XDADevelopers’Android™Hacker’sToolkitTableofContents

Introduction

FirstThingsFirst:WhatIsXDA?

TheDragonsthatLieAhead

WhoThisBookIsFor

WhatThisBookCovers

HowThisBookIsStructured

WhatYouNeedtoUseThisBook

PartI:WhatYouNeedtoKnow

Chapter1:AndroidOSInternals:UnderstandingHowYourDeviceStarts

ThePenguinDownBelow

HowYourAndroidDeviceStarts

Bootstrapping

AddingaCustomBootloader

UnderstandingtheBootloaderProcess

CustomRecoveries:TheHolyGrail

Chapter2:RootingYourAndroidDevice

WhyShouldYouRoot?

IncreasingtheServiceLifeoftheDevice

FixingOEMDefects

IncreasingCapability

CustomizingtheDevice

BackingUpData

ContactInformation

ApplicationsandTheirData

DataontheSDCard

HowYouCanRootandLeaveYourOEM’sControl

OEMFlashSoftware

Exploits

NativeFastbootFlash

ScriptedandOne-ClickMethods

RootingTwoDevices

NexusOne

HTCThunderbolt

TheRootofItAll

Chapter3:TheRightToolfortheJob

Ready,Set,...WaitIHavetoHaveWhat?

ConnectingaPhonetoaComputer

HackingTools

USBCables

USBDebugging

What’sDrivingThisThing?

UsingtheAndroidDebugBridge

CheckingDeviceConnectivity

RestartingtheADBService

CopyingFilestoandfromYourDevice

RebootingaDevice

ThePowerofFastboot

UnlockingaDevice

UpdatingaDevice

FlashingaDevice

RebootingaDevice

HarnessingthePowerofthePenguinwithADBShell

FileSystemNavigation

FileManagement

FileAccessPermissions

RedirectionandPiping

Concatenation

BusyBox:GivingthePenguinBackItsPower

TheddCommand

TheechoCommand

Themd5sumCommand

Chapter4:RootingandInstallingaCustomRecovery

HowtoUseExploits

ExploitScripts

ExploitApplications

UsingaScriptorApplicationonaDevice

HackingUtilities

OEMTools

DeveloperUtilities

ImageFiles

RecoveryMode

WhatIsRecoveryMode?

MakeItAllSoEasy:GetACustomRecovery!

UsingClockworkModRecovery

RebootingtheDevice

UpdatingaDevicefromtheSDCard

ResettingaDevicetoFactoryCondition

WipingtheCache

InstallingaZipFilefromtheSDCard

BackingUpandRestoringaDevice

MountingPartitionsandManagingStorage

AdvancedFunctions

BackupandDisasterRecovery

PrecautionsforSuccessandDataRecovery

BackingUpApplications

BackingUpThroughaRecoveryProcess

BackingUpThroughanApplication

WhatHappensifItGoesReallyWrong?

Chapter5:Theming:DigitalCosmeticSurgery

ChangingtheLookandFeelofAndroid

ThemingtheLauncher

ThemingwithanAdd-onLauncher

ToolsUsedinTheming

APKManager

AndroidSDK

Eclipse

AROMofYourChoice

7-Zip

Paint.NET

Update.zipCreator

Amend2Edify

TheEditingProcess

WalkthroughforCreatingThemeFiles

WalkthroughforCreatingaFlashableZIPFile

Chapter6:You’veBecomeSuperuser:NowWhat?

PopularMulti-DeviceCustomROMs

CyanogenMod

AndroidOpenKangProject

VillainROM

KernelTweaks

BacklightNotifications

VoodooEnhancements

PerformanceandBatteryLifeTweaks

RootApplications

SetCPU

AdfreeAndroid

Chainfire3D

TitaniumBackup

PartII:ManufacturerGuidelinesandDevice-SpecificGuides

Chapter7:HTCEVO3D:ALockedDevice

ObtainingTemporaryRoot

UsingS-OFFandPermanentRootRequirements

RunningtheRevolutionaryTool

InstallingaCustomRecovery

InstallingtheSuperuserBinary

InstallingaSuperUserApplication

Chapter8:NexusOne:AnUnlockableDevice

RootMethodsAvailable

ResourcesRequiredforthisWalkthrough

Walkthrough

PlacingtheNexusOneinFastbootMode

FlashingaBootPartition

GettingFullRootAccess

InstallingaCustomRecovery

Chapter9:HTCThunderBolt:ATightlyLockedDevice

RootMethodsAvailable

ResourcesRequiredforthisWalkthrough

Walkthrough

PushingFilestotheDevice

GainingTemporaryRoot

CheckingaFile’sMD5Signature

WritingtheTemporaryBootloader

DowngradingtheFirmware

GainingTemporaryRoottoUnlocktheMMC

RewritingtheBootloader

UpgradingtheFirmware

Chapter10:DroidCharge:FlashingwithODIN

ResourcesRequiredforthisWalkthrough

Walkthrough

ConnectingtheDevicetoODIN

FlashingtheDevice

Troubleshooting

Chapter11:NexusS:AnUnlockedDevice

ConnectingtheDevicetoaPC

ResourcesRequiredforthisWalkthrough

Walkthrough

UnlockingtheDevice

FlashingtheDevicewithaRecovery

FlashingtheDevicewiththeSuperUserapplication

Chapter12:MotorolaXoom:AnUnlockedHoneycombTablet

ResourcesRequiredforthisWalkthrough

Walkthrough

PushingtheRootFiletotheSDCard

UnlockingtheXoom

FlashingtheDevicewithaRecovery

FlashingtheDevicewithaUniversalRoot

Chapter13:NookColor:RootingwithaBootableSDCard

ResourcesRequiredforthisWalkthrough

Walkthrough

CreatingaBootableSDCard

BootingtheDevicefromtheSDCard

MakingtheDeviceMoreUsable

AppendixA:SettingUpAndroidSDKandADBTools

XDADevelopers’Android™Hacker’sToolkitTheCompleteGuidetoRooting,ROMSandThemingJasonTylerwithWill

VerduzcoThisworkisaco-publicationbetweenXDADevelopersandJohnWiley&Sons,Ltd.

Thiseditionfirstpublished2012

©2012JohnWileyandSons,Ltd.

RegisteredofficeJohnWiley&SonsLtd,TheAtrium,SouthernGate,Chichester,WestSussex,PO198SQ,UnitedKingdomFordetailsofourglobaleditorialoffices,forcustomerservicesandforinformationabouthowtoapplyforpermissiontoreusethecopyrightmaterialinthisbookpleaseseeourwebsiteatwww.wiley.com.

TherightoftheauthortobeidentifiedastheauthorofthisworkhasbeenassertedinaccordancewiththeCopyright,DesignsandPatentsAct1988.

Allrightsreserved.Nopartofthispublicationmaybereproduced,storedinaretrievalsystem,ortransmitted,inanyformorbyanymeans,electronic,mechanical,photocopying,recordingorotherwise,exceptaspermittedbytheUKCopyright,DesignsandPatentsAct1988,withoutthepriorpermissionofthepublisher.

Wileyalsopublishesitsbooksinavarietyofelectronicformats.Somecontentthatappearsinprintmaynotbeavailableinelectronicbooks.

Designationsusedbycompaniestodistinguishtheirproductsareoftenclaimedastrademarks.Allbrandnamesandproductnamesusedinthisbookaretradenames,servicemarks,trademarksorregisteredtrademarksoftheirrespectiveowners.Thepublisherisnotassociatedwithanyproductorvendormentionedinthisbook.Thispublicationisdesignedtoprovideaccurateandauthoritativeinformationinregardtothesubjectmattercovered.Itissoldontheunderstandingthatthepublisherisnotengagedinrendering

professionalservices.Ifprofessionaladviceorotherexpertassistanceisrequired,theservicesofacompetentprofessionalshouldbesought.

Trademarks:WileyandtheWileylogoaretrademarksorregisteredtrademarksofJohnWileyandSons,Inc.and/oritsaffiliatesintheUnitedStatesand/orothercountries,andmaynotbeusedwithoutwrittenpermission.AndroidisatrademarkofGoogle,Inc.Allothertrademarksarethepropertyoftheirrespectiveowners.JohnWiley&Sons,Ltd.isnotassociatedwithanyproductorvendormentionedinthebook.

XDA,XDADevelopersisatrademarkofJBOnlineMedia,LLC

AcataloguerecordforthisbookisavailablefromtheBritishLibrary.

ISBN978-1-11995138-4(paperback);ISBN978-1-119-96154-3(ebook);978-1-119-96155-0(ebook);978-1-119-96156-7(ebook)Setin9.5/11.5MinionProRegularbyIndianapolisCompositionServicesPrintedintheUnitedStatesbyCourierWestford

Publisher’sAcknowledgements

Someofthepeoplewhohelpedbringthisbooktomarketincludethefollowing:EditorialandProduction

VPConsumerandTechnologyPublishingDirector:MichelleLeeteAssociateDirector–BookContentManagement:MartinTribeAssociatePublisher:ChrisWebb

AssistantEditor:EllieScott

DevelopmentEditor:ShenaDeucharsCopyEditor:Shena

Deuchars

TechnicalEditor:AkshayDashrathEditorialManager:JodiJensen

SeniorProjectEditor:SaraShlaerEditorialAssistant:LeslieSaxmanMarketing

AssociateMarketingDirector:LouiseBreinholtSeniorMarketingExecutive:KateParrettCompositionServices

Compositor:IndianapolisCompositionServicesProofreader:LindaSeifert

Indexer:EstalitaSlivoskey

AbouttheAuthorsJasonTylerhasbeenanITinstructorandiscurrentlyDirectorofTechnologyforTypefrag.com.AnavidAndroidhacker,JasonhasbeenrootingandROMingeveryAndroidphonehecangethishandsonsincetheOGDroid.

WillVerduzcoisaJohnsHopkinsUniversitygraduateinneuroscienceandisnowcurrentlystudyingtobecomeaphysician.HeisalsoPortalAdministratorforXDA-Developers,andhasbeenaddictedtomobiletechnologysincetheHTCWizard.StartingwiththeNexusOne,however,hisgadgetloveaffairhasshiftedtoGoogle’slittlegreenrobot.

ForewordTheXDADevelopers(XDA)websitewasopenedin2003.Nineyearsmaynotseemlikethatlongago,butFacebookwasn’tevenathingthen.TheiPhoneandthefirstAndroidhandsetweren’treleaseduntil2007.So,inInternettime,XDAisold.Insmartphonetime,we’reancient.

xda-developers.comisastrangeURL—notasimaginative,shortorcatchyasmosthigh-trafficsites.There’sasimplereasonforthis:thesitewasn’tcreatedforyou.Weneverenvisionedasmartphonerevolution—orifwedid,weneverenvisionedthatmillionswouldcaresomuchaboutwhatwashappeningonourlittledeveloper-focusedforum.

XDAwascreatedfordevelopersanditisstillasitefordevelopers.Theyareincrediblysmart,generallyselfless,andhard-workingindividualswhosharetheircreations(forfree)withtheworld.Whentheyseeabooklikethis,theygetconcernedthattheirsitewillbeoverrun(morethanitalreadyis)by“newbs”withannoyingquestionsanddemands.Theyseethetitleofthisbook—withthatoverused“H”-word—androlltheireyes.

So,whydidXDAlenditsnametothisguide?Honestly?It’sbecausewecan’tstopyouallfromcomingandwe’dratheryoubeabitbettereducatedwhenyouarrive.Peoplespendmoretimetouchingtheirphonesthantheirspousesandmanyofthosepeoplewanttheirphonestobecompletelycustomizable(evenastheirspousesaregenerallynot).TheywanttoremoverestrictionsplacedonthedevicesbycarriersandOEMsandmakethephonetheirs.

ThisbookwaswrittenbyamemberofXDA.HisgoalwastosharehisenthusiasmaboutwhathefoundonthesiteandacrosstheInternetaboutthecustomizabilityoftheAndroidoperatingsystem,togetyoujustasexcited,andtoshowyouthetoolsyouneedtoputthatexcitementintoaction.Aswithmosttech-relatedbooks,muchofthetexthereinisoutdatedbythetimeithitstheshelves.Butthat’sOK.Evenifthecontentisslightlystale,evenifyoudon’thaveanyofthedeviceslistedinthetutorialchapters,westillurgeyoutoreaditcarefullysothatyouarebetterpreparedtounderstandasyou

exploreXDAforyourdevice.

Asasitefordevelopers,XDA’sgoalistomakesureyouhaveyourespectforallthosewhohaveblazedthetrailtomakeallthisgoodstuffpossible.WewantyoutouseXDAresponsibly—readeverythingbeforeposting,understandtherisksofrootingandcustomizingyourdevice,and,asyoulearn,becomeahelpful,contributingmemberofthecommunity.

TheXDAAdminTeam

Introduction

There’sareasonmostAndroidgeekshavesuchdisdainfortheothermajorsmartphoneoperatingsystem.TheiPhoneshacklestheuser,withitsclosedsourcecodeandecosystemruledwithanironfist.Android,ontheotherhand,freesdeveloperstotearapartandrebuildnearlyeveryaspectoftheuser’sexperiencewiththeoperatingsystem.Beyondtheworldofdeveloper-createdapplications(apps),thereisavastuniverseofdeepercustomizations—customkernelsandROMs,themes,CPUoverclocks,andmore.

Inmostcases,thesetasksbeginwithgaining“root”accesstoyourdevice.ThegoalofthisbookistogetyoucomfortablewiththetoolsandvocabularyofAndroidhacking,togetyouinthe“root”mindset,andtopointyoutowardsthebestonlineresourcesforexpandingyourknowledgeevenfurther.

FirstThingsFirst:WhatIsXDA?TheXDADevelopers(XDA)website,athttp://www.xda-developers.com,isthelargestsmartphonecommunityontheInternet.Asthenameimplies,thesite—launchedin2003—isadestinationfordevelopers.“XDA”wasalineofphonesbasedonWindowsMobilethatwerebrandedbyO2anddevelopedbyasmall(atthetime)TaiwanesemanufacturercalledHighTechComputerCorporation(HTC).AccordingtoXDAhistory:

ItwastheseearlyO2XDAdevicesthatthefoundersofoursitethoughthadmuchmorepotentialthanthesellersO2andHTCweregivingthemcreditfor.Withtheirgeekyhatsontheycrackedthemopenandbegantodevelopthembeyondthestandardfairlyboringbrandedversions.Tospreadtheword,theysetupasmallwebsiteandnaturallycalleditxda-developers.Intheearlydaystheyhadlessthanadozenmembers(2003).

Asmoreandmorephoneswerereleased,theXDAadministratorslaunchedanewforumforeachone.Thesitewasbuiltaroundthespiritofcommunityandcooperation.XDAitselfisnotanorganizationofdevelopers.Thesiteismerelyasandboxwheredeveloperscongregate.

Fromthoseearlyfewmembers,XDAbecameknownasthego-tosourceforinformationonhowtomakephonesdomoregreatstuffandhowtofixaphonethatwasotherwisebroken.Asmorepeoplewereattractedtothesite,enthusiastsweregivenahometosharetheawesomenessofmobiledevicedevelopment.Fromthatearlycoreofafewdozenenthusiasts,geeksanddevelopers,theXDAwebsitenowreceivesmorethantenmillionvisitorspermonthandthousandsofinformativepostseveryday.

ThematerialinthisbookdrawsheavilyontheworkdonebythefantasticcommunityatXDA.ThebookcombinestheworkoftheXDAcommunity,mytechnicalteachingexperience,andmyworkasanAndroiddevelopertoprovidealaunchingpointforthebuddingAndroidhacker.

TheXDAforumshavebecometheforemostInternetdestinationforinformationaboutmobiledevices:howtofixthem,howtohackthemand,generally,howtomakethembetterthanthemanufacturersmakethem.http://forum.xda-developers.comislaidoutinforumsdedicatedtoindividualdevices.Eachforumcontainsacoregroupofpeoplewhoworkwithandlovethedevice,aswellasthousandsofhelpfulindividualsonthesamejourneyasyou.WhenyouvisitXDA,youcanusethe“Forums”linkandnavigatethroughtheforumstofindyourspecificdevice(seeFigure1).

Figure1:Thedevice-specificforumsathttp://forum.xda-developers.com

TheDragonsthatLieAheadThefreedomofferedtoyouwhenyourdeviceisrootedisliberating.Itaffordsyousuchwondersas:

•completebackupofallapplicationsandtheirdata•GoogleApps,iftheywerenotincludedwithyourdevice

•overclockingyourdevice(speedingituptorunfasterandbetter)•fixingmanufacturerissues,suchasGPSerrorsorcalldropping

•wirelesstetheringtocreateaquickie“hotspot”•completelychangingandcustomizingthedeviceinterface.

AllofthisandmoreisavailabletothosewhostepoutonalimbandroottheirAndroiddevice.However,therearetwocaveatstokeepinmindbeforeyougetstarted.

Youshouldknowbeforeyoureadanyfurtherthatbyeventhinkingaboutrootingyourdeviceyoumayhavevoidedyourwarranty.

Notreally,ofcourse,butattemptinganyofthecustomizationsthatyoureadaboutinthisbookwillvoidyourmanufacturer’swarrantyandanyinsurancewarrantyyoumayhavepurchased.Manufacturersandmobileservicecarrierssellmillionsofdeviceseveryweek.Foreverydevicetheysell,theyhavetosupportacertainpercentageofthosedevicesthataredefective.AsfarasyourcarrierandOEMareconcerned,whenyoumesswiththestufftheyhavespentmillionsonmaking,theirresponsibilitytosupportyouends.

Therearenoexceptionstothisrule.MostOEMs,carriersandsupportcompanieswillinstantlyrejectanysortofsupportorreplacementrequestwhentheyfindthedevicehashaditssoftware,firmwareorhardwarealteredoutsidenormalparameters.Evenso-called“developer”devices,suchastheNexusrange,ceasetobesupportedwhenyoustartdevelopingonthem.

Thesecondbigcatchisthatyoucandopermanentirreversibledamagetoyourdevice.Intheparlanceofthemobiledevicehacker,thisisknownas“bricking”becauseitturnsyour$400smartphoneintosomethingasusefulasabrick.Someoftheexploitsthatareusedtogain“root”accessareedge-of-the-knifeproceduresthatcancompletelyruinadeviceifthetiniestmistakeismade.

Somedevicesaremorerobustthanothersandarelesslikelytobebricked.TheoriginalMotorolaDroidfromVerizon,forinstance,wasknownforbeingalmostimpossibletopermanentlybrick.ButeventhevenerableDroidhasbeenbrickedbyhastyorextremelyadventuroushackers.

Manyofthisbook’stutorials,whethertoachieverootorothercustomizations,requireyoutobefamiliarwithacommandpromptwindow,suchastheoneshowninFigure2.IfyouareatypicalWindowsuser,youprobablydonothavemuchexperiencewiththecommandline.Althoughyoucanfindshortcuts,scripts,andworkarounds,Istillrecommendyougetcomfortablewiththecommandline.BythetimeyoumakeitthroughChapter4,you’llbeacommandpromptpro.

Figure2:Thecommandpromptwindow

Mostofthestepsinthisbookassumethatyouhavetheabilitytoconnectyourdevicetoyourcomputerandthatyourcomputerhasallthedriversitneedstocommunicatewithyourdevice.Ifyouareunsureofthis,youmayneedtoreadthroughAppendixAtogetyourphoneconnectedtoyourcomputer.YourbestshotatgettingyourparticulardeviceconnectedtoyourcomputeristodoaquicksearchoftheXDAforumstolocatethedrivers.Don’tdoallthehardworkoflocatingtherightdriversifoneofthewonderfulpeopleatXDAhasalreadylocatedthem.

TheotherdragonthatcangobbleupthenewhackeristhatmostAndroiddevicehackingrequirestheSoftwareDevelopmentKit(SDK)tobeinstalledonyourcomputer.InAppendixA,IwalkyouthroughsettinguptheAndroidSDKandpointoutthefewpiecesthatyouactuallyneedforhackingyourAndroiddevice.

Formanydevices,muchoftheriskhasbeenremovedbydevelopersandhackerswhohavecreatedscripts,one-clickmethods,andhelpertoolstorootandcustomizeyourdevice.TheXDAforumsareanawesomecommunityofcuriousandextremelyintelligentpeoplethatcangetyououtofmostdeadendswhenhackingyourphone.

Inordertoaccessthewealthofinformationundoubtedlyavailableforyourdevice,youmustfirstnavigatetoyourdevice-specificforum.Findingthededicatedforumforyourdeviceisasimpletaskthatcanbeaccomplishedseveralways.Whileyoucouldcombthroughtheforumindexandfindyourdevicemanually,thiscanbecomequitefrustratinggiventheextremelylargenumberofdeviceforums.

Aneasiermethodtofindyourdevice-specificforumistousethe“FindYourDevice”boxintheupper-righthandcornerofthescreen,seeFigure3(top).

Simplytypethenameofyourdevice,orevenafewletters,andyouwillbepresentedwithalistofallmatchingdeviceforums.Alternatively,youcanjumptodevicesfromaparticularmanufacturerbyusingthe“DevicesbyOSorManufacturer”drop-downmenuatthetopcenterofthepage,seeFigure3(bottom).

Figure3:Searchingforyourdevicebyname(top)orbymanufacturer(bottom)

Ifyoudecidetocontinuetorootyourdevice,customizeitandslipthesurlybondsofOEMtyranny,youmustproceedatyourownrisk.Youhavetoaccepttheveryrealpossibilitythatyoucoulddoyourdevicepermanentharmorevenbrickit.JohnWiley&Sons,XDADevelopersandIarenotresponsibleifyouturnabeautifulshinyAndroiddeviceintothemostexpensivepaperweightever.

Youhavebeenwarned.

WhoThisBookIsFor

ThisbookisfortheAndroiduserwhowantstogetstartedwithhackingAndroiddevices.Ifyouhaveheardof“rooting”anAndroiddeviceandwonderwhatitmeansandhowitisdone,thenthisbookisforyou.ThisbookisalsofortheuserwhowantstogetmoreoutoftheirAndroiddeviceandincreaseitslifeandfunctionality.

WhatThisBookCoversThisbookcoversgeneralAndroidknowledgeandmobiledeviceconcepts.Italsoincludeschaptersthatgivethereadertheskillsnecessarytobeginhackingandexploringontheirown.Itcoversinstallingthetoolsneeded,suchastheAndroidSDK.Laterchapterscovertherootingproceduresforspecificdevices.Althoughdevices,andAndroiditself,changeveryquickly,readingawalkthroughcanprepareyouforwhatyoucanexpectinrootingyourdevice.

HowThisBookIsStructuredThisbookisdividedintotwoparts.ThefirstpartgivesabasicoverviewofAndroidandtheshell.ShellcommandskillswillbethecoreofyourAndroid-hackingcareer.Thesecondpartgivesexamplewalkthroughsonrepresentativedevices,fromtheverytightlylockedtothewideopen.Somedevicesfrommajormanufacturersaregivenadetailedwalkthroughtodemonstratehowtheskillslearnedearliercanbeapplied.TheappendixwalksyouthroughgettingyourcomputingenvironmentsetuptohackAndroid.

WhatYouNeedtoUseThisBookYouneedaPCwithWindows(XPorlater),afreeUSBport(USBhubsarenotgenerallyrecommended),andanInternetconnection.YouneedtobefamiliarwithnavigatingtheXDAforumsinordertoaccessthelatestupdatesandinformation.AndroidhackingcanbedoneverywellfromcomputersrunningMacorLinuxbutthisbookfocusesonthePCuser.YouneedanAndroiddeviceifyouwishtofollowalongwiththeexamplesandtutorialwalkthroughs.

PartI:WhatYouNeedtoKnow

Chapter1:AndroidOSInternals:UnderstandingHowYourDeviceStartsChapter2:RootingYourAndroidDeviceChapter3:TheRightToolfortheJobChapter4:RootingandInstallingaCustomRecoveryChapter5:Theming:DigitalCosmeticSurgeryChapter6:You’veBecomeSuperuser:NowWhat?

Chapter1:AndroidOSInternals:UnderstandingHowYourDevice

Starts

Inthischapter:

•Thepenguindownbelow:theLinuxkernel•Bootstrapping:Howyourdevicestarts

•Anintroductiontocustombootloaderandcustomrecoveryprocesses

Tofullyunderstandtheprocessofrootingyourdevice,gainingthecontrolandpoweryouneedtotrulycustomizeit,youneedtounderstandalittleabouthowtheAndroidoperatingsystemworks—howthedevicegoesfrombeingpoweredofftoafullyfunctioningstate.Itisinthisprocessthatdevelopersusuallyexploitweaknessestogainfullaccesstothedevice.Usuallysomestepinthebootprocessallowsadevelopertoinsertabitofcodeorascript,andthusaccessfunctionalitynotintendedbytheOriginalEquipmentManufacturer(OEM).

LinuxDevelopmentandOpenSourceLinuxbeganin1991withLinusTorvaldsworkingtomakeacompletelyfreeandopensourceoperatingsystemthatcouldbeusedbyhobbyists,academiaandhackers.Hisoperatingsystemhasgrowntobeoneofthemostpowerfulandflexibleintheworldtoday.Fromahandfulofunknowngeeks,thedeveloperbasehasmaturedtoincludethousandsofcontributorseveryyear.SomeofthefinestnamesincomputerscienceandprogrammingworkonthedevelopmentnotonlyofLinuxbutalsoofAndroid.

Linuxremainscompletelyfreeandcompletelyopensource.Thisallowscompaniesandindividualstohaveaccesstothepowerofcomputingdeviceswithoutthecomplexlegalandcopyrightconcernsthatcomewithclosedsourcesoftware.

ThePenguinDownBelowAndroidisanoperatingsystembuiltontheLinuxkernel.ThankstoGoogleandtheOpenHandsetAlliance,LinuxanditspenguinmascothavefoundahomeonAndroiddevices.AndroidisessentiallyahighlycustomizeddistributionofLinuxwithvarioustweaksorientedtowardsmobiledevices.

IfyouarefamiliarwiththeLinuxoperatingsystemthenyouaregoingtofeelquiteathomewithmanyaspectsoftheAndroidoperatingsystem.Ifyouarecomfortablewithanyothercommand-lineoperatingsystem,suchasDOSortheWindowscommandline,manyofyourskillstherewillbeusefulaswell.

Androidis,atitscore,animplementationoftheLinuxoperatingsystem.ManyofthecommandsyouwillbeusinginhackinganAndroiddeviceareLinuxcommands.However,youdonotneedtobeaprogrammertobecomeanAndroidhobbyistorenthusiast.Usingtheskillstaughtinthisbook,youcanbecomeadeptatexploringandalteringyourAndroiddevice.

ThedifferencesbetweenyourAndroiddeviceandaLinuxdesktopcomputeraremany.Themoststrikingdifferenceisthewayinwhichyourdevicebootstraps(starts)whenyoupoweriton.Itisinthisstartupprocessthatthehackersandelitedevelopersfindthevulnerabilitiestoexploit.BecauseLinuxhasalonghistoryofbeingthego-tooperatingsystemofdevelopers,hobbyistsandhackers,therearemanyprogrammersandprofessionalexpertsworkingontoolsthathelpyouwiththerootprocess.Mostofthe“heavylifting”isdonelongbeforetheaverageAndroidhackergetsaccesstorootonhisorherdevice.

AlthoughyoudonotneedtobeaLinuxnerdtorootandcustomizeyourAndroiddevice,beingfamiliarwiththeLinuxcommandline,andcommandlinesingeneral,willhelpyoufeelmorecomfortable.ForanexcellentreferencetotheLinuxcommandline,checkoutLinuxCommandLineandShellScriptingBible,2ndEditionbyRichardBlum(Wiley,2011).

HowYourAndroidDeviceStartsTheAndroidoperatingsystemhasacomplexandmultistagestartuproutine.Manufacturerslockthestartupprocesstoprotectrevenueandmaintaincontrolofthedeviceyoupurchase.ThenatureoftheAndroidstartupprocessallowsdevelopersandhackerstoreplacepartsofittoachievefullcontrolofanAndroiddevice.

BootstrappingBootstrapping(orbooting)isatermthatdescribeswhatacomputingdevicedoeswhenturnedon.It“pullsitselfupbyitsbootstraps.”WhenyoupoweronanAndroiddevice,atinypieceofcodeonamemorychipinitializesthememoryandCPU.Usuallythebootstrapcodeisreferredtoasthebootloader.Thebootloaderisdifferentfromdevicetodevice,althoughallbootloadersdothesamethings:theycheckforhardwarefeaturesandloadthefirstpartoftheoperatingsystemintothedevice’smemory.

TheencryptedbootloaderisthebeginningofallthingsAndroid,effectivelylockingouttheuserfromcustomizingthefirmwareandsoftware.LockingthebootloaderistheroughequivalenttoacomputermanufacturerforcingyoutouseaparticularversionofWindows,alongwithathemeoftheirchoosing.Thebootloaderistheprimarypointofcontentionbetweenownersofmobiledevicesandtheoriginalequipmentmanufacturer(OEM).Many,ifnotmost,OEMsspecificallydonotwantyoutohaveaccesstothatbootloadercode.ThereasonsthatOEMsdonotwantuserstohaveaccesstothiscodearevariedbutfallintothefollowingcategories:

•Thecostofhonoringwarranties:Alteringthebootloadercodecanpermanentlydisablethedevice.Thisisproblematicfordevicemanufacturersbecausebrokendevicesarereturnedtothemunderwarranty.Itisdifficulttodetermineifadeviceisbrokenbecausetheuserdidsomethingsillytoitorifitis,infact,defective.Thismeansthatthemanufacturermayhavetoreplaceadevicethatbecamedefectivethroughnofaultofthemanufacturer.Replacingdefectivedevicescostsmoneyandthosecostsmaybepassedontotheconsumer.•Theneedtoprotectcarrieragreements:Carriersarepaidtopre-installapplicationsfromthirdpartiesondevices.Manyorganizations,fromcarrentalcompaniestostreamingvideostartups,haveamobileapplication.Togetexposurefortheirproducts,theypaycarrierstoincludethoseapplicationsonyourdevice;toensurethatexposure,thecarrierblockstheuser’sabilitytoremovetheapplication.Afterall,itsimplywouldn’tdotohaveBlockbusterpayhundredsofthousandsofdollarstohavetheirapplicationonyourdeviceonlytohaveyouremoveittomakeroomforAngryBirdsthreeminutesafteryouwalkoutofthestore.LockingthebootloaderallowscarriersandOEMs

todeclaresomeapplicationsas“system”applications.Thisremovesthemfromtypicalmanagementtasks,suchasdeletionormovingthemtoanSDcard.•Plannedobsolescence:DeviceswithaverylonglifearebadforOEMs.Thedevelopmentandreleasecycleofnewmobiledeviceshasbecomeincrediblyfast,outpacingevenoldstandardsintechnology.Whenadeviceisreleased,thedevicethatwillobsoleteitisoftenalreadyinproduction.Androidoperatingsystemupdateshavenewfeaturesandstabilitythatusersdesire.BecauseOEMsdependonsellingnewfeaturesandthelatestAndroidoperatingsystem,theyneedconsumerstowantthenewestdevices.AllowingconsumerstoupdatetheoperatingsystemandsoftwarethemselveseffectivelyreducestheneedtopurchasethelatestdevicefromtheOEMorcarrier.

Inessence,plannedobsolescencefromthecarriersandOEMsisdesignedtomaketheconsumerspendmoremoneytogetthelatestAndroidupdates.Ifyoucanhackthoseupdatesintotheperfectlygooddeviceyoupurchasedsixmonthsearlier,theOEMslosemoney.

WhenyoupoweronanAndroiddevice,thebootloaderisthefirstprogramcodethatruns.Bootloadingistypicallyatwo-partprocess,utilizingaprimaryandasecondarybootloader.

OnmostAndroiddevices,theprimarybootloadercannotbereplaced.Thisisbecausetheprimarybootloaderishardcodedintoanapplication-specificintegratedcircuit(ASIC)inthedevice.Thesehardcodedinstructionsloadthesecondarybootloaderintomemoryandtellitwherethememory,CPUandoperatingsystemarelocatedandhowtheycanbeaccessed.

