xda developers' android hacker's toolkit: the complete guide to rooting, roms and theming
TRANSCRIPT
XDADevelopers’Android™Hacker’sToolkitTableofContents
Introduction
FirstThingsFirst:WhatIsXDA?
TheDragonsthatLieAhead
WhoThisBookIsFor
WhatThisBookCovers
HowThisBookIsStructured
WhatYouNeedtoUseThisBook
PartI:WhatYouNeedtoKnow
Chapter1:AndroidOSInternals:UnderstandingHowYourDeviceStarts
ThePenguinDownBelow
HowYourAndroidDeviceStarts
Bootstrapping
AddingaCustomBootloader
UnderstandingtheBootloaderProcess
CustomRecoveries:TheHolyGrail
Chapter2:RootingYourAndroidDevice
WhyShouldYouRoot?
IncreasingtheServiceLifeoftheDevice
FixingOEMDefects
IncreasingCapability
CustomizingtheDevice
BackingUpData
ContactInformation
ApplicationsandTheirData
DataontheSDCard
HowYouCanRootandLeaveYourOEM’sControl
OEMFlashSoftware
Exploits
NativeFastbootFlash
ScriptedandOne-ClickMethods
RootingTwoDevices
NexusOne
HTCThunderbolt
TheRootofItAll
Chapter3:TheRightToolfortheJob
Ready,Set,...WaitIHavetoHaveWhat?
ConnectingaPhonetoaComputer
HackingTools
USBCables
USBDebugging
What’sDrivingThisThing?
UsingtheAndroidDebugBridge
CheckingDeviceConnectivity
RestartingtheADBService
CopyingFilestoandfromYourDevice
RebootingaDevice
ThePowerofFastboot
UnlockingaDevice
UpdatingaDevice
FlashingaDevice
RebootingaDevice
HarnessingthePowerofthePenguinwithADBShell
FileSystemNavigation
FileManagement
FileAccessPermissions
RedirectionandPiping
Concatenation
BusyBox:GivingthePenguinBackItsPower
TheddCommand
TheechoCommand
Themd5sumCommand
Chapter4:RootingandInstallingaCustomRecovery
HowtoUseExploits
ExploitScripts
ExploitApplications
UsingaScriptorApplicationonaDevice
HackingUtilities
OEMTools
DeveloperUtilities
ImageFiles
RecoveryMode
WhatIsRecoveryMode?
MakeItAllSoEasy:GetACustomRecovery!
UsingClockworkModRecovery
RebootingtheDevice
UpdatingaDevicefromtheSDCard
ResettingaDevicetoFactoryCondition
WipingtheCache
InstallingaZipFilefromtheSDCard
BackingUpandRestoringaDevice
MountingPartitionsandManagingStorage
AdvancedFunctions
BackupandDisasterRecovery
PrecautionsforSuccessandDataRecovery
BackingUpApplications
BackingUpThroughaRecoveryProcess
BackingUpThroughanApplication
WhatHappensifItGoesReallyWrong?
Chapter5:Theming:DigitalCosmeticSurgery
ChangingtheLookandFeelofAndroid
ThemingtheLauncher
ThemingwithanAdd-onLauncher
ToolsUsedinTheming
APKManager
AndroidSDK
Eclipse
AROMofYourChoice
7-Zip
Paint.NET
Update.zipCreator
Amend2Edify
TheEditingProcess
WalkthroughforCreatingThemeFiles
WalkthroughforCreatingaFlashableZIPFile
Chapter6:You’veBecomeSuperuser:NowWhat?
PopularMulti-DeviceCustomROMs
CyanogenMod
AndroidOpenKangProject
VillainROM
KernelTweaks
BacklightNotifications
VoodooEnhancements
PerformanceandBatteryLifeTweaks
RootApplications
SetCPU
AdfreeAndroid
Chainfire3D
TitaniumBackup
PartII:ManufacturerGuidelinesandDevice-SpecificGuides
Chapter7:HTCEVO3D:ALockedDevice
ObtainingTemporaryRoot
UsingS-OFFandPermanentRootRequirements
RunningtheRevolutionaryTool
InstallingaCustomRecovery
InstallingtheSuperuserBinary
InstallingaSuperUserApplication
Chapter8:NexusOne:AnUnlockableDevice
RootMethodsAvailable
ResourcesRequiredforthisWalkthrough
Walkthrough
PlacingtheNexusOneinFastbootMode
FlashingaBootPartition
GettingFullRootAccess
InstallingaCustomRecovery
Chapter9:HTCThunderBolt:ATightlyLockedDevice
RootMethodsAvailable
ResourcesRequiredforthisWalkthrough
Walkthrough
PushingFilestotheDevice
GainingTemporaryRoot
CheckingaFile’sMD5Signature
WritingtheTemporaryBootloader
DowngradingtheFirmware
GainingTemporaryRoottoUnlocktheMMC
RewritingtheBootloader
UpgradingtheFirmware
Chapter10:DroidCharge:FlashingwithODIN
ResourcesRequiredforthisWalkthrough
Walkthrough
ConnectingtheDevicetoODIN
FlashingtheDevice
Troubleshooting
Chapter11:NexusS:AnUnlockedDevice
ConnectingtheDevicetoaPC
ResourcesRequiredforthisWalkthrough
Walkthrough
UnlockingtheDevice
FlashingtheDevicewithaRecovery
FlashingtheDevicewiththeSuperUserapplication
Chapter12:MotorolaXoom:AnUnlockedHoneycombTablet
ResourcesRequiredforthisWalkthrough
Walkthrough
PushingtheRootFiletotheSDCard
UnlockingtheXoom
FlashingtheDevicewithaRecovery
FlashingtheDevicewithaUniversalRoot
Chapter13:NookColor:RootingwithaBootableSDCard
ResourcesRequiredforthisWalkthrough
Walkthrough
CreatingaBootableSDCard
BootingtheDevicefromtheSDCard
MakingtheDeviceMoreUsable
AppendixA:SettingUpAndroidSDKandADBTools
XDADevelopers’Android™Hacker’sToolkitTheCompleteGuidetoRooting,ROMSandThemingJasonTylerwithWill
VerduzcoThisworkisaco-publicationbetweenXDADevelopersandJohnWiley&Sons,Ltd.
Thiseditionfirstpublished2012
©2012JohnWileyandSons,Ltd.
RegisteredofficeJohnWiley&SonsLtd,TheAtrium,SouthernGate,Chichester,WestSussex,PO198SQ,UnitedKingdomFordetailsofourglobaleditorialoffices,forcustomerservicesandforinformationabouthowtoapplyforpermissiontoreusethecopyrightmaterialinthisbookpleaseseeourwebsiteatwww.wiley.com.
TherightoftheauthortobeidentifiedastheauthorofthisworkhasbeenassertedinaccordancewiththeCopyright,DesignsandPatentsAct1988.
Allrightsreserved.Nopartofthispublicationmaybereproduced,storedinaretrievalsystem,ortransmitted,inanyformorbyanymeans,electronic,mechanical,photocopying,recordingorotherwise,exceptaspermittedbytheUKCopyright,DesignsandPatentsAct1988,withoutthepriorpermissionofthepublisher.
Wileyalsopublishesitsbooksinavarietyofelectronicformats.Somecontentthatappearsinprintmaynotbeavailableinelectronicbooks.
Designationsusedbycompaniestodistinguishtheirproductsareoftenclaimedastrademarks.Allbrandnamesandproductnamesusedinthisbookaretradenames,servicemarks,trademarksorregisteredtrademarksoftheirrespectiveowners.Thepublisherisnotassociatedwithanyproductorvendormentionedinthisbook.Thispublicationisdesignedtoprovideaccurateandauthoritativeinformationinregardtothesubjectmattercovered.Itissoldontheunderstandingthatthepublisherisnotengagedinrendering
professionalservices.Ifprofessionaladviceorotherexpertassistanceisrequired,theservicesofacompetentprofessionalshouldbesought.
Trademarks:WileyandtheWileylogoaretrademarksorregisteredtrademarksofJohnWileyandSons,Inc.and/oritsaffiliatesintheUnitedStatesand/orothercountries,andmaynotbeusedwithoutwrittenpermission.AndroidisatrademarkofGoogle,Inc.Allothertrademarksarethepropertyoftheirrespectiveowners.JohnWiley&Sons,Ltd.isnotassociatedwithanyproductorvendormentionedinthebook.
XDA,XDADevelopersisatrademarkofJBOnlineMedia,LLC
AcataloguerecordforthisbookisavailablefromtheBritishLibrary.
ISBN978-1-11995138-4(paperback);ISBN978-1-119-96154-3(ebook);978-1-119-96155-0(ebook);978-1-119-96156-7(ebook)Setin9.5/11.5MinionProRegularbyIndianapolisCompositionServicesPrintedintheUnitedStatesbyCourierWestford
Publisher’sAcknowledgements
Someofthepeoplewhohelpedbringthisbooktomarketincludethefollowing:EditorialandProduction
VPConsumerandTechnologyPublishingDirector:MichelleLeeteAssociateDirector–BookContentManagement:MartinTribeAssociatePublisher:ChrisWebb
AssistantEditor:EllieScott
DevelopmentEditor:ShenaDeucharsCopyEditor:Shena
Deuchars
TechnicalEditor:AkshayDashrathEditorialManager:JodiJensen
SeniorProjectEditor:SaraShlaerEditorialAssistant:LeslieSaxmanMarketing
AssociateMarketingDirector:LouiseBreinholtSeniorMarketingExecutive:KateParrettCompositionServices
Compositor:IndianapolisCompositionServicesProofreader:LindaSeifert
Indexer:EstalitaSlivoskey
AbouttheAuthorsJasonTylerhasbeenanITinstructorandiscurrentlyDirectorofTechnologyforTypefrag.com.AnavidAndroidhacker,JasonhasbeenrootingandROMingeveryAndroidphonehecangethishandsonsincetheOGDroid.
WillVerduzcoisaJohnsHopkinsUniversitygraduateinneuroscienceandisnowcurrentlystudyingtobecomeaphysician.HeisalsoPortalAdministratorforXDA-Developers,andhasbeenaddictedtomobiletechnologysincetheHTCWizard.StartingwiththeNexusOne,however,hisgadgetloveaffairhasshiftedtoGoogle’slittlegreenrobot.
ForewordTheXDADevelopers(XDA)websitewasopenedin2003.Nineyearsmaynotseemlikethatlongago,butFacebookwasn’tevenathingthen.TheiPhoneandthefirstAndroidhandsetweren’treleaseduntil2007.So,inInternettime,XDAisold.Insmartphonetime,we’reancient.
xda-developers.comisastrangeURL—notasimaginative,shortorcatchyasmosthigh-trafficsites.There’sasimplereasonforthis:thesitewasn’tcreatedforyou.Weneverenvisionedasmartphonerevolution—orifwedid,weneverenvisionedthatmillionswouldcaresomuchaboutwhatwashappeningonourlittledeveloper-focusedforum.
XDAwascreatedfordevelopersanditisstillasitefordevelopers.Theyareincrediblysmart,generallyselfless,andhard-workingindividualswhosharetheircreations(forfree)withtheworld.Whentheyseeabooklikethis,theygetconcernedthattheirsitewillbeoverrun(morethanitalreadyis)by“newbs”withannoyingquestionsanddemands.Theyseethetitleofthisbook—withthatoverused“H”-word—androlltheireyes.
So,whydidXDAlenditsnametothisguide?Honestly?It’sbecausewecan’tstopyouallfromcomingandwe’dratheryoubeabitbettereducatedwhenyouarrive.Peoplespendmoretimetouchingtheirphonesthantheirspousesandmanyofthosepeoplewanttheirphonestobecompletelycustomizable(evenastheirspousesaregenerallynot).TheywanttoremoverestrictionsplacedonthedevicesbycarriersandOEMsandmakethephonetheirs.
ThisbookwaswrittenbyamemberofXDA.HisgoalwastosharehisenthusiasmaboutwhathefoundonthesiteandacrosstheInternetaboutthecustomizabilityoftheAndroidoperatingsystem,togetyoujustasexcited,andtoshowyouthetoolsyouneedtoputthatexcitementintoaction.Aswithmosttech-relatedbooks,muchofthetexthereinisoutdatedbythetimeithitstheshelves.Butthat’sOK.Evenifthecontentisslightlystale,evenifyoudon’thaveanyofthedeviceslistedinthetutorialchapters,westillurgeyoutoreaditcarefullysothatyouarebetterpreparedtounderstandasyou
exploreXDAforyourdevice.
Asasitefordevelopers,XDA’sgoalistomakesureyouhaveyourespectforallthosewhohaveblazedthetrailtomakeallthisgoodstuffpossible.WewantyoutouseXDAresponsibly—readeverythingbeforeposting,understandtherisksofrootingandcustomizingyourdevice,and,asyoulearn,becomeahelpful,contributingmemberofthecommunity.
TheXDAAdminTeam
Introduction
There’sareasonmostAndroidgeekshavesuchdisdainfortheothermajorsmartphoneoperatingsystem.TheiPhoneshacklestheuser,withitsclosedsourcecodeandecosystemruledwithanironfist.Android,ontheotherhand,freesdeveloperstotearapartandrebuildnearlyeveryaspectoftheuser’sexperiencewiththeoperatingsystem.Beyondtheworldofdeveloper-createdapplications(apps),thereisavastuniverseofdeepercustomizations—customkernelsandROMs,themes,CPUoverclocks,andmore.
Inmostcases,thesetasksbeginwithgaining“root”accesstoyourdevice.ThegoalofthisbookistogetyoucomfortablewiththetoolsandvocabularyofAndroidhacking,togetyouinthe“root”mindset,andtopointyoutowardsthebestonlineresourcesforexpandingyourknowledgeevenfurther.
FirstThingsFirst:WhatIsXDA?TheXDADevelopers(XDA)website,athttp://www.xda-developers.com,isthelargestsmartphonecommunityontheInternet.Asthenameimplies,thesite—launchedin2003—isadestinationfordevelopers.“XDA”wasalineofphonesbasedonWindowsMobilethatwerebrandedbyO2anddevelopedbyasmall(atthetime)TaiwanesemanufacturercalledHighTechComputerCorporation(HTC).AccordingtoXDAhistory:
ItwastheseearlyO2XDAdevicesthatthefoundersofoursitethoughthadmuchmorepotentialthanthesellersO2andHTCweregivingthemcreditfor.Withtheirgeekyhatsontheycrackedthemopenandbegantodevelopthembeyondthestandardfairlyboringbrandedversions.Tospreadtheword,theysetupasmallwebsiteandnaturallycalleditxda-developers.Intheearlydaystheyhadlessthanadozenmembers(2003).
Asmoreandmorephoneswerereleased,theXDAadministratorslaunchedanewforumforeachone.Thesitewasbuiltaroundthespiritofcommunityandcooperation.XDAitselfisnotanorganizationofdevelopers.Thesiteismerelyasandboxwheredeveloperscongregate.
Fromthoseearlyfewmembers,XDAbecameknownasthego-tosourceforinformationonhowtomakephonesdomoregreatstuffandhowtofixaphonethatwasotherwisebroken.Asmorepeoplewereattractedtothesite,enthusiastsweregivenahometosharetheawesomenessofmobiledevicedevelopment.Fromthatearlycoreofafewdozenenthusiasts,geeksanddevelopers,theXDAwebsitenowreceivesmorethantenmillionvisitorspermonthandthousandsofinformativepostseveryday.
ThematerialinthisbookdrawsheavilyontheworkdonebythefantasticcommunityatXDA.ThebookcombinestheworkoftheXDAcommunity,mytechnicalteachingexperience,andmyworkasanAndroiddevelopertoprovidealaunchingpointforthebuddingAndroidhacker.
TheXDAforumshavebecometheforemostInternetdestinationforinformationaboutmobiledevices:howtofixthem,howtohackthemand,generally,howtomakethembetterthanthemanufacturersmakethem.http://forum.xda-developers.comislaidoutinforumsdedicatedtoindividualdevices.Eachforumcontainsacoregroupofpeoplewhoworkwithandlovethedevice,aswellasthousandsofhelpfulindividualsonthesamejourneyasyou.WhenyouvisitXDA,youcanusethe“Forums”linkandnavigatethroughtheforumstofindyourspecificdevice(seeFigure1).
Figure1:Thedevice-specificforumsathttp://forum.xda-developers.com
TheDragonsthatLieAheadThefreedomofferedtoyouwhenyourdeviceisrootedisliberating.Itaffordsyousuchwondersas:
•completebackupofallapplicationsandtheirdata•GoogleApps,iftheywerenotincludedwithyourdevice
•overclockingyourdevice(speedingituptorunfasterandbetter)•fixingmanufacturerissues,suchasGPSerrorsorcalldropping
•wirelesstetheringtocreateaquickie“hotspot”•completelychangingandcustomizingthedeviceinterface.
AllofthisandmoreisavailabletothosewhostepoutonalimbandroottheirAndroiddevice.However,therearetwocaveatstokeepinmindbeforeyougetstarted.
Youshouldknowbeforeyoureadanyfurtherthatbyeventhinkingaboutrootingyourdeviceyoumayhavevoidedyourwarranty.
Notreally,ofcourse,butattemptinganyofthecustomizationsthatyoureadaboutinthisbookwillvoidyourmanufacturer’swarrantyandanyinsurancewarrantyyoumayhavepurchased.Manufacturersandmobileservicecarrierssellmillionsofdeviceseveryweek.Foreverydevicetheysell,theyhavetosupportacertainpercentageofthosedevicesthataredefective.AsfarasyourcarrierandOEMareconcerned,whenyoumesswiththestufftheyhavespentmillionsonmaking,theirresponsibilitytosupportyouends.
Therearenoexceptionstothisrule.MostOEMs,carriersandsupportcompanieswillinstantlyrejectanysortofsupportorreplacementrequestwhentheyfindthedevicehashaditssoftware,firmwareorhardwarealteredoutsidenormalparameters.Evenso-called“developer”devices,suchastheNexusrange,ceasetobesupportedwhenyoustartdevelopingonthem.
Thesecondbigcatchisthatyoucandopermanentirreversibledamagetoyourdevice.Intheparlanceofthemobiledevicehacker,thisisknownas“bricking”becauseitturnsyour$400smartphoneintosomethingasusefulasabrick.Someoftheexploitsthatareusedtogain“root”accessareedge-of-the-knifeproceduresthatcancompletelyruinadeviceifthetiniestmistakeismade.
Somedevicesaremorerobustthanothersandarelesslikelytobebricked.TheoriginalMotorolaDroidfromVerizon,forinstance,wasknownforbeingalmostimpossibletopermanentlybrick.ButeventhevenerableDroidhasbeenbrickedbyhastyorextremelyadventuroushackers.
Manyofthisbook’stutorials,whethertoachieverootorothercustomizations,requireyoutobefamiliarwithacommandpromptwindow,suchastheoneshowninFigure2.IfyouareatypicalWindowsuser,youprobablydonothavemuchexperiencewiththecommandline.Althoughyoucanfindshortcuts,scripts,andworkarounds,Istillrecommendyougetcomfortablewiththecommandline.BythetimeyoumakeitthroughChapter4,you’llbeacommandpromptpro.
Figure2:Thecommandpromptwindow
Mostofthestepsinthisbookassumethatyouhavetheabilitytoconnectyourdevicetoyourcomputerandthatyourcomputerhasallthedriversitneedstocommunicatewithyourdevice.Ifyouareunsureofthis,youmayneedtoreadthroughAppendixAtogetyourphoneconnectedtoyourcomputer.YourbestshotatgettingyourparticulardeviceconnectedtoyourcomputeristodoaquicksearchoftheXDAforumstolocatethedrivers.Don’tdoallthehardworkoflocatingtherightdriversifoneofthewonderfulpeopleatXDAhasalreadylocatedthem.
TheotherdragonthatcangobbleupthenewhackeristhatmostAndroiddevicehackingrequirestheSoftwareDevelopmentKit(SDK)tobeinstalledonyourcomputer.InAppendixA,IwalkyouthroughsettinguptheAndroidSDKandpointoutthefewpiecesthatyouactuallyneedforhackingyourAndroiddevice.
Formanydevices,muchoftheriskhasbeenremovedbydevelopersandhackerswhohavecreatedscripts,one-clickmethods,andhelpertoolstorootandcustomizeyourdevice.TheXDAforumsareanawesomecommunityofcuriousandextremelyintelligentpeoplethatcangetyououtofmostdeadendswhenhackingyourphone.
Inordertoaccessthewealthofinformationundoubtedlyavailableforyourdevice,youmustfirstnavigatetoyourdevice-specificforum.Findingthededicatedforumforyourdeviceisasimpletaskthatcanbeaccomplishedseveralways.Whileyoucouldcombthroughtheforumindexandfindyourdevicemanually,thiscanbecomequitefrustratinggiventheextremelylargenumberofdeviceforums.
Aneasiermethodtofindyourdevice-specificforumistousethe“FindYourDevice”boxintheupper-righthandcornerofthescreen,seeFigure3(top).
Simplytypethenameofyourdevice,orevenafewletters,andyouwillbepresentedwithalistofallmatchingdeviceforums.Alternatively,youcanjumptodevicesfromaparticularmanufacturerbyusingthe“DevicesbyOSorManufacturer”drop-downmenuatthetopcenterofthepage,seeFigure3(bottom).
Figure3:Searchingforyourdevicebyname(top)orbymanufacturer(bottom)
Ifyoudecidetocontinuetorootyourdevice,customizeitandslipthesurlybondsofOEMtyranny,youmustproceedatyourownrisk.Youhavetoaccepttheveryrealpossibilitythatyoucoulddoyourdevicepermanentharmorevenbrickit.JohnWiley&Sons,XDADevelopersandIarenotresponsibleifyouturnabeautifulshinyAndroiddeviceintothemostexpensivepaperweightever.
Youhavebeenwarned.
WhoThisBookIsFor
ThisbookisfortheAndroiduserwhowantstogetstartedwithhackingAndroiddevices.Ifyouhaveheardof“rooting”anAndroiddeviceandwonderwhatitmeansandhowitisdone,thenthisbookisforyou.ThisbookisalsofortheuserwhowantstogetmoreoutoftheirAndroiddeviceandincreaseitslifeandfunctionality.
WhatThisBookCoversThisbookcoversgeneralAndroidknowledgeandmobiledeviceconcepts.Italsoincludeschaptersthatgivethereadertheskillsnecessarytobeginhackingandexploringontheirown.Itcoversinstallingthetoolsneeded,suchastheAndroidSDK.Laterchapterscovertherootingproceduresforspecificdevices.Althoughdevices,andAndroiditself,changeveryquickly,readingawalkthroughcanprepareyouforwhatyoucanexpectinrootingyourdevice.
HowThisBookIsStructuredThisbookisdividedintotwoparts.ThefirstpartgivesabasicoverviewofAndroidandtheshell.ShellcommandskillswillbethecoreofyourAndroid-hackingcareer.Thesecondpartgivesexamplewalkthroughsonrepresentativedevices,fromtheverytightlylockedtothewideopen.Somedevicesfrommajormanufacturersaregivenadetailedwalkthroughtodemonstratehowtheskillslearnedearliercanbeapplied.TheappendixwalksyouthroughgettingyourcomputingenvironmentsetuptohackAndroid.
WhatYouNeedtoUseThisBookYouneedaPCwithWindows(XPorlater),afreeUSBport(USBhubsarenotgenerallyrecommended),andanInternetconnection.YouneedtobefamiliarwithnavigatingtheXDAforumsinordertoaccessthelatestupdatesandinformation.AndroidhackingcanbedoneverywellfromcomputersrunningMacorLinuxbutthisbookfocusesonthePCuser.YouneedanAndroiddeviceifyouwishtofollowalongwiththeexamplesandtutorialwalkthroughs.
PartI:WhatYouNeedtoKnow
Chapter1:AndroidOSInternals:UnderstandingHowYourDeviceStartsChapter2:RootingYourAndroidDeviceChapter3:TheRightToolfortheJobChapter4:RootingandInstallingaCustomRecoveryChapter5:Theming:DigitalCosmeticSurgeryChapter6:You’veBecomeSuperuser:NowWhat?
Chapter1:AndroidOSInternals:UnderstandingHowYourDevice
Starts
Inthischapter:
•Thepenguindownbelow:theLinuxkernel•Bootstrapping:Howyourdevicestarts
•Anintroductiontocustombootloaderandcustomrecoveryprocesses
Tofullyunderstandtheprocessofrootingyourdevice,gainingthecontrolandpoweryouneedtotrulycustomizeit,youneedtounderstandalittleabouthowtheAndroidoperatingsystemworks—howthedevicegoesfrombeingpoweredofftoafullyfunctioningstate.Itisinthisprocessthatdevelopersusuallyexploitweaknessestogainfullaccesstothedevice.Usuallysomestepinthebootprocessallowsadevelopertoinsertabitofcodeorascript,andthusaccessfunctionalitynotintendedbytheOriginalEquipmentManufacturer(OEM).
LinuxDevelopmentandOpenSourceLinuxbeganin1991withLinusTorvaldsworkingtomakeacompletelyfreeandopensourceoperatingsystemthatcouldbeusedbyhobbyists,academiaandhackers.Hisoperatingsystemhasgrowntobeoneofthemostpowerfulandflexibleintheworldtoday.Fromahandfulofunknowngeeks,thedeveloperbasehasmaturedtoincludethousandsofcontributorseveryyear.SomeofthefinestnamesincomputerscienceandprogrammingworkonthedevelopmentnotonlyofLinuxbutalsoofAndroid.
Linuxremainscompletelyfreeandcompletelyopensource.Thisallowscompaniesandindividualstohaveaccesstothepowerofcomputingdeviceswithoutthecomplexlegalandcopyrightconcernsthatcomewithclosedsourcesoftware.
ThePenguinDownBelowAndroidisanoperatingsystembuiltontheLinuxkernel.ThankstoGoogleandtheOpenHandsetAlliance,LinuxanditspenguinmascothavefoundahomeonAndroiddevices.AndroidisessentiallyahighlycustomizeddistributionofLinuxwithvarioustweaksorientedtowardsmobiledevices.
IfyouarefamiliarwiththeLinuxoperatingsystemthenyouaregoingtofeelquiteathomewithmanyaspectsoftheAndroidoperatingsystem.Ifyouarecomfortablewithanyothercommand-lineoperatingsystem,suchasDOSortheWindowscommandline,manyofyourskillstherewillbeusefulaswell.
Androidis,atitscore,animplementationoftheLinuxoperatingsystem.ManyofthecommandsyouwillbeusinginhackinganAndroiddeviceareLinuxcommands.However,youdonotneedtobeaprogrammertobecomeanAndroidhobbyistorenthusiast.Usingtheskillstaughtinthisbook,youcanbecomeadeptatexploringandalteringyourAndroiddevice.
ThedifferencesbetweenyourAndroiddeviceandaLinuxdesktopcomputeraremany.Themoststrikingdifferenceisthewayinwhichyourdevicebootstraps(starts)whenyoupoweriton.Itisinthisstartupprocessthatthehackersandelitedevelopersfindthevulnerabilitiestoexploit.BecauseLinuxhasalonghistoryofbeingthego-tooperatingsystemofdevelopers,hobbyistsandhackers,therearemanyprogrammersandprofessionalexpertsworkingontoolsthathelpyouwiththerootprocess.Mostofthe“heavylifting”isdonelongbeforetheaverageAndroidhackergetsaccesstorootonhisorherdevice.
AlthoughyoudonotneedtobeaLinuxnerdtorootandcustomizeyourAndroiddevice,beingfamiliarwiththeLinuxcommandline,andcommandlinesingeneral,willhelpyoufeelmorecomfortable.ForanexcellentreferencetotheLinuxcommandline,checkoutLinuxCommandLineandShellScriptingBible,2ndEditionbyRichardBlum(Wiley,2011).
HowYourAndroidDeviceStartsTheAndroidoperatingsystemhasacomplexandmultistagestartuproutine.Manufacturerslockthestartupprocesstoprotectrevenueandmaintaincontrolofthedeviceyoupurchase.ThenatureoftheAndroidstartupprocessallowsdevelopersandhackerstoreplacepartsofittoachievefullcontrolofanAndroiddevice.
BootstrappingBootstrapping(orbooting)isatermthatdescribeswhatacomputingdevicedoeswhenturnedon.It“pullsitselfupbyitsbootstraps.”WhenyoupoweronanAndroiddevice,atinypieceofcodeonamemorychipinitializesthememoryandCPU.Usuallythebootstrapcodeisreferredtoasthebootloader.Thebootloaderisdifferentfromdevicetodevice,althoughallbootloadersdothesamethings:theycheckforhardwarefeaturesandloadthefirstpartoftheoperatingsystemintothedevice’smemory.
TheencryptedbootloaderisthebeginningofallthingsAndroid,effectivelylockingouttheuserfromcustomizingthefirmwareandsoftware.LockingthebootloaderistheroughequivalenttoacomputermanufacturerforcingyoutouseaparticularversionofWindows,alongwithathemeoftheirchoosing.Thebootloaderistheprimarypointofcontentionbetweenownersofmobiledevicesandtheoriginalequipmentmanufacturer(OEM).Many,ifnotmost,OEMsspecificallydonotwantyoutohaveaccesstothatbootloadercode.ThereasonsthatOEMsdonotwantuserstohaveaccesstothiscodearevariedbutfallintothefollowingcategories:
•Thecostofhonoringwarranties:Alteringthebootloadercodecanpermanentlydisablethedevice.Thisisproblematicfordevicemanufacturersbecausebrokendevicesarereturnedtothemunderwarranty.Itisdifficulttodetermineifadeviceisbrokenbecausetheuserdidsomethingsillytoitorifitis,infact,defective.Thismeansthatthemanufacturermayhavetoreplaceadevicethatbecamedefectivethroughnofaultofthemanufacturer.Replacingdefectivedevicescostsmoneyandthosecostsmaybepassedontotheconsumer.•Theneedtoprotectcarrieragreements:Carriersarepaidtopre-installapplicationsfromthirdpartiesondevices.Manyorganizations,fromcarrentalcompaniestostreamingvideostartups,haveamobileapplication.Togetexposurefortheirproducts,theypaycarrierstoincludethoseapplicationsonyourdevice;toensurethatexposure,thecarrierblockstheuser’sabilitytoremovetheapplication.Afterall,itsimplywouldn’tdotohaveBlockbusterpayhundredsofthousandsofdollarstohavetheirapplicationonyourdeviceonlytohaveyouremoveittomakeroomforAngryBirdsthreeminutesafteryouwalkoutofthestore.LockingthebootloaderallowscarriersandOEMs
todeclaresomeapplicationsas“system”applications.Thisremovesthemfromtypicalmanagementtasks,suchasdeletionormovingthemtoanSDcard.•Plannedobsolescence:DeviceswithaverylonglifearebadforOEMs.Thedevelopmentandreleasecycleofnewmobiledeviceshasbecomeincrediblyfast,outpacingevenoldstandardsintechnology.Whenadeviceisreleased,thedevicethatwillobsoleteitisoftenalreadyinproduction.Androidoperatingsystemupdateshavenewfeaturesandstabilitythatusersdesire.BecauseOEMsdependonsellingnewfeaturesandthelatestAndroidoperatingsystem,theyneedconsumerstowantthenewestdevices.AllowingconsumerstoupdatetheoperatingsystemandsoftwarethemselveseffectivelyreducestheneedtopurchasethelatestdevicefromtheOEMorcarrier.
Inessence,plannedobsolescencefromthecarriersandOEMsisdesignedtomaketheconsumerspendmoremoneytogetthelatestAndroidupdates.Ifyoucanhackthoseupdatesintotheperfectlygooddeviceyoupurchasedsixmonthsearlier,theOEMslosemoney.
WhenyoupoweronanAndroiddevice,thebootloaderisthefirstprogramcodethatruns.Bootloadingistypicallyatwo-partprocess,utilizingaprimaryandasecondarybootloader.
OnmostAndroiddevices,theprimarybootloadercannotbereplaced.Thisisbecausetheprimarybootloaderishardcodedintoanapplication-specificintegratedcircuit(ASIC)inthedevice.Thesehardcodedinstructionsloadthesecondarybootloaderintomemoryandtellitwherethememory,CPUandoperatingsystemarelocatedandhowtheycanbeaccessed.
