Magisk icon indicating copy to clipboard operation
Magisk copied to clipboard
verified publisher icon topjohnwu

Patched unsigned boot.img for Allwinner A133 does not boot

Open lprot opened this issue 10 months ago • 18 comments

Device: TBox Lite (Allwinner A133 chip) Android version: 10 Magisk version name: https://github.com/topjohnwu/Magisk/releases/tag/canary-28102 Magisk version code: canary-28102

Patched boot.img does not boot. The boot.img and log are attached here https://github.com/topjohnwu/Magisk/issues/7330#issuecomment-2679352307

lprot avatar Feb 24 '25 19:02 lprot

Some additional info:

  1. This is Allwinner A133 device. The bootloader does not check/use vbmeta. I can generate vbmeta with: python3 avbtool.py make_vbmeta_image --flags 2 --output vbmeta then burn with PhoenixSuit and the stock boot.img still boots.
  2. There are the sha256 salt and digest in the avb0 signature at 0x15b5000 in boot.img. But it is not verified by bootloader, as I wrote 0xFF at 0x15b4fff and such a corrupted boot.img still boots with no issues. So sha256 is not checked at all.
  3. I also recalculated digest in avb0 and corrected the size in it after boot.img was patched by magisk. It does not help and booting of the patched boot.img still fails.
  4. I tried to patch boot.img with magisk v26, v27, v28, v28.1. So far I did not find any magisk version that can correctly patch this boot.img.

If you need full firmware for analysis here it is https://drive.google.com/drive/folders/16WLzis_xRavVn2TbyhvNDRcvDHvl4ont The tool to unpack the image is here https://xdaforums.com/t/tool-imgrepacker-livesuits-phoenixsuits-firmware-images-unpacker-packer.1753473/

In case you would like to add avb0 hash recalculation into the magisk code, recalc_hash.zip is attached too.

lprot avatar Feb 25 '25 05:02 lprot

try to simply unpack and then repack your boot.img with magiskboot without any modification. If it does not work, try unpack -n and then repack -n.

yujincheng08 avatar Mar 04 '25 09:03 yujincheng08

try to simply unpack and then repack your boot.img with magiskboot without any modification. If it does not work, try unpack -n and then repack -n.

Image

Image

Image

Image

boot.img and boot3.img are identical byte by byte compare. boot.img and boot2.img are different and boot2.img does not boot.

lprot avatar Mar 04 '25 19:03 lprot

So the problem is from compression? try unpack -n, mv ramdisk.cpio ramdisk.cpio.gz, gzip -d ramdisk.cpio.gz, gzip -9 ramdisk.cpio, mv ramdisk.cpio ramgisk.cpio.gz, repack -n.

Try different compression ratio, e.g., -9, -3.

yujincheng08 avatar Mar 07 '25 16:03 yujincheng08

So the problem is from compression? try unpack -n, mv ramdisk.cpio ramdisk.cpio.gz, gzip -d ramdisk.cpio.gz, gzip -9 ramdisk.cpio, mv ramdisk.cpio ramgisk.cpio.gz, repack -n.

Try different compression ratio, e.g., -9, -3.

The bug in the magiskboot repacker found:

Image

So basically magiskboot does not check that ramdisk is gzipped without name and correspondingly does not repack correctly

lprot avatar Mar 07 '25 17:03 lprot

what??? It's expected for magiskboot to gzip with -9 because magiskboot will add more files into ramdisk, resulting in a large ramdisk. If magisk does not pack with -9, some devices with a small boot partition cannot flash the larger boot.img.

yujincheng08 avatar Mar 07 '25 17:03 yujincheng08

further, are you sure your device only boots with -6 gzipped ramdisk? any other level does not work? and if so, does -6 always work even if you modify the ramdisk (like adding some files)?

yujincheng08 avatar Mar 07 '25 17:03 yujincheng08

what??? It's expected for magiskboot to gzip with -9 because magiskboot will add more files into ramdisk, resulting in a large ramdisk. If magisk does not pack with -9, some devices with a small boot partition cannot flash the larger boot.img.

It is completely ok that it repacks with -9. The problem it does not check that this is ramdisk packed with gzip -n Looks like Allwinner kernel does not like ramdisks with the name inside.