TakingResponsibilityforYourHacksItisimportanttonotethatifyouchoosetohackyourdevice,youtakeresponsibilityforreplacingit.ItisunfairandunethicaltodosomethingsillytoyourdevicethatdisablesitandthenexpectthecarrierorOEMtoreplaceit.Goodhackersgointotheirhacksknowingthepossibleoutcomesandwillingtotakeresponsibilityfortheirownfailures.WhenitcomestoOEMandcarrierill-willtowardshackers,ensureyouarepartofthesolutionnotpartoftheproblem.Nevertrytoreturnabrickedordisableddeviceforreplacement.Learnhowtofixitortakeresponsibilityandreplaceit.

AddingaCustomBootloaderAcustombootloaderisasecondarybootloaderthatallowsyoutogainaccesstothefilesystemwithmorecontrolthanyoucanwithanOEMbootloader.Custombootloadersopenupthepossibilitiesofreplacingtheoriginaloperatingsystemfileswithcustomizationsasvariedasanewuserinterfaceorasuperchargedkernel.Despitethemanufacturer’sobjections,thehacker’sgoalistointerruptthestandardbootloadingprocessanduseacustombootloaderthatenableshackingofthedevice.

UnderstandingtheBootloaderProcessYourAndroiddevicefollowscertainstepswhenbootingup.ThefollowingstepsandFigure1-1aresimplifiedandmadegenerictoapplytomostAndroiddevices.

1.Specialcodeinthebootread-onlymemory(ROM)locatesthefirst-stagebootloaderandloadsitintomemory.ThebootROMisanASICthathasitscodepermanentlyprogrammed.2.Thefirst-stagebootloaderloadsthesecond-stagebootloaderafterinitializingsomememoryandgettingthehardwareready.

Thebootloadercheckstoseeifthesecurityflagison(S-ON).Ifitison,thenthebootloaderwillloadonlysigned(official)kernels.Ifthesecurityflagisoff(S-OFF),thenthebootloadernolongerchecksforsignatures.SettingS-OFFalsoreleasesothersecuritylockdowns,makingtheentirefilesystemwritableandenablingothergoodies,suchasallowingyoutoinstallacustomrecoveryprocessonthedevice.Thisisthestepinwhichyouwantyourcustombootloadertobeloaded.Theholygrailofhackingamanufacturer’shandsetistoloadacustombootloadersothatacustomkernelcanbeloaded.

Figure1-1:TheAndroidbootprocess

Fastboot(seeChapter3)isaprotocolthatallowslow-levelcommandstobesenttoadevicetodosuchthingsaswritefiles(suchascustombootloaders,recoveriesandROMs)totheoperatingsystem.Mostmanufacturers,therefore,disabletheFastbootprotocolatthefactory.Becausethesecond-stagebootloaderisthestepinthebootprocesswheretheFastbootprotocolisenabledordisabled,thispartofthecodeisfrequentlyencryptedorotherwiselockeddownbyOEMs.Somedevices,suchasNexusdevicesandtheXoom,canbeunlocked,allowingthe

Fastbootprotocoltobeenabled.

3.ThebootloaderloadsaLinuxkernelandcustomizationsintomemory.

Atthispoint,thebootloaderhandsoffcontrolofthehardwaretotheLinuxkernel.TheLinuxkernelandanysoftwareorfirmwarecustomizationsareusuallyallpackagedtogether.Onsomedevices,theyarecalledaROM.ThenameROMisaslightmisnomerbecauseNANDstorageisnottrulyread-only.Otherdevicesrequirecustomimages(inIMGformat)tobewrittentomemory;stillothershavethekernelpackagewrittenfromanRUUfile.Howeverthekernelpackageisplacedonthedevice,thebootloadermustknowwhereitislocatedandhowtohandoverthereinstoit.4.Thelaststepistheinitialization(INIT)process.TheINITprocessisthemotherofallotherprocessesthatrunonyourdevice.Itinitializesalloftheprocessesnecessaryforbasichardwareaccessanddevicefunctionality.ItalsostartsuptheDalvikvirtualmachineprocesseswheremostapplicationsareexecuted.

Throughthiswholestartupprocess,theimportantthingforyoutounderstandisthatmostofthehoopsyouhavetojumpthroughwhenrootingyourAndroidaretoachieveoneorbothoftwogoals:

•tosetS-OFF,therebyallowingyoutoloadyourowncustomkernelpackage

•toinstallacustomsecond-stagebootloadertoallowyoutoignoretheS-ONorS-OFFstateandloadyourowncustomkernelpackage.

Onsomedevices,neithergoalisachievableandyoumustuseworkaroundstocarryoutdevicecustomizations.Deviceswithcompletelyencryptedbootloaders,suchastheMilestoneandDroidX,canstillbecustomizedtosomeextent.Theamountofcustomizationyouareabletoachieveonthesedevicesislimitedandtheprocessisusuallyalittlemorecomplex.

CustomRecoveries:TheHolyGrailArecoveryisaseparate,standalonepieceofcodeonapartitionthatcanbebootedinordertoupdateAndroidandmaintainthedevice.AlmostallAndroiddeviceshavearecoverymodeintowhichtheycanbebooted.Oneof

yourgoalsasanAndroidhackeristogetacustomrecoveryontoyourdevice.Customrecoveriesallowyoutoincludemanyextrafeatures,includingeasycustomizationandbackup.

Arecoveryallowsyoutodousefulthingssuchasresettingadevicetofactorysettings,clearingthedatacache,andinstallinganofficialsignedupdatetotheAndroidoperatingsystem.Figure1-2showstheAmonRarecoveryscreen.Unfortunately,thecatchisthatthedefaultrecoveryprocessformostdevicesonlyinstallsupdatestoAndroidthathavebeensignedwiththeOEM’sdigitalsignature.

Ifyoucanachievefullrootandfullcustomrecovery,youcaneasilychangetheROMorfirmwarepackageinstalledonyourAndroiddeviceandcreatefullfilesystembackups,includingbackingupapplicationdata.DevelopersofcustomrecoveryprocessesincludemanyoptionsnotincludedinthestandardAndroidbootprocess.Figure1-3showsthescreenforthepopularClockworkModrecovery.ThisrecoverygivesyouthecapabilityofflashingacustomfirmwarepackagetoyourAndroiddeviceveryeasily,aswellasbackingupthefirmware,data,andcacheandstoringthemonyourSDcard.

Figure1-2:AmonRarecoveryscreen

Whichcustomrecoveryyouusedependsonpersonaltasteandthecompatibilityofyourdevice.TheAmonRaandClockworkModrecoverieseachworkonsomedevices.TheXDAforumsareagoodresourcetoseeifyourdeviceissupportedbyeitherofthosecustomrecoveries.Typically,the

processofrootingadeviceincludesinstallingoneoftheserecoveries.Ifyourdeviceissupportedbyacustomrecovery,youshouldinstallitimmediatelyafterrooting.Youcancheckthedeveloperwebsitesfordevicesupport.

Chapter4includesacompletewalkthroughfortheClockworkModrecovery.

Figure1-3:TheClockworkModrecoveryscreen

Chapter2:RootingYourAndroidDevice

Inthischapter:

•Whatisrooting?

•WhyyouwouldwanttorootyourAndroiddevice•Backingupdatabeforerooting•DifferentmethodsofrootinganAndroiddevice

•Howtogainrootpermissionsontwospecificdevices

YouhaveprobablyheardyourlocalAndroidgeekmentionrootingorreadontheWebsomewhereaboutrootinganAndroiddevice.Rootingmaysoundmagicalandmysterious,butitisafairlysimpleidea.Atitscore,rootinggivestheownerofadevicemorecontrolandaccess.

ThehighestlevelofprivilegeyoucanhaveonaLinuxsystemistobeloggedintothedeviceastherootuser,sometimescalledthesuperuser.Theterms“superuser”and“root”bothrefertothesamething.

WhyIsItCalled“Root”?ThetermrootcomesfromthehierarchicalnatureofthefilesystemandpermissionsinUNIXandLinuxoperatingsystems.Thebranchesofthefilesystemandusersresembleaninvertedtree.Therootofafilesystemisthebeginningofallthefilesanddirectories.Therootofthepermissionssystemisthebeginningofallpermissionsand,thereby,themostpowerfulandprivileged.

TherootlevelofpermissionexistsonLinuxsystemstoprovideadministrativeaccess.Loggedinasroot,thereislittlethatyoucannotdo.Roothaspermissiontoreadandwritemostplacesinthefilesystemandchangesystemsettings.Becauseofthis,thehighestgoalforanyhackeristoobtaintheabilitytologintoaLinuxdeviceasroot.

ItisthisveryhighlevelofprivilegethatyouareseekingwhenyourootanAndroiddevice.YouneedtherootlevelofpermissiontocustomizeyourAndroiddeviceinmanyways.

WhyShouldYouRoot?Thebenefitsofrootingyourdeviceincludesavingmoney,asyouextendthelifeandusefulnessofyourdevice,andfixingproblemscreatedduringdevelopmentormanufacture.Therearealsosidebenefitsofaddingfunctionalityandremovingrestrictionsimposedbythecarrierororiginalequipmentmanufacturer(OEM).However,thereareinherentrisksinusingroot-levelapplications,astheyaregivenaccesstoalldatafromallapplicationsinstalledonthedevice.Luckily,thisriskcanbemitigatedbyonlygivingrootpermissionstotrustedapplications.

IncreasingtheServiceLifeoftheDeviceOneofmyco-workerspurchasedoneofthefirstAndroiddevicesreleased,theHTCDream,alsoknownastheG1.Mattlovedthephone,butquicklyrealizedthatnewversionsofAndroidwouldrunslowlyornotatallonhisdevice.

AftertheÉclairreleaseofAndroid,itwassimplynotintheinterestoftheOEMsorthecarrierstoinvestinrecompilingAndroidforoldhardwareandworkingoutallthebugs.Matt’sG1wouldeventuallygetthenewversion—butnotsoonenough.CarriersandOEMswouldpreferyoutopurchaseanewdevicewiththelatestAndroidversion.However,developersintheAndroidandphone-hackingcommunitiesaredeterminedtoportnewversionsofAndroidtoolderdevicestoextendtheirliveswithadditionalcapabilitiesandfeatures.DeveloperssuchasKoushik(Koush)DuttaandotherteamsworkingseparatelyandinconjunctionhaveportednewversionsofAndroidtoolderhardwarethatOEMsandcarriershavelongsinceabandonedandstoppedsupporting.ToinstallanewerversionofAndroidonolderhardware,youneedtoberootedandhavefullfilesystemaccess.

ThatoriginalG1purchasedbyMattisstillhiseverydayphone.ThankstohackersatXDAandintheAndroidcommunity,itsportstheFroyoreleaseofAndroid.TheG1wasneversupposedtohavesuchalonglife.MattwouldhavehadtopurchaseatleasttwomoredevicesaftertheG1toaccessthemanufacturer-suppliedfeaturesofAndroidFroyo.Thankstorootaccess,MattwillbeusinghisG1forawhiletocome.(Yep,heiscoollikethat.)

FixingOEMDefectsAsaresultofthebreakneckpaceofmobiledevicedevelopment,fartoomanyAndroiddeviceshaveshippedwithsomeformofdefect.Someofthedefectsareminor,suchasdroppingcallsorwritingslowlytotheSDcard.Otherdeviceshaveshippedwithmajorfunctionaldefects.Forexample,theSamsungGalaxySdevice(knownastheFascinatewhensoldbyVerizonandbyothernameswhensoldbyothercarriers)wasdesignedwithprettycurvesthatforcedtheGPSantennaintoabadpositionandcausedthedefaultGPSsignalcomputationcodetogeneratenoorerroneouslocationdata.Anotherwisebeautifulandpowerfuldevicewasgivenanunnecessaryandirritating,ifnotfatal,flaw.

TheXDAforumsandotherAndroidhackingcommunitiesusuallyhaveafixfordesigndefectsfairlyquickly—eventhoughitisdifficult,ifnotimpossible,toaddressahardwaredefectwithasoftwarefix.However,installingapatchorfixfrequentlyrequiressystemwriteaccess,forwhichyouneedrootpermissions.AndroidusershavecometoexpectthatanydefectorusageirritationcanbefixedorpatchedbytheAndroidhackercommunity.IthasbeensaidthatevenOEMssometimeswaittoseehowtheAndroidcommunityfixesbrokenfirmwarebeforereleasingtheirownpatches.

AndroidVersionCodenamesTheinitialreleaseofAndroidhadnoname,butsubsequentreleaseshaveallhadaprojectnameatGoogle.ThefirstAndroiddevicetobepopularlyreleasedwassimplycalledtheG1.ItranAndroid1.5,knownasDonut.

SomeoneatGooglemusthaveasweettoothbecauseeveryversionhasbeennamedaftersomesweetconfection,startingwithDonut.ThesubsequentversionshavebeencalledÉclair,Froyo,Gingerbread,andHoneycomb(thelatterseemstobypassthesweetconfectionsthemeandcutstraighttothesweetsource).Thelatestversion,Android4.0,iscalledIceCreamSandwich.

IncreasingCapabilityManyOEMsbuilddeviceswithcomponentsthathavecapabilitiestheyneverintendtoemploy.Forexample,manyAndroiddeviceshavethecapabilitytotuneintoFMradiosignalsbutthatfeaturewasneverenabledandapplicationswerenotcreatedforradiotuning.AsaresultoftheworkoftheAndroiddevelopmentcommunity,theNexusOnegainedbothanFMradioandtheabilitytorecordin720presolution.

OverclockingAlmosteveryAndroiddevicehasaCPUthatcanrunatspeedsfasterthanthoseenabledbytheOEM.TheCPUsareoftenclockeddowntoenhancebatterylifeorreducethepossibilityofheatissues.Asdistributed,theXoomrunsat1GHz,butitcanbemadetorunsafelyandstablyat1.4or1.5GHz.Thisgivesanincredibleperformanceboosttoanalreadygreatdevice.ManyotherAndroiddevicescanhavetheirCPUspeedupgraded,givingfasterperformanceandgreatercapabilitytotheuser.SpeedinguptheCPUiscalledoverclockingandisagoodreasontorootyourAndroiddevice.

CreatingaPortableHotspotManycarriersproducedevicesthatprovideawirelessconnectionpoint(a“portablehotspot”)towhichyoucanconnect,justasyouwouldtoanyWi-Fihotspot.Suchdevicesenableyoutocarryahotspotaroundwithyou.Aportablehotspotsendsdataoverthecellnetworkinthesamewayasyourphone.ThereislittlefunctionaldifferencebetweenyourmobiledevicerequestingInternetdataandaportablehotspotrequestingdatafromtheInternet.HotspotsfrequentlycostasmuchasasmartphoneandrequireanexpensivedataconnectionpackageinadditiontowhatyoualreadypaytoaccessthesamedataonyourAndroiddevice.

RootingyourAndroiddeviceenablesyoutouseyourphoneasaportablehotspotdevice.Itisvaluabletobeabletocreateatemporaryhotspotinanemergencyorforatravelingbusinesspersontobeabletodosoregularly.Sinceyoupayfordatafromyourcarrier,howyouaccessthatdatashouldbeyourchoice.MostOEMsdisablethisfeatureonyourAndroiddeviceunlessyoupurchaseanexpensivehotspotpackage,andcarriershaveavestedinterestinyoupurchasingmoredevicesandmoredataplans.It’sworthnotingthat,moreoftenthannot,usingyourphoneasahotspotviolatesthetermsofservicewithyourcarrier,sotreadcarefully.

CustomizingtheDeviceAlthoughperhapsnotthemostcompellingfactor,thedesiretohavecompletepoweroverthelookandfeelofyourdeviceisfrequentlythefirstreasonforahackertowanttorootadevice.Unlessyouhavethepowertowritetoanyportionofthefilesystem,yourcustomizationswillbetemporaryorlimitedin

scope.

Onceyouhaveinstalledacustomrecovery,youcanwritecompletefilesystemportions,includingportionsthatareusuallycompletelyunchangeable.Installingcustomizedfirmwareusuallyinvolvesflashingafirmwareorkernelpackagethatincludesuserinterfaceimagesandlayouts,scripts,applicationpackages,andmuchmore.Thetimerequiredtocreatethesecustomizationswouldpreventmostpeoplefromdoingit.However,dedicateddevelopersspendthelong,geekyhoursnecessarytochangethedefaultfirmwareandreleaseitasaROMorotherfirmwarepackagethatenablesrooteduserstoflashalargegroupofcustomizationsallatonce.ManydevelopersreleaseorannouncenewROMpackagesontheXDAforums.

OverclockingaDeviceOverclockingisatermthatmeans“givingmorespeed.”Itcomesfromthetechnicalideathatacomputer’sspeedisbasedon“clockcycles”measuredinhertz.Speedsof500MHz,800MHzand1GHzaremeasurementsofhowmanyclockcyclesaprocessorgoesthroughinamillisecond.Overclockingmeansforcingachiptorunataclockspeedthatishigherthanitsnative,orset,speed.Thisusuallymeansincreasingthevoltagetothechip,whichresultsinusingmorebatterypower,generatingmoreheatand,mostimportantly,providingmorespeedtothedeviceuser.

Thedrawbacksofoverclockingarethattheincreasedheatanddropinbatterylifemayreducethelifeofthedevice.Manufacturersspendmonthsperfectingtherightfrequencyforthehardwarebasedontheplacementofchips,lifespanrequired,heatdissipation,andsoon.

BackingUpDataMostuserdataissafefromthedestructiveactionstakenduringrooting.However,applicationsandapplicationdataareremovedbyrootingorunlockingadevice.Forexample,usingtheFastbootOEMunlockdescribedinChapter3resultsinallofthe/datapartitionbeingwiped.Itisimportanttobackupimportantdataandassumethatyouwilllosealldatawhenhacking.

Afteryouhavesucceededinrootingyourdevice,backinguptheentireAndroidfilesystembecomesveryeasyandprovidesgreatpeaceofmindwhenyouchangedevicesorcustomizeadevice.ArooteddevicecaneitherperformacompleteNANDroidbackup,ifithasacustomrecovery,oramorefinelytunedapplication-specificbackup,usingaprogramsuchasTitaniumBackup.

ContactInformationGooglekeepsallofyourAndroidphoneandemailcontactinformationinitsdatacloud(thatis,theinformationisstoredonGoogle’sservers).Whenyouactivateaphonewithyourlogininformation,itpullsallofyourstoredcontactsbacktothephone.Aslongasyoudonotspecificallycreateacontactthatisstoredonlyonthephone,AndroiddevicesautomaticallysynchronizeallcontactstotheGoogleserversandyouneedneverfearlosingcontactdata.

BootingfromanSDCardSomeAndroiddevices,suchastheNookColorandWonderMediatablets,requireacustomSDcardforrooting.AspecialfilesystemandupdatescriptiswrittentoanSDcardusingaPC.TheSDcardistheninsertedintothedeviceandthedeviceisrebooted.ThedevicebootsfromtheSDcardandflashescustomfirmwareandbootloaders.

IfyoufindoutfromtheXDAforumthatyourdeviceneedstobootfromanSDcard,itisbesttouseaseparateSDcardonwhichyouhavenotstoreddata.MostmethodsofmakinganSDcardbootablewillcompletelyerasethedatafromit.

Often,rootingaphoneorAndroiddevicesetsthephonebacktofactorydefaults,resultingindata(includingcontactinformation)beingwipedfromthephone.ThismeansthatyouneedtosignintoyourGoogleaccountandletitsynchronizeallofyourinformation.Manyone-clickrootmethodsthatrunanexploitonyourdevicewillnotwipeyourdata,thoughyoushouldalwaysbeparanoidwhenitcomestobackingup.

ApplicationsandTheirDataAsimilarsituationexistswhenitcomestoGoogleAppsMarketplaceapplications.Whenyoudownloadandinstallanapplication,arecordthatconnectsyourlogininformationwiththatapplicationisstoredontheGoogleservers.Whenyoureactivateadevicewithyourlogininformation,itsynchronizesautomaticallywiththeGoogleAppsMarketplaceandautomaticallyinstallsanymissingapplications.

Althoughapplicationsarerestored,anydatastoredbyanapplicationwillmostlikelybelostunlessitwasspecificallybackeduporstoredtotheSDcard.Onsomedevices,youalsorisklosingalluser-createddata,suchasphotosanddocuments.Ifyouhaveimportantdatathathasbeencreatedbyanapplication,it’sagoodideatofindouthowtobackupandrestoreit(lookon

theXDAforum).Itisbesttoassumethatanyhackingprocesswillcauseallyourdatatobewiped.

DataontheSDCardAndroidstorescamerapicturesandvideosonyourSDcard,andyoumaywanttobackthoseuppriortohackingthedevice.DatastoredontheSDcardofanAndroiddeviceis,typically,safefromrootingactivities.However,it’salwaysagoodideatousetheMediaTransportProtocol(formostAndroid3.0+devices—USBMassStoragemodeforothers)ortheADBPULLcommand(seeChapter3)tocopyallofthedatafromyourSDcardtoabackupfolderonyourcomputer.

HowYouCanRootandLeaveYourOEM’sControlTheprocessofrootinganAndroiddevicevariesbasedonthemodelofyourdevice.Adevicethathasbeenavailableforawhilemayhavemultiplerootingmethods.Inthenextsection,wewalkthroughtheprocessofrootingwithtwodevices.Chapters3and4covermostofthecommonskillsandtoolsneededtoobtainroot.

Themethodsofobtainingrootfallintobroadcategories:

•OEMflashsoftwareforwritingfirmware•exploits•nativeFastbootflash

•scriptedorautomatedmethods.

TheseareverybroadandsubjectivecategoriesthatIhavecreatedfororganizationofthissection.Manydeveloperswilllikelytakemetotaskforthecategorizationoftheirmethodorutility.

YoucanfindoutwhatrootingmethodsareavailablebylookingintheXDAforumforyourspecificdevice.Forinstance,therootinginformationandproceduresformyXoomtabletarelocatedintheXoomAndroidDevelopmentsubforumoftheMotorolaXoomforum(http://forum.xda-

developers.com/forumdisplay.php?f=948).Mostprovenrootproceduresare“stickied”atthetopofthelistofpostssothattheyareeasytolocate.

Whetherthebootloaderorrecoveryisreplacedonyourdeviceusingflashsoftware,anexploitortheFastbootprotocol,theprincipleisthesame:rootpermissionisthefirststeptowarddevicecustomization.

OEMFlashSoftwareOnsomedevices,thefirsttimeyouacquireroot,youmustusethenativeOEMdiagnosticorflashsoftware.Afterflashingthefirmwareandaccessingroot,youwillusuallyuseacustomrecoveryforfurtherfirmwarechanges.

EducatingYourselfItisveryimportantthatyoureadeverythingthatisavailableaboutyourdevice.Readtheinitialrootinstructionsandanystickiedposts.Readtheentirethreadthatisconnectedtoyourdevice’srootprocedure.Plantospendacoupleofdaysjustreadinguponotherpeople’sexperienceswithrooting,themingandROMingyourdevice.Mostnewbiemistakesareeasilyavoidedifyoutakealongviewandhaveenoughpatiencetoreadeverythingavailableforandaboutyourdevice.Ahackerisaself-educatedandverypatientanimal.

Becauseyouareacceptingalltheriskandresponsibilityfordestroyingyourdeviceormakingitbetteryoushouldthinkmore“marathon”than“sprint”whenbeginningintherootingandhackingcommunity.ReadalotandaskquestionsonlyafterusingthesearchfunctionintheXDAforum.

Inparticular,it’sagoodideatoknowyourunbrickoptions(ifthereareany)beforeyouattempttorootyourdevice.IntheXDAforum,searchfortheterm“unbrick”andyourdevicename.

RootcanoftenonlybeachievedbyflashingacompletesignedfirmwarepackagewithOEMtools.Ifyourdevicerequiresanexternalprogram(otherthanthenativeAndroidSDKtools—AndroidDebugBridge(ADB)andFastboot)towritethenewfirmwarethefirsttime,thenitwillneedacompletesignedfirmwarepackage.Forexample,thefirstrootmethodavailablefortheDroid1involvedusingMotorola’sRSDLitetechniciantooltoflashacustombootloadertothebootsectionofthefilesystem.Similarly,manydevicesfeaturingtheNVIDIATegra2processorrequiretheuseofNVFlashandSamsungdevicesoftenmakeuseofODIN.

SometimestheonlywaytorecoverabrickeddeviceistouseOEMflashsoftware.

TheadvantagesofusingOEMflashsoftwarearethat:

•Itisusuallyfairlysafeandstraightforwardtoattempt.•Therearerelativelyfew,uncomplicatedstepsintheprocess.

ThedisadvantagesofusingOEMflashsoftwarearethat:

•Itissometimesdifficulttouseorunderstand.Atbest,theinterfaceissparse;atworse,itcanbeinlanguagethatyoudonotunderstand.

•OEMdebuggingsoftwarecanbedifficulttofindandkeepupdated.

ExploitsAnexploitisavulnerability(or“crack”)intheoperatingsystemthatcanbeexploitedbyahacker.Exploitscomeinmanytypesandformats.Forinstance,oneoftheearliestmethodsforgainingrootontheEVO4GwasanexploitofasecurityvulnerabilityintheAdobeFlashapplication.

IntheworldofLinuxoperatingsystems,hackingthroughtoauseableexploitispartscience,partartandalotofgutinstinctbuiltonexperience.Findingavulnerabilitythatcanbeexploitedisthefirstgoalofthedevelopercommunitywhenanewdeviceisreleased.Advancedhackersandgeeksracetobetheonestofindthecrackinthecodethatcanbeusedtofreealocked-downdevice.ThreadsexploringpossibilitiesontheXDAforumcanstretchtothousandsofposts.

ExploitsaresomeofthemostfunandrewardingwaystorootyourAndroiddevice.AbouthalfwaythroughrootingmyfirstHTCThunderboltusingScottWalker’sASHexploit,Irememberthinking“Wow,Iamreallyhackingthisthing.IfeellikeanactorinMissionImpossible.”ThatpsneuterexploitwrittenbyScottWalker(scotty2walkertotheAndroidhackercommunity)isagoodexampleofasimpleexploitthatwasusedtodosomereallycoolstufftogetaccesstoroot.ThepsneuterscripttakesadvantageofthefactthattheAndroidDebugBridge(seeChapter3),ifitcannotdeterminetheS-ON/S-OFFstate,assumesS-OFFanddefaultstomountingthefilesystemasreadableandwritablewhenyoulauncharemoteshellaccesstoanunrooteddevice.Thislittleexploitcanbeutilizedtowritetosectionsofthefilesystem,suchasbootsectionsandrecoverysections,thatwouldotherwisebeinaccessible.

Iamnotexperiencedenoughanddonothavethecodingskillstoprogramthe

psneuterexploit,butScottWalkerreleasedthecodetotheAndroidcommunity.Asaresult,IcanuseittofreemyAndroiddevice.IhaveneverhadmorefunthanwhenparticipatingwiththeAndroidcommunityattheXDAforumtohackanewAndroiddevice.

Theadvantagesofusinganexploitarethat:

•ItcanallowaccesstoatightlylockedOEMdevice.•Itisfunandmakesyoufeellikeahacker.

•ItisusuallydifficultfortheOEMtopatchandeliminatetheexploit.•Anyonecandoitusingtheskillsoutlinedinthisbook.

Thedisadvantagesofusinganexploitarethat:

•Itisacomplexprocessthatrequiresknowledgeandskill.

•Itiseasytodosomethingincorrectly.•Thereisahighpossibilityofbrickingthedevice.

NativeFastbootFlashWhenadeviceisleftunlockedorisunlockable,itcanbebootedintoFastbootprotocolmodetoacceptFastbootcommands.Fastbootallowsyoutoflashacompletefilesetorafilesystembundledintoasinglefile(knownasan“image”)todifferentareasofthefilesystem,suchasbootorsystem.

Mostfirst-generation“Googleexperience”devices,suchastheNexusOne,Xoom,andNexusS,haveunlockablebootloadersthatallowthesecurityswitch(S-OFF)tobeturnedoff,usuallyviatheFastbootcommand.However,notalldevicessupportFastbootnatively.Inotherwords,unlesstheOEMintendedyoutouseFastbootcommandsfromyourPC,youwillnotbeabletodoso.TheFastbootcommandanditscapabilitiesarecoveredinChapter3.

TheadvantagesofusingFastbootarethat:

•Theinstructionsaresimpleandfairlyeasytofollow.•Itisaneasymethodwithrelativelylowrisk.

ThedisadvantagesofusingFastbootarethat:

•Alimitednumberofdevicessupportit.•Command-lineskillsarerequired.

•PerformingaFastbootOEMunlockwillclearthe/datapartitiononthedevice.

ScriptedandOne-ClickMethodsThisisaverybroadcategorythatincludesmethodsfromtheverysophisticated,suchastheunRevokedrootmethod,tosimpleADBscripts.Scriptedmethodsusuallyinvolvealotlessuserinteractionthanstep-by-steprootingmethodsthatuseADBorOEMtools.Asaresult,theytendtobeeasierandmorereliable.Custombinarymethods,suchasunRevoked,relyonaproprietarylinkacrossyourUSBconnectionorrunninganapplicationdirectlyonyourdevice.Evenso,proprietarymethodsperformthebasicfunctionofreplacingthebootloaderorrecoveryprocessonthefilesystem.

DebateaboutScriptedandOne-ClickRootsThereisanongoingdebateintheAndroidcommunityaboutone-clickandscriptedmethods.SomedevelopersfearthatOEMswillcrackdownonthesemethods.Othersarguethatmakingrootingeasierlowersthebar:theeasieritis,themorepeoplewillaccidentallybricktheirdevicesandattempttoreplacethemunderwarranty,causingOEMstomakerootingmoredifficultintheirnextrelease.

Theclearadvantageofusingascriptedorone-clickrootmethodisthattheprocessismucheasier.

Thedisadvantagesofusingscriptedandone-clickmethodsarethat:

•Thehackerhaslesscontrolovertheprocess.•Theendresultisachievedwithoutlongperiodsoffrustration.•Fewerdevicesarecompatiblewiththesemethods.

RootingTwoDevicesThissectionprovidesageneraloverviewcomparingtwomethodsofrootingattwolevelsofdifficultyontwophones.TheNexusOneisadeveloper’sphone;itwasdesignedtobeveryeasytorootandcustomize,andweuse

Fastboottorootit.TheThunderboltismoredifficulttoroot,andweusethepsneuterexploitscript.

Don’tworryaboutanyterminologyyoudonotunderstand.Itwillbecomemorefamiliartoyouasyouproceed.

NexusOneInthissection,weunlockandrootaNexusOnephone.Googleplacedaremovablelockonthebootloader,sofirstyouhavetounlockitusingadevelopertoolcalledFastboot.Onceunlocked,thedeviceissimpletohackandroot.WhenanOEMallowscommunityunlocking,itmakeseverythingthatfollowssimpler.

1.ConnecttheNexusOnephonetoyourcomputerwithaUSBcable.2.PlacethephoneinFastbootmodebybootingwhileholdingacombinationofkeys(thespecificcombinationdiffersbasedonyourdevice).FastbootmodeallowsthephonetoacceptcommandsfromtheFastbootprotocol.3.Fromacommandshellwindowonyourcomputer,runthefollowingcommandtounlockthebootloader:fastbootOEMunlock

4.RebootthephoneonceagainintoFastbootmode.5.Runascripttoinstallthe“superboot”bootloaderonthedevice.

Atthispoint,theNexusOneiscompletelyrooted.

HTCThunderboltAmoredifficultrootisexemplifiedbytheThunderboltfromHTC.HTClockedthebootloaderandmadeitverydifficulttoaccessthefilesystemasarootuser.Thisoverviewshowstheincreasedlevelofcomplexitythatcomeswithalockedbootloader.Itisahigh-levelviewofthestepsnecessary—seeChapter9forthedownanddirtydetails.

1.ConnecttheThunderbolttoyourcomputerwithaUSBcable.2.UsetheADBdevelopertooltopushthefollowingitemstotheSDcard:

•thepsneuterexploitscript

•theBusyBoxutility

•anewbootloaderimagefile.3.UseADBshellcommandstochangethepermissionsonthepsneuterscriptandBusyBoxsotheycanbeexecuted.

