- Fix a nasty regression since version 2.0.0 where recovery mode's
otacerts.zip
modifications were lost when using--prepatched
with Magisk on some older devices, like the Pixel 4a (Issue #356, PR #357)- This affected older devices without
vendor_boot
orrecovery
partitions. - This caused sideloading patched OTA updates from recovery mode to break on the affected devices. To fix the problem without wiping the device and starting fresh, please follow the steps in the PR.
- This affected older devices without
- Print a useful error message when trying to prompt for a passphrase without an interactive terminal (PR #336)
- Add a new
--zip-mode seekable
option to allow writing OTA zip files without data descriptors (Issue #328, PR #337) - Add new commands for packing and unpacking logical partition images (
super.img
) (PR #342, PR #343) - Add new commands for packing and unpacking Android sparse images (PR #347)
- Allow
avbroot payload repack
andavbroot payload info
commands to read delta payloads (PR #354) - Switch to passterm library for password prompts (PR #355)
- Add support for gzip compression when computing CoW size estimates (Issue #332, PR #333)
- This allows
--replace
to successfully replace dynamic partitions on legacy devices, like the Pixel 4a 5G
- This allows
- Minor code cleanup (PR #334, PR #335)
- Update all dependencies (PR #329)
- Add new unpack and pack commands for
payload.bin
files (Issue #328, PR #331)
- Fix (unreachable) minor error handling logic when attempting to use unsupported AVB signing algorithms (PR #311)
- Add support for performing signing operations with external programs (Issue #310, PR #312)
- See the linked issue for an example of how to sign with a Yubikey.
- Recompute CoW size estimate when replacing dynamic partitions (Issue #306, PR #307)
- Fixes out of space error when flashing a patched OTA that uses
--replace
to replace a dynamic partition (eg.system
) with a larger or more incompressible image
- Fixes out of space error when flashing a patched OTA that uses
- Add
avbroot payload info
subcommand for inspectingpayload.bin
headers (PR #309)
- Add prebuilt binary for Android (aarch64) (PR #304)
- Add new
--recompute-size
option toavbroot avb pack
to automatically recompute the image size for resizable images (Discussion #294, PR #296) - Add new
--output-info
option toavbroot avb pack
to write a newavb.toml
file containing computed values (PR #297) - Add support for upcoming Magisk Canary 27003 (Issue #301, PR #268)
- Increase hash tree and FEC size limits to accommodate partition images up to 8 GiB (Issue #291, PR #293)
- Fix potential infinite loop when interrupting avbroot at the right moment to a bug in the bzip2-rs library (Issue #285, PR #287)
- Update all dependencies and fix new clippy lints (PR #288)
- Add support for adding the custom AVB public key to the list of trusted keys for DSU (booting signed GSIs) (Discussion #286, PR #289)
- Build universal binary for macOS (Issue #278, PR #279)
- Use
fastboot flashall
for initial setup to avoid needing to manually flash every partition (PR #253) - Remove binary test files in the git repo and generate them at runtime (Issue #265, PR #276)
- Fix portions of a couple error messages being incorrectly quoted (PR #277)
- Cache salted SHA-256 contexts for a small performance improvement (PR #257)
- Fix loading certificates that have extra text outside of the marker lines (PR #261)
- The
OEMUnlockOnBoot
module has been split out to a separate repo (Discussion #235, PR #246)- https://github.com/chenxiaolong/OEMUnlockOnBoot
- The new module supports the automatic update mechanism within Magisk/KernelSU
- Add support for Magisk v27.0 (PR #255)
- Switch to using a proper logging library (PR #251)
- Folks who want to see the juicy details during patching can use
--log-level debug
or--log-level trace
- Folks who want to see the juicy details during patching can use
Behind-the-scenes changes:
Happy New Year! This release brings two major changes:
-
The OTA certificates (
otacerts.zip
) in the system partition are now patched. Theclearotacerts
module from avbroot (or thecustomotacerts
module from Custota) are no longer needed and can be safely uninstalled.This makes it possible to use Pixel's new Repair Mode safely. To do so, follow the instructions in the documentation here.
-
Autodetection for boot partitions is now significantly more reliable. For KernelSU users or folks who have more obscure devices, the
--boot-partition
option is no longer required (and is now ignored).
