
Explanation: How patching vbmeta works

Tim edited this page Feb 12, 2023 · 3 revisions

To understand how the command fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img works, we can take a look at fastboot's implementation in fastboot.cpp in Google's Git repo.

    // There's a 32-bit big endian |flags| field at offset 120 where
    // bit 0 corresponds to disable-verity and bit 1 corresponds to
    // disable-verification.
    //
    // See external/avb/libavb/avb_vbmeta_image.h for the layout of
    // the VBMeta struct.
    uint64_t flags_offset = 123 + vbmeta_offset;
    if (g_disable_verity) {
        data[flags_offset] |= 0x01;
    }
    if (g_disable_verification) {
        data[flags_offset] |= 0x02;
    }

As the comment says, the vbmeta header carries a 32-bit big-endian flags field at offset 120, with disable-verity at bit 0 and disable-verification at bit 1. Because the field is big-endian, its least significant byte is the last of the four, at offset 123, so OR-ing 0x01 and 0x02 into byte 123 sets those two flags, and that is exactly what the script does. Note that the flags live inside the header, which the hash and signature in the authentication block cover, so a patched image no longer verifies against its original signature; libavb honors the verification-disabled flag only when the bootloader is willing to accept verification errors, which on a production device means an unlocked bootloader.
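The patch in Python, as an added example that is not the wiki's script or fastboot's own code. It builds a minimal vbmeta header inline (constructed sample input, not a real image), checks the `AVB0` magic before touching anything, and sets the flags two ways: by unpacking and repacking the whole big-endian field, and by OR-ing into byte 123 as fastboot does, so the two can be compared byte for byte. The `vbmeta_offset` parameter and the helper names are this example's own; the header layout and flag values come from `avb_vbmeta_image.h`.

```python
import struct

# Layout from external/avb/libavb/avb_vbmeta_image.h; every field is big-endian.
AVB_MAGIC = b"AVB0"
AVB_HEADER_SIZE = 256
FLAGS_OFFSET = 120                 # 32-bit big-endian |flags| field
FLAG_HASHTREE_DISABLED = 0x01      # bit 0: --disable-verity
FLAG_VERIFICATION_DISABLED = 0x02  # bit 1: --disable-verification


def make_sample_vbmeta(flags=0):
    """Constructed 256-byte header: magic, libavb version 1.0, flags, rest zero.
    This is sample input for the example, not a real vbmeta image."""
    hdr = bytearray(AVB_HEADER_SIZE)
    hdr[0:4] = AVB_MAGIC
    struct.pack_into(">II", hdr, 4, 1, 0)          # required_libavb_version 1.0
    struct.pack_into(">I", hdr, FLAGS_OFFSET, flags)
    return bytes(hdr)


def read_flags(data, vbmeta_offset=0):
    """Return the flags field of the header found at vbmeta_offset,
    refusing to read anything that does not start with the AVB0 magic."""
    if data[vbmeta_offset:vbmeta_offset + 4] != AVB_MAGIC:
        raise ValueError("no AVB0 magic at offset %d" % vbmeta_offset)
    (flags,) = struct.unpack_from(">I", data, vbmeta_offset + FLAGS_OFFSET)
    return flags


def patch_flags(data, disable_verity, disable_verification, vbmeta_offset=0):
    """Return a copy of data with the requested bits OR-ed into the whole
    32-bit big-endian flags field."""
    buf = bytearray(data)
    flags = read_flags(buf, vbmeta_offset)
    if disable_verity:
        flags |= FLAG_HASHTREE_DISABLED
    if disable_verification:
        flags |= FLAG_VERIFICATION_DISABLED
    struct.pack_into(">I", buf, vbmeta_offset + FLAGS_OFFSET, flags)
    return bytes(buf)


def patch_flags_like_fastboot(data, disable_verity, disable_verification,
                              vbmeta_offset=0):
    """Same result as patch_flags, done the way fastboot.cpp does it: the
    field is big-endian, so its low byte is at offset 123."""
    buf = bytearray(data)
    read_flags(buf, vbmeta_offset)          # magic check only
    flags_offset = 123 + vbmeta_offset
    if disable_verity:
        buf[flags_offset] |= 0x01
    if disable_verification:
        buf[flags_offset] |= 0x02
    return bytes(buf)


def changed_offsets(before, after):
    """Offsets at which two equal-length images differ."""
    return [i for i in range(len(before)) if before[i] != after[i]]


if __name__ == "__main__":
    original = make_sample_vbmeta()
    patched = patch_flags(original, True, True)
    print("flags before: 0x%08x" % read_flags(original))
    print("flags after:  0x%08x" % read_flags(patched))
    print("bytes changed:", changed_offsets(original, patched))
```

Running the block on the constructed header reports the flags going from 0x00000000 to 0x00000003 with byte 123 as the only changed offset. To patch a real image the same functions apply to the bytes read from `vbmeta.img`; a non-zero `vbmeta_offset` is only needed when the vbmeta struct is embedded inside another partition image rather than at the start of the file.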