4.UseADBshellcommandstorunthepsneuterexploitscripttogaintemporaryrootaccesstothesystemfiles.5.UsetheBusyBoxMD5SUMcommandtomakesuretheimagefileisexactlythesameastheoriginalfromwhichitwasdownloaded.6.UsetheBusyBoxDDcommandtowritetheimagefiletothebootloadersectionofmemory.

7.UseADBshellcommandstopushadowngradefirmwaresignedbytheOEMtotheSDcard.8.Forcethephonetorebootandinstallthesigneddowngradefirmware.

9.UsetheADBdevelopertooltopushthefollowingitemstotheSDcard:•thepsneuterexploitscript

•theBusyBoxutility

•thewpthisscript.

10.SetthepermissionsonpsneuterandrunittogainADBshellrootaccess.11.Setpermissionsonwpthisandrunittogainaccesstothelockedbootloader.

12.UseADBtopushanewbootloaderimagetotheSDcard.13.Writethenewbootloadertothecorefirst-levelbootloader.

14.UsetheBusyBoxMD5SUMcommandtomakesurethehashofthenewbootloadermatchesthebootloaderimagefile.15.IftheMD5SUMisincorrect,repeatSteps12–14untiltheMD5SUMiscorrect.16.PushanewunsignedcustomsystemfirmwaretotheSDcard.

17.Rebootthephoneandletthenewbootloaderloadthecustomfirmware.

Atthispoint,theThunderbolthastheS-OFFbootloader.Therearethen10morestepstoinstalltheSuperUserapplicationandgainpermanentrootaccess.Asyoucansee,rootingadevicethathashaditsbootloaderlockedbytheOEMissignificantlymorecomplexthanrootinganunlockeddevice.Hackingalockeddevicetoafreeandopendeviceisarewardingexperiencethat,onceaccomplished,willhaveyouseekingtorootmoredevices.

TheRootofItAllOnceyourdeviceisrooted,it’sreallyjustthebeginning.Applyingcustomfirmware,knownasaROM,requiresrootaccess.IfyouwanttoremoveOEMandcarrierbloatware,yourequirerootaccess.

AT&Tpreviouslypreventednon-marketapplicationsbeinginstalledondevicesitsupplied.Rootingoneofthesedevicesalloweduserstoinstallnon-marketandcustomapplicationsonanotherwiseseverelylimitedphone.

BloatwareAsmentionedinChapter1,carriersandOEMstakemoneyfromservicevendorsordeveloperstoplaceapplicationsonyourAndroiddevice.Thishelpsthemoffsetthecostofthedevice(orboostexecutivebonuses,dependingonyourpointofview).

Whateverthereasonstheseapplicationsareinstalled,theyarepermanentwhenyourdeviceisinitsunrootedstate.Youcannotuninstallthemorremovethem.Thisisroughlyanalogoustopurchasingacomputerthatcanonlyhave19programsinstalledonitandthemanufacturerforcesyoutohave5specificprogramsthatyoudon’twanttouse.Thisbloatwareoccupiestheverylimitedmemoryonyourdeviceandsometimesrunsservicesyoudon’tneedorwant,consumingbatteryanddatastorage.

Somelow-budgettabletsandphonescannoteveninstallapplicationsfromtheofficialGoogleAppsMarketplace.Ifyourootsuchadevice,youcaninstalltheGoogleAppsMarketplaceandaccessallthegoodiesthatmoreexpensivedevicescanaccess.

Asyoucansee,rootingyourAndroiddeviceisthedoorwaythroughwhichyoucantrulyownyourdevice.Iteliminatescarrierrestrictionsandremovesthelimitationsthatmightotherwiseforceyoutoupgradeorpurchaseadifferentdevice.

Chapter3:TheRightToolfortheJob

Inthischapter:•Hardwareandprerequisitesforhacking•AndroidDebugBridgebasiccommands•Fastbootcommands

•TheADBshell

Mostrootproceduresrelyonsimilartools.Theprocesses,exploits,andlevelofaccessmaydiffer,butthetoolkityouusetogetadevicetorunwithS-OFForrootfilesystemaccesswillalwaysbefairlysmall.Asolidunderstandingofthetoolsandhowtheyareusedwillhelpyouwithyourcomfortlevelwhenrootinganewdevice.

Ready,Set,...WaitIHavetoHaveWhat?Beforestartingmosthackingjobs,orevenanAndroidexploratorymission,youneedtobeabletoconnectyourphonetoyourcomputerandyouneedaccesstohackingtools.

ConnectingaPhonetoaComputerYouneedtomakesurethatyouhaveanappropriatecableforthephysicalconnectiontoaPCanddriverstoenableyourcomputertomakesenseoftheconnection.Manydevicesshipwithoutdrivers—theydependonnativedriversincludedwiththeoperatingsysteminstalledonyourcomputer.

Dependingonthemodesyourdevicehaswhenconnectedtoacomputer,thecomputermayrecognizeitasamass-storagedeviceandconnecttoitasifitwereanexternalharddriveormemorycard.

YouneedtoinstallsomeformofdebugordeveloperdriveronyourcomputerandmakesurethatUSBDebugging(debugmode)isenabledforanyinteractionsbetweenthecomputerandthephone.Debugmodeopensthe

connectionwithyourcomputerandallowssignalsandcommandstobesenttoandreceivedfromAndroid.

HackingToolsAndroidhackingtoolsfallintothreebasiccategories:

•developertoolsfromtheSDKandthirdparties•scripts•Linuxexecutablesandcommandsonthephone.

DevelopertoolsincludetheAndroidDebugBridge(ADB)andmoreadvancedtools,suchassmaliandbaksmali,fortakingapartAndroidapplicationpackage(APK)filesandputtingthembacktogether.

SomeLinuxshellcommandsareincludedontheAndroiddevice;othersareplacedonthedeviceduringthehackingprocess.ThemostpopularandeasiestbundleofLinuxshellcommandsforAndroidistheBusyBoxpackage(moreonBusyBoxlaterinthischapter).Thesecommandsareoftenexecutedinascript—aseriesofLinuxshellcommandsthatcanberuneitherfromtheAndroiddeviceorfromanADBshellonaconnectedcomputer.

OtherOptionsSomedevices,suchastheNookColorandoff-brandbudgettablets,arehackedbycreatingaspeciallyformattedSDcardthatcontainscustomfirmwareandscriptstoberunbytheAndroiddeviceonboot.Forthosedevices,theprerequisitesarealittledifferent.Youusuallyneed:•ablankSDcard•adiskimagefilewiththecustomAndroidROMandscripts

•anapplicationonyourcomputertowriterawdiskimages.

USBCablesYourdevicelikelyshippedwithacabletoconnectfromthedevicetoacomputer.ThemostpopularcableandconnectiontypeistheUSBmicro,showninFigure3-1.

Figure3-1:AUSBmicrocable

Dependingonhowmuchandhowroughlyacablehasbeenused,itmaybeabletochargeaphoneortabletbutbecompletelyunabletoreliablytransmitdata.Somecheapcables(usuallyfoundwithcheapcarchargers)onlyhavethechargingpinsofthemicroUSBjackconnected,sotheywillneverbeabletoconnecttoyourcomputerfordatatransfer.IfyourOEM’scableisingreatconditionwithoutharshbends,kinksorcattoothmarks,thenyoushouldbefine.However,ifyouhavelost,damagedorreplacedyourOEMcablemakesurethatyoureplaceitwithasimilarcable.

AUSBcableisaUSBcable.However,notallUSBcablesarecreatedequallyintermsofqualityandfit.ThemicrojackendofaUSBcableisparticularlypronetohaveapoorfitthatgivesabadconnectionorpoorlysupportsthedelicatejacksocketcomponents.Unfortunately,USBcableissuescanbedifficulttodiagnoseordetect.Unlessyouhavedisconnectionissuesthatareobviouslyrelatedtomovement,youwillneedtohaveasparecabletoswapwithasuspectedbadcable.

IfyouconnectyourdeviceviaaUSBhuboraUSBportonthefrontofyourcomputer,youarelikelytoexperienceconnectionissues.YourdeviceshouldbeconnectedtoaUSBportonthebackofyourcomputeroroneyouknowisdirectlyconnectedtothemainUSBbus.

IstruggledforhourswithmyXoomUSBcablepluggedintoafrontUSBport.

Thedeviceconnectsbutappearsas“offline”.Itinstantlyconnects“online”whenIplugtheUSBcableintotherearofmycomputer.

USBDebuggingWithaknown,orassumed,goodUSBcableconnection,youneedtoturnonUSBdebuggingonyourphoneortablet.DebugmodeallowsADBsystemcommandstotravelbetweenyourdeviceandyourcomputer.Youcanalsoviewsystemlogsandthefilestructure,andpushorpullapplicationsandfiles.However,somecautionmustbeexercisedwhenenablingUSBdebugging,asaconnectedcomputercanpotentiallyinstallapplications,copydata,andreadlogsonthedevice.

ItisimportanttorememberthatmanyoperationsyouperformwhileindebugmodeendbyautomaticallyresettingorturningoffUSBdebugging.Thismeansthatbeforeeachmajorstepinahackingprocedureyouneedtocheckthatyourdeviceisindebugmode.LuckilyAndroidmakesthisveryeasy.Wheneveryourdeviceisindebugmode,youwillseethedebugmodeiconinthenotificationbar(seeFigure3-2).

Ifyoudon’tseethedebugicon,youdonothavedebugconnectivityandADBwillnotwork.OnmostAndroiddevices,thefollowingstepsturnonUSBdebugging:

1.Accessthedevicesettings,usuallybytappingtheMenukeyorsoftbuttononthehomescreen.(OntheXoomandsomeothertabletdevices,youmusttaptheareaneartheclockandthentapSettings.)2.OntheSettingsmenu,tapApplications.

3.TapDevelopment.4.TaptheUSBdebuggingcheckbox.

5.ClickOKonthenotification.

ThedebuggingiconshouldbevisibleinthenotificationsareaasinFigure3-2.

Figure3-2:DebugmodenotificationsfromtheNexusOne(top)andtheEVO3D(bottom)

SomeAndroiddeviceshavetheabilitytoputtheUSBportintoothermodes,suchas“chargeonly”or“massstorage”.YoumayneedtoexperimenttodeterminewhichUSBportsettingsallowyourdevicetoworkwithADB.Usuallythe“chargeonly”or“Sync”settingsallowyoutostarthackingacrosstheADBconnection.ChecktheXDAforumforyourdevice—itislikelythatsomeonehasalreadyfiguredouttherequiredsettingsforyoutoconnectcleanly.

What’sDrivingThisThing?Thefirsttimeyouconnectyourdevice,adefaultsetofoperatingsystemdriversarelikelytobeused.ThesedriversarelikelytobegoodenoughforSDcardaccessandcharging.However,ADBneedsspecifickindsofconnectivitythatusuallyrequiresdeveloperorOEMdrivers.Thenextsectionshowsyouhowtoverifythatyouhavethecorrectconnectivity.

Toverifythedriverthatyouhaveinstalledonyourcomputer,youwillwanttoseethatthereisadriverwith“ADB”or“DebugDriver”inthedescription.Thestepsaredifferentfordifferentoperatingsystems.OnWindows,usetheDeviceManagertolookforanitemthatreferstoyourdeviceOEM’sname.Inotherwords,ifyourdeviceismanufacturedbyMotorola,youarelooking

foradevicewith“Motorola”orsomethingsimilarinthename.IfyouseeanitemwithADBinthedevicename,thecorrectdriversareinstalled.However,ifthereisawarningorerroricon(anexclamationpointorredX),thecorrectdevicedrivermaynotbeinstalledortheconnectionmaybemalfunctioning.

Tolocatethecorrectdriversforyourdevice,youusuallyneedtodownloadthemfromyourOEM’ssupportwebsite.Itisnotalwayseasytolocatethecorrectdevicepackagesevenwhenyouknowwhatyouarelookingfor.TheXDAdeviceforumsfrequentlyhavea“sticky”postthatcontainslinkstodevicedriverdownloads.SomeOEMs,suchasMotorola,haveadevicedriverhelperthatscansforconnecteddevicesanddownloadsthecorrectdrivers.

UsingtheAndroidDebugBridgeInthissection,wedemystifytheAndroidDebugBridgeandwalkthroughallofthecommandsyouneedtostartfreeformhackingortofollowrootinginstructions.TheAndroidDebugBridge(usuallycalledADB)allowsyoutoconnectyourAndroiddevicetoyourcomputer.

ADBisacommand-linetoolthatrunswithvariousswitchesorparameterstododifferenttasks.Intoday’sworldofprettypoint-and-clickinterfaces,returningtoacommand-lineinterfacemayseemcounterintuitive,thoughanygoodhackerworthhisweightinunlockedcellphonesiscomfortableusingacommandline.

Thecommandswithwhichyouneedtobefamiliarcanbebroadlyseparatedintotwocategories:

•CommandsthatdosomethingtotheAndroiddevice.ThesecommandsstartwithoneoftheAndroidSDKcommands,suchasadborfastboot.

•CommandsthatdosomethingonorintheAndroiddevice.ThesecommandsarerunintheAndroidshellandareusuallyenteredonacommandlinethatstartswithahashsymbol(#)oradollarsign($).

SomeofthecommandsyouwillusearenotADBorAndroidcommandsbutcommandsforyourcomputer’soperatingsystem.Themostcommonoperatingsystemcommandsyoumayneedare:

•changedirectory:tochangethecommandpromptcontexttoadifferentfolder(cdonWindows,MacandLinux)

•directorylisting:tolistthefilesandfoldersinthecurrentfolder(dironWindows;lsonMacandLinux)

•makedirectory:tomakeasubfolderinthecurrentfolder(mkdironWindows,MacandLinux).

Connectivitybetweenyourdeviceandyourcomputeristhestartingpointforallhacking.FamiliaritywithADBanditsbasiccommandswillhelpyouasyoufollowmoredetailedrootingorhackinginstructions.Ihavefoundthatafearof,orunfamiliaritywith,ADBistheprimarystumblingblockforbeginnerhackers.Ifyouuseeachofthecommandsonceduringthiswalkthrough,youwillbesettofollowactualhackingwalkthroughs.

Noneofthefollowingexamplesandwalkthroughsmakeharmfulchangestoyourdevice.However,ifyouwanttoplayitverysafe(likeareallygoodhacker),makesureyoubackupanydatafromyourdevice’sSDcard.Youmustselecttheappropriateoptioninyourdevice’sPrivacySettingsmenutoenablebackingupandrestoringofyourdataandapplications.

ContactsandapplicationsyouhavedownloadedfromtheGoogleAppsMarketplacearestoredintheGooglecloudandwillrestorethemselvesifnecessary.

TherestofthischapterassumesyouhavetheAndroidSDKtoolsinstalledonyourcomputer.RefertoAppendixAfortheSDKsetupprocedureifyougetthemessageshowninFigure3-3.

Figure3-3:MessageindicatingthattheAndroidSDKisnotsetupornotinthecurrentfolder

CheckingDeviceConnectivityThissectiondescribesthemosteffectivewaytodetermineifyourcomputerhastherightamountandcorrectkindofconnectivitywithyourcomputer.

TheadbdevicescommandallowsyoutoseethedevicesconnectedtoyourcomputerintheAndroiddebugcontext.ItisalsothecommandmostAndroiddeveloperswillaskyoutorunatthebeginningofanytroubleshootingsteps.

MakesurethatyourAndroiddeviceisconnectedtoyourcomputerandyouhavethedriversinstalledbeforecontinuing.RefertotheappropriateXDAforumforlinkstodevicedriversyoumayneed.

1.Openacommandpromptwindow.(InWindows,pressWindows+R;typecmdintheRundialogboxandpressEnter.)

2.Typeadbdevices.

TheresultsshouldbeasshowninFigure3-4ifyourdeviceisconnectedandthecorrectdriversareinstalled.Ifnodeviceserialnumberislisted,thenADBisworkingcorrectlybutyourdeviceisnotconnectedorthedriverisn’tinstalled(seethe“TroubleshootingaConnection”sidebar).

Figure3-4:TheadbdevicescommandshowingaconnectedHTCdevice

IfyougettheresponseshowninFigure3-3,thentheADBfolderisprobablynotsetupcorrectlyinyourPATHvariable.RefertoAppendixAforsettingupADBsothatitisaccessiblefromanyfolder.

Ifeverythingiscorrectlyconnected,theadbdevicescommandreturnsalistofdevicesconnectedtothecomputer.IfyouhavemorethanoneconnectedAndroiddeviceindebugmode,eachislistedwithitsserialnumber.AnyAndroidemulatorsyoumayhaverunningalsoshowup.

YoucanspecifythedevicetowhichyouwanttosendanADBcommandbygivingitsserialnumber.Thisisverytediousanditiseasiertoconnectonlythedevicewithwhichyouarecurrentlyworking.

RestartingtheADBServiceRestarttheADBservicefromthecommandpromptwiththefollowingsteps:

1.Typeadbkill-serverandpressEnter.

2.Typeadbstart-serverandpressEnter.

ThisshutsdowntheADBservicegracefullyandre-initializesit.Youcanthencheckagainfordeviceconnectivityusingadbdevices.

TroubleshootingaConnectionSometimesyourdevicewillloseitsconnection.Whenthishappens,theadbdevicescommandreturns“Listofconnecteddevices”followedbytheword“offline”.ThismeansthatADBknowsthereisadeviceconnectedbutitcannotcommunicatewiththedevice.

UsethemnemonicDUCKtoremindyouofthestepstotakeintroubleshootingaconnection:•Debugmode:Makesurethedeviceisindebugmode.

•USB:MakesuretheUSBcableisconnectedtoanappropriate(rear)portandthattheAndroiddeviceisintheproperUSBmode.•Context:MakesureyouarerunningyourADBcommandfromafolderinwhichtheADBbinaryexecutableisaccessible.

•Kill:Iftheconnectionstilldoesnotfunction,youmayhavetokillandrestarttheADBserver.

YoumayhavetorebootboththecomputerandtheAndroiddevice.Youshouldverifythatthedriveriscorrectlyinstalledandreinstallifnecessary.

YoushouldalsochecktheXDAforumforcommonorknownconnectionissueswithyourdevice.

CopyingFilestoandfromYourDeviceOneofthemostusefulthingsyoucanbecomfortabledoingis“pushing”filestoand“pulling”filesfromyourdevice.MostrootandS-OFFhacksrequirepushingascripttoadeviceandthenrunningitlocallyonthedevice.This

walkthroughhasyoupushasimpletextfiletoyourSDcardandlookonyourdevicetoseethatitislocatedthere.Doingthisoncewithaninnocuoustextfilewillgiveyouthecomfortlevelyouneedtopushothertypesoffiletoyourdevice.

Makesureyouhavealocalfilesystemexploreronyourdevice,suchasRootExplorerorESFileExplorer.Youneedtobeabletoexplorethedevicefilesystemtoverifythatpushingafiletoyourphonehasworked.

First,youneedtocreateatextfile:

1.Openacommandpromptwindowandnotethepath.2.UseWindowsExplorertonavigatetothatfolder.

3.Right-clickinWindowsExplorerandselectNew→TextFile.4.Renamethetextfiletosample.txt.

Theadbpushcommandusesthefollowingpattern:

adbpush<desiredlocalfile><desiredtargetlocation>

Copythetextfiletothedevice.Switchbacktothecommandpromptwindowandenterthefollowingcommand:

adbpushsample.txtsdcardsample.txt

TheresponseshouldbesimilartoFigure3-5.

Figure3-5:Theresultsoftheadbpushcommandsequence

Ifthefileyouwanttopushtothedeviceisnotinthecurrentcontextfolder,youneedtouseitsfullpath,asshowninFigure3-6.

Figure3-6:Thesyntaxoftheadbpushcommandsequence

Ifadbpushreturnsanerrormessagesayingthatthefilesystemis“readonly”,restarttheADBserverandattempttheactivitiesagain.Ifyoustillhaveproblems,tryreplacingthepathtotheSDcardwiththepathtothetmpfilearea(datalocal/tmp)towhichyoumayhavemoreaccessonanunrooteddevice.

Nowlet’schecktheSDcardonyourdevicetoseethepushedfile.Openthefileexploreronthedevice.NavigatetotherootofyourSDcard.Dependingonthefileexplorer,itmaybethedefaultfolder;ifnot,itwillbeafolderlistedintherootofthefilesystem.Figure3-7showsthefileontheSDcardusingESFileExplorer.

Figure3-7:Thesample.txtfileontheSDcardinESFileExplorer

Nowyouaregoingtopullthefilefromthedevicebacktoyourcomputer.Theadbpullcommandusesthefollowingpattern:

adbpull<desireddevicefile><desiredlocalfile>

ThecommandsyntaxissimilartothatshowninFigure3-6,withpullinsteadofpush.

Inyourcommandpromptwindow,enterthefollowingcommand:

adbpullsdcardsample.txtsample2.txt

RemembertopresstheEnterkeyafteryouenterthecommand.

Nowtypedir*.txtandthenpresstheEnterkey.Thiswillgiveyoualistofallthe.txtfilesinthecurrentfolder.Youshouldseethesample2.txtfilethathasbeenpulledfromyourAndroiddevice.

Thepullcommandpulledafilenamedsample.txtandwroteittoyourlocalfilesystemunderthenewnamesample2.txt.YouwillseethisagaininthesectionaboutfilemanagementandwilldoitmanytimeswhenfollowingarootinstructionguidefromtheXDAforum.Pullingafiletoanewnameallowsyoutokeepcopiesofthefilestraightandissometimesnecessarytocorrectlyflashimagefilesorupdates.

YoumayoftenwanttobackupsomepartofyourAndroiddevice’sfilesystemtoyourcomputer.Youmaywanttopullaspecificapplicationorsystemfile,alteritonyourlocalcomputerandthenpushitbacktoyourAndroiddevice.Youcancopyanyfileusingtheadbpullandadbpushcommands.

RebootingaDeviceAfterflashinganimageorwritingafiletothefilesystem,itissometimesnecessarytorebootthedevicecleanly.TheadbrebootcommandallowsyoutorebootyourAndroiddevicefromthecommandlineofyourcomputer.Youcanusetheadbrebootcommandwithoneoftwoswitches:

•bootloader:Thisoptionbootsthedeviceintothebootloadermenu(asshowninFigure3-8).ThebootloadermenuissometimesusedtoaccessFastbootandtoflashofficialfirmwareupdates.Fromthebootloadermenu,youcanbootthebootloadersequence,rebootthedeviceorpowerdownthedevice.•recovery:Thisoptionbootsthedeviceintotherecoveryinstalledonthedevice.Itrebootsintothefirmware(thefactoryrecoveryoracustomrecovery)installedintherecoverypartition.

Figure3-8:TheBootloaderscreenoftheMotorolaXOOMafterrunningadbrebootbootloader

ThePowerofFastbootTheFastbootcommandfromtheAndroidSDKisapowerfultoolforwritingtothefilesystempartitionsofanAndroiddevice.YouwillmostlyuseFastbootcommandstoflashimagefilesandthecontainedfilesystemstovariouspartitionssuchasthesystem,bootandrecoverypartitions.

FastbootcommandsarenotsomuchexploratoryorhackingtoolsastheyarespecifictoolsusedwhenyouaregoingtofundamentallychangethefilesystemonanAndroiddevice.Assuch,youshouldonlyusethemwhenyouknowspecificallywhatyouaretryingtoaccomplish.NotalldevicescanboottoFastbootmode.Typically,youonlyuseFastbootcommandsondevicesthathavetheabilitytounlockthebootloader.

TheFastbootcommanddoesnotliveinthesamefolderastheadbcommand.FastbootisintheC:\ProgramFiles(x86)\Android\android-sdk-windows\tools\folder.

Aswiththeadbcommand,youusevariouscommandsandoptionsfollowingfastboottochangewhattheFastbootcommanddoes.ThewalkthroughsandactivitiesbelowrequirethatyourphonebeinFastbootmode.FollowthestepsbelowtoattempttoputyourdeviceinFastbootmode:

1.Connectyourdevicetoyourcomputerandverifyconnectivityusingadbdevices.

2.TypeadbrebootbootloaderandpressEnter.

Yourdeviceshouldrebootintothebootloader.Makesuretoselect“FASTBOOT”orequivalentfromthebootloadermenu(seeFigure3-8).

UnlockingaDeviceAfewdevices,suchastheNexusOneandXoomtablets,haveabuilt-inabilitytounlockandallowthefollowingcommandtoberun:

fastbootOEMunlock

ThiscommandsequenceunlocksthebootloaderandallowsyoutorunFastbootflashandothercommandssothatrootcanbeacquired.

UpdatingaDeviceThefollowingcommandflashesanupdate.zipfiletotheAndroiddevice:

fastbootupdate

Thiscommandisnotusedmuchinhackingorrootingproceduresalthoughitcanbeusedtobringbackadevicethatissoftbricked.IfthedevicecanreceiveFastbootcommandsandyouhaveafullfilesysteminanupdate.zipfile,youcanrestorethedevicefromthatfile.

FlashingaDeviceTheflashcommandisperhapsthemostusefulFastbootcommand.ItallowsyoutowritethecontentsofanimagefiletoanamedpartitiononyourAndroiddevice.Theargumenttothecommandnamesthepartitionthatistobeflashed:

fastbootflashboot

fastbootflashsystem

fastbootflashrecovery

Ondevicesthathavebeenunlocked,theflashcommandisfrequentlyusedto

flashafilesystemwithrootaccess.Forexample,ifyouhaveanewboot.imgfilethatcontainsanunlockedbootloaderorrootaccesspermissions,youcanusetheflashcommandtowritethecontentstothebootpartition.

Itisimportanttonotethatflashingthewrongthingorinterruptingtheflashingprocesscanpermanentlybrickyourdevice.NeverflashanimagefiletoapartitionunlessyouarecertainthatyouhavethecorrectfileforyourdeviceandyouhavereadupontheprocessintheappropriateXDAforum.

RebootingaDeviceThiscommandissometimesusedaftertheFastbootflashcommandtorebootthedevicesothattheflashedfilesystemcanbebooted:

fastbootreboot

Insteadofbootingnormally,thefollowingcommandbootsyourAndroiddevicedirectlyintothebootloader:

fastbootreboot-bootloader

HarnessingthePowerofthePenguinwithADBShellADBcanalsobeusedasadirectconnectiontotheAndroidoperatingsystemandharnessthepowerofLinux.Thecommandsthatcanberunfrominsidetheoperatingsystemshellaremanyandvaried.

TheadbshellcommandopensupyourAndroiddevicetoallowyoutoruncommandsdirectlyonthedevice.TheshellisfrequentlyutilizedtomakechangestothebaseAndroidoperatingsystemfiles.

WhenyouconnecttoanAndroiddeviceusingADBshell,thecommandpromptonyourcomputerchangestoindicateyouarenolongerenteringcommandsthatarebeingpickedupandinterpretedbyyourlocalcomputer.InsteadyouareintheAndroidoperatingsystemandthecommandsyouenteratthepromptarepickedupandinterpretedbyit.

Toloadtheshell,typethecommandadbshell.Thefamiliarcommand

promptchangestoanenigmatic$or#.Thedollarsign($)istheAndroidoperatingsystem’swayoftellingyouthatitiswaitingforinputbutthatyouarenota“privileged”usersoyoucan’treallyharmanythingbypokingaround.Youonlyseethehashtag(#)promptifyouareintheAndroidoperatingsystemasrootuser.ThehashtagisabeautifulthingtotheAndroidhacker:itmeansthatyouhaveultimatecontrolovertheAndroidfilesystem.

WhileintheADBshell,youneedtoenterLinux(notDOS)commands.Forinstance,togetalistingoffilesandfoldersinafolder,youenterthecommandlsinsteadofdir.

YoucansendshellcommandstoyourAndroiddevicewithoutstartingtheinteractiveshell.Forexample,ifyouenterthefollowingcommand:

adbshellcpsdcardsample.txt

&nbsp;&nbsp;sdcardsample2.txt

itisperformedasifithadbeenenteredonthecommandlineoftheshell.ManyrootinginstructionshaveyourunADBshellcommandsinthisway.ItisashortcutthatallowsinteractivecommandstoberunwithoutactuallybeingintheAndroidshell.

FileSystemNavigationInthisexample,youopentheADBshellanduseafewLinuxcommandstonavigatethefilesystem.ThecommandswecoverhereareincludedinthedefaultAndroidconfiguration.BecauseAndroidisaslimmeddownandcustomizedversionofLinux,itonlyusesaverysmallsubsetofthepossibleLinuxcommands.AlatersectiondealswiththemorecomplexLinuxcommandsthatyouinstallwiththeexcellentBusyBoxpackage.

Inthissection,weopenanADBshellprompt,navigatethroughthefilesystemandexitfromthefilesystem.

AccessingtheADBShellPromptFollowthesestepstoopenanADBshellprompt:

1.Openacommandpromptwindowonyourlocalcomputer.2.Enterthecommandadbshell.

IfyourADBenvironmenthasbeensetupcorrectly,youareintheAndroidshell.Ifyoureceiveanerrormessage,checkforconnectivity(remembertheDUCKtroubleshootingmodel).

Ifyourphoneiscurrentlyunrooted,youshouldseethepromptchangetoadollarsign($)followedbyaflashingcursor(seeFigure3-9).

Yourcommandpromptwindowisnolongeroperatinginthecontextofyourlocalcomputer.Insteaditisa“shell”thatismirroringdirectlytotheAndroidoperatingsystem.

Figure3-9:TheADBshellintheAndroidoperatingsystem

ListingtheFilesinaFolderNowtakealookatthefilesandfoldersinyourcurrentAndroidfolder.TypethecommandlsfollowedbytheEnterkey.(Remember,commandsarenotexecuteduntilyoupresstheEnterkey.)

Lookatthelistedfilesandfolders.Itisnotreadilyapparentwhicharefoldersandwhicharefiles.Unlessyouaddflagstothelscommand,Linux(and,therefore,Android)doesnotmakeanyvisualdistinctionbetweenfilesandfolders.PokingaroundinAndroidsometimesmeanstypingamoreadvancedversionofthelistcommandtoseewhatkindoffileisinaparticularfolderlisting.

Anytimeyouseeafileorfolderwiththenameprecededbyaperiod,itisahiddenfileorfolder.Atthispoint,youarenotlikelytoseehiddenfilesorfolders.Thecommandls–sallowsyoutoseetheselessobviousfiles.

NavigatingtheFileSystemThenextactivitywalksyouthroughtheimportantskillsofviewingyourcurrentfoldercontentsandnavigatingfromfoldertofolder.

1.IntheADBshellwindow,typethefollowingcommandtogototherootofthefilesystem:cd/.

2.Enterthecommandls.Nowyoushouldseefilessuchassystemandetcinthefolderlisting.

3.Enterthecommandcdsystemtochangeyouractivefoldercontexttothesystemfolder.

4.Typethecommandls.Youshouldseethefilesandfoldersthatarelocatedinthesystemfolderscrollpast.

5.Nownavigatebacktotherootofyourfilesystembyusingthecommandcd/.

Linux,andthusAndroid,isacase-sensitiveoperatingsystem.SothecommandcdSystemreturnsanerror.ItisimportanttokeepthiscasesensitivityinmindasyoubeginhackinginAndroid.RememberthatCASEMATTERS!

Usingthecdcommand,youcanwanderallthroughyourAndroidfilesystem.Usingthelscommand,youcanseethefoldersandfilesinthecurrentfolder.

ItwillhelpifyoukeepinmindthattheAndroidfilesystemislikeaninvertedtree(seeFigure3-10),withtheotherfoldersbranchingdownfromtherootfolder.Usingthecdcommandtonavigateintoaparentfoldertakesyouupinthehierarchy.

Figure3-10:TheAndroidfilesystem“tree”

Youcanusethefollowingshortcutcommandtonavigateuponelevelinthe

folderhierarchy:

cd..

Ifyoustartatrootandnavigateto/sdcardandthento/myfolder,yourfullpathissdcardmyfolder.Enteringthecommandcd..thenmovesbackupfromyourcurrentlocationto/sdcard.