TakingResponsibilityforYourHacksItisimportanttonotethatifyouchoosetohackyourdevice,youtakeresponsibilityforreplacingit.ItisunfairandunethicaltodosomethingsillytoyourdevicethatdisablesitandthenexpectthecarrierorOEMtoreplaceit.Goodhackersgointotheirhacksknowingthepossibleoutcomesandwillingtotakeresponsibilityfortheirownfailures.WhenitcomestoOEMandcarrierill-willtowardshackers,ensureyouarepartofthesolutionnotpartoftheproblem.Nevertrytoreturnabrickedordisableddeviceforreplacement.Learnhowtofixitortakeresponsibilityandreplaceit.
AddingaCustomBootloaderAcustombootloaderisasecondarybootloaderthatallowsyoutogainaccesstothefilesystemwithmorecontrolthanyoucanwithanOEMbootloader.Custombootloadersopenupthepossibilitiesofreplacingtheoriginaloperatingsystemfileswithcustomizationsasvariedasanewuserinterfaceorasuperchargedkernel.Despitethemanufacturer’sobjections,thehacker’sgoalistointerruptthestandardbootloadingprocessanduseacustombootloaderthatenableshackingofthedevice.
UnderstandingtheBootloaderProcessYourAndroiddevicefollowscertainstepswhenbootingup.ThefollowingstepsandFigure1-1aresimplifiedandmadegenerictoapplytomostAndroiddevices.
1.Specialcodeinthebootread-onlymemory(ROM)locatesthefirst-stagebootloaderandloadsitintomemory.ThebootROMisanASICthathasitscodepermanentlyprogrammed.2.Thefirst-stagebootloaderloadsthesecond-stagebootloaderafterinitializingsomememoryandgettingthehardwareready.
Thebootloadercheckstoseeifthesecurityflagison(S-ON).Ifitison,thenthebootloaderwillloadonlysigned(official)kernels.Ifthesecurityflagisoff(S-OFF),thenthebootloadernolongerchecksforsignatures.SettingS-OFFalsoreleasesothersecuritylockdowns,makingtheentirefilesystemwritableandenablingothergoodies,suchasallowingyoutoinstallacustomrecoveryprocessonthedevice.Thisisthestepinwhichyouwantyourcustombootloadertobeloaded.Theholygrailofhackingamanufacturer’shandsetistoloadacustombootloadersothatacustomkernelcanbeloaded.
Figure1-1:TheAndroidbootprocess
Fastboot(seeChapter3)isaprotocolthatallowslow-levelcommandstobesenttoadevicetodosuchthingsaswritefiles(suchascustombootloaders,recoveriesandROMs)totheoperatingsystem.Mostmanufacturers,therefore,disabletheFastbootprotocolatthefactory.Becausethesecond-stagebootloaderisthestepinthebootprocesswheretheFastbootprotocolisenabledordisabled,thispartofthecodeisfrequentlyencryptedorotherwiselockeddownbyOEMs.Somedevices,suchasNexusdevicesandtheXoom,canbeunlocked,allowingthe
Fastbootprotocoltobeenabled.
3.ThebootloaderloadsaLinuxkernelandcustomizationsintomemory.
Atthispoint,thebootloaderhandsoffcontrolofthehardwaretotheLinuxkernel.TheLinuxkernelandanysoftwareorfirmwarecustomizationsareusuallyallpackagedtogether.Onsomedevices,theyarecalledaROM.ThenameROMisaslightmisnomerbecauseNANDstorageisnottrulyread-only.Otherdevicesrequirecustomimages(inIMGformat)tobewrittentomemory;stillothershavethekernelpackagewrittenfromanRUUfile.Howeverthekernelpackageisplacedonthedevice,thebootloadermustknowwhereitislocatedandhowtohandoverthereinstoit.4.Thelaststepistheinitialization(INIT)process.TheINITprocessisthemotherofallotherprocessesthatrunonyourdevice.Itinitializesalloftheprocessesnecessaryforbasichardwareaccessanddevicefunctionality.ItalsostartsuptheDalvikvirtualmachineprocesseswheremostapplicationsareexecuted.
Throughthiswholestartupprocess,theimportantthingforyoutounderstandisthatmostofthehoopsyouhavetojumpthroughwhenrootingyourAndroidaretoachieveoneorbothoftwogoals:
•tosetS-OFF,therebyallowingyoutoloadyourowncustomkernelpackage
•toinstallacustomsecond-stagebootloadertoallowyoutoignoretheS-ONorS-OFFstateandloadyourowncustomkernelpackage.
Onsomedevices,neithergoalisachievableandyoumustuseworkaroundstocarryoutdevicecustomizations.Deviceswithcompletelyencryptedbootloaders,suchastheMilestoneandDroidX,canstillbecustomizedtosomeextent.Theamountofcustomizationyouareabletoachieveonthesedevicesislimitedandtheprocessisusuallyalittlemorecomplex.
CustomRecoveries:TheHolyGrailArecoveryisaseparate,standalonepieceofcodeonapartitionthatcanbebootedinordertoupdateAndroidandmaintainthedevice.AlmostallAndroiddeviceshavearecoverymodeintowhichtheycanbebooted.Oneof
yourgoalsasanAndroidhackeristogetacustomrecoveryontoyourdevice.Customrecoveriesallowyoutoincludemanyextrafeatures,includingeasycustomizationandbackup.
Arecoveryallowsyoutodousefulthingssuchasresettingadevicetofactorysettings,clearingthedatacache,andinstallinganofficialsignedupdatetotheAndroidoperatingsystem.Figure1-2showstheAmonRarecoveryscreen.Unfortunately,thecatchisthatthedefaultrecoveryprocessformostdevicesonlyinstallsupdatestoAndroidthathavebeensignedwiththeOEM’sdigitalsignature.
Ifyoucanachievefullrootandfullcustomrecovery,youcaneasilychangetheROMorfirmwarepackageinstalledonyourAndroiddeviceandcreatefullfilesystembackups,includingbackingupapplicationdata.DevelopersofcustomrecoveryprocessesincludemanyoptionsnotincludedinthestandardAndroidbootprocess.Figure1-3showsthescreenforthepopularClockworkModrecovery.ThisrecoverygivesyouthecapabilityofflashingacustomfirmwarepackagetoyourAndroiddeviceveryeasily,aswellasbackingupthefirmware,data,andcacheandstoringthemonyourSDcard.
Figure1-2:AmonRarecoveryscreen
Whichcustomrecoveryyouusedependsonpersonaltasteandthecompatibilityofyourdevice.TheAmonRaandClockworkModrecoverieseachworkonsomedevices.TheXDAforumsareagoodresourcetoseeifyourdeviceissupportedbyeitherofthosecustomrecoveries.Typically,the
processofrootingadeviceincludesinstallingoneoftheserecoveries.Ifyourdeviceissupportedbyacustomrecovery,youshouldinstallitimmediatelyafterrooting.Youcancheckthedeveloperwebsitesfordevicesupport.
Chapter4includesacompletewalkthroughfortheClockworkModrecovery.
Figure1-3:TheClockworkModrecoveryscreen
Chapter2:RootingYourAndroidDevice
Inthischapter:
•Whatisrooting?
•WhyyouwouldwanttorootyourAndroiddevice•Backingupdatabeforerooting•DifferentmethodsofrootinganAndroiddevice
•Howtogainrootpermissionsontwospecificdevices
YouhaveprobablyheardyourlocalAndroidgeekmentionrootingorreadontheWebsomewhereaboutrootinganAndroiddevice.Rootingmaysoundmagicalandmysterious,butitisafairlysimpleidea.Atitscore,rootinggivestheownerofadevicemorecontrolandaccess.
ThehighestlevelofprivilegeyoucanhaveonaLinuxsystemistobeloggedintothedeviceastherootuser,sometimescalledthesuperuser.Theterms“superuser”and“root”bothrefertothesamething.
WhyIsItCalled“Root”?ThetermrootcomesfromthehierarchicalnatureofthefilesystemandpermissionsinUNIXandLinuxoperatingsystems.Thebranchesofthefilesystemandusersresembleaninvertedtree.Therootofafilesystemisthebeginningofallthefilesanddirectories.Therootofthepermissionssystemisthebeginningofallpermissionsand,thereby,themostpowerfulandprivileged.
TherootlevelofpermissionexistsonLinuxsystemstoprovideadministrativeaccess.Loggedinasroot,thereislittlethatyoucannotdo.Roothaspermissiontoreadandwritemostplacesinthefilesystemandchangesystemsettings.Becauseofthis,thehighestgoalforanyhackeristoobtaintheabilitytologintoaLinuxdeviceasroot.
ItisthisveryhighlevelofprivilegethatyouareseekingwhenyourootanAndroiddevice.YouneedtherootlevelofpermissiontocustomizeyourAndroiddeviceinmanyways.
WhyShouldYouRoot?Thebenefitsofrootingyourdeviceincludesavingmoney,asyouextendthelifeandusefulnessofyourdevice,andfixingproblemscreatedduringdevelopmentormanufacture.Therearealsosidebenefitsofaddingfunctionalityandremovingrestrictionsimposedbythecarrierororiginalequipmentmanufacturer(OEM).However,thereareinherentrisksinusingroot-levelapplications,astheyaregivenaccesstoalldatafromallapplicationsinstalledonthedevice.Luckily,thisriskcanbemitigatedbyonlygivingrootpermissionstotrustedapplications.
IncreasingtheServiceLifeoftheDeviceOneofmyco-workerspurchasedoneofthefirstAndroiddevicesreleased,theHTCDream,alsoknownastheG1.Mattlovedthephone,butquicklyrealizedthatnewversionsofAndroidwouldrunslowlyornotatallonhisdevice.
AftertheÉclairreleaseofAndroid,itwassimplynotintheinterestoftheOEMsorthecarrierstoinvestinrecompilingAndroidforoldhardwareandworkingoutallthebugs.Matt’sG1wouldeventuallygetthenewversion—butnotsoonenough.CarriersandOEMswouldpreferyoutopurchaseanewdevicewiththelatestAndroidversion.However,developersintheAndroidandphone-hackingcommunitiesaredeterminedtoportnewversionsofAndroidtoolderdevicestoextendtheirliveswithadditionalcapabilitiesandfeatures.DeveloperssuchasKoushik(Koush)DuttaandotherteamsworkingseparatelyandinconjunctionhaveportednewversionsofAndroidtoolderhardwarethatOEMsandcarriershavelongsinceabandonedandstoppedsupporting.ToinstallanewerversionofAndroidonolderhardware,youneedtoberootedandhavefullfilesystemaccess.
ThatoriginalG1purchasedbyMattisstillhiseverydayphone.ThankstohackersatXDAandintheAndroidcommunity,itsportstheFroyoreleaseofAndroid.TheG1wasneversupposedtohavesuchalonglife.MattwouldhavehadtopurchaseatleasttwomoredevicesaftertheG1toaccessthemanufacturer-suppliedfeaturesofAndroidFroyo.Thankstorootaccess,MattwillbeusinghisG1forawhiletocome.(Yep,heiscoollikethat.)
FixingOEMDefectsAsaresultofthebreakneckpaceofmobiledevicedevelopment,fartoomanyAndroiddeviceshaveshippedwithsomeformofdefect.Someofthedefectsareminor,suchasdroppingcallsorwritingslowlytotheSDcard.Otherdeviceshaveshippedwithmajorfunctionaldefects.Forexample,theSamsungGalaxySdevice(knownastheFascinatewhensoldbyVerizonandbyothernameswhensoldbyothercarriers)wasdesignedwithprettycurvesthatforcedtheGPSantennaintoabadpositionandcausedthedefaultGPSsignalcomputationcodetogeneratenoorerroneouslocationdata.Anotherwisebeautifulandpowerfuldevicewasgivenanunnecessaryandirritating,ifnotfatal,flaw.
TheXDAforumsandotherAndroidhackingcommunitiesusuallyhaveafixfordesigndefectsfairlyquickly—eventhoughitisdifficult,ifnotimpossible,toaddressahardwaredefectwithasoftwarefix.However,installingapatchorfixfrequentlyrequiressystemwriteaccess,forwhichyouneedrootpermissions.AndroidusershavecometoexpectthatanydefectorusageirritationcanbefixedorpatchedbytheAndroidhackercommunity.IthasbeensaidthatevenOEMssometimeswaittoseehowtheAndroidcommunityfixesbrokenfirmwarebeforereleasingtheirownpatches.
AndroidVersionCodenamesTheinitialreleaseofAndroidhadnoname,butsubsequentreleaseshaveallhadaprojectnameatGoogle.ThefirstAndroiddevicetobepopularlyreleasedwassimplycalledtheG1.ItranAndroid1.5,knownasDonut.
SomeoneatGooglemusthaveasweettoothbecauseeveryversionhasbeennamedaftersomesweetconfection,startingwithDonut.ThesubsequentversionshavebeencalledÉclair,Froyo,Gingerbread,andHoneycomb(thelatterseemstobypassthesweetconfectionsthemeandcutstraighttothesweetsource).Thelatestversion,Android4.0,iscalledIceCreamSandwich.
IncreasingCapabilityManyOEMsbuilddeviceswithcomponentsthathavecapabilitiestheyneverintendtoemploy.Forexample,manyAndroiddeviceshavethecapabilitytotuneintoFMradiosignalsbutthatfeaturewasneverenabledandapplicationswerenotcreatedforradiotuning.AsaresultoftheworkoftheAndroiddevelopmentcommunity,theNexusOnegainedbothanFMradioandtheabilitytorecordin720presolution.
OverclockingAlmosteveryAndroiddevicehasaCPUthatcanrunatspeedsfasterthanthoseenabledbytheOEM.TheCPUsareoftenclockeddowntoenhancebatterylifeorreducethepossibilityofheatissues.Asdistributed,theXoomrunsat1GHz,butitcanbemadetorunsafelyandstablyat1.4or1.5GHz.Thisgivesanincredibleperformanceboosttoanalreadygreatdevice.ManyotherAndroiddevicescanhavetheirCPUspeedupgraded,givingfasterperformanceandgreatercapabilitytotheuser.SpeedinguptheCPUiscalledoverclockingandisagoodreasontorootyourAndroiddevice.
CreatingaPortableHotspotManycarriersproducedevicesthatprovideawirelessconnectionpoint(a“portablehotspot”)towhichyoucanconnect,justasyouwouldtoanyWi-Fihotspot.Suchdevicesenableyoutocarryahotspotaroundwithyou.Aportablehotspotsendsdataoverthecellnetworkinthesamewayasyourphone.ThereislittlefunctionaldifferencebetweenyourmobiledevicerequestingInternetdataandaportablehotspotrequestingdatafromtheInternet.HotspotsfrequentlycostasmuchasasmartphoneandrequireanexpensivedataconnectionpackageinadditiontowhatyoualreadypaytoaccessthesamedataonyourAndroiddevice.
RootingyourAndroiddeviceenablesyoutouseyourphoneasaportablehotspotdevice.Itisvaluabletobeabletocreateatemporaryhotspotinanemergencyorforatravelingbusinesspersontobeabletodosoregularly.Sinceyoupayfordatafromyourcarrier,howyouaccessthatdatashouldbeyourchoice.MostOEMsdisablethisfeatureonyourAndroiddeviceunlessyoupurchaseanexpensivehotspotpackage,andcarriershaveavestedinterestinyoupurchasingmoredevicesandmoredataplans.It’sworthnotingthat,moreoftenthannot,usingyourphoneasahotspotviolatesthetermsofservicewithyourcarrier,sotreadcarefully.
CustomizingtheDeviceAlthoughperhapsnotthemostcompellingfactor,thedesiretohavecompletepoweroverthelookandfeelofyourdeviceisfrequentlythefirstreasonforahackertowanttorootadevice.Unlessyouhavethepowertowritetoanyportionofthefilesystem,yourcustomizationswillbetemporaryorlimitedin
scope.
Onceyouhaveinstalledacustomrecovery,youcanwritecompletefilesystemportions,includingportionsthatareusuallycompletelyunchangeable.Installingcustomizedfirmwareusuallyinvolvesflashingafirmwareorkernelpackagethatincludesuserinterfaceimagesandlayouts,scripts,applicationpackages,andmuchmore.Thetimerequiredtocreatethesecustomizationswouldpreventmostpeoplefromdoingit.However,dedicateddevelopersspendthelong,geekyhoursnecessarytochangethedefaultfirmwareandreleaseitasaROMorotherfirmwarepackagethatenablesrooteduserstoflashalargegroupofcustomizationsallatonce.ManydevelopersreleaseorannouncenewROMpackagesontheXDAforums.
OverclockingaDeviceOverclockingisatermthatmeans“givingmorespeed.”Itcomesfromthetechnicalideathatacomputer’sspeedisbasedon“clockcycles”measuredinhertz.Speedsof500MHz,800MHzand1GHzaremeasurementsofhowmanyclockcyclesaprocessorgoesthroughinamillisecond.Overclockingmeansforcingachiptorunataclockspeedthatishigherthanitsnative,orset,speed.Thisusuallymeansincreasingthevoltagetothechip,whichresultsinusingmorebatterypower,generatingmoreheatand,mostimportantly,providingmorespeedtothedeviceuser.
Thedrawbacksofoverclockingarethattheincreasedheatanddropinbatterylifemayreducethelifeofthedevice.Manufacturersspendmonthsperfectingtherightfrequencyforthehardwarebasedontheplacementofchips,lifespanrequired,heatdissipation,andsoon.
BackingUpDataMostuserdataissafefromthedestructiveactionstakenduringrooting.However,applicationsandapplicationdataareremovedbyrootingorunlockingadevice.Forexample,usingtheFastbootOEMunlockdescribedinChapter3resultsinallofthe/datapartitionbeingwiped.Itisimportanttobackupimportantdataandassumethatyouwilllosealldatawhenhacking.
Afteryouhavesucceededinrootingyourdevice,backinguptheentireAndroidfilesystembecomesveryeasyandprovidesgreatpeaceofmindwhenyouchangedevicesorcustomizeadevice.ArooteddevicecaneitherperformacompleteNANDroidbackup,ifithasacustomrecovery,oramorefinelytunedapplication-specificbackup,usingaprogramsuchasTitaniumBackup.
ContactInformationGooglekeepsallofyourAndroidphoneandemailcontactinformationinitsdatacloud(thatis,theinformationisstoredonGoogle’sservers).Whenyouactivateaphonewithyourlogininformation,itpullsallofyourstoredcontactsbacktothephone.Aslongasyoudonotspecificallycreateacontactthatisstoredonlyonthephone,AndroiddevicesautomaticallysynchronizeallcontactstotheGoogleserversandyouneedneverfearlosingcontactdata.
BootingfromanSDCardSomeAndroiddevices,suchastheNookColorandWonderMediatablets,requireacustomSDcardforrooting.AspecialfilesystemandupdatescriptiswrittentoanSDcardusingaPC.TheSDcardistheninsertedintothedeviceandthedeviceisrebooted.ThedevicebootsfromtheSDcardandflashescustomfirmwareandbootloaders.
IfyoufindoutfromtheXDAforumthatyourdeviceneedstobootfromanSDcard,itisbesttouseaseparateSDcardonwhichyouhavenotstoreddata.MostmethodsofmakinganSDcardbootablewillcompletelyerasethedatafromit.
Often,rootingaphoneorAndroiddevicesetsthephonebacktofactorydefaults,resultingindata(includingcontactinformation)beingwipedfromthephone.ThismeansthatyouneedtosignintoyourGoogleaccountandletitsynchronizeallofyourinformation.Manyone-clickrootmethodsthatrunanexploitonyourdevicewillnotwipeyourdata,thoughyoushouldalwaysbeparanoidwhenitcomestobackingup.
ApplicationsandTheirDataAsimilarsituationexistswhenitcomestoGoogleAppsMarketplaceapplications.Whenyoudownloadandinstallanapplication,arecordthatconnectsyourlogininformationwiththatapplicationisstoredontheGoogleservers.Whenyoureactivateadevicewithyourlogininformation,itsynchronizesautomaticallywiththeGoogleAppsMarketplaceandautomaticallyinstallsanymissingapplications.
Althoughapplicationsarerestored,anydatastoredbyanapplicationwillmostlikelybelostunlessitwasspecificallybackeduporstoredtotheSDcard.Onsomedevices,youalsorisklosingalluser-createddata,suchasphotosanddocuments.Ifyouhaveimportantdatathathasbeencreatedbyanapplication,it’sagoodideatofindouthowtobackupandrestoreit(lookon
theXDAforum).Itisbesttoassumethatanyhackingprocesswillcauseallyourdatatobewiped.
DataontheSDCardAndroidstorescamerapicturesandvideosonyourSDcard,andyoumaywanttobackthoseuppriortohackingthedevice.DatastoredontheSDcardofanAndroiddeviceis,typically,safefromrootingactivities.However,it’salwaysagoodideatousetheMediaTransportProtocol(formostAndroid3.0+devices—USBMassStoragemodeforothers)ortheADBPULLcommand(seeChapter3)tocopyallofthedatafromyourSDcardtoabackupfolderonyourcomputer.
HowYouCanRootandLeaveYourOEM’sControlTheprocessofrootinganAndroiddevicevariesbasedonthemodelofyourdevice.Adevicethathasbeenavailableforawhilemayhavemultiplerootingmethods.Inthenextsection,wewalkthroughtheprocessofrootingwithtwodevices.Chapters3and4covermostofthecommonskillsandtoolsneededtoobtainroot.
Themethodsofobtainingrootfallintobroadcategories:
•OEMflashsoftwareforwritingfirmware•exploits•nativeFastbootflash
•scriptedorautomatedmethods.
TheseareverybroadandsubjectivecategoriesthatIhavecreatedfororganizationofthissection.Manydeveloperswilllikelytakemetotaskforthecategorizationoftheirmethodorutility.
YoucanfindoutwhatrootingmethodsareavailablebylookingintheXDAforumforyourspecificdevice.Forinstance,therootinginformationandproceduresformyXoomtabletarelocatedintheXoomAndroidDevelopmentsubforumoftheMotorolaXoomforum(http://forum.xda-
developers.com/forumdisplay.php?f=948).Mostprovenrootproceduresare“stickied”atthetopofthelistofpostssothattheyareeasytolocate.
Whetherthebootloaderorrecoveryisreplacedonyourdeviceusingflashsoftware,anexploitortheFastbootprotocol,theprincipleisthesame:rootpermissionisthefirststeptowarddevicecustomization.
OEMFlashSoftwareOnsomedevices,thefirsttimeyouacquireroot,youmustusethenativeOEMdiagnosticorflashsoftware.Afterflashingthefirmwareandaccessingroot,youwillusuallyuseacustomrecoveryforfurtherfirmwarechanges.
EducatingYourselfItisveryimportantthatyoureadeverythingthatisavailableaboutyourdevice.Readtheinitialrootinstructionsandanystickiedposts.Readtheentirethreadthatisconnectedtoyourdevice’srootprocedure.Plantospendacoupleofdaysjustreadinguponotherpeople’sexperienceswithrooting,themingandROMingyourdevice.Mostnewbiemistakesareeasilyavoidedifyoutakealongviewandhaveenoughpatiencetoreadeverythingavailableforandaboutyourdevice.Ahackerisaself-educatedandverypatientanimal.
Becauseyouareacceptingalltheriskandresponsibilityfordestroyingyourdeviceormakingitbetteryoushouldthinkmore“marathon”than“sprint”whenbeginningintherootingandhackingcommunity.ReadalotandaskquestionsonlyafterusingthesearchfunctionintheXDAforum.
Inparticular,it’sagoodideatoknowyourunbrickoptions(ifthereareany)beforeyouattempttorootyourdevice.IntheXDAforum,searchfortheterm“unbrick”andyourdevicename.
RootcanoftenonlybeachievedbyflashingacompletesignedfirmwarepackagewithOEMtools.Ifyourdevicerequiresanexternalprogram(otherthanthenativeAndroidSDKtools—AndroidDebugBridge(ADB)andFastboot)towritethenewfirmwarethefirsttime,thenitwillneedacompletesignedfirmwarepackage.Forexample,thefirstrootmethodavailablefortheDroid1involvedusingMotorola’sRSDLitetechniciantooltoflashacustombootloadertothebootsectionofthefilesystem.Similarly,manydevicesfeaturingtheNVIDIATegra2processorrequiretheuseofNVFlashandSamsungdevicesoftenmakeuseofODIN.
SometimestheonlywaytorecoverabrickeddeviceistouseOEMflashsoftware.
TheadvantagesofusingOEMflashsoftwarearethat:
•Itisusuallyfairlysafeandstraightforwardtoattempt.•Therearerelativelyfew,uncomplicatedstepsintheprocess.
ThedisadvantagesofusingOEMflashsoftwarearethat:
•Itissometimesdifficulttouseorunderstand.Atbest,theinterfaceissparse;atworse,itcanbeinlanguagethatyoudonotunderstand.
•OEMdebuggingsoftwarecanbedifficulttofindandkeepupdated.
ExploitsAnexploitisavulnerability(or“crack”)intheoperatingsystemthatcanbeexploitedbyahacker.Exploitscomeinmanytypesandformats.Forinstance,oneoftheearliestmethodsforgainingrootontheEVO4GwasanexploitofasecurityvulnerabilityintheAdobeFlashapplication.
IntheworldofLinuxoperatingsystems,hackingthroughtoauseableexploitispartscience,partartandalotofgutinstinctbuiltonexperience.Findingavulnerabilitythatcanbeexploitedisthefirstgoalofthedevelopercommunitywhenanewdeviceisreleased.Advancedhackersandgeeksracetobetheonestofindthecrackinthecodethatcanbeusedtofreealocked-downdevice.ThreadsexploringpossibilitiesontheXDAforumcanstretchtothousandsofposts.
ExploitsaresomeofthemostfunandrewardingwaystorootyourAndroiddevice.AbouthalfwaythroughrootingmyfirstHTCThunderboltusingScottWalker’sASHexploit,Irememberthinking“Wow,Iamreallyhackingthisthing.IfeellikeanactorinMissionImpossible.”ThatpsneuterexploitwrittenbyScottWalker(scotty2walkertotheAndroidhackercommunity)isagoodexampleofasimpleexploitthatwasusedtodosomereallycoolstufftogetaccesstoroot.ThepsneuterscripttakesadvantageofthefactthattheAndroidDebugBridge(seeChapter3),ifitcannotdeterminetheS-ON/S-OFFstate,assumesS-OFFanddefaultstomountingthefilesystemasreadableandwritablewhenyoulauncharemoteshellaccesstoanunrooteddevice.Thislittleexploitcanbeutilizedtowritetosectionsofthefilesystem,suchasbootsectionsandrecoverysections,thatwouldotherwisebeinaccessible.
Iamnotexperiencedenoughanddonothavethecodingskillstoprogramthe
psneuterexploit,butScottWalkerreleasedthecodetotheAndroidcommunity.Asaresult,IcanuseittofreemyAndroiddevice.IhaveneverhadmorefunthanwhenparticipatingwiththeAndroidcommunityattheXDAforumtohackanewAndroiddevice.
Theadvantagesofusinganexploitarethat:
•ItcanallowaccesstoatightlylockedOEMdevice.•Itisfunandmakesyoufeellikeahacker.
•ItisusuallydifficultfortheOEMtopatchandeliminatetheexploit.•Anyonecandoitusingtheskillsoutlinedinthisbook.
Thedisadvantagesofusinganexploitarethat:
•Itisacomplexprocessthatrequiresknowledgeandskill.
•Itiseasytodosomethingincorrectly.•Thereisahighpossibilityofbrickingthedevice.
NativeFastbootFlashWhenadeviceisleftunlockedorisunlockable,itcanbebootedintoFastbootprotocolmodetoacceptFastbootcommands.Fastbootallowsyoutoflashacompletefilesetorafilesystembundledintoasinglefile(knownasan“image”)todifferentareasofthefilesystem,suchasbootorsystem.
Mostfirst-generation“Googleexperience”devices,suchastheNexusOne,Xoom,andNexusS,haveunlockablebootloadersthatallowthesecurityswitch(S-OFF)tobeturnedoff,usuallyviatheFastbootcommand.However,notalldevicessupportFastbootnatively.Inotherwords,unlesstheOEMintendedyoutouseFastbootcommandsfromyourPC,youwillnotbeabletodoso.TheFastbootcommandanditscapabilitiesarecoveredinChapter3.
TheadvantagesofusingFastbootarethat:
•Theinstructionsaresimpleandfairlyeasytofollow.•Itisaneasymethodwithrelativelylowrisk.
ThedisadvantagesofusingFastbootarethat:
•Alimitednumberofdevicessupportit.•Command-lineskillsarerequired.
•PerformingaFastbootOEMunlockwillclearthe/datapartitiononthedevice.
ScriptedandOne-ClickMethodsThisisaverybroadcategorythatincludesmethodsfromtheverysophisticated,suchastheunRevokedrootmethod,tosimpleADBscripts.Scriptedmethodsusuallyinvolvealotlessuserinteractionthanstep-by-steprootingmethodsthatuseADBorOEMtools.Asaresult,theytendtobeeasierandmorereliable.Custombinarymethods,suchasunRevoked,relyonaproprietarylinkacrossyourUSBconnectionorrunninganapplicationdirectlyonyourdevice.Evenso,proprietarymethodsperformthebasicfunctionofreplacingthebootloaderorrecoveryprocessonthefilesystem.
DebateaboutScriptedandOne-ClickRootsThereisanongoingdebateintheAndroidcommunityaboutone-clickandscriptedmethods.SomedevelopersfearthatOEMswillcrackdownonthesemethods.Othersarguethatmakingrootingeasierlowersthebar:theeasieritis,themorepeoplewillaccidentallybricktheirdevicesandattempttoreplacethemunderwarranty,causingOEMstomakerootingmoredifficultintheirnextrelease.
Theclearadvantageofusingascriptedorone-clickrootmethodisthattheprocessismucheasier.
Thedisadvantagesofusingscriptedandone-clickmethodsarethat:
•Thehackerhaslesscontrolovertheprocess.•Theendresultisachievedwithoutlongperiodsoffrustration.•Fewerdevicesarecompatiblewiththesemethods.
RootingTwoDevicesThissectionprovidesageneraloverviewcomparingtwomethodsofrootingattwolevelsofdifficultyontwophones.TheNexusOneisadeveloper’sphone;itwasdesignedtobeveryeasytorootandcustomize,andweuse
Fastboottorootit.TheThunderboltismoredifficulttoroot,andweusethepsneuterexploitscript.
Don’tworryaboutanyterminologyyoudonotunderstand.Itwillbecomemorefamiliartoyouasyouproceed.
NexusOneInthissection,weunlockandrootaNexusOnephone.Googleplacedaremovablelockonthebootloader,sofirstyouhavetounlockitusingadevelopertoolcalledFastboot.Onceunlocked,thedeviceissimpletohackandroot.WhenanOEMallowscommunityunlocking,itmakeseverythingthatfollowssimpler.
1.ConnecttheNexusOnephonetoyourcomputerwithaUSBcable.2.PlacethephoneinFastbootmodebybootingwhileholdingacombinationofkeys(thespecificcombinationdiffersbasedonyourdevice).FastbootmodeallowsthephonetoacceptcommandsfromtheFastbootprotocol.3.Fromacommandshellwindowonyourcomputer,runthefollowingcommandtounlockthebootloader:fastbootOEMunlock
4.RebootthephoneonceagainintoFastbootmode.5.Runascripttoinstallthe“superboot”bootloaderonthedevice.
Atthispoint,theNexusOneiscompletelyrooted.
HTCThunderboltAmoredifficultrootisexemplifiedbytheThunderboltfromHTC.HTClockedthebootloaderandmadeitverydifficulttoaccessthefilesystemasarootuser.Thisoverviewshowstheincreasedlevelofcomplexitythatcomeswithalockedbootloader.Itisahigh-levelviewofthestepsnecessary—seeChapter9forthedownanddirtydetails.
