Skip to content
This repository was archived by the owner on May 12, 2026. It is now read-only.

Commit 53913c4

Browse files
toraidlcodex
andcommitted
fix(firmware): set vbmeta AVB flags to 0x01 to prevent Android 16 fastboot lock
The vbmeta patch routine previously forced AVB flags to 0x03. On Android 16 base builds (for example Xiaomi 17), this can lead to persistent fastboot boot failure after flashing. This change updates _patch_vbmeta() to write 0x01 at the AVB flags offset (123) instead of 0x03, preserving the intended AVB relaxation while avoiding the device-specific fastboot lock behavior. What changed: - Updated FLAGS_TO_SET from b"\x03" to b"\x01" in FirmwareModifier._patch_vbmeta(). - Added a focused regression test that creates a synthetic vbmeta image with AVB magic and verifies byte offset 123 is patched to 0x01. Verification: - .venv/bin/pytest -q tests/core/test_firmware_modifier.py - .venv/bin/pytest -q tests/test_workflow.py Co-authored-by: Codex <codex@openai.com>
1 parent 2d58b55 commit 53913c4

2 files changed

Lines changed: 36 additions & 1 deletion

File tree

src/core/modifiers/firmware_modifier.py

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -95,7 +95,8 @@ def _patch_vbmeta(self):
9595

9696
AVB_MAGIC = b"AVB0"
9797
FLAGS_OFFSET = 123
98-
FLAGS_TO_SET = b"\x03"
98+
# Use AVB flag 0x01 to avoid fastboot bootloop issues on Android 16 base builds.
99+
FLAGS_TO_SET = b"\x01"
99100

100101
try:
101102
with open(vbmeta_img, "r+b") as f:
Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
from pathlib import Path
2+
from types import SimpleNamespace
3+
4+
from src.core.modifiers.firmware_modifier import FirmwareModifier
5+
6+
7+
def _build_context(tmp_path: Path) -> SimpleNamespace:
8+
magiskboot = tmp_path / "magiskboot"
9+
magiskboot.write_bytes(b"stub")
10+
11+
repack_images = tmp_path / "target" / "repack_images"
12+
repack_images.mkdir(parents=True, exist_ok=True)
13+
14+
return SimpleNamespace(
15+
target_dir=tmp_path / "target",
16+
tools=SimpleNamespace(magiskboot=magiskboot),
17+
device_config={},
18+
)
19+
20+
21+
def test_patch_vbmeta_sets_avb_flags_to_one(tmp_path: Path):
22+
ctx = _build_context(tmp_path)
23+
vbmeta_img = ctx.target_dir / "repack_images" / "vbmeta.img"
24+
25+
payload = bytearray(256)
26+
payload[0:4] = b"AVB0"
27+
payload[123] = 0x00
28+
vbmeta_img.write_bytes(payload)
29+
30+
modifier = FirmwareModifier(ctx)
31+
modifier._patch_vbmeta()
32+
33+
patched = vbmeta_img.read_bytes()
34+
assert patched[123] == 0x01

0 commit comments

Comments
 (0)