FileManagementHackingisallaboutgettingaccessandpermissionsthatarenotstandard.Soyouneedthreebasicskillsforhacking:

•navigatingandmanagingfiles•determiningwhohaswhatkindofaccesstofiles•changingwhohaswhatkindofaccesstoafile.

Wehavecoverednavigationandnowwegoontolearnhowtomanipulatefilesandtheaccesstothem.

Intheprocessofhackingcertaindevices,youwillneedtomovefilestoandfromtheSDcard.TheSDcardisalow-privilegefilesystem,whichmeansthatyoucanplacefilesontheSDcardandthenpullthemintotheprimaryfilesystem,usuallyafterexploitingsomepartofthesystemwithascriptsuchaspsneuter.

SomefilemanagementtoolsarenotavailableuntilyoufollowthestepstoinstallBusyBoxonarooteddevice.WediscussBusyBoxattheendofthischapterandinthedevicewalkthroughs.

CopyingFilesThefirstthingyouneedtodoisbeabletocopyfilesfromonelocationtoanother.InanyLinux-basedoperatingsystem,youusethecpcommandtocopyfilesorfoldersfromonelocationtoanother.Thecpcommandusesthepattern:

cp<sourcefilename><destinationfilename>

Forexample,thecommandcpsample.txtsample2.txttakesthesample.txtfileandcopiesittoanewfilenamedsample2.txt.Sotherewouldthenbetwofiles:sample.txtandsample2.txt.

Thecpcommandcanalsotakefullpathnamestocopyonefiletoanotherlocation.Tocopyafiletonewlocation,specifythefullpathforthedestination:

cpsample.txtsdcardmy_folder/sample2.txt

Frequently,youwilluseadbpushtoputanexploitscriptorfirmwarefileontoyourSDcardandthenusecptomoveandrenameit.

DeletingFilesTheremove(rm)commandallowsyoutodeletefilesandfoldersfromthefilesystem.Theremovecommandusesthepattern:

rm<pathandfilename>

ThereisnorecyclebininAndroid,sotheresultsofthiscommandarenotreversible.

MovingFilesThemovecommandisequivalenttocopyingafileanddeletingtheoriginal.WhenBusyBox(coveredlaterthischapter)isinstalledonarooteddevice,themovecommandisavailable.

mvsample.txtsdcardsample2.txt

Theabovecommandcopiesthesample.txtfiletoanewfileontheSDcardnamedsample2.txtandthenremovessample.txtfromthecurrentfolder.

FileManagementWalkthroughIfyoustillhavethesample.txtfilefromthe“CopyingFilestoandfromYourDevice”sectiononyourSDcard,youcannowusefilemanagementcommandstoplayaroundwithit.IfyoudonothavethefileonyourSDcard,pushasample.txtfiletoyourSDcard.

1.StartADBshellbyrunningadbshellfromthecommandpromptwindow.2.Atthe$prompt,enterthecommandcd\sdcard.

3.Enterthecommandls–l.

4.Verifythatthefilesample.txtislisted.

5.Enterthecommandcpsample.txtsamplecopy.txt.

Nowlet’smakeanewfolderandcopythesamplecopy.txtfiletoit.

1.Enterthefollowingcommand:mkdirMyDirectory.

2.Enterthefollowingcommand:cpsamplecopy.txtMyDirectorysamplecopy2.txt

FilenamesandcommandsinLinuxandAndroidarecasesensitive,somydirectoryisanentirelydifferentnamefromMyDirectory.

Nowdeletetheoldcopyofsamplecopy.txtandverifythefilewasmovedtoMyDirectory.

1.Enterthecommand:rmsamplecopy.txt.

2.Enterthecommandls–landcheckthatsamplecopy.txtisnotthere.

3.EnterthecommandcdMyDirectory.

4.Enterthecommandls–landcheckthatsamplecopy.txtisthere.

FileAccessPermissionsManycommandsintheAndroidshellcantake“switches.”Aswitchisaparameterthatisenteredwiththecommandtochangethewaythecommanddoesitsjob.Let’slookattheswitchesforthelist(ls)commandyoulearnedearlier.IntheADBshell,typethefollowingcommand:

ls-?

Theshellthrowsanerrorbutthenshowsyoualltheacceptableswitchesforthelscommand.Ifyouuseanyunacceptablesyntaxwithacommand,itshowsyouaquicklistingoftheacceptedswitchesandparameters.Inafull

Linuxinstallation,youwouldbeabletousethemancommandtoseetheappropriatemanualpage.Androidisatrimmed-downversionofLinuxanddoesnotincludethemanualpagesforcommoncommands.

SeeingFileAccessPermissionsNoticethatoneoftheswitchesthatyoucanusewithlsisthe-l(that’salowercaseL,notanumeric1)switch.Whenyouusethisswitch,thelscommandshowsmuchmoreinformation.Let’stryit.TypethefollowingcommandinyourADBshell:

ls-l

YouroutputshouldresembleFigure3-11.Noticeallthegibberishatthestartofeachline—lotsofDs,Rs,WsandXs.

Figure3-11:Outputfromls-l

YoucanconsidertheleftmostcolumnofinformationinFigure3-11tobeatableofrowsandcolumns.Eachrowreferstothefileontherightandthecolumnscontaininformationaboutthatfile(seeTable3-1).Column1indicatesafolderbytheletter“d.”Thenextninecolumnsrefertotheaccesspermissionsforaclassofperson.Columns2–4showtheaccesspermissions

fortheUserclass;columns5–7fortheGroupclass;andcolumns8–10fortheOthersclass.

ThetwoaspectsofpermissionsonanAndroidfilearewhohasthepermissionandwhatkindofpermissiontheyhave.Thewhodefinitionisbrokendownintothreeclassesofpeople:

•Useristheownerofthefile.•Groupmeansalltheuserswhoareinthesamegroupasthefile’sowner.

•Othersmeansalltheotherusersonthedevice.

Eachgroupofthreecolumnsrecordsthekindsofpermission(Read,WriteandeXecute)thattheclassofpeoplehaveonthefile.Table3.1showsthepossiblevalueofeachcolumn.Ifaclassdoesnothaveaparticularpermission,thereisadashinthatcolumn.

OnanAndroiddevice,theimportantpermissioncolumnsarethoseforUserandOthers.Youwillneedtochangethepermissionlevelsofsomescriptsandbinaryfilesyouaddtoanunhackeddevice.

ChangingFileAccessPermissionsThechangemodecommand(chmod)isoneofthesinglemostimportantcommandsyoucanlearninAndroidhacking.Itisthecommandthatchangesthepermissionsandaccesstofilesandfolders.

YoucansetthepermissionlevelforacertainclassusingU,GandOtoindicateUser,GroupandOthersandusinganoperator(+or-)toaddorremoveapermission.Forexample,thefollowingcommandwouldsetthereadandexecutepermissionsfortheUserandOthersclasses:

chmoduo+rx<filename>

Nowthatmayseemsimpleenoughbutinstructionsandwalkthroughsusually

don’tusechmodinthatway.Instead,theyuseanumericvalueforaparticularlevelofpermissionforeachclass.ThepossiblenumericvaluesandtheirmeaningsarelistedinTable3-2.

Table3-2OptionsforthechmodcommandValue Permission

7 Full

6 Readandwrite

5 Readandexecute

4 Readonly

3 Writeandexecute

2 Writeonly

1 Executeonly

0 None

Asinglenumericvaluerepresentsthepermissionforeachofthethreeclassesofuserorgroup.Ifyoudeterminethatyoursample.txtfileshouldgivefullrightstoUserandread-onlyaccesstotheGroupandOthersclasses,thenthatpermissioncouldbesetusingthefollowingcommand:

chmod0744sample.txt

Ifyoudonothaverootaccess,youmaynotbeabletocarryoutthefollowingactivityonfilesinyourSDcardfolder.Ifthisisthecase,pushthesample.txtfiletothedatalocal/tmpfolderonyourdeviceandthentrytheactivityagain.

1.InyourADBshellwindow,enterthecommandcd/sdcard.

2.Enterthecommandlstoverifythatsample.txtisstillthere.

3.Enterthecommandls-lsample.txttoseewhichpermissionlevelsaresetforthefile.4.Enterthecommandchmod0775sample.txttomakesample.txtexecutable.

5.Enterthecommandchmod0766sample.txttochangethepermissionsforGroupandOtherstoreadandwriteonly.

Atfirst,thechmodcommandcanseemverydauntingandconfusing.Usuallyyoudonotneedtoworryabouttheoverallstructureofpermissionsforfilesandfolders;theinstructionsforarootingproceduresimplytellyouwhichfiletochangepermissionsonandhowtodoit.

RedirectionandPipingRedirectionallowsyoutowritetheoutputofacommandtodisk.Theredirectionoperator(>)causestheoutputofacommandtobewrittentoanamedfile(ifthefilealreadyexists,itisoverwritten).Forexample,thefollowingcommandputsthelistoffilesintolisting.txt:

ls-l>listing.txt

Pipingmeansusingtheoutputofonecommandastheinputofanothercommand.Thepipeoperator(|)takestheoutputofacommandandsendsitasinputtoanothercommand.Forexample,thefollowingcommandtakesthefolderlistingandpipesittothemorecommand(whichdisplaystheoutputonescreenatatimeandpromptstheuserforthenextscreen):

ls-l|more

1.InyourADBshellwindow,enterthecommandls-l>

\sdcard\listing.txt.

2.Enterthecommandmore\sdcard\listing.txttodisplaythecontentsofthelisting.txtfilecreatedwiththeredirectionsymbol.

3.Enterthecommandls–l|moretoseethatthepipegivesthesameresultasSteps1and2.

ConcatenationTheconcatenatecommand(cat)takesthecontentofafileorfilestructureandstreamsitouttoafileortothescreen.Forexample,youcanstreamthecontentsofafilesystemtoasinglefileusingtheredirectionoperator.Forinstancetogetabitbybitcopyofafilesystem,youcouldusethefollowingcommand:

cat/data&nbsp;&nbsp;>data.img

Thiscommandoutputsthecontentsofthe/datafoldertoanimagefile.

BusyBox:GivingthePenguinBackItsPowerOnlyahandfulofLinuxoperatingsystemcommandsareincludedwithAndroid.BusyBoxisanexcellentmulti-utilitybinarythatwasoriginallydevelopedbyBrucePerensandhasmaturedintoanincredibleSwissArmyknifeofLinuxutilities.ItiscurrentlymaintainedbyStericson,aseniormoderatoratXDA.WhenyouinstalltheBusyBoxbinary,yougetamuchlargersubsetofLinuxcommands,alloptimizedforsmallsystemsandlimitedresources.BecausetheBusyBoxutilitiesareinasinglebinary,theycansharecode,whichmakesforasmallinstallationpackage.

BusyBoxwillbeaconstantcompanioninyourhackingofAndroiddevices.AlotoftheadvancedLinuxtoolsyourequirearenotavailableuntilBusyBoxisinstalled.Forthisreason,installingBusyBoxisfrequentlyoneofyourfirsttasksinarootingorhackingsession.TheprocessofinstallingandlinkingtheBusyBoxcommandsdiffersbetweendevices.RootinginstructionsusuallyhaveinstallingBusyBoxasastep.SearchtheXDAforumsforinstructionsoninstallingBusyBoxonyourdevice.

SomeapplicationsthatrequirerootmayalsorequirethatBusyBoxisinstalledastheymaydependonsomeofthecommandsinBusyBox.

Over200commandscanbecompiledintoBusyBox.Inthecourseofhacking,youwillprobablyuseonlyafractionofthem.HerewecoverthreeofthemostfrequentlyusedcommandsfromtheawesomeBusyBoxbinary.TheyareusedfromyourAndroidcommandshelloranAndroidterminalprogram.

TheddCommandTheddcommandisaspecializedcommandthatuseslow-levelbitcopyingtocopyandconvertdatafromasourcetoagivendestination.InAndroidhacking,ddisfrequentlyusedtowriteanimagefiletoamemorylocationorfilelocationwhenthedataandresultmustbeexact,sothatitcanbeverifiedandusedforcriticalprocessessuchasoperatingsystembootfiles.

Theddcommandusesthefollowingsyntax:

ddif=<sourcefile>of=<targetfile>

•Theif(inputfile)parametertellsthecommandwheretofindthesourcefile.•Theof(outputfile)parametertellsthecommandwheretowritethetargetfile.

Youshouldtakespecialcarewiththeparameters:reversingtheifandofparameterswouldbecatastrophic.

TheechoCommandTheechocommandsimplywritesastringtothescreen(knownasstdoutinLinux).InAndroidhacking,itissometimesusedtotrickthesystemintobelievingithasreceivedaspecializedsystemmessagesuchas“Hey,thereisanupdateavailableontheSDcard—youshouldinstallit.”

Themd5sumCommandThemd5sumcommandallowsyoutohashafileusingtheMD5algorithmand

seetheoutput.Thisisaveryaccurateandeasywaytoseeiffilesindifferentlocationsarethesame.Whensomeonehasusedthemd5sumcommandtohashafile,theypublishtheshorthashstringandyoucancompareittothehashyoucreatelocally.Iftwohashstringsmatch,nomatterhowmanytimesthefileiscopied,moved,downloadedoruploaded,youcanbesurethatitisidenticaltotheoriginalfile.

InAndroidhacking,md5sumisfrequentlyusedtoverifythatcriticalsystemfiles(whichwillbeusedtoreplaceexistingfiles)areexactlyastheyneedtobebeforebeingpushedtothesystempartition.Itisalsousedtoverifyafileafterithasbeenwrittentomemoryorthefilesystem.

Toverifyafile,carryoutthefollowingsteps:

1.InacommandpromptwindowonyourlocalPC,enterthefollowingcommandtoopentheADBshellininteractivemode:adbshell.

Yourcommandpromptchangesto#,indicatingthatyouhaverootaccesstothefilesystem.

2.Enterthefollowingcommandatthe#prompttocheckthehashvalue,forexample,ofthesample.txtfileontheSDcard:datalocal/busyboxmd5sumsdcardsample.txt

Forthisfile,theoutputfromthehashcommandshouldbe4deed76681853806d45e141a96f606dc.(Forotherfiles,theoutputwillbeasimilarstring.)3.Iftheoutputstringdeviatesinanywayfromtheexpectedstring,youneedtorepeattheprocessofdownloadingorcopyingthefileandpushingittotheSDcard.

IfanMD5SUMhashdoesnotmatch,itisveryimportantthatyoudonotrebootyourdevice.YoumustcopythefileagainuntilyougettheexpectedMD5hashcode.

Chapter4:RootingandInstallingaCustomRecovery

Inthischapter:•Exploitsandhowtousethem•Hackingutilities•Recoverymode

•UsingtheClockworkModrecoveryapplication•Backupanddisasterrecovery

AnexploittakesadvantageofaknownvulnerabilitytoallowtheAndroidusertheabilitytoincreasehisorherlevelofprivilegeandaccessroot.MostexploitsarefoundduringthebootstrapprocesscoveredinChapter1.TheyarediscoveredbyexperiencedAndroidorLinuxdevelopersandprogrammerswhodreaminbinaryandliveonenergydrinksalone.Whentheyfindacrackinthelockdownthatoriginalequipmentmanufacturers(OEMs)andcarriersplaceondevices,theyreleasetheknowledgeofthevulnerabilityand,possibly,anexploitthatenableslessexperiencedorlessskilledhackersanddeveloperstoutilizethevulnerability.

HowtoUseExploitsManyofthesebenevolenthackersreleasetheiraidsontheXDAforumsorotherAndroidcommunitysites.ThisenablesthenextlevelofAndroidhackertoplaywiththeprocessforfreeingdevicesfromOEMandcarriertyranny.Anexploitmightbepackagedandreleasedbyadeveloper.

Oneofmyargumentsforlow-touchorone-clickrootingmethodsisthattheyarejustacontinuationofthisthoughtprocess.Mostofthepeoplewhodisdaintheone-clickrootmethodwouldbetotallylostifaskedtoexploittheASHMEMvulnerabilitythatenablesmanyoftherootprocessesthatareavailabletoday.Luckilyforthescoffers,ScottWalkercreatedthepsneuterutilitythatenablesustotakeadvantageofthatvulnerability.Justbecausesomethingisoutsideyourskillsetdoesn’tmeanyoushouldn’thaveaccesstothebenefitsandfreedomsitbrings.

ExploitscanbereleasedtotheAndroidcommunityasscripts,utilities,applicationsorimagefilesdependingonthetypeofvulnerabilitybeingexploited.Iconsidereachofthesetypesofreleaseinthissection.

ExploitScriptsAscriptisasetofcommandsthatcanberunwithasinglecommand.Ascriptcanbecomposedofcommandsandparametersornativecode.

AnAndroiddeveloperorhackerwhofindsavulnerabilityorloopholeinadeviceconfigurationcanpackageupthecommandsandproceduresnecessarytoexploititinascript.UsingscriptsfromotherAndroidhackersanddevelopersmakestheprocessofhackingintoanAndroidsystemmucheasier.MostOEM-lockeddevicesareeventuallyhackedwithsomesortofscriptorapplicationtoexploitaknownvulnerability.

Scriptsareusefulfarbeyondjusthacking.YoucancreatescriptsandrunthemfromtheADBshelloranAndroidterminalapplication.

AterminalapplicationallowsyouaccesstotheAndroidcommandshellfromthephoneitself.Terminalapplicationscanbedifficulttousebecauseofsoftkeyboardidiosyncrasies.

CreatingaScriptThescriptshownhereisasimpleexamplefordemonstrationpurposes.Itmayworkonlyifyouarealreadyrootedandhavesuperuserpermissions.

1.EnterthecommandsinListing4-1intoasimpletexteditor,suchasNotepad.(NotethatthesecommandsareexplainedinChapter3.)

2.Savethefileasbackup.scriptonyourlocalcomputer.

3.Fromacommandprompt,enterthefollowingcommandtomovethescripttoyourdevice:adbpushbackup.scriptdatalocal/tmp/backup.script

4.Enterthefollowingcommandtomakethescriptexecutable:adbshellchmod0775datalocal/tmp/backup.script

Listing4-1Asimplescriptmkdirsdcardmybackups

cpdata*sdcardmybackups

cat/system>sdcardmybackups/system.img

echoDataandSystempartitionsarebackedup

RunningaScript1.OpentheADBshellandnavigatetothedatalocal/tmpfolder.

2.Runthescriptbyenteringthefollowingcommand:./backup.script

Thecommandsinthebackup.scriptfilerunsequentiallyandcarryoutthefollowingactions:a.CreatesabackupfolderontheSDcard.

b.Copieseverythingfromthedatafoldertothemybackupsfolder.

c.Concatenatesthesystemfoldertoanimagefileinthemybackupsfolder.d.Tellstheuserthatithasfinishedrunningitscommands.

ExploitApplicationsAnapplicationisaprogramcreatedfromnativecodeandcompiledtorunontheAndroidplatform.Creatingclean,effectiveandsafeexploitsthatrunasnativeapplicationsissignificantlymoredifficultthancreatingscripts.Thedevelopermustclearlyunderstandthevulnerabilitybeingexploited,andmustalsobesurethattheexploitdoesnothaveundesiredresults.Becauseuserscannotreadthecodetoseewhatitdoes,agooddealoffaithmustbeplacedinthedeveloper’sabilities.TheAndroidcommunityofhackersareaclose-knitandfriendlygroupbutnobodylikeshavingtheirtoasterexplodefromrunningarogueexploitontheirphone.

YoucanseebylookingatListing4-2thatexploitapplicationsaresignificantlymorecomplexthanscripts.ThecodeinListing4-2isfromthepsneuterutilitybyScottWalker,whichhasbeenusedtogaintemporaryrootaccesstotheDroidProandmanyotherdevices.Therearemorethanahundredsuchlinesofcodeintheutility.ItiswritteninnativeCcodeandthusitismoreofafull,althoughverysmall,applicationthanascript.ThetemporaryrootaccessprovidedbythisscriptisallthetoeholdneededtorunBusyBoxcommandsandwritetoprivilegedareasoftheAndroidfilesystem.

Listing4-2PartofthepsneuterUtilityfdStr=workspace;

if(strstr(workspace,“,”))

&nbsp;&nbsp;&nbsp;&nbsp;*(strstr(workspace,“,”))=0;

else

{

&nbsp;&nbsp;&nbsp;&nbsp;fprintf(stderr,“Incorrectformatof

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ANDROID_PROPERTY_WORKSPACE

environment

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;variable?\n”);

&nbsp;&nbsp;&nbsp;&nbsp;exit(1);

}

szStr=fdStr+strlen(fdStr)+1;

fd=atoi(fdStr);

sz=atol(szStr);

if((ppage=mmap(0,sz,PROT_READ,MAP_SHARED,

fd,0))==MAP_FAILED)

Customscriptsandcodecanalsoapplythemesandinterfacecustomizations

thatdevelopersputtogetherforthecommunityofAndroidusers.

UsingaScriptorApplicationonaDeviceAnytimeyouseesomeonerefertoafileasascriptorsaythatafileshouldbeexecutedfromthedevice,youwillfollowthesesteps:

1.Pushthefiletoanareaofthefilesystem,suchasdatalocal/,thatcanrunprivilegedscripts.2.Changethepermissionsonthefiletomakeitexecutable,usingthefollowingcommand:chmod0775<filename>

3.RuntheexecutablefromtheADBshelloraterminalwindowwiththefollowingcommand:./<path>/<filename>

Thesestepswillalmostalwaysremainthesame,thoughthelocationthatthefileshouldbepushedtoandrunfrommaychange.

Z4Root,showninFigure4-1,isanexampleofanapplicationthatactuallyrootswhilebeinginstalledonthedeviceitisrooting.Itisacleverandusefulpieceofprogrammingthatdoesallofthehardworkinrootingadevice.AfterinstallingtheZ4rootapplicationonyourAndroiddevice,yourunit,clicktheRootbuttonandalltherootinghappensautomatically.

Figure4-1:TheZ4Rootapplication

Aswithanyhackingactivity,youtakeagreatdealofresponsibilityonyourownheadwhenyourunscriptsorapplications.Makesurethatyoueitherknowandtrustthedeveloperorthatyouarewillingtoacceptthe

consequencesofdoingdamagetoyourdevice.Youcanalsoloseprivacyiftheapplicationorscriptisrogueandharvestspasswordsfromyourdevice.

HackingUtilitiesDevelopersintheAndroidcommunityfrequentlycompileorcreateapplicationsthatcanrunonyourlocalcomputer.TheyeithermakehackingyourAndroiddeviceeasierorarecentraltoaparticularexploit.Sometimestheutilityiscodedupandcreatedbyaskilleddeveloperandsometimesitis“scroungedup”from“leaked”sourcesattheOEM.

OEMToolsOEMtoolsaredevelopedbythemanufacturerorbyathirdpartyforthemanufacturer.Thesetoolsareusedinservicecenters.Forexample,RSDLiteisusedworldwideatMotorolaservicecenterstoinstallMotorola-signedimagesonspecificMotoroladevices.

OEMtoolsareusuallysoftwareutilitiesthatcantakeacompletesystemimageordiskimageandwriteittothebootloaderorfilesystemacrosstheUSBcableconnection.ExamplesofsuchutilitiesaretheNVFlashutilityformostdevicesusingNVIDIA’sTegrasystemonachipandtheRSDLiteutilityforsomeMotoroladevices.UsinganOEMtoolusuallyrequireslookinguptheinstructionsontheXDAforumsoranotherAndroidcommunitysiteandfollowingthemtotheletter.Mostofthetime,thetoolshavefairlycrudeinterfacesandlittleornodocumentation.

DeveloperUtilitiesCustomutilitiesfromtheAndroiddevelopercommunityareofmixedqualityandeaseofuse.Someofthemareveritableone-clicksolutionswhileothersperformasinglefunction,suchasreplacingtheuserinterfaceoraddingothercustomizations.

ImageFilesAnimagefileisabit-by-bitcopyofapartition(theoperatingsystemwithkernel,bootloader,recovery,andsoon).Animagefileallowsthestate,files,permissionsandstructuretobewrittentoapieceofmemoryorfilesystemandperfectlyreplicatethesystemfromwhichitwastaken.Oneoftheusesofimagefilesistorestoreadevicetothestateitwasinwhenitleftthefactory.Inthecaseofabrickeddevice,flashingwithaknowncompatibleimagefileisusuallytheonlywaybacktoafullyfunctionaldevice(seethe“BackupandDisasterRecovery”section).

Sometimestheonlywaytorootalockeddeviceistograbanimageofarooteddeveloperdevice(onereleasedtoanOEMpartnerforearlydevelopment)andwriteittothelockeddevice’sfilesystem.Onsomedevices,thedeveloperdoesthedifficultworkintheAndroidsystem,changingpermissionsandinstallingadifferentLinuxkernel.Thedeveloperthenwrapsthiscreationinanimagefilethatcanbeflashedtoanon-developerdeviceusinganOEMutilityoranAndroidSDKtool,suchasFastboot.Inonefellswoop,thedeviceisrootedandpreparedforcustomization.

TheXoomisanexampleofan(unlocked)devicethatrequiresthismethod.TheXoomwasquicklyrootedbyKoushikDuttaandthebootimagefilethathereleasedtothecommunityquicklybecamethebasisofmuchcustomizationandotherXoomroottoolsandmethods.BecausetheXoomwasunlocked,itsbootloaderwaseasilyoverwrittenwiththecustomimagefileusingtheAndroidSDKFastboottool.

Muchofthereallydifficultworkinhackingandrootingadeviceisdonebydevelopersandreleasedtothecommunityintheformofscripts,utilities,applicationsandimagefiles.Alltheaverageuserneedsthenistheskillsettoapplythosetools.

RecoveryModeWhenyourAndroiddevicestartsitsboot-upprocess,itpullsthebootloaderfromitsstorageareaandstartstheprocessofloadingtheAndroidoperatingsystem.Bypressingacombinationofbuttonsduringthebootprocess,youcandivertthebootintorecoverymode.Thebuttonsusedtobootintorecoverymodevaryamongdevicesbutthecombinationofthepowerbuttonandoneofthevolumebuttonsusuallyforcesthedeviceintorecoverymode.

WhatIsRecoveryMode?Recoverymodeisanexternalmicrooperatingsystemthatisusedtoapplyofficialupdates.ThedefaultrecoverymodelooksontheSDcardforafilecalledupdate.zip.Whenthefileisfound,itis(usually)checkedforasignaturetoseeifitisanupdatethatcanbesafelyappliedtotheAndroidoperatingsystem.Ifthesignaturematchesthatofthemanufacturer,thenthefilesystemchangescontainedinupdate.zipareappliedandthephoneisrebooted.

Somedefaultrecoverymodesalsoprovidetheaddedoptionofbootingintoamaintenancemodeforclearingthedatacacheorresettingthedevicetofactorycondition.

TherecoverysystemissometimescontainedinitsownNANDfilesystem;onotherdevices,itisjustapartitionedlocationintheoverallNANDmemorythatstorestheAndroidfilesystem.Thedifferenceisnegligibleaswritingtotherecoverysystemrequiresrootlevelaccessandsometimesitcanonlybereplacedwithanexternalflashprocess.Formostrecentdeviceshowever,acustomrecoverycanbeinstalledfromtheAndroidoperatingsystemoncerootstatusisattained.

MakeItAllSoEasy:GetACustomRecovery!Customrecoveryprocessesgofar,farbeyondthecapabilityofthedefaultrecoverymode.Theyremovetheneedforsignedorverifiedupdates,soyoucaninstallunofficialupdatesthatarereleasedlongbeforeOEMsandcarriersreleaseupdates.Customrecoveryprocessesalsoprovidetheabilityto

completelyoverwritetheexistingAndroidoperatingsystemandfirmware.ThisallowsforacustomAndroidinstallationandupdatingorupgradingradiofirmwaretoeliminateOEMbugsorincreasecapability.

Oneofthesinglegreatestcapabilitiesprovidedbyacustomrecoveryprocessistheabilitytodoacompleteorpartialsystembackup.Backinguptheapplications,applicationdataandAndroidfilesystemgivesahugeinsurancepolicytotheAndroidhacker.

ExternalcompletebackupsareoftencalledNANDroidbackupsbecauseNANDmemoryisusedtostorethefilesthatcontaintheAndroidfilesystem.

ThetwomostpopularcustomrecoveryapplicationsareClockworkModandAmonRa,buttheyarebynomeanstheonlyrecoveryapplicationsavailable.

Thereareseveralwaysthatarecoveryapplicationcanbeinstalled.MostdeviceswillacceptinstallationbyRomManagerorbyanupdatefile.YoushouldlookupyourparticulardeviceontheXDAforumtoseewhatothershavedeterminedasthebestwaytoinstallacustomrecoveryapplication.

InstallationviaRomManagerClockworkModrecoveryisinstalledmosteasilyusingtheRomManagerapplicationbyKoushikDutta.TheRomManagerapplicationdetectsthedeviceonwhichitisinstalledanddecideswhereandhowtherecoverycanbewritten.TheeaseofinstallingClockworkModhasmadeitoneofthemostwidelyusedrecoveryapplications.

YoucanalsouseRomManagertoinstallAmonRarecoverybyselectingthe“alternaterecoveries”option.YoucanuseanydownloadedrecoveryasanupdateanduseClockworkModtoselectthedownloadedzipfileasanupdate.

InstallationviaupdatefileSomedevicesrecognizeaspeciallynamedzipfileplacedintherootoftheSDcard.Whentheyarerebooted,theyautomaticallyinstalltheupdatecontainedinthatfile.Afterdownloadingthedesiredrecoveryapplication,youcanrenameitszipfileandplaceitontheSDcardtoberecognizedasanupdate.

UsingClockworkModRecoveryThissectiondiscussesthefunctionsavailableintheClockworkModrecovery.Familiaritywiththesefunctionswillallowyoutomanageyourdevicewithgreaterpeaceofmind.

TheinitialscreenofClockworkModisshowninFigure4-2.Youcanhighlightthefunctionsbynavigatingupanddownusingthevolumeupanddownkeys.Onmostdevices,thepowerbuttonisusedtoselectahighlighteditem(ontheNexusOne,youclickthecontrolball).Tonavigatebackfromasubmenu,thebackarrowbuttonorsoftkeyisusual.Afewseconds’experimentationusuallyrevealsthenavigationbuttons.

ThefollowingsectionsdiscusseachoptionshowninFigure4-2.Thosewithasubmenuarediscussedinmoredetail.

Oncertaindevices,ClockworkModhasa+++GoBack+++optionatthebottomofeachsubmenu.

Figure4-2:InitialscreenoftheClockworkModcustomrecovery

RebootingtheDeviceWhenthe“rebootsystemnow”functionisselected,thesystemperformsanormalreboot.

UpdatingaDevicefromtheSDCardWhenanofficialupdateisreleasedforanAndroiddevice,itusuallycomesasanupdate.zipfilethatisautomaticallyappliedwhenthedeviceisrebooted.Somedevicescanonlyapplyupdatesinthisway.

The“applyupdatefromsdcard”functionlooksontheSDcardforafilecalledupdate.zipandappliesit.Youcanapplyanyupdatetothefilesystembyrenamingthefiletoupdate.zipandselectingthisoption.InstructionsforusingthismethodareoftenspecifiedwithupdatesfromtheXDAforum.

Whenyouselectthisfunction,youarepresentedwithClockworkMod’ssafetyselectionfeature(seeFigure4-3).Youhavetoscrolldownthroughaseriesof“No”optionsbeforeyougettothe“Yes”option.Thismakessurethatyoudonotdosomethingdangerousorpotentiallydestructivetoyourdevicewithoutbeingawareofwhatyouaredoing.Thereislittlepossibilityofaccidentallyselectingadestructiveoption.

Figure4-3:TheClockworkModsafetyscreen

Tocompletetheaction,younavigatetothe“Yes”optionandthenpresstheselectorkey.

ResettingaDevicetoFactoryConditionThe“wipedata/factoryreset”function(Figure4-2)completelywipesthe/dataand/cachepartitionsofthedevice.Thisisdestructive:itremovesalluserapplicationsanddataandchangestheoptionsbacktofactorysettings.Allcustomizationsanddataareremovedfromthedevice.Thisisthelastresortforuseincaseswhereadeviceisexhibitingconsistentfailures,forceclosesorisstuckinsomekindoferrorloop.However,contrarytowhatthenameimplies,resettingadevicedoesnotrestorethe/systempartitiontoitsoriginalstate.Thiscanonlybeaccomplishedbyflashinganupdate.ziporexecutingaNANDroidrestore.