1.ConnecttheThunderbolttoyourcomputerwithaUSBcable.2.UsetheADBdevelopertooltopushthefollowingitemstotheSDcard:
•thepsneuterexploitscript
•theBusyBoxutility
•anewbootloaderimagefile.3.UseADBshellcommandstochangethepermissionsonthepsneuterscriptandBusyBoxsotheycanbeexecuted.
4.UseADBshellcommandstorunthepsneuterexploitscripttogaintemporaryrootaccesstothesystemfiles.5.UsetheBusyBoxMD5SUMcommandtomakesuretheimagefileisexactlythesameastheoriginalfromwhichitwasdownloaded.6.UsetheBusyBoxDDcommandtowritetheimagefiletothebootloadersectionofmemory.
7.UseADBshellcommandstopushadowngradefirmwaresignedbytheOEMtotheSDcard.8.Forcethephonetorebootandinstallthesigneddowngradefirmware.
9.UsetheADBdevelopertooltopushthefollowingitemstotheSDcard:•thepsneuterexploitscript
•theBusyBoxutility
•thewpthisscript.
10.SetthepermissionsonpsneuterandrunittogainADBshellrootaccess.11.Setpermissionsonwpthisandrunittogainaccesstothelockedbootloader.
12.UseADBtopushanewbootloaderimagetotheSDcard.13.Writethenewbootloadertothecorefirst-levelbootloader.
14.UsetheBusyBoxMD5SUMcommandtomakesurethehashofthenewbootloadermatchesthebootloaderimagefile.15.IftheMD5SUMisincorrect,repeatSteps12–14untiltheMD5SUMiscorrect.16.PushanewunsignedcustomsystemfirmwaretotheSDcard.
17.Rebootthephoneandletthenewbootloaderloadthecustomfirmware.
Atthispoint,theThunderbolthastheS-OFFbootloader.Therearethen10morestepstoinstalltheSuperUserapplicationandgainpermanentrootaccess.Asyoucansee,rootingadevicethathashaditsbootloaderlockedbytheOEMissignificantlymorecomplexthanrootinganunlockeddevice.Hackingalockeddevicetoafreeandopendeviceisarewardingexperiencethat,onceaccomplished,willhaveyouseekingtorootmoredevices.
TheRootofItAllOnceyourdeviceisrooted,it’sreallyjustthebeginning.Applyingcustomfirmware,knownasaROM,requiresrootaccess.IfyouwanttoremoveOEMandcarrierbloatware,yourequirerootaccess.
AT&Tpreviouslypreventednon-marketapplicationsbeinginstalledondevicesitsupplied.Rootingoneofthesedevicesalloweduserstoinstallnon-marketandcustomapplicationsonanotherwiseseverelylimitedphone.
BloatwareAsmentionedinChapter1,carriersandOEMstakemoneyfromservicevendorsordeveloperstoplaceapplicationsonyourAndroiddevice.Thishelpsthemoffsetthecostofthedevice(orboostexecutivebonuses,dependingonyourpointofview).
Whateverthereasonstheseapplicationsareinstalled,theyarepermanentwhenyourdeviceisinitsunrootedstate.Youcannotuninstallthemorremovethem.Thisisroughlyanalogoustopurchasingacomputerthatcanonlyhave19programsinstalledonitandthemanufacturerforcesyoutohave5specificprogramsthatyoudon’twanttouse.Thisbloatwareoccupiestheverylimitedmemoryonyourdeviceandsometimesrunsservicesyoudon’tneedorwant,consumingbatteryanddatastorage.
Somelow-budgettabletsandphonescannoteveninstallapplicationsfromtheofficialGoogleAppsMarketplace.Ifyourootsuchadevice,youcaninstalltheGoogleAppsMarketplaceandaccessallthegoodiesthatmoreexpensivedevicescanaccess.
Asyoucansee,rootingyourAndroiddeviceisthedoorwaythroughwhichyoucantrulyownyourdevice.Iteliminatescarrierrestrictionsandremovesthelimitationsthatmightotherwiseforceyoutoupgradeorpurchaseadifferentdevice.
Chapter3:TheRightToolfortheJob
Inthischapter:•Hardwareandprerequisitesforhacking•AndroidDebugBridgebasiccommands•Fastbootcommands
•TheADBshell
Mostrootproceduresrelyonsimilartools.Theprocesses,exploits,andlevelofaccessmaydiffer,butthetoolkityouusetogetadevicetorunwithS-OFForrootfilesystemaccesswillalwaysbefairlysmall.Asolidunderstandingofthetoolsandhowtheyareusedwillhelpyouwithyourcomfortlevelwhenrootinganewdevice.
Ready,Set,...WaitIHavetoHaveWhat?Beforestartingmosthackingjobs,orevenanAndroidexploratorymission,youneedtobeabletoconnectyourphonetoyourcomputerandyouneedaccesstohackingtools.
ConnectingaPhonetoaComputerYouneedtomakesurethatyouhaveanappropriatecableforthephysicalconnectiontoaPCanddriverstoenableyourcomputertomakesenseoftheconnection.Manydevicesshipwithoutdrivers—theydependonnativedriversincludedwiththeoperatingsysteminstalledonyourcomputer.
Dependingonthemodesyourdevicehaswhenconnectedtoacomputer,thecomputermayrecognizeitasamass-storagedeviceandconnecttoitasifitwereanexternalharddriveormemorycard.
YouneedtoinstallsomeformofdebugordeveloperdriveronyourcomputerandmakesurethatUSBDebugging(debugmode)isenabledforanyinteractionsbetweenthecomputerandthephone.Debugmodeopensthe
connectionwithyourcomputerandallowssignalsandcommandstobesenttoandreceivedfromAndroid.
HackingToolsAndroidhackingtoolsfallintothreebasiccategories:
•developertoolsfromtheSDKandthirdparties•scripts•Linuxexecutablesandcommandsonthephone.
DevelopertoolsincludetheAndroidDebugBridge(ADB)andmoreadvancedtools,suchassmaliandbaksmali,fortakingapartAndroidapplicationpackage(APK)filesandputtingthembacktogether.
SomeLinuxshellcommandsareincludedontheAndroiddevice;othersareplacedonthedeviceduringthehackingprocess.ThemostpopularandeasiestbundleofLinuxshellcommandsforAndroidistheBusyBoxpackage(moreonBusyBoxlaterinthischapter).Thesecommandsareoftenexecutedinascript—aseriesofLinuxshellcommandsthatcanberuneitherfromtheAndroiddeviceorfromanADBshellonaconnectedcomputer.
OtherOptionsSomedevices,suchastheNookColorandoff-brandbudgettablets,arehackedbycreatingaspeciallyformattedSDcardthatcontainscustomfirmwareandscriptstoberunbytheAndroiddeviceonboot.Forthosedevices,theprerequisitesarealittledifferent.Youusuallyneed:•ablankSDcard•adiskimagefilewiththecustomAndroidROMandscripts
•anapplicationonyourcomputertowriterawdiskimages.
USBCablesYourdevicelikelyshippedwithacabletoconnectfromthedevicetoacomputer.ThemostpopularcableandconnectiontypeistheUSBmicro,showninFigure3-1.
Figure3-1:AUSBmicrocable
Dependingonhowmuchandhowroughlyacablehasbeenused,itmaybeabletochargeaphoneortabletbutbecompletelyunabletoreliablytransmitdata.Somecheapcables(usuallyfoundwithcheapcarchargers)onlyhavethechargingpinsofthemicroUSBjackconnected,sotheywillneverbeabletoconnecttoyourcomputerfordatatransfer.IfyourOEM’scableisingreatconditionwithoutharshbends,kinksorcattoothmarks,thenyoushouldbefine.However,ifyouhavelost,damagedorreplacedyourOEMcablemakesurethatyoureplaceitwithasimilarcable.
AUSBcableisaUSBcable.However,notallUSBcablesarecreatedequallyintermsofqualityandfit.ThemicrojackendofaUSBcableisparticularlypronetohaveapoorfitthatgivesabadconnectionorpoorlysupportsthedelicatejacksocketcomponents.Unfortunately,USBcableissuescanbedifficulttodiagnoseordetect.Unlessyouhavedisconnectionissuesthatareobviouslyrelatedtomovement,youwillneedtohaveasparecabletoswapwithasuspectedbadcable.
IfyouconnectyourdeviceviaaUSBhuboraUSBportonthefrontofyourcomputer,youarelikelytoexperienceconnectionissues.YourdeviceshouldbeconnectedtoaUSBportonthebackofyourcomputeroroneyouknowisdirectlyconnectedtothemainUSBbus.
IstruggledforhourswithmyXoomUSBcablepluggedintoafrontUSBport.
Thedeviceconnectsbutappearsas“offline”.Itinstantlyconnects“online”whenIplugtheUSBcableintotherearofmycomputer.
USBDebuggingWithaknown,orassumed,goodUSBcableconnection,youneedtoturnonUSBdebuggingonyourphoneortablet.DebugmodeallowsADBsystemcommandstotravelbetweenyourdeviceandyourcomputer.Youcanalsoviewsystemlogsandthefilestructure,andpushorpullapplicationsandfiles.However,somecautionmustbeexercisedwhenenablingUSBdebugging,asaconnectedcomputercanpotentiallyinstallapplications,copydata,andreadlogsonthedevice.
ItisimportanttorememberthatmanyoperationsyouperformwhileindebugmodeendbyautomaticallyresettingorturningoffUSBdebugging.Thismeansthatbeforeeachmajorstepinahackingprocedureyouneedtocheckthatyourdeviceisindebugmode.LuckilyAndroidmakesthisveryeasy.Wheneveryourdeviceisindebugmode,youwillseethedebugmodeiconinthenotificationbar(seeFigure3-2).
Ifyoudon’tseethedebugicon,youdonothavedebugconnectivityandADBwillnotwork.OnmostAndroiddevices,thefollowingstepsturnonUSBdebugging:
1.Accessthedevicesettings,usuallybytappingtheMenukeyorsoftbuttononthehomescreen.(OntheXoomandsomeothertabletdevices,youmusttaptheareaneartheclockandthentapSettings.)2.OntheSettingsmenu,tapApplications.
3.TapDevelopment.4.TaptheUSBdebuggingcheckbox.
5.ClickOKonthenotification.
ThedebuggingiconshouldbevisibleinthenotificationsareaasinFigure3-2.
Figure3-2:DebugmodenotificationsfromtheNexusOne(top)andtheEVO3D(bottom)
SomeAndroiddeviceshavetheabilitytoputtheUSBportintoothermodes,suchas“chargeonly”or“massstorage”.YoumayneedtoexperimenttodeterminewhichUSBportsettingsallowyourdevicetoworkwithADB.Usuallythe“chargeonly”or“Sync”settingsallowyoutostarthackingacrosstheADBconnection.ChecktheXDAforumforyourdevice—itislikelythatsomeonehasalreadyfiguredouttherequiredsettingsforyoutoconnectcleanly.
What’sDrivingThisThing?Thefirsttimeyouconnectyourdevice,adefaultsetofoperatingsystemdriversarelikelytobeused.ThesedriversarelikelytobegoodenoughforSDcardaccessandcharging.However,ADBneedsspecifickindsofconnectivitythatusuallyrequiresdeveloperorOEMdrivers.Thenextsectionshowsyouhowtoverifythatyouhavethecorrectconnectivity.
Toverifythedriverthatyouhaveinstalledonyourcomputer,youwillwanttoseethatthereisadriverwith“ADB”or“DebugDriver”inthedescription.Thestepsaredifferentfordifferentoperatingsystems.OnWindows,usetheDeviceManagertolookforanitemthatreferstoyourdeviceOEM’sname.Inotherwords,ifyourdeviceismanufacturedbyMotorola,youarelooking
foradevicewith“Motorola”orsomethingsimilarinthename.IfyouseeanitemwithADBinthedevicename,thecorrectdriversareinstalled.However,ifthereisawarningorerroricon(anexclamationpointorredX),thecorrectdevicedrivermaynotbeinstalledortheconnectionmaybemalfunctioning.
Tolocatethecorrectdriversforyourdevice,youusuallyneedtodownloadthemfromyourOEM’ssupportwebsite.Itisnotalwayseasytolocatethecorrectdevicepackagesevenwhenyouknowwhatyouarelookingfor.TheXDAdeviceforumsfrequentlyhavea“sticky”postthatcontainslinkstodevicedriverdownloads.SomeOEMs,suchasMotorola,haveadevicedriverhelperthatscansforconnecteddevicesanddownloadsthecorrectdrivers.
UsingtheAndroidDebugBridgeInthissection,wedemystifytheAndroidDebugBridgeandwalkthroughallofthecommandsyouneedtostartfreeformhackingortofollowrootinginstructions.TheAndroidDebugBridge(usuallycalledADB)allowsyoutoconnectyourAndroiddevicetoyourcomputer.
ADBisacommand-linetoolthatrunswithvariousswitchesorparameterstododifferenttasks.Intoday’sworldofprettypoint-and-clickinterfaces,returningtoacommand-lineinterfacemayseemcounterintuitive,thoughanygoodhackerworthhisweightinunlockedcellphonesiscomfortableusingacommandline.
Thecommandswithwhichyouneedtobefamiliarcanbebroadlyseparatedintotwocategories:
•CommandsthatdosomethingtotheAndroiddevice.ThesecommandsstartwithoneoftheAndroidSDKcommands,suchasadborfastboot.
•CommandsthatdosomethingonorintheAndroiddevice.ThesecommandsarerunintheAndroidshellandareusuallyenteredonacommandlinethatstartswithahashsymbol(#)oradollarsign($).
SomeofthecommandsyouwillusearenotADBorAndroidcommandsbutcommandsforyourcomputer’soperatingsystem.Themostcommonoperatingsystemcommandsyoumayneedare:
•changedirectory:tochangethecommandpromptcontexttoadifferentfolder(cdonWindows,MacandLinux)
•directorylisting:tolistthefilesandfoldersinthecurrentfolder(dironWindows;lsonMacandLinux)
•makedirectory:tomakeasubfolderinthecurrentfolder(mkdironWindows,MacandLinux).
Connectivitybetweenyourdeviceandyourcomputeristhestartingpointforallhacking.FamiliaritywithADBanditsbasiccommandswillhelpyouasyoufollowmoredetailedrootingorhackinginstructions.Ihavefoundthatafearof,orunfamiliaritywith,ADBistheprimarystumblingblockforbeginnerhackers.Ifyouuseeachofthecommandsonceduringthiswalkthrough,youwillbesettofollowactualhackingwalkthroughs.
Noneofthefollowingexamplesandwalkthroughsmakeharmfulchangestoyourdevice.However,ifyouwanttoplayitverysafe(likeareallygoodhacker),makesureyoubackupanydatafromyourdevice’sSDcard.Youmustselecttheappropriateoptioninyourdevice’sPrivacySettingsmenutoenablebackingupandrestoringofyourdataandapplications.
ContactsandapplicationsyouhavedownloadedfromtheGoogleAppsMarketplacearestoredintheGooglecloudandwillrestorethemselvesifnecessary.
TherestofthischapterassumesyouhavetheAndroidSDKtoolsinstalledonyourcomputer.RefertoAppendixAfortheSDKsetupprocedureifyougetthemessageshowninFigure3-3.
Figure3-3:MessageindicatingthattheAndroidSDKisnotsetupornotinthecurrentfolder
CheckingDeviceConnectivityThissectiondescribesthemosteffectivewaytodetermineifyourcomputerhastherightamountandcorrectkindofconnectivitywithyourcomputer.
TheadbdevicescommandallowsyoutoseethedevicesconnectedtoyourcomputerintheAndroiddebugcontext.ItisalsothecommandmostAndroiddeveloperswillaskyoutorunatthebeginningofanytroubleshootingsteps.
MakesurethatyourAndroiddeviceisconnectedtoyourcomputerandyouhavethedriversinstalledbeforecontinuing.RefertotheappropriateXDAforumforlinkstodevicedriversyoumayneed.
1.Openacommandpromptwindow.(InWindows,pressWindows+R;typecmdintheRundialogboxandpressEnter.)
2.Typeadbdevices.
TheresultsshouldbeasshowninFigure3-4ifyourdeviceisconnectedandthecorrectdriversareinstalled.Ifnodeviceserialnumberislisted,thenADBisworkingcorrectlybutyourdeviceisnotconnectedorthedriverisn’tinstalled(seethe“TroubleshootingaConnection”sidebar).
Figure3-4:TheadbdevicescommandshowingaconnectedHTCdevice
IfyougettheresponseshowninFigure3-3,thentheADBfolderisprobablynotsetupcorrectlyinyourPATHvariable.RefertoAppendixAforsettingupADBsothatitisaccessiblefromanyfolder.
Ifeverythingiscorrectlyconnected,theadbdevicescommandreturnsalistofdevicesconnectedtothecomputer.IfyouhavemorethanoneconnectedAndroiddeviceindebugmode,eachislistedwithitsserialnumber.AnyAndroidemulatorsyoumayhaverunningalsoshowup.
YoucanspecifythedevicetowhichyouwanttosendanADBcommandbygivingitsserialnumber.Thisisverytediousanditiseasiertoconnectonlythedevicewithwhichyouarecurrentlyworking.
RestartingtheADBServiceRestarttheADBservicefromthecommandpromptwiththefollowingsteps:
1.Typeadbkill-serverandpressEnter.
2.Typeadbstart-serverandpressEnter.
ThisshutsdowntheADBservicegracefullyandre-initializesit.Youcanthencheckagainfordeviceconnectivityusingadbdevices.
TroubleshootingaConnectionSometimesyourdevicewillloseitsconnection.Whenthishappens,theadbdevicescommandreturns“Listofconnecteddevices”followedbytheword“offline”.ThismeansthatADBknowsthereisadeviceconnectedbutitcannotcommunicatewiththedevice.
UsethemnemonicDUCKtoremindyouofthestepstotakeintroubleshootingaconnection:•Debugmode:Makesurethedeviceisindebugmode.
•USB:MakesuretheUSBcableisconnectedtoanappropriate(rear)portandthattheAndroiddeviceisintheproperUSBmode.•Context:MakesureyouarerunningyourADBcommandfromafolderinwhichtheADBbinaryexecutableisaccessible.
•Kill:Iftheconnectionstilldoesnotfunction,youmayhavetokillandrestarttheADBserver.
YoumayhavetorebootboththecomputerandtheAndroiddevice.Youshouldverifythatthedriveriscorrectlyinstalledandreinstallifnecessary.
YoushouldalsochecktheXDAforumforcommonorknownconnectionissueswithyourdevice.
CopyingFilestoandfromYourDeviceOneofthemostusefulthingsyoucanbecomfortabledoingis“pushing”filestoand“pulling”filesfromyourdevice.MostrootandS-OFFhacksrequirepushingascripttoadeviceandthenrunningitlocallyonthedevice.This
walkthroughhasyoupushasimpletextfiletoyourSDcardandlookonyourdevicetoseethatitislocatedthere.Doingthisoncewithaninnocuoustextfilewillgiveyouthecomfortlevelyouneedtopushothertypesoffiletoyourdevice.
Makesureyouhavealocalfilesystemexploreronyourdevice,suchasRootExplorerorESFileExplorer.Youneedtobeabletoexplorethedevicefilesystemtoverifythatpushingafiletoyourphonehasworked.
First,youneedtocreateatextfile:
1.Openacommandpromptwindowandnotethepath.2.UseWindowsExplorertonavigatetothatfolder.
3.Right-clickinWindowsExplorerandselectNew→TextFile.4.Renamethetextfiletosample.txt.
Theadbpushcommandusesthefollowingpattern:
adbpush<desiredlocalfile><desiredtargetlocation>
Copythetextfiletothedevice.Switchbacktothecommandpromptwindowandenterthefollowingcommand:
adbpushsample.txtsdcardsample.txt
TheresponseshouldbesimilartoFigure3-5.
Figure3-5:Theresultsoftheadbpushcommandsequence
Ifthefileyouwanttopushtothedeviceisnotinthecurrentcontextfolder,youneedtouseitsfullpath,asshowninFigure3-6.
Figure3-6:Thesyntaxoftheadbpushcommandsequence
Ifadbpushreturnsanerrormessagesayingthatthefilesystemis“readonly”,restarttheADBserverandattempttheactivitiesagain.Ifyoustillhaveproblems,tryreplacingthepathtotheSDcardwiththepathtothetmpfilearea(datalocal/tmp)towhichyoumayhavemoreaccessonanunrooteddevice.
Nowlet’schecktheSDcardonyourdevicetoseethepushedfile.Openthefileexploreronthedevice.NavigatetotherootofyourSDcard.Dependingonthefileexplorer,itmaybethedefaultfolder;ifnot,itwillbeafolderlistedintherootofthefilesystem.Figure3-7showsthefileontheSDcardusingESFileExplorer.
Figure3-7:Thesample.txtfileontheSDcardinESFileExplorer
Nowyouaregoingtopullthefilefromthedevicebacktoyourcomputer.Theadbpullcommandusesthefollowingpattern:
adbpull<desireddevicefile><desiredlocalfile>
ThecommandsyntaxissimilartothatshowninFigure3-6,withpullinsteadofpush.
Inyourcommandpromptwindow,enterthefollowingcommand:
adbpullsdcardsample.txtsample2.txt
RemembertopresstheEnterkeyafteryouenterthecommand.
Nowtypedir*.txtandthenpresstheEnterkey.Thiswillgiveyoualistofallthe.txtfilesinthecurrentfolder.Youshouldseethesample2.txtfilethathasbeenpulledfromyourAndroiddevice.
Thepullcommandpulledafilenamedsample.txtandwroteittoyourlocalfilesystemunderthenewnamesample2.txt.YouwillseethisagaininthesectionaboutfilemanagementandwilldoitmanytimeswhenfollowingarootinstructionguidefromtheXDAforum.Pullingafiletoanewnameallowsyoutokeepcopiesofthefilestraightandissometimesnecessarytocorrectlyflashimagefilesorupdates.
YoumayoftenwanttobackupsomepartofyourAndroiddevice’sfilesystemtoyourcomputer.Youmaywanttopullaspecificapplicationorsystemfile,alteritonyourlocalcomputerandthenpushitbacktoyourAndroiddevice.Youcancopyanyfileusingtheadbpullandadbpushcommands.
RebootingaDeviceAfterflashinganimageorwritingafiletothefilesystem,itissometimesnecessarytorebootthedevicecleanly.TheadbrebootcommandallowsyoutorebootyourAndroiddevicefromthecommandlineofyourcomputer.Youcanusetheadbrebootcommandwithoneoftwoswitches:
•bootloader:Thisoptionbootsthedeviceintothebootloadermenu(asshowninFigure3-8).ThebootloadermenuissometimesusedtoaccessFastbootandtoflashofficialfirmwareupdates.Fromthebootloadermenu,youcanbootthebootloadersequence,rebootthedeviceorpowerdownthedevice.•recovery:Thisoptionbootsthedeviceintotherecoveryinstalledonthedevice.Itrebootsintothefirmware(thefactoryrecoveryoracustomrecovery)installedintherecoverypartition.
Figure3-8:TheBootloaderscreenoftheMotorolaXOOMafterrunningadbrebootbootloader
ThePowerofFastbootTheFastbootcommandfromtheAndroidSDKisapowerfultoolforwritingtothefilesystempartitionsofanAndroiddevice.YouwillmostlyuseFastbootcommandstoflashimagefilesandthecontainedfilesystemstovariouspartitionssuchasthesystem,bootandrecoverypartitions.
FastbootcommandsarenotsomuchexploratoryorhackingtoolsastheyarespecifictoolsusedwhenyouaregoingtofundamentallychangethefilesystemonanAndroiddevice.Assuch,youshouldonlyusethemwhenyouknowspecificallywhatyouaretryingtoaccomplish.NotalldevicescanboottoFastbootmode.Typically,youonlyuseFastbootcommandsondevicesthathavetheabilitytounlockthebootloader.
TheFastbootcommanddoesnotliveinthesamefolderastheadbcommand.FastbootisintheC:\ProgramFiles(x86)\Android\android-sdk-windows\tools\folder.
Aswiththeadbcommand,youusevariouscommandsandoptionsfollowingfastboottochangewhattheFastbootcommanddoes.ThewalkthroughsandactivitiesbelowrequirethatyourphonebeinFastbootmode.FollowthestepsbelowtoattempttoputyourdeviceinFastbootmode:
1.Connectyourdevicetoyourcomputerandverifyconnectivityusingadbdevices.
2.TypeadbrebootbootloaderandpressEnter.
Yourdeviceshouldrebootintothebootloader.Makesuretoselect“FASTBOOT”orequivalentfromthebootloadermenu(seeFigure3-8).
UnlockingaDeviceAfewdevices,suchastheNexusOneandXoomtablets,haveabuilt-inabilitytounlockandallowthefollowingcommandtoberun:
fastbootOEMunlock
ThiscommandsequenceunlocksthebootloaderandallowsyoutorunFastbootflashandothercommandssothatrootcanbeacquired.
UpdatingaDeviceThefollowingcommandflashesanupdate.zipfiletotheAndroiddevice:
fastbootupdate
Thiscommandisnotusedmuchinhackingorrootingproceduresalthoughitcanbeusedtobringbackadevicethatissoftbricked.IfthedevicecanreceiveFastbootcommandsandyouhaveafullfilesysteminanupdate.zipfile,youcanrestorethedevicefromthatfile.
FlashingaDeviceTheflashcommandisperhapsthemostusefulFastbootcommand.ItallowsyoutowritethecontentsofanimagefiletoanamedpartitiononyourAndroiddevice.Theargumenttothecommandnamesthepartitionthatistobeflashed:
fastbootflashboot
fastbootflashsystem
fastbootflashrecovery
Ondevicesthathavebeenunlocked,theflashcommandisfrequentlyusedto
flashafilesystemwithrootaccess.Forexample,ifyouhaveanewboot.imgfilethatcontainsanunlockedbootloaderorrootaccesspermissions,youcanusetheflashcommandtowritethecontentstothebootpartition.
Itisimportanttonotethatflashingthewrongthingorinterruptingtheflashingprocesscanpermanentlybrickyourdevice.NeverflashanimagefiletoapartitionunlessyouarecertainthatyouhavethecorrectfileforyourdeviceandyouhavereadupontheprocessintheappropriateXDAforum.
RebootingaDeviceThiscommandissometimesusedaftertheFastbootflashcommandtorebootthedevicesothattheflashedfilesystemcanbebooted:
fastbootreboot
Insteadofbootingnormally,thefollowingcommandbootsyourAndroiddevicedirectlyintothebootloader:
fastbootreboot-bootloader
HarnessingthePowerofthePenguinwithADBShellADBcanalsobeusedasadirectconnectiontotheAndroidoperatingsystemandharnessthepowerofLinux.Thecommandsthatcanberunfrominsidetheoperatingsystemshellaremanyandvaried.
TheadbshellcommandopensupyourAndroiddevicetoallowyoutoruncommandsdirectlyonthedevice.TheshellisfrequentlyutilizedtomakechangestothebaseAndroidoperatingsystemfiles.
WhenyouconnecttoanAndroiddeviceusingADBshell,thecommandpromptonyourcomputerchangestoindicateyouarenolongerenteringcommandsthatarebeingpickedupandinterpretedbyyourlocalcomputer.InsteadyouareintheAndroidoperatingsystemandthecommandsyouenteratthepromptarepickedupandinterpretedbyit.
Toloadtheshell,typethecommandadbshell.Thefamiliarcommand
promptchangestoanenigmatic$or#.Thedollarsign($)istheAndroidoperatingsystem’swayoftellingyouthatitiswaitingforinputbutthatyouarenota“privileged”usersoyoucan’treallyharmanythingbypokingaround.Youonlyseethehashtag(#)promptifyouareintheAndroidoperatingsystemasrootuser.ThehashtagisabeautifulthingtotheAndroidhacker:itmeansthatyouhaveultimatecontrolovertheAndroidfilesystem.
WhileintheADBshell,youneedtoenterLinux(notDOS)commands.Forinstance,togetalistingoffilesandfoldersinafolder,youenterthecommandlsinsteadofdir.
YoucansendshellcommandstoyourAndroiddevicewithoutstartingtheinteractiveshell.Forexample,ifyouenterthefollowingcommand:
adbshellcpsdcardsample.txt
sdcardsample2.txt
itisperformedasifithadbeenenteredonthecommandlineoftheshell.ManyrootinginstructionshaveyourunADBshellcommandsinthisway.ItisashortcutthatallowsinteractivecommandstoberunwithoutactuallybeingintheAndroidshell.
FileSystemNavigationInthisexample,youopentheADBshellanduseafewLinuxcommandstonavigatethefilesystem.ThecommandswecoverhereareincludedinthedefaultAndroidconfiguration.BecauseAndroidisaslimmeddownandcustomizedversionofLinux,itonlyusesaverysmallsubsetofthepossibleLinuxcommands.AlatersectiondealswiththemorecomplexLinuxcommandsthatyouinstallwiththeexcellentBusyBoxpackage.
Inthissection,weopenanADBshellprompt,navigatethroughthefilesystemandexitfromthefilesystem.
AccessingtheADBShellPromptFollowthesestepstoopenanADBshellprompt:
1.Openacommandpromptwindowonyourlocalcomputer.2.Enterthecommandadbshell.
IfyourADBenvironmenthasbeensetupcorrectly,youareintheAndroidshell.Ifyoureceiveanerrormessage,checkforconnectivity(remembertheDUCKtroubleshootingmodel).
Ifyourphoneiscurrentlyunrooted,youshouldseethepromptchangetoadollarsign($)followedbyaflashingcursor(seeFigure3-9).
Yourcommandpromptwindowisnolongeroperatinginthecontextofyourlocalcomputer.Insteaditisa“shell”thatismirroringdirectlytotheAndroidoperatingsystem.
Figure3-9:TheADBshellintheAndroidoperatingsystem
ListingtheFilesinaFolderNowtakealookatthefilesandfoldersinyourcurrentAndroidfolder.TypethecommandlsfollowedbytheEnterkey.(Remember,commandsarenotexecuteduntilyoupresstheEnterkey.)
Lookatthelistedfilesandfolders.Itisnotreadilyapparentwhicharefoldersandwhicharefiles.Unlessyouaddflagstothelscommand,Linux(and,therefore,Android)doesnotmakeanyvisualdistinctionbetweenfilesandfolders.PokingaroundinAndroidsometimesmeanstypingamoreadvancedversionofthelistcommandtoseewhatkindoffileisinaparticularfolderlisting.
Anytimeyouseeafileorfolderwiththenameprecededbyaperiod,itisahiddenfileorfolder.Atthispoint,youarenotlikelytoseehiddenfilesorfolders.Thecommandls–sallowsyoutoseetheselessobviousfiles.
NavigatingtheFileSystemThenextactivitywalksyouthroughtheimportantskillsofviewingyourcurrentfoldercontentsandnavigatingfromfoldertofolder.
1.IntheADBshellwindow,typethefollowingcommandtogototherootofthefilesystem:cd/.
2.Enterthecommandls.Nowyoushouldseefilessuchassystemandetcinthefolderlisting.
3.Enterthecommandcdsystemtochangeyouractivefoldercontexttothesystemfolder.
4.Typethecommandls.Youshouldseethefilesandfoldersthatarelocatedinthesystemfolderscrollpast.
5.Nownavigatebacktotherootofyourfilesystembyusingthecommandcd/.
Linux,andthusAndroid,isacase-sensitiveoperatingsystem.SothecommandcdSystemreturnsanerror.ItisimportanttokeepthiscasesensitivityinmindasyoubeginhackinginAndroid.RememberthatCASEMATTERS!
Usingthecdcommand,youcanwanderallthroughyourAndroidfilesystem.Usingthelscommand,youcanseethefoldersandfilesinthecurrentfolder.
ItwillhelpifyoukeepinmindthattheAndroidfilesystemislikeaninvertedtree(seeFigure3-10),withtheotherfoldersbranchingdownfromtherootfolder.Usingthecdcommandtonavigateintoaparentfoldertakesyouupinthehierarchy.
Figure3-10:TheAndroidfilesystem“tree”
Youcanusethefollowingshortcutcommandtonavigateuponelevelinthe
folderhierarchy:
cd..
Ifyoustartatrootandnavigateto/sdcardandthento/myfolder,yourfullpathissdcardmyfolder.Enteringthecommandcd..thenmovesbackupfromyourcurrentlocationto/sdcard.