To fix the bug it is enough to make magiskboot to gzip the patched ramdisk without name if it was initially without name.

lprot avatar Mar 07 '25 17:03 lprot

I see. maybe we should use a less confusing title.

yujincheng08 avatar Mar 07 '25 17:03 yujincheng08

But magiskboot does not add name into gzipped ramdisk...

https://github.com/topjohnwu/Magisk/blob/675471a49e494825547a3b7af3e4e8d731193b46/native/src/boot/compress.cpp#L61

yujincheng08 avatar Mar 07 '25 17:03 yujincheng08

But magiskboot does not add name into gzipped ramdisk...

then problem is not with the compression?

lprot avatar Mar 07 '25 17:03 lprot

that's why I want you to test if your device boots with different compression levels of manually compressed ramdisk (with -n).

yujincheng08 avatar Mar 07 '25 17:03 yujincheng08

that's why I want you to test if your device boots with different compression levels of manually compressed ramdisk (with -n).

Prepared boot6.img, boot7.img, boot9.img this way: ./magiskboot unpack -n boot.img ; mv ramdisk.cpio ramdisk.cpio.gz ; gzip -d ramdisk.cpio.gz ; gzip -6 -n ramdisk.cpio ; mv ramdisk.cpio.gz ramdisk.cpio ; ./magiskboot repack -n boot.img boot6.img ./magiskboot unpack -n boot.img ; mv ramdisk.cpio ramdisk.cpio.gz ; gzip -d ramdisk.cpio.gz ; gzip -7 -n ramdisk.cpio ; mv ramdisk.cpio.gz ramdisk.cpio ; ./magiskboot repack -n boot.img boot7.img ./magiskboot unpack -n boot.img ; mv ramdisk.cpio ramdisk.cpio.gz ; gzip -d ramdisk.cpio.gz ; gzip -9 -n ramdisk.cpio ; mv ramdisk.cpio.gz ramdisk.cpio ; ./magiskboot repack -n boot.img boot9.img

Image Image

Compared original boot.img with boot6.img and they match byte by byte. Flashed boot9.img into the device and it boots without issues.

Moreover, I tried just to repack like: ./magiskboot unpack boot.img ; ./magiskboot repack boot.img bootimg9magisk.img

Then flashed bootimg9magisk.img and device boots without issues. Yes I know that this is the same what we did in the beginning where boot2.img it did not work. Since then I just reflashed fw to more newer version.

So magisk has no issues with the compression but there is some issue with the patch itself. Attaching stock and magisk patched boot for analysis:

stock&patched_boot.zip

lprot avatar Mar 07 '25 19:03 lprot

I am continuing to investigate this further:

  1. ./magiskboot unpack -n boot.img produces ramdisk.cpio with the 758638 bytes size
  2. ./magiskboot unpack -n boot9.img produces ramdisk.cpio with the 758090 bytes size
  3. ./magiskboot unpack -n magisk_patched_does_not_boot.img produces ramdisk.cpio with the 893265 bytes size

Decompressed sizes:

  1. ./magiskboot unpack boot.img produces ramdisk.cpio with the 1362688 bytes size
  2. ./magiskboot unpack boot9.img produces ramdisk.cpio with the 1362688 bytes size
  3. ./magiskboot unpack magisk_patched_does_not_boot.img produces ramdisk.cpio with the 982916 bytes size

Let's compare the content of ramdisk.cpio from boot9.img and magisk_patched_does_not_boot.img:

Image Image Image Image

Not sure what's wrong but looks like this small init from magisk does not start properly on A133.

lprot avatar Mar 08 '25 09:03 lprot

it's not about magiskinit, since simply unpack repack does not work.

yujincheng08 avatar Mar 08 '25 09:03 yujincheng08

it's not about magiskinit, since simply unpack repack does not work.

Unpack/repack works with and without -n, not sure what was wrong with boot2.img on old firmware but on new it works. Problem with the patch now.

lprot avatar Mar 08 '25 10:03 lprot

In this case, you should try to get some log from your device. If adb works, use adb bugreport during bootloop. If it does not, find pstore or last_ksmg from adb bugreport after restoring boot.

yujincheng08 avatar Mar 08 '25 10:03 yujincheng08

pstore

This firmware does not have adb at all (it is blocked even if you enable developer's options). I will try to connect to uart on board

Image

lprot avatar Mar 08 '25 10:03 lprot