GrapheneOS over the air updates (OTAs) patched with Magisk using avbroot allowing for AVB and locked bootloader and root access.
Can be upgraded over the air using Custota and its own OTA server.
Allows for switching between magisk and rootless via OTA upgrades.
⚠️ OS and root work in general. However, zygisk does not (and likely never will) work, leading to magisk being easily discovered by other apps and lots of banking apps not working.
See bellow for alternatives.
- Pixel 9 Pro
- Pixel 6
All other devices have been discontinued because the amount of GitHub actions minutes required for maintaining that many devices exceed my spending limit.
If you have the Magisk preinit string (see .github/workflows/release-multiple.yaml) for your device, you can easily fork this repo and build your own OTAs.
These are only changes related to rooted-graphene, not GrapheneOS itself.
See grapheneos.org/releases for that.
- Discontinued all devices but Pixel 6 and Pixel 9 Pro, because the amount of GitHub actions minutes required for
maintaining that many devices exceed my spending limit.
Please fork this repo and build your own OTAs. - Switch from custota signature file version 1 to 2 (introduced with custota 5 in october 2024)
- If you're using custoa magisk module version < 5, please upgrade.
Even better: Delete custota magisk module, because it is now packaged in the OTA.
- Start shipping custota app with OTA
- This allows for OTA updates even when rootless and relieves you of the burden to keep the magisk module up to date.
Starting with the next version, this will allow you to switch root and off by installing OTA updates! - In the
-magiskflavor of rooted-graphene, the custota magisk module should be automatically disabled on start. You can safely remove it. Custota is now a system app. - In the
-rootlessflavor the custota should be new, so no problems.
Except when you had it installed as magisk module before (using the-magiskflavor).
Then you shouldadb sideloadthe-magiskfirst. Then custota should work as a system app. Then you should be able to switch to-rootlesswith custota working. Here are some troubleshooting tipps.- test, if an upgrading works by long pressing
Versionin custota and then selectingAllow reinstall.
This way you can also switch from-magiskto-rootless(and back if everything works as planned). - you might have to change ownership or delete these files:
/sdcard/Android/data/com.chiller3.custota//data/ota_packagecare_map.pb
- test, if an upgrading works by long pressing
- Make sure the versions of the unpatched version initially installed and the one taken from this repo match.
- You might want to start with the version before the latest to try if OTA is working before initializing your device.
- Don't mix up factory image and OTA
- The following steps are basically the ones described at avbroot using the
avb_pkmd.binfrom this repo.
Using the web installier is easier, but will always install the latest version. So it's not possible to verify if OTA upgrades work right away.
Use the web installer to install GrapheneOS:
- Write down the installed version, e.g.
Downloaded caiman-install-2024123000.zip release. - Stop at
Locking the bootloaderand close the browser. We'll lock the bootloader later!
Alternative method to Web installer.
Download factory image and follow the official instructions to install GrapheneOS.
TLDR:
-
Enable OEM unlocking
-
Obtain latest
fastboot -
Unlock Bootloader: Enable usb debugging and execute
adb reboot bootloader, orThe easiest approach is to reboot the device and begin holding the volume down button until it boots up into the bootloader interface.
fastboot flashing unlock
-
flash factory image
bsdtar xvf DEVICE_NAME-factory-VERSION.zip # tar on windows and mac ./flash-all.sh # or .bat on windows
-
Stop after that and reboot (leave bootloader unlocked)
Once GrapheneOS is installed
-
Download the OTA from releases with the same version that you just installed.
-
Obtain latest
fastboot -
Install avbroot
-
Extract the partition images from the patched OTA that are different from the original.
avbroot ota extract \ --input /path/to/ota.zip.patched \ --directory extracted \ --fastboot -
Set this environment variable to match the extracted folder:
For Linux/macOS:
export ANDROID_PRODUCT_OUT=extractedFor Windows (powershell):
$env:ANDROID_PRODUCT_OUT = "extracted"
or (bat):
set ANDROID_PRODUCT_OUT=extracted
-
Flash the partitions using the command:
fastboot flashall --skip-reboot
-
Set up the custom AVB public key in the bootloader.
fastboot reboot-bootloader fastboot erase avb_custom_key curl -s https://raw.githubusercontent.com/schnatterer/rooted-graphene/main/avb_pkmd.bin > avb_pkmd.bin fastboot flash avb_custom_key avb_pkmd.bin -
[Optional] Before locking the bootloader, reboot into Android once to confirm that everything is properly signed.
Install the Magisk or KernelSU app and run the following command:adb shell su -c 'dmesg | grep libfs_avb'If AVB is working properly, the following message should be printed out:
init: [libfs_avb]Returning avb_handle with status: Success
-
Reboot back into fastboot and lock the bootloader. This will trigger a data wipe again.
fastboot flashing lock
-
Confirm by pressing volume down and then power. Then reboot.
-
Remember: Do not uncheck
OEM unlocking! (to avoid hard-bricking)
That is, in Graphene's startup wizard, leave this box unticked 👇️
Note: The OTA contains OEMUnlockOnBoot, so OEM locking should be impossible.
Still, better safe than sorry, keep it unlocked.
- Disable system updater app.
