{"id":6929,"date":"2018-09-26T15:00:45","date_gmt":"2018-09-26T12:00:45","guid":{"rendered":"https:\/\/www.howtoforge.com\/tutorial\/building-and-flashing-a-secured-aosp-build-with-verified-boot-and-separate-lockscreen-password-for-the-nexus-5x\/"},"modified":"2018-09-26T15:00:45","modified_gmt":"2018-09-26T12:00:45","slug":"building-and-flashing-a-secured-aosp-build-with-verified-boot-and-separate-lockscreen-password-for-the-nexus-5x","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/building-and-flashing-a-secured-aosp-build-with-verified-boot-and-separate-lockscreen-password-for-the-nexus-5x\/","title":{"rendered":"Building and flashing a secured AOSP build with verified boot and separate lockscreen password for the Nexus 5X"},"content":{"rendered":"<p><strong>Disclaimer and License<\/strong><\/p>\n<p>All data and information provided in this tutorial is for informational purposes only. The author makes no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this tutorial and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. 
All information is provided on an as-is basis.<\/p>\n<p>In no event, the author or howtoforge will be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this tutorial.<\/p>\n<p>Except as otherwise noted, the content of this page is licensed under the <a href=\"https:\/\/creativecommons.org\/licenses\/by\/3.0\/\" target=\"_blank\" rel=\"noopener\">Creative Commons Attribution 3.0 License<\/a>, and code samples are licensed under the <a href=\"https:\/\/www.apache.org\/licenses\/LICENSE-2.0\" target=\"_blank\" rel=\"noopener\">Apache 2.0 License<\/a>.<\/p>\n<h2 id=\"motivation\">Motivation<\/h2>\n<p>The Nexus 5X and 6P were the first devices that supported verified boot based on user-supplied (and not vendor-enforced) signing keys. Before its &#8220;implosion&#8221; [1], CopperheadOS (a security-enhanced AOSP variant) used to provide good documentation and scripts for building and flashing a secure AOSP version [2]. However, the project stopped providing any updates in recent months, so most former users are looking for viable alternatives.<\/p>\n<p>My impression is that many users agree that running a self-built AOSP ROM is a much better alternative to other options such as switching to e.g. LineageOS. There are a number of good reasons for this:<\/p>\n<ul>\n<li>AOSP is plain stock and has only a few possibly unwanted features<\/li>\n<li>AOSP can be built as a &#8220;user&#8221; instead of a &#8220;userdebug&#8221; build variant and, thus, is expected to be more secure (I tried compiling user builds of LineageOS, but they seem to be broken due to the invasive changes LineageOS made to the AOSP sources)<\/li>\n<li>Once sources are fetched, AOSP can be simply built. 
Unlike LineageOS, it does not start downloading additional sources during the build.<\/li>\n<\/ul>\n<p>Since the Nexus 5X is believed to be a well-supported developer device, I expected the process of building AOSP to be easy and well documented. However, it turns out that there are a number of caveats:<\/p>\n<ul>\n<li>including the vendor binaries by following the official documentation results in incomplete builds that cannot be used for incremental updates without unlocking and wiping each time (the vendor partition, radio ROM etc. are not included in the build)<\/li>\n<li>the official documentation does not describe how to use verified boot in a way that is directly applicable. There is better documentation in the CopperheadOS docs [05], but the instructions rely on outdated scripts that are not applicable to AOSP.<\/li>\n<li>there is no documentation on how to use a &#8220;weak&#8221; PIN as passphrase but a strong password as disk encryption key (unlike newer Pixel devices, the Nexus 5X is based on the older FDE approach). The methods that work for LineageOS devices are not applicable as they assume the device is rooted, which is not the case for regular AOSP user builds.<\/li>\n<\/ul>\n<p>This tutorial aims to provide detailed instructions on how to work around these caveats, building and flashing AOSP for the Nexus 5X with verified boot and using separate lockscreen\/encryption secrets. 
