Android

From Segfault

SDK

Installation

MacOS

Download the Stand-alone SDK Tools from Google and extract them. The "Android SDK Platform-tools" are usually not included, so we have to install them:

$ unzip android-sdk_r24.3.4-macosx.zip && cd android-sdk-macosx              # For MacOS X

$ tools/android list sdk --all | grep Platform-tools
  2- Android SDK Platform-tools, revision 23
$ tools/android update sdk --no-ui --all --filter 2

Now we should find:

  • platform-tools/adb - Android Debug Bridge
  • platform-tools/fastboot - Fastboot binary, used for ROM flashing
  • tools/android - Android SDK Manager (GUI)

Debian

In Debian/Jessie, the needed packages were:

sudo apt-get install android-tools-fastboot android-tools-adb

With Debian/Stretch, these packages were replaced by:

sudo apt-get install adb fastboot android-sdk-platform-tools-common

Developer Mode

To enable "USB Debugging", go to "Settings" → "Developer Options". If there is no "Developer Options", go to "About phone" and tap on "Build number" 7 times. Go back and there it is :-)

ADB

List devices:

$ adb devices
List of devices attached
123ab456abcd78xz        device

Open a shell on the device:

adb shell

Print a phone's IMEI[1]:

$ adb shell service call iphonesubinfo 1 s16 com.android.shell | cut -c 52-66 | tr -d '.[:space:]'

On earlier Android versions[2] this could be done via:

$ adb shell dumpsys iphonesubinfo
Phone Subscriber Info:
 Phone Type = GSM
 Device ID = 123456789012345

As dumpsys iphonesubinfo is no longer working with Android 5[3], we can also use the following to find out the IMEI:

$ adb shell service call iphonesubinfo 1
Result: Parcel(
  0x00000000: 00100001 00100001 00100001 00100001 '........1.5.5.5.'
  0x00000010: 00100001 00100001 00100001 00100001 '8.7.6.5.4.3.2.1.'
  0x00000020: 00100001 00100001                   '0.1.2...        ')

Print a phone's IMSI[4]:

$ adb shell service call iphonesubinfo 7                                 # Note: this needs ROOT permissions on the device![4]
Result: Parcel(
  0x00000000: 00100001 00100001 00100001 00100001 '........1.2.3.4.'
  0x00000010: 00100001 00100001 00100001 00100001 '5.6.7.8.9.0.1.2.'
  0x00000020: 00100001 00100001                   '3.4.5...        ')

And the ICCID too:

$ adb shell service call iphonesubinfo 10                                                                                                                                                              
Result: Parcel(
 0x00000000: 00100001 00100001 00100001 00100001 '........1.2.3.4.'
 0x00000010: 00100001 00100001 00100001 00100001 '5.6.7.8.9.0.1.2.'
 0x00000020: 00100001 00100001 00100001 00100001 '3.4.5.6.7.8     ')
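
The Parcel dumps above can be decoded from their hex words rather than by cutting fixed columns out of the quoted text. This is an added example, not part of the original page; it assumes the reply is a 32-bit status word, a 32-bit length and a UTF-16LE string, and the sample dump and its digits are constructed. For an IMEI it also checks the Luhn check digit.

```python
import re
import struct

# Constructed sample of `adb shell service call iphonesubinfo 1` output.
# The digits are a made-up, Luhn-valid test value, not a real device's IMEI.
SAMPLE = """Result: Parcel(
  0x00000000: 00000000 0000000f 00390034 00310030 '........4.9.0.1.'
  0x00000010: 00340035 00300032 00320033 00370033 '5.4.2.0.3.2.3.7.'
  0x00000020: 00310035 00000038                   '5.1.8...        ')"""

# One dump line: offset, then one to four 32-bit words printed as hex.
WORD_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{8}:((?: [0-9a-fA-F]{8})+)", re.M)


def parcel_string(dump: str) -> str:
    """Decode the string reply from a `service call` Parcel dump."""
    words = [int(w, 16) for m in WORD_LINE.finditer(dump)
             for w in m.group(1).split()]
    if len(words) < 2:
        raise ValueError("no Parcel words found")
    # Each word is a little-endian 32-bit value; rebuild the raw reply bytes.
    raw = struct.pack(f"<{len(words)}I", *words)
    status, length = struct.unpack_from("<ii", raw, 0)
    if status != 0:
        # Assumed layout: a non-zero first word is an exception code,
        # e.g. when the caller lacks the permission the call needs.
        raise RuntimeError(f"service returned exception code {status}")
    if length < 0:
        return ""  # null string
    data = raw[8:8 + 2 * length]
    if len(data) != 2 * length:
        raise ValueError("dump is truncated")
    return data.decode("utf-16-le")


def luhn_ok(imei: str) -> bool:
    """Check the Luhn check digit of a 15-digit IMEI."""
    if len(imei) != 15 or not (imei.isascii() and imei.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0


if __name__ == "__main__":
    imei = parcel_string(SAMPLE)
    print(imei, "valid" if luhn_ok(imei) else "INVALID")
```

The same function decodes the IMSI and ICCID replies; only the Luhn check is IMEI-specific.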

List device properties:

$ getprop | grep -E 'ro.build.(id|product|version.release)|display.version|version.baseband'
[gsm.version.baseband]: [M9615A-CEFWMAZM-2.0.1701.06]
[ro.build.id]: [KVT49L]
[ro.build.product]: [mako]
[ro.build.version.release]: [4.4.2]
[ro.cm.display.version]: [11-20140504-SNAPSHOT-M6-mako]

Note: the exact kernel version can be obtained via /proc/version as uname may not exist.

Network Debugging

If USB isn't working, we could also use adb over the network:

  1. In Developer options, select Android debugging and ADB over network
  2. Connect via adb:
$ adb connect 10.0.0.3                                                   # The IP address of the phone in the local network
connected to 10.0.0.3:5555

$ adb devices
List of devices attached
10.0.0.3:5555        device

Sometimes '5555' is not the correct port and we need to find out which one adbd is listening on. Since recent Android versions no longer ship with a local terminal installed,[5] we have to install another terminal application, for example ConnectBot. But even a local session there is unable to show the listening ports:

$ netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
netstat: '/proc/net/tcp': Permission denied
netstat: '/proc/net/tcp6': Permission denied

So, we have to use nmap to help with that:

$ nmap --open  -p1-60000 10.0.0.3
Host is up (0.012s latency).
Not shown: 59999 closed tcp ports (reset)
PORT      STATE SERVICE
40868/tcp open  unknown
MAC Address: C0:EE:FB:33:11:22 (OnePlus Tech (Shenzhen))
Nmap done: 1 IP address (1 host up) scanned in 8.64 seconds

And indeed this worked:

$ adb connect 10.0.0.3:40868
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to 10.0.0.3:40868

And our adb shell can now even show the listening port:

$ adb shell
% netstat -ntl | grep LISTEN                                                                                                                                                                   
tcp6       0      0 :::40868                :::*                    LISTEN     

Data transfer

If adb push or pull is not enough, we can also use netcat[6] to transfer data to/from the Android device.

Set up port forwarding on the host system:

$ adb forward tcp:8888 tcp:1234

To push data to the Android device:

mako:/sdcard $ nc -lp 1234 > foo.tar.xz

And on the host system:

$ pv < foo.tar.xz | nc localhost 8888

The other way around, to pull data from the Android device:

mako:/sdcard $ tar -cf - Android/ DCIM/ | nc -l -p 1234

And on the host system:

$ nc -4 localhost 8888 | tar -xvf -

Sideload

The easiest way to install new ROMs is to use adb sideload, available in TWRP. First, we boot into the recovery image:

adb reboot recovery

In TWRP Recovery:

  1. Select Advanced
  2. Select ADB Sideload
  3. Select Wipe Dalvik Cache and Wipe Cache (both optional)
  4. Swipe to Start Sideload

At this point, the phone is waiting for an image to be uploaded to the device:

adb push update.zip.md5 /sdcard/sideload.zip.md5                         # TWRP expects a sideload.zip.md5 for checksum verification
adb sideload update.zip

After the image has been transferred, the phone should recognize it and continue with the update.

Fastboot

Fastboot can be used if the phone is booted into its bootloader, either via "adb reboot-bootloader" or via "Vol-" & Power-On.

$ fastboot devices
123ab456abcd78xz        fastboot

Sometimes this happens:

$ fastboot devices
no permissions  fastboot

Try running fastboot as root[7] or create a udev rule[8] with the correct idVendor[9] attribute:

$ lsusb | grep HTC
Bus 001 Device 029: ID 0bb4:0c23 HTC (High Tech Computer Corp.) Sensation

$ cat /etc/udev/rules.d/51-android.rules
SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0660", GROUP="plugdev"

Adjust the group name accordingly[10], or create the group if necessary:

$ sudo groupadd plugdev
$ sudo usermod -a -G plugdev bobby

Now we should be able to run fastboot as "bobby" again (as soon as her group membership is applied, i.e. after a new login).

Device Encryption

This article[11] explains the topic in depth. The short version is:

  • Android is using Linux's dm-crypt to encrypt the internal storage.
  • The storage encryption[12] password or PIN must be used during bootup - but since it is also used as the unlock password whenever the device goes to sleep, it must be entered many times, thus calling for a very short password.[13]
  • Android's vold can be instrumented to change the storage encryption password, but not the screen lock. After encrypting the storage (this will take quite some time), reboot and see if this is working. If so, connect to the device and change the encryption password:
$ adb shell

shell@mako:/ $ su -c vdc cryptfs changepw s3cr3t
200 0 0

Note: when the screen lock password is changed afterwards, the storage encryption password will be changed too!

→ See also Nexus 4#Update on how to update an encrypted device.

KitKat

The first KitKat Release[14] (Android 4.4) was not able to handle encrypted volumes[15], so we need to make sure to at least install KRT16S before upgrading to KitKat:

$ adb shell
shell@mako:/ $ su -
root@mako:/ # find / -name "*KRT*"
/cache/c7d8660af65b878835d5248252f51dcbf53c2001.signed-two-step.signed-occam-KRT16S-from-JWR66Y.d1b99704.zip

Backup

rsync

While there are plenty of backup solutions to choose from, let's see if we can back up[16] the whole device at once.

  • We will need an SSH server
  • We will also need an rsync binary, compiled for Android/armv7l (or whatever your architecture is)

Log in to the device and create an exclude list:

~ # cat /data/data/berserker.android.apps.sshdroid/home/exclude.txt
/data/d
/data/DxDrm
/data/htcfs
/data/inc_data_path
/dev
/proc
/sys
mgmtsocket
qmux_connect_socket
wpa_ctrl_*

Rsync away, but 1) ignore permissions 2) reduce accuracy on timestamps and 3) set certain permissions on the target objects, otherwise we might get plenty of errors:

~ # cd /data/data/berserker.android.apps.sshdroid/home
~ # /data/data/eu.kowalczuk.rsync4android/files/rsync -rltgoPz \
        --exclude-from=exclude.txt \
        --delete \
        --modify-window=2 --chmod=Du+rwx,go+rx,Fu+rw,go+r \
        /  bob@backup-server:/mnt/phone/ 2>&1 | tee r.log

Sometimes we need to calculate a checksum for all the files in our storage, but exclude that Android directory:

find /sdcard/ -xdev -path "/sdcard/Android" -prune -o -type f -exec md5sum '{}' +

ADB

adb can also be used to take/restore backups:[17]

adb backup -f backup.ab -apk -obb -shared -all -system
  • -f - file name where the backup is being stored
  • -all - backup all installed applications (but without the APKs)
  • -apk - backup the .apks themselves
  • -obb - backup any installed apk expansion files associated with each application
  • -shared - backup the device's shared storage / SD card contents
  • -system - backup system applications

Restore the backup with:

adb restore backup.ab
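
A backup.ab file starts with a short text header that states whether the archive is compressed and whether it is encrypted, which is worth checking before the file is copied anywhere. This is an added example, not part of the original page: it reads that header and, for an unencrypted backup, lists the tar members; the sample archive and its package name are constructed.

```python
import io
import tarfile
import zlib


def inspect_ab(blob: bytes) -> dict:
    """Parse the text header of an `adb backup` file and list its contents."""
    stream = io.BytesIO(blob)
    # Header: magic, format version, compressed flag, encryption algorithm.
    magic, version, compressed, encryption = (
        stream.readline().decode("ascii", "replace").rstrip("\n")
        for _ in range(4))
    if magic != "ANDROID BACKUP":
        raise ValueError("not an adb backup file")
    info = {"version": int(version), "compressed": compressed == "1",
            "encryption": encryption, "members": None}
    if encryption != "none":
        return info  # payload is encrypted, nothing more to read without the key
    payload = stream.read()
    if info["compressed"]:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        info["members"] = tar.getnames()
    return info


def make_sample() -> bytes:
    """Constructed, unencrypted sample backup holding one small file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"constructed sample"
        entry = tarfile.TarInfo("apps/com.example.app/_manifest")
        entry.size = len(data)
        tar.addfile(entry, io.BytesIO(data))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    result = inspect_ab(make_sample())
    if result["encryption"] == "none":
        print("WARNING: backup is not encrypted")
    print(result)
```

An encryption line of "none" means every file in the archive is readable by anyone who obtains the backup.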

NANDroid

To create a so-called NANDroid backup[18], the installed recovery mode has to be used. If TWRP is installed, use that;[19] if ClockworkMod is installed, it has its own backup function.[19]

Recovery Mode

No command

With stock Android, the recovery mode[20] may display the infamous "no command" screen.

The message is correct, since we did not issue a command for recovery. While in this mode, press & hold the Power and Volume-up buttons - then let go of the Volume-up button (keep pressing Power). A new menu should appear - choose the correct option with the Volume-up and Volume-down keys, then let go of the Power button to select that choice.

Root

TWRP

TWRP[21] is an alternative custom recovery, which does support encrypted devices.[22]

  • Download & extract the Android SDK. The adb and fastboot utilities will be needed here.
  • Download the recovery image[23] and verify its checksum.
  • For some reason, we needed the SuperSU package[24] instead of the SuperSU-Busybox-Installer. Once the SuperSU-Busybox-Installer package was installed, applications could not gain root access. Let's try with SuperSU this time. Download the latest SuperSU image[25] and verify its checksum.
  • Now adb should be able to connect to the phone:
$ adb devices
List of devices attached
012ab345abcd12ef        device

When this is working, we can continue. Upload the SuperSU package to the phone's SDcard:

$ adb push UPDATE-SuperSU-v1.89.zip /mnt/sdcard/
2632 KB/s (1210442 bytes in 0.449s)
$ adb shell
shell@mako:/ $ ls -l /mnt/sdcard/UPDATE-SuperSU-v1.89.zip
-rw-rw-r-- root     sdcard_rw  1210442 2013-09-07 16:20 UPDATE-SuperSU-v1.89.zip

shell@mako:/ $ md5 /mnt/sdcard/UPDATE-SuperSU-v1.89.zip
9cfdf7032ef3f45abaa83f03fa7995a1  /mnt/sdcard/UPDATE-SuperSU-v1.89.zip

Now that these packages are on the phone, reboot into the bootloader:

adb reboot bootloader

Now that we are in the bootloader, unlock the phone, if not done already. Note: this will erase all userdata!

fastboot flashing unlock             # Use "oem unlock" on older devices

That should be all to unlock the phone[26]. Still in the bootloader, we will flash the recovery partition with our TWRP image:

$ fastboot flash recovery openrecovery-twrp-2.6.3.3-mako.img
sending 'recovery' (7814 KB)...
OKAY [  0.265s]
writing 'recovery'...
OKAY [  0.481s]
finished. total time: 0.746s

As the phone is still in the bootloader, we can now boot into the RECOVERY mode (Toggle Vol-/Vol+ and press POWER to select). Now, in the TWRP recovery mode:

  • Create a backup (in the SDcard)
  • Flash partition with the downloaded SuperSU package
  • Wipe the cache partition and the Dalvik cache (both optional)
  • Reboot the phone via "Reboot system"

The system should come up just fine and is now hopefully rooted.

ClockworkMod

Note: CWM does not support encrypted devices![27][28]

  • Download & extract the Android SDK. The adb and fastboot utilities will be needed here.

→ Now continue the same way as for TWRP

Un-Root

To un-root, one can flash the phone with a stock image (and possibly a stock recovery too)[29] and then lock the bootloader again. The latter does not wipe the phone (but unlocking does):[30]

fastboot oem lock

Note: this may or may not reset the phone!

Screen Casting

Sometimes it's nice to have the device's screen mirrored to a desktop computer. scrcpy can do this, and even wireless mirroring is possible.[31]

Enable wireless ADB on the device and connect:

adb tcpip 5555

On the desktop and for ease of use, we can download the prebuilt server:

mkdir -p ~/opt/scrcpy
wget https://github.com/Genymobile/scrcpy/releases/download/v1.10/scrcpy-server-v1.10.jar -O ~/opt/scrcpy/scrcpy-server.jar
SERVERJAR=$HOME/opt/scrcpy/scrcpy-server.jar

Build the scrcpy client, in short:

# Debian/Ubuntu:
sudo apt install ffmpeg libsdl2-2.0-0 gcc git pkg-config meson ninja-build \
                 libavcodec-dev libavformat-dev libavutil-dev libsdl2-dev openjdk-8-jdk

# Fedora:
sudo dnf install SDL2-devel ffms2-devel meson gcc make java-devel

git clone https://github.com/Genymobile/scrcpy.git scrcpy-git
cd scrcpy-git

meson x --buildtype release --strip -Db_lto=true -Dprebuilt_server=${SERVERJAR}
cd x && ninja
# We are inside the build directory "x" now, so the binary is at app/scrcpy
sudo install -o root -g root -m 0555 app/scrcpy /usr/local/bin/scrcpy.exe

Connect via ADB and run with:

adb connect android:5555
SCRCPY_SERVER_PATH=${SERVERJAR} app/scrcpy

Tethering

Some providers[32] disallow WiFi tethering, so we'll try to get around those restrictions.

T-Mobile

For Android 4.4 and T-Mobile[33], we need to edit /data/data/com.android.providers.settings/databases/settings.db.

Backup settings.db:

$ adb root                                         # We need root access on the device!
restarting adbd as root

$ adb pull /data/data/com.android.providers.settings/databases/settings.db 
1819 KB/s (86016 bytes in 0.046s)

$ cp settings.db{,.bak}

Disable tether_dun_required:

$ sqlite3 settings.db "select * from global where name='tether_dun_required';"
44|tether_dun_required|1

$ sqlite3 settings.db "update global set value='0' where name='tether_dun_required';"
$ sqlite3 settings.db "select * from global where name='tether_dun_required';"
44|tether_dun_required|0

Upload the modified settings.db to the phone again:

$ adb push settings.db /data/data/com.android.providers.settings/databases/settings.db
1819 KB/s (86016 bytes in 0.046s)

On the phone again, open "Wireless Networks" → "Mobile Networks" → APNs. Make sure the T-Mobile US LTE profile is selected, with fast.t-mobile.com as the APN set. The IPv6 profile may not work for tethering.

Reboot the phone, tethering should be working now.

One may have to update the user agent string in the web browser to something that looks mobile, to mitigate DPI techniques:

Mozilla/5.0 (Linux; Android 4.4.2; Nexus 7 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.138 Safari/537.36

Links

References

  1. How to get IMEI using adb command on Android 13?
  2. Is there an android shell or adb command that I could use to get a device's IMEI/MEID?
  3. adb shell dumpsys iphonesubinfo not working since Android 5.0 Lollipop
  4. how to get imsi number in android using command line
  5. Can't find option "local terminal" (Settings -> System -> Developer options) in android one
  6. Pipe into `adb shell`
  7. Fastboot cant find device in linux? Try this...
  8. Using Hardware Devices
  9. USB Vendor IDs
  10. RHBZ #859244 - systemd-udev: specified group 'plugdev' unknown
  11. Changing Android's disk encryption password
  12. Encrypt your data
  13. Different passwords for encryption and screen lock
  14. KRT16O To KRT16S, Critical Bug In Full-Disk Encryption Explains Hotfix
  15. Just got the 4.4 KRT16 OTA on my Nexus 4 and its been stuck on the boot screen
  16. The Abysmal State of Backup Options on Android
  17. Full Phone Backup without Unlock or Root
  18. xda-developers: NANDroid
  19. What Is A Nandroid Backup and How Exactly Does It Work?
  20. How to use recovery mode to fix your Android phone or tablet
  21. Team Win Recovery Project
  22. Changing Android's disk encryption password
  23. TWRP Devices
  24. SuperSU v2.45
  25. SuperSU Download
  26. Warning about operating system safety
  27. ClockWorkMod Instructions
  28. Noah Friedman on ClockworkMod
  29. How to re-lock Android bootloader?
  30. What does “fastboot oem lock” do?
  31. Android Debug Bridge: Connect to a device over Wi-Fi
  32. T-Mobile Ice Cream Sandwich ends mobile tethering
  33. How to re-enable tethering in KitKat with T-Mobile