
2011-11-06

On Rooting Android

When I got my iPod Touch, I immediately started looking for methods to root it, but never felt the need on my Android Nexus S, as I was already able to do pretty much anything including free-of-charge tethering (thank you T-Mobile).

The newest Android version (v4 or Ice Cream Sandwich, a.k.a. ICS) was announced a few weeks back, and the smart folks at the xda forums have already managed to port the SDK version for my phone. Of course, the phone needs to be rooted to flash the new ROM.

Although you probably have much of your data, like your contacts, backed up to Google's cloud, there is no way to keep 'all' your data backed up at this point, and rooting wipes your device.

A couple of funny things happened when I looked at rooting instructions. All of them tell you to make a full backup of your system, but you will be lucky to find any instructions on what exactly to back up and how. Most of the tools mentioned require you to be rooted to begin with. It may be possible to use Astro File Manager or 'adb pull' commands from the Android SDK, but what you can do 'before' you root is limited. In fact, this is one of the reasons people root their phones: they would like to keep their 'data' when they buy a new phone (e.g. high scores in a game, or playlists in a music app...).

At this point, applications may write their data anywhere, as there is no 'designated' location to keep app data, and therefore there is no easy way to back that data up even if it were possible for a user to access the /data folder, which is 'usually' where apps write. There is a feature request on this but, as of now, no solution.

Anyway, the other funny bit is about an SDK tool named 'fastboot'. There is plenty of material on the web telling you how to use it; the problem is that the latest SDKs do not ship this tool. If you head over to the Android SDK download page, you will notice that there is only a link to android-sdk_r15-windows.zip (i.e. revision 15). The last revision that had 'fastboot' was r13, and there is no link to it.

If you are a developer, you probably know how to get older versions of the SDK using the SDK Manager, but mere mortals need not despair either! Here is what you can do:

Hover over the r15 link and you will notice that it points to http://dl.google.com/android/android-sdk_r15-windows.zip. So, to download r13, simply replace 'r15' with 'r13' in the link and you should be able to download the r13 version. Once downloaded, extract fastboot.exe from the 'tools' folder. In the current revision, Google has moved adb.exe from the 'tools' folder to the 'platform-tools' folder; you might want to put fastboot.exe there too.

One more thing: you need to install USB drivers on your machine. When you download the SDK, you will be able to get the Google USB drivers for your device. The catch is that they won't work when you are in 'fastboot' mode (at least for the Nexus S) if your Windows is 64-bit. You will then need to install the PDANet drivers so that your Nexus S is detected. You can find those links here. Good luck!

Btw, what do you get out of all this hassle? Here is a pretty good video from NexusHacks.

Update: 2011-11-06 - Root-ed

I finally found an easy-to-use hack to root my Nexus S without destroying/wiping any data (i.e. without unlocking the bootloader). I would like to emphasize this again, because I have read tons of so-called 'guides' which seem to use 'rooting' and 'bootloader unlocking' interchangeably.

If you are like me, you may want to understand why you need to do the things mentioned in the 'guides' instead of blindly following them. There is a lot of mumbo-jumbo that confuses the hell out of a regular user like myself. So, I had to look deeper into the whole Android boot process and architecture to make sense of it. Hope this helps others as well.

Root - Super User
As in any other Unix/Linux variant, your purpose is to become the most powerful user, with no restrictions, on your Android: i.e. you want to become 'root' or 'super user'. That way you can install any application or even a totally new Android system (e.g. CyanogenMod). It's your device; you do whatever you like with it.

Well, you wish! Android will not just allow a regular user to become root. From a security perspective, you really would not want that anyway. Imagine any software messing with your device? Yep, that would be malware.

But you own the device and "you" want to become root! Well, you have two options:

1) You will need to find an exploit, as malware does: a hack that elevates your privileges to root. This is exactly what the 'zergRush Exploit' mentioned below does.

2) If there is no known hack, the other option is to go through the steps in those rooting guides. Most of them will tell you that you need to "unlock your boot loader".

Why unlock your boot loader?
Well, you are trying to become root in the Android operating system, but it does not allow you, and the boot loader is the software that comes "before" the (Android) operating system. In other words, it's the initialization code that loads the (Android) OS, and if you can mess with it, you can hack into that Android OS or replace it altogether, perhaps with a modified version.

The bootloader has two stages. The first stage (also referred to as 'IPL' or "Initial Program Load") provides support for loading recovery images into the flash memory of the device.

If the boot loader detects a certain key press (on the Nexus S this would be Power button + Volume up), it goes into a special mode called 'fastboot mode', where you can use the 'recovery' option to flash a new (or old) image. From this point on you are in the second phase of the boot process. You may see acronyms like 'SPL', which means 'Secondary Program Loader' and refers to this second phase.

This is also why you usually see instructions for manually installing OTA (Over The Air) update files that tell you to drop the update.zip file in the root of the sdcard, then turn your device on while pressing the 'special keys' for your phone and choose the 'recovery' option. Upgrading your firmware is basically flashing a new (firmware) image.

However, we have a problem there. Usually the boot loader is "locked", so that it will load only recovery images signed by a certain authority. This might be Google or your wireless carrier.

So, if we can unlock the boot loader, then we can use a 'custom recovery image' like ClockworkMod Recovery, which allows us to install 'custom firmware' like CyanogenMod (a.k.a. a CyanogenMod ROM). As these ROMs may include not only the Android OS but the IPL/SPL as well, there is a risk of making your phone unusable, commonly referred to as 'bricking' the phone, if there is a bug in the IPL/SPL code.

Phones like my Nexus S are pure Android devices. The wireless carrier does not install any customized software on them, it does not cripple any of their abilities, and Google allows us to 'unlock' the bootloader by running a simple command:

"fastboot oem unlock"

I explained above how to get fastboot.exe. So you get that and the other prerequisites and then issue the command to unlock your boot loader, which apparently voids your warranty and "WIPES YOUR DEVICE", including your SD card.

In my case, I did not want that to happen without taking a full back up of the system, which was not really possible because I did not have root access. A bit of a chicken and egg problem...

Solution: Exploit to become Root
This method depends on DooMLoRD's Easy Rooting Toolkit v1.0, which uses what's called the "zergRush Exploit".

The whole process took me less than a minute:


---------------------------------------------------------------

              Easy rooting toolkit (v1.0)

                   created by DooMLoRD

        using exploit zergRush (Revolutionary Team)

   Credits go to all those involved in making this possible!

---------------------------------------------------------------

 [*] This script will:

     (1) root ur device using zergRush exploit
     (2) install Busybox (1.18.4)
     (3) install SU files (3.0.5)

 [*] Before u begin:

     (1) make sure u have installed adb drivers for ur device
     (2) enable "USB DEBUGGING"
           from (Menu\Settings\Applications\Development)
     (3) enable "UNKNOWN SOURCES"
           from (Menu\Settings\Applications)
     (4) [OPTIONAL] increase screen timeout to 10 minutes
     (5) connect USB cable to PHONE and then connect to PC
     (6) skip "PC Companion Software" prompt on device

---------------------------------------------------------------

 CONFIRM ALL THE ABOVE THEN

Press any key to continue . . .
--- STARTING ----
--- WAITING FOR DEVICE
adb server is out of date.  killing...
* daemon started successfully *
--- cleaning
--- pushing zergRush"
3215 KB/s (23052 bytes in 0.007s)
--- correcting permissions
--- executing zergRush

[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.

[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

[+] Found a GingerBread ! 0x00015118
[*] Scooting ...
[*] Sending 149 zerglings ...
[+] Zerglings found a way to enter ! 0x10
[+] Overseer found a path ! 0x000151e0
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x40119cd4 0x0054
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd255dd 0xafd3908f
[*] Popping 24 more zerglings
[*] Sending 173 zerglings ...

[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!
--- WAITING FOR DEVICE TO RECONNECT
if it gets stuck over here for a long time then try:
   disconnect usb cable and reconnect it
   toggle "USB DEBUGGING" (first disable it then enable it)
--- DEVICE FOUND
--- pushing busybox
4149 KB/s (1075144 bytes in 0.253s)
--- correcting permissions
--- remounting /system
--- copying busybox to /system/xbin/
2099+1 records in
2099+1 records out
1075144 bytes transferred in 0.097 secs (11083958 bytes/sec)
--- correcting ownership
--- correcting permissions
--- installing busybox
--- pushing SU binary
1276 KB/s (22228 bytes in 0.017s)
--- correcting ownership
--- correcting permissions
--- correcting symlinks
--- pushing Superuser app
4739 KB/s (762010 bytes in 0.157s)
--- cleaning
--- rebooting
ALL DONE!!!
Press any key to continue . . .
At the end of this, you get SuperUser v3.0.5(39) installed on your Nexus S. This exploit seems to work with many other Android phones; there is a growing list in the forum linked above. It's also easy to go back if you want to unroot.

I launched SuperUser, clicked "Preferences" and tapped "Su binary v3.0" to update it to the latest version (3.0.3 as of now). I also set "Automatic Response" to "Allow". To test:


PS Z:\adil\scripts\powershell> adb shell
$ su
su
# whoami
whoami
whoami: unknown uid 0

This means I have root access on my Nexus S and my bootloader is still locked! (whoami prints "unknown uid 0" only because Android ships no /etc/passwd entry to map uid 0 to a name; uid 0 is root.) What's next?

* Install backup software: Now that I have 'root' access, I can install all the 'backup software' mentioned on those rooting sites. I installed 'Titanium Backup', took a full backup of the system to my sdcard, and then mounted the phone via USB to back up everything on my sdcard to my hard drive.

* Install ROM Manager: This is to be able to 'flash custom ROMs' (i.e. install customized Android versions). I installed 'ROM Manager' but have not done anything else yet.

One last thing tonight... Once I became root, I was able to get more information about my system and manually create backup images, as shown below:

$ adb shell
$ su
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00200000 00040000 "bootloader"
mtd1: 00140000 00040000 "misc"
mtd2: 00800000 00040000 "boot"
mtd3: 00800000 00040000 "recovery"
mtd4: 1d580000 00040000 "cache"
mtd5: 00d80000 00040000 "radio"
mtd6: 006c0000 00040000 "efs"

# cat /dev/mtd/mtd2 > /sdcard/mtd2.img ## Boot image
# cat /dev/mtd/mtd3 > /sdcard/mtd3.img ## Recovery image
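Here is an added example, not from the original post, that turns the manual /proc/mtd dump above into a script: it looks up the device node and size of a named partition from the /proc/mtd table, dumps it with dd in erase-block-sized reads, and refuses to report success unless the image is exactly the partition size. It assumes a root shell on the device (adb shell + su) with busybox awk, dd, wc and md5sum; the function names and the sample table are mine.

```shell
#!/bin/sh
# Added example (not from the original post): back up a named MTD partition on a
# rooted device the way the post does by hand, but driven by /proc/mtd so the
# device node and the expected size come from the table instead of being typed in.
# Assumes a root shell (adb shell + su) with busybox awk, dd, wc and md5sum.

# Sample /proc/mtd table, constructed from the Nexus S listing in the post, so the
# parsing functions can be exercised off-device.
SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 00200000 00040000 "bootloader"
mtd1: 00140000 00040000 "misc"
mtd2: 00800000 00040000 "boot"
mtd3: 00800000 00040000 "recovery"
mtd4: 1d580000 00040000 "cache"
mtd5: 00d80000 00040000 "radio"
mtd6: 006c0000 00040000 "efs"'

# mtd_field TABLE NAME COLUMN -> column of the row whose quoted name is NAME
# (1=dev, 2=size, 3=erasesize); prints nothing if there is no such partition.
mtd_field() {
    printf '%s\n' "$1" | awk -v want="$2" -v col="$3" '
        { n = $4; gsub(/"/, "", n) }
        n == want { v = $col; sub(/:$/, "", v); print v }'
}

# hex_to_bytes HEX -> decimal byte count (/proc/mtd sizes are hex without 0x)
hex_to_bytes() { printf '%d\n' "$((0x$1))"; }

# mtd_device TABLE NAME -> /dev/mtd/mtdN for the named partition
mtd_device() {
    d=$(mtd_field "$1" "$2" 1) && [ -n "$d" ] && printf '/dev/mtd/%s\n' "$d"
}

# mtd_size_bytes TABLE NAME -> partition size in bytes
mtd_size_bytes() {
    s=$(mtd_field "$1" "$2" 2) && [ -n "$s" ] && hex_to_bytes "$s"
}

# mtd_backup NAME DEST: dump the partition with dd in erase-block-sized reads and
# refuse to report success unless the image is exactly the partition size; a
# checksum file is written next to it so the copy can be verified on the PC.
mtd_backup() {
    table=$(cat /proc/mtd) || return 1
    dev=$(mtd_device "$table" "$1") || { echo "no partition named $1" >&2; return 1; }
    want=$(mtd_size_bytes "$table" "$1")
    erase=$(hex_to_bytes "$(mtd_field "$table" "$1" 3)")
    dd if="$dev" of="$2" bs="$erase" 2>/dev/null || return 1
    got=$(wc -c < "$2" | tr -d ' ')
    [ "$got" -eq "$want" ] || { echo "short dump: $got of $want bytes" >&2; return 1; }
    md5sum "$2" > "$2.md5"
}

# On the device: mtd_backup boot /sdcard/boot.img; mtd_backup recovery /sdcard/recovery.img
```

The size check is worth having: the boot partition above is 0x00800000 bytes, which is the "8.0 m" boot.img that ClockworkMod later produces, so a shorter dump means the copy is not usable for restore.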


Then I connected the phone to my PC using 'USB mass storage' mode and backed up these two images to my hard drive:

robocopy /mir l:\ z:\adil\Backup\Android\sdcard\

where l: refers to the sdcard drive, z: is where on the hard drive I backed it up to, and /mir makes a mirror copy of everything on the sdcard (be careful with this option: if you use it incorrectly by specifying the wrong target, you may wipe out the target).

I am, however, not sure whether these will be enough to get things back. See the update below for proper backup/restore procedures.

Update: 2011-11-07 - More on Backup and ROM Management

Revenge of Stock ROM
The stock ROM is the original Android image. Below, you will find how it tries to keep its integrity.

Today I wanted to use the "ROM Manager" app to take a backup. To my surprise, "ROM Manager" > "Backup Current ROM" got me a black screen with a yellow exclamation mark and an Android icon underneath. Apparently, "ClockworkMod Recovery" (CWM) had been overridden by the stock ROM after the reboot: the boot loader had detected that it was tampered with and had restored the previous version.

Reinstalling ClockworkMod Recovery
This is pretty straightforward, as I still have root access on my Nexus S.
  • Launch "ROM Manager"
  • Tap "Flash ClockworkMod Recovery"
  • Select "Google Nexus S"
Making ClockworkMod Recovery Stick
Once done, you get a message that says "Successfully flashed ClockworkMod Recovery". This fix is temporary, though. One suggested solution is to rename the file that's causing this, as follows:

$ adb shell   ## Use adb Android SDK tool to open a shell (see above)
$ su          ## Become root
# mv /system/etc/install-recovery.sh /system/etc/donot_install-recovery.sh  ## rename the file

failed on '/system/etc/install-recovery.sh' - Read-only file system

Unfortunately, you get an error back. The reason is that the /system partition is mounted read-only (ro), and before you can change any files under it you need to remount it read-write (rw).

First, we have to find out where /system is mounted from:

# mount |grep system

/dev/block/platform/s3c-sdhci.0/by-name/system /system ext4 ro,relatime,barrier=1,data=ordered 0 0

What does this mean:
  • The first field is the device (under /dev/block/...) that holds the data shown under /system
  • The second field is the mount point (/system)
  • The third field is the filesystem type. This used to be yaffs2, but now we see it is 'ext4'
  • The options field (ro,relatime,...) is what matters for us: the 'ro' parameter tells us the mount is read-only
For further reading on Android partitions, take a look at this post.

With this knowledge, we use the mount command to remount /system at the same location, this time with the 'rw' option, so that its contents can be modified:

# mount -o remount,rw -t ext4 /dev/block/platform/s3c-sdhci.0/by-name/system /system

Now we can go ahead and make the change.


# mv /system/etc/install-recovery.sh /system/etc/donot_install-recovery.sh
# ls -l /system/etc

-rw-r--r-- root     root        58357 2011-09-30 09:06 NOTICE.html.gz
-rw-r--r-- root     root       236823 2011-09-30 09:06 apns-conf.xml
drwxr-xr-x root     root              2010-11-24 16:42 bluetooth
-rw-r--r-- root     root          682 2010-11-24 16:42 contributors.css
-r--r----- bluetooth bluetooth      935 2010-11-24 16:42 dbus.conf
drwxr-xr-x root     root              2010-11-24 16:42 dhcpcd
-rw-r--r-- root     root        11865 2011-04-29 12:18 event-log-tags
-rw-r--r-- root     root          238 2010-11-24 16:42 gps.conf
-rw-r--r-- root     root           25 2010-11-24 16:42 hosts
-r-xr-x--- root     shell        1200 2010-11-24 16:42 init.goldfish.sh
-rw-r--r-- root     root         7696 2010-11-24 16:42 media_profiles.xml
drwxr-xr-x root     root              2011-09-30 09:06 permissions
drwxr-xr-x root     root              2010-11-24 16:42 ppp
-rw-r--r-- root     root          104 2010-11-24 16:42 secomxregistry
drwxr-xr-x root     root              2011-09-30 09:06 security
drwxr-xr-x root     root              2011-04-29 12:18 updatecmds
-rw-r--r-- root     root          531 2010-11-24 16:42 vold.fstab
drwxr-xr-x root     root              2010-11-24 16:42 wifi
-r-xr--r-- root     root          415 2008-08-01 08:00 donot_install-recovery.sh


Then we go back to ROM Manager and flash ClockworkMod Recovery one last time; it should now stick around between reboots.
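An added example (mine, not from the post or from ROM Manager) that scripts the remount-and-rename step above: it reads the device node and filesystem type for /system out of the mount table instead of hard-coding them, remounts only when the options really say ro, and puts /system back to read-only afterwards, which the manual steps above leave out. It assumes a root shell on the device with busybox awk, tr and grep; SAMPLE_MOUNT's first line is the one quoted above and its second line is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or ROM Manager): script the
# remount-and-rename step, reading the device node and filesystem type for
# /system from the mount table instead of hard-coding them, remounting only
# when the options really say ro, and putting /system back to read-only after
# the rename. Assumes a root shell (adb shell + su) with busybox awk, tr, grep.

# Sample `mount` output: the /system line is the one quoted in the post, the
# /data line is constructed to give the parser a read-write entry to contrast.
SAMPLE_MOUNT='/dev/block/platform/s3c-sdhci.0/by-name/system /system ext4 ro,relatime,barrier=1,data=ordered 0 0
/dev/block/platform/s3c-sdhci.0/by-name/userdata /data ext4 rw,nosuid,nodev,noatime 0 0'

# mount_field MOUNTS MOUNTPOINT COLUMN -> column of the entry mounted at
# MOUNTPOINT (1=device, 3=fstype, 4=options); empty if nothing is mounted there.
mount_field() {
    printf '%s\n' "$1" | awk -v mp="$2" -v col="$3" '$2 == mp { print $col }'
}

# mount_is_ro MOUNTS MOUNTPOINT -> success when the option list contains "ro"
# as a whole word (so it is not confused with e.g. "errors=remount-ro").
mount_is_ro() {
    mount_field "$1" "$2" 4 | tr ',' '\n' | grep -qx ro
}

# remount_cmd MOUNTS MOUNTPOINT MODE -> the mount invocation from the post with
# device and fstype filled in; MODE is rw or ro. Fails if nothing is mounted there.
remount_cmd() {
    dev=$(mount_field "$1" "$2" 1); fs=$(mount_field "$1" "$2" 3)
    [ -n "$dev" ] || return 1
    printf 'mount -o remount,%s -t %s %s %s\n' "$3" "$fs" "$dev" "$2"
}

# disable_install_recovery: rename the stock script that re-flashes the stock
# recovery at boot (the file named in the post), leaving /system read-only again.
# The generated mount command is run by plain word splitting; its words come
# from the device's own mount table and contain no spaces or glob characters.
disable_install_recovery() {
    mounts=$(mount) || return 1
    src=/system/etc/install-recovery.sh
    [ -e "$src" ] || { echo "$src is already gone" >&2; return 0; }
    if mount_is_ro "$mounts" /system; then
        $(remount_cmd "$mounts" /system rw) || return 1
    fi
    mv "$src" /system/etc/donot_install-recovery.sh; rc=$?
    $(remount_cmd "$mounts" /system ro)   # restore the read-only protection
    return "$rc"
}
```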


Using ClockworkMod Recovery for Backup

There is a long guide here explaining various options with screenshots but it's pretty basic.

1) Manual Backup

Select "ROM Manager" > "Reboot into Recovery" (for manual management). Phone will boot into ClockworkMod Recovery console.

Use "Volume down/up" buttons to move up or down and "Power" button to select an option.

As we want to take a full backup, choose the option that says "backup and restore".

Then choose the "backup" option and let the tool work its magic.

In my phone, the process took about 10 minutes. There is a progress bar that gives some visual feedback and when all is done you get "Backup complete!" message at the bottom.



2) Backup via ROM Manager

This is quite straightforward as it is an option in the "ROM Manager" application.

Select "ROM Manager" > "Backup Current ROM"

Enter a backup name, or tap "OK" to accept the suggested name.

Phone boots into recovery mode and starts the back up process.

After the backup is finished, phone boots back up.

Backed-up files reside under the /sdcard/clockworkmod/backup/{backup_name} folder. Below is the list of files after a backup:

l:\clockworkmod\backup\2011-11-07-19.41.58\
 183.4 m        .android_secure.vfat.tar
   8.0 m        boot.img
   12672        cache.yaffs2.img
 478.3 m        data.ext4.tar
     298        nandroid.md5
   8.0 m        recovery.img
 174.8 m        system.ext4.tar


Testing Restore from Backup

At the end of the day, all this effort is so that I can restore from a backup and get Android back to its original (stock) state.

So, I booted into ClockworkMod Recovery mode and:
  • wiped cache
  • wiped dalvik cache
  • wiped data/factory reset...

After the reboot, Nexus S came up and kicked off Google's Welcome Wizard. I skipped it and there it was. My Nexus S as if I just bought it. The only difference was that SuperUser app was still there.

To restore everything back:

  • I installed ROM Manager from Market
  • Flashed ClockworkMod Recovery 
  • Tapped "Manage and Restore Backups"
  • Selected the latest backup (the one above)
  • Phone went into Recovery Mode and recovery started
  • After about 5 minutes, phone rebooted again
  • Android came up and everything was restored successfully as if I never wiped my phone! 
It was perfect. Well, too perfect in fact, because apparently I had not renamed "/system/etc/install-recovery.sh" before taking the latest backup. So, after the restore ClockworkMod Recovery was gone, but it only takes a minute to get it back there.

Update: 12/02/2011

Here is a very detailed, thoughtful article from security researcher Dan Rosenberg on "Rooting and Plagiarism". It helps put things into context.