It should also apply to the Nexus 6P with small changes, but I was unable to test it since I didn&#8217;t have a Nexus 6P at hand.<\/p>\n<p>Except for a small script collection (required for properly extracting the vendor blobs from binaries supplied by Google) and its dependency &#8220;oatdump&#8221; (which is downloaded as a binary from a public share), the instructions do not make use of any &#8220;unofficial&#8221; (in the sense of &#8220;non-Google-provided&#8221;) third-party resources.<\/p>\n<p><span class=\"highlight\">Be aware of the following freedom issues:<\/span><\/p>\n<ul>\n<li><span class=\"highlight\">The AOSP source tree contains a number of prebuilt binaries (e.g. toolchain, Linux kernel, &#8230;). While these binaries could be rebuilt from source, the needed steps are not covered in this tutorial.<\/span><\/li>\n<li><span class=\"highlight\">The source code for the vendor blobs required for using many hardware components of the Nexus 5X is not publicly available!<\/span><\/li>\n<li><span class=\"highlight\">The tool &#8220;android-prepare-vendor&#8221; used to extract the proprietary vendor files uses prebuilt binaries itself (some even externally hosted).<\/span><\/li>\n<\/ul>\n<h2 id=\"requirements-and-assumptions\">Requirements and assumptions<\/h2>\n<p>The tutorial assumes that you have the following prerequisites (other versions\/distributions might work as well but could require other or additional packages):<\/p>\n<ul>\n<li>a Nexus 5X with an unlocked bootloader (unlocking is not covered in this tutorial)<\/li>\n<li>a (virtual) machine running Debian 9 in the x86_64 variant, used exclusively for our purpose (we assume you use sudo; if not, adapt the commands)<\/li>\n<li>at least 5 GB of RAM (more is better)<\/li>\n<li>approx. 200 MB of disk space<\/li>\n<li>a fast internet connection (we need to download around 30G of data)<\/li>\n<\/ul>\n<h2 id=\"installing-dependencies\">Installing dependencies<\/h2>\n<p>First, install 
dependencies as described in the LineageOS build instructions [3] (AOSP build instructions do not provide this list):<\/p>\n<p class=\"command\">sudo apt install bc bison build-essential ccache curl flex g++-multilib gcc-multilib git gnupg gperf imagemagick lib32ncurses5-dev lib32readline-dev lib32z1-dev liblz4-tool libncurses5-dev libsdl1.2-dev libssl-dev libwxgtk3.0-dev libxml2 libxml2-utils lzop pngcrush rsync schedtool squashfs-tools xsltproc zip zlib1g-dev<\/p>\n<p>Now, install additional dependencies:<\/p>\n<p class=\"command\">sudo apt install cmake zip unzip openjdk-8-jdk-headless<\/p>\n<p>Then, set up a bin path in your home directory (in Debian 9 this path is automatically configured in the bash profile):<\/p>\n<p class=\"command\">mkdir -p ~\/bin<\/p>\n<p>Install the repo command:<\/p>\n<p class=\"command\">curl https:\/\/storage.googleapis.com\/git-repo-downloads\/repo &gt; ~\/bin\/repo<br \/>chmod a+x ~\/bin\/repo<\/p>\n<p>Verify the repo binary&#8217;s checksum. It should be <code>e147f0392686c40cfd7d5e6f332c6ee74c4eab4d24e2694b3b0a0c037bf51dc5<\/code> for the current version 1.23; for later versions, check the AOSP build instructions page [4]. Use the following command to compute the checksum:<\/p>\n<p class=\"command\">sha256sum ~\/bin\/repo<\/p>\n<p>Next, provide a git identity by running the following commands (you can leave the example data in if you prefer to remain anonymous):<\/p>\n<p class=\"command\">git config --global user.email &quot;you@example.com&quot;<\/p>\n<p class=\"command\">git config --global user.name &quot;Your Name&quot;<\/p>\n<p>Unfortunately, the brotli package (required to pack the builds) in Debian 9 is too old, so we need to build the current version ourselves. 
