Magisk: Unable to patch init scripts via overlay system on system-as-root devices

Created on 14 Jul 2020 · 7 Comments · Source: topjohnwu/Magisk

Setup

  • Pixel3a (SAR + A/B)
  • Android 10 June 2020
  • Magisk stable (2.4) & canary (latest)

Problems

  • Unable to patch an init script during the boot process

Objective

  • Patch init scripts to enable adb (for brevity, let's write an empty file in /data/local/tmp/pwned as POC)

Info

  • After reading Magisk docs about the root directory overlay system and failing plenty of times while testing and more testing, I decided to ask for some pointers. Also to mention that I read some examples where the folder [ramdisk]/overlay.d/ was used to disable Magisk modules 1, 2, 3, thus I attempted to reproduce the behavior with no success so far.

Test Done

  1. Patch a boot.img via MagiskManager (file: boot_root.img)
  2. Flash this image & verify it works fine
  3. Magisk boots from recovery after kernel patches
  4. Unpack boot_root.img
  5. Create overlay.d folder in the ramdisk and init RC (it'll be somehow concatenated to init.rc) and shell script in sbin
  6. Repack into boot_root_overlay.img
  7. Fastboot and flash-boot the generated Magisk-patched boot image

Steps 4, 5 and 6

./magiskboot unpack boot_root.img
./magiskboot cpio ramdisk.cpio "add 700 overlay.d/init.custom.rc init.custom.rc"
./magiskboot cpio ramdisk.cpio "add 700 overlay.d/sbin/custom.sh init.custom.sh"
./magiskboot repack boot_root.img

init.custom.rc

on property:sys.boot_completed=1
    exec u:r:magisk:s0 root root -- /sbin/init.custom.sh
    #exec_background u:r:magisk:s0 -- /sbin/init.custom.sh

init.custom.sh

#!/system/bin/sh

# setprop persist.sys.usb.config adb,mtp
# setprop persist.service.adb.enable 1
# /system/bin/adbd &

touch /data/local/tmp/pwned && reboot # as proof-of-concept

All 7 comments

./magiskboot unpack boot_root.img
./magiskboot cpio ramdisk.cpio \
"mkdir 0700 overlay.d" \
"add 0700 overlay.d/init.custom.rc init.custom.rc" \
"mkdir 0700 overlay.d/sbin" \
"add 0700 overlay.d/sbin/custom.sh init.custom.sh"
./magiskboot repack boot_root.img
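
Added example, not part of the thread or of Magisk's code: the commands in this comment differ from the original attempt in creating overlay.d and overlay.d/sbin with mkdir before the add steps. The sketch below parses a newc-format cpio ramdisk and reports overlay.d paths whose parent directories have no directory entry of their own. The two sample archives are constructed to mirror the two command sets; that magiskboot writes exactly these entries is an assumption.

```python
import stat

def _pad4(n):
    return (n + 3) & ~3          # newc aligns names and data to 4 bytes

def build_newc(entries):
    """Build a minimal newc archive from (name, mode, data) tuples (sample input only)."""
    out = b""
    for name, mode, data in entries + [("TRAILER!!!", 0, b"")]:
        nm = name.encode() + b"\0"
        fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
        out += b"070701" + b"".join(b"%08X" % f for f in fields) + nm
        out += b"\0" * (_pad4(len(out)) - len(out))
        out += data
        out += b"\0" * (_pad4(len(out)) - len(out))
    return out

def list_newc(blob):
    """Return {name: mode} for every entry in a newc cpio archive."""
    entries, off = {}, 0
    while off + 110 <= len(blob):
        if blob[off:off + 6] not in (b"070701", b"070702"):
            raise ValueError("not a newc header at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + 110: off + 110 + namesize - 1].decode()
        off = _pad4(_pad4(off + 110 + namesize) + size)   # skip name, then data
        if name == "TRAILER!!!":
            break
        entries[name] = mode
    return entries

def missing_parents(entries, prefix="overlay.d"):
    """Directories under prefix that are implied by a path but have no dir entry."""
    missing = set()
    for name in entries:
        if name != prefix and not name.startswith(prefix + "/"):
            continue
        parts = name.split("/")
        for i in range(1, len(parts)):
            parent = "/".join(parts[:i])
            if not stat.S_ISDIR(entries.get(parent, 0)):
                missing.add(parent)
    return sorted(missing)

# Constructed samples: files only (original attempt) vs. directories plus files (this comment)
FILES = [("overlay.d/init.custom.rc", 0o100700, b"on property:sys.boot_completed=1\n"),
         ("overlay.d/sbin/custom.sh", 0o100700, b"#!/system/bin/sh\n")]
BEFORE = build_newc(FILES)
AFTER = build_newc([("overlay.d", 0o040700, b""), FILES[0],
                    ("overlay.d/sbin", 0o040700, b""), FILES[1]])
```

To check a real image, pass the bytes of the unpacked, uncompressed ramdisk.cpio to list_newc; the same listing also works as a quick audit of which overlay.d entries a boot image carries.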

Can someone explain this? I'm in the same situation... bootloop, no TWRP, no volume buttons for safemode, and giving a *.rc script command to disable isn't working

I'm afraid you need to elaborate a bit more on your issue if you expect some help. The solution is explained above, it worked on my end.

Is "magiskboot" something that I can run on my desktop? Or is it a binary that runs on the device? If it runs on the device, do I need to have root to use it? Basically I have two things I can currently do... have a bootloop with Magisk, or install stock and not have root because there is a module causing a bootloop.

I can't remove the module in TWRP because there is no TWRP for my rare Chinese tablet (Onyx Boox Max 3). I tried to compile a TWRP but there is no source code from the manufacturer so I was unsuccessful. There is only a home button and a power button on the device so I can't install canary Magisk and use the new safemode feature. And I also tried many different types of scripts by decompiling the ramdisk and having them run after init.rc but they don't run.

Magiskboot is part of the Magisk suite which is OSS, therefore you can compile it for desktop.

Why don't you enter fastboot mode and reflash the entire OS? Either way, you can leverage magiskboot to patch scripts or config files at boot time.

Thanks for the prompt reply... you mean reflash as in wiping data? I am doing anything I can to avoid that... I have a lot of info on there and it is normally rsynced to backup. But I just looked at my server and there hasn't been a successful backup in about 3 months apparently. So I am finding myself in an unfortunate position.

Okay, I think I got it to work but a slight new problem... the custom script has "touch /cache/.disable_magisk && reboot". If I fastboot flash the new image, then it just keeps rebooting over and over. At first I thought this is probably what would happen, then I realized that after reboot, it shouldn't be running that script anymore more than the first time since Magisk is then disabled, right?

EDIT: I just made a script that did "rm -rf /data/adb/*" and it seems to have worked