FileManagementHackingisallaboutgettingaccessandpermissionsthatarenotstandard.Soyouneedthreebasicskillsforhacking:
•navigatingandmanagingfiles•determiningwhohaswhatkindofaccesstofiles•changingwhohaswhatkindofaccesstoafile.
Wehavecoverednavigationandnowwegoontolearnhowtomanipulatefilesandtheaccesstothem.
Intheprocessofhackingcertaindevices,youwillneedtomovefilestoandfromtheSDcard.TheSDcardisalow-privilegefilesystem,whichmeansthatyoucanplacefilesontheSDcardandthenpullthemintotheprimaryfilesystem,usuallyafterexploitingsomepartofthesystemwithascriptsuchaspsneuter.
SomefilemanagementtoolsarenotavailableuntilyoufollowthestepstoinstallBusyBoxonarooteddevice.WediscussBusyBoxattheendofthischapterandinthedevicewalkthroughs.
CopyingFilesThefirstthingyouneedtodoisbeabletocopyfilesfromonelocationtoanother.InanyLinux-basedoperatingsystem,youusethecpcommandtocopyfilesorfoldersfromonelocationtoanother.Thecpcommandusesthepattern:
cp<sourcefilename><destinationfilename>
Forexample,thecommandcpsample.txtsample2.txttakesthesample.txtfileandcopiesittoanewfilenamedsample2.txt.Sotherewouldthenbetwofiles:sample.txtandsample2.txt.
Thecpcommandcanalsotakefullpathnamestocopyonefiletoanotherlocation.Tocopyafiletonewlocation,specifythefullpathforthedestination:
cpsample.txtsdcardmy_folder/sample2.txt
Frequently,youwilluseadbpushtoputanexploitscriptorfirmwarefileontoyourSDcardandthenusecptomoveandrenameit.
DeletingFilesTheremove(rm)commandallowsyoutodeletefilesandfoldersfromthefilesystem.Theremovecommandusesthepattern:
rm<pathandfilename>
ThereisnorecyclebininAndroid,sotheresultsofthiscommandarenotreversible.
MovingFilesThemovecommandisequivalenttocopyingafileanddeletingtheoriginal.WhenBusyBox(coveredlaterthischapter)isinstalledonarooteddevice,themovecommandisavailable.
mvsample.txtsdcardsample2.txt
Theabovecommandcopiesthesample.txtfiletoanewfileontheSDcardnamedsample2.txtandthenremovessample.txtfromthecurrentfolder.
FileManagementWalkthroughIfyoustillhavethesample.txtfilefromthe“CopyingFilestoandfromYourDevice”sectiononyourSDcard,youcannowusefilemanagementcommandstoplayaroundwithit.IfyoudonothavethefileonyourSDcard,pushasample.txtfiletoyourSDcard.
1.StartADBshellbyrunningadbshellfromthecommandpromptwindow.2.Atthe$prompt,enterthecommandcd\sdcard.
3.Enterthecommandls–l.
4.Verifythatthefilesample.txtislisted.
5.Enterthecommandcpsample.txtsamplecopy.txt.
Nowlet’smakeanewfolderandcopythesamplecopy.txtfiletoit.
1.Enterthefollowingcommand:mkdirMyDirectory.
2.Enterthefollowingcommand:cpsamplecopy.txtMyDirectorysamplecopy2.txt
FilenamesandcommandsinLinuxandAndroidarecasesensitive,somydirectoryisanentirelydifferentnamefromMyDirectory.
Nowdeletetheoldcopyofsamplecopy.txtandverifythefilewasmovedtoMyDirectory.
1.Enterthecommand:rmsamplecopy.txt.
2.Enterthecommandls–landcheckthatsamplecopy.txtisnotthere.
3.EnterthecommandcdMyDirectory.
4.Enterthecommandls–landcheckthatsamplecopy.txtisthere.
FileAccessPermissionsManycommandsintheAndroidshellcantake“switches.”Aswitchisaparameterthatisenteredwiththecommandtochangethewaythecommanddoesitsjob.Let’slookattheswitchesforthelist(ls)commandyoulearnedearlier.IntheADBshell,typethefollowingcommand:
ls-?
Theshellthrowsanerrorbutthenshowsyoualltheacceptableswitchesforthelscommand.Ifyouuseanyunacceptablesyntaxwithacommand,itshowsyouaquicklistingoftheacceptedswitchesandparameters.Inafull
Linuxinstallation,youwouldbeabletousethemancommandtoseetheappropriatemanualpage.Androidisatrimmed-downversionofLinuxanddoesnotincludethemanualpagesforcommoncommands.
SeeingFileAccessPermissionsNoticethatoneoftheswitchesthatyoucanusewithlsisthe-l(that’salowercaseL,notanumeric1)switch.Whenyouusethisswitch,thelscommandshowsmuchmoreinformation.Let’stryit.TypethefollowingcommandinyourADBshell:
ls-l
YouroutputshouldresembleFigure3-11.Noticeallthegibberishatthestartofeachline—lotsofDs,Rs,WsandXs.
Figure3-11:Outputfromls-l
YoucanconsidertheleftmostcolumnofinformationinFigure3-11tobeatableofrowsandcolumns.Eachrowreferstothefileontherightandthecolumnscontaininformationaboutthatfile(seeTable3-1).Column1indicatesafolderbytheletter“d.”Thenextninecolumnsrefertotheaccesspermissionsforaclassofperson.Columns2–4showtheaccesspermissions
fortheUserclass;columns5–7fortheGroupclass;andcolumns8–10fortheOthersclass.
ThetwoaspectsofpermissionsonanAndroidfilearewhohasthepermissionandwhatkindofpermissiontheyhave.Thewhodefinitionisbrokendownintothreeclassesofpeople:
•Useristheownerofthefile.•Groupmeansalltheuserswhoareinthesamegroupasthefile’sowner.
•Othersmeansalltheotherusersonthedevice.
Eachgroupofthreecolumnsrecordsthekindsofpermission(Read,WriteandeXecute)thattheclassofpeoplehaveonthefile.Table3.1showsthepossiblevalueofeachcolumn.Ifaclassdoesnothaveaparticularpermission,thereisadashinthatcolumn.
OnanAndroiddevice,theimportantpermissioncolumnsarethoseforUserandOthers.Youwillneedtochangethepermissionlevelsofsomescriptsandbinaryfilesyouaddtoanunhackeddevice.
ChangingFileAccessPermissionsThechangemodecommand(chmod)isoneofthesinglemostimportantcommandsyoucanlearninAndroidhacking.Itisthecommandthatchangesthepermissionsandaccesstofilesandfolders.
YoucansetthepermissionlevelforacertainclassusingU,GandOtoindicateUser,GroupandOthersandusinganoperator(+or-)toaddorremoveapermission.Forexample,thefollowingcommandwouldsetthereadandexecutepermissionsfortheUserandOthersclasses:
chmoduo+rx<filename>
Nowthatmayseemsimpleenoughbutinstructionsandwalkthroughsusually
don’tusechmodinthatway.Instead,theyuseanumericvalueforaparticularlevelofpermissionforeachclass.ThepossiblenumericvaluesandtheirmeaningsarelistedinTable3-2.
Table3-2OptionsforthechmodcommandValue Permission
7 Full
6 Readandwrite
5 Readandexecute
4 Readonly
3 Writeandexecute
2 Writeonly
1 Executeonly
0 None
Asinglenumericvaluerepresentsthepermissionforeachofthethreeclassesofuserorgroup.Ifyoudeterminethatyoursample.txtfileshouldgivefullrightstoUserandread-onlyaccesstotheGroupandOthersclasses,thenthatpermissioncouldbesetusingthefollowingcommand:
chmod0744sample.txt
Ifyoudonothaverootaccess,youmaynotbeabletocarryoutthefollowingactivityonfilesinyourSDcardfolder.Ifthisisthecase,pushthesample.txtfiletothedatalocal/tmpfolderonyourdeviceandthentrytheactivityagain.
1.InyourADBshellwindow,enterthecommandcd/sdcard.
2.Enterthecommandlstoverifythatsample.txtisstillthere.
3.Enterthecommandls-lsample.txttoseewhichpermissionlevelsaresetforthefile.4.Enterthecommandchmod0775sample.txttomakesample.txtexecutable.
5.Enterthecommandchmod0766sample.txttochangethepermissionsforGroupandOtherstoreadandwriteonly.
Atfirst,thechmodcommandcanseemverydauntingandconfusing.Usuallyyoudonotneedtoworryabouttheoverallstructureofpermissionsforfilesandfolders;theinstructionsforarootingproceduresimplytellyouwhichfiletochangepermissionsonandhowtodoit.
RedirectionandPipingRedirectionallowsyoutowritetheoutputofacommandtodisk.Theredirectionoperator(>)causestheoutputofacommandtobewrittentoanamedfile(ifthefilealreadyexists,itisoverwritten).Forexample,thefollowingcommandputsthelistoffilesintolisting.txt:
ls-l>listing.txt
Pipingmeansusingtheoutputofonecommandastheinputofanothercommand.Thepipeoperator(|)takestheoutputofacommandandsendsitasinputtoanothercommand.Forexample,thefollowingcommandtakesthefolderlistingandpipesittothemorecommand(whichdisplaystheoutputonescreenatatimeandpromptstheuserforthenextscreen):
ls-l|more
1.InyourADBshellwindow,enterthecommandls-l>
\sdcard\listing.txt.
2.Enterthecommandmore\sdcard\listing.txttodisplaythecontentsofthelisting.txtfilecreatedwiththeredirectionsymbol.
3.Enterthecommandls–l|moretoseethatthepipegivesthesameresultasSteps1and2.
ConcatenationTheconcatenatecommand(cat)takesthecontentofafileorfilestructureandstreamsitouttoafileortothescreen.Forexample,youcanstreamthecontentsofafilesystemtoasinglefileusingtheredirectionoperator.Forinstancetogetabitbybitcopyofafilesystem,youcouldusethefollowingcommand:
cat/data >data.img
Thiscommandoutputsthecontentsofthe/datafoldertoanimagefile.
BusyBox:GivingthePenguinBackItsPowerOnlyahandfulofLinuxoperatingsystemcommandsareincludedwithAndroid.BusyBoxisanexcellentmulti-utilitybinarythatwasoriginallydevelopedbyBrucePerensandhasmaturedintoanincredibleSwissArmyknifeofLinuxutilities.ItiscurrentlymaintainedbyStericson,aseniormoderatoratXDA.WhenyouinstalltheBusyBoxbinary,yougetamuchlargersubsetofLinuxcommands,alloptimizedforsmallsystemsandlimitedresources.BecausetheBusyBoxutilitiesareinasinglebinary,theycansharecode,whichmakesforasmallinstallationpackage.
BusyBoxwillbeaconstantcompanioninyourhackingofAndroiddevices.AlotoftheadvancedLinuxtoolsyourequirearenotavailableuntilBusyBoxisinstalled.Forthisreason,installingBusyBoxisfrequentlyoneofyourfirsttasksinarootingorhackingsession.TheprocessofinstallingandlinkingtheBusyBoxcommandsdiffersbetweendevices.RootinginstructionsusuallyhaveinstallingBusyBoxasastep.SearchtheXDAforumsforinstructionsoninstallingBusyBoxonyourdevice.
SomeapplicationsthatrequirerootmayalsorequirethatBusyBoxisinstalledastheymaydependonsomeofthecommandsinBusyBox.
Over200commandscanbecompiledintoBusyBox.Inthecourseofhacking,youwillprobablyuseonlyafractionofthem.HerewecoverthreeofthemostfrequentlyusedcommandsfromtheawesomeBusyBoxbinary.TheyareusedfromyourAndroidcommandshelloranAndroidterminalprogram.
TheddCommandTheddcommandisaspecializedcommandthatuseslow-levelbitcopyingtocopyandconvertdatafromasourcetoagivendestination.InAndroidhacking,ddisfrequentlyusedtowriteanimagefiletoamemorylocationorfilelocationwhenthedataandresultmustbeexact,sothatitcanbeverifiedandusedforcriticalprocessessuchasoperatingsystembootfiles.
Theddcommandusesthefollowingsyntax:
ddif=<sourcefile>of=<targetfile>
•Theif(inputfile)parametertellsthecommandwheretofindthesourcefile.•Theof(outputfile)parametertellsthecommandwheretowritethetargetfile.
Youshouldtakespecialcarewiththeparameters:reversingtheifandofparameterswouldbecatastrophic.
TheechoCommandTheechocommandsimplywritesastringtothescreen(knownasstdoutinLinux).InAndroidhacking,itissometimesusedtotrickthesystemintobelievingithasreceivedaspecializedsystemmessagesuchas“Hey,thereisanupdateavailableontheSDcard—youshouldinstallit.”
Themd5sumCommandThemd5sumcommandallowsyoutohashafileusingtheMD5algorithmand
seetheoutput.Thisisaveryaccurateandeasywaytoseeiffilesindifferentlocationsarethesame.Whensomeonehasusedthemd5sumcommandtohashafile,theypublishtheshorthashstringandyoucancompareittothehashyoucreatelocally.Iftwohashstringsmatch,nomatterhowmanytimesthefileiscopied,moved,downloadedoruploaded,youcanbesurethatitisidenticaltotheoriginalfile.
InAndroidhacking,md5sumisfrequentlyusedtoverifythatcriticalsystemfiles(whichwillbeusedtoreplaceexistingfiles)areexactlyastheyneedtobebeforebeingpushedtothesystempartition.Itisalsousedtoverifyafileafterithasbeenwrittentomemoryorthefilesystem.
Toverifyafile,carryoutthefollowingsteps:
1.InacommandpromptwindowonyourlocalPC,enterthefollowingcommandtoopentheADBshellininteractivemode:adbshell.
Yourcommandpromptchangesto#,indicatingthatyouhaverootaccesstothefilesystem.
2.Enterthefollowingcommandatthe#prompttocheckthehashvalue,forexample,ofthesample.txtfileontheSDcard:datalocal/busyboxmd5sumsdcardsample.txt
Forthisfile,theoutputfromthehashcommandshouldbe4deed76681853806d45e141a96f606dc.(Forotherfiles,theoutputwillbeasimilarstring.)3.Iftheoutputstringdeviatesinanywayfromtheexpectedstring,youneedtorepeattheprocessofdownloadingorcopyingthefileandpushingittotheSDcard.
IfanMD5SUMhashdoesnotmatch,itisveryimportantthatyoudonotrebootyourdevice.YoumustcopythefileagainuntilyougettheexpectedMD5hashcode.
Chapter4:RootingandInstallingaCustomRecovery
Inthischapter:•Exploitsandhowtousethem•Hackingutilities•Recoverymode
•UsingtheClockworkModrecoveryapplication•Backupanddisasterrecovery
AnexploittakesadvantageofaknownvulnerabilitytoallowtheAndroidusertheabilitytoincreasehisorherlevelofprivilegeandaccessroot.MostexploitsarefoundduringthebootstrapprocesscoveredinChapter1.TheyarediscoveredbyexperiencedAndroidorLinuxdevelopersandprogrammerswhodreaminbinaryandliveonenergydrinksalone.Whentheyfindacrackinthelockdownthatoriginalequipmentmanufacturers(OEMs)andcarriersplaceondevices,theyreleasetheknowledgeofthevulnerabilityand,possibly,anexploitthatenableslessexperiencedorlessskilledhackersanddeveloperstoutilizethevulnerability.
HowtoUseExploitsManyofthesebenevolenthackersreleasetheiraidsontheXDAforumsorotherAndroidcommunitysites.ThisenablesthenextlevelofAndroidhackertoplaywiththeprocessforfreeingdevicesfromOEMandcarriertyranny.Anexploitmightbepackagedandreleasedbyadeveloper.
Oneofmyargumentsforlow-touchorone-clickrootingmethodsisthattheyarejustacontinuationofthisthoughtprocess.Mostofthepeoplewhodisdaintheone-clickrootmethodwouldbetotallylostifaskedtoexploittheASHMEMvulnerabilitythatenablesmanyoftherootprocessesthatareavailabletoday.Luckilyforthescoffers,ScottWalkercreatedthepsneuterutilitythatenablesustotakeadvantageofthatvulnerability.Justbecausesomethingisoutsideyourskillsetdoesn’tmeanyoushouldn’thaveaccesstothebenefitsandfreedomsitbrings.
ExploitscanbereleasedtotheAndroidcommunityasscripts,utilities,applicationsorimagefilesdependingonthetypeofvulnerabilitybeingexploited.Iconsidereachofthesetypesofreleaseinthissection.
ExploitScriptsAscriptisasetofcommandsthatcanberunwithasinglecommand.Ascriptcanbecomposedofcommandsandparametersornativecode.
AnAndroiddeveloperorhackerwhofindsavulnerabilityorloopholeinadeviceconfigurationcanpackageupthecommandsandproceduresnecessarytoexploititinascript.UsingscriptsfromotherAndroidhackersanddevelopersmakestheprocessofhackingintoanAndroidsystemmucheasier.MostOEM-lockeddevicesareeventuallyhackedwithsomesortofscriptorapplicationtoexploitaknownvulnerability.
Scriptsareusefulfarbeyondjusthacking.YoucancreatescriptsandrunthemfromtheADBshelloranAndroidterminalapplication.
AterminalapplicationallowsyouaccesstotheAndroidcommandshellfromthephoneitself.Terminalapplicationscanbedifficulttousebecauseofsoftkeyboardidiosyncrasies.
CreatingaScriptThescriptshownhereisasimpleexamplefordemonstrationpurposes.Itmayworkonlyifyouarealreadyrootedandhavesuperuserpermissions.
1.EnterthecommandsinListing4-1intoasimpletexteditor,suchasNotepad.(NotethatthesecommandsareexplainedinChapter3.)
2.Savethefileasbackup.scriptonyourlocalcomputer.
3.Fromacommandprompt,enterthefollowingcommandtomovethescripttoyourdevice:adbpushbackup.scriptdatalocal/tmp/backup.script
4.Enterthefollowingcommandtomakethescriptexecutable:adbshellchmod0775datalocal/tmp/backup.script
Listing4-1Asimplescriptmkdirsdcardmybackups
cpdata*sdcardmybackups
cat/system>sdcardmybackups/system.img
echoDataandSystempartitionsarebackedup
RunningaScript1.OpentheADBshellandnavigatetothedatalocal/tmpfolder.
2.Runthescriptbyenteringthefollowingcommand:./backup.script
Thecommandsinthebackup.scriptfilerunsequentiallyandcarryoutthefollowingactions:a.CreatesabackupfolderontheSDcard.
b.Copieseverythingfromthedatafoldertothemybackupsfolder.
c.Concatenatesthesystemfoldertoanimagefileinthemybackupsfolder.d.Tellstheuserthatithasfinishedrunningitscommands.
ExploitApplicationsAnapplicationisaprogramcreatedfromnativecodeandcompiledtorunontheAndroidplatform.Creatingclean,effectiveandsafeexploitsthatrunasnativeapplicationsissignificantlymoredifficultthancreatingscripts.Thedevelopermustclearlyunderstandthevulnerabilitybeingexploited,andmustalsobesurethattheexploitdoesnothaveundesiredresults.Becauseuserscannotreadthecodetoseewhatitdoes,agooddealoffaithmustbeplacedinthedeveloper’sabilities.TheAndroidcommunityofhackersareaclose-knitandfriendlygroupbutnobodylikeshavingtheirtoasterexplodefromrunningarogueexploitontheirphone.
YoucanseebylookingatListing4-2thatexploitapplicationsaresignificantlymorecomplexthanscripts.ThecodeinListing4-2isfromthepsneuterutilitybyScottWalker,whichhasbeenusedtogaintemporaryrootaccesstotheDroidProandmanyotherdevices.Therearemorethanahundredsuchlinesofcodeintheutility.ItiswritteninnativeCcodeandthusitismoreofafull,althoughverysmall,applicationthanascript.ThetemporaryrootaccessprovidedbythisscriptisallthetoeholdneededtorunBusyBoxcommandsandwritetoprivilegedareasoftheAndroidfilesystem.
Listing4-2PartofthepsneuterUtilityfdStr=workspace;
if(strstr(workspace,“,”))
*(strstr(workspace,“,”))=0;
else
{
fprintf(stderr,“Incorrectformatof
ANDROID_PROPERTY_WORKSPACE
environment
variable?\n”);
exit(1);
}
szStr=fdStr+strlen(fdStr)+1;
fd=atoi(fdStr);
sz=atol(szStr);
if((ppage=mmap(0,sz,PROT_READ,MAP_SHARED,
fd,0))==MAP_FAILED)
Customscriptsandcodecanalsoapplythemesandinterfacecustomizations
thatdevelopersputtogetherforthecommunityofAndroidusers.
UsingaScriptorApplicationonaDeviceAnytimeyouseesomeonerefertoafileasascriptorsaythatafileshouldbeexecutedfromthedevice,youwillfollowthesesteps:
1.Pushthefiletoanareaofthefilesystem,suchasdatalocal/,thatcanrunprivilegedscripts.2.Changethepermissionsonthefiletomakeitexecutable,usingthefollowingcommand:chmod0775<filename>
3.RuntheexecutablefromtheADBshelloraterminalwindowwiththefollowingcommand:./<path>/<filename>
Thesestepswillalmostalwaysremainthesame,thoughthelocationthatthefileshouldbepushedtoandrunfrommaychange.
Z4Root,showninFigure4-1,isanexampleofanapplicationthatactuallyrootswhilebeinginstalledonthedeviceitisrooting.Itisacleverandusefulpieceofprogrammingthatdoesallofthehardworkinrootingadevice.AfterinstallingtheZ4rootapplicationonyourAndroiddevice,yourunit,clicktheRootbuttonandalltherootinghappensautomatically.
Figure4-1:TheZ4Rootapplication
Aswithanyhackingactivity,youtakeagreatdealofresponsibilityonyourownheadwhenyourunscriptsorapplications.Makesurethatyoueitherknowandtrustthedeveloperorthatyouarewillingtoacceptthe
consequencesofdoingdamagetoyourdevice.Youcanalsoloseprivacyiftheapplicationorscriptisrogueandharvestspasswordsfromyourdevice.
HackingUtilitiesDevelopersintheAndroidcommunityfrequentlycompileorcreateapplicationsthatcanrunonyourlocalcomputer.TheyeithermakehackingyourAndroiddeviceeasierorarecentraltoaparticularexploit.Sometimestheutilityiscodedupandcreatedbyaskilleddeveloperandsometimesitis“scroungedup”from“leaked”sourcesattheOEM.
OEMToolsOEMtoolsaredevelopedbythemanufacturerorbyathirdpartyforthemanufacturer.Thesetoolsareusedinservicecenters.Forexample,RSDLiteisusedworldwideatMotorolaservicecenterstoinstallMotorola-signedimagesonspecificMotoroladevices.
OEMtoolsareusuallysoftwareutilitiesthatcantakeacompletesystemimageordiskimageandwriteittothebootloaderorfilesystemacrosstheUSBcableconnection.ExamplesofsuchutilitiesaretheNVFlashutilityformostdevicesusingNVIDIA’sTegrasystemonachipandtheRSDLiteutilityforsomeMotoroladevices.UsinganOEMtoolusuallyrequireslookinguptheinstructionsontheXDAforumsoranotherAndroidcommunitysiteandfollowingthemtotheletter.Mostofthetime,thetoolshavefairlycrudeinterfacesandlittleornodocumentation.
DeveloperUtilitiesCustomutilitiesfromtheAndroiddevelopercommunityareofmixedqualityandeaseofuse.Someofthemareveritableone-clicksolutionswhileothersperformasinglefunction,suchasreplacingtheuserinterfaceoraddingothercustomizations.
ImageFilesAnimagefileisabit-by-bitcopyofapartition(theoperatingsystemwithkernel,bootloader,recovery,andsoon).Animagefileallowsthestate,files,permissionsandstructuretobewrittentoapieceofmemoryorfilesystemandperfectlyreplicatethesystemfromwhichitwastaken.Oneoftheusesofimagefilesistorestoreadevicetothestateitwasinwhenitleftthefactory.Inthecaseofabrickeddevice,flashingwithaknowncompatibleimagefileisusuallytheonlywaybacktoafullyfunctionaldevice(seethe“BackupandDisasterRecovery”section).
Sometimestheonlywaytorootalockeddeviceistograbanimageofarooteddeveloperdevice(onereleasedtoanOEMpartnerforearlydevelopment)andwriteittothelockeddevice’sfilesystem.Onsomedevices,thedeveloperdoesthedifficultworkintheAndroidsystem,changingpermissionsandinstallingadifferentLinuxkernel.Thedeveloperthenwrapsthiscreationinanimagefilethatcanbeflashedtoanon-developerdeviceusinganOEMutilityoranAndroidSDKtool,suchasFastboot.Inonefellswoop,thedeviceisrootedandpreparedforcustomization.
TheXoomisanexampleofan(unlocked)devicethatrequiresthismethod.TheXoomwasquicklyrootedbyKoushikDuttaandthebootimagefilethathereleasedtothecommunityquicklybecamethebasisofmuchcustomizationandotherXoomroottoolsandmethods.BecausetheXoomwasunlocked,itsbootloaderwaseasilyoverwrittenwiththecustomimagefileusingtheAndroidSDKFastboottool.
Muchofthereallydifficultworkinhackingandrootingadeviceisdonebydevelopersandreleasedtothecommunityintheformofscripts,utilities,applicationsandimagefiles.Alltheaverageuserneedsthenistheskillsettoapplythosetools.
RecoveryModeWhenyourAndroiddevicestartsitsboot-upprocess,itpullsthebootloaderfromitsstorageareaandstartstheprocessofloadingtheAndroidoperatingsystem.Bypressingacombinationofbuttonsduringthebootprocess,youcandivertthebootintorecoverymode.Thebuttonsusedtobootintorecoverymodevaryamongdevicesbutthecombinationofthepowerbuttonandoneofthevolumebuttonsusuallyforcesthedeviceintorecoverymode.
WhatIsRecoveryMode?Recoverymodeisanexternalmicrooperatingsystemthatisusedtoapplyofficialupdates.ThedefaultrecoverymodelooksontheSDcardforafilecalledupdate.zip.Whenthefileisfound,itis(usually)checkedforasignaturetoseeifitisanupdatethatcanbesafelyappliedtotheAndroidoperatingsystem.Ifthesignaturematchesthatofthemanufacturer,thenthefilesystemchangescontainedinupdate.zipareappliedandthephoneisrebooted.
Somedefaultrecoverymodesalsoprovidetheaddedoptionofbootingintoamaintenancemodeforclearingthedatacacheorresettingthedevicetofactorycondition.
TherecoverysystemissometimescontainedinitsownNANDfilesystem;onotherdevices,itisjustapartitionedlocationintheoverallNANDmemorythatstorestheAndroidfilesystem.Thedifferenceisnegligibleaswritingtotherecoverysystemrequiresrootlevelaccessandsometimesitcanonlybereplacedwithanexternalflashprocess.Formostrecentdeviceshowever,acustomrecoverycanbeinstalledfromtheAndroidoperatingsystemoncerootstatusisattained.
MakeItAllSoEasy:GetACustomRecovery!Customrecoveryprocessesgofar,farbeyondthecapabilityofthedefaultrecoverymode.Theyremovetheneedforsignedorverifiedupdates,soyoucaninstallunofficialupdatesthatarereleasedlongbeforeOEMsandcarriersreleaseupdates.Customrecoveryprocessesalsoprovidetheabilityto
completelyoverwritetheexistingAndroidoperatingsystemandfirmware.ThisallowsforacustomAndroidinstallationandupdatingorupgradingradiofirmwaretoeliminateOEMbugsorincreasecapability.
Oneofthesinglegreatestcapabilitiesprovidedbyacustomrecoveryprocessistheabilitytodoacompleteorpartialsystembackup.Backinguptheapplications,applicationdataandAndroidfilesystemgivesahugeinsurancepolicytotheAndroidhacker.
ExternalcompletebackupsareoftencalledNANDroidbackupsbecauseNANDmemoryisusedtostorethefilesthatcontaintheAndroidfilesystem.
ThetwomostpopularcustomrecoveryapplicationsareClockworkModandAmonRa,buttheyarebynomeanstheonlyrecoveryapplicationsavailable.
Thereareseveralwaysthatarecoveryapplicationcanbeinstalled.MostdeviceswillacceptinstallationbyRomManagerorbyanupdatefile.YoushouldlookupyourparticulardeviceontheXDAforumtoseewhatothershavedeterminedasthebestwaytoinstallacustomrecoveryapplication.
InstallationviaRomManagerClockworkModrecoveryisinstalledmosteasilyusingtheRomManagerapplicationbyKoushikDutta.TheRomManagerapplicationdetectsthedeviceonwhichitisinstalledanddecideswhereandhowtherecoverycanbewritten.TheeaseofinstallingClockworkModhasmadeitoneofthemostwidelyusedrecoveryapplications.
YoucanalsouseRomManagertoinstallAmonRarecoverybyselectingthe“alternaterecoveries”option.YoucanuseanydownloadedrecoveryasanupdateanduseClockworkModtoselectthedownloadedzipfileasanupdate.
InstallationviaupdatefileSomedevicesrecognizeaspeciallynamedzipfileplacedintherootoftheSDcard.Whentheyarerebooted,theyautomaticallyinstalltheupdatecontainedinthatfile.Afterdownloadingthedesiredrecoveryapplication,youcanrenameitszipfileandplaceitontheSDcardtoberecognizedasanupdate.
UsingClockworkModRecoveryThissectiondiscussesthefunctionsavailableintheClockworkModrecovery.Familiaritywiththesefunctionswillallowyoutomanageyourdevicewithgreaterpeaceofmind.
TheinitialscreenofClockworkModisshowninFigure4-2.Youcanhighlightthefunctionsbynavigatingupanddownusingthevolumeupanddownkeys.Onmostdevices,thepowerbuttonisusedtoselectahighlighteditem(ontheNexusOne,youclickthecontrolball).Tonavigatebackfromasubmenu,thebackarrowbuttonorsoftkeyisusual.Afewseconds’experimentationusuallyrevealsthenavigationbuttons.
ThefollowingsectionsdiscusseachoptionshowninFigure4-2.Thosewithasubmenuarediscussedinmoredetail.
Oncertaindevices,ClockworkModhasa+++GoBack+++optionatthebottomofeachsubmenu.
Figure4-2:InitialscreenoftheClockworkModcustomrecovery
RebootingtheDeviceWhenthe“rebootsystemnow”functionisselected,thesystemperformsanormalreboot.
UpdatingaDevicefromtheSDCardWhenanofficialupdateisreleasedforanAndroiddevice,itusuallycomesasanupdate.zipfilethatisautomaticallyappliedwhenthedeviceisrebooted.Somedevicescanonlyapplyupdatesinthisway.
The“applyupdatefromsdcard”functionlooksontheSDcardforafilecalledupdate.zipandappliesit.Youcanapplyanyupdatetothefilesystembyrenamingthefiletoupdate.zipandselectingthisoption.InstructionsforusingthismethodareoftenspecifiedwithupdatesfromtheXDAforum.
Whenyouselectthisfunction,youarepresentedwithClockworkMod’ssafetyselectionfeature(seeFigure4-3).Youhavetoscrolldownthroughaseriesof“No”optionsbeforeyougettothe“Yes”option.Thismakessurethatyoudonotdosomethingdangerousorpotentiallydestructivetoyourdevicewithoutbeingawareofwhatyouaredoing.Thereislittlepossibilityofaccidentallyselectingadestructiveoption.
Figure4-3:TheClockworkModsafetyscreen
Tocompletetheaction,younavigatetothe“Yes”optionandthenpresstheselectorkey.
ResettingaDevicetoFactoryConditionThe“wipedata/factoryreset”function(Figure4-2)completelywipesthe/dataand/cachepartitionsofthedevice.Thisisdestructive:itremovesalluserapplicationsanddataandchangestheoptionsbacktofactorysettings.Allcustomizationsanddataareremovedfromthedevice.Thisisthelastresortforuseincaseswhereadeviceisexhibitingconsistentfailures,forceclosesorisstuckinsomekindoferrorloop.However,contrarytowhatthenameimplies,resettingadevicedoesnotrestorethe/systempartitiontoitsoriginalstate.Thiscanonlybeaccomplishedbyflashinganupdate.ziporexecutingaNANDroidrestore.