First, get the source code:<\/p>\n<p class=\"command\">git clone https:\/\/github.com\/google\/brotli.git<\/p>\n<p>Change into its directory and run the build (replace <span class=\"highlight\">-j15<\/span> with the number of your CPU threads):<\/p>\n<p class=\"command\">cd ~\/brotli<\/p>\n<p class=\"command\">.\/configure-cmake<\/p>\n<p class=\"command\">make -j15<\/p>\n<p>Then, copy the resulting binary to our bin path:<\/p>\n<p class=\"command\">cp brotli ~\/bin\/<\/p>\n<p>Finally, log out and log in again so your bash profile is re-read.<\/p>\n<h2 id=\"getting-the-vendor-blobs\">Getting the vendor blobs<\/h2>\n<p>There are several issues with using the vendor blobs from the binary driver packages provided by Google (see [5]). To solve them, we use the set of external scripts &#8220;android-prepare-vendor&#8221; by &#8220;anestisb&#8221; that extracts the vendor blobs from the factory images instead.<\/p>\n<p>First, clone the repository:<\/p>\n<p class=\"command\">git clone https:\/\/github.com\/anestisb\/android-prepare-vendor.git<\/p>\n<p>Using Google&#8217;s site [6], find out the latest build tag for your Nexus 5X (currently it is <span class=\"highlight\">OPM6.171019.030.K1<\/span>).<\/p>\n<p>Change to the repository, create an output directory and run the script (we run the script as root due to issues with fuse in Debian 9):<\/p>\n<p class=\"command\">cd android-prepare-vendor<\/p>\n<p class=\"command\">mkdir bullhead-blobs<\/p>\n<pre><code>sudo .\/execute-all.sh -k -d bullhead -a bullhead -b OPM6.171019.030.K1 -o bullhead-blobs<\/code><\/pre>\n<h2 id=\"downloading-aosp-sources\">Downloading AOSP sources<\/h2>\n<p><span class=\"highlight\">Note: The following steps lack instructions for verifying the downloaded source.<\/span><\/p>\n<p>First, create a directory where the sources will be stored:<\/p>\n<p class=\"command\">mkdir -p ~\/aosp<\/p>\n<p>Knowing the current build tag for the Nexus 5X, find out what the corresponding Android tag is using the 
overview available at [6]. Then, check out the Android manifest for the corresponding branch (in this example, we use <span class=\"highlight\">android-8.1.0_r46<\/span>):<\/p>\n<p class=\"command\">cd ~\/aosp<\/p>\n<pre class=\"devsite-terminal\" is-upgraded=\"\">repo init -u https:\/\/android.googlesource.com\/platform\/manifest -b android-8.1.0_r46<\/pre>\n<p>Now, you can edit the <span class=\"highlight\">~\/aosp\/.repo\/manifest.xml<\/span> to exclude certain repositories or to include others (note: this is purely optional). Use <span class=\"highlight\">&lt;!--<\/span> and <span class=\"highlight\">--&gt;<\/span> as usual in XML to comment out repositories. I recommend excluding\/replacing the following:<\/p>\n<ul>\n<li><span class=\"highlight\">&lt;project path=&quot;packages\/apps\/QuickSearchBox&quot; name=&quot;platform\/packages\/apps\/QuickSearchBox&quot; groups=&quot;pdk-fs&quot; \/&gt;<\/span> &#8211; the QuickSearchBox is mostly broken in AOSP anyway<\/li>\n<li><span class=\"highlight\">&lt;project path=&quot;device\/lge\/bullhead&quot; name=&quot;device\/lge\/bullhead&quot; groups=&quot;device,bullhead,pdk&quot; \/&gt;<\/span> &#8211; replace this with a repository that contains a patched device tree where the two faulty CPU cores are disabled. This comes with a ~30% performance penalty. 
This is still recommended even if your Nexus 5X is not affected by the bootloop, as it is likely to be affected in the future.<\/li>\n<li><span class=\"highlight\">&lt;project path=&quot;packages\/apps\/Calendar&quot; name=&quot;platform\/packages\/apps\/Calendar&quot; groups=&quot;pdk-fs&quot; \/&gt;<\/span> &#8211; there are better alternatives to the stock AOSP calendar you can install later (such as Etar)<\/li>\n<li><span class=\"highlight\">&lt;project path=&quot;packages\/apps\/Messaging&quot; name=&quot;platform\/packages\/apps\/Messaging&quot; groups=&quot;pdk-fs&quot; \/&gt;<\/span> &#8211; Silence.im is a better alternative for the AOSP messaging app<\/li>\n<li><span class=\"highlight\">&lt;project path=&quot;packages\/apps\/Camera2&quot; name=&quot;platform\/packages\/apps\/Camera2&quot; groups=&quot;pdk-fs&quot; \/&gt;<\/span> &#8211; OpenCamera is a better alternative for the stock camera<\/li>\n<\/ul>\n<p>Now, fetch all the repositories (can take a long time, mostly depending on your internet connection):<\/p>\n<p class=\"command\">repo sync<\/p>\n<p>Finally, copy the previously generated vendor blobs as root (this is required, or qmus and other blobs will be missing and cause later compilation failure) into the vendor directory of your AOSP tree (replace the factory build number by the current one):<\/p>\n<p class=\"command\">sudo cp -av ~\/android-prepare-vendor\/bullhead-blobs\/bullhead\/opm6.171019.030.k1\/vendor .<\/p>\n<p class=\"command\">sudo cp -av ~\/android-prepare-vendor\/bullhead-blobs\/bullhead\/opm6.171019.030.k1\/vendor_overlay .<\/p>\n<p>Make your user the owner of the vendor directories (or the build will fail later). 
