adb shell getprop ro.boot.vbmeta.digest
[Hardware Root of Trust] │ ▼ [Bootloader] ──► Reads & Verifies vbmeta.img ──► Generates Crypto Hash │ ▼ [Android Kernel] ◄── Passes Hash via cmdline ──◄ [ro.boot.vbmeta.digest] The bootloader reads the vbmeta partition.
Or you can run it directly in a terminal app on the device:
The specific value contained within ro.boot.vbmeta.digest represents a cryptographic hash—typically SHA-256—calculated across all active within the active boot slot. Rather than summarizing a single data partition, this property maps out a singular cryptographic blueprint of the entire valid ecosystem of signed images currently managing the hardware. ro.boot.vbmeta.digest
[ Bootloader ] ──> Validates ──> [ vbmeta Partition ] │ Generates SHA-256 Digest │ ▼ [ ro.boot.vbmeta.digest ]
This property serves several critical roles for both the system and advanced users:
When you turn on an Android device, the hardware-based Root of Trust initializes and verifies the bootloader. From there, ro.boot.vbmeta.digest is calculated through the following steps: adb shell getprop ro
: It is calculated by the bootloader during startup using libraries like Passing to OS
For developers and security researchers, this property is a "solid" indicator of whether a device's software is authentic and unmodified. You can view your device's specific digest by running the following command in an ADB shell: getprop ro.boot.vbmeta.digest Android Verified Boot 2.0
It is a (represented as a hex string) calculated over the contents of the vbmeta image after it has been signed and structured. It can represent: [ Bootloader ] ──> Validates ──> [ vbmeta
This is why unlocked bootloaders break SafetyNet: When you unlock the bootloader, the device either:
No. It is the hash of the descriptor table that contains the hash of the boot partition. It is one meta-level higher.