WipingtheCacheWipingthecacheislessdestructivethanwipingthedataandcanusuallybedonewithoutanydamagetoinstalledapplicationsoruserdata.However,youshouldbackupyourfilesystembeforerunningthe“wipecachepartition”function(Figure4-2).Ifyourphoneseemsslowandbuggy,trythisfunctionbeforeresettingthedevicetofactorycondition.Sometimes,removingcachedataresolvesanerrorstateorissueswithforcibleclosing.
Thisfunctionpresentsyouwiththesafetyselectorscreen(seeFigure4-3).Selectthe“Yes”optiontowipethecache.
InstallingaZipFilefromtheSDCardThe“installzipfromsdcard”function(Figure4-2)issimilartothe“applyupdatefromsdcard”function.Theupdatefunctionalwayslooksforafilenamedupdate.zipintherootoftheSDcard.The“installzipfromsdcard”functionenablesyoutoselectanyzipfileandspecifyhowitisapplied.
Whenyouselectthisfunction,asubmenuappears,asshowninFigure4-4.
Apply<ZipFile>Thefilenamedintheapplyoptiondependsonthezipfileyouselectusingthenavigationfunction.Thedefaultfilenameissdcardupdate.zip.Ifyounavigatetoafilecalledmyupdate.zip,thefirstitemonthismenubecomesapplysdcardmyupdate.zip.
Figure4-4:TheClockworkModinstallfromSDcardoptions
ChooseZipThe“choosezipfromsdcard”optionallowsyoutonavigatethroughthefileandfolderstructureonyourSDcardtolocateazipfile.Customthemesanddevicecustomizationsfrequentlycomeaszipfiles.Youusethisoptiontoselectthefileandthe“apply”optiontoapplyit.
ToggleSignatureVerificationThe“togglesignatureverification”optionallowsyoutospecifythatthedeviceshouldchecktheselectedzipfilefora“signature”.MostzipfilesfromtheOEMorcarrierwillbesigned,aswillmanyROMs.YoushouldleavesignatureverificationenabledassometimesthiswillstopcorruptedROMsfromflashing.
ToggleScriptAssertsThe“togglescriptasserts”optionisseldomutilized.Itallowsorpreventstheexecutionofscriptcommandsembeddedinazipfile.Mostzipfilessimplyupdateorreplacefilesinthefilesystem.Azipfilewithembeddedscriptingcanchangeoralterdevicesettings.Turningoffscriptassertsdisablesscriptingembeddedinthezipfile.
BackingUpandRestoringaDeviceThe“backupandrestore”functionofClockworkMod(Figure4-2)isperhapsthemostusefulanddesireditem.BackingupdatafrominsidetheAndroidoperatingsystem,evenonarooteddevice,isacomplexoperation.ClockworkModcanbackupallfiles,applications,settingsanddatainoneoperation.ThebackupfileisstoredontheSDcardwhereitismostlysafefromanycustomizationsorhacks.Thismakesforasafetynetthatisofgreatvalue.PeriodicallybackingupusingClockworkModisagoodideaevenifyouarenotanactivecustomizerandhacker.Corruptionordatalossfrommisbehavingapplicationscanbefixedbyrestoringfromaknowngoodbackup.
Whenyouselectthe“backupandrestore”option,asubmenuappears,asshownatthetopofFigure4-5.
BackupSelectingthebackupoptionimmediatelystartsbackingupyourdevice.Whilethebackupprocessisrunning,aprogresslistisdisplayed(seeFigure4-6).
ThebackupfileisplacedontheSDcardinthesdcardclockworkmod/backupsfolderwiththedateasthefilename.Thisenablesyoutodistinguishamongmultiplebackupfiles.
Figure4-5:TheClockworkModbackupandrestoreoptions
Itisimportantthatyouremoveolderbackupfilesfromtimetotime.HavingtoomanybackupfilesonyourSDcardcanquicklyuseupavailablespace.Backupfilescanbedeletedusinganyfileexplorerutility,suchasESFile
ExplorerorRootExplorer.
Whenthebackupiscomplete,youarereturnedtothe“backupandrestore”submenu.
Figure4-6:AClockworkModbackupinprogress
RestoreWhenyouselecttherestoreoption,youarepresentedwithalistofallthebackupfilesinthesdcardclockworkmod/backupsfolder.Usetheselectionkeystonavigatetothefilefromthedesireddateandselectittostarttherestoreprocess.ClockworkModshowsaprogressbarwhiletheprocessisrunningandacompletedmessagewhenitends.
ForcingRecoveryBootMostdevicescanbeputintorecoverymodebypressingacombinationofhardwarekeys.LookupthekeycombinationforyourdeviceontheXDAforums.Ifyoucannotsuccessfullybootyourdevice,havingagoodbackupandknowinghowtoputyourphoneintorecoverymodecanhelpreducepanic.
AdvancedRestoreThe“advancedrestore”optionallowsyoutoselectaparticularbackupfile,againbasedonthedate,andthenrestoreonlycertainpartsofthebackup.Whenyouhaveselectedabackupfile,youcanchoosetorestoreanyofthebootpartition,thesystempartition,thedatapartition,thecacheorthesd-extpartition.
Becarefulaboutrestoringjustonepartitionunlessyouknowwhyyouaredoingit.Partitionsusuallyhaverelatedanddependentdata.Ifyourestoreadatapartitionthatreferstocontentinthesystempartitionthatdoesn’texist,itcancauseflakybehaviororcanlockupyourdevice.Inthatcase,youwouldneedtoboottoyourrecoverypartitionusingthehardwarekeycombinationandrestoreacompletebackup.
MountingPartitionsandManagingStorageThe“mountsandstorage”function(Figure4-2)allowsyoutomanagethemountingofthepartitionsforvarioushackingactivities,suchascopyingfilestoandfromtheSDcardordatafolderviayourUSBcable.YouwillnotgenerallymountorunmountpartitionsbutitallowsyoutoaccesstheSDcardwhileinClockworkModandcanbeveryuseful.
Thisfunctionalsoallowsyoutoformatthesystempartition,thedatapartition,thecache,thebootpartition,thesd-extpartitionandtheSDcard.Formattinginvolvescompletelywipingthepartitionorcardandshouldnotbedoneunlessyouhaveaspecificreason.Ifyouformatanyofthepartitionsanddonotrestorethecontentsofthatpartition,yourdevicewillnotboot.
AdvancedFunctionsWhenyouselectthe“advanced”menuitemfromthemainClockworkModscreen(Figure4-2),asubmenuappears,asshowninFigure4-7.Thesefunctionsaregenerallyunusedexceptforspecializedactivities.
Figure4-7:TheadvancedoptionsfromtheClockworkModmainmenu
RebootRecoveryThisoptionallowsyoutorebootthedeviceandreturntotherecoveryprocess.
WipeDalvikCacheThisoptionallowsyoutowipeonlythevirtualmachinecache.Thiscanbeusefulifyouhaveanapplicationthatworksfineforawhileandthensuddenlyrefusestoworkatall,closesconstantlyorexhibitsotheroddbehavior.Thisisafairlylow-riskoption.
WipeBatteryStatsThe“wipebatterystats”optionallowsyoutoclearthestatisticsaboutbatteryusageandcharge.ThereissomebeliefthatthiscanhelpAndroidaccuratelyjudgerechargeandusagecontrolmechanisms.Thisisgenerallynottrue—itonlyremoveshistoricaldatafromyourdevice.UnlessathreadintheXDAforumgivesagoodreasonforremovingthemfromyourdevice,thebatterystatisticsshouldbeleftalone.
ReportErrorIfyougetanerrorwhileusingClockworkMod,youcanusethisfunctiontowritetheerrortoalogfilestoredatsdcardclockworkmod/recovery.log.YoucanthensendthelogtoKoushikDutta’steamfortroubleshooting.WhenClockworkModopensanddetectsthatanerrorhasoccurredinapreviousrecoverysession,youreceiveapop-upnotificationaskingifyouwanttoreporttheerror.
PartitionSDCardThisoptionallowsyoutodivideyourSDcardintodifferentpartitions.ThisisadestructiveactivitythaterasesallofthecontentsofyourSDcard.Onlyusethisoptionastheresultofdirectinstructionsfromahow-toguideforyourdevice.Forexample,somedevicescanexperienceaperformanceboostiftheyhavealargeswappartitionontheSDcard.
FixPermissionsEveryAndroidapplicationrunsasitsownuserID.Inordertomakesurethateachapplicationcannotmodifyanyotherapplication’sdata,theappropriatepermissionsmustbesetforeachapplication’sspaceinthe/datapartition.The“fixpermissions”functionreadsthroughdatasystem/packages.xmlandsetsthepermissionsaccordingly.
However,thisoptiondoesnotalwaysyieldtheintendedresultsandmayinfactcausetheveryapplicationforcecloseproblemsitisintendedtofix.Onlyrunthe“fixpermissions”optionasaresultofspecificinstructionstoresolvespecificissues.Somehow-toguidesreferto“runningapermissionsfix”—thisistheoptionthatachievesit.
BackupandDisasterRecoveryInthecourseofhackinganAndroiddevice,itisentirelypossiblethatatsomepointyouwillhaveamomentofpanicasadevicedoesnotrebootcorrectlyoritappearsthatyouhavelostallyourdata.
Mostoftheuser-createddata,suchaspictures,documentsanddownloadedfiles,arestoredontheSDcardandarerelativelysafefromhackingactivitiesthatwritetoandfromthesystempartition.However,youshouldassumethatanyhackingorexplorationactivitiescouldresultinthelossofalldata.
It’sagoodideatoconnectyourdevicetoyourcomputerandcopyallthedataontheSDcardtoyourcomputerbeforestartinghackingorexploration.Mostrecentdevicesdefaultto“massstoragemode”whenconnectedtoacomputer.Inotherwords,theSDcardismountedasanaccessibledrivefromyourcomputer’sfilesystemmanager(forexample,WindowsExplorer).CopyingthecontentsofyourSDcardtoafolderonyourcomputerwillmakesurethatyoudon’tlosethosecutepicturesofthekidsortheapplicationsyouhavedownloadedfromtheWeb.
Torestoresuchabackup,simplyconnectyourdevicetoyourPCandcopyallthefilesandfoldersbacktotheSDcard.
PrecautionsforSuccessandDataRecoveryThebestactivitytoensuresuccesswhenhackingistoreadmoreanddoless:
•Beforestartingaprocess,readtheentirethreaddedicatedtoitontheXDAforum.•Readalloftheinstructionsinarootingorflashingprocedurebeforeplugginginyourphoneandthenreadthemallagain.•Ifinstructionsfromadevelopermentiontoolsorcommandswithwhichyouarenotfamiliar,readuponthosecommandsandtoolsbysearchingtheXDAforumsandGoogle.
•Takespecialnoteofpeoplewhohavemessedupbeforeyouandwhattheirrecoveryoptionsorsuccesseswere.
Onceyouhaveachievedrootandinstalledacustomrecoveryapplication,makeregularbackupsusingareliablebackupapplicationandthecustomrecoveryapplication.
TheInternetisfullofAndroidgeekswillingtoassistyouiftheythinkyouhavetriedtoeducateyourselffirstbyreadingandsearching.Itisalwaysbettertoask“HowdoIdoXwithYtoolonadevicethatislikeZ?”ratherthantoask“HowdoIrootmyphone?”HavingathickskinishelpfulontheInternetaswell.Notallgeekshavethebestsocialskillsanditcanshowinbrusqueanswerstoquestions.Maintainyourcool,askyourquestionsintelligentlyandyouwillundoubtedlyreceivethehelpyouneed.
BackingUpApplicationsApplicationsthatyoudownloadedfromGooglePlayareautomaticallyrestoredwhenyouselectthe“MyApps”buttonandindividuallyrestoretheapplications.Thisfunctionissomewhatfinicky—most,butnotall,purchasedappsautorestore,asdocertainfreeones.
Inessence,GooglePlaykeepstrackofyourpurchasesandrestoresautomaticallyatleastthoseapplications.Onsomedevices,allofmyapplications,includingfreeapplicationsdownloadedfromGooglePlay,havebeenrestoredautomaticallyafterafactoryreset
IfyouconnectyourdevicetoacomputerandbackuptheSDcard,itdoesnotnecessarilycopytheapplicationdata.Mostproductivityapplications,suchastexteditors,officeapplicationsandartormediaapplications,storecreatedfilesontheSDcardinadocumentsfolderorinafolderoftheirown.CopyingeverythingontheSDcardincludingfolderswillbackupthedatafromtheseapplications.
Youloseallofyourapplicationdatawhenanapplicationisremovedandreplaced.Inotherwords,yourprogressthrough“AngryBirds”isnotrestoredeveniftheapplicationisautomaticallyrestoredafteradevicewipe.Backingupuserdataisoneoftheprimaryreasonsthatrootaccessissodesirable.
BackingUpThroughaRecoveryProcessWhenyoufirstachieverootandareabletoinstallacustomrecoveryapplication(whetherClockworkModoranotherrecoveryapplication),youshouldimmediatelybootintothatrecoveryprocessanddoacompletebackupofyourdevice.
Abackupcreatedbyarecoveryprocessisapoint-in-timebackup—itcapturesthestateanddataofyourdeviceataparticulartime.Alltheapplications,applicationdata,userdataandsystemfilesarebackedup.Thisisthebestoptionforbackinguptoprotectagainstdisasterwithhacking.
However,theremaybeitemsyouwanttobackuporrestorewithoutcompletelyrevertingyourentiredevicetoaparticularpointintime.
Application-levelbackupsandrestoresareoneofthebenefitsofbeingrooted.
BackingUpThroughanApplicationApplicationssuchasTitaniumBackupallowyoutospecifyanapplicationtobebackedup.Theapplicationcanbebackedupalongwithanyrelateddata.Thisallowsforspecificapplicationstoberestoredinthecaseofthembeingaccidentallyremovedorhavinganissue.
Whenaparticularapplicationstopsworking,youmaynotwanttorevertallofyourapplicationstothelatestsystem-levelbackup.TitaniumBackup,andothersuchapplications,allowforindividualmanagementofapplications.Theyalsoallowforniftymanipulation,suchasmovingapplicationstotheSDcard,removingapplicationscompletelyandcleanly,andschedulingbackups.Havingascheduledprocessthatregularlybacksupapplications,applicationdataandsystemdatawillsaveyouaheadachewhenyoueventuallybrickyourdevice.
WhatHappensifItGoesReallyWrong?Intheprocessofattemptingtoobtainroot,itispossiblethatatsomepointyouwillmakeamistakeandyourphonewillnotbootcorrectly.Therearetwogenericcategoriesof“broken”whenitcomestoAndroiddevices:
•SoftbrickmeansthatthedevicewillnotbootcompletelyintotheAndroidoperatingsystembutwillboottorecoveryorbootloaderandFastboot.Anyconditionthatkeepsthedevicefrombootingcorrectlybutleavesitwiththepossibilityofbeingflashedandrecoveredwithcorrectimagefilesisa“softbrick”condition.Themostcommonsymptomofasoftbrickeddeviceisknownasabootloop(aconditioninwhichthedevicepartiallybootsoverandover).•Hardbrick,ontheotherhand,referstoanincapacitateddevicethatisunrecoverablethroughnormalmeans.Generally,hardbrickeddevicesrequirespecializedhardwaremethodsavailableonlytotheOEMtofix,andarecharacterizedbythedevicenotbootingatallorbootloopinginawaythatpreventscommandsbeingsentviaADBorFastboot.
Howyourdevicebehavesineachcaseisverydependentonthedevice.Theproceduretofollowinthoseblind-panic-strickenmomentsfollowingsomethinggoingwrongisasfollows:
1.Don’tpanic.Seriously,don’tpanic.Paniccaninduceyoutoattemptthesameflawedprocedurethatbrickedyourdeviceinthefirstplace.Generallystopandwalkawayfromthedeviceforaminuteortwothenproceedtothenextstep.2.Removethebattery,ifpossible.Pullthebatteryoutcarefully,replaceitandseeifthedevicegetsanyfurtherinthebootprocess.
Onsometabletdevices,pullingthebatteryoutisnotpossible.Thereisgenerallyaphysicalkeycombination(forexample,thepowerbuttonandthevolumeupanddownbuttons)thatsimulatespullingthebattery.Pressandholdthebuttonsforafewsecondstoseeifthedeviceresetsandstartsbootingcorrectly.3.Attempttoforcethedeviceintorecoveryorbootloadermode.Lookupthekeycombinationforresetsandrecoverymode.
4.UsetheXDAforumsandGoogletoeducateyourselfonunbrickingproceduresforyourdevice.Ifyoucanfindnoreferencetounbrickingyourdevice,postanon-panic-strickenmessageintheXDAdeviceforumthatletsdevelopersknowwhatyouweredoingwhenthedisasteroccurred.
Therecoveryoptionsavailabledifferdependingonwhatthebrickeddevicewilldoandtowhichcommandsitwillrespond.Ifthedevicecanbootintorecoverymode,anupdate.zipfileoracompleteimagefilecanbeusedtorewriteallthesystempartitions.Inthiscase,abackupofthedevicecouldalsoberestored.Thisiswhythefirststepafterinstallingacustomrecoveryprocessshouldbetodoafullbackupfromtherecovery.
Ifthedevicecanbootintobootloader,itmaybepossibletouseFastbootcommandstoreflashthesystemandbootpartitions.SearchontheXDAforumforpoststhatcontaintherequiredfilesandinstructions.Generallyspeaking,ifadevicecanbemadetobootintoFastboot,itcanberecovered.
SomedevicescanberecoveredusingOEMordevelopertools(forexample,RSDLiteforolderMotorolaphonesandODINforSamsungdevices)toflashimagefilestothecorrectpartitions.InstructionsforusingthesetoolsandthefilesforflashingwillbefoundintheappropriateXDAforumforthedevice.
Chapter5:Theming:DigitalCosmeticSurgery
Inthischapter:
•HowtochangethelookandfeelofAndroid
•Anintroductiontotoolsthatyoucanusetomodifyyourdevice•Howtomodifytheairplanemodeindicatorsonyourdevice•Howtocreateaflashablezipfiletoshareyourchanges
AmajoradvantageofowninganAndroiddeviceisthatthelookandfeel,indeedeveryaspectoftheuserinterface,canbecustomizedtoitsowner’spersonaltaste.
Inthischapter,youlearnthebasicsoftheming—changingthelookandfeelof—Android.ManyaspectsoftheAndroidinterfacecanbechanged,fromthecolorsofnavigationelementstoreplacementiconsforapplications.AlmostanyvisualelementoftheAndroidinterfacecanbealteredorreplacedcompletely.
ThemingisacomplexprocessthatinvolvesgettingintothedetailedstructureoftheAndroidoperatingsystemfilesystem.HavingachievedrootaccessusingthetoolsdescribedinthisbookandontheXDAforum,youarenowabletobegincustomizingyourdevicethroughtheming.
Thischapterfocusesonmakingchangestargetedforyourdevice,suchasmakingtheairplanemodeindicatormorenoticeable.Theprocessofturningyourchangesintoapackagethatcanbesharedwithyourfriendsisslightlymorecomplex.Afteryoumakethedesiredthemechange,youlearnhowtocreatearecovery-flashablepackagethatcanbesharedwithotherAndroidusers.
TheprocessoutlinedinthischapterisspecifictoCyanogenModontheNexusOne,howevertheprocessissimilarforotherdevicesandotherROMs.
ChangingtheLookandFeelofAndroidThemingAndroidinvolveseditingthegraphics(PNGfiles)andXMLfilesthatmakeuptheuserinterface.EditingtheXMLisevenmoreadvancedthaneditingthegraphics.TheAndroidXMLiscompiledintobinaryXML,soyouhavetodecompileittohuman-readabletextandthenrecompileitbacktobinaryformat.
Atahighlevel,thestepsforthemingAndroidareasfollows:
1.ExtractthefilestobeeditedfromtheROMofyourchoice.Mostbasic,system-widethemesdealwithmodifyingtheimageswithintheframework-res.apkfilebutotherchangesrequiremorespecializedfixes.
2.Decompilethefiles.
3.UseappropriateeditingsoftwaretoeditthegraphicsandXML.4.RecompiletheXML.
5.ReplacethefilesintotheROM.6.FlashtheeditedROMusingacustomrecovery.
Thesestepscanvarydependingonwhatyouarechangingandwhetheryouarecreatingacompletelyalteredthemeorathemewithminortweaks.Creatingacompletethemewillinvolveiterationsofthisprocessmanyhundredsorthousandsoftimes.
ThemingtheLauncherThemaininterfacewithwhichauserinteracts,theicons,theapplicationdrawerandalltheotherelementsareknownasthe“launcher.”Thelauncherhandlesnotonlythelookandfeelofyourhomescreensandapplicationsmenu,butalsowhichapplicationsarevisible.WhileyoucanthemethenativeAndroidlauncher,itisofteneasiertomodifyanadd-onlauncherbecauseitsharesnoresourceswiththecoreoperatingsystem.
ThemingwithanAdd-onLauncherOneofthemostpopularlauncherreplacementsforAndroidisADW.launcher.Itoffersbuilt-inthemingfunctionalitybyallowingusersto
installeasilydistributablethemeAPKoriconpacks.ADWuserscanthuseasilyswitchbetweenthemes.
Theprocessofthemingalauncherusuallyinvolvesmanyofthestepsinthiswalkthroughalongwithotheractivitiessuchascreatingiconsforlaunchedactivities(applications)andspecialfilesystemstructures.Ifyouwanttocreatethemesforaspecificlauncher,youneedtolookupthatparticularlauncher’sthemingrulesandrequirementsontheXDAforumandthelauncher’swebsite.ForADW,youcancheckouthttp://jbthemes.com/anderweb/category/adwlauncher/.
ToolsUsedinThemingThemingrequiresabroadtoolsetandtheskillstomatch.ThislistoftoolsisnotexhaustivebutgivesyoupracticallyeverythingyouneedtostartrealhackingatthelookandfeeloftheAndroiduserinterface.Youwillnotuseallofthetoolsinthischapter’swalkthrough,butyoushouldhavethemallinstalledifyouintendtocontinuehackingyourdevice.
APKManagerAPKManagerisascriptthatrunsasaconsoleapplication(inacommandwindow).ItallowsyoutocarryouteasilymanyofthetasksthatwouldrequiremultiplecomplexstepsifyouweretoaccomplishthesametasksusingtheAndroidSDKandEclipsetools.Ifyouarecreatingacomplexthemefromscratch,youarelikelytoneedtousethosecomplexSDKandEclipsetoolsstandalone.However,formostthemingofexistingROMs,andAndroidingeneral,theAPKManagerautomatesacomplexandfrustratingprocess.
WhatIsanAPK?AnAPKisanAndroidApplicationPackage.AnAPKconsistsofafolderandfilestructurealongwithXMLfilesthatdefinethestructureandcontentsofapackagetoAndroid.AnAPKcanbesignedorunsigned.Androidusesthesignaturetocheckforauthenticity.Packagesalsousetheirsignaturesto“address”eachother.Becauseofthis,itisveryimportantthatyoufollowtheinstructionsaboutsigningandre-signinginAPKManagerandtutorialsontheXDAforum.
Beforeattemptingthewalkthroughinthischapter,youneedtoinstallAPKManager.Followthesesteps:
1.DownloadAPKManagerfromthelinkathttp://forum.xda-developers.com/showthread.php?t=695701.
2.ExtractAPKManagerintoafolder.
ItisbesttoextractAPKManagerandallthefoldersintoarootfoldersuchasC:\Theming\APKManager.ItisimportantthatyouhaveacleanandclearstructureforyourthemingfolderbecauseAPKManagerusesthefoldersinthestructuretodecompileandrecompileAndroidAPKs.
AndroidSDKRefertoAppendixAforinformationoninstallingAndroidSDKandmakingsureyourPChasenvironmentvariablesforADBtools.MakesureyouinstalltheSDKandsetuptheenvironmentvariablesbeforeattemptingthewalkthroughinthischapter.
EclipseEclipseisnotrequiredforthewalkthroughbutisincludedhereforcompleteness.
EclipsecanbeusedtoeditXMLfilesandthenotoriouslydifficultandsemi-resolution-independentNinePatchfiles(.9.png)manually.MostofwhatyouwilldointhischapterisdonewithAPKManager.However,youwillwantEclipsefortheNinePatchfilesandcomplexprojects.
YoucaninstallthelatestversionofEclipsefromwww.eclipse.org/downloads/.Unlessyouhaveaspecificreasontodootherwise,youwillnormallyinstalltheclassicversionofEclipse.
AROMofYourChoiceForthewalkthrough,IwillbeusingthepopularCyanogenModROM(whichisdiscussedinChapter6).TheROMisavailableatwww.cyanogenmod.comorontheXDAforums.ThesewalkthroughstepsapplytoalmostanycustomROM,however.YoupullthefilesyouwanttoeditoutoftheROMandmakethechanges.Thefilescanthenbere-signedandinsertedintotheROMorpusheddirectlytoyourdevice.
ItisagoodideatodownloadyourfavoriteROM,unzipit,digintoitsfolderstructureandpulloutthefilesyouneedtoedit.Thiswillhelpyoubegintolearnthestructureandpurposeofallthosehundredsoffilesandfolders.Itwillalsohelpyouunderstandstepsintheprocess,suchascreatingafolderstructureonyourlocalcomputerandthenzippingthatfolderstructureforinstallation.
7-ZipAPKs,ROMsandmanyotherfilesarecompressedusingzipcompression.7-Zipisatoolwithwhichyoucanopenthesefilesandmanipulatetheirinternalstructurewithoutextractingthecontents.7-Ziphasabuiltinfilemanagerthatallowsyoutonavigatethroughacompressedfile,suchasanAPK,withoutdisturbingthesignatureonthefile.
Forthiswalkthrough,youneedtoinstall7-Zip(fromwww.7-Zip.org/download.html).
Paint.NETPaint.NETisafreeandeasy-to-useimage-editingpackagethatallowsyoutoeditthePNGfilesthatmakeupthevisualelementsoftheAndroidinterface.Paint.NETisnottheonlyoption.Anygoodgraphics-editingpackage(suchasPhotoshoporGIMP)willwork.Paint.NETisfreeandisthetoolusedinthewalkthrough.YoucandownloadPaint.NETfromwww.getpaint.net/download.html.
Update.zipCreatorAnupdate.zipcreatormakesiteasytocreateaflashableupdate.zipfilefromthefilesthatyoucreatewithAPKManager.Therearemanydifferentupdate.zipcreatorsonXDA,butperhapstheeasiestforWindowsusersisTLCUpdatezipCreator,whichcanbeobtainedfromhttp://forum.xda-developers.com/showthread.php?t=1248486.
Youwillusethisprogramaspartofthefinalstepinthiswalkthrough.
Amend2Edify
Amend2Edifyisaprogramthatcanalterupdatescriptscreatedbytheupdate.zipScriptCreatortobecompatiblewithnewerversionsofClockworkMod.Theoriginalspecificationfortheupdatescriptswasknownas“amend”scripts.WithGingerbread,Googlechangedthespecificationtothe“edify”script.Edifyismorepowerfulbutrequiressomemorecomplexsettingssuchasknowingwhereandhowtomountthefilesystemintheupdatescript.
DownloadAmend2Edifyfromhttp://forum.xda-developers.com/showthread.php?t=903598.Extractthetooltoitsownfolderinyourthemingfolder.
Youdonotneedthistoolforthewalkthrough,butyouneedittoconvertscriptsfromtheolderamendstandardtotheneweredifystyle.
TheEditingProcessThissectionshowsyouhowtoaltertheairplanemodeiconandstatusindicatorforCyanogenMod7.0.1ontheNexusOnetomaketheairplanemodeindicatorsmorenoticeable.(IfindthatwhenevermyphoneisinairplanemodeIfrequentlyoverlookthefactandspendafewsecondspuzzledastowhymydevicewillnotconnect.)
Thisexamplechangesasingleelementoftheuserinterface.Acompleterethemewouldinvolvehundredsifnotthousandsofsuchedits.Ifyoudownloadorusethemescreatedbyotherthemers,considerdonatingtothemontheXDAforum.Thetimeinvolvedincreatingthetoolstomakethemesandincreatingthemesisprodigious.
Therearetwowalkthroughsinthissection.Thefirstwalkthroughdemonstratesamethodforcreatingthemefiles.Inthesecondwalkthrough,youseethestepsthatwouldbeusedtocreatefilesthatcouldbereusedorpackagedinaflashableupdateaftermanyhundredsofedits.
WalkthroughforCreatingThemeFilesForthiswalkthrough,youtargetafewspecificfilesthatcontainthegraphicsthatyouwanttoeditintheseAPKpackages:
•\system\framework\framework-res.apk
•\system\app\SystemUI.apk(becausethisisaGingerbreadROM).
ThefilesoutlinedhereareforaspecificdeviceandaspecificROM.RememberthatotherversionsofAndroid,otherROMsandothermanufacturers’devicesmayrequireyoutoamendotherAPKs.
Forinstance,ifthiswereanHTCdevicewiththeSenseuserinterface,youwouldneedtoeditthe\system\framework\com.htc.resources.apkfileinsteadoftheSystemUI.apkfile.IfyouwerecreatingaSamsungFroyotheme,youwouldedit\system\twframework-res.apk.DoyourresearchontheXDAforum.
ThebestwaytofindoutwhichAPKscontainyourdesiredimagesistodownloadafullcopyofthethemeorROMthatyouwanttoeditandopenitorfullyextractitwith7-Zip.Onceyouhavethefilesystemavailable,youcanopenimagesintheembeddedfolders.
PreparingtoEditFilesBeforeeditingsystemfilestocreateourtheme,wemustfirstextracttheAPKfilewewishtomodify.
1.ConnectyourphonetoyourPCusingitsUSBcable.VerifythatthephoneisinDebugmode(openAndroidsettings→Applications→Development→Debug).
2.VerifythatyouhavetheAPKManagerfolderinyourthemingfolderandthatyouhaveinstalledanimageeditor,suchasPaint.NET.3.PlaceyourdownloadedROM(inthiscase,CyanogenMod7.0.1)inadedicatedfolderinyourthemingfolder.
4.Double-clicktheROM’szipfileandopenitin7-Zip.ThiswillletyoubrowsethefilestructureoftheROM.5.Double-clickthesystemfolderinthe7-Zipwindow.6.Dragthe\system\app\SystemUI.apkfileoutoftheROM’szipfileanddropitintheAPKManager\place-apk-here-for-moddingfolder(seeFigure5-1).
Figure5-1:NavigatingtheROMin7-Zip,insearchofSystemUI.apk
ThefullpathfortheAPKfileintheoperatingsystemis\system\app\SystemUI.apk.ItisimportanttonotethisforlateruseinAPKManagerwhenyouwanttopushthefilebacktoaconnecteddevice.
LoadinganUnzippedAPKintoAPKManagerThenextstepinourthemingjourneyistoloadtheextractedfileintoAPKManager:
1.StartAPKManagerbydouble-clickingscript.batinthemainAPKManagerfolder.TheAPKManagerinterfacehasyouchooseoptionsusingnumbersandpressingEnter.
2.SelectOption22(type22andpressEnter).
APKManagerreadsthefilesintheplace-apk-here-for-moddingfolderandasksyouwhichoneisyourcurrentproject.APKManagerworkswithonlyasingleAPKfileatatime.
3.SelectthenumberinfrontofSystemUI.apkandpressEnter.Allofyour
menuselectionsfromthispointwillaffectthisAPKfile.4.SelectOption1andpressEnter.YouwillseeafastscrolloftextandthentheAPKManagermainmenuwillload.
Nowyouhaveanewfolder,namedaftertheAPKthatyouunzippedordecompiled,undertheprojectsfolderintheAPKManagerfolder.Inthiscase,thefolderisnamedSystemUI.APK.ItcontainsallofthefilesfromtheAPK.YoucannavigatethroughtheAPKfilestructureandeditfilesasyouseefit.
