refactor(firmware): simplify AVB disabling by patching only vbmeta.img

toraidl · toraidl · commit f79e9791f323 · 2026-03-18T22:31:57.000+08:00
- Remove _patch_vendor_boot_fstab() method that modified fstab in vendor_boot
- Remove _disable_avb_verify() helper method
- Change _patch_vbmeta() to only patch vbmeta.img instead of all vbmeta*.img files
- Fix vbmeta.img path to use repack_images subdirectory
- Update README.md and README_EN.md to reflect the new AVB disabling approach

This change fixes DSU compatibility issues. Previously, modifying fstab in
vendor_boot to disable AVB verification would break DSU (Dynamic System Updates)
functionality. By directly patching vbmeta.img to disable AVB (setting flags
at offset 123 to 0x03), we achieve the same goal without interfering with
fstab-based verity checks, allowing DSU to work properly on newer devices.

Note: Newer devices only require vbmeta.img modification; patching other
vbmeta images (vbmeta_system, vbmeta_vendor, etc.) can cause fastboot loops.

Signed-off-by: HyperOS Port Tool
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@
 - 🛠️ **流程自动化**: 从底包/移植包 ZIP 到可刷入产物的完整流程。
 - 💉 **系统补丁**: 按规则修改固件、系统、框架和 ROM 属性。
 - 🧬 **GKI 支持**: 针对 GKI 2.0 (5.10+) 及标准 GKI 设备提供 KernelSU 注入能力。
-- 🔓 **Android 16 支持**: 针对 KMI 6.12 提供专用的 `vendor_boot` fstab 修补，跳过标准 VBMETA 以防止 Fastboot 卡死。
+- 🔓 **AVB 禁用**: 通过直接修改 `vbmeta.img` 禁用 Android 验证启动 (AVB)，避免修改 fstab 导致的 DSU 无法使用问题。
 - 🚀 **Wild Boost（狂暴引擎）**: 将红米机型的狂暴引擎适配并移植到小米机型；要求内核版本一致，当前已验证小米 12S 与小米 13。
 - 🧩 **模块化配置**: 通过简单的 JSON 文件开启/关闭功能（AOD、AI 引擎等）。
 - 🌏 **EU 本地化**: 为 Global/EU 底包恢复国内特有功能（NFC、小米钱包、小爱同学）。
diff --git a/README_EN.md b/README_EN.md
@@ -14,7 +14,7 @@ A HyperOS ROM porting tool for Xiaomi/Redmi devices. It covers the common workfl
 - 🛠️ **Workflow Automation**: From stock/port ZIPs to flashable output in one pipeline.
 - 💉 **System Patching**: Rule-based modifications for firmware, system, framework, and ROM properties.
 - 🧬 **GKI Support**: KernelSU injection support for GKI 2.0 (5.10+) and standard GKI devices.
-- 🔓 **Android 16 Ready**: Specialized `vendor_boot` fstab patching for KMI 6.12 to prevent fastboot bootloops.
+- 🔓 **AVB Disabling**: Disables Android Verified Boot (AVB) by directly patching `vbmeta.img`, avoiding DSU compatibility issues caused by fstab modifications.
 - 🚀 **Wild Boost (Rage Engine)**: Ports the Redmi-specific rage engine to Xiaomi targets; requires matching kernel versions. Currently validated on Xiaomi 12S and Xiaomi 13.
 - 🧩 **Modular Configuration**: Toggle features (AOD, AI Engine, etc.) via simple JSON files.
 - 🌏 **EU Localization**: Restore China-exclusive features (NFC, XiaoAi) to Global/EU bases.
diff --git a/src/core/modifiers/firmware_modifier.py b/src/core/modifiers/firmware_modifier.py
@@ -21,9 +21,7 @@ def __init__(self, context):
         self.bin_dir = Path("bin").resolve()
 
         if not self.ctx.tools.magiskboot.exists():
-            self.logger.error(
-                f"magiskboot binary not found at {self.ctx.tools.magiskboot}"
-            )
+            self.logger.error(f"magiskboot binary not found at {self.ctx.tools.magiskboot}")
             return
 
         self.assets_dir = self.bin_dir.parent / "assets"
@@ -39,9 +37,7 @@ def __init__(self, context):
 
