Android
SDK
Installation
MacOS
Download the Stand-alone SDK Tools from Google and extract it. The "Android SDK Platform-tools" are usually not included, so we have to install them:
$ unzip android-sdk_r24.3.4-macosx.zip && cd android-sdk-macosx # For MacOS X $ tools/android list sdk --all | grep Platform-tools 2- Android SDK Platform-tools, revision 23 $ tools/android update sdk --no-ui --all --filter 2
Now we should find:
- platform-tools/adb - Android Debug Bridge
- platform-tools/fastboot - Fastboot binary, used for ROM flashing
- tools/android - Android SDK Manager (GUI)
Debian
In Debian/Jessie, the needed packages were:
sudo apt-get install android-tools-fastboot android-tools-adb
With Debian/Stretch, these packages were replaced by:
sudo apt-get install adb fastboot android-sdk-platform-tools-common
Developer Mode
To enable "USB Debugging", go to "Settings" → "Developer Options". If there is no "Developer Options", go to "About phone" and tap on "Build number" 7 times. Go back and there it is :-)
ADB
List devices:
$ adb devices List of devices attached 123ab456abcd78xz device
Open a shell on the device:
adb shell
$ adb shell service call iphonesubinfo 1 s16 com.android.shell | cut -c 52-66 | tr -d '.[:space:]'"
On earlier Android versions[2] this could be done via:
$ adb shell dumpsys iphonesubinfo Phone Subscriber Info: Phone Type = GSM Device ID = 123456789012345
As dumpsys iphonesubinfo is no longer working with Android 5[3], we can also use the following to find out the IMEI:
$ adb shell service call iphonesubinfo 1 Result: Parcel( 0x00000000: 00100001 00100001 00100001 00100001 '........1.5.5.5.' 0x00000010: 00100001 00100001 00100001 00100001 '8.7.6.5.4.3.2.1.' 0x00000020: 00100001 00100001 '0.1.2... ')
$ adb shell service call iphonesubinfo 7 #Note: this needs ROOT permissions on the device![4] Result: Parcel( 0x00000000: 00100001 00100001 00100001 00100001 '........1.2.3.4.' 0x00000010: 00100001 00100001 00100001 00100001 '5.6.7.8.9.0.1.2.' 0x00000020: 00100001 00100001 '3.4.5... ')
And the ICCID too:
$ adb shell service call iphonesubinfo 10 Result: Parcel( 0x00000000: 00100001 00100001 00100001 00100001 '........1.2.3.4.' 0x00000010: 00100001 00100001 00100001 00100001 '5.6.7.8.9.0.1.2.' 0x00000020: 00100001 00100001 00100001 00100001 '3.4.5.6.7.8 ')
List device properties:
$ getprop | grep -E 'ro.build.(id|product|version.release)|display.version|version.baseband' [gsm.version.baseband]: [M9615A-CEFWMAZM-2.0.1701.06] [ro.build.id]: [KVT49L] [ro.build.product]: [mako] [ro.build.version.release]: [4.4.2] [ro.cm.display.version]: [11-20140504-SNAPSHOT-M6-mako]
Note: the exact kernel version can be obtained via /proc/version as uname may not exist.
Network Debugging
If USB isn't working, we could also use adb over the network:
- In Developer options, select Android debugging and ADB over network
- Connect via adb:
$ adb connect 10.0.0.3 # The IP address of the phone in the local network connected to 10.0.0.3:5555 $ adb devices List of devices attached 10.0.0.3:5555 device
Sometimes port '5555' may not be the correct port and we need to find out the correct one. Since recent Android versions no longer ship with a local terminal installed,[5] we have to install another terminal application, for example ConnectBot. But a local session here is still unable to find out:
$ netstat -ntl Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State netstat: '/proc/net/tcp': Permission denied netstat: '/proc/net/tcp6': Permission denied
So, we have to use nmap
to help with that:
$ nmap --open -p1-60000 10.0.0.3 Host is up (0.012s latency). Not shown: 59999 closed tcp ports (reset) PORT STATE SERVICE 40868/tcp open unknown MAC Address: C0:EE:FB:33:11:22 (OnePlus Tech (Shenzhen)) Nmap done: 1 IP address (1 host up) scanned in 8.64 seconds
And indeed this worked:
$ adb connect 10.0.0.3:40868 * daemon not running; starting now at tcp:5037 * daemon started successfully connected to 10.0.0.3:40868
And our adb
shell can now even show the listening port:
$ adb shell % netstat -ntl | grep LISTEN tcp6 0 0 :::40868 :::* LISTEN
Data transfer
If adb push
resp. pull
is not enough, we can also use netcat[6] to transfer data to/from the Android device.
