Magisk
Recovery install boots, direct install bricks on FireOS devices (amonet support)
@topjohnwu Magisk is used on many FireOS devices for root and more. Its TWRP recovery needs to rewrite itself into the kernel after any boot image flash, so Magisk installs and works fine when flashed from recovery. But after a direct install / update from the system and Magisk Manager itself, the device becomes completely unbootable, and it is even required to apply the short-pin NAND unlock again. So many users have broken their devices with a Magisk update. Is there a way to disable direct Magisk install from Manager for FireOS devices? I can provide additional info and system properties and implement this feature myself if you point me in the right direction where it can be done. Thanks!
Device: Fire TV 4K
Android version: 7.1.2
Magisk version name: 24310
Magisk version code: 24310
How does the custom TWRP write itself into the kernel, though? And why doesn't it persist after Magisk Direct install? That would be the thing to fix here, not disabling the feature.
> How does the custom TWRP write itself into the kernel, though? And why doesn't it persist after Magisk Direct install? That would be the thing to fix here, not disabling the feature.

There is a custom TWRP recovery action which restores itself into the boot partition from reserved space on every flash. That is the nature of the unlock and the TWRP placement, and it can't be fixed there (because it just works, but only in recovery itself when Magisk is flashed from it). FireOS doesn't have a recovery partition at all, so TWRP is placed with the kernel itself in the boot partition. Direct Magisk install screws it up and makes the device unbootable and without access to recovery, so the only option is to do the full unlock and TWRP recovery flash again from a PC via fastboot, and then restore the original boot from the original OS image. And it is much harder to implement this required rewrite on direct Magisk install from Manager. You can inspect the unlock and its trick for recovery here:
https://github.com/amonet-kamakiri/kamakiri/blob/master/lk-payload/main.c
https://github.com/amonet-kamakiri/kamakiri/blob/7d3bf90137cc5d056b9e519a84b9f3d82b909130/META-INF/com/google/android/update-binary#L96-L105
> That would be the thing to fix here, not disabling the feature.

As this behaviour can't be fixed in the bootloader and TWRP, the only option to avoid bricking FireOS devices is to disallow direct Magisk flash (so users will do Magisk installs / updates from TWRP itself with no harm). I just want some hints where it's possible to implement this on the Magisk (Manager) side to make a PR.
Ah, I knew this rang a bell: https://github.com/topjohnwu/Magisk/pull/2840#issuecomment-636204251
Relevant bits from my research and implementation for AIK amonet support:
Detection: https://github.com/osm0sis/Android-Image-Kitchen/commit/94e33e000c611127fd522b5245ab23dcbeae080e#diff-eaa2c4e5d6677c9e84e95b4342f94ab6788625d30ac34f0987979d54457db96dR35-R36
Unpacking: https://github.com/osm0sis/Android-Image-Kitchen/commit/94e33e000c611127fd522b5245ab23dcbeae080e#diff-8cab25a87eb22e45b3d01b96b9cf1d9e65f6e61f250e6344a1d7d393987ec86dR135-R145
Repacking: https://github.com/osm0sis/Android-Image-Kitchen/commit/94e33e000c611127fd522b5245ab23dcbeae080e#diff-2806377b37f5f32702c6d2fc69d6937a6e32197359cc140b1fd1b14b3d6c2de7R312-R319
It's beyond me to add it to magiskboot though, but perhaps @chaosmaster (k4y0z @ xda-developers) might consider if he has any time, since he's a bit of an expert on it and has successfully added complex zimage decompression support to magiskboot recently.
> Relevant bits from my research and implementation for AIK amonet support

As I understand, Magisk can unpack, inject and repack boot correctly (the system boots and Magisk works when installed from TWRP). But the same actions also need to be implemented after direct install (not sure the TWRP partition mounts equal the system partitions):
```sh
# Partition path prefix (on Mantis)
PART_PREFIX=/dev/block/platform/soc/11230000.mmc

# Save the first two sectors of recovery (the microloader) and of boot
dd if=${PART_PREFIX}/by-name/recovery of=/tmp/recovery_kamakiri.hdr bs=512 count=2
dd if=${PART_PREFIX}/by-name/boot of=/tmp/boot_kamakiri.hdr bs=512 count=2
# Read sectors 2-3 of boot, where the copied Android header is expected
dd if=${PART_PREFIX}/by-name/boot of=/tmp/boot_kamakiri.hdr2 bs=512 count=2 skip=2

grep "ANDROID!" /tmp/boot_kamakiri.hdr2
if [ $? -ne 0 ] ; then
  ui_print "- patching boot"
  dd if=/tmp/boot_kamakiri.hdr of=${PART_PREFIX}/by-name/boot bs=512 count=2 seek=2
fi

ui_print "- updating microloader"
dd if=/tmp/recovery_kamakiri.hdr of=${PART_PREFIX}/by-name/boot bs=512 count=2
```
But just disabling direct install from Manager is failsafe and enough to avoid accidentally breaking devices.
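The boot-partition layout implied by the `dd` steps above, as an added example that is not part of the thread or of the kamakiri or Magisk code: it classifies an image file by where the `ANDROID!` magic sits and re-applies the two-sector header on a file copy. The function names, the `stock`/`amonet` labels and the sample images are constructed for illustration.

```shell
#!/bin/sh
# Added example; operates on image FILES only, never on /dev/block paths.
# Assumed layout (from the dd excerpt): 512-byte sectors, sectors 0-1 hold
# the microloader, sectors 2-3 hold a copy of the Android boot header.

# True if the 8-byte Android boot magic starts at sector $2 of image $1.
has_android_magic() {
  m=$(dd if="$1" bs=1 skip=$(( $2 * 512 )) count=8 2>/dev/null | tr -d '\000')
  [ "$m" = 'ANDROID!' ]
}

# stock  = header at sector 0 (what a plain boot image write leaves behind)
# amonet = header at sector 2, microloader in front of it
boot_layout() {
  if has_android_magic "$1" 0; then echo stock
  elif has_android_magic "$1" 2; then echo amonet
  else echo unknown
  fi
}

# Mirror the excerpt's dd steps on a file. $1 = boot image, $2 = image whose
# first two sectors are the microloader. conv=notrunc is needed for regular
# files so dd does not truncate the image after the written sectors.
reapply_layout() {
  case $(boot_layout "$1") in
    stock)  dd if="$1" of="$1.hdr" bs=512 count=2 2>/dev/null
            dd if="$1.hdr" of="$1" bs=512 count=2 seek=2 conv=notrunc 2>/dev/null
            rm -f "$1.hdr" ;;
    amonet) ;;                       # header copy already in place
    *)      echo "refusing: no Android header found in $1" >&2; return 1 ;;
  esac
  dd if="$2" of="$1" bs=512 count=2 conv=notrunc 2>/dev/null
}

# Constructed sample data: a fake 8-sector boot image and a fake microloader.
make_samples() {
  { printf 'ANDROID!'; dd if=/dev/zero bs=4088 count=1 2>/dev/null; } > "$1/boot.img"
  dd if=/dev/zero bs=1024 count=1 2>/dev/null | tr '\000' 'M' > "$1/recovery.img"
}

demo() {
  d=$(mktemp -d) && make_samples "$d"
  echo "after plain write: $(boot_layout "$d/boot.img")"
  reapply_layout "$d/boot.img" "$d/recovery.img"
  echo "after re-apply:    $(boot_layout "$d/boot.img")"
  rm -rf "$d"
}
demo
```

An image that reports `stock` after a write has lost the microloader in sectors 0-1, which is the state the thread describes after a direct install.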
@tsynik We are adding support for your device. Stop asking Magisk to disable direct install for your device.
> We are adding support for your device. Stop asking Magisk to disable direct install for your device.

This behavior has existed for about 2 years, since Magisk 20.3, and I know at least 30+ Fire TV users who broke their sticks by an accidental update and spent hours and days opening, short-pinning and restoring their devices. I think I can implement what is asked on the apk side, and it's better to have this option disabled until proper direct install is implemented (after another 2 years?). Can you point me to the lines of code where device detection for other devices exists to switch some Manager behavior based on it? Or are there no such cases at all?
We added Nook bootloader hack support way back, for example: https://github.com/topjohnwu/Magisk/commit/28350e3ad92dc8f11d05ec79f4f863caa4ce0c61 https://github.com/topjohnwu/Magisk/commit/d780b5a0e4107c81beb6e5df7f5f0dff54681daa https://github.com/topjohnwu/Magisk/commit/2ff5d9606b575726bd30d89c6d029e30f33a90a3
There are a lot more developers now too, so things may happen more quickly, but either way please be patient.
@topjohnwu workaround is just 3 lines of code:
From 84db24c065ce60a0eb91be30c6c13926ab0b7770 Mon Sep 17 00:00:00 2001
From: nikk gitanes <[email protected]>
Date: Fri, 20 May 2022 09:08:12 +0300
Subject: [PATCH] disable direct install on Amazon FireTV devices
---
app/src/main/java/com/topjohnwu/magisk/core/Info.kt | 1 +
.../java/com/topjohnwu/magisk/ui/install/InstallViewModel.kt | 1 +
app/src/main/res/layout/fragment_install_md2.xml | 2 +-
3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/src/main/java/com/topjohnwu/magisk/core/Info.kt b/app/src/main/java/com/topjohnwu/magisk/core/Info.kt
index aa1b73dbe..0b122da8c 100644
--- a/app/src/main/java/com/topjohnwu/magisk/core/Info.kt
+++ b/app/src/main/java/com/topjohnwu/magisk/core/Info.kt
@@ -39,6 +39,7 @@ object Info {
@JvmField var hasGMS = true
val isSamsung = Build.MANUFACTURER.equals("samsung", ignoreCase = true)
+ val isAmazonTV = Build.MANUFACTURER.equals("amazon", ignoreCase = true) && AppContext.packageManager.hasSystemFeature("amazon.hardware.fire_tv")
@JvmField val isEmulator =
getProperty("ro.kernel.qemu", "0") == "1" ||
getProperty("ro.boot.qemu", "0") == "1"
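Review bot: `isAmazonTV` on the added line keys on the manufacturer plus the `amazon.hardware.fire_tv` feature, which is not the condition that breaks direct install. The breakage comes from the amonet layout of the boot partition, so this flag also hides direct install on a Fire TV without amonet and misses any other FireOS device that has it (the issue title says FireOS devices, not only Fire TV). If the flag stays as a stopgap, name it for what it gates and put a comment linking the issue next to this declaration, as the InstallViewModel.kt line does.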
diff --git a/app/src/main/java/com/topjohnwu/magisk/ui/install/InstallViewModel.kt b/app/src/main/java/com/topjohnwu/magisk/ui/install/InstallViewModel.kt
index 5541f292e..d0513c23e 100644
--- a/app/src/main/java/com/topjohnwu/magisk/ui/install/InstallViewModel.kt
+++ b/app/src/main/java/com/topjohnwu/magisk/ui/install/InstallViewModel.kt
@@ -41,6 +41,7 @@ class InstallViewModel(
val hideVbmeta = Info.vbmeta || Info.isSamsung || Info.isAB
val skipOptions = Info.isEmulator || (Info.isSAR && !Info.isFDE && hideVbmeta && Info.ramdisk)
val noSecondSlot = !isRooted || !Info.isAB || Info.isEmulator
+ val isAmazonTV = Info.isAmazonTV // FIXME: temporary FireOS workaround, see https://github.com/topjohnwu/Magisk/issues/5833
@get:Bindable
var step = if (skipOptions) 1 else 0
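Review bot: the added `val isAmazonTV = Info.isAmazonTV` is a pass-through that pushes device logic into the layout expression. Following `noSecondSlot` on the line above, expose one property for the decision, for example `val noDirectInstall = !isRooted || Info.isAmazonTV`, and bind the layout to that. The FIXME says temporary but gives no removal condition; state one, such as direct install handling the amonet header.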
diff --git a/app/src/main/res/layout/fragment_install_md2.xml b/app/src/main/res/layout/fragment_install_md2.xml
index 64bd12709..48f501612 100644
--- a/app/src/main/res/layout/fragment_install_md2.xml
+++ b/app/src/main/res/layout/fragment_install_md2.xml
@@ -202,7 +202,7 @@
<RadioButton
android:id="@+id/method_direct"
style="@style/WidgetFoundation.RadioButton"
- gone="@{!viewModel.rooted}"
+ gone="@{!viewModel.rooted || viewModel.isAmazonTV}"
android:layout_width="match_parent"
android:layout_height="wrap_content"
android:text="@string/direct_install" />
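Review bot: the new `gone` expression on `method_direct` only hides the radio button. None of the three files in this patch touches the install logic, so nothing rejects the direct method if it is selected through some other path; a check where the method is executed would make the guard hold regardless of the UI. The option also disappears without any message, so a rooted user gets no hint to install from recovery instead.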
--
2.32.0 (Apple Git-132)
Do I need to make a PR for it?
Could you provide an example boot.img?
> Could you provide an example boot.img?

Original boot.img is not what you need. The nature of the amonet unlock is to inject a custom bootloader and add TWRP recovery into the boot partition (Amazon doesn't have recovery). And modifying boot on the device without reapplying the hack to it (which is done in TWRP on every flash) will break the device. I can dump the Magisk-modified boot partition from the device if it will help.
boot-magisk-working.img.zip recovery-twrp.img.zip
And here are the original images from the fw update
As I understand, those steps must be implemented on direct install too - https://github.com/topjohnwu/Magisk/issues/5833#issuecomment-1126770597
Here's one I kept in my collection: https://gitlab.com/osm0sis/boot-img-collection/-/blob/master/aosp-amonet-amazon_fhd8-karnak-twrp-recovery.img
Recovery image, but you'll see how the patching works.
@tsynik app-debug.zip Try if this version works with direct install
> Try if this version works with direct install

yes, direct install from app passed. Booted OK