This commit is contained in:
eric
2026-04-04 15:52:20 -05:00
parent c59cd2da52
commit e141bc000f
3 changed files with 59 additions and 16 deletions

View File

@@ -29,9 +29,9 @@ It keeps only the parts that were actually used:
## Offline archive ## Offline archive
The repo tracks the offline bundle metadata under [offline](C:/Users/admin/Desktop/redroid-android13/offline). The large zip/apk/tar payloads are intentionally kept out of Git and should be stored locally under `offline/downloads/` and `offline/images/`. The repo tracks the offline bundle metadata under [offline](offline). The large zip/apk/tar payloads are intentionally kept out of Git and should be stored locally under `offline/downloads/` and `offline/images/`.
Use [offline/manifest.json](C:/Users/admin/Desktop/redroid-android13/offline/manifest.json) for checksums and source metadata, and [offline/README.md](C:/Users/admin/Desktop/redroid-android13/offline/README.md) for the expected local layout. Use [offline/manifest.json](offline/manifest.json) for checksums and source metadata, and [offline/README.md](offline/README.md) for the expected local layout.
Expected local files: Expected local files:
@@ -40,9 +40,22 @@ Expected local files:
- `offline/downloads/libhoudini_hack.zip` - `offline/downloads/libhoudini_hack.zip`
- `offline/downloads/magisk.apk` - `offline/downloads/magisk.apk`
- `offline/downloads/magisk.version` - `offline/downloads/magisk.version`
- `offline/images/redroid-redroid-13.0.0-latest.tar` - `offline/images/redroid-redroid-13.0.0-latest.tar` (optional if the base image is already in local Docker storage)
`redroid.py` now tries to pull `redroid/redroid:13.0.0-latest` first. If that fails, it falls back to the local image cache, then to `offline/images/redroid-redroid-13.0.0-latest.tar`. ### Build resource order (`redroid.py`)
- **Base image:** prefers an existing local `redroid/redroid:<ver>-latest`, then `offline/images/redroid-redroid-13.0.0-latest.tar` (`docker load`), then a registry pull (skipped when offline-only).
- **Zips / APK:** prefers files under `offline/downloads/` whose **MD5** matches the pinned upstream artifacts; downloads only if missing or mismatch (skipped when offline-only).
- **Strict no-network builds:** pass `--offline` or set `REDROID_OFFLINE=1` so missing bundles fail fast instead of downloading.
### Verify script notes
```bash
python verify_offline_bundle.py
```
- `magisk.version` is checked against exact **size** and **sha256** from `manifest.json`. A short version string without the expected newline/padding will report `size mismatch` even when `magisk.apk` is fine for the image build.
- A missing `offline/images/*.tar` is expected to **FAIL** here if you rely on a pre-pulled Docker image instead; that does not block `redroid.py` when the base image already exists locally.
## Dependencies ## Dependencies
@@ -50,18 +63,20 @@ Expected local files:
python -m pip install -r requirements.txt python -m pip install -r requirements.txt
``` ```
## Verify the offline bundle
```bash
python verify_offline_bundle.py
```
## Build the 5570 image ## Build the 5570 image
```bash ```bash
python redroid.py -mtg -i -m python redroid.py -mtg -i -m
``` ```
Air-gapped (requires a complete `offline/` tree):
```bash
REDROID_OFFLINE=1 python redroid.py -mtg -i -m
# or
python redroid.py -mtg -i -m --offline
```
Expected image tag: Expected image tag:
```bash ```bash
@@ -70,6 +85,8 @@ redroid/redroid:13.0.0_mindthegapps_houdini_magisk
## Launch the container ## Launch the container
Headless servers have **no screen** to approve the USB debugging RSA dialog. Always pass **`--adb-insecure`** so boot props disable ADB RSA checks and apply **before** the Pixel user profile (`androidboot.adb.secure=0`, `ro.adb.secure=0`, `ro.secure=0`, `ro.debuggable=1`). **Do not expose the ADB port on a public network.**
```bash ```bash
python run_redroid.py \ python run_redroid.py \
--image redroid/redroid:13.0.0_mindthegapps_houdini_magisk \ --image redroid/redroid:13.0.0_mindthegapps_houdini_magisk \
@@ -77,7 +94,22 @@ python run_redroid.py \
--device-profile pixel-7-pro \ --device-profile pixel-7-pro \
--data-dir ~/data-redroid13 \ --data-dir ~/data-redroid13 \
--port 5570 \ --port 5570 \
--replace --replace \
--adb-insecure
```
Then:
```bash
adb kill-server && adb start-server
adb connect 127.0.0.1:5570
adb devices
```
If you still see `unauthorized` after an upgrade, stop the container, remove persisted keys on the host, and retry:
```bash
rm -rf ~/data-redroid13/misc/adb
``` ```
## Apply the 5570 hardening ## Apply the 5570 hardening
@@ -98,7 +130,7 @@ This post-boot step:
- allows `com.android.shell` to use mock location - allows `com.android.shell` to use mock location
- applies the `Pixel 7 Pro / user / release-keys / locked / green` identity - applies the `Pixel 7 Pro / user / release-keys / locked / green` identity
With `--install-extreme-script`, the validated script [assets/redroid_extreme_post_fs_data.sh](C:/Users/admin/Desktop/redroid-android13/assets/redroid_extreme_post_fs_data.sh) is copied to `/data/adb/post-fs-data.d/20-redroid-extreme.sh` so that: With `--install-extreme-script`, the validated script [assets/redroid_extreme_post_fs_data.sh](assets/redroid_extreme_post_fs_data.sh) is copied to `/data/adb/post-fs-data.d/20-redroid-extreme.sh` so that:
- `vendor/bin/su` stays visible to app namespaces after reboot - `vendor/bin/su` stays visible to app namespaces after reboot
- `Pixel 7 Pro` properties are re-applied on every boot - `Pixel 7 Pro` properties are re-applied on every boot