Setup forwarding ports on the host system:
$ adb forward tcp:8888 tcp:1234
To push data to the Android device:
mako:/sdcard $ nc -lp 1234 > foo.tar.xz
And on the host system:
$ pv < foo.tar.xz | nc localhost 8888
The other way around, to pull data from the Android device:
mako:/sdcard $ tar -cf - Android/ DCIM/ | nc -l -p 1234
And on the host system:
$ nc -4 localhost 8888 | tar -xvf -
Sideload
The easiest way to install new ROMs is to use adb sideload, available in TWRP. First, we boot into the recovery image:
adb reboot recovery
In TWRP Recovery:
- Select Advanced
- Select ADB Sideload
- Select Wipe Dalvik Cache and Wipe Cache (both optional)
- Swipe to Start Sideload
At this point, the phone is waiting for an image to be uploaded to the device:
adb push update.zip.md5 /sdcard/sideload.zip.md5 # TWRP expects a sideload.zip.md5 for checksum verification adb sideload update.zip
After the image has been transferred, the phone should recognize it and continue with the update.
Fastboot
Fastboot can be used if the phone is booted into its bootloader, either via "adb reboot-bootloader" or via "Vol-" & Power-On.
$ fastboot devices 123ab456abcd78xz fastboot
Sometimes this happens:
$ fastboot devices no permissions fastboot
Try running fastboot as root [7] or create an udev rule[8] with the correct idVendor[9] attribute:
$ lsusb | grep HTC Bus 001 Device 029: ID 0bb4:0c23 HTC (High Tech Computer Corp.) Sensation $ cat /etc/udev/rules.d/51-android.rules SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0660", GROUP="plugdev"
Adjust the group name accordingly[10], or create the group if necessary:
$ sudo groupadd plugdev $ usermod -a -G plugdev bobby
Now we should be able to run fastboot as "bobby" again (as soon as her group membership is applied, i.e. after a new login).
Device Encryption
This article[11] explains this topic in-depth, the short version is:
- Android is using Linux's dm-crypt to encrypt the internal storage.
- The storage encryption[12] password or PIN must be used during bootup - but since it is also used as the unlock password whenever the device goes to sleep, it must be entered many times, thus calling for a very short password.[13]
- Android's vold can be instrumented to change the storage encryption password, but not the screen lock. After encrypting the storage (this will take quite some time), reboot and see if this is working. If so, open an connect to the device and change the encryption password:
$ adb shell shell@mako:/ $ su -c vdc cryptfs changepw s3cr3t 200 0 0
Note: when the screen lock password is changed afterwards, the storage encryption password will be changed too!
→ See also Nexus 4#Update on how to update an encrypted device.
KitKat
The first KitKat Release[14] (Android 4.4) was not able to handle encrypted volumes[15], so we need to make sure to at least install KRT16S before upgrading to KitKat:
$ adb shell
shell@mako:/ $ su -
root@mako:/ # find / -name "*KRT*"
/cache/c7d8660af65b878835d5248252f51dcbf53c2001.signed-two-step.signed-occam-KRT16S-from-JWR66Y.d1b99704.zip
Backup
rsync
While there are plenty of backup solutions to choose from, let's see if we can backup[16] the whole device at once.
- We will need an SSH server
- We will also need an rsync binary, compiled for Android/armv7l (or whatever your architecture is)
Login to the device, create an exclude list:
~ # cat /data/data/berserker.android.apps.sshdroid/home/exclude.txt /data/d /data/DxDrm /data/htcfs /data/inc_data_path /dev /proc /sys mgmtsocket qmux_connect_socket wpa_ctrl_*
Rsync away, but 1) ignore permissions 2) reduce accuracy on timestamps and 3) set certain permissions on the target objects, otherwise we might get plenty of errors:
~ # cd /data/data/berserker.android.apps.sshdroid/home ~ # /data/data/eu.kowalczuk.rsync4android/files/rsync -rltgoPz \ --exclude-from=exclude.txt \ --delete \ --modify-window=2 --chmod=Du+rwx,go+rx,Fu+rw,go+r \ / bob@backup-server:/mnt/phone/ 2>&1 | tee r.log
Sometimes we need to calculate a checksum for all the files in our storage, but exclude that Android directory:
find /sdcard/ -xdev -path "/sdcard/Android" -prune -o -type f -exec md5sum '{}' +
ADB
adb can also be used to take/restore backups:[17]
adb backup -f backup.ab -apk -obb -shared -all -system
- -f - file name where the backup is being stored
- -all - backup all installed applications (but without the APKs)
- -apk - backup the .apks themselves
- -obb - backup any installed apk expansion files associated with each application
- -shared - backup the device's shared storage / SD card contents
- -system - backup system applications
Restore the backup with:
adb restore backup.ab
NANDroid
To create a so called NANDroid backup[18], the installed recovery mode has to be used. So, if TWRP is installed, use that[19], if ClockworkMod is installed, it has its own backup function.[19]
Recovery Mode
No command
With stock Android, the recovery mode[20] may display the infamous "no command" screen:
The message is correct, since we did not issue a command for recovery. While in this mode, press & hold the Power and Volume-up buttons - then let go of the Volume-up button (keep pressing Power). A new menu should apear - choose the correct option with the Volume-up and Volume-down keys, then let go of the Power button to select that choice.