Full list of changes:
- Add support for AVB 2.0 format 1.3.0 (for Android 15) (PR #210)
- Add new
avbroot key decode-avb
command for converting AVB-encoded public keys to the standard PKCS8-encoded format (PR #219) - Improve autodetection of boot images (Issue #218, PR #221, PR #237)
- Build precompiled executables as statically linked executables (Issue #222, PR #224, PR #227)
- Limit critical partition check to bootloader-verified partitions (Issue #223, PR #226)
- Improve patching performance by spliiting new partition images into chunks and compressing them in parallel (PR #228)
- Also verify whole-partition hashes when running
avbroot ota verify
(PR #229) - Add support for patching
otacerts.zip
on the system partition (Issue #225, PR #240, PR #244) - Document how to use Repair Mode safely (Issue #216, PR #243)
Behind-the-scenes changes:
- Fix lint warnings introduced in Rust 1.74.0 (PR #211)
- Temporarily silence RUSTSEC-2023-0071 warning in cargo-deny (PR #214)
- Add support for partially updating FEC data (PR #230, PR #231, PR #234)
- Fix hash tree calculation for images smaller than one block (PR #232)
- Refactor hash tree code and add tests, CLI commands, and support for partial updates (PR #233)
- Generate mock OTAs to use for end-to-end tests (PR #241)
- Update all dependencies (PR #245)
- Add support for XZ-compressed ramdisks (Issue #203, PR #207)
- Merge property and kernel command line AVB descriptors when replacing partitions (Issue #203, PR #208)
- Improve error messages when using
--replace
with an image that has the wrong AVB descriptor type (Issue #201, PR #202) - Automatically update legacy
dm=
kernel command line descriptor when packing AVB images (Issue #203, PR #205) - Automatically promote insecure hash algorithms (eg. sha1) to sha256 when packing AVB images (Issue #203, PR #206)
- Mark Magisk 264xx as supported (PR #199)
- Fix missing
--help
text foravbroot avb unpack
's--ignore-invalid
option (PR #183) - Group
avbroot ota patch --help
output into more readable sections (PR #184) - Add more checks to ensure that the OTA has a secure AVB setup (PR #188)
- OTAs with blatantly insecure or missing AVB configuration are now more likely to be rejected by avbroot to avoid providing a false sense of security.
- Allow
avbroot avb verify
andavbroot ota verify
to work for dm-verity partitions that use insecure SHA1 hashes (PR #190) - Add support for legacy Android 11 OTAs (Discussion #195, PR #196)
Behind-the-scenes changes:
- Bump maximum payload manifest size to 4 MiB (PR #182)
- Rework file handle reopen functionality to use traits instead of callbacks (PR #189)
- Don't set signature algorithm field for indirectly signed boot images (PR #191)
- Update dependencies (PR #197)
It's Android 14 release day! All versions of avbroot, including the old Python version, are compatible with Android 14 OTAs.
Changes:
- Add new unpack and pack commands for cpio archives (ramdisks) (PR #173, PR #178)
- Rename
header.toml
toboot.toml
for the boot image unpack and pack commands (PR #175)- Also changes the file format a bit to make it more readable.
Behind-the-scenes changes:
- Add streaming CPIO reader and writer (PR #172)
- Update dependencies (PR #174, PR #181)
- Switch to prost for protobuf encoding/decoding (PR #176)
This release is all about hardening avbroot against untrusted (or corrupted) inputs. While all of avbroot's parsers are memory-safe, it's still possible for crashes to occur due to logic issues like allocating too much memory or dividing by zero. With this release, most of these potential issues have been fixed and fuzz tests have been added to help find more of these situations.
On the filesystem side of things, it is no longer possible for a nefarious program to cause avbroot to write to unintended locations by eg. swapping out an output directory or temp directory with a symlink while it is running.
Behind-the-scenes changes:
- Consolidate logic for handling
--pass-file
and--pass-env-var
(PR #156) - cargo-deny: Block executables in dependencies (PR #133)
- Implement size limits for parsers to prevent allocating too much memory (Issue #157, PR #158, PR #159, PR #164, PR #168, PR #169, PR #170)
- Add fuzzers to help catch panics/crashes (Issue #160, PR #161, PR #162, PR #163, PR #165, PR #167)
- Use handle-based directory operations instead of path-based directory operations (Issue #166, PR #171)
- Add support for dm-verify FEC (forward error correction) (Issue #145, PR #146)
ota verify
andavb verify
will now check the FEC data.
- Print status and warning messages to stderr (PR #149)
- Add new
avb unpack
,avb pack
, andavb repack
commands for AVB images (Issue #144, Issue #148, PR #152)avb verify
now optionally accepts--repair
to fix corrupted dm-verity images.
Behind-the-scenes changes:
- Remove unnecessary use of
Arc
(PR #147) - Use bstr crate to escape mostly UTF-8 binary data (PR #150)
- Improve error fields and error contest (PR #153)
- Upgrade xz version in precompiled binaries (Issue #138, PR #139)
- This fixes the
ota extract
andota verify
commands in some multithreaded situations.
- This fixes the
- Add
--version
option to print out avbroot's version (Issue #138, PR #140)
- Fix
data_offset
being set for payload operations that don't need it (PR #136)- This fixes patched stock OnePlus images from being rejected when flashing.
Behind-the-scenes changes:
- Move full OTA check to CLI functions to allow library functions to parse delta OTAs (PR #135)
- Remove unnecessary use of
anyhow
macro (PR #137)
- Add support for Magisk 263xx (PR #132)
- Initial Rust release. The old Python implementation can be found in the
python
branch. (PR #130)