Skip to main content

Ro.boot.vbmeta.digest -

When an app calls SafetyNetApi.attest() or Play Integrity API:

If ro.boot.vbmeta.digest does not match the official signed build for that device model, Hardware-backed attestation fails. This is why unlocked bootloaders break SafetyNet: When you unlock the bootloader, the device either:

Some OEMs ship with an empty or placeholder vbmeta on unlocked engineering units. In this case, the bootloader may set ro.boot.vbmeta.digest to the digest of an empty string (e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 – the SHA-256 of zero bytes). This is a telltale sign of a development build. ro.boot.vbmeta.digest

Inside vbmeta, there is a rollback_index field. If the bootloader enforces rollback protection, it compares the rollback_index inside vbmeta against a stored value in tamper-resistant storage.

Myth 1: ro.boot.vbmeta.digest is the hash of my boot partition. No. It is the hash of the descriptor table that contains the hash of the boot partition. It is one meta-level higher. When an app calls SafetyNetApi

Myth 2: Changing ro.boot.vbmeta.digest via setprop will bypass SafetyNet. Absolutely not. The property is a read-only reflection of the bootloader’s memory. Even if you could edit the property (you can't without kernel modifications), the Keymaster reads the digest directly from the secure hardware token, not the Android property. Modifying the property is cosmetic at best.

Myth 3: A missing digest means the device is insecure. Not necessarily. Legacy devices (Android 7 and below) don't have AVB. Also, some OEMs (e.g., Samsung with Knox) implement their own verification (ro.boot.warranty_bit) and may not propagate the standard AVB digest. However, a missing digest on a modern (Android 10+) device usually indicates a corrupt or disabled verification chain. If ro

adb shell getprop ro.boot.vbmeta.digest
# or
cat /proc/cmdline | grep vbmeta.digest

| Property | Description | |----------|-------------| | ro.boot.vbmeta.device_state | locked or unlocked | | ro.boot.vbmeta.hash_alg | Hash algorithm (e.g., sha256) | | ro.boot.vbmeta.size | Size of vbmeta partition | | ro.boot.vbmeta.digest | The actual hash |

With the advent of Virtual A/B and Dynamic Partitions (Android 10+), ro.boot.vbmeta.digest has grown more complex. The digest now often represents a "chain" of VBMeta structs:

The digest in ro.boot.vbmeta.digest is the root of this hash tree. If any chained VBMeta fails to match its parent descriptor, the bootloader aborts boot. This ensures that even dynamic partitions cannot be injected with malicious code.