Replace <span class=\"highlight\">yourusername<\/span> with your actual username:<\/p>\n<p class=\"command\">sudo chown -R yourusername:yourusername ~\/aosp\/vendor<\/p>\n<p class=\"command\">sudo chown -R yourusername:yourusername ~\/aosp\/vendor_overlay<\/p>\n<h2 id=\"generating-keys\">Generating Keys<\/h2>\n<p>Set the build variables:<\/p>\n<p class=\"command\">source build\/envsetup.sh<\/p>\n<p>Build the tool needed for generating the verity key:<\/p>\n<p class=\"command\"><code>make generate_verity_key<\/code><\/p>\n<p>Create a directory for storing your keys (CopperheadOS docs [2] recommend using a separate key for each device, in this case <span class=\"highlight\">bullhead<\/span>):<\/p>\n<p class=\"command\"><code>mkdir -p keys\/bullhead<\/code><\/p>\n<p>Now it's time to generate the keys (do not set passwords on your keys):<\/p>\n<p class=\"command\"><code>cd keys\/bullhead<\/code><\/p>\n<p class=\"command\"><code>..\/..\/development\/tools\/make_key releasekey '\/C=DE\/ST=Hometown\/L=XX\/O=yournamehere\/OU=yournamehere\/CN=yournamehere\/emailAddress=noreply@noreply.foo'<\/code><\/p>\n<p class=\"command\"><code>..\/..\/development\/tools\/make_key platform '\/C=DE\/ST=Hometown\/L=XX\/O=yournamehere\/OU=yournamehere\/CN=yournamehere\/emailAddress=noreply@noreply.foo'<\/code><\/p>\n<p class=\"command\"><code>..\/..\/development\/tools\/make_key shared '\/C=DE\/ST=Hometown\/L=XX\/O=yournamehere\/OU=yournamehere\/CN=yournamehere\/emailAddress=noreply@noreply.de'<\/code><\/p>\n<p class=\"command\"><code>..\/..\/development\/tools\/make_key media '\/C=DE\/ST=Hometown\/L=XX\/O=yournamehere\/OU=yournamehere\/CN=yournamehere\/emailAddress=noreply@noreply.foo'<\/code><\/p>\n<p class=\"command\"><code>..\/..\/development\/tools\/make_key verity '\/C=DE\/ST=Hometown\/L=XX\/O=yournamehere\/OU=yournamehere\/CN=yournamehere\/emailAddress=noreply@noreply.foo'<\/code><\/p>\n<p class=\"command\"><code>cd ~\/aosp<\/code><\/p>\n<p>Convert the verity key to the format required by AOSP:<\/p>\n<p class=\"command\"><code>out\/host\/linux-x86\/bin\/generate_verity_key -convert keys\/bullhead\/verity.x509.pem keys\/bullhead\/verity_key<\/code><\/p>\n<h2 id=\"compiling\">Compiling<\/h2>\n<p>Make sure your build variables are set:<\/p>\n<p class=\"command\">cd ~\/aosp<\/p>\n<p class=\"command\">source build\/envsetup.sh<\/p>\n<p>Select the user lunch configuration for the bullhead device (replace user by userdebug if you want a userdebug configuration instead):<\/p>\n<p class=\"command\">lunch aosp_bullhead-user<\/p>\n<p>Disable Jack (it often causes compile trouble and has been deprecated in Android 9 anyway):<\/p>\n<p class=\"command\">export ANDROID_COMPILE_WITH_JACK=false<\/p>\n<p>Compile the target-files-package (replace <span class=\"highlight\">-j15<\/span> with the number of your CPU threads):<\/p>\n<p class=\"command\">make target-files-package -j15<\/p>\n<h2 
