Merge pull request #240 from chenxiaolong/system_otacerts

Add support for replacing otacerts.zip in the system image
chenxiaolong · Dec 28, 2023 · c1095b8 · c1095b8
2 parents d819014 + 17504a7
commit c1095b8
Show file tree

Hide file tree

Showing 17 changed files with 563 additions and 230 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/README.md b/README.md
@@ -19,12 +19,14 @@ Having a good understanding of how AVB and A/B OTAs work is recommended prior to
 
 ## Patches
 
-avbroot applies two patches to the boot images:
+avbroot applies the following patches to the partition images:
 
 * The `boot` or `init_boot` image, depending on device, is patched to enable root access. For Magisk, the patch is equivalent to what would be normally done by the Magisk app.
 
 * The `boot`, `recovery`, or `vendor_boot` image, depending on device, is patched to replace the OTA signature verification certificates with the custom OTA signing certificate. This allows future patched OTAs to be sideloaded from recovery mode after the bootloader has been locked. It also prevents accidental flashing of the original unpatched OTA.
 
+* The `system` or `my_engineering` image, depending on device, is also patched to replace the OTA signature verification certificates. This prevents the OS' system updater app from installing an unpatched OTA and also allows the use of custom OTA updater apps.
+
 ## Warnings and Caveats
 
 * **Always leave the `OEM unlocking` checkbox enabled when using a locked bootloader with root.** This is critically important. Root access allows the boot partition to potentially be overwritten, either accidentally or intentionally, with an image that is not properly signed. In this scenario, if the checkbox is turned off, both the OS and recovery mode will be made unbootable and `fastboot flashing unlock` will not be allowed. This effectively renders the device **_hard bricked_**.
@@ -218,22 +220,22 @@ To stop using avbroot and revert to the stock firmware:
 
 4. That's it! There are no other remnants to clean up.
 
-## avbroot modules
-
-avbroot's Magisk/KernelSU modules can be downloaded from the [releases page](https://github.com/chenxiaolong/avbroot/releases).
-
-### `clearotacerts`: Block OTA Updates from default updater app
+## OTA updates
 
-Unpatched OTA updates are already blocked when booted into recovery mode because the original OTA certificate has been replaced with the custom certificate. However, this doesn't prevent the Android's system updater app from attempting to install an unpatched OTA update.
+avbroot replaces `/system/etc/security/otacerts.zip` in both the system and recovery partitions with a new zip that contains the custom OTA signing certificate. This prevents an unpatched OTA from inadvertently being installed both when booted into Android and when sideloading from recovery.
 
-Disabling the system updater app is recommended. To do so:
+Disabling the system updater app is recommended to prevent it from even attempting to install an unpatched OTA. To do so:
 
 * Stock OS: Turn off `Automatic system updates` in Android's Developer Options.
 * Custom OS: Disable the system updater app (or block its network access) from Settings -> Apps -> See all apps -> (three-dot menu) -> Show system -> (find updater app).
 
-As an extra safety measure, flashing the `clearotacerts` module will intentionally make OTAs fail to install while booted into Android. It does so by overriding `/system/etc/security/otacerts.zip` with an empty zip containing no certificates so that even if an OTA is downloaded, signature verification will fail. This may cause some custom OS' system updater app to get stuck in an infinite loop downloading an OTA update and then retrying when signature verification fails, so make sure the system updater app is disabled.
+This is especially important for some custom OS's because their system updater app may get stuck in an infinite loop downloading an OTA update and then retrying when signature verification fails.
 
-As an alternative to this module, see [Custota](https://github.com/chenxiaolong/Custota) for a custom OTA updater app that installs updates from a self-hosted OTA server.
+To self-host a custom OTA server, see [Custota](https://github.com/chenxiaolong/Custota).
+
+## avbroot modules
+
+avbroot's Magisk/KernelSU modules can be downloaded from the [releases page](https://github.com/chenxiaolong/avbroot/releases).
 
 ### `oemunlockonboot`: Enable OEM unlocking on every boot
 

diff --git a/avbroot/Cargo.toml b/avbroot/Cargo.toml
@@ -11,6 +11,7 @@ publish = false
 [dependencies]
 anyhow = "1.0.75"
 base64 = "0.21.3"
+bitflags = "2.4.1"
 bstr = "1.6.2"
 byteorder = "1.4.3"
 cap-std = "2.0.0"

diff --git a/avbroot/src/cli/avb.rs b/avbroot/src/cli/avb.rs
@@ -195,7 +195,7 @@ fn write_raw_and_update(
         AppendedDescriptorMut::HashTree(d) => {
             d.hash_algorithm = promote_insecure_hash_algorithm(&d.hash_algorithm).to_owned();
             d.image_size = image_size;
-            d.update(&raw_file, &raw_file, cancel_signal)
+            d.update(&raw_file, &raw_file, None, cancel_signal)
                 .context("Failed to update hash tree descriptor")?;
         }
         AppendedDescriptorMut::Hash(d) => {
@@ -642,7 +642,7 @@ fn repack_subcommand(cli: &RepackCli, cancel_signal: &AtomicBool) -> Result<()>
         // There could have been errors in the original FEC data itself.
         if let AppendedDescriptorMut::HashTree(d) = info.header.appended_descriptor_mut()? {
             d.hash_algorithm = promote_insecure_hash_algorithm(&d.hash_algorithm).to_owned();
-            d.update(&file, &file, cancel_signal)?;
+            d.update(&file, &file, None, cancel_signal)?;
         }
 
         update_dm_verity_cmdline(&mut info)?;