EditingtheImageFilesYouaregoingtosearchforandhuntdownthegraphicsthatrepresenttheairplanemodeiconsintheuserinterface.ItcanhelptochangeyourWindowsfolderviewtodisplayimagethumbnails.Thiswillallowyoutoscrollthroughtheimagesinthefoldersandlocatetheonesyouwanttoedit.
Mostofthegraphicobjectelementsarelocatedinthe\res\drawable-hdpi\folder.Resourcesarefoundintheresfolderandthedrawable-hdpifolderstoresthehigh-densityimages.
Nowthatyouhaveallofthe“guts”oftheAPKlaidout,youcanstartpokingaroundfortheairplanemodeimages.Theimagesyouwantare:
•stat_airplane_off.png
•stat_airplane_on.png
•stat_sys_signal_flightmode.png.
OpeneachoftheseimagesinPaint.NET(oranothergraphicseditor).Maketherequiredchanges.Iremovedtheimageofanairplaneandreplaceditwiththetext“AIR.”YoucandothisinPaint.NETbyselectingtheErasetool,draggingitovertheairplane,andthenusingtheTexttooltotype“AIR.”Selectafontandsizethatfitsnicelyinthesquare.
Inmostgraphics-editingprograms,presstheCtrlkeyandscrollthemousewheeltozoominandout.Thiswillmakeiteasytoeditthesmallgraphicsfiles.
InstallingaThemeonYourDeviceWhenyouhavecompletedtheeditingprocess,youcanzipupthefilesandinstallthemonyourphone.However,beforeproceedingwiththisstep,makesureyouhavecreatedacompleteNANDroidbackupthroughyourrecoverypartition,asdescribedinChapter4.
1.InAPKManager,selectOption4(SignAPK)andpressEnter.AnewunsignedAPKshowsupintheplace-apk-here-for-moddingfolder.
2.Youwillbepromptedtoselectwhetheryourprojectfileisasystemfileornot.Inthiscase,itisdefinitelyasystemfilesoselectYtobypassthesigningprocessfornow.YoucancopythenewSystemUI.apkfiletoamasterthemefoldertocreateaflashablethemeorinstallitstraightontoyourdevice.Inthiswalkthrough,youpushthefiletoyourAndroiddevice.
3.InAPKManager,selectOption8(ADBPush)andpressEnter.4.APKManagerpromptsyouforalocationinwhichtoplacethefile.Youwillneedtoenterafullpathandfilename.Enter\system\app\SystemUI.apkandpressEnter.ThisisthepathfromwhichyoupulledtheAPKwhenyouwereexploringthedownloadedROM.YouwanttoplaceyoureditedAPKfileinexactlythesameplaceinthefilestructurefromwhichyoupulledit.5.APKManagerpushesthefilestotheirappropriateplaces.Ifthedevicehasinterfaceglitchesoroddities,don’tworrytoomuchaboutit.Youoftenneedtorebootthedevicebeforeeditsshowup.Ifafterareboot,thingsdon’tgoquiteasplanned(e.g.youenterabootloopcondition),restoretheNANDroidbackupthatyoucreatedbeforestartingthissection.
LoadinganAPKfromYourDeviceintoAPKManagerItisnotalwayspossibletoobtainafullROMforyourdevice.Ifyourphoneisrooted,youcanpullAPKfilesindividuallyfromadevice.Youthenfollowthesamebasicstepsofunzipping,editing,zipping,andpushingthefilebacktothedevice.
Yournexttargetforeditsistheframework-res.apkfile,whichlivesinthe
\system\framework\pathofyourdevice’sfilesystem.YoucanverifythatiswherethefilelivesbyopeningyourdownloadedROMandnavigatingtothatpath.RememberthataROMisanexactcopyofthefilesystemonyourdevice;itisgoodforlearningaboutfilesystemstructureandplacement.
1.MakesureyourdeviceisconnectedtoyourPCandindebugmode.2.RunAPKManager.
3.Type0andpressEntertoselectthePullAPKoption.4.Enterthepath\system\framework\framework-res.apkandpressEnter.
APKManagerpullstheframework-res.apkfileandplacesitintheplace-apk-here-for-moddingfolderintheAPKManagerfolder.ThisisthesamefolderinwhichyouplacedtheSystemUI.apkfileearlier.
5.ExtractthefilesfromtheAPKusingOption1.Nowyouhaveanewfolder,namedframework-res.apk,undertheprojectsfolderintheAPKManagerfolder.
6.Opentheframework-res.apkfolder.
7.Navigatetotheframeworkfilesandedittheappropriatefile(forexample,removetheairplanesymbolandreplaceitwith“AIR”).
8.Whenallofyoureditsaredone,youcanziptheAPKfilebyselectingOption4.9.Selecttoindicatethatitisasystemfile.10.Atthispoint,youcanpushtheAPKfilebacktothedevicefromwhichyoupulleditorplaceitinyourthemefolderstructureifyouarecreatingaflashabletheme.
WalkthroughforCreatingaFlashableZIPFileOnceyou’vethemedanAPKfile,youcanusetheAPKManagertopushitbacktothedevice.However,ifyouwishtodistributeyourthemetoawideraudience,you’rebestservedbycreatingaflashableupdate.zip.
1.InstallandrunTLCUpdatezipCreator.
2.Navigatetothe“Files”tabandclickAddtoselectthefilesyouwanttoflash.Inthisexample,weselectthefileswecreatedinthepreviouswalkthrough.
3.Whenprompted,selectsystem/frameworkasthetargetdirectoryforframework-res.apkandsystem/appforSystemUI.apk.
4.Navigatetothe“Options”tabandchangethe“Scriptversion”fieldtoEdify.ThisisneededbecauseGooglestoppedsupportingamendscriptsinAndroid1.5andClockworkModrecoverydroppedsupportforamendscriptsinversion3.0(seeFigure5-2).
5.Navigatetothe“Script”tabandsetthepropermountingpointforyourdevice.Thisisspecifictothedevice,sobesuretosearchonyourdevice’sforumwithinXDA.Settingthisfieldimproperlycanhavecatastrophicresults.6.Nowyouarereadytofinalizeyourupdate.zipbyclickingthe“Makeanupdate.zip”button.
Figure5-2:SelectingEdifyscriptforClockworkModrecoveriesgreaterthanversion3
Onceyouhavecreatedyourupdate.zip,youarereadytotestitoutforyourself.However,tobesafe,youshouldcreateafullNANDroidbackupbeforeflashing.Oncethebackupiscomplete,goaheadandflashyourupdate.
Assumingallwentwell,youhavenowcreatedyourfirstthemeandarereadytoshareitwiththecommunity.
Chapter6:You’veBecomeSuperuser:NowWhat?
Inthischapter:•PopularcustomROMsthatwillworkonseveraldevices•Howtotweakthekernel•Applicationsthatrunatrootlevel
Soyou’vefollowedtheinstructionsinthisbookandhaveobtainedrootaccesstoyourdevice.Congratulations!Itfeelsgoodtobefree,doesn’tit?Butfreeingyourdevicedoesn’tinherentlygiveitanysuperpowersuntilyoustarttinkeringwithroot-levelapplicationsandothermodifications.
Formost,thefirststepafterobtainingrootaccessistoinstallacustomROM.WhilemostcustomROMsarespecifictoparticulardevices,severalarewidespread,cross-platformreleases.Here,wepresentacoupleofthemostcommonlyusedmulti-deviceROMscurrentlyavailable.
AfterinstallingacustomROM,manyventuretoinstallanewkernel.Alternativekernelsoffermanypotentialadvantagesrangingfromoverclockingability,betterbatterylifeandperformance,tomoreesoterictweaks,suchasUSBhostfunctionalityandsoundqualityenhancements.
Finally,oncethekernelhasbeenupdated,manypeopletheninstallroot-levelapplicationsthatmakeuseofthenewlyobtainedsuperuserprivileges.
Thefunindevicehackingdoesnotendwithsimplyobtainingrootaccess.Onceyouachieveroot,youhaveonlybegunyourjourneyinoptimizingyourdevicetofityourneeds.WiththepropersetofcustomizedROMs,aftermarketkerneltweaks,androot-levelapplications,youcancreateadevicethatistrulyyourownandcapableoffarmorethantheoriginalmanufacturereverintended.
PopularMulti-DeviceCustomROMsAsyou’llquicklynoticewhenbrowsingthevariousXDAdeviceforums,themajorityofROMsthataresharedwiththecommunityarereleasedforindividualdevices.However,thereareafewnotableexceptions.TheROMspresentedinthissectionarelarge-scale,multi-devicereleasesthatoftenfunctionasthebaseforfurtherderivativedevelopmentwork.
CyanogenModIfyou’veheardofAndroidandyou’veheardofrooting,you’veundoubtedlyheardofCyanogenMod.BeginningwithincreasinglycomplextweaksfortheHTCDream:G1,CyanogenModhasgrowntobecomeanall-outmegaROMwithcloseto90officiallysupporteddevices.TheROMitselfoffersdozensofusefulfeaturesincludinglockscreengestures,apowerfulbuilt-inthemeengine,audioequalization,VPNsupport,andmuchmore.CyanogenModisbuiltfromsourcecodemadeavailableaspartoftheAndroidOpenSourceProject(AOSP),soextensivemodificationscanbemadetoit.
Inadditiontotheofficialports,therearehundreds(ifnotthousands)ofunofficialportsandmodifications(alsoknownas“kangs”).TheseunofficialversionstypicallyaddanythingfromsupportforadditionaldevicestoexperimentalfeaturesnotyetmergedintotheofficialCyanogenModtree.
ThecurrentversionoftheROMisCyanogenMod9.ItisbuiltuponAndroid4.0(IceCreamSandwich).Youcandownloaditfromhttp://get.cm.
AndroidOpenKangProjectSimilarlytoCyanogenMod,theAndroidOpenKangProjectisbuiltfromAOSP-derivedsourcecodeandincorporatesdozensoftweaksontopofGoogle’sowncode.Atthetimeofwriting,theROMbringsAndroid4.0(IceCreamSandwich)to17devices,manyofwhichhaveyettoseetheofficialmanufacturer-releasedupdatetotheoperatingsystemrevision.
VillainROMVillainROMtakesadifferentapproachtomulti-deviceROMcustomization.AlthoughsomeVillainROMreleasesarecompileddirectlyfromsourcecode,mostintheVillainROMseriesofROMsareactuallyhighlycustomizedversionsoftheoriginalmanufacturer’sshippingROM.Thus,theROMfamilyvariessignificantlyfromdevicetodevice.
Whilethelackofcohesionbetweensupporteddevicesmaydetersomepotentialusers,thisapproachalsoallowsforROMreleasestobemadequicklyafteramanufacturerreleasesanewbuildoftheoperatingsystem.Essentially,VillainROMisforuserswhothinkthatthemanufacturergenerallydidagoodjobwiththeshippedsoftwareandonlywishtohaveitperfected.
KernelTweaksTweakstothekernelcangiveavarietyofenhancementstoanAndroiddevice.
BacklightNotificationsOneofthemostpopularfeaturesoftheNexusOnewasitsmulti-coloredtrackball,whichlitupwhennotificationswerepresent.
WhentheSamsungGalaxySlinewaslaunchedinthesummerof2010,itprovidedamajorupgradeinscreenqualityandGPUspeedcomparedwiththeNexusOne.OnethingthatSamsungleftoutofmostGalaxySphoneswasanotificationLED.
Thinkingoutsidethebox,XDAforummemberNeldarwasabletosimulateLEDnotificationfunctionalitybywritingakernelmodificationthatdisplayednotificationsusingtheAndroidsoftkeysbacklight.Neldar’sBackLightNotificationmodification,whichhassincebeenportedtootherdevices,suchastheSamsung-builtNexusS,givesusersthemissingfunctionalityinaveryelegantmanner.Ratherthanrequireahardwaremodificationorevenactivatingthedevice’sdisplay,theAndroidsoftkeyssimplylightuptoindicatethatanotificationhasarrived.
BackLightNotificationcanbefoundontheXDAforums:http://forum.xda-developers.com/showthread.php?t=813389.
VoodooEnhancementsFrançoisSimond,otherwiseknownassupercurioontheXDAforums,hasproducedaseriesofkerneltweaksknownastheVoodooenhancements.Aswellasprovidingamoreefficientfilesystem,supercurioalsodecidedtoimproveuserexperienceontheGalaxySthroughthedevelopmentofaudioandcolortoolsknownasVoodooSoundandVoodooColor.Youcanlearnmoreabouttheenhancementsfromhttp://project-voodoo.org/.
VoodooLagfixWhenitwasfirstlearnedthattheRFSfilesystemusedbytheGalaxySlineofsmartphonesintroducednoticeablelagtoanotherwise-excellentexperience,thedevelopmentcommunityquicklylookedforasolution.
Supercurio’sVoodooLagfixswapsouttheRFSfilesysteminthe/cacheand/systempartitionsforthemuchmoreLinux-friendlyEXT4filesystem.
VoodooSoundBecausetheGalaxyS(alongwithseveralotherAndroiddevices)usesthehigh-endWolfsonMicroelectronicsWM8994DAC,thehardwarehasthepotentialfortrueaudiophile-gradesoundquality.Byallowingfordirect,low-levelcontrolofthehardware,VoodoosoundgivesGalaxySownersbetteraudioqualitythanpreviouslyimagined.
Severalotherdevices,suchastheSamsungGalaxyTab,Samsung-builtNexusS,andtheAsusEeePadTransformer,usetheWolfsonWM8994DACandcanbenefitfromtheenhancements.Furthermore,effortsareunderwaytoporttheaudioenhancementstootherDACs.
VoodooColorTheGalaxySshippedwithanunfavorablecolorcast.VoodooColorgivesusersdirectcontroloftheoutputparametersoftheirdevicestoimprovethecolorcast.Italsoprovidesavarietyofothervisualenhancements.
PerformanceandBatteryLifeTweaksLast,butcertainlynotleast,manypeopleflashcustomkernelsforperformancegainsandbatterysavings.Community-suppliedkernelsareoftenundervoltedandoverclocked,toallowuserstogetsmootherperformanceandalongerlastingbattery.
Manyaftermarketkernelsalsoincludeadditionalortweakedgovernorsandschedulers,whichalterthewaytheprocessordevotesitsresources.Forexample,manykernelsdefaulttoan“interactive”governorinsteadofthemoretypical“ondemand”or“conservative”options.Asitsnameimplies,aninteractivegovernorgenerallydeliversamoreresponsivelevelofperformance.
ManykernelsswapoutthestandardCFStaskschedulerinfavoroftheBFStaskscheduler,whichwascreatedbyAustraliananesthesiologistConKolivas.TheBFSgenerallydelivershigher—albeitoccasionallylessconsistent—performance.
RootApplicationsRootapplicationsmakeuseofsuperuserprivilegestoalterthedeviceatabasiclevel.
SetCPUSoyou’verootedyourdeviceandloadedacustomkernelthattweaksperformanceandenablesoverclocking.HowdoyoumakeuseoftheadditionalMHzandrunyourprocessortoitsfullestpotential?Easy:downloadSetCPU,createdbyMichaelHuang,otherwiseknownasXDARecognizedDevelopercoolbho3000.
SetCPUmakessettingyourminimumandmaximumspeedsabreeze.SetCPUalsoallowsyouto:
•selectyourclockspeedgovernorandtuneitsparameterstoyourliking•createclockspeedandgovernorprofilesfordifferentdeviceconditions(temperature,batterylifeconditions,andwhetherornotthescreenison).
Ifyouwanttomanageyourclocks,SetCPUisthewaytogo.
AdonationversionofSetCPUcanbefoundonGooglePlay.AfreeversionisavailabledirectfromthedeveloperontheXDAforum.
AdfreeAndroidAnotherpopularthingtodowhenrootingistoremoveadvertisements.AdfreeAndroidaccomplishesthistaskbymodifyingthedevice’shostsfile.Thehostsfileisasystemfile(locatedwithinsystemetc)thatisusedtomapahostnametoanIPaddress.InsteadofrelyingonaDNSquery,thesystemsimplygoestothehostname’sIPaddress,asspecifiedinthehostsfile.
Inordertoblockadvertisements,thehostsfileisoftenmodifiedtoredirectcommonlyusedadvertisementserversto127.0.0.1,otherwiseknownaslocalhost.AdfreeAndroiddoesthisandiseffectiveatblockingthemajorityofin-applicationandwebsiteadvertisements.
Onecaveattobeawareof,however,isthatmanyapplicationdevelopersrelyonadvertisementrevenueastheirprimarymeansofgeneratingincome.Byblockingtheirin-applicationadvertisements,youaredeprivingthemoftheirrightfullyearnedmoney.Sincethereisnowaytomodifythehostsfileforeachapplication,usersthatblockadvertisementsusingthehostsfileenduphurtingthedevelopersoftheapplicationsthattheyusethemost.Forthisreason,weencourageuserswhoblockadvertisementstodonatetotheirfavoritedevelopers.
AdfreeAndroidcanbeobtainedforfreefromGooglePlayorfromitsreleasethreadonXDA.
Chainfire3DHaveyoueverdiscoveredakillernewgameonGooglePlay,onlytofindthatitisincompatiblewithyourhardware?UnlikePCgaming,wheregenerallyallgamesworkoncapablehardware,gamingonAndroidismuchmorefickle.GamesoftenusetexturecompressionorshadersthatareonlycompatiblewithGPUsfromaparticularmanufacturer.
Insteadofadmittingdefeat,Chainfire3D—createdbynoneotherthanXDARecognizedDeveloperChainfirehimself—loadsanintermediarydriverthatcanaccomplishmanytasks,giventherightplugin.Almostimmediatelyafteritsrelease,pluginsappearedtoallowownersofdeviceswithallchipsetstoplaygamesmeantforNVIDIATegra,AMDAdreno,andPowerVRSGX
GPUs.
Theintermediarydriverallowsuserstocreateasettingforeachapplication.Notonlycanyouswapoutpluginsforeachofyourgames,butyoucanalsoenableperformancetweaksfordifferentapplications,suchasforcing16-bittexturesandZ-bufferorlimitingtexturesize(seeFigure6-1).
Figure6-1:PerformancetweaksavailableinChainfire3D
Chainfire3DcanbefoundonGooglePlayandinstructionsandsupportcanbefoundinitsXDAreleasethread.
TitaniumBackupAndfinally,oneofthemostwidelycitedreasonstorootistheprogramTitaniumBackup.DevelopedbyTitaniumTrack,theapplicationallowsuserstobackupapplications,applicationdata,andsystemsettings.SimilartothepreviouslymentionedNANDroidbackup,aTitaniumBackupcanpreventthelossofyoursavedgamedata.However,that’swherethesimilaritiesend.
Ratherthansimplymakingadirectimagebackupofyourdevice’sstate,Titaniumlooksatapplicationsindividuallyandbacksthemuppiecemeal.ThisisespeciallyusefulwhenusedinconjunctionwithcustomROMs.Forexample,manycustomROMsrequireadevicetobecompletelywipedbeforeinstallation.Normallythiswouldmeanlosingallapplicationsanddata.However,withaTitaniumBackup,youcanrestoreindividualapplicationsandtheirdataontothenewROM(seeFigure6-2).ANANDroidbackup,ontheotherhand,onlyallowsuserstobackupandrestoreanentiredeviceorapartitiononthedevice.
Figure6-2:Titaniumbackupdisplayingallavailableapplications
TitaniumBackupevenallowsfortaskstobebatchedandautomated.Youcanbackupandrestoreallofyourapplicationswithjustafewclicks.Youcan
evensetyourdevicetoautomaticallybackupyourapplicationstoyourDropboxaccountonasetschedule.
TitaniumBackupisavailableforfreeonGooglePlay.Apremiumversionisalsoavailable,whichaddsbetterbatchfunctionalityandmore.
PartII:ManufacturerGuidelinesandDevice-SpecificGuidesChapter7:HTCEVO3D:ALockedDevice
Chapter8:NexusOne:AnUnlockableDeviceChapter9:HTCThunderBolt:ATightlyLockedDeviceChapter10:DroidCharge:
FlashingwithODIN
Chapter11:NexusS:AnUnlockedDeviceChapter12:MotorolaXoom:AnUnlockedHoneycombTabletChapter13:NookColor:RootingwithaBootableSDCard
Chapter7:HTCEVO3D:ALockedDevice
Inthischapter:•Usingthetemporaryrootmethod•Usingthepermanentrootmethod
HTCphoneshavebecomedeveloper-andhacker-friendly.HTCallowsdevelopersandenthusiaststounlocktheirdevices.YoucanfindoutmoreaboutHTC’sunlockmethodbybrowsingtohttp://htcdev.com/bootloader.
TheEVO3Dwasoneofthefirstgenerationofsmartphonesbasedonadual-coreprocessorandrunningAndroid.TheEVO3Dincludeda“glasses-free”3Dscreenandcamera.ItshippedwithSense3.0andAndroid2.3(Gingerbread).ItlaunchedintheUSontheSprintnetworkwithaccesstoSprint’s4GWiMAXnetwork.TheHTCSensationhadasimilarspecification,withoutthe3Dcapability,andlaunchedontheT-Mobilenetwork(andonsimilar3G/UMTSnetworksworldwide).
TheEVO3Dhadalocked,signedbootloaderandlockedEMMCmemory.Itwasconsideredtobeoneofthemorelocked-downdevicesreleasedbyHTC,butitwasliberatedafewweeksafteritsrelease.
ThehackercommunitydevelopedatemporaryrootmethodfortheEVO3DbeforetherewasapermanentsolutionthatincludedS-OFF.Afterusingthetemporaryrootmethod,theEVO3Dfilesystemwouldunrootitselfandreturntoafactorystate.Asemi-permanentrootmethod(knownasa“perma-temp”method)givesrootprivilegesuntilthedevicereboots.ThepermanentrootsolutiondiscussedhereremovesS-ONandestablishespermanentrootaccessonthedevice.
ThetemporaryrootmethodusesFre3voandthepermanentrootmethodusesRevolutionary.Thiswalkthroughcoversbothmethods.Thereasonfor
coveringbothmethodsistodemonstratethewaytemporaryaccesswasgainedandtoprovideawaytodoafullbackupbeforeusingRevolutionary.
ObtainingTemporaryRootTemporaryrootwasbroughttotheEVO3DcourtesyofTeamWin.ThegroupdevelopedFre3vo,atemporary-root-acquiringtoolthatallowsusersaccesstoarootshellontheirdevices.TeamWinisalsoresponsibleforacustomrecoveryandotherEVO3D-specifichacksandcustomizations.
YouneedtheSDKinstalled,theADBtobefunctioningandthephonetobeindebugmode(seeAppendixA).YouneedtodownloadtheFre3vofilefromtheXDAforum(http://forum.xda-developers.com/showthread.php?t=1149998).TheFre3vofileisanexploitthatcreatestemporaryrootaccesstothefilesystem.
Thismethodhasyoupushafiletothefilesystem,makeitexecutableandexecuteit.
1.DownloadtheFre3vofileandplaceitinafoldercreatedspecificallyfortheexploit.2.OpenacommandpromptwindowandnavigatetoyourFre3vofolder.
3.Enterthefollowingcommandfromthecommandline:adbpushfre3vodatalocal/tmp
Thebinaryexploitis“fre3vo”withnoextension.Linux-basedoperatingsystems(includingAndroid)donotrequirefilestohaveacertainextensiontobeexecutable.
4.Makethebinaryexecutablewiththefollowingcommand:adbshellchmod777datalocal/tmp/fre3vo
5.EntertheADBshellwiththefollowingcommand:adbshell
6.Executethefre3voexploitwiththiscommand:datalocal/tmp/fre3vo
TheADBshellisclosedandyoureturntothePCprompt.Youmustre-entertheADBshelltoverifyyouhaverootaccess:
1.Enterthefollowingcommand:adbshell.
2.Verifythattheshellnowhasthehash(#)prompt,indicatingrootlevelaccess.
TherootstateobtainedwhenusingFre3voistemporaryanddisappearswhenthedeviceisrebooted.
UsingS-OFFandPermanentRootRequirementsTheAlphaRev,TeamWinandUnRevokedhackerteamsallworkedtogethertocreatetheRevolutionarytool,whichsetsS-OFFontheEVO3Dandotherphones.Revolutionaryisa“closed-source”tool,meaningthatexactlyhowitdoesitsmagicisundisclosed.Theclaimfromthedevelopersisthatthispreventsthemethodfrombeingpatched,orblocked,byOEMsandcarriers.
Asthetimeofwriting,theRevolutionarytoolisindeveloperpre-release(beta)stateandrequiresyoutouseaserialnumber.TheserialnumberisretrievedfromtheRevolutionarywebsiteinthecourseofrunningthetool.
Beforeyoustart,youneedtofollowthesesteps:
1.DownloadRevolutionaryfromhttp://revolutionary.io.(Youcanleavetheserialkeyretrievalformopenorcomebacktoitlaterbyclickingonadownloadlinkagain.)2.InstallandconfiguretheSDK(seeAppendixA).
3.InstalltheHTCdeveloperdrivers.(Youcandownloadthemfromthewikiathttp://unrevoked.com/rootwiki/doku.php/public/revolutionary.)
4.DownloadtheTeamWinflashablecustomrecovery(TWRP)fromhttp://forum.xda-developers.com/showthread.php?t=1192077
(downloadthezipfilenottheimagefile).
5.Downloadthesuperuserflashablefile(su-2.3.6.3-signed-efgh.zip)fromSection99ofhttp://forum.xda-developers.com/showthread.php?t=1192525.
Placealltherequiredfilesinafolderbythemselvestoavoidconfusion.
HereisabriefoverviewofthestepsinvolvedwithgettingS-OFFontheEVO3D:
1.VerifythattheHTCdeveloperdriversareinstalledandthatyouhaveconnectivitybetweenthePCandthedevice.2.(Optional)Backupalldata(forexample,usingthetemporaryrootmethodintheprevioussection).
3.RuntheRevolutionarytool.4.Flashthecustomrecovery.
5.Flashthesuperuserbinary.6.InstalltheSuperUserapplication.7.Runafullsystembackupfromthecustomrecovery.
Theprocedureoutlinedbelowisfairlysafeandbrick-proof.However,aswithallhackingactivities,youacceptfullresponsibilityandwillvoidyourwarrantybyrunningtheRevolutionarytool.
RunningtheRevolutionaryToolRevolutionaryrunsonyourlocalmachineandcommunicateswithyourphoneviatheUSBcable.Itdoesitsmagicviaembeddedcommandsencodedinthebinary.YouneedtoverifythatyouhaveADBconnectivity(seeAppendixAforarefresheronusingtheadbdevicescommandtotestconnectivity).ThereisasimplisticinterfacethatrunsasshowninFigure7-1.
Theutilitywilldetectthedeviceyouhaveconnected(itcanbeusedwithanumberofHTCdevices)andchooseanappropriateS-OFFmethod.
TheRevolutionaryutilitywillthenaskforakeybasedonyourserialnumber.Attimeofwriting,theRevolutionaryutilityisinbetateststageandrequiresaserialnumbergeneratedbytheRevolutionarywebsite.Thedevelopmentteamhassaidthatwhenthekeyispubliclyreleased,itwillnotrequireabetakey.
Figure7-1:TheRevolutionaryS-OFFutility
Togetyourbetakey:
1.Navigatetohttp://revolutionary.io.
2.Clickthedownloadbuttonforyouroperatingsystem.
3.Cancelthedownloadwindowifyouhavealreadydownloadedtheutility.4.Thebetakeyformisnowshownonthepage.
5.EntertheserialnumberofyourdeviceasshownintheRevolutionary
utilitywindow.6.SelectyourdeviceandHBOOTversion.
YourHBOOTversioncanbeobtainedbyforcingthephoneintobootloadermodewiththecommandadbrebootbootloader.TheHBOOTversionislistedatthetopofthewhitescreenedbootloader.
7.Clickthe“generatekey”buttonandwritedownthebetakeythatisgenerated.
Nowthatyouhavethebetakey,enteritintotheRevolutionaryutilitywindowprompt(seeFigure7-2)andhittheEnterkey.
Figure7-2:Enterthebetakeyattheprompt
TheRevolutionaryutilitystartsitsmagic.Theprocesstakesalittletimeandyourphonewillflashandrebootfourtimes.Eachtime,theRevolutionaryutilitywillpromptyouthatitisrebootingyourphone.
Attheendoftheprocess,theutilityasksyouifyouwouldliketodownloadandinstalltheClockworkModrecovery.Answer“No”tothispromptasyouwillbeinstallingtheTWRPrecovery.
TheRevolutionaryutilityisnotalwayssuccessfulatflashingtheClockworkModrecovery.Thereisthepossibilityofendingupinabootloopif
youuseittoflashClockworkMod.
AftertheRevolutionarytoolhascompleted,yourEVO3DwillbeS-OFF.However,togetfullrootaccess,youneedtoinstallthesuperuserbinaryandatooltomanageSuperUserrequests.TheeasiestwaytodothisistoflashtheSuperUserpackagestothefilesystemusingacustomrecovery.
InstallingaCustomRecoveryTherearetwowaysthattheTWRP(oranyrecovery)canbewrittentotherecoverypartition:
•usingFastboot(seeChapter3)toflashanimagefiletotherecoverypartition•usingthebuilt-inbootloaderbyrenamingthefiletotheexpectedupdatepackagename(inthiscase,PG86IMG.zip).
ThefirsttimeIrootedanEVO3D,IusedtheFastbootcommandtoflashtherecovery.Inhasteandwithalackofcaution,Iflashedtherecoveryimagetothebootpartition.Thismademyphoneonlyabletobootintorecovery.Inessence,Ihadasoft-brickeddevicethattookmeafulldayofsweatandfeartofix.IeventuallyfixedtheissuewithacombinationofADBrebootcommandsandFastboot.
Thesecondmethodisdescribedhereasitissaferandlesslikelytocauseissues.YouuseADBtopushtherecoveryflashabletotheSDcardandrenameit.ThiswillbypasspossibleissueswithWindowsExplorerchangingthenameandextensionofthefile.
ToflashtheTWRPcustomrecovery,followthesesteps:
1.OpenacommandpromptwindowandnavigatetothefoldertowhichyoudownloadedtheTWRPcustomrecoveryfile.2.UseADBtopushthefiletotheSDcardandchangethenamewiththiscommand:adbpushPG86IMG-twrp-shooter-1.0.3.zipsdcardPG86IMG.zip
3.UseADBtorebootintotheHBOOTwiththefollowingcommand:adbrebootbootloader
4.Whenthewhitebootloaderscreencomesonyourdevice,usetheupanddownvolumebuttonstoselectthebootloaderoptionandpressthepowerbuttontoselect.ThebootloaderscansforthezipfileyoupushedtotheSDcardandflashesit.5.Whenthezipfilehasbeenflashed,usetheupanddownarrowstoselect
therebootoptionandselectitwiththepowerbutton.Thedevicewillreboot.6.RemoveanyPG86IMG.zipfilethatremainsonyourSDcard.Youcandothiswithafileexplorer,suchasESFileExplorer,orusingthefollowingADBcommands:adbshell
cd\sdcard
rmPG86IMG.zip
InstallingtheSuperuserBinaryNowyouflashtheSuperUserrecoverybinaryusingTWRPrecovery.(Ifyoudidnotdownloadthesuperuserbinaryearlier,downloadsu-2.3.6.3-signed-efgh.zipfromSection99athttp://forum.xda-developers.com/showthread.php?t=1192525.)YouneedtopushthefiletoyourSDcard,rebootintorecoveryandthenflashitfromtherecovery.
Withyourdeviceon,connectedandindebugmode,enterthefollowingcommandstocopythefiletoyourSDcard:
adbpushsu-2.3.6.3-signed.efgh.zipsdcardsu-
2.3.6.3-signed.zip
adbrebootbootloader
Youcantypesuandthentapthetabkeytoautofilltherestofthelongcomplexfilenames.
1.Whenthewhitebootloaderappears,usethevolumebuttonstohighlightbootloaderandpressthepowerbutton.
2.Thebootloaderrunsascanforupdate.zipfilesandthenallowsyoutoselecttherecoveryoptiontobootintotheTWRPrecovery.