View File

@@ -95,7 +95,7 @@ def build_layers(args):
def print_recommended_flow(image_name): def print_recommended_flow(image_name):
print("\nRecommended 5570 launch") print("\nRecommended 5570 launch (headless: always pass --adb-insecure)")
print( print(
"python run_redroid.py " "python run_redroid.py "
"--image {} " "--image {} "
@@ -103,7 +103,8 @@ def print_recommended_flow(image_name):
"--device-profile pixel-7-pro " "--device-profile pixel-7-pro "
"--data-dir ~/data-redroid13 " "--data-dir ~/data-redroid13 "
"--port 5570 " "--port 5570 "
"--replace\n".format(image_name) "--replace "
"--adb-insecure\n".format(image_name)
) )
print("Recommended post-boot hardening") print("Recommended post-boot hardening")
print( print(

View File

@@ -262,8 +262,8 @@ def main():
"--adb-insecure", "--adb-insecure",
action="store_true", action="store_true",
help=( help=(
"Disable ADB RSA authorization (ro.adb.secure=0 + androidboot.adb.secure=0). " "Headless ADB: early androidboot.adb.secure=0, ro.adb.secure=0, ro.secure=0, ro.debuggable=1 "
"Passed early so init applies it before other ro.* props (see redroid-doc #579)." "(before device profile; see redroid-doc README / #579). Overrides user-build secure props."
), ),
) )
args = parser.parse_args() args = parser.parse_args()
@@ -298,10 +298,14 @@ def main():
# Init applies read-only props in order; later ro.adb.secure=0 is ignored if adb.secure # Init applies read-only props in order; later ro.adb.secure=0 is ignored if adb.secure
# was already set (redroid-doc #579). Put these immediately after the image name. # was already set (redroid-doc #579). Put these immediately after the image name.
if args.adb_insecure: if args.adb_insecure:
# Must precede device_profile_props (ro.secure=1 / ro.debuggable=0): init keeps first ro.* value.
# redroid-doc README: ro.secure=0 yields working adb shell without RSA prompt.
cmd.extend( cmd.extend(
[ [
"androidboot.adb.secure=0", "androidboot.adb.secure=0",
"ro.adb.secure=0", "ro.adb.secure=0",
"ro.secure=0",
"ro.debuggable=1",
] ]
) )
cmd.append("androidboot.redroid_gpu_mode={}".format(args.gpu_mode)) cmd.append("androidboot.redroid_gpu_mode={}".format(args.gpu_mode))
@@ -323,6 +327,12 @@ def main():
print_color("Selected launch preset: {}".format(preset), bcolors.GREEN) print_color("Selected launch preset: {}".format(preset), bcolors.GREEN)
if device_profile != "none": if device_profile != "none":
print_color("Selected device profile: {}".format(device_profile), bcolors.GREEN) print_color("Selected device profile: {}".format(device_profile), bcolors.GREEN)
if args.adb_insecure:
print_color(
"ADB insecure: injecting boot props immediately after image name "
"(check Command: line starts with androidboot.adb.secure=0 …).",
bcolors.GREEN,
)
print("Command:\n{}\n".format(quote_cmd(cmd))) print("Command:\n{}\n".format(quote_cmd(cmd)))
if args.dry_run: if args.dry_run: