Android

From Segfault

SDK

Installation

MacOS

Download the Stand-alone SDK Tools from Google and extract them. The "Android SDK Platform-tools" are usually not included, so we have to install them:

$ unzip android-sdk_r24.3.4-macosx.zip && cd android-sdk-macosx              # For MacOS X

$ tools/android list sdk --all | grep Platform-tools
  2- Android SDK Platform-tools, revision 23
$ tools/android update sdk --no-ui --all --filter 2

Now we should find:

  • platform-tools/adb - Android Debug Bridge
  • platform-tools/fastboot - Fastboot binary, used for ROM flashing
  • tools/android - Android SDK Manager (GUI)

Debian

In Debian/Jessie, the needed packages were:

sudo apt-get install android-tools-fastboot android-tools-adb

With Debian/Stretch, these packages were replaced by:

sudo apt-get install adb fastboot android-sdk-platform-tools-common

Developer Mode

To enable "USB Debugging", go to "Settings" → "Developer Options". If there is no "Developer Options", go to "About phone" and tap on "Build number" 7 times. Go back and there it is :-)

ADB

List devices:

$ adb devices
List of devices attached
123ab456abcd78xz        device

Open a shell on the device:

adb shell

Print a phone's IMEI[1]:

$ adb shell dumpsys iphonesubinfo
Phone Subscriber Info:
 Phone Type = GSM
 Device ID = 123456789012345

As dumpsys iphonesubinfo is no longer working with Android 5[2], we can also use the following to find out the IMEI:

$ adb shell service call iphonesubinfo 1
Result: Parcel(
  0x00000000: 00000000 0000000f 00360038 00350034 '........1.5.5.5.'
  0x00000010: 00370038 00320030 00310035 00320036 '8.7.6.5.4.3.2.1.'
  0x00000020: 00360030 00000037                   '0.1.2...        ')

Print a phone's IMSI[3]:

$ adb shell service call iphonesubinfo 7                                 # Note: this needs ROOT permissions on the device![4]
Result: Parcel(
  0x00000000: 00000000 00000001 00230045 00670080 '........1.2.3.4.'
  0x00000010: 00900001 00230045 00670089 00010023 '5.6.7.8.9.0.1.2.'
  0x00000020: 00450067 00000089                   '3.4.5...        ')
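Both service call replies above carry the value as a UTF-16 string inside the Parcel hex dump. The following decoder is an added example, not part of the original page; it assumes a little-endian device, uses a constructed sample built around the documentation IMEI 490154203237518, and its function names are made up for illustration. The Luhn check applies to the IMEI only, the IMSI has no check digit.

```python
import re
import struct

# Constructed sample in the layout printed by `service call`. The IMEI is the
# documentation value 490154203237518, not one read from a real device.
SAMPLE = """Result: Parcel(
  0x00000000: 00000000 0000000f 00390034 00310030 '........4.9.0.1.'
  0x00000010: 00340035 00300032 00320033 00370033 '5.4.2.0.3.2.3.7.'
  0x00000020: 00310035 00000038                   '5.1.8...        ')
"""

ROW = re.compile(r"^\s*0x[0-9a-fA-F]{8}:((?:\s[0-9a-fA-F]{8})+)", re.M)


def parcel_bytes(dump):
    """Rebuild the raw parcel from the 32-bit words of the hex dump."""
    words = [int(w, 16) for row in ROW.findall(dump) for w in row.split()]
    # Words are printed as integers; assume a little-endian device (ARM, x86).
    return struct.pack(f"<{len(words)}I", *words)


def parcel_string(dump):
    """Decode a reply laid out as: int32 status, int32 length, UTF-16LE text."""
    raw = parcel_bytes(dump)
    if len(raw) < 8:
        raise ValueError("no parcel data found")
    status, length = struct.unpack_from("<ii", raw, 0)
    if status != 0:
        raise ValueError(f"service returned exception code {status}")
    end = 8 + 2 * length
    if length < 0 or end > len(raw):
        raise ValueError("null string or truncated parcel")
    return raw[8:end].decode("utf-16-le")


def luhn_ok(digits):
    """An IMEI ends in a Luhn check digit; failure hints at a bad decode."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


if __name__ == "__main__":
    imei = parcel_string(SAMPLE)
    print(imei, "Luhn ok" if luhn_ok(imei) else "Luhn FAILED")
```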

List device properties:

$ getprop | grep -E 'ro.build.(id|product|version.release)|display.version|version.baseband'
[gsm.version.baseband]: [M9615A-CEFWMAZM-2.0.1701.06]
[ro.build.id]: [KVT49L]
[ro.build.product]: [mako]
[ro.build.version.release]: [4.4.2]
[ro.cm.display.version]: [11-20140504-SNAPSHOT-M6-mako]

Note: the exact kernel version can be obtained via /proc/version as uname may not exist.

Network Debugging

If USB isn't working, we could also use adb over the network:

  1. In Developer options, select Android debugging and ADB over network
  2. Connect via adb:
$ adb connect 10.0.0.3                                                   # The IP address of the phone in the local network
connected to 10.0.0.3:5555

$ adb devices
List of devices attached
10.0.0.3:5555        device

Data transfer

If adb push or pull is not enough, we can also use netcat[5] to transfer data to/from the Android device.

First, on the host system:

$ adb forward tcp:8888 tcp:1234

On the Android device:

mako:/mnt/sdcard $ nc -lp 1234 > foo.tar.xz

And on the host system again:

pv < foo.tar.xz | nc localhost 8888

Sideload

The easiest way to install new ROMs is to use adb sideload, available in TWRP. First, we boot into the recovery image:

adb reboot recovery

In TWRP Recovery:

  1. Select Advanced
  2. Select ADB Sideload
  3. Select Wipe Dalvik Cache and Wipe Cache (both optional)
  4. Swipe to Start Sideload

At this point, the phone is waiting for an image to be uploaded to the device:

adb push update.zip.md5 /sdcard/sideload.zip.md5                         # TWRP expects a sideload.zip.md5 for checksum verification
adb sideload update.zip

After the image has been transferred, the phone should recognize it and continue with the update.

Fastboot

Fastboot can be used if the phone is booted into its bootloader, either via "adb reboot-bootloader" or via "Vol-" & Power-On.

$ fastboot devices
123ab456abcd78xz        fastboot

Sometimes this happens:

$ fastboot devices
no permissions  fastboot

Try running fastboot as root[6] or create a udev rule[7] with the correct idVendor[8] attribute:

$ lsusb | grep HTC
Bus 001 Device 029: ID 0bb4:0c23 HTC (High Tech Computer Corp.) Sensation

$ cat /etc/udev/rules.d/51-android.rules
SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0660", GROUP="plugdev"

Be sure to adjust the

$ sudo groupadd plugdev
$ sudo usermod -a -G plugdev bobby

Now we should be able to run fastboot as "bobby" again (as soon as her group membership is applied, i.e. after a new login).

Device Encryption

This article[9] explains this topic in depth; the short version is:

  • Android is using Linux's dm-crypt to encrypt the internal storage.
  • The storage encryption[10] password or PIN must be used during bootup - but since it is also used as the unlock password whenever the device goes to sleep, it must be entered many times, thus calling for a very short password.[11]
  • Android's vold can be instrumented to change the storage encryption password, but not the screen lock. After encrypting the storage (this will take quite some time), reboot and see if this is working. If so, connect to the device and change the encryption password:
$ adb shell

shell@mako:/ $ su -c vdc cryptfs changepw s3cr3t
200 0 0

Note: when the screen lock password is changed afterwards, the storage encryption password will be changed too!

→ See also Nexus 4#Update on how to update an encrypted device.

KitKat

The first KitKat Release[12] (Android 4.4) was not able to handle encrypted volumes[13], so we need to make sure to at least install KRT16S before upgrading to KitKat:

$ adb shell
shell@mako:/ $ su -
root@mako:/ # find / -name "*KRT*"
/cache/c7d8660af65b878835d5248252f51dcbf53c2001.signed-two-step.signed-occam-KRT16S-from-JWR66Y.d1b99704.zip

Backup

rsync

While there are plenty of backup solutions to choose from, let's see if we can back up[14] the whole device at once.

  • We will need an SSH server
  • We will also need an rsync binary, compiled for Android/armv7l (or whatever your architecture is)

Log in to the device and create an exclude list:

~ # cat /data/data/berserker.android.apps.sshdroid/home/exclude.txt
/data/d
/data/DxDrm
/data/htcfs
/data/inc_data_path
/dev
/proc
/sys
mgmtsocket
qmux_connect_socket
wpa_ctrl_*

Rsync away, but 1) ignore permissions 2) reduce accuracy on timestamps and 3) set certain permissions on the target objects, otherwise we might get plenty of errors:

~ # cd /data/data/berserker.android.apps.sshdroid/home
~ # /data/data/eu.kowalczuk.rsync4android/files/rsync -rltgoPz \
        --exclude-from=exclude.txt \
        --delete \
        --modify-window=2 --chmod=Du+rwx,go+rx,Fu+rw,go+r \
        /  bob@backup-server:/mnt/phone/ 2>&1 | tee r.log

ADB

adb can also be used to take/restore backups:[15]

adb backup -f backup.ab -apk -obb -shared -all -system
  • -f - file name where the backup is being stored
  • -all - backup all installed applications (but without the APKs)
  • -apk - backup the .apks themselves
  • -obb - backup any installed apk expansion files associated with each application
  • -shared - backup the device's shared storage / SD card contents
  • -system - backup system applications

Restore the backup with:

adb restore backup.ab
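The backup.ab file written by adb backup starts with four text lines (magic, format version, compression flag, encryption) followed by the archive itself. As an added example, not part of the original page, this sketch reads that header and lists the contents when the encryption line says "none", which is the case when no backup password was set; the sample archive and the app name com.example.notes are constructed.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def read_ab_header(stream):
    """Return (version, compressed, encryption) from the four header lines."""
    lines = [stream.readline().rstrip(b"\n") for _ in range(4)]
    if lines[0] != MAGIC:
        raise ValueError("not an adb backup file")
    return int(lines[1]), lines[2] == b"1", lines[3].decode("ascii")


def list_ab(stream):
    """List archive members of an unencrypted backup; refuse encrypted ones."""
    version, compressed, encryption = read_ab_header(stream)
    if encryption != "none":
        raise PermissionError(f"payload is encrypted ({encryption})")
    payload = stream.read()
    if compressed:
        payload = zlib.decompress(payload)  # zlib stream wrapping a tar
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        return version, [m.name for m in tar.getmembers()]


def build_sample():
    """Constructed stand-in for backup.ab (hypothetical app, dummy data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("apps/com.example.notes/_manifest", b"1\n"),
                           ("apps/com.example.notes/db/notes.db", b"dummy")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    version, names = list_ab(io.BytesIO(build_sample()))
    print("version", version, "unencrypted members:", names)
```

An unencrypted backup.ab exposes every listed app's data to anyone who can read the file, so store it accordingly.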

NANDroid

To create a so-called NANDroid backup[16], the installed recovery mode has to be used. So, if TWRP is installed, use that[17]; if ClockworkMod is installed, it has its own backup function.[17]

Root

TWRP

TWRP[18] is an alternative custom recovery, which does support encrypted devices.[19]

  • Download & extract the Android SDK. The adb and fastboot utilities will be needed here.
  • Download the recovery image[20] and verify its checksum.
  • For some reason, we needed the SuperSU package[21] instead of the SuperSU-Busybox-Installer. Once the SuperSU-Busybox-Installer package was installed, applications could not gain root access. Let's try with SuperSU this time. Download the latest SuperSU image[22] and verify its checksum.
  • Now adb should be able to connect to the phone:
$ adb devices
List of devices attached
012ab345abcd12ef        device

When this is working, we can continue. Upload the SuperSU package to the phone's SDcard:

$ adb push UPDATE-SuperSU-v1.89.zip /mnt/sdcard/
2632 KB/s (1210442 bytes in 0.449s)
$ adb shell
shell@mako:/ $ ls -l /mnt/sdcard/UPDATE-SuperSU-v1.89.zip
-rw-rw-r-- root     sdcard_rw  1210442 2013-09-07 16:20 UPDATE-SuperSU-v1.89.zip

shell@mako:/ $ md5 /mnt/sdcard/UPDATE-SuperSU-v1.89.zip
9cfdf7032ef3f45abaa83f03fa7995a1  /mnt/sdcard/UPDATE-SuperSU-v1.89.zip

Now that these packages are on the phone, reboot into the bootloader:

adb reboot bootloader

Now that we are in the bootloader, unlock the phone, if not done already. Note: this will erase all userdata!

fastboot flashing unlock             # Use "oem unlock" on older devices

That should be all to unlock the phone[23]. Still in the bootloader, we will flash the recovery partition with our TWRP image:

$ fastboot flash recovery openrecovery-twrp-2.6.3.3-mako.img
sending 'recovery' (7814 KB)...
OKAY [  0.265s]
writing 'recovery'...
OKAY [  0.481s]
finished. total time: 0.746s

As the phone is still in the bootloader, we can now boot into the RECOVERY mode (Toggle Vol-/Vol+ and press POWER to select). Now, in the TWRP recovery mode:

  • Create a backup (in the SDcard)
  • Flash partition with the downloaded SuperSU package
  • Wipe the cache partition and the Dalvik cache (both optional)
  • Reboot the phone via "Reboot system"

The system should come up just fine and is now hopefully rooted.

ClockworkMod

Note: CWM does not support encrypted devices![24][25]

  • Download & extract the Android SDK. The adb and fastboot utilities will be needed here.

→ Now continue the same way as for TWRP

Un-Root

To un-root, one can flash the phone with a stock image (and possibly a stock recovery too)[26] and then lock the bootloader again. The latter does not wipe the phone (but unlocking does):[27]

fastboot oem lock

Note: this may or may not reset the phone!

Partitions

There are several partitions[28] on an Android device:

Partition   Usage
/boot       Needed for booting, includes the kernel and ramdisk. Can be wiped, but only if a new boot image is installed right away, before rebooting.
/cache      Cache for data and application components, can be wiped w/o losing personal data.
/data       Contains userdata (contacts, messages, settings). Wiping it is also known as a factory reset.
/misc       Various settings (carrier, USB, hardware), should not be touched.
/recovery   Alternative /boot partition, used for maintenance and recovery. This is where ROMs like ClockworkMod or TWRP can be installed.
/system     Android OS, except kernel & ramdisk. Can be wiped in order to install another OS.
/sdcard     External memory, like an SDcard. Can be wiped, but applications may have stored user data on it.

See also: "Dirty Flashing:" What it is and is not. Let's set the record straight. - elaborates also on when to wipe certain parts of the system.

Tethering

Some providers[29] disallow WiFi tethering, so we'll try to get around those restrictions.

T-Mobile

For Android 4.4 and T-Mobile[30], we need to edit /data/data/com.android.providers.settings/databases/settings.db.

Backup settings.db:

$ adb root                                         # We need root access on the device!
restarting adbd as root

$ adb pull /data/data/com.android.providers.settings/databases/settings.db 
1819 KB/s (86016 bytes in 0.046s)

$ cp settings.db{,.bak}

Disable tether_dun_required:

$ sqlite3 settings.db "select * from global where name='tether_dun_required';"
44|tether_dun_required|1

$ sqlite3 settings.db "update global set value='0' where name='tether_dun_required';"
$ sqlite3 settings.db "select * from global where name='tether_dun_required';"
44|tether_dun_required|0

Upload the modified settings.db to the phone again:

$ adb push settings.db /data/data/com.android.providers.settings/databases/settings.db
1819 KB/s (86016 bytes in 0.046s)

On the phone again, open "Wireless Networks" → "Mobile Networks" → APNs. Make sure the T-Mobile US LTE profile is selected, with fast.t-mobile.com as the APN set. The IPv6 profile may not work for tethering.

Reboot the phone, tethering should be working now.

One may have to update the user agent string in the web browser to something that looks mobile, to mitigate DPI techniques:

Mozilla/5.0 (Linux; Android 4.4.2; Nexus 7 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.138 Safari/537.36

Links

References