This commit is contained in:
eric
2026-04-04 15:52:20 -05:00
parent c59cd2da52
commit e141bc000f
3 changed files with 59 additions and 16 deletions

View File

@@ -29,9 +29,9 @@ It keeps only the parts that were actually used:
## Offline archive
The repo tracks the offline bundle metadata under [offline](C:/Users/admin/Desktop/redroid-android13/offline). The large zip/apk/tar payloads are intentionally kept out of Git and should be stored locally under `offline/downloads/` and `offline/images/`.
The repo tracks the offline bundle metadata under [offline](offline). The large zip/apk/tar payloads are intentionally kept out of Git and should be stored locally under `offline/downloads/` and `offline/images/`.
Use [offline/manifest.json](C:/Users/admin/Desktop/redroid-android13/offline/manifest.json) for checksums and source metadata, and [offline/README.md](C:/Users/admin/Desktop/redroid-android13/offline/README.md) for the expected local layout.
Use [offline/manifest.json](offline/manifest.json) for checksums and source metadata, and [offline/README.md](offline/README.md) for the expected local layout.
Expected local files:
@@ -40,9 +40,22 @@ Expected local files:
- `offline/downloads/libhoudini_hack.zip`
- `offline/downloads/magisk.apk`
- `offline/downloads/magisk.version`
- `offline/images/redroid-redroid-13.0.0-latest.tar`
- `offline/images/redroid-redroid-13.0.0-latest.tar` (optional if the base image is already in local Docker storage)
`redroid.py` now tries to pull `redroid/redroid:13.0.0-latest` first. If that fails, it falls back to the local image cache, then to `offline/images/redroid-redroid-13.0.0-latest.tar`.
### Build resource order (`redroid.py`)
- **Base image:** prefers an existing local `redroid/redroid:<ver>-latest`, then `offline/images/redroid-redroid-13.0.0-latest.tar` (`docker load`), then a registry pull (skipped when offline-only).
- **Zips / APK:** prefers files under `offline/downloads/` whose **MD5** matches the pinned upstream artifacts; downloads only if missing or mismatch (skipped when offline-only).
- **Strict no-network builds:** pass `--offline` or set `REDROID_OFFLINE=1` so missing bundles fail fast instead of downloading.
### Verify script notes
```bash
python verify_offline_bundle.py
```
- `magisk.version` is checked against exact **size** and **sha256** from `manifest.json`. A short version string without the expected newline/padding will report `size mismatch` even when `magisk.apk` is fine for the image build.
- A missing `offline/images/*.tar` is expected to **FAIL** here if you rely on a pre-pulled Docker image instead; that does not block `redroid.py` when the base image already exists locally.
## Dependencies
@@ -50,18 +63,20 @@ Expected local files:
python -m pip install -r requirements.txt
```
## Verify the offline bundle
```bash
python verify_offline_bundle.py
```
## Build the 5570 image
```bash
python redroid.py -mtg -i -m
```
Air-gapped (requires a complete `offline/` tree):
```bash
REDROID_OFFLINE=1 python redroid.py -mtg -i -m
# or
python redroid.py -mtg -i -m --offline
```
Expected image tag:
```bash
@@ -70,6 +85,8 @@ redroid/redroid:13.0.0_mindthegapps_houdini_magisk
## Launch the container
Headless servers have **no screen** to approve the USB debugging RSA dialog. Always pass **`--adb-insecure`** so boot props disable ADB RSA checks and apply **before** the Pixel user profile (`androidboot.adb.secure=0`, `ro.adb.secure=0`, `ro.secure=0`, `ro.debuggable=1`). **Do not expose the ADB port on a public network.**
```bash
python run_redroid.py \
--image redroid/redroid:13.0.0_mindthegapps_houdini_magisk \
@@ -77,7 +94,22 @@ python run_redroid.py \
--device-profile pixel-7-pro \
--data-dir ~/data-redroid13 \
--port 5570 \
--replace
--replace \
--adb-insecure
```
Then:
```bash
adb kill-server && adb start-server
adb connect 127.0.0.1:5570
adb devices
```
If you still see `unauthorized` after an upgrade, stop the container, remove persisted keys on the host, and retry:
```bash
rm -rf ~/data-redroid13/misc/adb
```
## Apply the 5570 hardening
@@ -98,7 +130,7 @@ This post-boot step:
- allows `com.android.shell` to use mock location
- applies the `Pixel 7 Pro / user / release-keys / locked / green` identity
With `--install-extreme-script`, the validated script [assets/redroid_extreme_post_fs_data.sh](C:/Users/admin/Desktop/redroid-android13/assets/redroid_extreme_post_fs_data.sh) is copied to `/data/adb/post-fs-data.d/20-redroid-extreme.sh` so that:
With `--install-extreme-script`, the validated script [assets/redroid_extreme_post_fs_data.sh](assets/redroid_extreme_post_fs_data.sh) is copied to `/data/adb/post-fs-data.d/20-redroid-extreme.sh` so that:
- `vendor/bin/su` stays visible to app namespaces after reboot
- `Pixel 7 Pro` properties are re-applied on every boot

View File

@@ -95,7 +95,7 @@ def build_layers(args):
def print_recommended_flow(image_name):
print("\nRecommended 5570 launch")
print("\nRecommended 5570 launch (headless: always pass --adb-insecure)")
print(
"python run_redroid.py "
"--image {} "
@@ -103,7 +103,8 @@ def print_recommended_flow(image_name):
"--device-profile pixel-7-pro "
"--data-dir ~/data-redroid13 "
"--port 5570 "
"--replace\n".format(image_name)
"--replace "
"--adb-insecure\n".format(image_name)
)
print("Recommended post-boot hardening")
print(

View File

@@ -262,8 +262,8 @@ def main():
"--adb-insecure",
action="store_true",
help=(
"Disable ADB RSA authorization (ro.adb.secure=0 + androidboot.adb.secure=0). "
"Passed early so init applies it before other ro.* props (see redroid-doc #579)."
"Headless ADB: early androidboot.adb.secure=0, ro.adb.secure=0, ro.secure=0, ro.debuggable=1 "
"(before device profile; see redroid-doc README / #579). Overrides user-build secure props."
),
)
args = parser.parse_args()
@@ -298,10 +298,14 @@ def main():
# Init applies read-only props in order; later ro.adb.secure=0 is ignored if adb.secure
# was already set (redroid-doc #579). Put these immediately after the image name.
if args.adb_insecure:
# Must precede device_profile_props (ro.secure=1 / ro.debuggable=0): init keeps first ro.* value.
# redroid-doc README: ro.secure=0 yields working adb shell without RSA prompt.
cmd.extend(
[
"androidboot.adb.secure=0",
"ro.adb.secure=0",
"ro.secure=0",
"ro.debuggable=1",
]
)
cmd.append("androidboot.redroid_gpu_mode={}".format(args.gpu_mode))
@@ -323,6 +327,12 @@ def main():
print_color("Selected launch preset: {}".format(preset), bcolors.GREEN)
if device_profile != "none":
print_color("Selected device profile: {}".format(device_profile), bcolors.GREEN)
if args.adb_insecure:
print_color(
"ADB insecure: injecting boot props immediately after image name "
"(check Command: line starts with androidboot.adb.secure=0 …).",
bcolors.GREEN,
)
print("Command:\n{}\n".format(quote_cmd(cmd)))
if args.dry_run: