Android

From YobiWiki

Links

App stores

Alternate views on the official market:

Alternate markets:

User manuals

Some internals info here

Short notes

Tools

apt-get install android-tools-adb
apt-get install android-tools-fastboot

USB permissions on the host

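Create /etc/udev/rules.d/99-android.rules for Nexus phones (MODE="0666" makes the device node read-write for every local user; since OWNER is set, MODE="0600" is enough on a shared machine):

# all Nexus
SUBSYSTEMS=="usb", ATTRS{idVendor}=="18d1", MODE="0666", OWNER="<your_account>"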

Then execute /etc/init.d/udev reload

Enter Fastboot mode

Depends on the phone, e.g.:

  • Nexus S: keep volume-up pressed while pressing power on for 5 secs
  • Nexus 4: keep volume-down pressed while pressing power on for 5 secs

OEM unlock

This will wipe ALL DATA!!!

fastboot oem unlock

OEM unlock for rooted devices

Once the device has been unlocked and rooted, it can be locked/unlocked again without wiping all the data, at least on some phone models.
Install BootUnlocker

Factory images for Nexus phones

Example for Nexus S: (requires OEM unlock)

wget https://dl.google.com/dl/android/aosp/soju-imm76d-factory-ca4ae9ee.tgz
tar xzf soju-imm76d-factory-ca4ae9ee.tgz
cd soju-imm76d
./flash-all.sh

Rooting without recovery

Chainfire's CF-Auto-Root makes it really easy to install SuperSU
e.g. for Nexus 4: (requires OEM unlock)

wget http://download.chainfire.eu/297/CF-Root/CF-Auto-Root/CF-Auto-Root-mako-occam-nexus4.zip
unzip -j CF-Auto-Root-mako-occam-nexus4.zip image/CF-Auto-Root-mako-occam-nexus4.img
sudo fastboot boot CF-Auto-Root-mako-occam-nexus4.img

Consider buying the PRO license key too...

Recovery

Example: (requires OEM unlock)

wget http://download2.clockworkmod.com/recoveries/recovery-clockwork-6.0.2.5-crespo.img
fastboot flash recovery recovery-clockwork-6.0.2.5-crespo.img

Rooting

Requires Clockworkmod recovery

Using ChainsDD SuperUser

wget http://downloads.noshufou.netdna-cdn.com/superuser/Superuser-3.1.3-arm-signed.zip
=> drop on /sdcard/
=> recovery -> install from zip -> Superuser-3.1.3-arm-signed.zip

Keep rooting over OTA

Apparently SuperSU has some "survival mode" that you can turn on in the settings but I don't know what it does...
Once you have busybox installed (see below), you can set the su binary immutable to prevent an OTA update from killing its setuid bit:

mount -o remount,rw /system
chattr +i /system/xbin/su
mount -o remount,ro /system

There is also an "OTA Rootkeeper" application to do the same
If you need to reflash a custom recovery to install a custom OTA update, see this article

ADB

To reveal the developer menu on Jelly Bean, tap 10x on "settings/about/build nr"
Then enable USB debugging.
USB debugging is pretty secure since Jelly Bean, but beware of older versions!

adbd insecure

As USB debugging is now pretty secure, let's enable immediate root access:
Install adbd insecure
Open app -> enable & enable at boot time

Busybox

From Google Play: https://play.google.com/store/apps/details?id=stericson.busybox&hl=en
Local install:

adb install stericson.busybox-1.apk
=> Run busybox -> install -> smart install

Consider buying Busybox Pro...

Modifying stuff in system partition using su

adb push some_file /sdcard/
adb shell su -c "mount -o remount,rw /system"
adb shell su -c "cat /sdcard/some_file > /etc/some_file"
sleep 1
adb shell su -c "mount -o remount,ro /system"

Modifying stuff in system partition with insecure adbd

adb shell mount -o remount,rw /system
adb push some_file /etc/some_file
sleep 1
adb shell mount -o remount,ro /system

Encrypt device

See official help
Some reports say they had to repeat the process several times on Nexus 4 before encryption started. I didn't have that problem.

One major caveat is that the same password is used for disk encryption and screen unlock, cf this longstanding bugreport.
On a rooted device, a separate disk-encryption password can be set with Cryptfs password or simply by running:

vdc cryptfs changepw <new_password>

Note that it will have to be done every time the screen PIN or password is changed.
See also http://nelenkov.blogspot.jp/2012/08/changing-androids-disk-encryption.html

Nexus 4

https://en.wikipedia.org/wiki/Nexus_4

Hardware

  • Chipset: Qualcomm Snapdragon™ S4 Pro processor with 1.5GHz Quad-Core Krait CPUs
  • Operating System: Android 4.2, Jelly Bean
  • Network: 3G (WCDMA), HSPA+
  • Display: 4.7-inch WXGA True HD IPS Plus (1280 x 768 pixels)
  • Memory: 8GB / 16GB
  • RAM: 2GB
  • Camera: 8.0MP rear / 1.3MP HD front
  • Battery: 2,100mAh Li-Polymer (embedded) / Talk time: 15.3 hours / Standby: 390 hours
  • Size: 133.9 x 68.7 x 9.1mm
  • Weight: 139g
  • Other:
    • NFC: Broadcom BCM2079x family: BCM20793 over I2C, cf /dev/bcm2079x-i2c
    • SE: ST33 from STMicroelectronics
    • Wireless charging
    • Miracast
    • BT 4.0
    • SlimPort for HDMI

Versions

physical mark

  • FCC ID: ZNFE960 IC:2703C-E960
  • MODEL LG-960 MADE IN KOREA

under fastboot, stock

  • PRODUCT_NAME - mako
  • VARIANT - mako 16GB
  • HW VERSION - rev_11
  • BOOTLOADER VERSION - MAKOZ10o
  • BASEBAND VERSION - M9615A-CEFWMAZM-2.0.1700.48
  • CARRIER INFO - None
  • SERIAL NUMBER - xxxxxx
  • SIGNING - production
  • SECURE BOOT - enabled
  • LOCK STATE - lock

under 'About phone' from the settings, stock 4.2.2

  • Android 4.2.2
  • Baseband M9615A-CEFWMAZM-2.0.1700.48
  • Kernel 3.4.0-perf-g7ce11cd
  • Build JDQ39

Nexus S

Old notes here

Versions

physical sticker behind battery

  • Model: GT-I9023
  • FCC ID: A3LGTI9023
  • SSN: -I9023GSMH
  • IMEI: xxxxxxx
  • S/N: xxxxxxx

under fastboot, after upgrade to 4.1.2

  • Bootloader version - I9020XXLC2
  • Baseband version - I9020XXKI1
  • Carrier info - EUR

under 'About phone' from the settings, after upgrade to 4.1.2

  • Android 4.1.2
  • Baseband I9023XXKI1
  • Kernel 3.0.31-g5894150 android-build@vpbs1 #1
  • Build JZO54K

Upgrading to 4.1.2

An OTA update is available and the phone proposed to start the upgrade process
The update zip is located in /cache

android# ls -l /cache
pc$ adb pull /cache/9U4MCfNt.zip .

Preparation

  • Go to fastboot (vol-up + power)
  • Go to recovery
  • Backup & restore / Backup
  • Mount USB
  • Copy all /sdcard content to PC
  • Reboot -> enter fastboot again

Preparation bis

  • edit 9U4MCfNt.zip to remove recovery/ and edit META-INF/com/google/android/updater-script
    • remove all commands about recovery
    • add following line to keep rooted: set_perm(0, 0, 6755, "/system/bin/su");
    • radio image doesn't seem to be affected by the update, nothing to do here

This time I tried differently:

  • pc$ adb push 9U4MCfNt.zip /cache
  • dd if=boot.img of=boot-fit.img bs=262144 count=28 #(with original boot.img from 4.1.1)
  • fastboot flash boot boot-fit.img

Upgrade

This time I tried differently:

  • Reboot and accept upgrade, it will reboot the phone and let Clockwork recovery apply the patch
  • Despite the set_perm, recovery told me "Root access possibly lost. Fix? /system/bin/su" and I accepted, just in case...
  • Backup & restore / Backup
  • Mount USB
  • Copy new backup to PC
  • Reboot

Rooting again

  • Extract new 4.1.2 boot.img (e.g. using clockworkmod backup or with the first commands below)
  • Modify it & flash it back, see below

android$ su
android# cat /dev/mtd/mtd2 > /sdcard/boot.img
adb pull /sdcard/boot.img .
abootimg -x boot.img
mkdir ramdisk
cd ramdisk
gzip -dc ../initrd.img | cpio -i
sed -i 's/ro.secure=1/ro.secure=0/' default.prop
find . -print|cpio -o -Hnewc|gzip > ../initrd.img2
cd ..
abootimg -u boot.img -r initrd.img2
dd if=boot.img of=boot-fit.img bs=262144 count=28
fastboot flash boot boot-fit.img


Test menu

Dial *#*#4636#*#* (== *#*#INFO#*#*)

Android 2.3

Getting fastboot & Android sources

There are several binaries around but I wanted to build my own. Maybe not the shortest way... I downloaded all android sources...
cf http://source.android.com/source/downloading.html
Some missing deps on my 64-bit Debian when I tried to compile everything: gperf, libc6-dev-i386, lib32ncurses5-dev ia32-libs g++-multilib lib32z1-dev lib32readline6-dev

. build/envsetup.sh
lunch crespo-eng
make -j2

Maybe we can just compile adb & fastboot:

make adb
make fastboot

cf http://www.cduce.org/~abate/build-android-adb-debian-sid-amd64

Getting adb & Android SDK

Get it from http://developer.android.com/sdk/index.html
Run tools/android -> in installed packages make sure to have "Android SDK Tools", latest revision and "Android SDK Platform-tools", latest revision
It also brings adb but not fastboot
If you want to update SDK: tools/android update sdk

adb

You need to activate USB debugging:

  • Settings > Applications > Development > USB debugging

Some examples:

  • adb devices
  • adb shell
  • adb logcat

adb as root

Once the phone is rooted, you can invoke "su" from a shell (e.g. adb shell) & get root.
But to get a root shell immediately, the file /default.prop needs to contain ro.secure=0
That file is restored from boot.img at each boot, so you need to modify boot.img itself
See http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images#Alternative_Method
but there is also abootimg in debian:

  • Taking the boot.img from Samsung (see above in I9023_EUR_GRI54_XXKB3/I9023_EUR_GRI54_XXKB3/PDA_SOJU_GRI54_TMO_EUR_MR1_SIGNED.tar).
abootimg -x boot.img
mkdir ramdisk
cd ramdisk
gzip -dc ../initrd.img | cpio -i
sed -i 's/ro.secure=1/ro.secure=0/' default.prop
find . -print|cpio -o -Hnewc|gzip > ../initrd.img2
cd ..
abootimg -u boot.img -r initrd.img2
fastboot flash boot boot.img

For the last command, the phone needs of course to be in fastboot mode
Reboot phone
I had to re-enable USB debugging but now adb shell brings me immediately a root shell :)
Note that link mentioned above proposes an alternative way to flash the boot partition, directly from adb shell as root

Without this setup, it's a bit cumbersome to automate root commands from host, it looks like

adb shell su -c "netcfg usb0 dhcp"

and the SuperUser app prompts you for confirmation on the phone for each new command

Got a failure when trying to flash back a 8Mb boot.img?
From example above I started from a boot.img smaller than the full boot partition but if you create a new boot.img or start from an image of the full partition taken manually or with clockworkmod, boot.img will be 8Mb-large (8388608) and fastboot fails with "FAILED exceed blocks 0x00000020 > 0x0000001e".
I'm not really sure about what size the file should be but as it's filled with zeroes till reaching 8Mb, I decided to cut it:
0x00000020 => 0x0000001e means for me 8388608 / 0x20 * 0x1e = 7864320, so I did:

dd if=boot.img of=boot2.img bs=262144 count=30 
fastboot flash boot boot2.img

And it worked!
Note that on ICS I need to use count=28

dd if=boot.img of=boot2.img bs=262144 count=28
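
The cut described above is only harmless if everything beyond the kept blocks really is zero padding. The following added example (not part of the original notes) reads the block limit from the fastboot error quoted above and refuses to truncate when data would be lost; the function names are hypothetical and the 262144-byte block size is the one derived in the calculation above.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical.
BLOCK=262144   # bytes per block, as derived above: 8388608 / 0x20

# Extract the partition limit (in blocks) from the fastboot error text,
# e.g. "FAILED exceed blocks 0x00000020 > 0x0000001e" -> 30
blocks_from_fastboot_error() {
    limit=$(printf '%s\n' "$1" |
        sed -n 's/.*exceed blocks 0x[0-9a-fA-F]* > \(0x[0-9a-fA-F]*\).*/\1/p')
    [ -n "$limit" ] || return 1
    echo $(( $limit ))
}

# Count the non-zero bytes of file $1 that lie beyond its first $2 blocks.
tail_nonzero_bytes() {
    tail -c +"$(( $2 * BLOCK + 1 ))" "$1" | tr -d '\000' | wc -c | tr -d ' '
}

# Copy the first $3 blocks of $1 to $2, but only if the part being
# dropped is pure zero padding.
trim_boot_img() {
    src=$1 dst=$2 count=$3
    size=$(wc -c < "$src" | tr -d ' ')
    keep=$(( count * BLOCK ))
    if [ "$size" -le "$keep" ]; then
        cp "$src" "$dst"            # already small enough, nothing to cut
        return 0
    fi
    lost=$(tail_nonzero_bytes "$src" "$count")
    if [ "$lost" -ne 0 ]; then
        echo "refusing: $lost non-zero bytes beyond block $count" >&2
        return 1
    fi
    dd if="$src" of="$dst" bs="$BLOCK" count="$count" 2>/dev/null
}

# Limit for the error message quoted above
blocks_from_fastboot_error "FAILED exceed blocks 0x00000020 > 0x0000001e"
```

Typical use is trim_boot_img boot.img boot2.img 30 (or 28 on ICS) before fastboot flash boot boot2.img.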

Images structure

You may want to explore .img content (from backups, stock ROMs etc).
Actually, not all .img files have the same format

bootloader.img

/dev/mtd/mtd0
Unknown format

radio.img

/dev/mtd/mtd5
Unknown format, for baseband

recovery.img

/dev/mtd/mtd3
Unknown format

boot.img

/dev/mtd/mtd2
See here for details on the structure, and abootimg on Debian

system.img

Yaffs2 image, can be unpacked with unyaffs
Note that unyaffs failed unpacking stock system.img 2.3.3 & userdata.img but works fine on clockworkmod backups

data.img

Yaffs2 image, can be unpacked with unyaffs

cache.img

/dev/mtd/mtd4
Yaffs2 image, can be unpacked with unyaffs

misc

/dev/mtd/mtd1
Not backed up by clockworkmod

efs

/dev/mtd/mtd6
Yaffs2 image, can be unpacked with unyaffs
Not backed up by clockworkmod
Contains stuff linked to baseband & bluetooth

Screenshots

Run ddms (from SDK) -> Tools / Device / Screen capture

USB tethering

Plug phone & PC via USB
Activate USB tethering (Settings / Wireless & networks / Tethering / USB Tethering)
It works OOB on Debian, nothing to do

Getting busybox

Need rooted phone, see above
Google's stripped busybox, called toolbox, is far from enough once you get a shell on the phone

Examples to use busybox versions instead of toolbox versions when the command exists twice:

# busybox mount -o remount,rw /system
# /system/xbin/mount -o remount,rw /system

Wi-Fi & client certs

To be able to authenticate to a Wi-Fi network using client certificates via TLS:
If needed, export certificate from IE in Pkcs#12 PFX, *with* private key, *with* all certs, *without* strong enc, *without* deletion of private key.
Rename .pfx file as .p12
(source: http://www.google.com/support/mobile/bin/answer.py?answer=168466&topic=27214#1086573)
Copy pkcs#12 certificate to root of USB storage.
File must end with .p12, not .pfx!
One single file with key+cert+cacerts is ok
Wi-Fi params: 802.1x EAP / TLS / phase2: None / CA cert: cf previous import / user cert: idem / Identity: DOMAIN\user... / Anonymous id: empty / password:...

Note that after each reboot, you'll have to select manually one of the protected networks to unlock the secure storage of personal certificates or open manually the certificates storage:
Settings > Location & Security > Use secure credentials
See also Keystore Unlocker

Importing certs

I could only manage it via a webserver & crafted headers:

<?php
header("Content-Type: application/x-x509-ca-cert");
?>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

You may try this free service: http://www.realmb.com/droidCert/ which seems to do the same.
But even if imported they seem not to be used e.g. for IMAP TLS.

Importing CA certs in /system

Android < 3.0

Source: CACert wiki.
You don't need the full Android SDK, just adb binary.
I'm not sure if it's really the proper way, but to get the BouncyCastle lib which was already on my system (apt-get install libbcprov-java) recognized I did

sudo ln -s /usr/share/java/bcprov.jar /usr/lib/jvm/java-6-sun/jre/lib/ext/


Adding CACert certificates:

adb pull /system/etc/security/cacerts.bks
wget http://www.cacert.org/certs/root.crt
wget http://www.cacert.org/certs/class3.crt
keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias CACERT -file root.crt
keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias CACERT3 -file class3.crt 
adb shell busybox mount -o remount,rw /system
adb push cacerts.bks /system/etc/security
adb shell busybox mount -o remount,ro /system

Now my IMAP TLS which is using a CACert-signed certificate works with strict TLS setting on the phone, cool!

WARNING: this has broken proper upgrades and I had to mangle the update.zip to first restore the original cacerts.bks file, then get it patched.
Before I patched it again, my imap server gave me a lot of "couriertls: read: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number" errors before I realized it was because I didn't have the CACert certificates anymore...

Android 3.0 & 4.0

Seems much easier:
no need for rooting anymore!

  • drop certs on /sdcard/
  • go to settings / personal: security / credential storage: install from storage & select both certs

SMSC configuration

Configuring the SMSC (SMS gateway) on Android is not straightforward.
Access a hidden settings menu by dialing *#*#4636#*#* (*#*#INFO#*#*) -> phone settings -> SMSC -> Refresh (to get current value)
To update that field, if it does not work in plain or between quotes, try encoding it in PDU format:

  • First byte is length of SMSC info, so if it's e.g. +32475161616, it's 11 digits to code on 6 bytes, + 1 byte to code type of SMSC address => 7 bytes
  • Second byte is the type of SMSC address, 91 for international format
  • Next bytes are the SMSC digits, padded with "f" if odd, then nibble-swapped so in our example: 32475161616F => 2374151616F6
  • Full PDU-encoded SMSC is then: 07912374151616F6 -> Update
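
The encoding steps above as a small shell helper, with the reverse direction to check a value read back with Refresh. This is an added example, not part of the original notes; the function names are hypothetical and only the international format (type 91) described above is handled.

```shell
#!/bin/sh
# Added example, not from the original notes. smsc_to_pdu and pdu_to_smsc are
# hypothetical helper names; only the international format (type 91) is handled.

# Encode "+<digits>" as <length><91><nibble-swapped digits>.
smsc_to_pdu() {
    case $1 in
        +*) digits=${1#+} ;;
        *)  echo "expected international format (+...)" >&2; return 1 ;;
    esac
    case $digits in
        ''|*[!0-9]*) echo "invalid SMSC number: $1" >&2; return 1 ;;
    esac
    # Pad with F when the digit count is odd so the digits fill whole bytes
    if [ $(( ${#digits} % 2 )) -eq 1 ]; then
        digits="${digits}F"
    fi
    # Swap the two nibbles of every byte: 32 47 ... 6F -> 23 74 ... F6
    swapped=$(printf '%s' "$digits" | sed 's/\(.\)\(.\)/\2\1/g')
    # Length byte counts what follows it: 1 type byte + the digit bytes
    len=$(( ${#digits} / 2 + 1 ))
    printf '%02X91%s\n' "$len" "$swapped"
}

# Decode a PDU-encoded SMSC back to "+<digits>", checking the length byte.
pdu_to_smsc() {
    pdu=$1
    case $pdu in
        ''|*[!0-9A-Fa-f]*) echo "not a hex string: $pdu" >&2; return 1 ;;
    esac
    [ ${#pdu} -ge 6 ] || { echo "PDU too short" >&2; return 1; }
    len=$(( 0x$(printf '%s' "$pdu" | cut -c1-2) ))
    toa=$(printf '%s' "$pdu" | cut -c3-4)
    body=$(printf '%s' "$pdu" | cut -c5-)
    if [ ${#pdu} -ne $(( 2 + 2 * len )) ]; then
        echo "length byte does not match PDU size" >&2; return 1
    fi
    [ "$toa" = 91 ] || { echo "unsupported address type: $toa" >&2; return 1; }
    digits=$(printf '%s' "$body" | sed 's/\(.\)\(.\)/\2\1/g')
    digits=${digits%[Ff]}      # drop the padding nibble, if any
    printf '+%s\n' "$digits"
}

# The number used in the notes above
smsc_to_pdu +32475161616
pdu_to_smsc 07912374151616F6
```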

Tools

ADB

  • Manual, covers adb, am, pm, etc

Installing an app in /system/app :

adb push MyApp.apk /sdcard/
adb shell su -c "mount -o remount,rw /system"
adb shell su -c "cp /sdcard/MyApp.apk /system/app/"
sleep 1
adb shell su -c "mount -o remount,ro /system"
adb reboot
adb shell pm list packages -s # Should be there now

Removing an app from /system/app:

adb shell su -c "mount -o remount,rw /system"
adb shell su -c "rm /system/app/MyApp.apk"
sleep 1
adb shell su -c "mount -o remount,ro /system"
adb reboot

Applications

See Android Apps

Applications development

See Android SDK

Using the embedded SE

See Android SE

Backing up via BackupPC

I'm a big fan of BackupPC and this guy managed to link Android & BackupPC so let's give it a try.
Check the mentioned link but his setup is a bit different, running CyanogenMod while I'm using a stock fw.
Instructions here assume your phone is rooted.

IP

Backuppc server needs to reach the phone so your phone needs a static (or DHCP statically attributed) IP or whatever dyndns system.

SSH

I'm using SshDroidPro
Make sure backuppc key is properly installed in /data/data/berserker.android.apps.sshdroidpro/home/.ssh/authorized_keys
Then test it as user backuppc, trying to access the phone and accept the server key fingerprint.

rsync

To get an rsync binary, I found rsync backup for Android which downloads an rsync binary during install (a weird way to deal with a GPL program IMHO).
The actual binary it downloads is available here.
But Android wget doesn't support https so you have to transfer it to your phone by other means.
One way is to install the application I mentioned and let it download that binary.
Then, to install it at a more rooted-Android standard place:

cd /system/xbin
busybox mount -o remount,rw /system
cp /data/data/eu.kowalczuk.rsync4android/files/rsync /system/xbin/
chmod 755 /system/xbin/rsync
chown root.shell /system/xbin/rsync
busybox mount -o remount,ro /system

Wi-Fi

Make sure Wi-Fi will stay on!
Menu > Settings > Wireless & networks > Wi-Fi settings > Menu > Advanced > Wi-Fi sleep policy > Never (or never when powered)

BackupPC config

My config: create new host in backuppc web interface with:

   XferMethod = rsync
   RsyncShareName = [/data/, /efs/ (useful??), /system/, /mnt/asec/, /mnt/sdcard/]
   RsyncClientPath = /system/xbin/rsync
   BackupFilesExclude = /mnt/sdcard/ => [/oruxmaps/mapfiles, /clockworkmod/backup, /radio_dump_*, /videos]

Note that in the mentioned link he's using RsyncShareName = / and playing with BackupFilesOnly but for me it looks like BackupFilesOnly was not respected, so I preferred to have separate RsyncShareName
Some info on APP2SD here and here
I had errors "Ping too slow" so I increased

   PingMaxMsec = 400

as anyway it's on local network

Non-rooted device

For non-rooted devices the setup is a bit different:

  • SSH server will run on a non-privileged port, e.g. port 2222
  • login will be done with sshdroid permissions, not root, so it can access neither the rsync binary nor /data content
  • rsync needs to be available so we'll transfer it again, as sshdroid user:
scp -P2222 rsync galaxy:/data/data/berserker.android.apps.sshdroid/home/bin/

then make it executable

  • BackupPC config is e.g.:
   XferMethod = rsync
   RsyncShareName = [/mnt/sdcard/]
   RsyncClientPath = /data/data/berserker.android.apps.sshdroid/home/bin/rsync
   BackupFilesExclude = /mnt/sdcard/ => [/Movies]
   RsyncClientCmd: add "-p2222" to ssh options: "$sshPath -p2222 -q -x -l root $host $rsyncPath $argList+"
   RsyncClientRestoreCmd: add "-p2222" to ssh options: "$sshPath -p2222 -q -x -l root $host $rsyncPath $argList+"

Because we cannot directly back up /data content, what can be done is to use e.g. MyBackupPro to back up most of the data to the SD card, in a scheduled way.

Rooting Samsung Galaxy Tab 10.1

cf http://forum.xda-developers.com/showthread.php?t=1239185
I used a WinXP within a virtualbox under Debian
When flashing with Odin3 I had problems with the process being stuck at SetupConnection
The trick was to physically unplug the USB cable, start Odin3, plug the cable, connect the USB device through virtualbox to WinXP

Once rooted, upgrade the Superuser application
Once started, the app should detect that the su binary also needs to be updated. Follow instructions.

To enter clockwork recovery: power off / press vol down + power till 2 icons appear / press vol down to select left icon / press vol up / you should see recovery menu now

Installing new Market application:
Some APKs are lying around; here is how I use them
First test their certificate as I don't want to get a malicious app:

$ adb install Vending_3.1.5.apk 
Failure [INSTALL_FAILED_ALREADY_EXISTS]


This is ok, but e.g. this one seems more worrisome, I wouldn't try it:

$ adb install Vending_3.1.6.apk 
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

Make your backups!
Replace manually /system/app/Vending.apk by the new version and reboot.
In case of trouble, you may try to clean the Dalvik cache from the Clockwork recovery advanced menu

busybox mount -o remount,rw /system
mv /system/app/Vending.apk /sdcard/Vending_1.0.apk
mv /sdcard/Vending_3.1.5.apk /system/app/Vending.apk
chown 0.0 /system/app/Vending.apk
busybox mount -o remount,ro /system