Root
TWRP
TWRP[21] is an alternative custom recovery, which does support encrypted devices.[22]
- Download & extract the Android SDK. The adb and fastboot utilities will be needed here.
- Download the recovery image[23] and verify its checksum.
- For some reason, we needed the SuperSU package[24] instead of the SuperSU-Busybox-Installer. Once the SuperSU-Busybox-Installer package was installed, applications could not gain root access. Let's try with SuperSU this time. Download the latest SuperSU image[25] and verify its checksum.
- Enable USB Debugging on the phone.
- Now adb should be able to connect to the phone:
$ adb devices List of devices attached 012ab345abcd12ef device
When this is working, we can continue. Upload the SuperSU package to the phone's SDcard:
$ adb push UPDATE-SuperSU-v1.89.zip /mnt/sdcard/ 2632 KB/s (1210442 bytes in 0.449s)
$ adb shell shell@mako:/ $ ls -l /mnt/sdcard/UPDATE-SuperSU-v1.89.zip -rw-rw-r-- root sdcard_rw 1210442 2013-09-07 16:20 UPDATE-SuperSU-v1.89.zip shell@mako:/ $ md5 /mnt/sdcard/UPDATE-SuperSU-v1.89.zip 9cfdf7032ef3f45abaa83f03fa7995a1 /mnt/sdcard/UPDATE-SuperSU-v1.89.zip
Now that these packages are on the phone, reboot into the bootloader:
adb reboot bootloader
Now that we are in the bootloader, unlock the phone, if not done already. Note: this will erase all userdata!
fastboot flashing unlock # Use "oem unlock" on older devices
That should be all to unlock the phone[26]. Still in the bootloader, we will flash the recovery partition with our TWRP image:
$ fastboot flash recovery openrecovery-twrp-2.6.3.3-mako.img sending 'recovery' (7814 KB)... OKAY [ 0.265s] writing 'recovery'... OKAY [ 0.481s] finished. total time: 0.746s
As the phone is still in the bootloader, we can now boot into the RECOVERY mode (Toggle Vol-/Vol+ and press POWER to select). Now, in the TWRP recovery mode:
- Create a backup (in the SDcard)
- Flash partition with the downloaded SuperSU package
- Wipe the cache partition and the Dalvik cache (both optional)
- Reboot the phone via "Reboot system"
The system should come up just fine and is now hopefully rooted.
ClockworkMod
Note: CWM does not support encrypted devices![27][28]
- Download & extract the Android SDK. The adb and fastboot utilities will be needed here.
- Download the correct Recovery Image and verify its checksum.
→ Now continue the same way as for TWRP
Un-Root
To un-root, one can flash the phone with a stock image (and possibly a stock recovery too)[29] and then lock the bootloader again. The latter does not wipe the phone (but unlocking does):[30]
fastboot oem lock
Note: this may or may not will reset the phone!
Screen Casting
Sometimes it's nice to have the device's screen mirrored to a desktop computer. scrcpy can do this, and even wireless mirroring is possible.[31].
Enable wireless ADB on the device and connect:
adb tcpip 5555
On the desktop and for ease of use, we can download the prebuilt server:
mkdir ~/opt/scrcpy
wget https://github.com/Genymobile/scrcpy/releases/download/v1.10/scrcpy-server-v1.10.jar -O ~/opt/scrcpy/scrcpy-server.jar
SERVERJAR=$HOME/opt/scrcpy/scrcpy-server.jar
Build the scrcpy
client, in short:
sudo apt install ffmpeg libsdl2-2.0-0 gcc git pkg-config meson ninja-build \ libavcodec-dev libavformat-dev libavutil-dev libsdl2-dev openjdk-8-jdk sudo dnf install SDL2-devel ffms2-devel meson gcc make java-devel
git clone https://github.com/Genymobile/scrcpy.git scrcpy-git cd scrcpy-git meson x --buildtype release --strip -Db_lto=true -Dprebuilt_server=${SERVERJAR} cd x && ninja sudo install -o root -g root -m 0555 x/app/scrcpy /usr/local/bin/scrcpy.exe
Connect via ADB and run with:
adb connect android:5555
SCRCPY_SERVER_PATH=${SERVERJAR} app/scrcpy
Tethering
Some providers[32] disallow WiFi tethering, so we'll try to get around those restrictions.
T-Mobile
For Android 4.4 and T-Mobile[33], we need to edit /data/data/com.android.providers.settings/databases/settings.db.
Backup settings.db:
$ adb root # We need root access on the device! restarting adbd as root $ adb pull /data/data/com.android.providers.settings/databases/settings.db 1819 KB/s (86016 bytes in 0.046s) $ cp settings.db{,.bak}
Disable tether_dun_required:
$ sqlite3 settings.db "select * from global where name='tether_dun_required';" 44|tether_dun_required|1 $ sqlite3 settings.db "update global set value='0' where name='tether_dun_required';" $ sqlite3 settings.db "select * from global where name='tether_dun_required';" 44|tether_dun_required|0
Upload the modified settings.db to the phone again:
$ adb push settings.db /data/data/com.android.providers.settings/databases/settings.db 1819 KB/s (86016 bytes in 0.046s)
On the phone again, open "Wireless Networks" → "Mobile Networks" → APNs. Make sure the T-Mobile US LTE profile is selected, with fast.t-mobile.com as the APN set. The IPv6 profile may not work for tethering.
Reboot the phone, tethering should be working now.
One may have to update the useragent string in the webbrowser to something that looks mobile, to mitigate DPI techniques:
Mozilla/5.0 (Linux; Android 4.4.2; Nexus 7 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.138 Safari/537.36
Links
- Apps
- IPv6 trouble
- Factory Images for Nexus and Pixel Devices
- Use Google Calendar in different time zones
- Android Enterprise Recommended
- Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010
- Android Open Source Project Changelogs
- Lineage OS Changelog
- Android Security Updates
- Open GApps
RFE: Android Security Patch Level is too old- When you'll get Android software updates
- scrcpy: Display and control your Android device
- Evolution-X ROMs
References
- ↑ How to get IMEI using adb command on Android 13?
- ↑ Is there an android shell or adb command that I could use to get a device's IMEI/MEID?
- ↑ adb shell dumpsys iphonesubinfo not working since Android 5.0 Lollipop
- ↑ 4.0 4.1 how to get imsi number in android using command line
- ↑ Can't find option "local terminal" (Settings -> System -> Developer options) in android one
- ↑ Pipe into `adb shell`
- ↑ Fastboot cant find device in linux? Try this...
- ↑ Using Hardware Devices
- ↑ USB Vendor IDs
- ↑ RHBZ #859244 - systemd-udev: specified group 'plugdev' unknown
- ↑ Changing Android's disk encryption password
- ↑ Encrypt your data
- ↑ Different passwords for encryption and screen lock
- ↑ KRT16O To KRT16S, Critical Bug In Full-Disk Encryption Explains Hotfix
- ↑ Just got the 4.4 KRT16 OTA on my Nexus 4 and its been stuck on the boot screen
- ↑ The Abysmal State of Backup Options on Android
- ↑ Full Phone Backup without Unlock or Root
- ↑ xda-developers: NANDroid
- ↑ 19.0 19.1 What Is A Nandroid Backup and How Exactly Does It Work?
- ↑ How to use recovery mode to fix your Android phone or tablet
- ↑ Team Win Recovery Project
- ↑ Changing Android's disk encryption password
- ↑ TWRP Devices
- ↑ SuperSU v2.45
- ↑ SuperSU Download
- ↑ Warning about operating system safety
- ↑ ClockWorkMod Instructions
- ↑ Noah Friedman on ClockworkMod
- ↑ How to re-lock Android bootloader?
- ↑ What does “fastboot oem lock” do?
- ↑ Android Debug Bridge: Connect to a device over Wi-Fi
- ↑ T-Mobile Ice Cream Sandwich ends mobile tethering
- ↑ How to re-enable tethering in KitKat with T-Mobile