[Knowledge] GSI (Generic System Image, Android 10.0) on Lenovo TB-J606F (Xiaoxin Pad) with Magisk Rooted

0x00 Menu

0x01 The Bootloader

CN variant

    For CN-variant stock ROMs, unlocking the bootloader is straightforward from a computer with fastboot (android-tools-fastboot) installed.
Notice: back up your tablet first! Unlocking the bootloader wipes all personal data on the device, including your apps, videos and pictures.
    1. Tap Build number 7 times in System Settings > About
    2. Go back and enter Developer Options
    3. Turn on OEM unlocking
    4. Turn off your tablet, then boot it into fastboot mode by holding POWER & Vol-
    5. Connect the tablet to your computer, open a command line (cmd under Windows), type fastboot flashing unlock OR fastboot oem unlock-go and press enter.
    6. Look at the tablet, move the highlight to the option starting with Unlock... with the volume keys, and press POWER to unlock the device.

Other

    But OEM unlocking does not seem to be available on the other variants, and fastboot is cut down as well to make tampering harder. Sometimes modifying the stock firmware files (9008-flashable files) does the trick.

0x02 AVB or Android Verified Boot

    Most Android devices launched with Android 9+ ship with AVB 2.0 enabled, which stops users from booting custom firmware/ROMs. Two flag bits inside the vbmeta images record whether verified boot is disabled. They can be set with fastboot (using the vbmeta.img and vbmeta_system.img from the downloaded stock firmware) or with adb, and this should be done before flashing a GSI; otherwise the device may refuse to boot into the system and fall back into fastboot.

fastboot:

  • fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
  • fastboot flash --disable-verity --disable-verification vbmeta_system vbmeta_system.img

adb:

  • adb disable-verity # needs adbd running as root (adb root), i.e. a userdebug build or an already rooted device
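As an added illustration (not part of the original notes), this Python reads the two flag bits the paragraph refers to straight out of a vbmeta image header and shows what the fastboot --disable-* options change before flashing. The 256-byte sample header is constructed inline; the offsets follow the AVB header layout (flags at byte 120, all fields big-endian).

```python
import struct

AVB_MAGIC = b"AVB0"
AVB_HEADER_LEN = 256                  # sizeof(AvbVBMetaImageHeader)
FLAGS_OFFSET = 120                    # uint32 flags; AVB fields are big-endian
FLAG_HASHTREE_DISABLED = 1 << 0       # the bit --disable-verity sets
FLAG_VERIFICATION_DISABLED = 1 << 1   # the bit --disable-verification sets


def vbmeta_flags(image: bytes) -> dict:
    """Report the verified-boot state recorded in a vbmeta image header."""
    if len(image) < AVB_HEADER_LEN or image[:4] != AVB_MAGIC:
        raise ValueError("not an AVB 2.0 vbmeta image (no AVB0 magic)")
    major, minor = struct.unpack_from(">II", image, 4)
    rollback_index, flags = struct.unpack_from(">QI", image, 112)
    return {
        "libavb_version": f"{major}.{minor}",
        "rollback_index": rollback_index,
        "flags": flags,
        "verity_disabled": bool(flags & FLAG_HASHTREE_DISABLED),
        "verification_disabled": bool(flags & FLAG_VERIFICATION_DISABLED),
    }


def patch_vbmeta_flags(image: bytes, disable_verity: bool,
                       disable_verification: bool) -> bytes:
    """Copy of the image with the requested bits set, which is what fastboot
    does before flashing when given the --disable-* options. The header then
    no longer matches its signature, so it only boots with an unlocked
    bootloader (see 0x01)."""
    flags = vbmeta_flags(image)["flags"]          # also validates the header
    if disable_verity:
        flags |= FLAG_HASHTREE_DISABLED
    if disable_verification:
        flags |= FLAG_VERIFICATION_DISABLED
    out = bytearray(image)
    struct.pack_into(">I", out, FLAGS_OFFSET, flags)
    return bytes(out)


def make_sample_vbmeta(flags: int = 0) -> bytes:
    """Constructed 256-byte header for offline testing, not a real device image."""
    hdr = bytearray(AVB_HEADER_LEN)
    hdr[:4] = AVB_MAGIC
    struct.pack_into(">II", hdr, 4, 1, 0)             # required libavb 1.0
    struct.pack_into(">Q", hdr, 112, 3)               # rollback index 3
    struct.pack_into(">I", hdr, FLAGS_OFFSET, flags)
    return bytes(hdr)
```

Run vbmeta_flags() on the stock vbmeta.img before and after flashing to confirm which of the two bits the device is actually booting with.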

0x03 Super Partition or Dynamic Partitions

    Android 10 (also the J606F's launch system) introduced a new partition scheme called Dynamic Partitions: the system*, vendor* and product* partitions are merged into one new partition, super. It is backed by Device Mapper, and AVB and the other verification/encryption layers are enabled by default.
    super is safer, much like ChromeOS's use of Device Mapper and kernel-level decryption. However, it makes flashing third-party images harder for users because the system partition lives inside it. One solution is to make the mapped device writable and then write the raw custom image to the mapped system partition.
    For this, I used blockdev to make the mapper devices writable and dd to flash the image, over adb connected to a custom recovery. There is only one custom recovery available, an unofficial TWRP based on the CN variant (kernel).
    Boot the tablet into TWRP and connect it to the computer. Type the commands below into your computer's cmd or terminal.
# Convert the sparse GSI to a raw image first. I used Karl Zheng's version of simg2img.py, which writes the raw image as tmp.img
python2 simg2img.py Havoc-OS-GSI.sparse.img
# Copy the raw image to the tablet (/data must be mounted in TWRP)
adb push tmp.img /data/
# Make the mapped system partition writable
adb shell blockdev --setrw /dev/block/mapper/system
# Write the raw image; this destination requires a System-as-root GSI
adb shell dd if=/data/tmp.img of=/dev/block/mapper/system

0x04 A/B Partitions

    Want to update the system while it is running and have the update take effect after a reboot? That is what A/B partitions do. The bootloader boots the device from partition A by default, and updates are installed to partition B. After a reboot the system data is copied (from B to A), which finishes in recovery.
    With A/B, system becomes system_a & system_b, boot becomes boot_a & boot_b, and so on.
    As said in 0x03, the super partition contains system*, vendor* and product*. The * is a metacharacter (wildcard), so system* can be system, system_a or system_b; in most cases you find either system alone or the pair system_a & system_b.
    But the J606F is an exception. Its super contains both system and system_a but no system_b, which is really strange. Once I tried to write the GSI into system_a and got "No space left on device." (writing into system works), which confused me a lot.
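Added example, not the author's script: a small simg2img in Python for the sparse-to-raw step in 0x03, plus the size check against the mapped partition that is worth running before the dd in 0x03, since a raw image larger than the mapped device is one way to end up with the "No space left on device" error mentioned in 0x04. The sample sparse image is constructed in the block; on a real device the partition size would come from adb shell blockdev --getsize64.

```python
import struct

SPARSE_MAGIC = 0xED26FF3A                       # sparse_header_t.magic
CHUNK_RAW, CHUNK_FILL = 0xCAC1, 0xCAC2
CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC3, 0xCAC4

def sparse_header(simg: bytes) -> dict:
    """Parse the 28-byte little-endian sparse_header_t."""
    (magic, major, _minor, hdr_sz, chunk_hdr_sz, blk_sz,
     total_blks, total_chunks, _crc) = struct.unpack_from("<IHHHHIIII", simg, 0)
    if magic != SPARSE_MAGIC or major != 1 or hdr_sz != 28 or chunk_hdr_sz != 12:
        raise ValueError("not an Android sparse image")
    return {"blk_sz": blk_sz, "total_blks": total_blks,
            "total_chunks": total_chunks, "raw_size": blk_sz * total_blks}

def simg2img(simg: bytes) -> bytes:
    """Expand a sparse image to the raw bytes dd expects (the tmp.img step)."""
    h = sparse_header(simg)
    out, pos = bytearray(), 28
    for _ in range(h["total_chunks"]):
        ctype, _res, chunk_blks, total_sz = struct.unpack_from("<HHII", simg, pos)
        body = simg[pos + 12:pos + total_sz]          # chunk_header_t is 12 bytes
        n = chunk_blks * h["blk_sz"]
        if ctype == CHUNK_RAW and len(body) == n:
            out += body
        elif ctype == CHUNK_FILL and len(body) == 4:  # 4-byte pattern over n bytes
            out += body * (n // 4)
        elif ctype == CHUNK_DONT_CARE:                # unallocated blocks: zeros
            out += bytes(n)
        elif ctype != CHUNK_CRC32:                    # CRC32 chunks carry no blocks
            raise ValueError(f"bad chunk type {ctype:#x} at offset {pos}")
        pos += total_sz
    if len(out) != h["raw_size"]:
        raise ValueError("chunks do not add up to total_blks")
    return bytes(out)

def fits_partition(raw_size: int, partition_size: int) -> bool:
    """Compare with `adb shell blockdev --getsize64 /dev/block/mapper/system` before dd."""
    return raw_size <= partition_size

def make_sample_sparse(blk_sz: int = 4096) -> bytes:
    """Constructed 3-block image (RAW, FILL, DONT_CARE), not a real GSI."""
    raw = bytes(range(256)) * (blk_sz // 256)
    body = (struct.pack("<HHII", CHUNK_RAW, 0, 1, 12 + blk_sz) + raw
            + struct.pack("<HHII", CHUNK_FILL, 0, 1, 16) + b"\xAA\xBB\xCC\xDD"
            + struct.pack("<HHII", CHUNK_DONT_CARE, 0, 1, 12))
    hdr = struct.pack("<IHHHHIIII", SPARSE_MAGIC, 1, 0, 28, 12, blk_sz, 3, 3, 0)
    return hdr + body
```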

0x05 System-as-root

    As is well known, Android needs several partitions to boot, such as boot, system (/system) and userdata (/data). boot holds the kernel, initramfs, dtb, etc. The initramfs usually contains the boot scripts, so boot drives the whole boot process, including hardware initialization and partition mounting.
    System-as-root lets a new system boot fully on its own without two partitions having to be modified at the same time. The only two things boot still has to do are AVB (see 0x02) and switching to the new root.
    By the way, porting a legacy device from the regular boot method to System-as-root is quite simple, since init does most of the work. A file named fstab* tells the system how to mount the necessary partitions. Merge the initramfs (extracted from boot.img) and system (copied into /system/ of the initramfs), then remove the system mount point from fstab (just delete the whole line containing system).
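The fstab step above, as an added example that is not part of the original notes: instead of deleting any line that contains the word system, it parses the five-column Android fstab format and drops only the entry whose mount-point field matches, so other entries whose device path happens to contain "system" survive. The sample fstab is constructed and is not the J606F's real one.

```python
# Android fstab entry: <src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>
def parse_fstab(text: str) -> list:
    """Return (line, fields) pairs; fields is None for comments and blank lines."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        fields = None if not stripped or stripped.startswith("#") else stripped.split()
        if fields is not None and len(fields) < 5:
            raise ValueError(f"malformed fstab entry: {line!r}")
        entries.append((line, fields))
    return entries


def drop_mount(text: str, mnt_point: str) -> str:
    """Remove the entry for one mount point. Matching on the mount-point field
    keeps other lines that merely contain the word, e.g. in a device path."""
    kept = [line for line, fields in parse_fstab(text)
            if fields is None or fields[1] != mnt_point]
    return "\n".join(kept) + "\n"


# Constructed sample, not the J606F's real fstab
SAMPLE_FSTAB = """\
# partitions for a system-as-root port
/dev/block/bootdevice/by-name/system    /system  ext4  ro,barrier=1  wait,avb
/dev/block/bootdevice/by-name/vendor    /vendor  ext4  ro,barrier=1  wait,avb
/dev/block/bootdevice/by-name/userdata  /data    f2fs  noatime       wait,check
"""
```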

0x06 Project Treble

    Do you want to port third-party Android distributions to your device? Before Project Treble, the only way to port another Android distribution to a phone was to rebuild the kernel so that the modules would work for that specific ROM, since vendors built their drivers only for their own OS and phones. Project Treble makes drivers loadable modules that are built only against the kernel and have nothing to do with the Java side of Android. With the help of the Android Mainline project, installing pure mainline Linux kernels on phones may also become possible, although that project still carries some Android-only patches.

[To Be Continued]