id=\"packaging-and-signing\">Packaging and signing<\/h2>\n<p>Create a directory to store the output files (outside of the usual build directory named <span class=\"highlight\">out<\/span>):<\/p>\n<p class=\"command\">mkdir dist<\/p>\n<p>Run the dist target (replace <span class=\"highlight\">-j15<\/span> with the number of your CPU threads):<\/p>\n<p class=\"command\">make dist -j15<\/p>\n<p>Create a signed-target-files package, replacing the default test keys with your keys (replace <span class=\"highlight\">yourusername<\/span> with your actual username on the system):<\/p>\n<p class=\"command\">build\/tools\/releasetools\/sign_target_files_apks -o -d keys\/bullhead --replace_verity_public_key keys\/bullhead\/verity_key.pub --replace_verity_private_key keys\/bullhead\/verity --replace_verity_keyid keys\/bullhead\/verity.x509.pem out\/dist\/aosp_bullhead-target_files-eng.yourusername.zip dist\/signed-target-files.zip<\/p>\n<p>Create a signed OTA package:<\/p>\n<p class=\"command\"><code>build\/tools\/releasetools\/ota_from_target_files -k keys\/bullhead\/releasekey dist\/signed-target-files.zip dist\/signed-ota-update.zip<\/code><\/p>\n<h2 id=\"flashing\">Flashing<\/h2>\n<p>Boot your Nexus 5X device into the bootloader (hold volume down, then hit power).<\/p>\n<p>Connect your device via USB to your machine (and make it available to the VM in case you build in a VM). 
You can also copy the contents from the dist directory to another machine and flash from there, but we assume you flash using the fastboot\/adb binaries built from AOSP sources (if you flash from outside, make sure your fastboot binary is recent).<\/p>\n<p>Unpack the images from the signed-target-files.zip:<\/p>\n<p class=\"command\">cd ~\/aosp\/dist<\/p>\n<p class=\"command\">unzip signed-target-files.zip 'IMAGES\/*'<\/p>\n<p>Now, flash all the images:<\/p>\n<p class=\"command\">..\/out\/host\/linux-x86\/bin\/fastboot flash boot IMAGES\/boot.img<\/p>\n<p class=\"command\">..\/out\/host\/linux-x86\/bin\/fastboot flash recovery IMAGES\/recovery.img<\/p>\n<p class=\"command\">..\/out\/host\/linux-x86\/bin\/fastboot flash vendor IMAGES\/vendor.img<\/p>\n<p class=\"command\">..\/out\/host\/linux-x86\/bin\/fastboot flash system IMAGES\/system.img<\/p>\n<p>Select &#8220;reboot system&#8221; using your device&#8217;s physical buttons and make sure your new system works.<\/p>\n<p>Finally, reboot back to the bootloader, and re-lock it (will erase all data):<\/p>\n<p class=\"command\">..\/out\/host\/linux-x86\/bin\/fastboot flashing lock<\/p>\n<p>That&#8217;s it!<\/p>\n<h2 id=\"setting-separate-bootlockscreen-secrets\">Setting separate boot\/lockscreen secrets<\/h2>\n<p>Setting a separate boot\/lockscreen password can be done with a small trick:<\/p>\n<ul>\n<li>Unlock the bootloader (wipes all data)<\/li>\n<li>compile and flash a userdebug build (see above)<\/li>\n<li>lock the bootloader<\/li>\n<li>set a lockscreen pin\/password using the Android UI. 