WipingtheCacheWipingthecacheislessdestructivethanwipingthedataandcanusuallybedonewithoutanydamagetoinstalledapplicationsoruserdata.However,youshouldbackupyourfilesystembeforerunningthe“wipecachepartition”function(Figure4-2).Ifyourphoneseemsslowandbuggy,trythisfunctionbeforeresettingthedevicetofactorycondition.Sometimes,removingcachedataresolvesanerrorstateorissueswithforcibleclosing.

Thisfunctionpresentsyouwiththesafetyselectorscreen(seeFigure4-3).Selectthe“Yes”optiontowipethecache.

InstallingaZipFilefromtheSDCardThe“installzipfromsdcard”function(Figure4-2)issimilartothe“applyupdatefromsdcard”function.Theupdatefunctionalwayslooksforafilenamedupdate.zipintherootoftheSDcard.The“installzipfromsdcard”functionenablesyoutoselectanyzipfileandspecifyhowitisapplied.

Whenyouselectthisfunction,asubmenuappears,asshowninFigure4-4.

Apply<ZipFile>Thefilenamedintheapplyoptiondependsonthezipfileyouselectusingthenavigationfunction.Thedefaultfilenameissdcardupdate.zip.Ifyounavigatetoafilecalledmyupdate.zip,thefirstitemonthismenubecomesapplysdcardmyupdate.zip.

Figure4-4:TheClockworkModinstallfromSDcardoptions

ChooseZipThe“choosezipfromsdcard”optionallowsyoutonavigatethroughthefileandfolderstructureonyourSDcardtolocateazipfile.Customthemesanddevicecustomizationsfrequentlycomeaszipfiles.Youusethisoptiontoselectthefileandthe“apply”optiontoapplyit.

ToggleSignatureVerificationThe“togglesignatureverification”optionallowsyoutospecifythatthedeviceshouldchecktheselectedzipfilefora“signature”.MostzipfilesfromtheOEMorcarrierwillbesigned,aswillmanyROMs.YoushouldleavesignatureverificationenabledassometimesthiswillstopcorruptedROMsfromflashing.

ToggleScriptAssertsThe“togglescriptasserts”optionisseldomutilized.Itallowsorpreventstheexecutionofscriptcommandsembeddedinazipfile.Mostzipfilessimplyupdateorreplacefilesinthefilesystem.Azipfilewithembeddedscriptingcanchangeoralterdevicesettings.Turningoffscriptassertsdisablesscriptingembeddedinthezipfile.

BackingUpandRestoringaDeviceThe“backupandrestore”functionofClockworkMod(Figure4-2)isperhapsthemostusefulanddesireditem.BackingupdatafrominsidetheAndroidoperatingsystem,evenonarooteddevice,isacomplexoperation.ClockworkModcanbackupallfiles,applications,settingsanddatainoneoperation.ThebackupfileisstoredontheSDcardwhereitismostlysafefromanycustomizationsorhacks.Thismakesforasafetynetthatisofgreatvalue.PeriodicallybackingupusingClockworkModisagoodideaevenifyouarenotanactivecustomizerandhacker.Corruptionordatalossfrommisbehavingapplicationscanbefixedbyrestoringfromaknowngoodbackup.

Whenyouselectthe“backupandrestore”option,asubmenuappears,asshownatthetopofFigure4-5.

BackupSelectingthebackupoptionimmediatelystartsbackingupyourdevice.Whilethebackupprocessisrunning,aprogresslistisdisplayed(seeFigure4-6).

ThebackupfileisplacedontheSDcardinthesdcardclockworkmod/backupsfolderwiththedateasthefilename.Thisenablesyoutodistinguishamongmultiplebackupfiles.

Figure4-5:TheClockworkModbackupandrestoreoptions

Itisimportantthatyouremoveolderbackupfilesfromtimetotime.HavingtoomanybackupfilesonyourSDcardcanquicklyuseupavailablespace.Backupfilescanbedeletedusinganyfileexplorerutility,suchasESFile

ExplorerorRootExplorer.

Whenthebackupiscomplete,youarereturnedtothe“backupandrestore”submenu.

Figure4-6:AClockworkModbackupinprogress

RestoreWhenyouselecttherestoreoption,youarepresentedwithalistofallthebackupfilesinthesdcardclockworkmod/backupsfolder.Usetheselectionkeystonavigatetothefilefromthedesireddateandselectittostarttherestoreprocess.ClockworkModshowsaprogressbarwhiletheprocessisrunningandacompletedmessagewhenitends.

ForcingRecoveryBootMostdevicescanbeputintorecoverymodebypressingacombinationofhardwarekeys.LookupthekeycombinationforyourdeviceontheXDAforums.Ifyoucannotsuccessfullybootyourdevice,havingagoodbackupandknowinghowtoputyourphoneintorecoverymodecanhelpreducepanic.

AdvancedRestoreThe“advancedrestore”optionallowsyoutoselectaparticularbackupfile,againbasedonthedate,andthenrestoreonlycertainpartsofthebackup.Whenyouhaveselectedabackupfile,youcanchoosetorestoreanyofthebootpartition,thesystempartition,thedatapartition,thecacheorthesd-extpartition.

Becarefulaboutrestoringjustonepartitionunlessyouknowwhyyouaredoingit.Partitionsusuallyhaverelatedanddependentdata.Ifyourestoreadatapartitionthatreferstocontentinthesystempartitionthatdoesn’texist,itcancauseflakybehaviororcanlockupyourdevice.Inthatcase,youwouldneedtoboottoyourrecoverypartitionusingthehardwarekeycombinationandrestoreacompletebackup.

MountingPartitionsandManagingStorageThe“mountsandstorage”function(Figure4-2)allowsyoutomanagethemountingofthepartitionsforvarioushackingactivities,suchascopyingfilestoandfromtheSDcardordatafolderviayourUSBcable.YouwillnotgenerallymountorunmountpartitionsbutitallowsyoutoaccesstheSDcardwhileinClockworkModandcanbeveryuseful.

Thisfunctionalsoallowsyoutoformatthesystempartition,thedatapartition,thecache,thebootpartition,thesd-extpartitionandtheSDcard.Formattinginvolvescompletelywipingthepartitionorcardandshouldnotbedoneunlessyouhaveaspecificreason.Ifyouformatanyofthepartitionsanddonotrestorethecontentsofthatpartition,yourdevicewillnotboot.

AdvancedFunctionsWhenyouselectthe“advanced”menuitemfromthemainClockworkModscreen(Figure4-2),asubmenuappears,asshowninFigure4-7.Thesefunctionsaregenerallyunusedexceptforspecializedactivities.

Figure4-7:TheadvancedoptionsfromtheClockworkModmainmenu

RebootRecoveryThisoptionallowsyoutorebootthedeviceandreturntotherecoveryprocess.

WipeDalvikCacheThisoptionallowsyoutowipeonlythevirtualmachinecache.Thiscanbeusefulifyouhaveanapplicationthatworksfineforawhileandthensuddenlyrefusestoworkatall,closesconstantlyorexhibitsotheroddbehavior.Thisisafairlylow-riskoption.

WipeBatteryStatsThe“wipebatterystats”optionallowsyoutoclearthestatisticsaboutbatteryusageandcharge.ThereissomebeliefthatthiscanhelpAndroidaccuratelyjudgerechargeandusagecontrolmechanisms.Thisisgenerallynottrue—itonlyremoveshistoricaldatafromyourdevice.UnlessathreadintheXDAforumgivesagoodreasonforremovingthemfromyourdevice,thebatterystatisticsshouldbeleftalone.

ReportErrorIfyougetanerrorwhileusingClockworkMod,youcanusethisfunctiontowritetheerrortoalogfilestoredatsdcardclockworkmod/recovery.log.YoucanthensendthelogtoKoushikDutta’steamfortroubleshooting.WhenClockworkModopensanddetectsthatanerrorhasoccurredinapreviousrecoverysession,youreceiveapop-upnotificationaskingifyouwanttoreporttheerror.

PartitionSDCardThisoptionallowsyoutodivideyourSDcardintodifferentpartitions.ThisisadestructiveactivitythaterasesallofthecontentsofyourSDcard.Onlyusethisoptionastheresultofdirectinstructionsfromahow-toguideforyourdevice.Forexample,somedevicescanexperienceaperformanceboostiftheyhavealargeswappartitionontheSDcard.

FixPermissionsEveryAndroidapplicationrunsasitsownuserID.Inordertomakesurethateachapplicationcannotmodifyanyotherapplication’sdata,theappropriatepermissionsmustbesetforeachapplication’sspaceinthe/datapartition.The“fixpermissions”functionreadsthroughdatasystem/packages.xmlandsetsthepermissionsaccordingly.

However,thisoptiondoesnotalwaysyieldtheintendedresultsandmayinfactcausetheveryapplicationforcecloseproblemsitisintendedtofix.Onlyrunthe“fixpermissions”optionasaresultofspecificinstructionstoresolvespecificissues.Somehow-toguidesreferto“runningapermissionsfix”—thisistheoptionthatachievesit.

BackupandDisasterRecoveryInthecourseofhackinganAndroiddevice,itisentirelypossiblethatatsomepointyouwillhaveamomentofpanicasadevicedoesnotrebootcorrectlyoritappearsthatyouhavelostallyourdata.

Mostoftheuser-createddata,suchaspictures,documentsanddownloadedfiles,arestoredontheSDcardandarerelativelysafefromhackingactivitiesthatwritetoandfromthesystempartition.However,youshouldassumethatanyhackingorexplorationactivitiescouldresultinthelossofalldata.

It’sagoodideatoconnectyourdevicetoyourcomputerandcopyallthedataontheSDcardtoyourcomputerbeforestartinghackingorexploration.Mostrecentdevicesdefaultto“massstoragemode”whenconnectedtoacomputer.Inotherwords,theSDcardismountedasanaccessibledrivefromyourcomputer’sfilesystemmanager(forexample,WindowsExplorer).CopyingthecontentsofyourSDcardtoafolderonyourcomputerwillmakesurethatyoudon’tlosethosecutepicturesofthekidsortheapplicationsyouhavedownloadedfromtheWeb.

Torestoresuchabackup,simplyconnectyourdevicetoyourPCandcopyallthefilesandfoldersbacktotheSDcard.

PrecautionsforSuccessandDataRecoveryThebestactivitytoensuresuccesswhenhackingistoreadmoreanddoless:

•Beforestartingaprocess,readtheentirethreaddedicatedtoitontheXDAforum.•Readalloftheinstructionsinarootingorflashingprocedurebeforeplugginginyourphoneandthenreadthemallagain.•Ifinstructionsfromadevelopermentiontoolsorcommandswithwhichyouarenotfamiliar,readuponthosecommandsandtoolsbysearchingtheXDAforumsandGoogle.

•Takespecialnoteofpeoplewhohavemessedupbeforeyouandwhattheirrecoveryoptionsorsuccesseswere.

Onceyouhaveachievedrootandinstalledacustomrecoveryapplication,makeregularbackupsusingareliablebackupapplicationandthecustomrecoveryapplication.

TheInternetisfullofAndroidgeekswillingtoassistyouiftheythinkyouhavetriedtoeducateyourselffirstbyreadingandsearching.Itisalwaysbettertoask“HowdoIdoXwithYtoolonadevicethatislikeZ?”ratherthantoask“HowdoIrootmyphone?”HavingathickskinishelpfulontheInternetaswell.Notallgeekshavethebestsocialskillsanditcanshowinbrusqueanswerstoquestions.Maintainyourcool,askyourquestionsintelligentlyandyouwillundoubtedlyreceivethehelpyouneed.

BackingUpApplicationsApplicationsthatyoudownloadedfromGooglePlayareautomaticallyrestoredwhenyouselectthe“MyApps”buttonandindividuallyrestoretheapplications.Thisfunctionissomewhatfinicky—most,butnotall,purchasedappsautorestore,asdocertainfreeones.

Inessence,GooglePlaykeepstrackofyourpurchasesandrestoresautomaticallyatleastthoseapplications.Onsomedevices,allofmyapplications,includingfreeapplicationsdownloadedfromGooglePlay,havebeenrestoredautomaticallyafterafactoryreset

IfyouconnectyourdevicetoacomputerandbackuptheSDcard,itdoesnotnecessarilycopytheapplicationdata.Mostproductivityapplications,suchastexteditors,officeapplicationsandartormediaapplications,storecreatedfilesontheSDcardinadocumentsfolderorinafolderoftheirown.CopyingeverythingontheSDcardincludingfolderswillbackupthedatafromtheseapplications.

Youloseallofyourapplicationdatawhenanapplicationisremovedandreplaced.Inotherwords,yourprogressthrough“AngryBirds”isnotrestoredeveniftheapplicationisautomaticallyrestoredafteradevicewipe.Backingupuserdataisoneoftheprimaryreasonsthatrootaccessissodesirable.

BackingUpThroughaRecoveryProcessWhenyoufirstachieverootandareabletoinstallacustomrecoveryapplication(whetherClockworkModoranotherrecoveryapplication),youshouldimmediatelybootintothatrecoveryprocessanddoacompletebackupofyourdevice.

Abackupcreatedbyarecoveryprocessisapoint-in-timebackup—itcapturesthestateanddataofyourdeviceataparticulartime.Alltheapplications,applicationdata,userdataandsystemfilesarebackedup.Thisisthebestoptionforbackinguptoprotectagainstdisasterwithhacking.

However,theremaybeitemsyouwanttobackuporrestorewithoutcompletelyrevertingyourentiredevicetoaparticularpointintime.

Application-levelbackupsandrestoresareoneofthebenefitsofbeingrooted.

BackingUpThroughanApplicationApplicationssuchasTitaniumBackupallowyoutospecifyanapplicationtobebackedup.Theapplicationcanbebackedupalongwithanyrelateddata.Thisallowsforspecificapplicationstoberestoredinthecaseofthembeingaccidentallyremovedorhavinganissue.

Whenaparticularapplicationstopsworking,youmaynotwanttorevertallofyourapplicationstothelatestsystem-levelbackup.TitaniumBackup,andothersuchapplications,allowforindividualmanagementofapplications.Theyalsoallowforniftymanipulation,suchasmovingapplicationstotheSDcard,removingapplicationscompletelyandcleanly,andschedulingbackups.Havingascheduledprocessthatregularlybacksupapplications,applicationdataandsystemdatawillsaveyouaheadachewhenyoueventuallybrickyourdevice.

WhatHappensifItGoesReallyWrong?Intheprocessofattemptingtoobtainroot,itispossiblethatatsomepointyouwillmakeamistakeandyourphonewillnotbootcorrectly.Therearetwogenericcategoriesof“broken”whenitcomestoAndroiddevices:

•SoftbrickmeansthatthedevicewillnotbootcompletelyintotheAndroidoperatingsystembutwillboottorecoveryorbootloaderandFastboot.Anyconditionthatkeepsthedevicefrombootingcorrectlybutleavesitwiththepossibilityofbeingflashedandrecoveredwithcorrectimagefilesisa“softbrick”condition.Themostcommonsymptomofasoftbrickeddeviceisknownasabootloop(aconditioninwhichthedevicepartiallybootsoverandover).•Hardbrick,ontheotherhand,referstoanincapacitateddevicethatisunrecoverablethroughnormalmeans.Generally,hardbrickeddevicesrequirespecializedhardwaremethodsavailableonlytotheOEMtofix,andarecharacterizedbythedevicenotbootingatallorbootloopinginawaythatpreventscommandsbeingsentviaADBorFastboot.

Howyourdevicebehavesineachcaseisverydependentonthedevice.Theproceduretofollowinthoseblind-panic-strickenmomentsfollowingsomethinggoingwrongisasfollows:

1.Don’tpanic.Seriously,don’tpanic.Paniccaninduceyoutoattemptthesameflawedprocedurethatbrickedyourdeviceinthefirstplace.Generallystopandwalkawayfromthedeviceforaminuteortwothenproceedtothenextstep.2.Removethebattery,ifpossible.Pullthebatteryoutcarefully,replaceitandseeifthedevicegetsanyfurtherinthebootprocess.

Onsometabletdevices,pullingthebatteryoutisnotpossible.Thereisgenerallyaphysicalkeycombination(forexample,thepowerbuttonandthevolumeupanddownbuttons)thatsimulatespullingthebattery.Pressandholdthebuttonsforafewsecondstoseeifthedeviceresetsandstartsbootingcorrectly.3.Attempttoforcethedeviceintorecoveryorbootloadermode.Lookupthekeycombinationforresetsandrecoverymode.

4.UsetheXDAforumsandGoogletoeducateyourselfonunbrickingproceduresforyourdevice.Ifyoucanfindnoreferencetounbrickingyourdevice,postanon-panic-strickenmessageintheXDAdeviceforumthatletsdevelopersknowwhatyouweredoingwhenthedisasteroccurred.

Therecoveryoptionsavailabledifferdependingonwhatthebrickeddevicewilldoandtowhichcommandsitwillrespond.Ifthedevicecanbootintorecoverymode,anupdate.zipfileoracompleteimagefilecanbeusedtorewriteallthesystempartitions.Inthiscase,abackupofthedevicecouldalsoberestored.Thisiswhythefirststepafterinstallingacustomrecoveryprocessshouldbetodoafullbackupfromtherecovery.

Ifthedevicecanbootintobootloader,itmaybepossibletouseFastbootcommandstoreflashthesystemandbootpartitions.SearchontheXDAforumforpoststhatcontaintherequiredfilesandinstructions.Generallyspeaking,ifadevicecanbemadetobootintoFastboot,itcanberecovered.

SomedevicescanberecoveredusingOEMordevelopertools(forexample,RSDLiteforolderMotorolaphonesandODINforSamsungdevices)toflashimagefilestothecorrectpartitions.InstructionsforusingthesetoolsandthefilesforflashingwillbefoundintheappropriateXDAforumforthedevice.

Chapter5:Theming:DigitalCosmeticSurgery

Inthischapter:

•HowtochangethelookandfeelofAndroid

•Anintroductiontotoolsthatyoucanusetomodifyyourdevice•Howtomodifytheairplanemodeindicatorsonyourdevice•Howtocreateaflashablezipfiletoshareyourchanges

AmajoradvantageofowninganAndroiddeviceisthatthelookandfeel,indeedeveryaspectoftheuserinterface,canbecustomizedtoitsowner’spersonaltaste.

Inthischapter,youlearnthebasicsoftheming—changingthelookandfeelof—Android.ManyaspectsoftheAndroidinterfacecanbechanged,fromthecolorsofnavigationelementstoreplacementiconsforapplications.AlmostanyvisualelementoftheAndroidinterfacecanbealteredorreplacedcompletely.

ThemingisacomplexprocessthatinvolvesgettingintothedetailedstructureoftheAndroidoperatingsystemfilesystem.HavingachievedrootaccessusingthetoolsdescribedinthisbookandontheXDAforum,youarenowabletobegincustomizingyourdevicethroughtheming.

Thischapterfocusesonmakingchangestargetedforyourdevice,suchasmakingtheairplanemodeindicatormorenoticeable.Theprocessofturningyourchangesintoapackagethatcanbesharedwithyourfriendsisslightlymorecomplex.Afteryoumakethedesiredthemechange,youlearnhowtocreatearecovery-flashablepackagethatcanbesharedwithotherAndroidusers.

TheprocessoutlinedinthischapterisspecifictoCyanogenModontheNexusOne,howevertheprocessissimilarforotherdevicesandotherROMs.

ChangingtheLookandFeelofAndroidThemingAndroidinvolveseditingthegraphics(PNGfiles)andXMLfilesthatmakeuptheuserinterface.EditingtheXMLisevenmoreadvancedthaneditingthegraphics.TheAndroidXMLiscompiledintobinaryXML,soyouhavetodecompileittohuman-readabletextandthenrecompileitbacktobinaryformat.

Atahighlevel,thestepsforthemingAndroidareasfollows:

1.ExtractthefilestobeeditedfromtheROMofyourchoice.Mostbasic,system-widethemesdealwithmodifyingtheimageswithintheframework-res.apkfilebutotherchangesrequiremorespecializedfixes.

2.Decompilethefiles.

3.UseappropriateeditingsoftwaretoeditthegraphicsandXML.4.RecompiletheXML.

5.ReplacethefilesintotheROM.6.FlashtheeditedROMusingacustomrecovery.

Thesestepscanvarydependingonwhatyouarechangingandwhetheryouarecreatingacompletelyalteredthemeorathemewithminortweaks.Creatingacompletethemewillinvolveiterationsofthisprocessmanyhundredsorthousandsoftimes.

ThemingtheLauncherThemaininterfacewithwhichauserinteracts,theicons,theapplicationdrawerandalltheotherelementsareknownasthe“launcher.”Thelauncherhandlesnotonlythelookandfeelofyourhomescreensandapplicationsmenu,butalsowhichapplicationsarevisible.WhileyoucanthemethenativeAndroidlauncher,itisofteneasiertomodifyanadd-onlauncherbecauseitsharesnoresourceswiththecoreoperatingsystem.

ThemingwithanAdd-onLauncherOneofthemostpopularlauncherreplacementsforAndroidisADW.launcher.Itoffersbuilt-inthemingfunctionalitybyallowingusersto

installeasilydistributablethemeAPKoriconpacks.ADWuserscanthuseasilyswitchbetweenthemes.

Theprocessofthemingalauncherusuallyinvolvesmanyofthestepsinthiswalkthroughalongwithotheractivitiessuchascreatingiconsforlaunchedactivities(applications)andspecialfilesystemstructures.Ifyouwanttocreatethemesforaspecificlauncher,youneedtolookupthatparticularlauncher’sthemingrulesandrequirementsontheXDAforumandthelauncher’swebsite.ForADW,youcancheckouthttp://jbthemes.com/anderweb/category/adwlauncher/.

ToolsUsedinThemingThemingrequiresabroadtoolsetandtheskillstomatch.ThislistoftoolsisnotexhaustivebutgivesyoupracticallyeverythingyouneedtostartrealhackingatthelookandfeeloftheAndroiduserinterface.Youwillnotuseallofthetoolsinthischapter’swalkthrough,butyoushouldhavethemallinstalledifyouintendtocontinuehackingyourdevice.

APKManagerAPKManagerisascriptthatrunsasaconsoleapplication(inacommandwindow).ItallowsyoutocarryouteasilymanyofthetasksthatwouldrequiremultiplecomplexstepsifyouweretoaccomplishthesametasksusingtheAndroidSDKandEclipsetools.Ifyouarecreatingacomplexthemefromscratch,youarelikelytoneedtousethosecomplexSDKandEclipsetoolsstandalone.However,formostthemingofexistingROMs,andAndroidingeneral,theAPKManagerautomatesacomplexandfrustratingprocess.

WhatIsanAPK?AnAPKisanAndroidApplicationPackage.AnAPKconsistsofafolderandfilestructurealongwithXMLfilesthatdefinethestructureandcontentsofapackagetoAndroid.AnAPKcanbesignedorunsigned.Androidusesthesignaturetocheckforauthenticity.Packagesalsousetheirsignaturesto“address”eachother.Becauseofthis,itisveryimportantthatyoufollowtheinstructionsaboutsigningandre-signinginAPKManagerandtutorialsontheXDAforum.

Beforeattemptingthewalkthroughinthischapter,youneedtoinstallAPKManager.Followthesesteps:

1.DownloadAPKManagerfromthelinkathttp://forum.xda-developers.com/showthread.php?t=695701.

2.ExtractAPKManagerintoafolder.

ItisbesttoextractAPKManagerandallthefoldersintoarootfoldersuchasC:\Theming\APKManager.ItisimportantthatyouhaveacleanandclearstructureforyourthemingfolderbecauseAPKManagerusesthefoldersinthestructuretodecompileandrecompileAndroidAPKs.

AndroidSDKRefertoAppendixAforinformationoninstallingAndroidSDKandmakingsureyourPChasenvironmentvariablesforADBtools.MakesureyouinstalltheSDKandsetuptheenvironmentvariablesbeforeattemptingthewalkthroughinthischapter.

EclipseEclipseisnotrequiredforthewalkthroughbutisincludedhereforcompleteness.

EclipsecanbeusedtoeditXMLfilesandthenotoriouslydifficultandsemi-resolution-independentNinePatchfiles(.9.png)manually.MostofwhatyouwilldointhischapterisdonewithAPKManager.However,youwillwantEclipsefortheNinePatchfilesandcomplexprojects.

YoucaninstallthelatestversionofEclipsefromwww.eclipse.org/downloads/.Unlessyouhaveaspecificreasontodootherwise,youwillnormallyinstalltheclassicversionofEclipse.

AROMofYourChoiceForthewalkthrough,IwillbeusingthepopularCyanogenModROM(whichisdiscussedinChapter6).TheROMisavailableatwww.cyanogenmod.comorontheXDAforums.ThesewalkthroughstepsapplytoalmostanycustomROM,however.YoupullthefilesyouwanttoeditoutoftheROMandmakethechanges.Thefilescanthenbere-signedandinsertedintotheROMorpusheddirectlytoyourdevice.

ItisagoodideatodownloadyourfavoriteROM,unzipit,digintoitsfolderstructureandpulloutthefilesyouneedtoedit.Thiswillhelpyoubegintolearnthestructureandpurposeofallthosehundredsoffilesandfolders.Itwillalsohelpyouunderstandstepsintheprocess,suchascreatingafolderstructureonyourlocalcomputerandthenzippingthatfolderstructureforinstallation.

7-ZipAPKs,ROMsandmanyotherfilesarecompressedusingzipcompression.7-Zipisatoolwithwhichyoucanopenthesefilesandmanipulatetheirinternalstructurewithoutextractingthecontents.7-Ziphasabuiltinfilemanagerthatallowsyoutonavigatethroughacompressedfile,suchasanAPK,withoutdisturbingthesignatureonthefile.

Forthiswalkthrough,youneedtoinstall7-Zip(fromwww.7-Zip.org/download.html).

Paint.NETPaint.NETisafreeandeasy-to-useimage-editingpackagethatallowsyoutoeditthePNGfilesthatmakeupthevisualelementsoftheAndroidinterface.Paint.NETisnottheonlyoption.Anygoodgraphics-editingpackage(suchasPhotoshoporGIMP)willwork.Paint.NETisfreeandisthetoolusedinthewalkthrough.YoucandownloadPaint.NETfromwww.getpaint.net/download.html.

Update.zipCreatorAnupdate.zipcreatormakesiteasytocreateaflashableupdate.zipfilefromthefilesthatyoucreatewithAPKManager.Therearemanydifferentupdate.zipcreatorsonXDA,butperhapstheeasiestforWindowsusersisTLCUpdatezipCreator,whichcanbeobtainedfromhttp://forum.xda-developers.com/showthread.php?t=1248486.

Youwillusethisprogramaspartofthefinalstepinthiswalkthrough.

Amend2Edify

Amend2Edifyisaprogramthatcanalterupdatescriptscreatedbytheupdate.zipScriptCreatortobecompatiblewithnewerversionsofClockworkMod.Theoriginalspecificationfortheupdatescriptswasknownas“amend”scripts.WithGingerbread,Googlechangedthespecificationtothe“edify”script.Edifyismorepowerfulbutrequiressomemorecomplexsettingssuchasknowingwhereandhowtomountthefilesystemintheupdatescript.

DownloadAmend2Edifyfromhttp://forum.xda-developers.com/showthread.php?t=903598.Extractthetooltoitsownfolderinyourthemingfolder.

Youdonotneedthistoolforthewalkthrough,butyouneedittoconvertscriptsfromtheolderamendstandardtotheneweredifystyle.

TheEditingProcessThissectionshowsyouhowtoaltertheairplanemodeiconandstatusindicatorforCyanogenMod7.0.1ontheNexusOnetomaketheairplanemodeindicatorsmorenoticeable.(IfindthatwhenevermyphoneisinairplanemodeIfrequentlyoverlookthefactandspendafewsecondspuzzledastowhymydevicewillnotconnect.)

Thisexamplechangesasingleelementoftheuserinterface.Acompleterethemewouldinvolvehundredsifnotthousandsofsuchedits.Ifyoudownloadorusethemescreatedbyotherthemers,considerdonatingtothemontheXDAforum.Thetimeinvolvedincreatingthetoolstomakethemesandincreatingthemesisprodigious.

Therearetwowalkthroughsinthissection.Thefirstwalkthroughdemonstratesamethodforcreatingthemefiles.Inthesecondwalkthrough,youseethestepsthatwouldbeusedtocreatefilesthatcouldbereusedorpackagedinaflashableupdateaftermanyhundredsofedits.

WalkthroughforCreatingThemeFilesForthiswalkthrough,youtargetafewspecificfilesthatcontainthegraphicsthatyouwanttoeditintheseAPKpackages:

•\system\framework\framework-res.apk

•\system\app\SystemUI.apk(becausethisisaGingerbreadROM).

ThefilesoutlinedhereareforaspecificdeviceandaspecificROM.RememberthatotherversionsofAndroid,otherROMsandothermanufacturers’devicesmayrequireyoutoamendotherAPKs.

Forinstance,ifthiswereanHTCdevicewiththeSenseuserinterface,youwouldneedtoeditthe\system\framework\com.htc.resources.apkfileinsteadoftheSystemUI.apkfile.IfyouwerecreatingaSamsungFroyotheme,youwouldedit\system\twframework-res.apk.DoyourresearchontheXDAforum.

ThebestwaytofindoutwhichAPKscontainyourdesiredimagesistodownloadafullcopyofthethemeorROMthatyouwanttoeditandopenitorfullyextractitwith7-Zip.Onceyouhavethefilesystemavailable,youcanopenimagesintheembeddedfolders.

PreparingtoEditFilesBeforeeditingsystemfilestocreateourtheme,wemustfirstextracttheAPKfilewewishtomodify.

1.ConnectyourphonetoyourPCusingitsUSBcable.VerifythatthephoneisinDebugmode(openAndroidsettings→Applications→Development→Debug).

2.VerifythatyouhavetheAPKManagerfolderinyourthemingfolderandthatyouhaveinstalledanimageeditor,suchasPaint.NET.3.PlaceyourdownloadedROM(inthiscase,CyanogenMod7.0.1)inadedicatedfolderinyourthemingfolder.

4.Double-clicktheROM’szipfileandopenitin7-Zip.ThiswillletyoubrowsethefilestructureoftheROM.5.Double-clickthesystemfolderinthe7-Zipwindow.6.Dragthe\system\app\SystemUI.apkfileoutoftheROM’szipfileanddropitintheAPKManager\place-apk-here-for-moddingfolder(seeFigure5-1).

Figure5-1:NavigatingtheROMin7-Zip,insearchofSystemUI.apk

ThefullpathfortheAPKfileintheoperatingsystemis\system\app\SystemUI.apk.ItisimportanttonotethisforlateruseinAPKManagerwhenyouwanttopushthefilebacktoaconnecteddevice.

LoadinganUnzippedAPKintoAPKManagerThenextstepinourthemingjourneyistoloadtheextractedfileintoAPKManager:

1.StartAPKManagerbydouble-clickingscript.batinthemainAPKManagerfolder.TheAPKManagerinterfacehasyouchooseoptionsusingnumbersandpressingEnter.

2.SelectOption22(type22andpressEnter).

APKManagerreadsthefilesintheplace-apk-here-for-moddingfolderandasksyouwhichoneisyourcurrentproject.APKManagerworkswithonlyasingleAPKfileatatime.

3.SelectthenumberinfrontofSystemUI.apkandpressEnter.Allofyour

menuselectionsfromthispointwillaffectthisAPKfile.4.SelectOption1andpressEnter.YouwillseeafastscrolloftextandthentheAPKManagermainmenuwillload.

Nowyouhaveanewfolder,namedaftertheAPKthatyouunzippedordecompiled,undertheprojectsfolderintheAPKManagerfolder.Inthiscase,thefolderisnamedSystemUI.APK.ItcontainsallofthefilesfromtheAPK.YoucannavigatethroughtheAPKfilestructureandeditfilesasyouseefit.

EditingtheImageFilesYouaregoingtosearchforandhuntdownthegraphicsthatrepresenttheairplanemodeiconsintheuserinterface.ItcanhelptochangeyourWindowsfolderviewtodisplayimagethumbnails.Thiswillallowyoutoscrollthroughtheimagesinthefoldersandlocatetheonesyouwanttoedit.

Mostofthegraphicobjectelementsarelocatedinthe\res\drawable-hdpi\folder.Resourcesarefoundintheresfolderandthedrawable-hdpifolderstoresthehigh-densityimages.

Nowthatyouhaveallofthe“guts”oftheAPKlaidout,youcanstartpokingaroundfortheairplanemodeimages.Theimagesyouwantare:

•stat_airplane_off.png

•stat_airplane_on.png

•stat_sys_signal_flightmode.png.

OpeneachoftheseimagesinPaint.NET(oranothergraphicseditor).Maketherequiredchanges.Iremovedtheimageofanairplaneandreplaceditwiththetext“AIR.”YoucandothisinPaint.NETbyselectingtheErasetool,draggingitovertheairplane,andthenusingtheTexttooltotype“AIR.”Selectafontandsizethatfitsnicelyinthesquare.

Inmostgraphics-editingprograms,presstheCtrlkeyandscrollthemousewheeltozoominandout.Thiswillmakeiteasytoeditthesmallgraphicsfiles.

InstallingaThemeonYourDeviceWhenyouhavecompletedtheeditingprocess,youcanzipupthefilesandinstallthemonyourphone.However,beforeproceedingwiththisstep,makesureyouhavecreatedacompleteNANDroidbackupthroughyourrecoverypartition,asdescribedinChapter4.

1.InAPKManager,selectOption4(SignAPK)andpressEnter.AnewunsignedAPKshowsupintheplace-apk-here-for-moddingfolder.

2.Youwillbepromptedtoselectwhetheryourprojectfileisasystemfileornot.Inthiscase,itisdefinitelyasystemfilesoselectYtobypassthesigningprocessfornow.YoucancopythenewSystemUI.apkfiletoamasterthemefoldertocreateaflashablethemeorinstallitstraightontoyourdevice.Inthiswalkthrough,youpushthefiletoyourAndroiddevice.

3.InAPKManager,selectOption8(ADBPush)andpressEnter.4.APKManagerpromptsyouforalocationinwhichtoplacethefile.Youwillneedtoenterafullpathandfilename.Enter\system\app\SystemUI.apkandpressEnter.ThisisthepathfromwhichyoupulledtheAPKwhenyouwereexploringthedownloadedROM.YouwanttoplaceyoureditedAPKfileinexactlythesameplaceinthefilestructurefromwhichyoupulledit.5.APKManagerpushesthefilestotheirappropriateplaces.Ifthedevicehasinterfaceglitchesoroddities,don’tworrytoomuchaboutit.Youoftenneedtorebootthedevicebeforeeditsshowup.Ifafterareboot,thingsdon’tgoquiteasplanned(e.g.youenterabootloopcondition),restoretheNANDroidbackupthatyoucreatedbeforestartingthissection.

LoadinganAPKfromYourDeviceintoAPKManagerItisnotalwayspossibletoobtainafullROMforyourdevice.Ifyourphoneisrooted,youcanpullAPKfilesindividuallyfromadevice.Youthenfollowthesamebasicstepsofunzipping,editing,zipping,andpushingthefilebacktothedevice.

Yournexttargetforeditsistheframework-res.apkfile,whichlivesinthe

\system\framework\pathofyourdevice’sfilesystem.YoucanverifythatiswherethefilelivesbyopeningyourdownloadedROMandnavigatingtothatpath.RememberthataROMisanexactcopyofthefilesystemonyourdevice;itisgoodforlearningaboutfilesystemstructureandplacement.

1.MakesureyourdeviceisconnectedtoyourPCandindebugmode.2.RunAPKManager.

3.Type0andpressEntertoselectthePullAPKoption.4.Enterthepath\system\framework\framework-res.apkandpressEnter.

APKManagerpullstheframework-res.apkfileandplacesitintheplace-apk-here-for-moddingfolderintheAPKManagerfolder.ThisisthesamefolderinwhichyouplacedtheSystemUI.apkfileearlier.

5.ExtractthefilesfromtheAPKusingOption1.Nowyouhaveanewfolder,namedframework-res.apk,undertheprojectsfolderintheAPKManagerfolder.

6.Opentheframework-res.apkfolder.

7.Navigatetotheframeworkfilesandedittheappropriatefile(forexample,removetheairplanesymbolandreplaceitwith“AIR”).

8.Whenallofyoureditsaredone,youcanziptheAPKfilebyselectingOption4.9.Selecttoindicatethatitisasystemfile.10.Atthispoint,youcanpushtheAPKfilebacktothedevicefromwhichyoupulleditorplaceitinyourthemefolderstructureifyouarecreatingaflashabletheme.

WalkthroughforCreatingaFlashableZIPFileOnceyou’vethemedanAPKfile,youcanusetheAPKManagertopushitbacktothedevice.However,ifyouwishtodistributeyourthemetoawideraudience,you’rebestservedbycreatingaflashableupdate.zip.

1.InstallandrunTLCUpdatezipCreator.

2.Navigatetothe“Files”tabandclickAddtoselectthefilesyouwanttoflash.Inthisexample,weselectthefileswecreatedinthepreviouswalkthrough.

3.Whenprompted,selectsystem/frameworkasthetargetdirectoryforframework-res.apkandsystem/appforSystemUI.apk.

4.Navigatetothe“Options”tabandchangethe“Scriptversion”fieldtoEdify.ThisisneededbecauseGooglestoppedsupportingamendscriptsinAndroid1.5andClockworkModrecoverydroppedsupportforamendscriptsinversion3.0(seeFigure5-2).

5.Navigatetothe“Script”tabandsetthepropermountingpointforyourdevice.Thisisspecifictothedevice,sobesuretosearchonyourdevice’sforumwithinXDA.Settingthisfieldimproperlycanhavecatastrophicresults.6.Nowyouarereadytofinalizeyourupdate.zipbyclickingthe“Makeanupdate.zip”button.

Figure5-2:SelectingEdifyscriptforClockworkModrecoveriesgreaterthanversion3

Onceyouhavecreatedyourupdate.zip,youarereadytotestitoutforyourself.However,tobesafe,youshouldcreateafullNANDroidbackupbeforeflashing.Oncethebackupiscomplete,goaheadandflashyourupdate.

Assumingallwentwell,youhavenowcreatedyourfirstthemeandarereadytoshareitwiththecommunity.

Chapter6:You’veBecomeSuperuser:NowWhat?

Inthischapter:•PopularcustomROMsthatwillworkonseveraldevices•Howtotweakthekernel•Applicationsthatrunatrootlevel

Soyou’vefollowedtheinstructionsinthisbookandhaveobtainedrootaccesstoyourdevice.Congratulations!Itfeelsgoodtobefree,doesn’tit?Butfreeingyourdevicedoesn’tinherentlygiveitanysuperpowersuntilyoustarttinkeringwithroot-levelapplicationsandothermodifications.

Formost,thefirststepafterobtainingrootaccessistoinstallacustomROM.WhilemostcustomROMsarespecifictoparticulardevices,severalarewidespread,cross-platformreleases.Here,wepresentacoupleofthemostcommonlyusedmulti-deviceROMscurrentlyavailable.

AfterinstallingacustomROM,manyventuretoinstallanewkernel.Alternativekernelsoffermanypotentialadvantagesrangingfromoverclockingability,betterbatterylifeandperformance,tomoreesoterictweaks,suchasUSBhostfunctionalityandsoundqualityenhancements.

Finally,oncethekernelhasbeenupdated,manypeopletheninstallroot-levelapplicationsthatmakeuseofthenewlyobtainedsuperuserprivileges.

Thefunindevicehackingdoesnotendwithsimplyobtainingrootaccess.Onceyouachieveroot,youhaveonlybegunyourjourneyinoptimizingyourdevicetofityourneeds.WiththepropersetofcustomizedROMs,aftermarketkerneltweaks,androot-levelapplications,youcancreateadevicethatistrulyyourownandcapableoffarmorethantheoriginalmanufacturereverintended.

PopularMulti-DeviceCustomROMsAsyou’llquicklynoticewhenbrowsingthevariousXDAdeviceforums,themajorityofROMsthataresharedwiththecommunityarereleasedforindividualdevices.However,thereareafewnotableexceptions.TheROMspresentedinthissectionarelarge-scale,multi-devicereleasesthatoftenfunctionasthebaseforfurtherderivativedevelopmentwork.

CyanogenModIfyou’veheardofAndroidandyou’veheardofrooting,you’veundoubtedlyheardofCyanogenMod.BeginningwithincreasinglycomplextweaksfortheHTCDream:G1,CyanogenModhasgrowntobecomeanall-outmegaROMwithcloseto90officiallysupporteddevices.TheROMitselfoffersdozensofusefulfeaturesincludinglockscreengestures,apowerfulbuilt-inthemeengine,audioequalization,VPNsupport,andmuchmore.CyanogenModisbuiltfromsourcecodemadeavailableaspartoftheAndroidOpenSourceProject(AOSP),soextensivemodificationscanbemadetoit.

Inadditiontotheofficialports,therearehundreds(ifnotthousands)ofunofficialportsandmodifications(alsoknownas“kangs”).TheseunofficialversionstypicallyaddanythingfromsupportforadditionaldevicestoexperimentalfeaturesnotyetmergedintotheofficialCyanogenModtree.

ThecurrentversionoftheROMisCyanogenMod9.ItisbuiltuponAndroid4.0(IceCreamSandwich).Youcandownloaditfromhttp://get.cm.

AndroidOpenKangProjectSimilarlytoCyanogenMod,theAndroidOpenKangProjectisbuiltfromAOSP-derivedsourcecodeandincorporatesdozensoftweaksontopofGoogle’sowncode.Atthetimeofwriting,theROMbringsAndroid4.0(IceCreamSandwich)to17devices,manyofwhichhaveyettoseetheofficialmanufacturer-releasedupdatetotheoperatingsystemrevision.

VillainROMVillainROMtakesadifferentapproachtomulti-deviceROMcustomization.AlthoughsomeVillainROMreleasesarecompileddirectlyfromsourcecode,mostintheVillainROMseriesofROMsareactuallyhighlycustomizedversionsoftheoriginalmanufacturer’sshippingROM.Thus,theROMfamilyvariessignificantlyfromdevicetodevice.

Whilethelackofcohesionbetweensupporteddevicesmaydetersomepotentialusers,thisapproachalsoallowsforROMreleasestobemadequicklyafteramanufacturerreleasesanewbuildoftheoperatingsystem.Essentially,VillainROMisforuserswhothinkthatthemanufacturergenerallydidagoodjobwiththeshippedsoftwareandonlywishtohaveitperfected.

KernelTweaksTweakstothekernelcangiveavarietyofenhancementstoanAndroiddevice.

BacklightNotificationsOneofthemostpopularfeaturesoftheNexusOnewasitsmulti-coloredtrackball,whichlitupwhennotificationswerepresent.

WhentheSamsungGalaxySlinewaslaunchedinthesummerof2010,itprovidedamajorupgradeinscreenqualityandGPUspeedcomparedwiththeNexusOne.OnethingthatSamsungleftoutofmostGalaxySphoneswasanotificationLED.

Thinkingoutsidethebox,XDAforummemberNeldarwasabletosimulateLEDnotificationfunctionalitybywritingakernelmodificationthatdisplayednotificationsusingtheAndroidsoftkeysbacklight.Neldar’sBackLightNotificationmodification,whichhassincebeenportedtootherdevices,suchastheSamsung-builtNexusS,givesusersthemissingfunctionalityinaveryelegantmanner.Ratherthanrequireahardwaremodificationorevenactivatingthedevice’sdisplay,theAndroidsoftkeyssimplylightuptoindicatethatanotificationhasarrived.

BackLightNotificationcanbefoundontheXDAforums:http://forum.xda-developers.com/showthread.php?t=813389.

VoodooEnhancementsFrançoisSimond,otherwiseknownassupercurioontheXDAforums,hasproducedaseriesofkerneltweaksknownastheVoodooenhancements.Aswellasprovidingamoreefficientfilesystem,supercurioalsodecidedtoimproveuserexperienceontheGalaxySthroughthedevelopmentofaudioandcolortoolsknownasVoodooSoundandVoodooColor.Youcanlearnmoreabouttheenhancementsfromhttp://project-voodoo.org/.

VoodooLagfixWhenitwasfirstlearnedthattheRFSfilesystemusedbytheGalaxySlineofsmartphonesintroducednoticeablelagtoanotherwise-excellentexperience,thedevelopmentcommunityquicklylookedforasolution.

Supercurio’sVoodooLagfixswapsouttheRFSfilesysteminthe/cacheand/systempartitionsforthemuchmoreLinux-friendlyEXT4filesystem.

VoodooSoundBecausetheGalaxyS(alongwithseveralotherAndroiddevices)usesthehigh-endWolfsonMicroelectronicsWM8994DAC,thehardwarehasthepotentialfortrueaudiophile-gradesoundquality.Byallowingfordirect,low-levelcontrolofthehardware,VoodoosoundgivesGalaxySownersbetteraudioqualitythanpreviouslyimagined.

Severalotherdevices,suchastheSamsungGalaxyTab,Samsung-builtNexusS,andtheAsusEeePadTransformer,usetheWolfsonWM8994DACandcanbenefitfromtheenhancements.Furthermore,effortsareunderwaytoporttheaudioenhancementstootherDACs.

VoodooColorTheGalaxySshippedwithanunfavorablecolorcast.VoodooColorgivesusersdirectcontroloftheoutputparametersoftheirdevicestoimprovethecolorcast.Italsoprovidesavarietyofothervisualenhancements.

PerformanceandBatteryLifeTweaksLast,butcertainlynotleast,manypeopleflashcustomkernelsforperformancegainsandbatterysavings.Community-suppliedkernelsareoftenundervoltedandoverclocked,toallowuserstogetsmootherperformanceandalongerlastingbattery.

Manyaftermarketkernelsalsoincludeadditionalortweakedgovernorsandschedulers,whichalterthewaytheprocessordevotesitsresources.Forexample,manykernelsdefaulttoan“interactive”governorinsteadofthemoretypical“ondemand”or“conservative”options.Asitsnameimplies,aninteractivegovernorgenerallydeliversamoreresponsivelevelofperformance.

ManykernelsswapoutthestandardCFStaskschedulerinfavoroftheBFStaskscheduler,whichwascreatedbyAustraliananesthesiologistConKolivas.TheBFSgenerallydelivershigher—albeitoccasionallylessconsistent—performance.

RootApplicationsRootapplicationsmakeuseofsuperuserprivilegestoalterthedeviceatabasiclevel.

SetCPUSoyou’verootedyourdeviceandloadedacustomkernelthattweaksperformanceandenablesoverclocking.HowdoyoumakeuseoftheadditionalMHzandrunyourprocessortoitsfullestpotential?Easy:downloadSetCPU,createdbyMichaelHuang,otherwiseknownasXDARecognizedDevelopercoolbho3000.

SetCPUmakessettingyourminimumandmaximumspeedsabreeze.SetCPUalsoallowsyouto:

•selectyourclockspeedgovernorandtuneitsparameterstoyourliking•createclockspeedandgovernorprofilesfordifferentdeviceconditions(temperature,batterylifeconditions,andwhetherornotthescreenison).

Ifyouwanttomanageyourclocks,SetCPUisthewaytogo.

AdonationversionofSetCPUcanbefoundonGooglePlay.AfreeversionisavailabledirectfromthedeveloperontheXDAforum.

AdfreeAndroidAnotherpopularthingtodowhenrootingistoremoveadvertisements.AdfreeAndroidaccomplishesthistaskbymodifyingthedevice’shostsfile.Thehostsfileisasystemfile(locatedwithinsystemetc)thatisusedtomapahostnametoanIPaddress.InsteadofrelyingonaDNSquery,thesystemsimplygoestothehostname’sIPaddress,asspecifiedinthehostsfile.

Inordertoblockadvertisements,thehostsfileisoftenmodifiedtoredirectcommonlyusedadvertisementserversto127.0.0.1,otherwiseknownaslocalhost.AdfreeAndroiddoesthisandiseffectiveatblockingthemajorityofin-applicationandwebsiteadvertisements.

Onecaveattobeawareof,however,isthatmanyapplicationdevelopersrelyonadvertisementrevenueastheirprimarymeansofgeneratingincome.Byblockingtheirin-applicationadvertisements,youaredeprivingthemoftheirrightfullyearnedmoney.Sincethereisnowaytomodifythehostsfileforeachapplication,usersthatblockadvertisementsusingthehostsfileenduphurtingthedevelopersoftheapplicationsthattheyusethemost.Forthisreason,weencourageuserswhoblockadvertisementstodonatetotheirfavoritedevelopers.

AdfreeAndroidcanbeobtainedforfreefromGooglePlayorfromitsreleasethreadonXDA.

Chainfire3DHaveyoueverdiscoveredakillernewgameonGooglePlay,onlytofindthatitisincompatiblewithyourhardware?UnlikePCgaming,wheregenerallyallgamesworkoncapablehardware,gamingonAndroidismuchmorefickle.GamesoftenusetexturecompressionorshadersthatareonlycompatiblewithGPUsfromaparticularmanufacturer.

Insteadofadmittingdefeat,Chainfire3D—createdbynoneotherthanXDARecognizedDeveloperChainfirehimself—loadsanintermediarydriverthatcanaccomplishmanytasks,giventherightplugin.Almostimmediatelyafteritsrelease,pluginsappearedtoallowownersofdeviceswithallchipsetstoplaygamesmeantforNVIDIATegra,AMDAdreno,andPowerVRSGX

GPUs.

Theintermediarydriverallowsuserstocreateasettingforeachapplication.Notonlycanyouswapoutpluginsforeachofyourgames,butyoucanalsoenableperformancetweaksfordifferentapplications,suchasforcing16-bittexturesandZ-bufferorlimitingtexturesize(seeFigure6-1).

Figure6-1:PerformancetweaksavailableinChainfire3D

Chainfire3DcanbefoundonGooglePlayandinstructionsandsupportcanbefoundinitsXDAreleasethread.

TitaniumBackupAndfinally,oneofthemostwidelycitedreasonstorootistheprogramTitaniumBackup.DevelopedbyTitaniumTrack,theapplicationallowsuserstobackupapplications,applicationdata,andsystemsettings.SimilartothepreviouslymentionedNANDroidbackup,aTitaniumBackupcanpreventthelossofyoursavedgamedata.However,that’swherethesimilaritiesend.

Ratherthansimplymakingadirectimagebackupofyourdevice’sstate,Titaniumlooksatapplicationsindividuallyandbacksthemuppiecemeal.ThisisespeciallyusefulwhenusedinconjunctionwithcustomROMs.Forexample,manycustomROMsrequireadevicetobecompletelywipedbeforeinstallation.Normallythiswouldmeanlosingallapplicationsanddata.However,withaTitaniumBackup,youcanrestoreindividualapplicationsandtheirdataontothenewROM(seeFigure6-2).ANANDroidbackup,ontheotherhand,onlyallowsuserstobackupandrestoreanentiredeviceorapartitiononthedevice.

Figure6-2:Titaniumbackupdisplayingallavailableapplications

TitaniumBackupevenallowsfortaskstobebatchedandautomated.Youcanbackupandrestoreallofyourapplicationswithjustafewclicks.Youcan

evensetyourdevicetoautomaticallybackupyourapplicationstoyourDropboxaccountonasetschedule.

TitaniumBackupisavailableforfreeonGooglePlay.Apremiumversionisalsoavailable,whichaddsbetterbatchfunctionalityandmore.

PartII:ManufacturerGuidelinesandDevice-SpecificGuidesChapter7:HTCEVO3D:ALockedDevice

Chapter8:NexusOne:AnUnlockableDeviceChapter9:HTCThunderBolt:ATightlyLockedDeviceChapter10:DroidCharge:

FlashingwithODIN

Chapter11:NexusS:AnUnlockedDeviceChapter12:MotorolaXoom:AnUnlockedHoneycombTabletChapter13:NookColor:RootingwithaBootableSDCard

Chapter7:HTCEVO3D:ALockedDevice

Inthischapter:•Usingthetemporaryrootmethod•Usingthepermanentrootmethod

HTCphoneshavebecomedeveloper-andhacker-friendly.HTCallowsdevelopersandenthusiaststounlocktheirdevices.YoucanfindoutmoreaboutHTC’sunlockmethodbybrowsingtohttp://htcdev.com/bootloader.

TheEVO3Dwasoneofthefirstgenerationofsmartphonesbasedonadual-coreprocessorandrunningAndroid.TheEVO3Dincludeda“glasses-free”3Dscreenandcamera.ItshippedwithSense3.0andAndroid2.3(Gingerbread).ItlaunchedintheUSontheSprintnetworkwithaccesstoSprint’s4GWiMAXnetwork.TheHTCSensationhadasimilarspecification,withoutthe3Dcapability,andlaunchedontheT-Mobilenetwork(andonsimilar3G/UMTSnetworksworldwide).

TheEVO3Dhadalocked,signedbootloaderandlockedEMMCmemory.Itwasconsideredtobeoneofthemorelocked-downdevicesreleasedbyHTC,butitwasliberatedafewweeksafteritsrelease.

ThehackercommunitydevelopedatemporaryrootmethodfortheEVO3DbeforetherewasapermanentsolutionthatincludedS-OFF.Afterusingthetemporaryrootmethod,theEVO3Dfilesystemwouldunrootitselfandreturntoafactorystate.Asemi-permanentrootmethod(knownasa“perma-temp”method)givesrootprivilegesuntilthedevicereboots.ThepermanentrootsolutiondiscussedhereremovesS-ONandestablishespermanentrootaccessonthedevice.

ThetemporaryrootmethodusesFre3voandthepermanentrootmethodusesRevolutionary.Thiswalkthroughcoversbothmethods.Thereasonfor

coveringbothmethodsistodemonstratethewaytemporaryaccesswasgainedandtoprovideawaytodoafullbackupbeforeusingRevolutionary.

ObtainingTemporaryRootTemporaryrootwasbroughttotheEVO3DcourtesyofTeamWin.ThegroupdevelopedFre3vo,atemporary-root-acquiringtoolthatallowsusersaccesstoarootshellontheirdevices.TeamWinisalsoresponsibleforacustomrecoveryandotherEVO3D-specifichacksandcustomizations.

YouneedtheSDKinstalled,theADBtobefunctioningandthephonetobeindebugmode(seeAppendixA).YouneedtodownloadtheFre3vofilefromtheXDAforum(http://forum.xda-developers.com/showthread.php?t=1149998).TheFre3vofileisanexploitthatcreatestemporaryrootaccesstothefilesystem.

Thismethodhasyoupushafiletothefilesystem,makeitexecutableandexecuteit.

1.DownloadtheFre3vofileandplaceitinafoldercreatedspecificallyfortheexploit.2.OpenacommandpromptwindowandnavigatetoyourFre3vofolder.

3.Enterthefollowingcommandfromthecommandline:adbpushfre3vodatalocal/tmp

Thebinaryexploitis“fre3vo”withnoextension.Linux-basedoperatingsystems(includingAndroid)donotrequirefilestohaveacertainextensiontobeexecutable.

4.Makethebinaryexecutablewiththefollowingcommand:adbshellchmod777datalocal/tmp/fre3vo

5.EntertheADBshellwiththefollowingcommand:adbshell

6.Executethefre3voexploitwiththiscommand:datalocal/tmp/fre3vo

TheADBshellisclosedandyoureturntothePCprompt.Youmustre-entertheADBshelltoverifyyouhaverootaccess:

1.Enterthefollowingcommand:adbshell.

2.Verifythattheshellnowhasthehash(#)prompt,indicatingrootlevelaccess.

TherootstateobtainedwhenusingFre3voistemporaryanddisappearswhenthedeviceisrebooted.

UsingS-OFFandPermanentRootRequirementsTheAlphaRev,TeamWinandUnRevokedhackerteamsallworkedtogethertocreatetheRevolutionarytool,whichsetsS-OFFontheEVO3Dandotherphones.Revolutionaryisa“closed-source”tool,meaningthatexactlyhowitdoesitsmagicisundisclosed.Theclaimfromthedevelopersisthatthispreventsthemethodfrombeingpatched,orblocked,byOEMsandcarriers.

Asthetimeofwriting,theRevolutionarytoolisindeveloperpre-release(beta)stateandrequiresyoutouseaserialnumber.TheserialnumberisretrievedfromtheRevolutionarywebsiteinthecourseofrunningthetool.

Beforeyoustart,youneedtofollowthesesteps:

1.DownloadRevolutionaryfromhttp://revolutionary.io.(Youcanleavetheserialkeyretrievalformopenorcomebacktoitlaterbyclickingonadownloadlinkagain.)2.InstallandconfiguretheSDK(seeAppendixA).

3.InstalltheHTCdeveloperdrivers.(Youcandownloadthemfromthewikiathttp://unrevoked.com/rootwiki/doku.php/public/revolutionary.)

4.DownloadtheTeamWinflashablecustomrecovery(TWRP)fromhttp://forum.xda-developers.com/showthread.php?t=1192077

(downloadthezipfilenottheimagefile).

5.Downloadthesuperuserflashablefile(su-2.3.6.3-signed-efgh.zip)fromSection99ofhttp://forum.xda-developers.com/showthread.php?t=1192525.

Placealltherequiredfilesinafolderbythemselvestoavoidconfusion.

HereisabriefoverviewofthestepsinvolvedwithgettingS-OFFontheEVO3D:

1.VerifythattheHTCdeveloperdriversareinstalledandthatyouhaveconnectivitybetweenthePCandthedevice.2.(Optional)Backupalldata(forexample,usingthetemporaryrootmethodintheprevioussection).

3.RuntheRevolutionarytool.4.Flashthecustomrecovery.

5.Flashthesuperuserbinary.6.InstalltheSuperUserapplication.7.Runafullsystembackupfromthecustomrecovery.

Theprocedureoutlinedbelowisfairlysafeandbrick-proof.However,aswithallhackingactivities,youacceptfullresponsibilityandwillvoidyourwarrantybyrunningtheRevolutionarytool.

RunningtheRevolutionaryToolRevolutionaryrunsonyourlocalmachineandcommunicateswithyourphoneviatheUSBcable.Itdoesitsmagicviaembeddedcommandsencodedinthebinary.YouneedtoverifythatyouhaveADBconnectivity(seeAppendixAforarefresheronusingtheadbdevicescommandtotestconnectivity).ThereisasimplisticinterfacethatrunsasshowninFigure7-1.

Theutilitywilldetectthedeviceyouhaveconnected(itcanbeusedwithanumberofHTCdevices)andchooseanappropriateS-OFFmethod.

TheRevolutionaryutilitywillthenaskforakeybasedonyourserialnumber.Attimeofwriting,theRevolutionaryutilityisinbetateststageandrequiresaserialnumbergeneratedbytheRevolutionarywebsite.Thedevelopmentteamhassaidthatwhenthekeyispubliclyreleased,itwillnotrequireabetakey.

Figure7-1:TheRevolutionaryS-OFFutility

Togetyourbetakey:

1.Navigatetohttp://revolutionary.io.

2.Clickthedownloadbuttonforyouroperatingsystem.

3.Cancelthedownloadwindowifyouhavealreadydownloadedtheutility.4.Thebetakeyformisnowshownonthepage.

5.EntertheserialnumberofyourdeviceasshownintheRevolutionary

utilitywindow.6.SelectyourdeviceandHBOOTversion.

YourHBOOTversioncanbeobtainedbyforcingthephoneintobootloadermodewiththecommandadbrebootbootloader.TheHBOOTversionislistedatthetopofthewhitescreenedbootloader.

7.Clickthe“generatekey”buttonandwritedownthebetakeythatisgenerated.

Nowthatyouhavethebetakey,enteritintotheRevolutionaryutilitywindowprompt(seeFigure7-2)andhittheEnterkey.

Figure7-2:Enterthebetakeyattheprompt

TheRevolutionaryutilitystartsitsmagic.Theprocesstakesalittletimeandyourphonewillflashandrebootfourtimes.Eachtime,theRevolutionaryutilitywillpromptyouthatitisrebootingyourphone.

Attheendoftheprocess,theutilityasksyouifyouwouldliketodownloadandinstalltheClockworkModrecovery.Answer“No”tothispromptasyouwillbeinstallingtheTWRPrecovery.

TheRevolutionaryutilityisnotalwayssuccessfulatflashingtheClockworkModrecovery.Thereisthepossibilityofendingupinabootloopif

youuseittoflashClockworkMod.

AftertheRevolutionarytoolhascompleted,yourEVO3DwillbeS-OFF.However,togetfullrootaccess,youneedtoinstallthesuperuserbinaryandatooltomanageSuperUserrequests.TheeasiestwaytodothisistoflashtheSuperUserpackagestothefilesystemusingacustomrecovery.

InstallingaCustomRecoveryTherearetwowaysthattheTWRP(oranyrecovery)canbewrittentotherecoverypartition:

•usingFastboot(seeChapter3)toflashanimagefiletotherecoverypartition•usingthebuilt-inbootloaderbyrenamingthefiletotheexpectedupdatepackagename(inthiscase,PG86IMG.zip).

ThefirsttimeIrootedanEVO3D,IusedtheFastbootcommandtoflashtherecovery.Inhasteandwithalackofcaution,Iflashedtherecoveryimagetothebootpartition.Thismademyphoneonlyabletobootintorecovery.Inessence,Ihadasoft-brickeddevicethattookmeafulldayofsweatandfeartofix.IeventuallyfixedtheissuewithacombinationofADBrebootcommandsandFastboot.

Thesecondmethodisdescribedhereasitissaferandlesslikelytocauseissues.YouuseADBtopushtherecoveryflashabletotheSDcardandrenameit.ThiswillbypasspossibleissueswithWindowsExplorerchangingthenameandextensionofthefile.

ToflashtheTWRPcustomrecovery,followthesesteps:

1.OpenacommandpromptwindowandnavigatetothefoldertowhichyoudownloadedtheTWRPcustomrecoveryfile.2.UseADBtopushthefiletotheSDcardandchangethenamewiththiscommand:adbpushPG86IMG-twrp-shooter-1.0.3.zipsdcardPG86IMG.zip

3.UseADBtorebootintotheHBOOTwiththefollowingcommand:adbrebootbootloader

4.Whenthewhitebootloaderscreencomesonyourdevice,usetheupanddownvolumebuttonstoselectthebootloaderoptionandpressthepowerbuttontoselect.ThebootloaderscansforthezipfileyoupushedtotheSDcardandflashesit.5.Whenthezipfilehasbeenflashed,usetheupanddownarrowstoselect

therebootoptionandselectitwiththepowerbutton.Thedevicewillreboot.6.RemoveanyPG86IMG.zipfilethatremainsonyourSDcard.Youcandothiswithafileexplorer,suchasESFileExplorer,orusingthefollowingADBcommands:adbshell

cd\sdcard

rmPG86IMG.zip

InstallingtheSuperuserBinaryNowyouflashtheSuperUserrecoverybinaryusingTWRPrecovery.(Ifyoudidnotdownloadthesuperuserbinaryearlier,downloadsu-2.3.6.3-signed-efgh.zipfromSection99athttp://forum.xda-developers.com/showthread.php?t=1192525.)YouneedtopushthefiletoyourSDcard,rebootintorecoveryandthenflashitfromtherecovery.

Withyourdeviceon,connectedandindebugmode,enterthefollowingcommandstocopythefiletoyourSDcard:

adbpushsu-2.3.6.3-signed.efgh.zipsdcardsu-

&nbsp;&nbsp;2.3.6.3-signed.zip

adbrebootbootloader

Youcantypesuandthentapthetabkeytoautofilltherestofthelongcomplexfilenames.

1.Whenthewhitebootloaderappears,usethevolumebuttonstohighlightbootloaderandpressthepowerbutton.

2.Thebootloaderrunsascanforupdate.zipfilesandthenallowsyoutoselecttherecoveryoptiontobootintotheTWRPrecovery.