         # Make these values configurable via device config
         if hasattr(self.ctx, "device_config") and self.ctx.device_config:
-            self.repo_owner = self.ctx.device_config.get(
-                "ksu_repo_owner", self.repo_owner
-            )
+            self.repo_owner = self.ctx.device_config.get("ksu_repo_owner", self.repo_owner)
             self.repo_name = self.ctx.device_config.get("ksu_repo_name", self.repo_name)
             self.ksu_config_url_template = self.ctx.device_config.get(
                 "ksu_gh_api_url_template",
@@ -62,15 +58,8 @@ def run(self):
         kmi_version = self._get_kmi_version()
         if kmi_version:
             self.logger.info(f"Detected KMI Version: {kmi_version}")
-            if kmi_version == "android16-6.12":
-                self.logger.info(
-                    "KMI android16-6.12 detected. Skipping vbmeta patching and modifying vendor_boot fstab instead."
-                )
-                self._patch_vendor_boot_fstab()
-            else:
-                self._patch_vbmeta()
-        else:
-            self._patch_vbmeta()
+
+        self._patch_vbmeta()
 
         if getattr(self.ctx, "enable_ksu", False):
             self._patch_ksu(kmi_version)
@@ -94,195 +83,33 @@ def _get_kmi_version(self) -> Optional[str]:
 
         return self._analyze_kmi(analysis_target)
 