- Open Custota app and set the OTA server URL to point to this OTA server: https://schnatterer.github.io/rooted-graphene/magisk
Alternatively you could do updates manually via adb sideload:
- reboot the device and begin holding the volume down button until it boots up into the bootloader interface
- using volume buttons, toggle to recovery. Confirm by pressing power button
- If the screen is stuck at a
No commandmessage, press the volume up button once while holding down the power button. - using volume buttons, toggle to
Apply update from ADB. Confirm by pressing power button adb sideload xyz.zip- See also here.
To remove root, you can change to the "rootless" flavor.
To do so, set the following URL in custota: https://schnatterer.github.io/rooted-graphene/rootless/
And then upgrade.
(if custota should tell you that you're on the latest version, you can force an upgrade by long pressing Version and
then selecting Allow reinstall).
If you want to gain root again, just switch back to this URL in custota: https://schnatterer.github.io/rooted-graphene/magisk/ And then upgrade.
You can use the script in this repo to create your own OTAs and run your own OTA server.
# Generate keys
bash -c 'source rooted-ota.sh && generateKeys'
# Enter passphrases interactively
DEVICE_ID=oriole MAGISK_PREINIT_DEVICE='metadata' bash -c '. rooted-ota.sh && createRootedOta'
# Enter passphrases via env (e.g. on CI)
export PASSPHRASE_AVB=1
export PASSPHRASE_OTA=1
DEVICE_ID=oriole MAGISK_PREINIT_DEVICE='metadata' bash -c '. rooted-ota.sh && createRootedOta' For IDs see grapheneos.org/releases. For Magisk preinit see,e.g. here.
See GitHub actions for automating this:
- release single device
- release multiple devices regularly (using cron)
GITHUB_TOKEN=gh... \
GITHUB_REPO=schnatterer/rooted-graphene \
DEVICE_ID=oriole \
MAGISK_PREINIT_DEVICE=metadata \
bash -c '. rooted-ota.sh && createAndReleaseRootedOta'As magisk does not seem a perfect match for GrapheneOS, you might be looking for alternatives.
I had a first go at patching kernelsu which booted but did not provide root. Patching kernelsu is much more complex that patching magisk. It might even be impossible to run GrapheneOS with it, without building GrapheneOS from scratch. Also, some parts of kernelsu seem to be closed source, which feels suspicious and inappropriate for a tool with so much influence on your device.
Another alternative might be to use a version of magisk (like the one maintained by pixincreate) that contains patches to make zygisk work.
This still has some limitations, like certain modules checking for magisk's signature won't work.
Another option might be Kitsune magisk.
In general, using magisk and especially zygisk with Graphene seems to have the risk of breaking things with every new release.
It's good to have the rootless version as a fallback!
# DEBUG some parts of the script interactively
DEBUG=1 bash --init-file rooted-ota.sh
# Test loading secrets from env
PASSPHRASE_AVB=1 PASSPHRASE_OTA=1 bash -c '. rooted-ota.sh && key2base64 && KEY_AVB=doesnotexist createAndReleaseRootedOta'
# Avoid having to download OTA all over again: SKIP_CLEANUP=true or:
mkdir -p .tmp && ln -s $PWD/shiba-ota_update-2023121200.zip .tmp/shiba-ota_update-2023121200.zip
# Test only patching
export PASSPHRASE_AVB=x PASSPHRASE_OTA=y
SKIP_CLEANUP=true DEVICE_ID=oriole MAGISK_PREINIT_DEVICE='metadata' bash -c '. rooted-ota.sh && createRootedOta'
# Test only releasing
GITHUB_TOKEN=gh... \
DEBUG=true \
GITHUB_REPO=schnatterer/rooted-graphene \
OTA_VERSION=2025021100 \
RELEASE_ID='' \
bash -c '. rooted-ota.sh && releaseOta'
# Test only GH pages deployment
GITHUB_REPO=schnatterer/rooted-graphene \
DEVICE_ID=oriole \
MAGISK_PREINIT_DEVICE=metadata \
bash -c '. rooted-ota.sh && findLatestVersion && checkBuildNecessary && createOtaServerData && uploadOtaServerData'
# e2e test
GITHUB_TOKEN=gh... \
GITHUB_REPO=schnatterer/rooted-graphene \
DEVICE_ID=oriole \
MAGISK_PREINIT_DEVICE=metadata \
SKIP_CLEANUP=true \
DEBUG=1 \
bash -c '. rooted-ota.sh && createAndReleaseRootedOta'See release-multiple.yaml for examples.
How to extract:
- Get boot.img either from factory image or from OTA via
avbroot ota extract \ --input /path/to/ota.zip \ --directory . \ --boot-only - Install magisk, patch boot.img, look for this string in the output:
Pre-init storage partition device ID: <name> - Alternatively extract from the pachted boot.img:
avbroot boot magisk-info \ --image magisk_patched-*.img - See also: https://github.com/chenxiaolong/avbroot/blob/master/README.md#magisk-preinit-device
https://github.com/MuratovAS/grapheneos-magisk/blob/main/docker/Dockerfile
https://xdaforums.com/t/guide-to-lock-bootloader-while-using-rooted-otaos-magisk-root.4510295/