3.WhentheTWRPrecoveryboots,selectthe“FlashZip”optionusingthepowerbutton.4.Usethevolumebuttonstonavigatetothesuperuserbinaryandselectitwiththepowerbutton.TheTWRPrecoveryflashesthezipfile’scontentsandthenrebootsthedevice.
Whenthedevicereboots,thesuperuserbinariesareinplaceandyouarereadytomoveontothenextstep.
InstallingaSuperUserApplicationNowthatyouhaveacustomrecoveryandthesuperuserbinaryinplace,youneedawaytohandlerootandrootrequestsfromapplicationsandtheAndroidoperatingsystem.ChainsDD,adeveloperofexceptionaltalent,hascreatedasuperusermanagementapplicationknownasSuperUser.YouinstallChainsDD’sSuperUserapplicationtohandleallsuperuserrequests.
1.SearchinGooglePlayforthe“SuperUser”applicationfromChainsDD.2.DownloadandinstalltheSuperUserapplication.(YoucanpurchaseSuperUserElitetothankChainsDDforhisexcellentworkintheAndroidhackercommunity.Heworksveryhardtomakethiseasyforus.Forlessthanacupofcoffee,youcanhelpChainsDDcontinuehisworkforthehackercommunity.)
3.RuntheSuperUserapplicationonyourEVO3D.IftheapplicationdetectsavalidinstallationofSuperUserbinaries,youwillbefullyrootedwithS-OFF.4.RebootintoTWRPtomakeafullbackupofyourfilesystem.
AtthispointyoucandownloadROMswithcustomizationsandoptimizations.CustomROMsusuallyhavecarrierbloatremovedandcontaincustomizationstothefirmware.DownloadingROMsfromtheXDAforumcanbeaddictive.Checkoutoneoftheaggregateposts(suchashttp://forum.xda-developers.com/showthread.php?t=1192661)thatkeeptrackofthemostpopularROMsandcustomthemes.
Chapter8:NexusOne:AnUnlockableDevice
Inthischapter:•InformationabouttheNexusOne•RootingtheNexusOne
Thiswalkthroughappliesskillslearnedinthefirstpartofthebook.Anunlockeddevicemakesiteasytosendfilestotherootfilesystemandstartthecustomizationofyourphone.ThischapterwillmakeagoodreadnotonlyforownersoftheNexusOnedevicebutalsoforbeginningAndroidhackers.Itisincludedhereasareferencetohelpyouunderstandtheapplicationofthecommandsandskillsfromthefirstpartofthebook.ReadthroughthiswalkthroughtounderstandtheprocessofrootinganunlockabledeviceandthegeneralapplicationofADBandFastbootcommandsfromtheSDK.
TheNexusOneisaGooglephonewithavanilla(unaltered)versionofAndroid.Itisconsideredadevelopers’phoneanditcanbeunlockedusingtheFastbootcommand.TheNexusOnewasbuiltbyHTCandsoldbyGoogle.OEMsandcarriersusuallytakeaversionofAndroidandmodifyittoincludeorexcludefeaturesandapplicationsbeforeshippingitonaspecificmodelofdevice.TheNexusOnewasdesignedspecificallytohighlightanAndroidinstallationthathadnotbeenalteredbyanOEMorcarrier.ThephonecontinuestobepopularamongdevelopersandthosewhovaluetheeaseofrootinganddevelopinginanunalteredAndroidenvironment.
TheXDAforumfortheNexusOnecanbefoundathttp://forum.xda-developers.com/forumdisplay.php?f=556.
RootMethodsAvailableThefollowingrootmethodsareavailablefortheNexusOne:
•theZ4Rootone-touchrootapplication,whichdoesnotunlockthedevice•ASHMEMexploitsusingpsneuter
•Fastbootunlockingofbootloader.
ThiswalkthroughusestheFastbootunlockingmethod.TheNexusOnewasintendedtobeunlockedandusedasadeveloperphone.TheNexusOneXDAforumandtheNexusOnewiki(http://forum.xda-developers.com/wiki/index.php?title=Nexus_One)containallofthemethodsandfilesneededforthewalkthroughhere.
TherearemethodsforrootingandrunningcustomROMsontheNexusOnethatbypassunlockingthebootloader.Theprimaryreasonforusingamethodthatleavesthebootloaderlockedistoavoidthelossofwarrantycoveragethatcomesfromunlockingit.However,ifyouunlocktheNexusOne,theprocessissimplerandyouwillhavealearningexperiencewithadeveloper-classdevice.
ResourcesRequiredforthisWalkthroughBeforefollowingthestepsinthiswalkthrough,youshoulddownloadthefollowingfilesfromthedevice-specificforumatXDA(http://forum.xda-developers.com/forumdisplay.php?f=556):
•AndroidSDKfortheADBandFastbootcommands•theNexusOnesuperbootimagefile(abootimagewithrootaccessthatwillbewrittentothebootpartition)appropriatetoyourAndroidbuild(todeterminethebuild,openSettingsandAboutThisPhone;thebuildnumbershouldresemble“ERE36B”)
•thesuperuserbinary•theSuperUser.apkapplication
•theBusyBoxbinaries.
WalkthroughTheskillsdiscussedinChapter3areusedheretounlockthebootloaderandflashanewbootloaderusingFastboot.
ThiswalkthroughisforAndroid2.3.3.IfyourNexusOneusesAndroid2.3.4,youwillneedtheprocedurelistedathttp://nd1razor.blogspot.com/2011/07/how-to-root-android-234-
nexus-one.html.IfyourdeviceusesanyotherversionofAndroid,youwillneedtoresearchthespecificvariationsfromtheprocessinthiswalkthrough.
ThebasicstepsofrootingtheNexusOneandthengettingacustomROMontoitaresimilartotheotherwalkthroughsinthisbook:
1.Unlockthebootloader.2.Flashanewbootloaderwithanunlockedfilesystem.
3.InstalltheBusyBoxbinaries.4.Installthesuperuserbinary.
5.InstalltheSuperuser.apkapplicationtocontrolwhathasrootaccessfromthedevice.
YoucanunlockthebootloaderontheNexusOnewithasimplecommandfromFastbootonyourPC.Youneedtorealizethoughthatthismethodofunlockingthebootloaderisuniquetounlockabledevices.Withotherdevicesinthisbook,youmustjumpthroughmanyhoopsjusttogetthebootloaderunlocked.AbootloaderfromtheOEMthatisnotlockeddownmakestheprocessofcustomizingyourphoneassimpleasthewalkthroughhere.
UnlockingthebootloaderonyourNexusOnevoidsthewarranty.ItiscurrentlynotpossibletorelocktheNexusOnebootloader,thoughprogresshasbeenmadebydevelopers.YoucanalwaysgobacktoastockversionofAndroidandastockROMbutunlockingthebootloaderisaone-waystreet.Ifyouwanttokeepthebootloaderlocked,youcanusethepsneutermethodtorootyourNexusOne(http://forum.xda-developers.com/wiki/Nexus_One/Guides_%26_Tutorials#Root).
Youshouldnotethatsomeunlockabledevicescanberelocked.TheXoom,forinstance,canberelockedaslongasthebootloaderandtheROMarebothsignedwiththeOEM’ssignature.
PlacingtheNexusOneinFastbootModeThefirststepistoplacethephoneinamodethatwillacceptcommandsfromtheFastbootprotocol.ThisistypicallycalledFastbootorFastbootmode.TheNexusOnehasanintermediatemodecalledHBOOT,whichallowsyouchoosebetweenFastbootandbootingintorecovery.ToforcetheNexusOneintoHBOOT,startwiththephoneswitchedoffandfollowthesesteps:
1.ConnectthedevicetoyourPCwiththeUSBcable.2.Pressandholdthetrackballatthebottomofthephone.3.Withoutreleasingthetrackball,pressthepowerbuttontoturnthephoneon.HoldthetrackballuntilthewhiteHBOOTscreenappears.
4.Verifythatthestatusindicatorreadsfastbootusb.
Youcanalsousethevolumebuttonstoselectthebootloaderoption,bootintothebootloaderandthenselecttherecovery.Fortheunlockprocedure,youneedonlythedefaultFastbootmode.
5.StartacommandpromptwindowonyourPCandnavigatetothefolderwheretheFastbootcommandisinstalled(usuallyC:\ProgramFiles(x86)\Android\android-sdk-windows\tools\).
6.Enterthefollowingcommand:fastbootdevices
ThiscommandworksinasimilarwaytotheADBdevicescommand.ItreportsanyattachedFastbootdevices.TheoutputofthecommandshouldlooklikeFigure8-1.
Figure8-1:ThefastbootdevicescommandshowinganattachedHTCdevice(theNexusOne)inFastbootmode
Iffastbootdevicesdoesnotreturntheattacheddevices,verifyconnectivityandthattheNexusOneshowsfastbootusbontheHBOOTscreen.7.Enterthefollowingcommand:fastbootoemunlock
ThiscommandstartstheunlockqueryontheNexusOne.Selectthe“Yes,unlockbootloaderandvoidyourwarranty.”option.
TheNexusOnewillrebootandthebootscreenwilldisplayanunlockedpadlockatthebottom.
FlashingaBootPartitionNextyoumustflashabootpartitionthatwillallowfullrootaccesstothefilesystem.
1.ExtractthesuperbootimagefiletoyourFastbootfolder.ThismakesiteasiertotypetheFastbootcommand.2.ReboottheNexusOneintoFastbootmodebypoweringitonwhileholdingdownthetrackball.
3.OpenacommandpromptwindowonyourPCandnavigatetoyourFastbootfolder.4.Enterthefollowingcommand:fastbootflashboot<buildnumber>.boot.img
Thiscommandwritesthebootimagefilethatyoudownloadedtothebootpartition.
Whentheflashiscomplete,theNexusOneshouldreboot.Ifitdoesnot,enter:fastbootreboot.
GettingFullRootAccessThenextstepsaretoinstallthecommandstogivetheNexusOnefullrootaccessandsuperusercontrolofthefilesystem.YoupushseveralbinariestothefilesystemwithADBthenchangethepermissionsonthebinariessotheycanbeexecuted.
MakesuretheNexusOneisinDebugmode.RefertoChapter3forinstructionsonputtingyourphoneintoDebugmode.TheclickpathforDebugmodeisSettings→Applications→Development→Debug.
1.NavigatetothefoldertowhichyoudownloadedthesuperuserandBusyBoxbinariesandtheSuperUser.apkapplication.
2.Enterthefollowingcommand:adbpushsusystembin/
3.Enterthefollowingcommand:adbpushbusyboxsystembin/
Next,logintotheAndroidshellandchangethepermissionsonthesefilessotheycanbeexecuted.IfyouneedarefresheronnavigatingandusingtheADBshellorthechmodcommand,turnbacktoChapter3andreviewtheactivitiesthere.Tomakethebinariesexecutable,followthesesteps:
1.OpenacommandpromptwindowonyourPCandverifythatyouhaveADBconnectivitywithyourdevice.(RefertoAppendixAforinstructionsonsettingupandusingADB.)2.Atthecommandprompt,enterthefollowingcommand:adbshell
ThiswilldropyouintotheinteractiveADBshell.Youcanverifyitbythe#promptinthecommandshell.3.Atthehashprompt,enterthefollowingcommand:chmod4755systembin/su
4.Enterthefollowingcommand:chmod4755systembin/busybox
5.Finallyusethechangeownercommandtomakethesuperuserbinary
belongtoroot.Enterthefollowingcommand:chownrootsystembin/su
Afterthecorebinariesareinstalledandthepermissionschanged,youneedtoinstalltheSuperUserapplication(writtenbyChainsDD),whichprovidesacontrolmechanismforapplicationsthatrequestsuperuseraccess.NavigatetoGooglePlayanddownloadSuperUser.apk.
Atthispoint,yourNexusOneisunlocked,rootedandreadyformorecustomization.
InstallingaCustomRecoveryThereareacoupleofwaystoinstallthecustomrecovery.ThemanualwayistodownloadtherecoveryimagefileanduseFastboottoflashittotherecoverypartition.Tomanuallyflashacustomrecovery,followthesesteps:
1.ConnecttheNexusOnetoyourPCandopenacommandpromptwindowonyourcomputer.2.Enterthecommandadbreboot-bootloader.
3.VerifythattheNexusOnerebootsintoFastbootUSBmode.4.FromyourPCcommandprompt,runthefollowingcommand:fastbootflashrecovery<recoveryimagename.img>
Waitfortheflashtocomplete.
5.Enterthecommandfastbootreboot-bootloadertorebootthedevicebackintothebootloader.6.Usethevolumeupanddownbuttonstohighlightthe“bootloader”optionandpressthepowerbutton.
7.Thebootloaderlooksforanupdate.zipfileandthenallowsyoutoselectthe“recovery”optionwiththevolumeandpowerbuttons.TheNexusOnebootsintorecovery.
Thereisafareasierwaytoinstallacustomrecovery,thoughthemanualwayismoreedifying.KoushikDuttahascreatedanapplication,RomManager,thatisacompaniontotheClockworkModrecovery.RomManagernotonlyprovidesanexcellentwaytoinstalltheClockworkModrecoverybutisalsoawaytodownloadandflashcustomROMs.
DownloadtheRomManagerapplicationfromGooglePlay.(Purchasethefullversionasthebenefitsaremanyandthedeveloperisbothtrustworthyandhardworking.)
TousetheRomManagerapplicationtoinstalltheClockworkModrecovery,followthesesteps:
1.StartRomManagerandselectthe“FlashClockwork”option.
2.SelectyourdevicefromthelistofsupporteddevicesthatRomManagerdetects.RomManagerwillrequestsuperuserpermissionsandtheSuperUserapplicationwillpresentyouwithapop-upbox.3.Selectthe“Allow”and“Remember”options.TheRomManagerwillinstalltheClockworkModrecovery.
4.Whenthesuccessfulflashhasoccurred,selectthe“Rebootintorecovery”option.YourNexusOnewillbootintotheClockworkModrecovery.
Atthispoint,youshouldusethebackupoptiontobackuptheentireNexusOne.
Chapter9:HTCThunderBolt:ATightlyLockedDevice
Inthischapter:•InformationabouttheHTCThunderBolt•RootingtheHTCThunderBolt
TheHTCThunderBoltwasintroducedtotheVerizonLTE(4G)networkasa1GHzAndroiddevicewith768MBofinternalmemory.Itwasoneofthefirstgenerationofdevicestooffer4GspeedsontheVerizonnetwork.
TheThunderBoltwasalsooneofthemorelocked-downHTCdeviceswithmultiplelevelsofsecuritychecksandencryption.Thelocked-downnatureoftheThunderBoltwasintendedtokeepthedevicewellwithinthecontroloftheOEMandcarriers.However,theThunderBoltwasfreedbyacombinationoftheprovenpsneuterexploitandsomenewmagicintheformofadowngradefirmwarethatcouldberooted.
IhavechosentowalkthroughrootingtheThunderBoltbecauseitisoneoftherootprocessesthatmakesyoufeelverymuchasifyouarehacking.Therealityisthatallofthehardworkhasbeendonebythedevelopers,suchasScottWalkerandTeamAndIRC.However,usingtheexploitandskillsyoulearnedinChapter3,youwillquicklyrealizeyouaredoingrealdevicehacking.
Whenreleased,thedevicewasrumoredtobe“unbreakable”.Thehackercommunitymadeshortworkofitanyway.TheThunderBoltwentveryquicklyfrombeingoneofthemostlocked-downAndroiddevicestojoiningtheranksofcompletelyfreeAndroiddevices.Thewalkthroughinthischapterexamineseachstepoftheprocess.
RootMethodsAvailableMostoftherootmethodsfortheThunderBoltfollowthewalkthroughprocedureswithslightalterationsforupdatedversionsofthephoneandchangesthatcomewithover-the-airupdatesfromVerizon.ItisextremelyimportantthatyoudoyourhomeworkontheXDAforumtodeterminewhichprocessiscorrectforyourdeviceversion,HBOOTversionandAndroidbuild.
ThisparticularwalkthroughisfortheMR1/OTAFirmware1.13.605.7version.YoucancheckyourfirmwareversionbynavigatingtoSettings→AboutPhone.
Thedevice-specificforumonXDAcanbefoundathttp://forum.xda-developers.com/forumdisplay.php?f=940.Agoodreferencethreadforthisprocedureisathttp://forum.xda-developers.com/showthread.php?t=996616.
Somepostssaythatthemethodcoveredinthischapterisoutdated.Thatisbecauseaneasiermethodisnowavailable.TheRevolutionarytooliscoveredinChapter7andshouldbeusedifpossible.ThemethoddiscussedhereisstillappropriateandstillworksiftheversionofAndroidisthesameasoriginallyshippedonthedevice.
ResourcesRequiredforthisWalkthroughThefollowingfilescanbedownloadedfromembeddedlinksinhttp://forum.xda-developers.com/showthread.php?t=996616:
•thecustomROMupgradeutility,PG05IMG_downgrade.zip(MD5SUM:aae974054fc3aed275ba3596480ccd5b)•theBusyBoxbinary
•theexploitfiles,wpthisandpsneuter
•thesuperuser(SU)binary
•themisc.imgfile(MD5SUM:c88dd947eb3b36eec90503a3525ae0de)foroverwritingtheeMMC•thehbooteng.nb0imagefileforreplacingtheHBOOT(MD5SUM:6991368ee2deaf182048a3ed9d3c0fcb)(ThisisthedeveloperversionofHBOOTthatgivesaccesstomoreFastbootcommands.)•thecustomROMupgradeutilityPG05IMG_MR1_upgrade.zip(MD5SUM:7960c7977c25b2c8759605be264843ea).
PlaceallofthefilesyoudownloadintoasinglefolderonyourPC.ItwillbehelpfulforyoutoaccessthefilesifyoucreatethefolderontherootofoneofyourPC’sharddisks,forexample,D:\ThunderboltRoot.UnziptheexploitfilesandtheBusyBoxandSUbinariesintoyourfolder.
Donotunzipthedowngradeandupgradezipfiles.TheyareROMupgradeutility(RUU)files—signedfirmwarethatwillbeusedtodowngradeyourfirmwareandthenupgradeaftergrantingS-OFFtoyourdevice.Itisextremelyimportantthatyoudonotunzipthesefiles.Placethezipfilesinyourfolder.
WalkthroughADBhastobesetupbeforeyoustartthisprocess.RefertoAppendixAforinstructionsonsettingupandusingADB.
Readeverything.ReadtheXDAthreads.Chargeyourphone.Youcanbrickyourdeviceifyoudonotfollowtheseinstructionscorrectly.Youwillvoidyourwarranty.Youassumeallresponsibility.
PushingFilestotheDeviceThefirststepistopushtheexploitfile,BusyBoxandtheexploitimagetoapartofthefilesystemthatiswriteablewithoutrootaccess.YouwilluseADBtopushthefilesandthenchangethepermissionsonthefilessothattheycanbeexecutedasbinaries.
YouwillusetheADBshellinitsnon-interactivemode.WhenyoupracticedthechmodskillinChapter3,youusedtheADBshellininteractivemode.Innon-interactivemode,yourcommandpromptdoesnotchangeto$afterthefirstADBshellcommand.Instead,thecommandisrunonthedeviceandyoureturntothePCcommandprompt.
1.OpenacommandpromptwindowonyourPCandnavigatetothefolderinwhichyousavedthefiles.2.Runthefollowingcommandstopushthefilestothewriteableportionofthefilesystem:adbpushpsneuterdatalocal/
adbpushbusyboxdatalocal/
adbpushmisc.imgdatalocal/
3.Enterthefollowingcommandstochangethepermissionsonthefiles:adbshellchmod777datalocal/psneuter
adbshellchmod777datalocal/busybox
GainingTemporaryRootThenextstepistogaintemporaryrootaccess.ThisisaccomplishedviaanexploitinwhichADBchecksfortheS-OFFandS-ONsecurityflagsfortheconnecteddevice.ScottWalkerhaswrappedupthisexploitintothepsneuterutilityyouhavejustuploadedtoyourdevice.
YounowusetheADBshellinitsinteractivemode(asyoudidinChapter3).Inthemiddleoftheprocess,yourADBshellmayseemtofreeze—thisisexpectedandyouwillcloseyourcommandpromptwindowasnecessaryandrestartittocontinuetheprocess.
Rootaccessusingthepsneuterexploitisveryfragile.Itwilldisappearifyourdeviceisrebooted.Infact,itcanalsoberevokedbysomedeviceactivities.Makesureyourdeviceisfullychargedandfollowonlythestepshere.
1.EnterthefollowingcommandtoentertheinteractivemodeofADBshell:adbshell.
YourPCcommandpromptshouldbereplacedbythe$promptthatsignifiesyouareoperatingintheAndroidoperatingsystemwithalowor“notroot”accesslevel.
2.Enterthefollowingcommandtorunthepsneuterexploit:datalocal/psneuter
Therewillbeaslightpauseandoneoftwothingsmayoccur:
•YoumaybekickedoutoftheADBshellandseethePCcommandpromptagain.•Youmayfreezeatthecommandpromptandnotbeabletoenteranything.
Ineithercase,simplyopenanewcommandpromptwindowandcontinuefromthenextsection.Itishighlyunlikelythatyouwillneedtorunthepsneuterexploitasecondtime.Ifyoudonothavetemporaryroot(indicatedbythe#promptintheADBshell),rebootyourphoneandtrytheprocessagainfromthetop.
CheckingaFile’sMD5SignatureTheBusyBoxbinary(seeChapter3)containsmanycommandsfortheAndroidoperatingsystem,includingacommandthatallowsyoutohashanyfiletocheckitsMD5signature.
Whenyoudownloadafile,youshouldhashthecopyonthefilesystemtoverifythatitisthecorrectsizeandnocorruptionhasoccurred.Afteryouwritetheimagefiletothepartofthefilesystemsetasideasstorageforparticularcode,youagainhashthedatatoverifythatitwaswrittencorrectlyandwithnocorruption.
WritingtheTemporaryBootloaderNowyouwillusethemisc.imgfileyouuploadedtooverwriteaportionoftheThunderBolt’sfilesystem.Thiswillallowyoutodowngradethefirmwaresoyoucanupgradetoarootedimage.
Beforeyoudosomethingasdestructiveasoverwritingaportionofthebootloader,youwanttobevery,verysurethatthedatayouwillbewritingmatchestheknowngoodexploitcode.Whentheexploitwascreated,itwasrunthroughanMD5hashprocedurethatgeneratedaone-wayhashcodethatcanbeusedtoverifythefilewheneveritisdownloadedormoved.
TheprocessforverifyingtheMD5hashofafileisdescribedindetailinChapter3.Youmustenterthefollowingcommandatthe#promptoftheADBshell:
datalocal/busyboxmd5sumdatalocal/misc.img
Theoutputfromthehashcommandshouldbec88dd947eb3b36eec90503a3525ae0de.Iftheoutputstringdeviatesinanywayfromtheexpectedstring,youneedtorepeattheprocessofdownloadingthefileandpushingittotherequiredlocation.
Itiscriticaltocheck(anddouble-check)theMD5hashherebecauseyouarewritingtoasectionofmemorywithapowerfulcommand.Amis-steporsinglefaultybitwillbetheabsoluteendgameforthephone.Thatisrarelytrueforrootingprocedures.
Oncethehashstringisidenticaltotheexpectedstring,youcanwritemisc.imgtoitsnewhome.
1.OntheADBshellcommandline,enterthefollowingcommand(seeChapter3formoreinformationabouttheddcommand):ddif=datalocal/misc.imgof=devblock/mmcblk0p17
2.VerifytheMD5hashofwhatwascopiedbyenteringthefollowingcommand:datalocal/busyboxmd5sumdevblock/mmcblk0p17
TheMD5hashoutputshouldmatchthefollowingstringexactly:c88dd947eb3b36eec90503a3525ae0de.Ifitdoesnotmatchexactly,repeatthesesteps.
DowngradingtheFirmwareInthisstep,youflashasignedversionofthefirmwareearlierthantheonewithwhichyourdeviceshipped.AsmentionedinChapter2,thebootloaderlooksforaspecificallynamedfileforupdatestothedevicefirmware.Youcopythesigneddowngradezipfiletothedevice’sSDcardusingADBcommands.
1.InacommandpromptwindowonyourlocalPC,enterthefollowingcommandtoopentheADBshellininteractivemode:adbshell.
2.Enterthefollowingcommandtorenamethefile:adbpushPG05IMG_downgrade.zipsdcardPG05IMG.zip
3.EnterthefollowingcommandtoverifytheMD5hashofthepushedfile:datalocal/busyboxmd5sumsdcardPG05IMG.zip
TheMD5hashoutputshouldmatchthefollowingstringexactly:aae974054fc3aed275ba3596480ccd5b.Ifitdoesnotmatchexactly,repeatStep2andcheckitagain.Youmayalsowanttodownloadthefileagain.Donotunplugyourphoneorrebootit—ifyourphoneisturnedofforrebootsatthispoint,itislikelytobepermanentlybricked.Justkeeptryinguntilthehashcomesoutcorrectly.4.Whenthehashstringmatches,enterthefollowingcommand:adbrebootbootloader
5.WhenthewhiteHBOOTbootloaderscreenshowsup,usethevolumeupanddownbuttonstoselectthe“bootloader”optionandpressthepowerbuttontoselectthebootloader.Thebootloaderlocatesthesignedzipfileandflashesittoyourdevice.
6.Whenyouareaskedtoupgrade,selectthe“yes”option.Getacupofcoffeeandletitdoitsthing.Theflashandrebootcantakealongtime.7.Whenit’sdone,selectthe“reboot”optionandallowittoreboot.
Whenthephonehasrebooted,useafileexplorer(suchasESFileExplorer)tolocatePG05IMG.ziponyourSDcardanddeleteit.Thisisimportantasyouwilllaterplaceanothersignedfirmwarethereforflashingtoupgradethefirmware.
GainingTemporaryRoottoUnlocktheMMCYouaregoingtofollowalmostthesameprocedureasyoudidearlierwhenpushingfilestothedevice.Thenyouwillrunthetwo-partexploittogaintemporaryrootandunlocktheMMC.
1.InyourPCcommandpromptwindow,makesurethatyouareinthefoldertowhichyouextractedalltheThunderBoltexploitfiles.2.Runthefollowingcommands:adbpushpsneuterdatalocal/
adbpushbusyboxdatalocal/
adbpushwpthisdatalocal/
adbshellchmod777datalocal/psneuter
adbshellchmod777datalocal/busybox
adbshellchmod777datalocal/wpthis
3.Runthefollowcommandstogettemporaryroot:adbshell
datalocal/psneuter
RememberthisexploitthrowsyououtofADBshell,sodon’tpanic.SimplyreopentheADBshellandcontinuewiththefollowingstep.
4.RuntheMMCunlock:datalocal/wpthis
exit
RewritingtheBootloaderFirstyoupushtheHBOOTtothefilesystemandverifytheMD5hash.ThenyouwritethefiletotheMMCandverifytheMD5hash.Thisisthesinglemostcriticalmomentofthisprocess.IfyoudonotgetanexacthashfromtheMD5SUMcommandyoumustrewriteuntilyougetthecorrectMD5hash.
Ifthispartoftheprocedureisdoneincorrectly,youcancompletelybrickyourphone.Goslowly,readaheadanddon’tpanic.
1.InyourPCcommandpromptwindow,makesurethatyouareinthefoldertowhichyouextractedalltheThunderBoltfiles.2.Enterthefollowingcommandtopushthefiletoyourdevice:adbpushhbooteng.nb0datalocal/
3.OpentheADBshellandcheckthefile’shashvalueusingthefollowingcommands:adbshell
datalocal/busyboxmd5sum
datalocal/hbooteng.nb0
4.Lookcarefullyattheoutput.Itmustmatchthefollowingstring:6991368ee2deaf182048a3ed9d3c0fcb.IftheoutputoftheMD5SUMcommanddoesnotmatchthestringexactly,youmustdownloadthefileagain.
5.FromtheADBshell’s#prompt,enterthefollowingcommandtowritethenewbootloader:ddif=datalocal/hbooteng.nb0
of=devblock/mmcblk0p18
6.Whenthatprocesscompletes,youneedtoverifytheMD5hashofwhatendedupintheMMCmemoryblock.AttheADBshellprompt,enterthefollowingcommand:datalocal/busyboxmd5sumdevblock/mmcblk0p18
TheMD5hashoutputshouldmatchthefollowingstringexactly:6991368ee2deaf182048a3ed9d3c0fcb.Ifitdoesnotmatchexactly,repeatStep5.Donotunplugyourphoneorrebootit—ifyourphoneisturnedofforrebootsatthispoint,itislikelytobepermanentlybricked.
7.Whenthehashstringmatches,enterthefollowingcommandstoleavetheADBshellandrebootyourdevice:exit
adbreboot
UpgradingtheFirmwareNowyouuseADBtocopytheupgradezipfiletoyourSDcardandallowthenewbootloadertowriteittoyourdevice.
1.MakesureyouhaveaPCcommandpromptwindowopenandareinthefolderwhereyouplacedthesignedzipfile.2.EnterthefollowingcommandtopushthefiletoyourSDcard:adbpushPG05IMG_MR1_upgrade.zip
sdcardPG05IMG.zip
3.Becauseweonlyacquiredtemporaryrootearlier,wemustpushtheBusyBoxbinarytothedeviceaswell:adbpushbusyboxdatalocal/
4.VerifythattheupgradeRUUfirmwarematchestheMD5SUMhashforthefile(7960c7977c25b2c8759605be264843ea):adbshell
datalocal/busyboxmd5sumsdcardPG05IMG.zip
Ifthehashstringsdonotmatch,downloadtheupgradezipfileandpushittotheSDcardagainuntiltheydomatch.5.OncethefileiscorrectlywrittentoyourSDcard,youcanletthenewbootloaderwritethenewfirmware:exit
adbrebootbootloader
WhenthewhiteHBOOTscreenbootsup,usethevolumeandpowerbuttonstoselectthe“bootloader”option.ThebootloaderwillcheckforPG05IMG.zipandflashit.Againwhenaskedtoupgrade,select“yes”andgoforacupofcoffee—itcantakeawhile.Whentheflashingiscompleted,rebootthedeviceandremovePG05IMG.zipfromyourSDcard.
AtthispointyouarerunningadevicethatisS-OFF—ithasthesecurityflagoffandisrunningrelease(asopposedtodeveloper)firmware.
DownloadSuperUser.apkfromGooglePlaybysearchingfortheSuperUserapplication.YoucanalsopurchaseandinstallRomManagertohaveaccesstocustomrecoveriesandcustomROMfirmwareforflashing.
Ifyouweretoacceptadownloadpushedovertheair(OTA)fromyourcarrier,youwouldbeverylikelytoundoallofyourhardwork:itwillunrootandremovethecustomfirmware.ItisbestnottoacceptOTAupdates.However,ifyouinstallacustomROM,youareunlikelytoseeOTAupdates,asmostROMsblockthem.MostcustomROMsreleasetheirownupdatesbasedontheOTAs.
Chapter10:DroidCharge:FlashingwithODIN
Inthischapter:•InformationabouttheDroidCharge•RootingtheDroidCharge
TheDroidChargeisawell-roundedAndroidsmartphonewithahigh-contrastdisplayandaccesstoVerizon’sLTE(4G)network.
CustomizingtheROMandfirmwareonaDroidChargeinvolvesstepsratherdifferentfromusingADBtosendandreceivecommandsandfilestothedevice.AlthoughADBcanbeusedtocommunicatewithaSamsung(aswithnearlyallAndroiddevices),mostfirmwaremodificationproceduresonSamsungdevicesuseasoftwaresuiteknownasODIN.SimilartotheFastbootprotocol,ODINisatoolthattakesfirmwarepackages(rootedROMs,recoveriesandothercustomizations)andwritesthemtothememoryofaSamsungdevice.ODINmakesforafairlyeasyrootingprocess.Whileitismoreuser-friendlythanthecommandline,ODINitselfisnotterriblyintuitiveandrequiressomebasicexplanationoftheinterface.