Make sure you choose the right one because you won&#8217;t be able to change it again without wiping your data once you switch to the user build.<\/li>\n<li>connect to the device via adb<\/li>\n<li>as root, run the following command: <code>vdc cryptfs changepw password your-new-password<\/code><\/li>\n<li>reboot, and make sure it works<\/li>\n<li>compile a regular user build (do not unlock the bootloader!)<\/li>\n<li>flash the user build<\/li>\n<\/ul>\n<p>Note: Without additional steps, the recovery does not allow flashing older builds. Thus, you need to flash a user build that is newer than your userdebug build!<\/p>\n<h2 id=\"handling-updates\">Handling updates<\/h2>\n<p>If you want to upgrade to a newer AOSP release, you first need to find out the new release number.<\/p>\n<p>Then, wipe the old manifest (make a backup, in case you made changes you want to redo on the updated one):<\/p>\n<p class=\"command\">cd ~\/aosp<\/p>\n<p class=\"command\">rm -rf .repo\/manifests.git<\/p>\n<p class=\"command\">rm -rf .repo\/manifest.xml<\/p>\n<p>Also, wipe the (then outdated) vendor blobs and the prepare-vendor repository:<\/p>\n<p class=\"command\">rm -rf ~\/android-prepare-vendor<\/p>\n<p class=\"command\">rm -rf vendor<\/p>\n<p class=\"command\">rm -rf vendor_overlay<\/p>\n<p>Also, clean the build tree and the build artifacts:<\/p>\n<p class=\"command\">rm -rf out<\/p>\n<p class=\"command\">rm -rf dist<\/p>\n<p>Then, redo <strong>ONLY<\/strong> the following steps:<\/p>\n<ul>\n<li>Getting the vendor blobs<\/li>\n<li>Downloading AOSP sources (this will be much quicker, because only the changes will be pulled in)<\/li>\n<li>Compiling<\/li>\n<li>Packaging and signing<\/li>\n<\/ul>\n<p>In theory, you should be able to sideload updates as new OTA packages from recovery without wiping (since they will be signed with the same &#8211; your &#8211; keys). In practice, it does not work yet (see the next section). 
Therefore, you will have to proceed as follows:<\/p>\n<ul>\n<li>Back up all your data<\/li>\n<li>Unlock the bootloader (your data will be wiped)<\/li>\n<li>Flash the updated images and re-lock your bootloader as described in the section &#8220;Flashing&#8221;<\/li>\n<\/ul>\n<h2 id=\"wip-signed-ota-updates\">WIP: Signed OTA updates<\/h2>\n<p><span class=\"highlight\">This section is WIP; the described instructions do not work yet!<\/span><\/p>\n<p>In theory, it should be possible to create and flash signed OTA updates from recovery. However, all my attempts to do this resulted in a &#8220;Signature verification failed&#8221; error. Since this works when using the Google-supplied vendor files directly instead of using android-prepare-vendor, I assume it is related to the vendor files or other files (like the bootloader or radio images) not being properly signed.<\/p>\n<p>Create the signed OTA package as follows:<\/p>\n<p class=\"command\"><code>build\/tools\/releasetools\/ota_from_target_files -k keys\/bullhead\/releasekey dist\/signed-target-files.zip dist\/signed-ota-update.zip<\/code><\/p>\n<p>Reboot to recovery using your device&#8217;s physical buttons.<\/p>\n<p>In recovery, you will see a small Android symbol. 
Hold down the power button and press volume up to get into the recovery menu.<\/p>\n<p>Now, select &#8220;update from adb&#8221; using your device&#8217;s physical buttons.<\/p>\n<p>Sideload your signed OTA package:<\/p>\n<p class=\"command\">out\/host\/linux-x86\/bin\/adb sideload dist\/<code>signed-ota-update.zip<\/code><\/p>\n<h2 id=\"references\">References<\/h2>\n<p>[1] https:\/\/www.reddit.com\/r\/CopperheadOS\/comments\/8qdnn3\/goodbye\/<\/p>\n<p>[2] https:\/\/copperhead.co\/android\/docs\/building<\/p>\n<p>[3] https:\/\/wiki.lineageos.org\/devices\/bullhead\/build<\/p>\n<p>[4] https:\/\/source.android.com\/setup\/build\/downloading<\/p>\n<p>[5] https:\/\/github.com\/anestisb\/android-prepare-vendor<\/p>\n<p>[6] https:\/\/source.android.com\/setup\/start\/build-numbers.html#source-code-tags-and-builds<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Disclaimer and License All data and information provided in this tutorial is for informational purposes only. 
The author makes no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this tutorial and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[],"class_list":["post-6929","post","type-post","status-publish","format-standard","hentry","category-36"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/6929","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=6929"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/6929\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=6929"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=6929"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=6929"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}