Ensure that PrepatchedImagePatcher runs before other patchers

[chenxiaolong]

On older devices, like the Pixel 4a, where boot is used for both Android and recovery mode, the image will be patched by OtaCertPatcher and PrepatchedImagePatcher. OtaCertPatcher was always set to run first, so when PrepatchedImagePatcher used the user-supplied image as-is, prior modifications got wiped out. This made is so users could no longer flash further patched OTAs.

This is an unfortunate regression that was introduced in avbroot 2.0.0. The e2e tests never caught this issue because the --prepatched test was being fed the boot image previously patched by --magisk. That already had valid certs so the result of OtaCertPatcher's modifications being lost were not visible. This commit also fixes the e2e tests so that this type of issue will be caught in the future.

Fixes: #356

[chenxiaolong]

Unfortunately, since this caused recovery mode to no longer have the proper OTA certificate for verifying sideloaded OTAs, a workaround is necessary to recover from this without unlocking the bootloader and starting fresh.

To fix this, you can install the patched OTA while booted into Android using my other project, Custota. It's normally used for installing patched OTAs from your own server (similar to how the stock OS's OTA updates work), but it can also install from local files. This method works because Android has its own copy of otacerts.zip that is separate from recovery mode's copy.

1. Patch the OTA using an avbroot version that includes the fix (>= 3.7.0). For peace of mind, you can run:

   avbroot ota verify -i path/to/ota.zip.patched

   to confirm that the issue is no longer present.

2. Download Custota-<version>-release.zip from https://github.com/chenxiaolong/Custota/releases and flash it from Magisk/KernelSU.

3. Download custota-tool-<version>-<os>.zip for your desktop OS and unzip it.

4. Generate a .csig file for your patched OTA. Use the same OTA key and cert that you used for avbroot.

   ./custota-tool \
       gen-csig \
       --input path/to/ota.zip.patched \
       --key path/to/ota.key \
       --cert path/to/ota.crt

5. Generate a .json file that points to your patched OTA.

   ./custota-tool \
       gen-update-info \
       --file <device codename>.json \
       --location <ota filename>.zip.patched

   • <device codename> would be sunfish for the Pixel 4a.
   • <ota filename> should be just the filename, without any folders.

6. Copy your patched OTA, .csig file, and .json file to a folder on your phone.

7. From the Custota app, go to OTA installation source -> Use local path -> Select directory, and select the folder that contains the 3 files.

8. Hit Check for updates. A notification should pop up, asking to install your OTA. The OTA will install in the background and will show a notification when complete.

9. Reboot and everything should be back to normal. Sideloading OTAs from recovery mode should work again. It's safe to uninstall Custota now.