3.WhentheTWRPrecoveryboots,selectthe“FlashZip”optionusingthepowerbutton.4.Usethevolumebuttonstonavigatetothesuperuserbinaryandselectitwiththepowerbutton.TheTWRPrecoveryflashesthezipfile’scontentsandthenrebootsthedevice.

Whenthedevicereboots,thesuperuserbinariesareinplaceandyouarereadytomoveontothenextstep.

InstallingaSuperUserApplicationNowthatyouhaveacustomrecoveryandthesuperuserbinaryinplace,youneedawaytohandlerootandrootrequestsfromapplicationsandtheAndroidoperatingsystem.ChainsDD,adeveloperofexceptionaltalent,hascreatedasuperusermanagementapplicationknownasSuperUser.YouinstallChainsDD’sSuperUserapplicationtohandleallsuperuserrequests.

1.SearchinGooglePlayforthe“SuperUser”applicationfromChainsDD.2.DownloadandinstalltheSuperUserapplication.(YoucanpurchaseSuperUserElitetothankChainsDDforhisexcellentworkintheAndroidhackercommunity.Heworksveryhardtomakethiseasyforus.Forlessthanacupofcoffee,youcanhelpChainsDDcontinuehisworkforthehackercommunity.)

3.RuntheSuperUserapplicationonyourEVO3D.IftheapplicationdetectsavalidinstallationofSuperUserbinaries,youwillbefullyrootedwithS-OFF.4.RebootintoTWRPtomakeafullbackupofyourfilesystem.

AtthispointyoucandownloadROMswithcustomizationsandoptimizations.CustomROMsusuallyhavecarrierbloatremovedandcontaincustomizationstothefirmware.DownloadingROMsfromtheXDAforumcanbeaddictive.Checkoutoneoftheaggregateposts(suchashttp://forum.xda-developers.com/showthread.php?t=1192661)thatkeeptrackofthemostpopularROMsandcustomthemes.

Chapter8:NexusOne:AnUnlockableDevice

Inthischapter:•InformationabouttheNexusOne•RootingtheNexusOne

Thiswalkthroughappliesskillslearnedinthefirstpartofthebook.Anunlockeddevicemakesiteasytosendfilestotherootfilesystemandstartthecustomizationofyourphone.ThischapterwillmakeagoodreadnotonlyforownersoftheNexusOnedevicebutalsoforbeginningAndroidhackers.Itisincludedhereasareferencetohelpyouunderstandtheapplicationofthecommandsandskillsfromthefirstpartofthebook.ReadthroughthiswalkthroughtounderstandtheprocessofrootinganunlockabledeviceandthegeneralapplicationofADBandFastbootcommandsfromtheSDK.

TheNexusOneisaGooglephonewithavanilla(unaltered)versionofAndroid.Itisconsideredadevelopers’phoneanditcanbeunlockedusingtheFastbootcommand.TheNexusOnewasbuiltbyHTCandsoldbyGoogle.OEMsandcarriersusuallytakeaversionofAndroidandmodifyittoincludeorexcludefeaturesandapplicationsbeforeshippingitonaspecificmodelofdevice.TheNexusOnewasdesignedspecificallytohighlightanAndroidinstallationthathadnotbeenalteredbyanOEMorcarrier.ThephonecontinuestobepopularamongdevelopersandthosewhovaluetheeaseofrootinganddevelopinginanunalteredAndroidenvironment.

TheXDAforumfortheNexusOnecanbefoundathttp://forum.xda-developers.com/forumdisplay.php?f=556.

RootMethodsAvailableThefollowingrootmethodsareavailablefortheNexusOne:

•theZ4Rootone-touchrootapplication,whichdoesnotunlockthedevice•ASHMEMexploitsusingpsneuter

•Fastbootunlockingofbootloader.

ThiswalkthroughusestheFastbootunlockingmethod.TheNexusOnewasintendedtobeunlockedandusedasadeveloperphone.TheNexusOneXDAforumandtheNexusOnewiki(http://forum.xda-developers.com/wiki/index.php?title=Nexus_One)containallofthemethodsandfilesneededforthewalkthroughhere.

TherearemethodsforrootingandrunningcustomROMsontheNexusOnethatbypassunlockingthebootloader.Theprimaryreasonforusingamethodthatleavesthebootloaderlockedistoavoidthelossofwarrantycoveragethatcomesfromunlockingit.However,ifyouunlocktheNexusOne,theprocessissimplerandyouwillhavealearningexperiencewithadeveloper-classdevice.

ResourcesRequiredforthisWalkthroughBeforefollowingthestepsinthiswalkthrough,youshoulddownloadthefollowingfilesfromthedevice-specificforumatXDA(http://forum.xda-developers.com/forumdisplay.php?f=556):

•AndroidSDKfortheADBandFastbootcommands•theNexusOnesuperbootimagefile(abootimagewithrootaccessthatwillbewrittentothebootpartition)appropriatetoyourAndroidbuild(todeterminethebuild,openSettingsandAboutThisPhone;thebuildnumbershouldresemble“ERE36B”)

•thesuperuserbinary•theSuperUser.apkapplication

•theBusyBoxbinaries.

WalkthroughTheskillsdiscussedinChapter3areusedheretounlockthebootloaderandflashanewbootloaderusingFastboot.

ThiswalkthroughisforAndroid2.3.3.IfyourNexusOneusesAndroid2.3.4,youwillneedtheprocedurelistedathttp://nd1razor.blogspot.com/2011/07/how-to-root-android-234-

nexus-one.html.IfyourdeviceusesanyotherversionofAndroid,youwillneedtoresearchthespecificvariationsfromtheprocessinthiswalkthrough.

ThebasicstepsofrootingtheNexusOneandthengettingacustomROMontoitaresimilartotheotherwalkthroughsinthisbook:

1.Unlockthebootloader.2.Flashanewbootloaderwithanunlockedfilesystem.

3.InstalltheBusyBoxbinaries.4.Installthesuperuserbinary.

5.InstalltheSuperuser.apkapplicationtocontrolwhathasrootaccessfromthedevice.

YoucanunlockthebootloaderontheNexusOnewithasimplecommandfromFastbootonyourPC.Youneedtorealizethoughthatthismethodofunlockingthebootloaderisuniquetounlockabledevices.Withotherdevicesinthisbook,youmustjumpthroughmanyhoopsjusttogetthebootloaderunlocked.AbootloaderfromtheOEMthatisnotlockeddownmakestheprocessofcustomizingyourphoneassimpleasthewalkthroughhere.

UnlockingthebootloaderonyourNexusOnevoidsthewarranty.ItiscurrentlynotpossibletorelocktheNexusOnebootloader,thoughprogresshasbeenmadebydevelopers.YoucanalwaysgobacktoastockversionofAndroidandastockROMbutunlockingthebootloaderisaone-waystreet.Ifyouwanttokeepthebootloaderlocked,youcanusethepsneutermethodtorootyourNexusOne(http://forum.xda-developers.com/wiki/Nexus_One/Guides_%26_Tutorials#Root).

Youshouldnotethatsomeunlockabledevicescanberelocked.TheXoom,forinstance,canberelockedaslongasthebootloaderandtheROMarebothsignedwiththeOEM’ssignature.

PlacingtheNexusOneinFastbootModeThefirststepistoplacethephoneinamodethatwillacceptcommandsfromtheFastbootprotocol.ThisistypicallycalledFastbootorFastbootmode.TheNexusOnehasanintermediatemodecalledHBOOT,whichallowsyouchoosebetweenFastbootandbootingintorecovery.ToforcetheNexusOneintoHBOOT,startwiththephoneswitchedoffandfollowthesesteps:

1.ConnectthedevicetoyourPCwiththeUSBcable.2.Pressandholdthetrackballatthebottomofthephone.3.Withoutreleasingthetrackball,pressthepowerbuttontoturnthephoneon.HoldthetrackballuntilthewhiteHBOOTscreenappears.

4.Verifythatthestatusindicatorreadsfastbootusb.

Youcanalsousethevolumebuttonstoselectthebootloaderoption,bootintothebootloaderandthenselecttherecovery.Fortheunlockprocedure,youneedonlythedefaultFastbootmode.

5.StartacommandpromptwindowonyourPCandnavigatetothefolderwheretheFastbootcommandisinstalled(usuallyC:\ProgramFiles(x86)\Android\android-sdk-windows\tools\).

6.Enterthefollowingcommand:fastbootdevices

ThiscommandworksinasimilarwaytotheADBdevicescommand.ItreportsanyattachedFastbootdevices.TheoutputofthecommandshouldlooklikeFigure8-1.

Figure8-1:ThefastbootdevicescommandshowinganattachedHTCdevice(theNexusOne)inFastbootmode

Iffastbootdevicesdoesnotreturntheattacheddevices,verifyconnectivityandthattheNexusOneshowsfastbootusbontheHBOOTscreen.7.Enterthefollowingcommand:fastbootoemunlock

ThiscommandstartstheunlockqueryontheNexusOne.Selectthe“Yes,unlockbootloaderandvoidyourwarranty.”option.

TheNexusOnewillrebootandthebootscreenwilldisplayanunlockedpadlockatthebottom.

FlashingaBootPartitionNextyoumustflashabootpartitionthatwillallowfullrootaccesstothefilesystem.

1.ExtractthesuperbootimagefiletoyourFastbootfolder.ThismakesiteasiertotypetheFastbootcommand.2.ReboottheNexusOneintoFastbootmodebypoweringitonwhileholdingdownthetrackball.

3.OpenacommandpromptwindowonyourPCandnavigatetoyourFastbootfolder.4.Enterthefollowingcommand:fastbootflashboot<buildnumber>.boot.img

Thiscommandwritesthebootimagefilethatyoudownloadedtothebootpartition.

Whentheflashiscomplete,theNexusOneshouldreboot.Ifitdoesnot,enter:fastbootreboot.

GettingFullRootAccessThenextstepsaretoinstallthecommandstogivetheNexusOnefullrootaccessandsuperusercontrolofthefilesystem.YoupushseveralbinariestothefilesystemwithADBthenchangethepermissionsonthebinariessotheycanbeexecuted.

MakesuretheNexusOneisinDebugmode.RefertoChapter3forinstructionsonputtingyourphoneintoDebugmode.TheclickpathforDebugmodeisSettings→Applications→Development→Debug.

1.NavigatetothefoldertowhichyoudownloadedthesuperuserandBusyBoxbinariesandtheSuperUser.apkapplication.

2.Enterthefollowingcommand:adbpushsusystembin/

3.Enterthefollowingcommand:adbpushbusyboxsystembin/

Next,logintotheAndroidshellandchangethepermissionsonthesefilessotheycanbeexecuted.IfyouneedarefresheronnavigatingandusingtheADBshellorthechmodcommand,turnbacktoChapter3andreviewtheactivitiesthere.Tomakethebinariesexecutable,followthesesteps:

1.OpenacommandpromptwindowonyourPCandverifythatyouhaveADBconnectivitywithyourdevice.(RefertoAppendixAforinstructionsonsettingupandusingADB.)2.Atthecommandprompt,enterthefollowingcommand:adbshell

ThiswilldropyouintotheinteractiveADBshell.Youcanverifyitbythe#promptinthecommandshell.3.Atthehashprompt,enterthefollowingcommand:chmod4755systembin/su

4.Enterthefollowingcommand:chmod4755systembin/busybox

5.Finallyusethechangeownercommandtomakethesuperuserbinary

belongtoroot.Enterthefollowingcommand:chownrootsystembin/su

Afterthecorebinariesareinstalledandthepermissionschanged,youneedtoinstalltheSuperUserapplication(writtenbyChainsDD),whichprovidesacontrolmechanismforapplicationsthatrequestsuperuseraccess.NavigatetoGooglePlayanddownloadSuperUser.apk.

Atthispoint,yourNexusOneisunlocked,rootedandreadyformorecustomization.

InstallingaCustomRecoveryThereareacoupleofwaystoinstallthecustomrecovery.ThemanualwayistodownloadtherecoveryimagefileanduseFastboottoflashittotherecoverypartition.Tomanuallyflashacustomrecovery,followthesesteps:

1.ConnecttheNexusOnetoyourPCandopenacommandpromptwindowonyourcomputer.2.Enterthecommandadbreboot-bootloader.

3.VerifythattheNexusOnerebootsintoFastbootUSBmode.4.FromyourPCcommandprompt,runthefollowingcommand:fastbootflashrecovery<recoveryimagename.img>

Waitfortheflashtocomplete.

5.Enterthecommandfastbootreboot-bootloadertorebootthedevicebackintothebootloader.6.Usethevolumeupanddownbuttonstohighlightthe“bootloader”optionandpressthepowerbutton.

7.Thebootloaderlooksforanupdate.zipfileandthenallowsyoutoselectthe“recovery”optionwiththevolumeandpowerbuttons.TheNexusOnebootsintorecovery.

Thereisafareasierwaytoinstallacustomrecovery,thoughthemanualwayismoreedifying.KoushikDuttahascreatedanapplication,RomManager,thatisacompaniontotheClockworkModrecovery.RomManagernotonlyprovidesanexcellentwaytoinstalltheClockworkModrecoverybutisalsoawaytodownloadandflashcustomROMs.

DownloadtheRomManagerapplicationfromGooglePlay.(Purchasethefullversionasthebenefitsaremanyandthedeveloperisbothtrustworthyandhardworking.)

TousetheRomManagerapplicationtoinstalltheClockworkModrecovery,followthesesteps:

1.StartRomManagerandselectthe“FlashClockwork”option.

2.SelectyourdevicefromthelistofsupporteddevicesthatRomManagerdetects.RomManagerwillrequestsuperuserpermissionsandtheSuperUserapplicationwillpresentyouwithapop-upbox.3.Selectthe“Allow”and“Remember”options.TheRomManagerwillinstalltheClockworkModrecovery.

4.Whenthesuccessfulflashhasoccurred,selectthe“Rebootintorecovery”option.YourNexusOnewillbootintotheClockworkModrecovery.

Atthispoint,youshouldusethebackupoptiontobackuptheentireNexusOne.

Chapter9:HTCThunderBolt:ATightlyLockedDevice

Inthischapter:•InformationabouttheHTCThunderBolt•RootingtheHTCThunderBolt

TheHTCThunderBoltwasintroducedtotheVerizonLTE(4G)networkasa1GHzAndroiddevicewith768MBofinternalmemory.Itwasoneofthefirstgenerationofdevicestooffer4GspeedsontheVerizonnetwork.

TheThunderBoltwasalsooneofthemorelocked-downHTCdeviceswithmultiplelevelsofsecuritychecksandencryption.Thelocked-downnatureoftheThunderBoltwasintendedtokeepthedevicewellwithinthecontroloftheOEMandcarriers.However,theThunderBoltwasfreedbyacombinationoftheprovenpsneuterexploitandsomenewmagicintheformofadowngradefirmwarethatcouldberooted.

IhavechosentowalkthroughrootingtheThunderBoltbecauseitisoneoftherootprocessesthatmakesyoufeelverymuchasifyouarehacking.Therealityisthatallofthehardworkhasbeendonebythedevelopers,suchasScottWalkerandTeamAndIRC.However,usingtheexploitandskillsyoulearnedinChapter3,youwillquicklyrealizeyouaredoingrealdevicehacking.

Whenreleased,thedevicewasrumoredtobe“unbreakable”.Thehackercommunitymadeshortworkofitanyway.TheThunderBoltwentveryquicklyfrombeingoneofthemostlocked-downAndroiddevicestojoiningtheranksofcompletelyfreeAndroiddevices.Thewalkthroughinthischapterexamineseachstepoftheprocess.

RootMethodsAvailableMostoftherootmethodsfortheThunderBoltfollowthewalkthroughprocedureswithslightalterationsforupdatedversionsofthephoneandchangesthatcomewithover-the-airupdatesfromVerizon.ItisextremelyimportantthatyoudoyourhomeworkontheXDAforumtodeterminewhichprocessiscorrectforyourdeviceversion,HBOOTversionandAndroidbuild.

ThisparticularwalkthroughisfortheMR1/OTAFirmware1.13.605.7version.YoucancheckyourfirmwareversionbynavigatingtoSettings→AboutPhone.

Thedevice-specificforumonXDAcanbefoundathttp://forum.xda-developers.com/forumdisplay.php?f=940.Agoodreferencethreadforthisprocedureisathttp://forum.xda-developers.com/showthread.php?t=996616.

Somepostssaythatthemethodcoveredinthischapterisoutdated.Thatisbecauseaneasiermethodisnowavailable.TheRevolutionarytooliscoveredinChapter7andshouldbeusedifpossible.ThemethoddiscussedhereisstillappropriateandstillworksiftheversionofAndroidisthesameasoriginallyshippedonthedevice.

ResourcesRequiredforthisWalkthroughThefollowingfilescanbedownloadedfromembeddedlinksinhttp://forum.xda-developers.com/showthread.php?t=996616:

•thecustomROMupgradeutility,PG05IMG_downgrade.zip(MD5SUM:aae974054fc3aed275ba3596480ccd5b)•theBusyBoxbinary

•theexploitfiles,wpthisandpsneuter

•thesuperuser(SU)binary

•themisc.imgfile(MD5SUM:c88dd947eb3b36eec90503a3525ae0de)foroverwritingtheeMMC•thehbooteng.nb0imagefileforreplacingtheHBOOT(MD5SUM:6991368ee2deaf182048a3ed9d3c0fcb)(ThisisthedeveloperversionofHBOOTthatgivesaccesstomoreFastbootcommands.)•thecustomROMupgradeutilityPG05IMG_MR1_upgrade.zip(MD5SUM:7960c7977c25b2c8759605be264843ea).

PlaceallofthefilesyoudownloadintoasinglefolderonyourPC.ItwillbehelpfulforyoutoaccessthefilesifyoucreatethefolderontherootofoneofyourPC’sharddisks,forexample,D:\ThunderboltRoot.UnziptheexploitfilesandtheBusyBoxandSUbinariesintoyourfolder.

Donotunzipthedowngradeandupgradezipfiles.TheyareROMupgradeutility(RUU)files—signedfirmwarethatwillbeusedtodowngradeyourfirmwareandthenupgradeaftergrantingS-OFFtoyourdevice.Itisextremelyimportantthatyoudonotunzipthesefiles.Placethezipfilesinyourfolder.

WalkthroughADBhastobesetupbeforeyoustartthisprocess.RefertoAppendixAforinstructionsonsettingupandusingADB.

Readeverything.ReadtheXDAthreads.Chargeyourphone.Youcanbrickyourdeviceifyoudonotfollowtheseinstructionscorrectly.Youwillvoidyourwarranty.Youassumeallresponsibility.

PushingFilestotheDeviceThefirststepistopushtheexploitfile,BusyBoxandtheexploitimagetoapartofthefilesystemthatiswriteablewithoutrootaccess.YouwilluseADBtopushthefilesandthenchangethepermissionsonthefilessothattheycanbeexecutedasbinaries.

YouwillusetheADBshellinitsnon-interactivemode.WhenyoupracticedthechmodskillinChapter3,youusedtheADBshellininteractivemode.Innon-interactivemode,yourcommandpromptdoesnotchangeto$afterthefirstADBshellcommand.Instead,thecommandisrunonthedeviceandyoureturntothePCcommandprompt.

1.OpenacommandpromptwindowonyourPCandnavigatetothefolderinwhichyousavedthefiles.2.Runthefollowingcommandstopushthefilestothewriteableportionofthefilesystem:adbpushpsneuterdatalocal/

adbpushbusyboxdatalocal/

adbpushmisc.imgdatalocal/

3.Enterthefollowingcommandstochangethepermissionsonthefiles:adbshellchmod777datalocal/psneuter

adbshellchmod777datalocal/busybox

GainingTemporaryRootThenextstepistogaintemporaryrootaccess.ThisisaccomplishedviaanexploitinwhichADBchecksfortheS-OFFandS-ONsecurityflagsfortheconnecteddevice.ScottWalkerhaswrappedupthisexploitintothepsneuterutilityyouhavejustuploadedtoyourdevice.

YounowusetheADBshellinitsinteractivemode(asyoudidinChapter3).Inthemiddleoftheprocess,yourADBshellmayseemtofreeze—thisisexpectedandyouwillcloseyourcommandpromptwindowasnecessaryandrestartittocontinuetheprocess.

Rootaccessusingthepsneuterexploitisveryfragile.Itwilldisappearifyourdeviceisrebooted.Infact,itcanalsoberevokedbysomedeviceactivities.Makesureyourdeviceisfullychargedandfollowonlythestepshere.

1.EnterthefollowingcommandtoentertheinteractivemodeofADBshell:adbshell.

YourPCcommandpromptshouldbereplacedbythe$promptthatsignifiesyouareoperatingintheAndroidoperatingsystemwithalowor“notroot”accesslevel.

2.Enterthefollowingcommandtorunthepsneuterexploit:datalocal/psneuter

Therewillbeaslightpauseandoneoftwothingsmayoccur:

•YoumaybekickedoutoftheADBshellandseethePCcommandpromptagain.•Youmayfreezeatthecommandpromptandnotbeabletoenteranything.

Ineithercase,simplyopenanewcommandpromptwindowandcontinuefromthenextsection.Itishighlyunlikelythatyouwillneedtorunthepsneuterexploitasecondtime.Ifyoudonothavetemporaryroot(indicatedbythe#promptintheADBshell),rebootyourphoneandtrytheprocessagainfromthetop.

CheckingaFile’sMD5SignatureTheBusyBoxbinary(seeChapter3)containsmanycommandsfortheAndroidoperatingsystem,includingacommandthatallowsyoutohashanyfiletocheckitsMD5signature.

Whenyoudownloadafile,youshouldhashthecopyonthefilesystemtoverifythatitisthecorrectsizeandnocorruptionhasoccurred.Afteryouwritetheimagefiletothepartofthefilesystemsetasideasstorageforparticularcode,youagainhashthedatatoverifythatitwaswrittencorrectlyandwithnocorruption.

WritingtheTemporaryBootloaderNowyouwillusethemisc.imgfileyouuploadedtooverwriteaportionoftheThunderBolt’sfilesystem.Thiswillallowyoutodowngradethefirmwaresoyoucanupgradetoarootedimage.

Beforeyoudosomethingasdestructiveasoverwritingaportionofthebootloader,youwanttobevery,verysurethatthedatayouwillbewritingmatchestheknowngoodexploitcode.Whentheexploitwascreated,itwasrunthroughanMD5hashprocedurethatgeneratedaone-wayhashcodethatcanbeusedtoverifythefilewheneveritisdownloadedormoved.

TheprocessforverifyingtheMD5hashofafileisdescribedindetailinChapter3.Youmustenterthefollowingcommandatthe#promptoftheADBshell:

datalocal/busyboxmd5sumdatalocal/misc.img

Theoutputfromthehashcommandshouldbec88dd947eb3b36eec90503a3525ae0de.Iftheoutputstringdeviatesinanywayfromtheexpectedstring,youneedtorepeattheprocessofdownloadingthefileandpushingittotherequiredlocation.

Itiscriticaltocheck(anddouble-check)theMD5hashherebecauseyouarewritingtoasectionofmemorywithapowerfulcommand.Amis-steporsinglefaultybitwillbetheabsoluteendgameforthephone.Thatisrarelytrueforrootingprocedures.

Oncethehashstringisidenticaltotheexpectedstring,youcanwritemisc.imgtoitsnewhome.

1.OntheADBshellcommandline,enterthefollowingcommand(seeChapter3formoreinformationabouttheddcommand):ddif=datalocal/misc.imgof=devblock/mmcblk0p17

2.VerifytheMD5hashofwhatwascopiedbyenteringthefollowingcommand:datalocal/busyboxmd5sumdevblock/mmcblk0p17

TheMD5hashoutputshouldmatchthefollowingstringexactly:c88dd947eb3b36eec90503a3525ae0de.Ifitdoesnotmatchexactly,repeatthesesteps.

DowngradingtheFirmwareInthisstep,youflashasignedversionofthefirmwareearlierthantheonewithwhichyourdeviceshipped.AsmentionedinChapter2,thebootloaderlooksforaspecificallynamedfileforupdatestothedevicefirmware.Youcopythesigneddowngradezipfiletothedevice’sSDcardusingADBcommands.

1.InacommandpromptwindowonyourlocalPC,enterthefollowingcommandtoopentheADBshellininteractivemode:adbshell.

2.Enterthefollowingcommandtorenamethefile:adbpushPG05IMG_downgrade.zipsdcardPG05IMG.zip

3.EnterthefollowingcommandtoverifytheMD5hashofthepushedfile:datalocal/busyboxmd5sumsdcardPG05IMG.zip

TheMD5hashoutputshouldmatchthefollowingstringexactly:aae974054fc3aed275ba3596480ccd5b.Ifitdoesnotmatchexactly,repeatStep2andcheckitagain.Youmayalsowanttodownloadthefileagain.Donotunplugyourphoneorrebootit—ifyourphoneisturnedofforrebootsatthispoint,itislikelytobepermanentlybricked.Justkeeptryinguntilthehashcomesoutcorrectly.4.Whenthehashstringmatches,enterthefollowingcommand:adbrebootbootloader

5.WhenthewhiteHBOOTbootloaderscreenshowsup,usethevolumeupanddownbuttonstoselectthe“bootloader”optionandpressthepowerbuttontoselectthebootloader.Thebootloaderlocatesthesignedzipfileandflashesittoyourdevice.

6.Whenyouareaskedtoupgrade,selectthe“yes”option.Getacupofcoffeeandletitdoitsthing.Theflashandrebootcantakealongtime.7.Whenit’sdone,selectthe“reboot”optionandallowittoreboot.

Whenthephonehasrebooted,useafileexplorer(suchasESFileExplorer)tolocatePG05IMG.ziponyourSDcardanddeleteit.Thisisimportantasyouwilllaterplaceanothersignedfirmwarethereforflashingtoupgradethefirmware.

GainingTemporaryRoottoUnlocktheMMCYouaregoingtofollowalmostthesameprocedureasyoudidearlierwhenpushingfilestothedevice.Thenyouwillrunthetwo-partexploittogaintemporaryrootandunlocktheMMC.

1.InyourPCcommandpromptwindow,makesurethatyouareinthefoldertowhichyouextractedalltheThunderBoltexploitfiles.2.Runthefollowingcommands:adbpushpsneuterdatalocal/

adbpushbusyboxdatalocal/

adbpushwpthisdatalocal/

adbshellchmod777datalocal/psneuter

adbshellchmod777datalocal/busybox

adbshellchmod777datalocal/wpthis

3.Runthefollowcommandstogettemporaryroot:adbshell

datalocal/psneuter

RememberthisexploitthrowsyououtofADBshell,sodon’tpanic.SimplyreopentheADBshellandcontinuewiththefollowingstep.

4.RuntheMMCunlock:datalocal/wpthis

exit

RewritingtheBootloaderFirstyoupushtheHBOOTtothefilesystemandverifytheMD5hash.ThenyouwritethefiletotheMMCandverifytheMD5hash.Thisisthesinglemostcriticalmomentofthisprocess.IfyoudonotgetanexacthashfromtheMD5SUMcommandyoumustrewriteuntilyougetthecorrectMD5hash.

Ifthispartoftheprocedureisdoneincorrectly,youcancompletelybrickyourphone.Goslowly,readaheadanddon’tpanic.

1.InyourPCcommandpromptwindow,makesurethatyouareinthefoldertowhichyouextractedalltheThunderBoltfiles.2.Enterthefollowingcommandtopushthefiletoyourdevice:adbpushhbooteng.nb0datalocal/

3.OpentheADBshellandcheckthefile’shashvalueusingthefollowingcommands:adbshell

datalocal/busyboxmd5sum

datalocal/hbooteng.nb0

4.Lookcarefullyattheoutput.Itmustmatchthefollowingstring:6991368ee2deaf182048a3ed9d3c0fcb.IftheoutputoftheMD5SUMcommanddoesnotmatchthestringexactly,youmustdownloadthefileagain.

5.FromtheADBshell’s#prompt,enterthefollowingcommandtowritethenewbootloader:ddif=datalocal/hbooteng.nb0

of=devblock/mmcblk0p18

6.Whenthatprocesscompletes,youneedtoverifytheMD5hashofwhatendedupintheMMCmemoryblock.AttheADBshellprompt,enterthefollowingcommand:datalocal/busyboxmd5sumdevblock/mmcblk0p18

TheMD5hashoutputshouldmatchthefollowingstringexactly:6991368ee2deaf182048a3ed9d3c0fcb.Ifitdoesnotmatchexactly,repeatStep5.Donotunplugyourphoneorrebootit—ifyourphoneisturnedofforrebootsatthispoint,itislikelytobepermanentlybricked.

7.Whenthehashstringmatches,enterthefollowingcommandstoleavetheADBshellandrebootyourdevice:exit

adbreboot

UpgradingtheFirmwareNowyouuseADBtocopytheupgradezipfiletoyourSDcardandallowthenewbootloadertowriteittoyourdevice.

1.MakesureyouhaveaPCcommandpromptwindowopenandareinthefolderwhereyouplacedthesignedzipfile.2.EnterthefollowingcommandtopushthefiletoyourSDcard:adbpushPG05IMG_MR1_upgrade.zip

sdcardPG05IMG.zip

3.Becauseweonlyacquiredtemporaryrootearlier,wemustpushtheBusyBoxbinarytothedeviceaswell:adbpushbusyboxdatalocal/

4.VerifythattheupgradeRUUfirmwarematchestheMD5SUMhashforthefile(7960c7977c25b2c8759605be264843ea):adbshell

datalocal/busyboxmd5sumsdcardPG05IMG.zip

Ifthehashstringsdonotmatch,downloadtheupgradezipfileandpushittotheSDcardagainuntiltheydomatch.5.OncethefileiscorrectlywrittentoyourSDcard,youcanletthenewbootloaderwritethenewfirmware:exit

adbrebootbootloader

WhenthewhiteHBOOTscreenbootsup,usethevolumeandpowerbuttonstoselectthe“bootloader”option.ThebootloaderwillcheckforPG05IMG.zipandflashit.Againwhenaskedtoupgrade,select“yes”andgoforacupofcoffee—itcantakeawhile.Whentheflashingiscompleted,rebootthedeviceandremovePG05IMG.zipfromyourSDcard.

AtthispointyouarerunningadevicethatisS-OFF—ithasthesecurityflagoffandisrunningrelease(asopposedtodeveloper)firmware.

DownloadSuperUser.apkfromGooglePlaybysearchingfortheSuperUserapplication.YoucanalsopurchaseandinstallRomManagertohaveaccesstocustomrecoveriesandcustomROMfirmwareforflashing.

Ifyouweretoacceptadownloadpushedovertheair(OTA)fromyourcarrier,youwouldbeverylikelytoundoallofyourhardwork:itwillunrootandremovethecustomfirmware.ItisbestnottoacceptOTAupdates.However,ifyouinstallacustomROM,youareunlikelytoseeOTAupdates,asmostROMsblockthem.MostcustomROMsreleasetheirownupdatesbasedontheOTAs.

Chapter10:DroidCharge:FlashingwithODIN

Inthischapter:•InformationabouttheDroidCharge•RootingtheDroidCharge

TheDroidChargeisawell-roundedAndroidsmartphonewithahigh-contrastdisplayandaccesstoVerizon’sLTE(4G)network.

CustomizingtheROMandfirmwareonaDroidChargeinvolvesstepsratherdifferentfromusingADBtosendandreceivecommandsandfilestothedevice.AlthoughADBcanbeusedtocommunicatewithaSamsung(aswithnearlyallAndroiddevices),mostfirmwaremodificationproceduresonSamsungdevicesuseasoftwaresuiteknownasODIN.SimilartotheFastbootprotocol,ODINisatoolthattakesfirmwarepackages(rootedROMs,recoveriesandothercustomizations)andwritesthemtothememoryofaSamsungdevice.ODINmakesforafairlyeasyrootingprocess.Whileitismoreuser-friendlythanthecommandline,ODINitselfisnotterriblyintuitiveandrequiressomebasicexplanationoftheinterface.