-    def _patch_vendor_boot_fstab(self):
-        """Modify fstab in vendor_boot to disable AVB for KMI 6.12."""
-        self.logger.info("Patching vendor_boot fstab...")
-        vendor_boot = self.ctx.repack_images_dir / "vendor_boot.img"
-        if not vendor_boot.exists():
-            self.logger.warning("vendor_boot.img not found, skipping fstab patch.")
-            return
-
-        with tempfile.TemporaryDirectory(prefix="vendor_boot_patch_") as tmp:
-            tmp_path = Path(tmp)
-            shutil.copy(vendor_boot, tmp_path / "vendor_boot.img")
-
-            try:
-                self.shell.run(
-                    [str(self.ctx.tools.magiskboot), "unpack", "vendor_boot.img"],
-                    cwd=tmp_path,
-                )
-            except Exception as e:
-                self.logger.error(f"Failed to unpack vendor_boot.img: {e}")
-                return
-
-            ramdisk = tmp_path / "ramdisk.cpio"
-            if not ramdisk.exists():
-                self.logger.error("ramdisk.cpio not found in vendor_boot")
-                return
-
-            # Attempt to decompress the ramdisk explicitly, as 'raw' format in v4 images
-            # might still be compressed in a way magiskboot cpio doesn't auto-detect.
-            try:
-                self.shell.run(
-                    [
-                        str(self.ctx.tools.magiskboot),
-                        "decompress",
-                        "ramdisk.cpio",
-                        "ramdisk.cpio.dec",
-                    ],
-                    cwd=tmp_path,
-                )
-                if (tmp_path / "ramdisk.cpio.dec").exists():
-                    shutil.move(tmp_path / "ramdisk.cpio.dec", ramdisk)
-                    self.logger.info("Successfully decompressed vendor_boot ramdisk.")
-            except Exception:
-                # If decompression fails, it might actually be raw, so we continue
-                pass
-
-            # Extract all files to find fstab using system cpio if magiskboot fails
-            extract_dir = tmp_path / "extracted_ramdisk"
-            extract_dir.mkdir(parents=True, exist_ok=True)
-            try:
-                # Try system cpio first as it is often more robust for extraction
-                self.shell.run(
-                    f"cpio -id < {ramdisk}",
-                    cwd=extract_dir,
-                    shell=True
-                )
-            except Exception as e:
-                self.logger.warning(f"System cpio failed, trying magiskboot cpio: {e}")
-                try:
-                    self.shell.run(
-                        [str(self.ctx.tools.magiskboot), "cpio", "ramdisk.cpio", "extract"],
-                        cwd=extract_dir,
-                    )
-                except Exception as e2:
-                    self.logger.error(f"Both cpio methods failed: {e2}")
-                    return
-
-            fstab_files = list(extract_dir.rglob("fstab.*"))
-            if not fstab_files:
-                self.logger.info("No fstab files found in vendor_boot ramdisk.")
-
-            patched = False
-            for fstab_path in fstab_files:
-                # Use relative path for entry name in cpio
-                fstab_entry_name = str(fstab_path.relative_to(extract_dir))
-                self.logger.info(f"Checking {fstab_entry_name} in vendor_boot ramdisk...")
-                
-                with open(fstab_path, "r") as f:
-                    content = f.read()
-
-                new_content = self._disable_avb_verify(content)
-
-                if new_content != content:
-                    with open(fstab_path, "w") as f:
-                        f.write(new_content)
-
-                    # Add back to ramdisk
-                    # magiskboot cpio <cpio> 'add MODE ENTRY INFILE'
-                    self.shell.run(
-                        [
-                            str(self.ctx.tools.magiskboot),
-                            "cpio",
-                            "ramdisk.cpio",
-                            f"add 0644 {fstab_entry_name} {fstab_path}",
-                        ],
-                        cwd=tmp_path,
-                    )
-                    patched = True
-                    self.logger.info(f"Successfully patched {fstab_entry_name} in vendor_boot.")
-
-            # Also patch DTB if it exists
-            dtb_file = tmp_path / "dtb"
-            if dtb_file.exists():
-                self.logger.info("Found DTB in vendor_boot, attempting optional fstab patch...")
-                # Note: magiskboot dtb patch might fail if it doesn't find fstab nodes,
-                # we set check=False to avoid error logs in ShellRunner.
-                try:
-                    res = self.shell.run(
-                        [str(self.ctx.tools.magiskboot), "dtb", "dtb", "patch"],
-                        cwd=tmp_path,
-                        check=False,
-                        capture_output=True
-                    )
-                    if res.returncode == 0:
-                        patched = True
-                        self.logger.info("DTB fstab nodes patched successfully.")
-                    else:
-                        self.logger.info("No patchable fstab nodes found in DTB, skipping.")
-                except Exception as e:
-                    self.logger.debug(f"Optional DTB patch failed: {e}")
-
-            if patched:
-                self.logger.info("Repacking vendor_boot.img...")
-                # magiskboot repack will automatically compress ramdisk.cpio 
-                # based on the format detected in the original vendor_boot.img
-                try:
-                    self.shell.run(
-                        [str(self.ctx.tools.magiskboot), "repack", "vendor_boot.img"],
-                        cwd=tmp_path,
-                    )
-                    new_img = tmp_path / "new-boot.img"
-                    if new_img.exists():
-                        shutil.move(new_img, vendor_boot)
-                        self.logger.info("vendor_boot.img repacked with patched fstab.")
-                    else:
-                        self.logger.error("Failed to repack vendor_boot.img: new-boot.img not found")
-                except Exception as e:
-                    self.logger.error(f"Failed to repack vendor_boot.img: {e}")
-
-    def _disable_avb_verify(self, content: str) -> str:
-        """Port of the shell function disable_avb_verify.
-        
-        Original logic:
-        sed -i "s/,avb_keys=.*avbpubkey//g" $fstab
-        sed -i "s/,avb=vbmeta_system//g" $fstab
-        sed -i "s/,avb=vbmeta_vendor//g" $fstab
-        sed -i "s/,avb=vbmeta//g" $fstab
-        sed -i "s/,avb//g" $fstab
-        """
-        # Remove avb_keys pattern
-        content = re.sub(r",avb_keys=[^, \n]*avbpubkey", "", content)
-        # Remove specific avb flags
-        content = re.sub(r",avb=vbmeta_system", "", content)
-        # Handle some variations that might exist
-        content = re.sub(r",avb=vbmeta_vendor", "", content)
-        content = re.sub(r",avb=vbmeta", "", content)
-        content = re.sub(r",avb", "", content)
-        
-        return content
-
     def _patch_vbmeta(self):
-        """Patch vbmeta images to disable AVB."""
-        self.logger.info("Patching vbmeta images (Disabling AVB)...")
+        """Patch vbmeta.img to disable AVB."""
+        self.logger.info("Patching vbmeta.img (Disabling AVB)...")
 
-        vbmeta_images = list(self.ctx.target_dir.rglob("vbmeta*.img"))
+        vbmeta_img = self.ctx.target_dir / "repack_images" / "vbmeta.img"
 
-        if not vbmeta_images:
-            self.logger.warning("No vbmeta images found in target directory.")
+        if not vbmeta_img.exists():
+            self.logger.warning("vbmeta.img not found in repack_images directory.")
             return
 
         AVB_MAGIC = b"AVB0"
         FLAGS_OFFSET = 123
         FLAGS_TO_SET = b"\x03"
 
-        for img_path in vbmeta_images:
-            try:
-                with open(img_path, "r+b") as f:
-                    magic = f.read(4)
-                    if magic != AVB_MAGIC:
-                        self.logger.warning(
-                            f"Skipping {img_path.name}: Invalid AVB Magic"
-                        )
-                        continue
-
-                    f.seek(FLAGS_OFFSET)
-                    f.write(FLAGS_TO_SET)
-                    self.logger.info(f"Successfully patched: {img_path.name}")
+        try:
+            with open(vbmeta_img, "r+b") as f:
+                magic = f.read(4)
+                if magic != AVB_MAGIC:
+                    self.logger.warning(f"Skipping {vbmeta_img.name}: Invalid AVB Magic")
+                    return
 