ODINflashestoyourphone’sfilesystemspeciallyformattedpackagesin.tar.md5format.Theeasiestwaytoaccomplishroot-levelaccessistoflashtheClockworkModrecoveryandthenusetherecoverytoinstalltherootedROMofyourchoice.
Neverflashapackagethatyoudonotknowisintendedforyourdeviceandfirmware(bootloader)version.
ResourcesRequiredforthisWalkthroughYoucandownloadalltherequiredpiecesofsoftwarefromhttp://forum.xda-developers.com/showpost.php?p=15897406.Ataminimum,youneed:
•driversfortheDroidCharge•ODIN3.x
•ClockworkModinaformatforODINtoflash•arootedcustomizedROMtoflashwithClockworkMod.
TherearecompletepackagesfortheDroidChargethatincludearootedROMandClockworkMod.Flashinganall-in-onepackage,suchastheonelistedintheXDAforumpostathttp://forum.xda-developers.com/showpost.php?p=15897406willresultinasingleflashstepinsteadofmultiplesteps.
WalkthroughIfyoudownloadedaChargeKitfromhttp://forum.xda-developers.com/showpost.php?p=15897406,youneedtoextractODINtoafolderofitsownsomewhereonyourmachine.ThisfolderisprimarilyforrunningtheODINutility;trynottoputflashablefilesandotherfilesintoit.
ConnectingtheDevicetoODINRuntheODINutilitybydouble-clickingtheODINexecutable.YoushouldseetheutilityasinFigure10-1.
Figure10-1:TheODINutility
ForthephonetocommunicatewiththeODINutility,itneedstobeindownloadmode.Putthephoneindownloadmodebyfollowingthesesteps:
1.PullthebatteryfromyourDroidCharge.2.PlugyourDroidChargeintoyourcomputerwiththeUSBcable.ThephonewilltakeitspowerfromthePCinmostcases.(Seethe“Troubleshooting”sectionifyouhaveaproblem.)
3.Holdthevolumedownbuttonuntilyouseealargeyellowtriangle.4.YourphoneisindownloadmodeandODINshouldnowshowaconnecteddeviceintheID:COMwindow.
FlashingtheDeviceThisstageinvolvesbrowsingtoafileyouwanttoflashandusingODINtoflashittothedevice.
1.OpentheODINutilityonthePC.2.ClickthecheckboxinfrontofthePDAbutton.
3.ClickthePDAbutton.Youarepresentedwithafileselectiondialog.ThebuttonyouuseisthePDAbutton.Itcannotbestressedenoughthatyoudonotuseanyotherbuttontoflashyourphone.
4.NavigatetothefileyouwishtoflashtoyourDroidCharge.Thiscouldbeanall-in-oneROM–Root–RecoverypackageortheClockworkModfile.
5.Selecta.tar.md5file;itspathisplacedinthetextboxtotherightofthePDAbutton.6.Uncheckthe“AutoReboot”checkbox(belowtheID:COMboxes).7.Pressthe“Start”button.
ODINwillshowthedownloadprocess.Donotinterrupttheprocess.Whenthedownloadhascompleted,ODINwilldisplayablue“Restart”andthenshowagreen“Pass”intheID:COMbox.
If“Pass”doesnotshow,youneedtostarttroubleshootingtheflashprocess.UsingODINisafairlysafeandstraightforwardactivity.Ifyouexperienceissues,skiptothe“Troubleshooting”section.
8.Disconnectyourphonetorebootit.Ifyouinsertedthebatteryfortroubleshooting,youwillneedtopullthebatteryoutaswell.
•IfthepackageyouinstalledwithODINwasarecoverypackage,youcannowbootintorecoverytoinstallacustomrootedROM.UsetheinformationinChapter3onClockworkModtoinstallacustomROMwithit.•Tobootintorecovery,pressthehome,volumeupandpowerbuttonsallatthesametimewhilebooting.WhentheSamsunglogoappears,youcanreleasethepowerbuttonbutcontinuetopresstheotherbuttons.
TroubleshootingIfyourODINinterfacedoesnotflashthegreen“Pass”intheID:COMrectangle,considersomeofthesetroubleshootingtips:
•Ifthedeviceseemstoshutdownwithoutcompletingtheprocess,theremaybeaproblemwiththeamountofpowerbeingsenttothedeviceviatheUSBcable.TrychangingUSBportsandensurethatyouareusingarearUSBport.•OnlyuseaUSBportdirectlyinthecomputer,neveraUSBhubora“front”USBport.IfyoudonotuseamainUSBport,thereisapossibilityofinterferenceandtheremaynotbesufficientvoltagefortheflashtocomplete.
•VerifythattheUSBcableyouareusingisadatacableandnotjustachargingcable.TryadifferentcombinationofUSBcableandport.•IfthereisaproblemwhenthephoneisconnectedtoODINandinDownloadmode,reinsertthebatteryfortheflash.Afteryouflashyourpackage,removethebatterytorestartthedevice.
•ODINdoesnotliketoshare,soturnoffallothersoftware.Disableorturnoffanti-virussoftware,firewallsandothersecuritysoftware.•Thereisalwaysthepossibilityofabaddownloadofyourflashpackages.Downloadyourpackageagain,whetheritisanall-in-onepackageorarecoveryorROMpackage.
Chapter11:NexusS:AnUnlockedDevice
Inthischapter:•InformationabouttheNexusS•RootingtheNexusS
TheNexusSisGoogle’ssecondflagshipvanillaAndroidsmartphone.Periodically,Googlereleasesonephoneinconjunctionwithadevicemanufacturer.Thesephonesfeature“Nexus”branding.NexusphonesarevanillaAndroidinstallations,withnointerfaceoroperatingsystemcustomizations.UnlockedorunlockablebootloadersandfreelyavailabledriverbinariesmaketheNexusphoneshighlyprizedbythehackingandhobbyistcommunities.
UnlockeddevicesareusuallylockedfromthefactorybuthavefirmwareinplacethatallowsthemtobeunlockedwithFastbootcommands.TheNexusSfollowsthispattern.UnliketheGoogleNexusOne,theNexusSallowsthebootloadertoberelockedaswell.AfterunlockingtheNexusS,itisfairlystraightforwardtousenativeFastbootflashingfunctionalitytoflashtherecoveryorfirmwareofyourchoice.
NexusphonesareunlockedbecauseGoogleseesthemasdeveloperdevices.DevelopersneedtobeabletoaccesstheAndroidoperatingsystemataverylowlevel.Whenadeveloperiscreatinganapplication,thereneedstobeacommondevicethatcanbeconsideredtobethereferencedeviceforaparticularversionofAndroid.
ConnectingtheDevicetoaPCTheNexusSmayrequiresomespecialattentiontoconnecttoyourPCsothatADBandFastbootcommandscanbeused.BesuretodownloadandinstallthecorrectdriversforyourNexusSfromthereferencethreadathttp://forum.xda-developers.com/showthread.php?t=935819.
Afterinstallingthethird-partydrivers,youshouldthoroughlytestADBandFastbootconnectivity.RefertoAppendixAforconnectivitytestsandAndroidSDKinstallationinstructions.
ResourcesRequiredforthisWalkthroughDownloadtherequiredfilestoadedicatedfolderonyourPCtomakeiteasiertoperformtheflashing:
•driversforFastbootandADBconnectivity•acustomrecovery,suchasClockworkMod
•theSuperUserbinaryandapplicationfromthereferencethreadontheXDAforum.
Walkthrough
UnlockingtheDeviceFollowthesestepstounlocktheNexusSandprepareitforflashingacustomrecovery.
1.Backupeverythingonyourdevice.UnlockingtheNexuswillcompletelyeraseallthedataonthedeviceaswellasontheSDcard.ConnectthedevicetoyourPC,mounttheSDcardasstorageandcopyallitscontentstoyourPC.Whenyouhavecompletedthere-rootingprocedure,youwillbeabletocopybackthecontentsofyourSDcard.
2.PutyourNexusSinFastbootmode:a.Startwiththedeviceoff.
b.Poweritonwhilepressingthevolumeupandpowerbuttons.ThedeviceshouldboottothewhiteFastbootscreenwiththeskatingAndroids.
3.FromacommandpromptwindowonyourPC,runthefollowingcommandtounlockyourNexusS:fastbootoemunlock
4.Yourdevicewillpromptyoutoverifythatyouwanttounlock.Rememberthatunlockingnotonlyerasesyourdevice,italsovoidsyourwarranty.5.Pressthevolumeupbuttonandthenthepowerbuttontoverifytheunlock.
Thedevicewillwipeandreboot.Whenthephonereboots,itwillbeunlockedandcanbeflashedwiththeFastbootcommand.
FlashingtheDevicewithaRecoveryNextyouwillusetheFastbootcommandtoflashthedevicewiththeClockworkModrecovery.MakesurethatyoudownloadtherecoveryappropriatefortheNexusS.ThereferencethreadontheXDAforumwillhavealinktothelatestversion.
1.PuttheNexusSinFastbootmode.2.WiththedeviceconnectedtoyourPC,enterthefollowingcommandfromthefoldertowhichyoudownloadedClockworkMod:fastbootflashrecoveryrecovery-clockwork-crespo.img
Note:Thenameoftheimagefilemayincludeaversionnumberthatwillchangewiththeversionoftherecovery.
Afterthesuccessfulflash,youcanrebootintorecoverybypoweringtheNexusonwhileholdingthevolumeupandpowerbutton.WhenthewhiteHBOOTscreencomesup,selecttherecoveryoption.
FlashingtheDevicewiththeSuperUserapplication1.UsetheClockworkModmountUSBoption(seeChapter4)tomounttheSDcardasmassstorage.
2.CopySuperUser.ziptotherootoftheSDcard.
3.Usethe“InstallZip”optiontoselecttheSuperUserapplicationandflashittoyourNexusS.
Atthispoint,yourNexusSisunlockedandrooted.However,itwillreplacetherecoveryonrebootthankstothefilesystemprotectionsystem:codeinthebootprocesswilldetectthattherecoveryhasbeenalteredandrewritethedefaultrecoverytotherecoverypartition.Tochangethisbehavior,followthesesteps:
1.Downloadarootpermissionsfileexplorer,suchastheRootFileExplorer,thatcanmountthefilesystemforreadingandwriting.2.Mountthefilesystemaswritable(inRootFileExplorer,clickthegray“Mountr/w”button).
3.Navigatetothe/etcfolder.
4.Renametherecovery-install.shfiletorecovery-install.old.
5.OpenGooglePlay,downloadRomManagerandinstallit.6.Usethe“InstallClockworkRecovery”optiontoreinstallClockworkModrecovery.
Atthispoint,ClockworkModshouldbepermanentandyouarerootedandreadytoinstallcustomROMsorothercustomizations.
Chapter12:MotorolaXoom:AnUnlockedHoneycombTablet
Inthischapter:•InformationabouttheMotorolaXoom•RootingtheMotorolaXoom
TheXoomisanunlockedtabletthatwasreleasedwiththeHoneycomb(Android3.0)operatingsystem.ItwasoneofthefirsttabletsreleasedwiththisversionofAndroid.
TheXoomisconsideredadevelopers’device.AswithitsGoogleExperienceDevicestablemates,itiseasilyunlockedusingtheFastbootcommands.RootingandflashingcustomROMsiseasy.However,theHoneycombsourcecodewasreleasedlatebyGoogle,atthesametimeasthesourceforIceCreamSandwich(Android4.0).BothHoneycombandIceCreamSandwichhavenearlyidenticaldriverrequirements,somostdevelopersdidnotseethepointinbuildingcustomROMsforaninferiorOSversion.ThismeansthattherearefewercustomROMsforitthanthereareforotherversionsofAndroidforwhichdevelopershaveaccesstothesourcecoderepositories.
ResourcesRequiredforthisWalkthroughTocarryouttheprocedure,youneedthefollowingsetup:
•TheXoomneedstobeinDebugmode.•ADBmustbeinstalledandfunctioning.
•AnexternalSDcardmustbeinstalledontheXoom.•YoumustdownloadthefollowingfilesfromtheXDAforumathttp://forum.xda-developers.com/showthread.php?p=17135571:
•therootzipfile•theimagerecoveryfile.
WalkthroughThebasicstepsofrootingtheXoomareasfollows:
1.PlacetherootzipfileontheSDcard.2.UnlocktheXoom.
3.FlashtherecoverytotheXoom.4.Usetherecoverytoflashauniversalroot.
PushingtheRootFiletotheSDCardYouneedtodownloadtheuniversalrootfilefromthelinkathttp://forum.xda-developers.com/showthread.php?p=17135571
andplaceitontheSDcard.YoumayneedtouseanadaptertoconnecttheSDcardasanexternalstoragemedium.Onceyouhavecopiedxoom-universal-root.ziptotheSDcard,youcanplacetheSDcardinyourXoom.
UnlockingtheXoomIfyouhavenotdonesopreviously,youneedtounlocktheXoombootloader.TheprocessisfairlysimplebutrequirescarefulreadingoftheXoomscreenduringtheprocess.FollowthesestepstounlocktheXoombootloader.
Unlockingyourdevicewillcompletelyerasethedataonit(includingdataontheSDcard).TheinternalmemorydesignandthewaythedeviceunlockscompletelyresetstheXoomtofactorycondition.Youwilllosealldata.
1.ConnecttheXoomtoyourPCwiththeUSBcableandverifythattheXoomisinDebugmode.2.OpenacommandpromptwindowonyourPCandenterthefollowingcommandtoboottheXoomintoFastbootmode:adbrebootbootloader
IfthisstepdoesnotworkmakesurethatADBissetupcorrectly(refertoAppendixA).YoucanalsogettheXoomintoFastbootmodebypoweringitoffandpressingthepowerandvolumeupbuttonsuntilFastbootmodeappears.
InFastbootmode,theXoomcanaccepttheFastbootcommandsthatyouwillusetoflashthecustomrecovery.Thisisthemodeyouwouldusetorecoverasoftbrickofanykind.IfyoucangetthedevicetoboottoFastbootmode,youcangenerallyflashsomesortofusableROMorrecoveryandgetyourselfoutofsoftbricksandbootloops.TheXoomisfairlybulletproofinthisregard.
WiththeXoominFastbootmode,youcanunlockthebootloaderbyfollowingthesesteps:
1.Inacommandpromptwindow,enterthefollowingcommand:fastbootoemunlock
2.ReadtheXoomscreencarefully.Thereisawarningthatyouarevoidingyourwarrantyandthatyouwilllosealldata.Paycloseattentiontothestepsnecessarytoverifytheunlock.Youwillusethevolumeupanddownbuttonstoverifyorbackoutoftheprocess.
Afterunlocking,theXoomwillrebootandfunctionasusual.Thereisnodifferenceinthedeviceatthispointexceptthatthebootloaderisunlocked.
FlashingtheDevicewithaRecoveryThenextstepistoflashthecustomversionoftheClockworkModrecovery.ThiscustomversiontakesintoaccounttheXoom’speculiaruseofinternalmemoryasanSDcard.Inessence,itcompletelyskipstheneedforanSDcard.Youshouldhavedownloadedafilenamedsolarnz-<versionnumber>.img.
YoucannotflashazipfilefromFastbootmode—youcanonlyflashimagefiles.YouusezipfileswithClockworkModorsomeothercustomrecovery.
1.PuttheXoombackintoFastbootmode:adbrebootbootloader.
2.Enterthefollowingcommand:fastbootflashrecoverysolarnz-######.###.img
Itisimportantthatthefilenameyouenterisexactlythenameofthefileyoudownloaded.Itisalsoextremelyimportantthatyouusethe“recovery”keywordwiththeFastbootflashcommandtoensurethatyouflashthecorrectpartition.
TheXoomwillreportthatitisflashingthefileandthenindicatewhentheprocessiscomplete.Atthispoint,yourXoomhastheClockworkModrecoveryinstalledandcanbebootedintotherecoveryforcustomizations,suchasflashingcustomkernels,themes,orstartupanimationsandfullcustomROMs.
DonotrebootyourXoomuntilyouhaveflasheditwithauniversalrootoryouwillhavetoreflashtheClockworkModfiletotherecoverypartition.Ifyoudonotdothis,systemrecovery-from-boot.pwillrevertyourrecoverypartitiontothedefaultrecoveryuponyournextreboot.
FlashingtheDevicewithaUniversalRootToachieverootedfullaccesstotheexistingfilesystem,youneedtoflashtheuniversalrootpackagethatyoudownloaded.Thispackagecontainsthefilesfortherootedfilesystemandthesuperuserbinariesforaccessingsystem-
levelpermissionsandfiles.
Thisstagehasabitoftrickytiming.Ifyoumissthetiming,youwillneedtoreflashtheClockworkModrecovery.Therecoverysystemhasabuilt-inauto-restorefeature.TheoverviewisthatyouusetheFastbootcommandtoreboottheXoom;whenyouseetheMotorolalogo,youpressvolumedownandthenvolumeuptobumpthesystemintothenewrecovery.
Followthesestepstoflashtheuniversalrootfile:
1.Ifyouhavenotyetdoneso,copytheuniversalrootzipfiletotherootofyourSDcard(nottoafolder)andinsertthecardintotheXoom.
YourXoomshouldshowthesuccessfulmessagefromflashingtheClockworkModrecoveryfile.
2.EnterthefollowingcommandintothecommandpromptwindowtoreboottheXoom:adbreboot
3.WhenyouseetheMotorolalogo,counttothreeandpressthevolumedownbutton.Youshouldsee“AndroidRecovery”appearonthescreen.4.PressthevolumeupbuttontobootintothenewlyinstalledClockworkModrecovery.
Ifyoumisstheopportunitytobootintotherecovery,youmayhavetogobackandreflashtheClockworkModrecoverytotherecoverypartitionbecausesystemrecovery-from-boot.pwillreverttothedefaultrecovery.
5.Usethevolumebuttonstoselectthe“InstallZipfromsdcard”optionandpressthepowerbutton.6.Selectthe“ChooseZip”option.
7.NavigatewiththevolumeupanddownbuttonstotheuniversalrootzipfileyouplacedontheSDcardandselectitwiththepowerbutton.8.Confirmtheinstallation.Whentheinstallationhasfinished,navigatebacktothemainClockworkModmenuandreboottheXoom.
YourXoomisnowunlockedandrooted.Youcanusethevolumeupkeyor
thecommandadbrebootrecoverytobootintorecoveryandboottheROMsandcustomizationsyouwant.CheckouttheXDAXoomforumforthelatestandgreatestfromthehard-workingdevelopersofROMs,kernels,andcustomizations.
RefertoChapter4forspecificinstructionsonusingClockworkModrecovery.
Chapter13:NookColor:RootingwithaBootableSDCard
Inthischapter:•InformationabouttheNookColor•RootingtheNookColor
TheNookColor,releasedbyBarnesandNoble,wasoriginallyintendedtobeaneReaderbasedonAndroid.InthehandsofAndroidhackers,itquicklybecameoneofthebest-valuetabletsthatcouldbepurchased.OncerootedandwithacustomROM,itwastransformedintoausableandfullyfunctionalAndroidtablet.
Becauseofthenatureofthedevicestartuproutine(itdoesnotsupporttheFastbootprotocol),aslightlydifferentmethodisneededtorootandROMtheNookColorcomparedtootherAndroidtablets.YouuseanSDcardthathasbeenmadebootablebyflashinganimagefiletoit.WhentheSDcardisinsertedintotheNookColor,ittakesprecedenceovertheNookColornativebootroutineandthefilesontheSDcardarebooted.Thisallowsyoutodofunstuff,suchaswritinganativecustomrecoverytotheEMMCmemoryandrootthedevice.
ThismethodcanalsobeusedforotherminorbrandorunbrandedvarietiesofAndroidtablets(usuallytheyhavenoGooglelicenseorGooglePlaysupport).Thedetailschangebutthecoreskillsarethesame.Besuretoreaduponyourdevicebeforestartingthisoranyrootingprocess.
ResourcesRequiredforthisWalkthroughTocarryouttheprocedure,youneedthefollowingsetup:
•aregisteredNookColor,version1.1•anSDcardthatyoucancompletelywipe
•adedicatedSDcardwriter(mostbuilt-inSDcardwriterswillnotwork—getonethatplugsintoyourUSBport)•aGmailaccountthatyouhavelinkedtoYouTube
•theAuto-Nooterimagefilefromhttp://forum.xda-developers.com/showthread.php?t=942424
•theWin32DiskImageimagewriterfromhttps://launchpad.net/win32-image-writer/+download.
TheAuto-NooterisaconvenientlittlepieceofsoftwarethatwasbuiltbydevelopersatNookdevs.com.TheAuto-NooterdoesmostofthehardworkwhentheNookColorbootsfromit.AfteryouhavebootedtheNookColorfromtheAuto-NooterSDcard,theSDcardcanbereformattedandremovedorusedasaddedstorage.
WalkthroughThehigh-levelstepsoftheprocessare:
1.Burn(write)thecustombootableimagetotheSDcardusingyourPC.2.BoottheNookColordeviceusingtheSDcard.
3.Allowtheauto-rootroutinetocomplete.
ThiswalkthroughisfortheNookColorversion1.1.Ifyouhaveadifferentversion,readupattheXDAforumtofindthedifferences.Theprimarydifferencesareinthefilesused—thestepsarevirtuallythesame.
CreatingaBootableSDCardRememberthatthisprocesscanalsobeusedforotherversionsoftheNookColorandminorbrandorunbrandedAndroidtablets.
1.RuntheWin32DiskImagewriterprogramthatyoudownloaded.2.ClickthefolderbuttontonavigatetotheAuto-Nooterimagefile.
3.Double-clicktheimagefile.4.Clickonthedrop-downwithdriveletters.SelectthedriveletterthatcorrespondstoyourSDcard.
Youcandouble-checkthedriveletterofyourSDcardbyopeningWindowsExplorerandlookingfortheSDcarddriveletterthere.
Makesurethatyouselectthecorrectdriveletter.Youdon’twanttooverwriteadatapartitionoranotherexternalstoragedevice.Thisprocessirrevocablydeletesallcontentontheselecteddrive.
5.Clickthe“Write”buttonandlettheimagebewrittentotheSDcard.6.Whenthewritingprocessiscomplete,verifythecontentsoftheSDcardbyusingWindowsExplorertoopenit.Youshouldseethefollowingitems:MLO
u-boot.bin
uImage
uRamdisk
BootingtheDevicefromtheSDCardThesestepsguideyouthroughbootingtheAuto-NooterontheNookColorandwrappinguptherootandbootprocess.
1.TurnoffyourNookColorcompletely.2.PlacetheSDcardtowhichyouhavejustwrittentheAuto-NooterintotheNookColor.3.PlugtheUSBcablefromyourcomputerintotheNookColor.ThiswillcausetheNookColortoturnonandbootfromtheSDcard.
ThescreenwillbeoffduringtheAuto-Nooterbooting.Youwillnotseeanythingonthescreen.Bepatient.IfyouareusingtheNookColorcable,the
LEDwillblinkbutthisisirrelevanttotheprocess.
4.Yourcomputerwillindicatethatanewdevicehasbeenpluggedin.CancelanyrequestfordriversfromyourPC.
Whentheprocessisdone,youwillseeanewbootanimation.PulltheSDcardoutoftheNookColortoensureitdoesnotbootfromtheSDcardagain.
MakingtheDeviceMoreUsableAtthispoint,thehardworkhasbeendone—yourNookColorisrooted.However,tomakeitmoreusableyouneedtoenable:
•Googleaccountintegration,soyouhaveGooglePlayaccess•Softkeys,soyouhaveaccesstotheAndroidBack,Home,MenuandSearchkeys.
TheprocessofsettingupandenablingGoogleaccountintegrationusesaclever“backdoor”.Itusesthesign-inintegrationbetweenYouTubeandGoogle.
1.Onboot,taptheAndroid.
2.Tapthe“SkipSignin”button.3.Enablethelocationservicesoption.
4.ConnecttoaknowngoodWi-Ficonnection.5.LaunchtheYouTubeapplicationfromthe“Extras”menubutton.6.TaptheMenubuttontotherightoftheuparrow.
7.Tap“MyChannel”andloginwithyourGoogleaccount.8.ExitYouTubeandlaunchGmailfromthesame“Extras”menu.
9.SynchronizeyourGmailaccountandexit.Thiscouldtakeafewminutes,sobepatient.10.OpenupGooglePlayandacceptthetermsofservice.11.Downloadanapplicationtoverifythatitworks.
Ifthedownloadstallswithoutinstallingtheapplication,reboottheNookandtryagain.
YouneedtosettheSoftkeyssothatyouhaveaccesstotheHome,Back,MenuandSearchkeysnativetoAndroid.
YouneedtosettheSoftkeysprogramasyourdefaultlauncher,tocauseittoloadautomatically.SelecttheSoftkeysapplicationfromyourapplications
drawerandselectthecheckboxthatsetsthesoftkeyactionstoberememberedasthedefaults.Next,settheHomesoftkeytocallyourreallauncherprogrambypressingtheMenubuttonandselectingyourlauncherapplications.
AppendixA:SettingUpAndroidSDKandADBTools
Inthisappendix:•InstallingtheJavaDevelopmentKit•InstallingtheAndroidSDK•Installingtheplatformtools
•SettingupenvironmentvariablesforWindowscomputers
ThisappendixhelpsyoutosetuptheAndroiddevelopertoolsyouusetorootandhackyourphone.
InstallingtheJavaDevelopmentKitThefirststeptogettingaccesstotheAndroiddevelopertoolsistodownloadtheJavaDevelopmentKit(JDK).AlthoughyoudonotusethetoolsprovidedbytheJDK,itmustbeinstalledforyoutobeabletoinstalltheAndroidSDK.
1.Navigateyourbrowsertowww.oracle.com/technetwork/java/javase/downloads/(seeFigureA-1).AnycurrentversionwillworkwithAndroidSDK.
FigureA-1:DownloadingtheJDK
2.ClicktheJavaPlatform(JDK)button.3.Clicktoacceptthelicensingagreementsandthenselectthecorrectinstallerforyourcomputer.MostWindowsuserswillclickonWindowsx86.Ifyouhave64-bitWindows,clickthex64link.
4.Downloadtheinstallertoalocationyoucaneasilyfindonyour
computer.5.Runtheinstallerexecutable.
6.ClickthroughtheJDKinstallationwizardacceptingallthedefaults.
InstallingtheAndroidSDKNowyoucandownloadandruntheinstallerfortheAndroidSDK.
1.Navigateyourbrowsertohttp://developer.android.com/sdk/.
2.Downloadtheappropriatepackageforyouroperatingsystem(Windowsusersshoulddownloadtheinstallerexecutable).
3.Runthedownloadedpackage.4.Clickthroughtheinstaller.
TakespecialnoteofwheretheAndroidSDKisinstalled.Youcanchangethepathbutitisbettertoacceptthedefaultpath.For64-bitsystems,thedefaultpathshouldbesomethinglikeC:\ProgramFiles(x86)\android\android-sdk-windows\.For32-bitsystems,theonlydifferencewillbetheabsenceof“(x86)”fromthepath.
Whenthewizardcompletes,itwillhaveacheckmarktostarttheSDKmanager.YouusetheSDKmanagertodownloadtherequiredplatformtools(i.e.ADBandothers).YoucanalsolaunchtheSDKmanagerfromtheoperatingsystem,asshowninFigureA-2.
FigureA-2:StartingtheSDKmanagermanuallyinWindows
InstallingthePlatformToolsWhentheSDKManagerstarts,itfindsoutfromGooglewhatpackagesareavailablefordownloadandthenpresentsyouwithaninterfacetoselectthepackagesyouwishtoinstall.
1.ClickontheAndroidPlatformToolsentryintheleft-mostcolumn.2.ClicktheAcceptradiobuttonbelowthedescriptionintheright-mostcolumn.
3.AccepttheGoogleUSBDriverPackagebyclickingtheOKbutton.4.Optionally,rejecttheotherpackages.Thissavessomedownloadtime.
5.ClicktheInstallbuttonatthebottomoftheSDKManager.TheselectedSDKpackageswilldownloadandinstall.Whenthedownloadandinstallationprocessiscomplete,youcanclosethearchivedownloaderandtheSDKManager.
Atthispoint,theSDKplatformtools(suchasADB,DDMSandothers)shouldbeinstalledonyourcomputer.Toverifythis,followthesesteps:
1.Openacommandpromptwindow.(OnWindows,presstheWindowskey+R.Arunboxwillpopup.TypecmdandpressEnter.)
2.Inthecommandpromptwindow,youshouldseeapathsuchasC:\Users\<username>followedbyaflashingcursor.Thecursorindicateswhereyourtypedtextwillshowup.Thepathisthefoldercontextinwhichyouareissuingcommands.Inotherwords,everycommandtypedatthispromptwillattempttorunandaffectthefolderatC:\Users\<username>.
3.Clickinthecommandpromptwindow,typecd\,andpressEnter.
TheDOScommandcdstandsfor“changedirectory”.Thebackslashisshorthandfor“therootofthisdisk”.Sothecommandcd\means“changethefoldertotheroot(orhighestlevel)inthisdisk.”Youcanaccessanylocationfromanyfolderusingthetargetfolder’sfullpath.ItisimportanttolearntheseconceptsbecausetheyaresharedwiththeAndroidoperatingsystemcommandprompt.Youwillusethesecommandsfrequently.
4.Typecd“\ProgramFiles(x86)\Android\android-sdk-windows\”andpressEnter.ThisisthepathyounotedwhentheSDKManagerwasinstallingtheSDK.Makesureyouincludethequotationmarks.Wheneverthereisaspaceinyourcommand,youneedtoencloseitinquotationmarks.Ifyouareusinga32-bitoperatingsystem,youwillnothavethe(x86)partofthepath.
5.Nowthatyouareinthecontextoftheandroid-sdk-windowsfolder,youcantesttoseeifthefilesandfoldersforthedevelopertoolsarefunctioning.TypedirandpressEnter.Thelistingoffoldersandfilesshouldincludeafoldercalledplatform-tools.ThisisthefolderinwhichtheADB.execommandlives.
ThedircommandgivesalistingofthefilesandfoldersinthecurrentfoldercontextintheWindowscommandwindow.AttheAndroidcommandline(andinLinux),youusethelscommand.
6.Typecdplatform-toolsandpressEntertochangeyourcontexttotheplatform-toolsfolder.
7.TypeadbandpressEnter.YoushouldseetheADBcommandhelpscreenscrollpast(seeFigureA-3).
FigureA-3:TheADBhelpscreen,whichappearswhenyourunADBwithno
switchesorparameters
SettingUpWindowsEnvironmentVariablesNowthatyouknowthatADBisinstalled,youneedtoplaceaPATHentryinyoursystemvariables.ThiswillenableyoutousetheADBcommandregardlessofthecurrentfoldercontextofyourcommandprompt.Forexample,youwanttobeabletorunthefollowingcommandfromthefoldertowhichyouhavedownloadedacustomTCP/IPmoduleforyourAndroiddevice:
adbpushtcpip.ko\system\etc
Ifyoudonotdothis,youwillalwaysneedtobeinthec:\ProgramFiles(x86)\Android\android-sdk-windows\platform-tools\foldertorunADB.
TomaketheADBcommanduniversallyaccessible(inWindowsVistaandWindows7),followthesesteps:
1.ClicktheWindowsStartbutton.2.Right-clickComputerandselectProperties.
3.ClickAdvancedSystemSettingsintheleftcolumntoopentheSystemPropertiesdialogbox.4.ClicktheEnvironmentVariablesbutton.
5.IntheSystemVariablesbox,scrolldownuntilyouseeanentrylabeledPATH.6.Double-clickthePATHentrytoopentheEditvariablewindow.7.ClickintheVariableValuefieldandplaceyourcursorattheveryendofthestringoftext.
8.Typeasemi-colon(;).9.TypeinthefullpathtoyourADBcommandfolder:C:\ProgramFiles(x86)\Android\android-sdk-windows\platform-tools.
10.ClickonOKtocloseeachoftheopendialogboxesandclosetheSystemPropertiesbox.
YoushouldnowbeabletoaccessADBfromacommandlineprompt,nomatterwhichfoldercontextyourcommandlineisin.Thiscanbeveryusefulifyouareintheprocessoftransferringexploitfilesfromthefolderintowhichyoudownloadedorextractedthem.