ODINflashestoyourphone’sfilesystemspeciallyformattedpackagesin.tar.md5format.Theeasiestwaytoaccomplishroot-levelaccessistoflashtheClockworkModrecoveryandthenusetherecoverytoinstalltherootedROMofyourchoice.

Neverflashapackagethatyoudonotknowisintendedforyourdeviceandfirmware(bootloader)version.

ResourcesRequiredforthisWalkthroughYoucandownloadalltherequiredpiecesofsoftwarefromhttp://forum.xda-developers.com/showpost.php?p=15897406.Ataminimum,youneed:

•driversfortheDroidCharge•ODIN3.x

•ClockworkModinaformatforODINtoflash•arootedcustomizedROMtoflashwithClockworkMod.

TherearecompletepackagesfortheDroidChargethatincludearootedROMandClockworkMod.Flashinganall-in-onepackage,suchastheonelistedintheXDAforumpostathttp://forum.xda-developers.com/showpost.php?p=15897406willresultinasingleflashstepinsteadofmultiplesteps.

WalkthroughIfyoudownloadedaChargeKitfromhttp://forum.xda-developers.com/showpost.php?p=15897406,youneedtoextractODINtoafolderofitsownsomewhereonyourmachine.ThisfolderisprimarilyforrunningtheODINutility;trynottoputflashablefilesandotherfilesintoit.

ConnectingtheDevicetoODINRuntheODINutilitybydouble-clickingtheODINexecutable.YoushouldseetheutilityasinFigure10-1.

Figure10-1:TheODINutility

ForthephonetocommunicatewiththeODINutility,itneedstobeindownloadmode.Putthephoneindownloadmodebyfollowingthesesteps:

1.PullthebatteryfromyourDroidCharge.2.PlugyourDroidChargeintoyourcomputerwiththeUSBcable.ThephonewilltakeitspowerfromthePCinmostcases.(Seethe“Troubleshooting”sectionifyouhaveaproblem.)

3.Holdthevolumedownbuttonuntilyouseealargeyellowtriangle.4.YourphoneisindownloadmodeandODINshouldnowshowaconnecteddeviceintheID:COMwindow.

FlashingtheDeviceThisstageinvolvesbrowsingtoafileyouwanttoflashandusingODINtoflashittothedevice.

1.OpentheODINutilityonthePC.2.ClickthecheckboxinfrontofthePDAbutton.

3.ClickthePDAbutton.Youarepresentedwithafileselectiondialog.ThebuttonyouuseisthePDAbutton.Itcannotbestressedenoughthatyoudonotuseanyotherbuttontoflashyourphone.

4.NavigatetothefileyouwishtoflashtoyourDroidCharge.Thiscouldbeanall-in-oneROM–Root–RecoverypackageortheClockworkModfile.

5.Selecta.tar.md5file;itspathisplacedinthetextboxtotherightofthePDAbutton.6.Uncheckthe“AutoReboot”checkbox(belowtheID:COMboxes).7.Pressthe“Start”button.

ODINwillshowthedownloadprocess.Donotinterrupttheprocess.Whenthedownloadhascompleted,ODINwilldisplayablue“Restart”andthenshowagreen“Pass”intheID:COMbox.

If“Pass”doesnotshow,youneedtostarttroubleshootingtheflashprocess.UsingODINisafairlysafeandstraightforwardactivity.Ifyouexperienceissues,skiptothe“Troubleshooting”section.

8.Disconnectyourphonetorebootit.Ifyouinsertedthebatteryfortroubleshooting,youwillneedtopullthebatteryoutaswell.

•IfthepackageyouinstalledwithODINwasarecoverypackage,youcannowbootintorecoverytoinstallacustomrootedROM.UsetheinformationinChapter3onClockworkModtoinstallacustomROMwithit.•Tobootintorecovery,pressthehome,volumeupandpowerbuttonsallatthesametimewhilebooting.WhentheSamsunglogoappears,youcanreleasethepowerbuttonbutcontinuetopresstheotherbuttons.

TroubleshootingIfyourODINinterfacedoesnotflashthegreen“Pass”intheID:COMrectangle,considersomeofthesetroubleshootingtips:

•Ifthedeviceseemstoshutdownwithoutcompletingtheprocess,theremaybeaproblemwiththeamountofpowerbeingsenttothedeviceviatheUSBcable.TrychangingUSBportsandensurethatyouareusingarearUSBport.•OnlyuseaUSBportdirectlyinthecomputer,neveraUSBhubora“front”USBport.IfyoudonotuseamainUSBport,thereisapossibilityofinterferenceandtheremaynotbesufficientvoltagefortheflashtocomplete.

•VerifythattheUSBcableyouareusingisadatacableandnotjustachargingcable.TryadifferentcombinationofUSBcableandport.•IfthereisaproblemwhenthephoneisconnectedtoODINandinDownloadmode,reinsertthebatteryfortheflash.Afteryouflashyourpackage,removethebatterytorestartthedevice.

•ODINdoesnotliketoshare,soturnoffallothersoftware.Disableorturnoffanti-virussoftware,firewallsandothersecuritysoftware.•Thereisalwaysthepossibilityofabaddownloadofyourflashpackages.Downloadyourpackageagain,whetheritisanall-in-onepackageorarecoveryorROMpackage.

Chapter11:NexusS:AnUnlockedDevice

Inthischapter:•InformationabouttheNexusS•RootingtheNexusS

TheNexusSisGoogle’ssecondflagshipvanillaAndroidsmartphone.Periodically,Googlereleasesonephoneinconjunctionwithadevicemanufacturer.Thesephonesfeature“Nexus”branding.NexusphonesarevanillaAndroidinstallations,withnointerfaceoroperatingsystemcustomizations.UnlockedorunlockablebootloadersandfreelyavailabledriverbinariesmaketheNexusphoneshighlyprizedbythehackingandhobbyistcommunities.

UnlockeddevicesareusuallylockedfromthefactorybuthavefirmwareinplacethatallowsthemtobeunlockedwithFastbootcommands.TheNexusSfollowsthispattern.UnliketheGoogleNexusOne,theNexusSallowsthebootloadertoberelockedaswell.AfterunlockingtheNexusS,itisfairlystraightforwardtousenativeFastbootflashingfunctionalitytoflashtherecoveryorfirmwareofyourchoice.

NexusphonesareunlockedbecauseGoogleseesthemasdeveloperdevices.DevelopersneedtobeabletoaccesstheAndroidoperatingsystemataverylowlevel.Whenadeveloperiscreatinganapplication,thereneedstobeacommondevicethatcanbeconsideredtobethereferencedeviceforaparticularversionofAndroid.

ConnectingtheDevicetoaPCTheNexusSmayrequiresomespecialattentiontoconnecttoyourPCsothatADBandFastbootcommandscanbeused.BesuretodownloadandinstallthecorrectdriversforyourNexusSfromthereferencethreadathttp://forum.xda-developers.com/showthread.php?t=935819.

Afterinstallingthethird-partydrivers,youshouldthoroughlytestADBandFastbootconnectivity.RefertoAppendixAforconnectivitytestsandAndroidSDKinstallationinstructions.

ResourcesRequiredforthisWalkthroughDownloadtherequiredfilestoadedicatedfolderonyourPCtomakeiteasiertoperformtheflashing:

•driversforFastbootandADBconnectivity•acustomrecovery,suchasClockworkMod

•theSuperUserbinaryandapplicationfromthereferencethreadontheXDAforum.

Walkthrough

UnlockingtheDeviceFollowthesestepstounlocktheNexusSandprepareitforflashingacustomrecovery.

1.Backupeverythingonyourdevice.UnlockingtheNexuswillcompletelyeraseallthedataonthedeviceaswellasontheSDcard.ConnectthedevicetoyourPC,mounttheSDcardasstorageandcopyallitscontentstoyourPC.Whenyouhavecompletedthere-rootingprocedure,youwillbeabletocopybackthecontentsofyourSDcard.

2.PutyourNexusSinFastbootmode:a.Startwiththedeviceoff.

b.Poweritonwhilepressingthevolumeupandpowerbuttons.ThedeviceshouldboottothewhiteFastbootscreenwiththeskatingAndroids.

3.FromacommandpromptwindowonyourPC,runthefollowingcommandtounlockyourNexusS:fastbootoemunlock

4.Yourdevicewillpromptyoutoverifythatyouwanttounlock.Rememberthatunlockingnotonlyerasesyourdevice,italsovoidsyourwarranty.5.Pressthevolumeupbuttonandthenthepowerbuttontoverifytheunlock.

Thedevicewillwipeandreboot.Whenthephonereboots,itwillbeunlockedandcanbeflashedwiththeFastbootcommand.

FlashingtheDevicewithaRecoveryNextyouwillusetheFastbootcommandtoflashthedevicewiththeClockworkModrecovery.MakesurethatyoudownloadtherecoveryappropriatefortheNexusS.ThereferencethreadontheXDAforumwillhavealinktothelatestversion.

1.PuttheNexusSinFastbootmode.2.WiththedeviceconnectedtoyourPC,enterthefollowingcommandfromthefoldertowhichyoudownloadedClockworkMod:fastbootflashrecoveryrecovery-clockwork-crespo.img

Note:Thenameoftheimagefilemayincludeaversionnumberthatwillchangewiththeversionoftherecovery.

Afterthesuccessfulflash,youcanrebootintorecoverybypoweringtheNexusonwhileholdingthevolumeupandpowerbutton.WhenthewhiteHBOOTscreencomesup,selecttherecoveryoption.

FlashingtheDevicewiththeSuperUserapplication1.UsetheClockworkModmountUSBoption(seeChapter4)tomounttheSDcardasmassstorage.

2.CopySuperUser.ziptotherootoftheSDcard.

3.Usethe“InstallZip”optiontoselecttheSuperUserapplicationandflashittoyourNexusS.

Atthispoint,yourNexusSisunlockedandrooted.However,itwillreplacetherecoveryonrebootthankstothefilesystemprotectionsystem:codeinthebootprocesswilldetectthattherecoveryhasbeenalteredandrewritethedefaultrecoverytotherecoverypartition.Tochangethisbehavior,followthesesteps:

1.Downloadarootpermissionsfileexplorer,suchastheRootFileExplorer,thatcanmountthefilesystemforreadingandwriting.2.Mountthefilesystemaswritable(inRootFileExplorer,clickthegray“Mountr/w”button).

3.Navigatetothe/etcfolder.

4.Renametherecovery-install.shfiletorecovery-install.old.

5.OpenGooglePlay,downloadRomManagerandinstallit.6.Usethe“InstallClockworkRecovery”optiontoreinstallClockworkModrecovery.

Atthispoint,ClockworkModshouldbepermanentandyouarerootedandreadytoinstallcustomROMsorothercustomizations.

Chapter12:MotorolaXoom:AnUnlockedHoneycombTablet

Inthischapter:•InformationabouttheMotorolaXoom•RootingtheMotorolaXoom

TheXoomisanunlockedtabletthatwasreleasedwiththeHoneycomb(Android3.0)operatingsystem.ItwasoneofthefirsttabletsreleasedwiththisversionofAndroid.

TheXoomisconsideredadevelopers’device.AswithitsGoogleExperienceDevicestablemates,itiseasilyunlockedusingtheFastbootcommands.RootingandflashingcustomROMsiseasy.However,theHoneycombsourcecodewasreleasedlatebyGoogle,atthesametimeasthesourceforIceCreamSandwich(Android4.0).BothHoneycombandIceCreamSandwichhavenearlyidenticaldriverrequirements,somostdevelopersdidnotseethepointinbuildingcustomROMsforaninferiorOSversion.ThismeansthattherearefewercustomROMsforitthanthereareforotherversionsofAndroidforwhichdevelopershaveaccesstothesourcecoderepositories.

ResourcesRequiredforthisWalkthroughTocarryouttheprocedure,youneedthefollowingsetup:

•TheXoomneedstobeinDebugmode.•ADBmustbeinstalledandfunctioning.

•AnexternalSDcardmustbeinstalledontheXoom.•YoumustdownloadthefollowingfilesfromtheXDAforumathttp://forum.xda-developers.com/showthread.php?p=17135571:

•therootzipfile•theimagerecoveryfile.

WalkthroughThebasicstepsofrootingtheXoomareasfollows:

1.PlacetherootzipfileontheSDcard.2.UnlocktheXoom.

3.FlashtherecoverytotheXoom.4.Usetherecoverytoflashauniversalroot.

PushingtheRootFiletotheSDCardYouneedtodownloadtheuniversalrootfilefromthelinkathttp://forum.xda-developers.com/showthread.php?p=17135571

andplaceitontheSDcard.YoumayneedtouseanadaptertoconnecttheSDcardasanexternalstoragemedium.Onceyouhavecopiedxoom-universal-root.ziptotheSDcard,youcanplacetheSDcardinyourXoom.

UnlockingtheXoomIfyouhavenotdonesopreviously,youneedtounlocktheXoombootloader.TheprocessisfairlysimplebutrequirescarefulreadingoftheXoomscreenduringtheprocess.FollowthesestepstounlocktheXoombootloader.

Unlockingyourdevicewillcompletelyerasethedataonit(includingdataontheSDcard).TheinternalmemorydesignandthewaythedeviceunlockscompletelyresetstheXoomtofactorycondition.Youwilllosealldata.

1.ConnecttheXoomtoyourPCwiththeUSBcableandverifythattheXoomisinDebugmode.2.OpenacommandpromptwindowonyourPCandenterthefollowingcommandtoboottheXoomintoFastbootmode:adbrebootbootloader

IfthisstepdoesnotworkmakesurethatADBissetupcorrectly(refertoAppendixA).YoucanalsogettheXoomintoFastbootmodebypoweringitoffandpressingthepowerandvolumeupbuttonsuntilFastbootmodeappears.

InFastbootmode,theXoomcanaccepttheFastbootcommandsthatyouwillusetoflashthecustomrecovery.Thisisthemodeyouwouldusetorecoverasoftbrickofanykind.IfyoucangetthedevicetoboottoFastbootmode,youcangenerallyflashsomesortofusableROMorrecoveryandgetyourselfoutofsoftbricksandbootloops.TheXoomisfairlybulletproofinthisregard.

WiththeXoominFastbootmode,youcanunlockthebootloaderbyfollowingthesesteps:

1.Inacommandpromptwindow,enterthefollowingcommand:fastbootoemunlock

2.ReadtheXoomscreencarefully.Thereisawarningthatyouarevoidingyourwarrantyandthatyouwilllosealldata.Paycloseattentiontothestepsnecessarytoverifytheunlock.Youwillusethevolumeupanddownbuttonstoverifyorbackoutoftheprocess.

Afterunlocking,theXoomwillrebootandfunctionasusual.Thereisnodifferenceinthedeviceatthispointexceptthatthebootloaderisunlocked.

FlashingtheDevicewithaRecoveryThenextstepistoflashthecustomversionoftheClockworkModrecovery.ThiscustomversiontakesintoaccounttheXoom’speculiaruseofinternalmemoryasanSDcard.Inessence,itcompletelyskipstheneedforanSDcard.Youshouldhavedownloadedafilenamedsolarnz-<versionnumber>.img.

YoucannotflashazipfilefromFastbootmode—youcanonlyflashimagefiles.YouusezipfileswithClockworkModorsomeothercustomrecovery.

1.PuttheXoombackintoFastbootmode:adbrebootbootloader.

2.Enterthefollowingcommand:fastbootflashrecoverysolarnz-######.###.img

Itisimportantthatthefilenameyouenterisexactlythenameofthefileyoudownloaded.Itisalsoextremelyimportantthatyouusethe“recovery”keywordwiththeFastbootflashcommandtoensurethatyouflashthecorrectpartition.

TheXoomwillreportthatitisflashingthefileandthenindicatewhentheprocessiscomplete.Atthispoint,yourXoomhastheClockworkModrecoveryinstalledandcanbebootedintotherecoveryforcustomizations,suchasflashingcustomkernels,themes,orstartupanimationsandfullcustomROMs.

DonotrebootyourXoomuntilyouhaveflasheditwithauniversalrootoryouwillhavetoreflashtheClockworkModfiletotherecoverypartition.Ifyoudonotdothis,systemrecovery-from-boot.pwillrevertyourrecoverypartitiontothedefaultrecoveryuponyournextreboot.

FlashingtheDevicewithaUniversalRootToachieverootedfullaccesstotheexistingfilesystem,youneedtoflashtheuniversalrootpackagethatyoudownloaded.Thispackagecontainsthefilesfortherootedfilesystemandthesuperuserbinariesforaccessingsystem-

levelpermissionsandfiles.

Thisstagehasabitoftrickytiming.Ifyoumissthetiming,youwillneedtoreflashtheClockworkModrecovery.Therecoverysystemhasabuilt-inauto-restorefeature.TheoverviewisthatyouusetheFastbootcommandtoreboottheXoom;whenyouseetheMotorolalogo,youpressvolumedownandthenvolumeuptobumpthesystemintothenewrecovery.

Followthesestepstoflashtheuniversalrootfile:

1.Ifyouhavenotyetdoneso,copytheuniversalrootzipfiletotherootofyourSDcard(nottoafolder)andinsertthecardintotheXoom.

YourXoomshouldshowthesuccessfulmessagefromflashingtheClockworkModrecoveryfile.

2.EnterthefollowingcommandintothecommandpromptwindowtoreboottheXoom:adbreboot

3.WhenyouseetheMotorolalogo,counttothreeandpressthevolumedownbutton.Youshouldsee“AndroidRecovery”appearonthescreen.4.PressthevolumeupbuttontobootintothenewlyinstalledClockworkModrecovery.

Ifyoumisstheopportunitytobootintotherecovery,youmayhavetogobackandreflashtheClockworkModrecoverytotherecoverypartitionbecausesystemrecovery-from-boot.pwillreverttothedefaultrecovery.

5.Usethevolumebuttonstoselectthe“InstallZipfromsdcard”optionandpressthepowerbutton.6.Selectthe“ChooseZip”option.

7.NavigatewiththevolumeupanddownbuttonstotheuniversalrootzipfileyouplacedontheSDcardandselectitwiththepowerbutton.8.Confirmtheinstallation.Whentheinstallationhasfinished,navigatebacktothemainClockworkModmenuandreboottheXoom.

YourXoomisnowunlockedandrooted.Youcanusethevolumeupkeyor

thecommandadbrebootrecoverytobootintorecoveryandboottheROMsandcustomizationsyouwant.CheckouttheXDAXoomforumforthelatestandgreatestfromthehard-workingdevelopersofROMs,kernels,andcustomizations.

RefertoChapter4forspecificinstructionsonusingClockworkModrecovery.

Chapter13:NookColor:RootingwithaBootableSDCard

Inthischapter:•InformationabouttheNookColor•RootingtheNookColor

TheNookColor,releasedbyBarnesandNoble,wasoriginallyintendedtobeaneReaderbasedonAndroid.InthehandsofAndroidhackers,itquicklybecameoneofthebest-valuetabletsthatcouldbepurchased.OncerootedandwithacustomROM,itwastransformedintoausableandfullyfunctionalAndroidtablet.

Becauseofthenatureofthedevicestartuproutine(itdoesnotsupporttheFastbootprotocol),aslightlydifferentmethodisneededtorootandROMtheNookColorcomparedtootherAndroidtablets.YouuseanSDcardthathasbeenmadebootablebyflashinganimagefiletoit.WhentheSDcardisinsertedintotheNookColor,ittakesprecedenceovertheNookColornativebootroutineandthefilesontheSDcardarebooted.Thisallowsyoutodofunstuff,suchaswritinganativecustomrecoverytotheEMMCmemoryandrootthedevice.

ThismethodcanalsobeusedforotherminorbrandorunbrandedvarietiesofAndroidtablets(usuallytheyhavenoGooglelicenseorGooglePlaysupport).Thedetailschangebutthecoreskillsarethesame.Besuretoreaduponyourdevicebeforestartingthisoranyrootingprocess.

ResourcesRequiredforthisWalkthroughTocarryouttheprocedure,youneedthefollowingsetup:

•aregisteredNookColor,version1.1•anSDcardthatyoucancompletelywipe

•adedicatedSDcardwriter(mostbuilt-inSDcardwriterswillnotwork—getonethatplugsintoyourUSBport)•aGmailaccountthatyouhavelinkedtoYouTube

•theAuto-Nooterimagefilefromhttp://forum.xda-developers.com/showthread.php?t=942424

•theWin32DiskImageimagewriterfromhttps://launchpad.net/win32-image-writer/+download.

TheAuto-NooterisaconvenientlittlepieceofsoftwarethatwasbuiltbydevelopersatNookdevs.com.TheAuto-NooterdoesmostofthehardworkwhentheNookColorbootsfromit.AfteryouhavebootedtheNookColorfromtheAuto-NooterSDcard,theSDcardcanbereformattedandremovedorusedasaddedstorage.

WalkthroughThehigh-levelstepsoftheprocessare:

1.Burn(write)thecustombootableimagetotheSDcardusingyourPC.2.BoottheNookColordeviceusingtheSDcard.

3.Allowtheauto-rootroutinetocomplete.

ThiswalkthroughisfortheNookColorversion1.1.Ifyouhaveadifferentversion,readupattheXDAforumtofindthedifferences.Theprimarydifferencesareinthefilesused—thestepsarevirtuallythesame.

CreatingaBootableSDCardRememberthatthisprocesscanalsobeusedforotherversionsoftheNookColorandminorbrandorunbrandedAndroidtablets.

1.RuntheWin32DiskImagewriterprogramthatyoudownloaded.2.ClickthefolderbuttontonavigatetotheAuto-Nooterimagefile.

3.Double-clicktheimagefile.4.Clickonthedrop-downwithdriveletters.SelectthedriveletterthatcorrespondstoyourSDcard.

Youcandouble-checkthedriveletterofyourSDcardbyopeningWindowsExplorerandlookingfortheSDcarddriveletterthere.

Makesurethatyouselectthecorrectdriveletter.Youdon’twanttooverwriteadatapartitionoranotherexternalstoragedevice.Thisprocessirrevocablydeletesallcontentontheselecteddrive.

5.Clickthe“Write”buttonandlettheimagebewrittentotheSDcard.6.Whenthewritingprocessiscomplete,verifythecontentsoftheSDcardbyusingWindowsExplorertoopenit.Youshouldseethefollowingitems:MLO

u-boot.bin

uImage

uRamdisk

BootingtheDevicefromtheSDCardThesestepsguideyouthroughbootingtheAuto-NooterontheNookColorandwrappinguptherootandbootprocess.

1.TurnoffyourNookColorcompletely.2.PlacetheSDcardtowhichyouhavejustwrittentheAuto-NooterintotheNookColor.3.PlugtheUSBcablefromyourcomputerintotheNookColor.ThiswillcausetheNookColortoturnonandbootfromtheSDcard.

ThescreenwillbeoffduringtheAuto-Nooterbooting.Youwillnotseeanythingonthescreen.Bepatient.IfyouareusingtheNookColorcable,the

LEDwillblinkbutthisisirrelevanttotheprocess.

4.Yourcomputerwillindicatethatanewdevicehasbeenpluggedin.CancelanyrequestfordriversfromyourPC.

Whentheprocessisdone,youwillseeanewbootanimation.PulltheSDcardoutoftheNookColortoensureitdoesnotbootfromtheSDcardagain.

MakingtheDeviceMoreUsableAtthispoint,thehardworkhasbeendone—yourNookColorisrooted.However,tomakeitmoreusableyouneedtoenable:

•Googleaccountintegration,soyouhaveGooglePlayaccess•Softkeys,soyouhaveaccesstotheAndroidBack,Home,MenuandSearchkeys.

TheprocessofsettingupandenablingGoogleaccountintegrationusesaclever“backdoor”.Itusesthesign-inintegrationbetweenYouTubeandGoogle.

1.Onboot,taptheAndroid.

2.Tapthe“SkipSignin”button.3.Enablethelocationservicesoption.

4.ConnecttoaknowngoodWi-Ficonnection.5.LaunchtheYouTubeapplicationfromthe“Extras”menubutton.6.TaptheMenubuttontotherightoftheuparrow.

7.Tap“MyChannel”andloginwithyourGoogleaccount.8.ExitYouTubeandlaunchGmailfromthesame“Extras”menu.

9.SynchronizeyourGmailaccountandexit.Thiscouldtakeafewminutes,sobepatient.10.OpenupGooglePlayandacceptthetermsofservice.11.Downloadanapplicationtoverifythatitworks.

Ifthedownloadstallswithoutinstallingtheapplication,reboottheNookandtryagain.

YouneedtosettheSoftkeyssothatyouhaveaccesstotheHome,Back,MenuandSearchkeysnativetoAndroid.

YouneedtosettheSoftkeysprogramasyourdefaultlauncher,tocauseittoloadautomatically.SelecttheSoftkeysapplicationfromyourapplications

drawerandselectthecheckboxthatsetsthesoftkeyactionstoberememberedasthedefaults.Next,settheHomesoftkeytocallyourreallauncherprogrambypressingtheMenubuttonandselectingyourlauncherapplications.

AppendixA:SettingUpAndroidSDKandADBTools

Inthisappendix:•InstallingtheJavaDevelopmentKit•InstallingtheAndroidSDK•Installingtheplatformtools

•SettingupenvironmentvariablesforWindowscomputers

ThisappendixhelpsyoutosetuptheAndroiddevelopertoolsyouusetorootandhackyourphone.

InstallingtheJavaDevelopmentKitThefirststeptogettingaccesstotheAndroiddevelopertoolsistodownloadtheJavaDevelopmentKit(JDK).AlthoughyoudonotusethetoolsprovidedbytheJDK,itmustbeinstalledforyoutobeabletoinstalltheAndroidSDK.

1.Navigateyourbrowsertowww.oracle.com/technetwork/java/javase/downloads/(seeFigureA-1).AnycurrentversionwillworkwithAndroidSDK.

FigureA-1:DownloadingtheJDK

2.ClicktheJavaPlatform(JDK)button.3.Clicktoacceptthelicensingagreementsandthenselectthecorrectinstallerforyourcomputer.MostWindowsuserswillclickonWindowsx86.Ifyouhave64-bitWindows,clickthex64link.

4.Downloadtheinstallertoalocationyoucaneasilyfindonyour

computer.5.Runtheinstallerexecutable.

6.ClickthroughtheJDKinstallationwizardacceptingallthedefaults.

InstallingtheAndroidSDKNowyoucandownloadandruntheinstallerfortheAndroidSDK.

1.Navigateyourbrowsertohttp://developer.android.com/sdk/.

2.Downloadtheappropriatepackageforyouroperatingsystem(Windowsusersshoulddownloadtheinstallerexecutable).

3.Runthedownloadedpackage.4.Clickthroughtheinstaller.

TakespecialnoteofwheretheAndroidSDKisinstalled.Youcanchangethepathbutitisbettertoacceptthedefaultpath.For64-bitsystems,thedefaultpathshouldbesomethinglikeC:\ProgramFiles(x86)\android\android-sdk-windows\.For32-bitsystems,theonlydifferencewillbetheabsenceof“(x86)”fromthepath.

Whenthewizardcompletes,itwillhaveacheckmarktostarttheSDKmanager.YouusetheSDKmanagertodownloadtherequiredplatformtools(i.e.ADBandothers).YoucanalsolaunchtheSDKmanagerfromtheoperatingsystem,asshowninFigureA-2.

FigureA-2:StartingtheSDKmanagermanuallyinWindows

InstallingthePlatformToolsWhentheSDKManagerstarts,itfindsoutfromGooglewhatpackagesareavailablefordownloadandthenpresentsyouwithaninterfacetoselectthepackagesyouwishtoinstall.

1.ClickontheAndroidPlatformToolsentryintheleft-mostcolumn.2.ClicktheAcceptradiobuttonbelowthedescriptionintheright-mostcolumn.

3.AccepttheGoogleUSBDriverPackagebyclickingtheOKbutton.4.Optionally,rejecttheotherpackages.Thissavessomedownloadtime.

5.ClicktheInstallbuttonatthebottomoftheSDKManager.TheselectedSDKpackageswilldownloadandinstall.Whenthedownloadandinstallationprocessiscomplete,youcanclosethearchivedownloaderandtheSDKManager.

Atthispoint,theSDKplatformtools(suchasADB,DDMSandothers)shouldbeinstalledonyourcomputer.Toverifythis,followthesesteps:

1.Openacommandpromptwindow.(OnWindows,presstheWindowskey+R.Arunboxwillpopup.TypecmdandpressEnter.)

2.Inthecommandpromptwindow,youshouldseeapathsuchasC:\Users\<username>followedbyaflashingcursor.Thecursorindicateswhereyourtypedtextwillshowup.Thepathisthefoldercontextinwhichyouareissuingcommands.Inotherwords,everycommandtypedatthispromptwillattempttorunandaffectthefolderatC:\Users\<username>.

3.Clickinthecommandpromptwindow,typecd\,andpressEnter.

TheDOScommandcdstandsfor“changedirectory”.Thebackslashisshorthandfor“therootofthisdisk”.Sothecommandcd\means“changethefoldertotheroot(orhighestlevel)inthisdisk.”Youcanaccessanylocationfromanyfolderusingthetargetfolder’sfullpath.ItisimportanttolearntheseconceptsbecausetheyaresharedwiththeAndroidoperatingsystemcommandprompt.Youwillusethesecommandsfrequently.

4.Typecd“\ProgramFiles(x86)\Android\android-sdk-windows\”andpressEnter.ThisisthepathyounotedwhentheSDKManagerwasinstallingtheSDK.Makesureyouincludethequotationmarks.Wheneverthereisaspaceinyourcommand,youneedtoencloseitinquotationmarks.Ifyouareusinga32-bitoperatingsystem,youwillnothavethe(x86)partofthepath.

5.Nowthatyouareinthecontextoftheandroid-sdk-windowsfolder,youcantesttoseeifthefilesandfoldersforthedevelopertoolsarefunctioning.TypedirandpressEnter.Thelistingoffoldersandfilesshouldincludeafoldercalledplatform-tools.ThisisthefolderinwhichtheADB.execommandlives.

ThedircommandgivesalistingofthefilesandfoldersinthecurrentfoldercontextintheWindowscommandwindow.AttheAndroidcommandline(andinLinux),youusethelscommand.

6.Typecdplatform-toolsandpressEntertochangeyourcontexttotheplatform-toolsfolder.

7.TypeadbandpressEnter.YoushouldseetheADBcommandhelpscreenscrollpast(seeFigureA-3).

FigureA-3:TheADBhelpscreen,whichappearswhenyourunADBwithno

switchesorparameters

SettingUpWindowsEnvironmentVariablesNowthatyouknowthatADBisinstalled,youneedtoplaceaPATHentryinyoursystemvariables.ThiswillenableyoutousetheADBcommandregardlessofthecurrentfoldercontextofyourcommandprompt.Forexample,youwanttobeabletorunthefollowingcommandfromthefoldertowhichyouhavedownloadedacustomTCP/IPmoduleforyourAndroiddevice:

adbpushtcpip.ko\system\etc

Ifyoudonotdothis,youwillalwaysneedtobeinthec:\ProgramFiles(x86)\Android\android-sdk-windows\platform-tools\foldertorunADB.

TomaketheADBcommanduniversallyaccessible(inWindowsVistaandWindows7),followthesesteps:

1.ClicktheWindowsStartbutton.2.Right-clickComputerandselectProperties.

3.ClickAdvancedSystemSettingsintheleftcolumntoopentheSystemPropertiesdialogbox.4.ClicktheEnvironmentVariablesbutton.

5.IntheSystemVariablesbox,scrolldownuntilyouseeanentrylabeledPATH.6.Double-clickthePATHentrytoopentheEditvariablewindow.7.ClickintheVariableValuefieldandplaceyourcursorattheveryendofthestringoftext.

8.Typeasemi-colon(;).9.TypeinthefullpathtoyourADBcommandfolder:C:\ProgramFiles(x86)\Android\android-sdk-windows\platform-tools.

10.ClickonOKtocloseeachoftheopendialogboxesandclosetheSystemPropertiesbox.

YoushouldnowbeabletoaccessADBfromacommandlineprompt,nomatterwhichfoldercontextyourcommandlineisin.Thiscanbeveryusefulifyouareintheprocessoftransferringexploitfilesfromthefolderintowhichyoudownloadedorextractedthem.