-            except Exception as e:
-                self.logger.error(f"Failed to patch {img_path.name}: {e}")
+                f.seek(FLAGS_OFFSET)
+                f.write(FLAGS_TO_SET)
+                self.logger.info(f"Successfully patched: {vbmeta_img.name}")
+
+        except Exception as e:
+            self.logger.error(f"Failed to patch {vbmeta_img.name}: {e}")
 
     def _patch_ksu(self, kmi_version: Optional[str] = None):
         """Patch KernelSU into boot image."""
@@ -298,19 +125,15 @@ def _patch_ksu(self, kmi_version: Optional[str] = None):
             patch_target = target_boot
 
         if not patch_target:
-            self.logger.warning(
-                "Neither init_boot.img nor boot.img found, skipping KSU patch."
-            )
+            self.logger.warning("Neither init_boot.img nor boot.img found, skipping KSU patch.")
             return
 
         if not self.ctx.tools.magiskboot.exists():
             self.logger.error("magiskboot binary not found!")
             return
 
         if not kmi_version:
-            kmi_version = self._analyze_kmi(
-                target_boot if target_boot.exists() else patch_target
-            )
+            kmi_version = self._analyze_kmi(target_boot if target_boot.exists() else patch_target)
 
         if not kmi_version:
             self.logger.error("Failed to determine KMI version.")
@@ -331,9 +154,7 @@ def _analyze_kmi(self, boot_img: Path) -> Optional[str]:
             shutil.copy(boot_img, tmp_path / "boot.img")
 
             try:
-                self.shell.run(
-                    [str(self.ctx.tools.magiskboot), "unpack", "boot.img"], cwd=tmp_path
-                )
+                self.shell.run([str(self.ctx.tools.magiskboot), "unpack", "boot.img"], cwd=tmp_path)
             except Exception as e:
                 self.logger.debug(f"Magiskboot unpack failed: {e}")
                 return None
@@ -378,15 +199,11 @@ def _prepare_ksu_assets(self, kmi_version):
             ko_file_expected = self.ctx.device_config.get(
                 "ksu_module_filename", f"{kmi_version}_kernelsu.ko"
             )
-            init_file_expected = self.ctx.device_config.get(
-                "ksu_init_filename", "ksuinit"
-            )
+            init_file_expected = self.ctx.device_config.get("ksu_init_filename", "ksuinit")
             ko_asset_name_pattern = self.ctx.device_config.get(
                 "ksu_module_asset_pattern", f"{kmi_version}_kernelsu.ko"
             )
-            init_asset_name = self.ctx.device_config.get(
-                "ksu_init_asset_name", "ksuinit"
-            )
+            init_asset_name = self.ctx.device_config.get("ksu_init_asset_name", "ksuinit")
         else:
             ko_file_expected = f"{kmi_version}_kernelsu.ko"
             init_file_expected = "ksuinit"
@@ -451,9 +268,7 @@ def _apply_ksu_patch(self, target_img, kmi_version):
             tmp_path = Path(tmp)
             shutil.copy(target_img, tmp_path / "boot.img")
 
-            self.shell.run(
-                [str(self.ctx.tools.magiskboot), "unpack", "boot.img"], cwd=tmp_path
-            )
+            self.shell.run([str(self.ctx.tools.magiskboot), "unpack", "boot.img"], cwd=tmp_path)
 
             ramdisk = tmp_path / "ramdisk.cpio"
             if not ramdisk.exists():
@@ -492,15 +307,11 @@ def _apply_ksu_patch(self, target_img, kmi_version):
                 cwd=tmp_path,
             )
 
-            self.shell.run(
-                [str(self.ctx.tools.magiskboot), "repack", "boot.img"], cwd=tmp_path
-            )
+            self.shell.run([str(self.ctx.tools.magiskboot), "repack", "boot.img"], cwd=tmp_path)
 
             new_img = tmp_path / "new-boot.img"
             if new_img.exists():
                 shutil.move(new_img, target_img)
-                self.logger.info(
-                    f"KernelSU injected successfully into {target_img.name}."
-                )
+                self.logger.info(f"KernelSU injected successfully into {target_img.name}.")
             else:
                 self.logger.error(f"Failed to repack {target_img.name}")
