From Segfault




Download the Stand-alone SDK Tools from Google and extract them. The "Android SDK Platform-tools" are usually not included, so we have to install them:

$ unzip && cd android-sdk-macosx              # For MacOS X

$ tools/android list sdk --all | grep Platform-tools
  2- Android SDK Platform-tools, revision 23
$ tools/android update sdk --no-ui --all --filter 2

Now we should find:

  • platform-tools/adb - Android Debug Bridge
  • platform-tools/fastboot - Fastboot binary, used for ROM flashing
  • tools/android - Android SDK Manager (GUI)


In Debian/Jessie, the needed packages were:

sudo apt-get install android-tools-fastboot android-tools-adb

With Debian/Stretch, these packages were replaced by:

sudo apt-get install adb fastboot android-sdk-platform-tools-common

Developer Mode

To enable "USB Debugging", go to "Settings" → "Developer Options". If there is no "Developer Options", go to "About phone" and tap on "Build number" 7 times. Go back and there it is :-)


List devices:

$ adb devices
List of devices attached
123ab456abcd78xz        device

Open a shell on the device:

adb shell

Print a phone's IMEI[1]:

$ adb shell dumpsys iphonesubinfo
Phone Subscriber Info:
 Phone Type = GSM
 Device ID = 123456789012345

As dumpsys iphonesubinfo is no longer working with Android 5[2], we can also use the following to find out the IMEI:

$ adb shell service call iphonesubinfo 1
Result: Parcel(
  0x00000000: 00100001 00100001 00100001 00100001 '........'
  0x00000010: 00100001 00100001 00100001 00100001 ''
  0x00000020: 00100001 00100001                   '0.1.2...        ')

Print a phone's IMSI[3]:

$ adb shell service call iphonesubinfo 7                                 # Note: this needs ROOT permissions on the device![3]
Result: Parcel(
  0x00000000: 00100001 00100001 00100001 00100001 '........'
  0x00000010: 00100001 00100001 00100001 00100001 ''
  0x00000020: 00100001 00100001                   '3.4.5...        ')

And the ICCID too:

$ adb shell service call iphonesubinfo 10
Result: Parcel(
 0x00000000: 00100001 00100001 00100001 00100001 '........'
 0x00000010: 00100001 00100001 00100001 00100001 ''
 0x00000020: 00100001 00100001 00100001 00100001 '     ')
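The `service call` replies above are hex dumps of a Binder Parcel, and the quoted column on the right only hints at the value. The following decoder is an added example, not part of the original page: it assumes the reply holds a single string (one status word, one length word, then UTF-16LE characters packed into little-endian 32-bit words), and the sample dump is constructed from the Device ID shown earlier.

```python
import re
import struct

# Constructed sample in the layout printed by `service call` (not real device data).
SAMPLE = """Result: Parcel(
  0x00000000: 00000000 0000000f 00320031 00340033 '........1.2.3.4.'
  0x00000010: 00360035 00380037 00300039 00320031 '5.6.7.8.9.0.1.2.'
  0x00000020: 00340033 00000035                   '3.4.5...        ')
"""

def parcel_words(dump):
    """Collect the 32-bit words of the dump, ignoring offsets and the ASCII column."""
    words = []
    for line in dump.splitlines():
        hexpart = line.split("'", 1)[0]                       # drop the quoted ASCII column
        hexpart = re.sub(r"0x[0-9a-fA-F]{8}:", " ", hexpart)  # drop the offset prefix
        words += [int(w, 16) for w in re.findall(r"\b[0-9a-fA-F]{8}\b", hexpart)]
    return words

def parcel_string(dump):
    """Decode a reply holding one string: status word, length word, UTF-16LE data."""
    words = parcel_words(dump)
    if len(words) < 2:
        raise ValueError("no Parcel data words found")
    status, length = words[0], words[1]
    if status != 0:                       # non-zero first word: the call raised an exception
        raise ValueError(f"remote exception code {status:#010x}")
    if length == 0xFFFFFFFF:              # length -1 marks a null string
        return None
    # Each printed word is a little-endian 32-bit value carrying two UTF-16 code units.
    raw = struct.pack(f"<{len(words) - 2}I", *words[2:])
    if 2 * length > len(raw):
        raise ValueError("dump is shorter than the declared string length")
    return raw[: 2 * length].decode("utf-16-le")

if __name__ == "__main__":
    print(parcel_string(SAMPLE))
```

Decoding the words rather than stripping dots from the ASCII column keeps values intact when they contain dots or non-printable characters, and surfaces a failed call as an error instead of an empty string.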

List device properties:

$ getprop | grep -E '|product|version.release)|display.version|version.baseband'
[gsm.version.baseband]: [M9615A-CEFWMAZM-2.0.1701.06]
[]: [KVT49L]
[]: [mako]
[]: [4.4.2]
[]: [11-20140504-SNAPSHOT-M6-mako]

Note: the exact kernel version can be obtained via /proc/version as uname may not exist.

Network Debugging

If USB isn't working, we could also use adb over the network:

  1. In Developer options, select Android debugging and ADB over network
  2. Connect via adb:
$ adb connect                                                   # The IP address of the phone in the local network
connected to

$ adb devices
List of devices attached        device

Data transfer

If adb push or pull is not enough, we can also use netcat[4] to transfer data to/from the Android device.

First, on the host system:

$ adb forward tcp:8888 tcp:1234

On the Android device:

mako:/mnt/sdcard $ nc -lp 1234 > foo.tar.xz

And on the host system again:

pv < foo.tar.xz | nc localhost 8888


The easiest way to install new ROMs is to use adb sideload, available in TWRP. First, we boot into the recovery image:

adb reboot recovery

In TWRP Recovery:

  1. Select Advanced
  2. Select ADB Sideload
  3. Select Wipe Dalvik Cache and Wipe Cache (both optional)
  4. Swipe to Start Sideload

At this point, the phone is waiting for an image to be uploaded to the device:

adb push /sdcard/                         # TWRP expects a for checksum verification
adb sideload

After the image has been transferred, the phone should recognize it and continue with the update.


Fastboot can be used if the phone is booted into its bootloader, either via "adb reboot-bootloader" or via "Vol-" & Power-On.

$ fastboot devices
123ab456abcd78xz        fastboot

Sometimes this happens:

$ fastboot devices
no permissions  fastboot

Try running fastboot as root[5] or create a udev rule[6] with the correct idVendor[7] attribute:

$ lsusb | grep HTC
Bus 001 Device 029: ID 0bb4:0c23 HTC (High Tech Computer Corp.) Sensation

$ cat /etc/udev/rules.d/51-android.rules
SUBSYSTEM=="usb", ATTR{idVendor}=="0bb4", MODE="0660", GROUP="plugdev"

Be sure to adjust the

$ sudo groupadd plugdev
$ sudo usermod -a -G plugdev bobby

Now we should be able to run fastboot as "bobby" again (as soon as her group membership is applied, i.e. after a new login).

Device Encryption

This article[8] explains this topic in-depth, the short version is:

  • Android is using Linux's dm-crypt to encrypt the internal storage.
  • The storage encryption[9] password or PIN must be used during bootup - but since it is also used as the unlock password whenever the device goes to sleep, it must be entered many times, thus calling for a very short password.[10]
  • Android's vold can be instrumented to change the storage encryption password, but not the screen lock. After encrypting the storage (this will take quite some time), reboot and see if this is working. If so, connect to the device and change the encryption password:
$ adb shell

shell@mako:/ $ su -c vdc cryptfs changepw s3cr3t
200 0 0

Note: when the screen lock password is changed afterwards, the storage encryption password will be changed too!

→ See also Nexus 4#Update on how to update an encrypted device.


The first KitKat Release[11] (Android 4.4) was not able to handle encrypted volumes[12], so we need to make sure to at least install KRT16S before upgrading to KitKat:

$ adb shell
shell@mako:/ $ su -
root@mako:/ # find / -name "*KRT*"



While there are plenty of backup solutions to choose from, let's see if we can back up[13] the whole device at once.

  • We will need an SSH server
  • We will also need an rsync binary, compiled for Android/armv7l (or whatever your architecture is)

Log in to the device and create an exclude list:

~ # cat /data/data/

Rsync away, but 1) ignore permissions 2) reduce accuracy on timestamps and 3) set certain permissions on the target objects, otherwise we might get plenty of errors:

~ # cd /data/data/
~ # /data/data/eu.kowalczuk.rsync4android/files/rsync -rltgoPz \
        --exclude-from=exclude.txt \
        --delete \
        --modify-window=2 --chmod=Du+rwx,go+rx,Fu+rw,go+r \
        /  bob@backup-server:/mnt/phone/ 2>&1 | tee r.log


adb can also be used to take/restore backups:[14]

adb backup -f backup.ab -apk -obb -shared -all -system
  • -f - file name where the backup is being stored
  • -all - backup all installed applications (but without the APKs)
  • -apk - backup the .apks themselves
  • -obb - backup any installed apk expansion files associated with each application
  • -shared - backup the device's shared storage / SD card contents
  • -system - backup system applications

Restore the backup with:

adb restore backup.ab
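Before storing or restoring a backup.ab file, it helps to know whether it is encrypted and what it contains. The following is an added example, not part of the original page: it assumes the usual .ab layout of four text header lines (magic, format version, compression flag, encryption algorithm) followed by a zlib-compressed tar stream, and it runs on a constructed in-memory sample whose file name is hypothetical.

```python
import io
import tarfile
import zlib

def read_ab_header(blob):
    """Return (version, compressed, encryption, payload_offset) of an .ab file."""
    lines, pos = [], 0
    for _ in range(4):
        end = blob.index(b"\n", pos)           # raises ValueError on a short header
        lines.append(blob[pos:end].decode("ascii"))
        pos = end + 1
    if lines[0] != "ANDROID BACKUP":
        raise ValueError("not an adb backup file")
    return int(lines[1]), lines[2] == "1", lines[3], pos

def list_ab_entries(blob):
    """List the tar entries of an unencrypted backup; refuse encrypted ones."""
    version, compressed, encryption, pos = read_ab_header(blob)
    if encryption != "none":
        raise ValueError(f"backup is encrypted ({encryption}); the password is needed")
    payload = blob[pos:]
    if compressed:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        return tar.getnames()

def make_sample_ab():
    """Constructed sample: one small file in an unencrypted, compressed backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"constructed"
        info = tarfile.TarInfo("apps/com.example.app/_manifest")  # hypothetical entry
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    sample = make_sample_ab()
    print(read_ab_header(sample)[:3], list_ab_entries(sample))
```

A header that reports "none" means anyone who obtains the file can read the application data in it, so such backups belong on encrypted storage.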


To create a so-called NANDroid backup[15], the installed recovery mode has to be used. So, if TWRP is installed, use that[16]; if ClockworkMod is installed, it has its own backup function.[16]

Recovery Mode

No command

With stock Android, the recovery mode[17] may display the infamous "no command" screen:

[Image: the "No command" recovery screen]

The message is correct, since we did not issue a command for recovery. While in this mode, press & hold the Power and Volume-up buttons - then let go of the Volume-up button (keep pressing Power). A new menu should appear - choose the correct option with the Volume-up and Volume-down keys, then let go of the Power button to select that choice.



TWRP[18] is an alternative custom recovery, which does support encrypted devices.[19]

  • Download & extract the Android SDK. The adb and fastboot utilities will be needed here.
  • Download the recovery image[20] and verify its checksum.
  • For some reason, we needed the SuperSU package[21] instead of the SuperSU-Busybox-Installer. Once the SuperSU-Busybox-Installer package was installed, applications could not gain root access. Let's try with SuperSU this time. Download the latest SuperSU image[22] and verify its checksum.
  • Now adb should be able to connect to the phone:
$ adb devices
List of devices attached
012ab345abcd12ef        device

When this is working, we can continue. Upload the SuperSU package to the phone's SDcard:

$ adb push /mnt/sdcard/
2632 KB/s (1210442 bytes in 0.449s)
$ adb shell
shell@mako:/ $ ls -l /mnt/sdcard/
-rw-rw-r-- root     sdcard_rw  1210442 2013-09-07 16:20

shell@mako:/ $ md5 /mnt/sdcard/
9cfdf7032ef3f45abaa83f03fa7995a1  /mnt/sdcard/

Now that these packages are on the phone, reboot into the bootloader:

adb reboot bootloader

Now that we are in the bootloader, unlock the phone, if not done already. Note: this will erase all userdata!

fastboot flashing unlock             # Use "oem unlock" on older devices

That should be all to unlock the phone[23]. Still in the bootloader, we will flash the recovery partition with our TWRP image:

$ fastboot flash recovery openrecovery-twrp-
sending 'recovery' (7814 KB)...
OKAY [  0.265s]
writing 'recovery'...
OKAY [  0.481s]
finished. total time: 0.746s

As the phone is still in the bootloader, we can now boot into the RECOVERY mode (Toggle Vol-/Vol+ and press POWER to select). Now, in the TWRP recovery mode:

  • Create a backup (in the SDcard)
  • Flash partition with the downloaded SuperSU package
  • Wipe the cache partition and the Dalvik cache (both optional)
  • Reboot the phone via "Reboot system"

The system should come up just fine and is now hopefully rooted.


Note: CWM does not support encrypted devices![24][25]

  • Download & extract the Android SDK. The adb and fastboot utilities will be needed here.

→ Now continue the same way as for TWRP


To un-root, one can flash the phone with a stock image (and possibly a stock recovery too)[26] and then lock the bootloader again. The latter does not wipe the phone (but unlocking does):[27]

fastboot oem lock

Note: this may or may not reset the phone!

Screen Casting

Sometimes it's nice to have the device's screen mirrored to a desktop computer. scrcpy can do this, and even wireless mirroring is possible.[28]

Enable wireless ADB on the device:

adb tcpip 5555

On the desktop and for ease of use, we can download the prebuilt server:

mkdir -p ~/opt/scrcpy
wget -O ~/opt/scrcpy/scrcpy-server.jar

Build the scrcpy client, in short:

# On Debian-based systems (apt):
sudo apt install ffmpeg libsdl2-2.0-0 gcc git pkg-config meson ninja-build \
                 libavcodec-dev libavformat-dev libavutil-dev libsdl2-dev openjdk-8-jdk

# On Fedora-based systems (dnf):
sudo dnf install SDL2-devel ffms2-devel meson gcc make java-devel

git clone scrcpy-git
cd scrcpy-git

SERVERJAR=~/opt/scrcpy/scrcpy-server.jar          # The prebuilt server downloaded above
meson x --buildtype release --strip -Db_lto=true -Dprebuilt_server=${SERVERJAR}
ninja -C x                                        # Build in ./x but stay in the source directory
sudo install -o root -g root -m 0555 x/app/scrcpy /usr/local/bin/scrcpy.exe

Connect via ADB and run with:

adb connect android:5555


Some providers[29] disallow WiFi tethering, so we'll try to get around those restrictions.


For Android 4.4 and T-Mobile[30], we need to edit /data/data/

Backup settings.db:

$ adb root                                         # We need root access on the device!
restarting adbd as root

$ adb pull /data/data/ 
1819 KB/s (86016 bytes in 0.046s)

$ cp settings.db{,.bak}

Disable tether_dun_required:

$ sqlite3 settings.db "select * from global where name='tether_dun_required';"

$ sqlite3 settings.db "update global set value='0' where name='tether_dun_required';"
$ sqlite3 settings.db "select * from global where name='tether_dun_required';"

Upload the modified settings.db to the phone again:

$ adb push settings.db /data/data/
1819 KB/s (86016 bytes in 0.046s)

On the phone again, open "Wireless Networks" → "Mobile Networks" → APNs. Make sure the T-Mobile US LTE profile is selected, with as the APN set. The IPv6 profile may not work for tethering.

Reboot the phone, tethering should be working now.

One may have to update the user-agent string in the web browser to something that looks mobile, to mitigate DPI techniques:

Mozilla/5.0 (Linux; Android 4.4.2; Nexus 7 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.138 Safari/537.36