-sartori-gl

Also, do we know if these devices pass PlayIntegrity when signed with a custom key?

I can answer this one for you; no, it doesn't affect Play Integrity in any way if the bootloader is locked with a custom key, as far as I'm aware.

pascallj avatar Dec 25 '23 15:12 pascallj

Also, do we know if these devices pass PlayIntegrity when signed with a custom key?

I can answer this one for you; no, it doesn't affect Play Integrity in any way if the bootloader is locked with a custom key, as far as I'm aware.

Cool, thanks!

roberto-sartori-gl avatar Dec 25 '23 15:12 roberto-sartori-gl

Also, do we know if these devices pass PlayIntegrity when signed with a custom key?

I don't use any apps that require Play Integrity, so I can't answer this definitively. However, the information provided via hardware attestation is very granular. It doesn't just report whether the bootloader is locked. It can tell the difference between:

  1. Locked and signed with OEM key
  2. Locked and signed with custom key
  3. Unlocked and signed with any key
  4. Unlocked, but signatures are broken/incorrect

When the signatures are valid, it also reports the hash of the public key used for signing.

If Play Integrity isn't already checking for this, I'd fully expect it to do so in the future.

chenxiaolong avatar Dec 25 '23 18:12 chenxiaolong
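To make the four-way distinction above concrete, here is an added example (not code from the thread or from the avbroot project) of how a relying party's backend could read the RootOfTrust field of an Android key attestation certificate and classify the device. The ASN.1 layout and the `VerifiedBootState` values are the documented Keymaster/KeyMint attestation schema; the key hashes and the encoded blobs are constructed for the demo. Pulling the RootOfTrust out of the attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) of a real certificate chain is assumed to happen before this code and is not shown.

```python
"""Decode a KeyMint/Keymaster RootOfTrust and map it onto the four verified-boot cases.

Schema (Android key attestation, KeyMint and Keymaster 3+):
  RootOfTrust ::= SEQUENCE {
      verifiedBootKey   OCTET STRING,  -- hash of the public key that verified the boot chain
      deviceLocked      BOOLEAN,
      verifiedBootState ENUMERATED { Verified(0), SelfSigned(1), Unverified(2), Failed(3) },
      verifiedBootHash  OCTET STRING
  }
"""
import hashlib

VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3

# Constructed sample key hashes (NOT real OEM or user keys).
OEM_KEY_HASH = hashlib.sha256(b"constructed OEM AVB public key").digest()
CUSTOM_KEY_HASH = hashlib.sha256(b"constructed avbroot custom AVB public key").digest()
BOOT_HASH = hashlib.sha256(b"constructed vbmeta digest").digest()


def _der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_root_of_trust(key_hash: bytes, locked: bool, state: int, boot_hash: bytes) -> bytes:
    """Build a RootOfTrust SEQUENCE (used here only to construct sample input)."""
    return der(0x30, der(0x04, key_hash)
               + der(0x01, b"\xff" if locked else b"\x00")
               + der(0x0A, bytes([state]))
               + der(0x04, boot_hash))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_root_of_trust(blob: bytes) -> dict:
    tag, seq, _ = _read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("RootOfTrust must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(seq):
        t, body, pos = _read_tlv(seq, pos)
        fields.append((t, body))
    if [t for t, _ in fields[:3]] != [0x04, 0x01, 0x0A]:
        raise ValueError("unexpected RootOfTrust field order")
    return {
        "verified_boot_key": fields[0][1],
        "device_locked": fields[1][1] != b"\x00",
        "verified_boot_state": int.from_bytes(fields[2][1], "big"),
        "verified_boot_hash": fields[3][1] if len(fields) > 3 else b"",
    }


def classify(rot: dict) -> str:
    """The four cases a relying party can tell apart from attestation alone."""
    state, locked = rot["verified_boot_state"], rot["device_locked"]
    if state == FAILED:
        return "broken-signatures"      # 4: signatures broken/incorrect
    if not locked or state == UNVERIFIED:
        return "unlocked"               # 3: unlocked, signed with any key
    if state == VERIFIED:
        return "locked-oem-key"         # 1: locked, OEM key
    if state == SELF_SIGNED:
        return "locked-custom-key"      # 2: locked, user-installed key
    raise ValueError(f"unknown verifiedBootState {state}")


def accept(rot: dict, trusted_custom_keys: set) -> bool:
    """Example policy: accept OEM-locked devices, and custom-key devices only if the
    reported key hash is on an explicit allow-list (so a relying party can trust
    a known custom key without trusting every self-signed device)."""
    kind = classify(rot)
    if kind == "locked-oem-key":
        return True
    if kind == "locked-custom-key":
        return rot["verified_boot_key"] in trusted_custom_keys
    return False


# Constructed attestation samples, one per case.
SAMPLES = {
    "locked-oem-key": encode_root_of_trust(OEM_KEY_HASH, True, VERIFIED, BOOT_HASH),
    "locked-custom-key": encode_root_of_trust(CUSTOM_KEY_HASH, True, SELF_SIGNED, BOOT_HASH),
    "unlocked": encode_root_of_trust(CUSTOM_KEY_HASH, False, UNVERIFIED, BOOT_HASH),
    "broken-signatures": encode_root_of_trust(b"", False, FAILED, b""),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        rot = decode_root_of_trust(blob)
        print(f"{name:18s} -> {classify(rot):18s} key={rot['verified_boot_key'].hex()[:16]}")
```

The point of `accept` is the one chenxiaolong makes: because the attestation carries the signing key's hash, a service is not limited to "locked or not"; it can decide per key, which is also why a service that simply rejects everything except `Verified` would reject a custom-key device even though the boot chain is intact.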

Did we get any confirmation about recent OnePlus devices?

Unfortunately, from reports by other users, it seems that OnePlus devices that have newer bootloaders (shipped with Android 12+) no longer support custom keys properly. They'll just boot to a black screen when the bootloader is locked. (It's not a brick though--unlocking the bootloader again still works.)

chenxiaolong avatar Dec 25 '23 18:12 chenxiaolong

Also, do we know if these devices pass PlayIntegrity when signed with a custom key?

I don't use any apps that require Play Integrity, so I can't answer this definitively. However, the information provided via hardware attestation is very granular. It doesn't just report whether the bootloader is locked. It can tell the difference between:

  1. Locked and signed with OEM key
  2. Locked and signed with custom key
  3. Unlocked and signed with any key
  4. Unlocked, but signatures are broken/incorrect

When the signatures are valid, it also reports the hash of the public key used for signing.

If Play Integrity isn't already checking for this, I'd fully expect it to do so in the future.

If that will be the case, though, why should a user use this feature? If Play Integrity fails/will fail anyway, there is no advantage in using a custom AVB key compared to just leaving the phone unlocked with some custom ROM. Right?

Unfortunately, from reports by other users, it seems that OnePlus devices that have newer bootloaders (shipped with Android 12+) no longer support custom keys properly. They'll just boot to a black screen when the bootloader is locked. (It's not a brick though--unlocking the bootloader again still works.)

Oh quite unfortunate, yes.

roberto-sartori-gl avatar Dec 25 '23 18:12 roberto-sartori-gl

The main use is for someone who'd like the same security guarantees that the stock OS provides with a locked bootloader, except with a custom OS (or just rooted). For example, it significantly reduces the chance that malware can survive a reboot because the OS partitions cannot be modified without breaking the signatures. It also prevents someone with (brief) physical access from installing something like a keylogger (which can be done quickly and easily with fastboot access).

If these sorts of things aren't important for your own use case, then there's not really a reason to use avbroot.

chenxiaolong avatar Dec 25 '23 19:12 chenxiaolong

If Play Integrity isn't already checking for this, I'd fully expect it to do so in the future.

I'm pretty sure they do. I have to verify with a rootless setup, but I have never passed any integrity tests once rooted. You will also fail the supposedly hardware backed STRONG test.

There are still some ways to bypass the BASIC and DEVICE tests, but these are getting more limited literally by the day.

pascallj avatar Dec 25 '23 21:12 pascallj

If Play Integrity isn't already checking for this, I'd fully expect it to do so in the future.

I'm pretty sure they do. I have to verify with a rootless setup, but I have never passed any integrity tests once rooted. You will also fail the supposedly hardware backed STRONG test.

There are still some ways to bypass the BASIC and DEVICE tests, but these are getting more limited literally by the day.

Well it depends how you rooted the device. If you use magisk or kernelSU, you'll not pass play integrity in any case (without trying to hide them). The real test would be for example to just resign the stock image from the vendor with the custom keys and see how it works.

roberto-sartori-gl avatar Dec 25 '23 22:12 roberto-sartori-gl

Well it depends how you rooted the device. If you use magisk or kernelSU, you'll not pass play integrity in any case (without trying to hide them). The real test would be for example to just resign the stock image from the vendor with the custom keys and see how it works.

Well now I was really curious and just gave it a try. Signed the stock rom with the avbroot rootless option and I passed only the 'MEETS_BASIC_INTEGRITY' check. I did not do a factory reset, so there are still some leftovers from my previous rooted setup (such as the /data/adb/ contents), but I highly doubt those are the reasons the other checks failed.

Interesting to note however is that with Magisk installed, but no modules enabled, I did not pass any checks. You can pass the BASIC_INTEGRITY check again by hiding Magisk with Shamiko for the Play Store and Play Services (maybe both not necessary, but it worked). To pass the DEVICE_INTEGRITY check, you need other methods.

pascallj avatar Jan 02 '24 21:01 pascallj

Well it depends how you rooted the device. If you use magisk or kernelSU, you'll not pass play integrity in any case (without trying to hide them). The real test would be for example to just resign the stock image from the vendor with the custom keys and see how it works.

Well now I was really curious and just gave it a try. Signed the stock rom with the avbroot rootless option and I passed only the 'MEETS_BASIC_INTEGRITY' check. I did not do a factory reset, so there are still some leftovers from my previous rooted setup (such as the /data/adb/ contents), but I highly doubt those are the reasons the other checks failed.

Interesting to note however is that with Magisk installed, but no modules enabled, I did not pass any checks. You can pass the BASIC_INTEGRITY check again by hiding Magisk with Shamiko for the Play Store and Play Services (maybe both not necessary, but it worked). To pass the DEVICE_INTEGRITY check, you need other methods.

Did you also lock the bootloader after flashing the custom-signed image?

roberto-sartori-gl avatar Jan 02 '24 21:01 roberto-sartori-gl

Yes, my bootloader has been locked all the time with my custom key.

pascallj avatar Jan 02 '24 21:01 pascallj

Yes, my bootloader has been locked all the time with my custom key.

image

This is a Nothing phone 1 with custom keys with custom rom and locked bootloader, passing play integrity. So probably you need to clean/format data as you previously had magisk installed.

roberto-sartori-gl avatar Jan 18 '24 11:01 roberto-sartori-gl

Interesting! Is it a clean install as well? If I ever get to reset my device, I'll try as well.

pascallj avatar Jan 18 '24 11:01 pascallj

Well now I was really curious and just gave it a try. Signed the stock rom with the avbroot rootless option and I passed only the 'MEETS_BASIC_INTEGRITY' check.

I got this very same result with the NOS 2.5.2 SpacewarEEA stock ROM. Interestingly, it gave no integrity for the first query, but basic integrity for all subsequent queries. :shrug:

Yes, the BL was locked. Yes, it was a clean install. Yes I used --rootless flag.

I PM-ed roberto-sartori-gl about the picture above: he just forwarded that.

xabolcs avatar Mar 05 '24 20:03 xabolcs

As @chenxiaolong mentioned in https://github.com/chenxiaolong/avbroot/discussions/260#discussioncomment-8655088, I suspect the hardware attestation part on the Nothing bootloader is buggy or it was just an erroneous result returned by the Play Integrity API. If you can't reproduce this, even with a Nothing Phone 1, then I suspect the latter.

pascallj avatar Mar 05 '24 20:03 pascallj

If you can't reproduce this, even with a Nothing Phone 1 ...

I didn't try too hard so my results don't mean much! But I would like to check the NP1 Telegram groups how to repro that picture or at least to get DEVICE_INTEGRITY without root.

xabolcs avatar Mar 05 '24 20:03 xabolcs

Well if you find out, please let us know! :wink: It seems highly unlikely so far.

pascallj avatar Mar 05 '24 20:03 pascallj

I've created (and pinned) #299 to act as a centralized place for listing the devices that are known to work.

chenxiaolong avatar May 31 '24 22:05 chenxiaolong