Android

From YobiWiki
Jump to navigation Jump to search

Links

App stores

Alternate views on the official market:

Alternate markets:

User manuals

Some internals info here

Short notes

Tools

apt-get install android-tools-adb
apt-get install android-tools-fastboot

USB permissions on the host

Create /etc/udev/rules.d/99-android.rules for Nexus phones:

SUBSYSTEMS=="usb", ATTRS{idVendor}=="18d1", MODE="0666", OWNER="<your_account>" # all Nexus

Then execute /etc/init.d/udev reload

Enter Fastboot mode

  • Power off phone
  • Depends on the phone, e.g.:
    • Nexus S: keep volume-up pressed while pressing power on for 5 secs
    • Nexus 4: keep volume-down pressed while pressing power on for 5 secs
    • You've entered fastboot

Alternatively, fastboot can be triggererd from adb: adb reboot-bootloader

OEM unlock

This will wipe ALL DATA!!!

fastboot oem unlock

OEM unlock for rooted devices

Once the device has been unlocked and rooted, it can be locked/unlocked again without wiping all the data, at least on some phone models.
Install BootUnlocker

Factory images for Nexus phones

Example for Nexus S: (requires OEM unlock)

wget https://dl.google.com/dl/android/aosp/soju-imm76d-factory-ca4ae9ee.tgz
tar xzf soju-imm76d-factory-ca4ae9ee.tgz
cd soju-imm76d
./flash-all.sh

Example for Nexus 4: (requires OEM unlock)
cf https://support.google.com/nexus/4/answer/2936226?hl=en
Factory Images "occam" for Nexus 4 -> Android 4.3 (JWR66Y)

wget https://dl.google.com/dl/android/aosp/occam-jwr66y-factory-74b1deab.tgz
tar xzf occam-jwr66y-factory-08d2b697.tgz
cf occam-jwr66y
./flash-all.sh

Rooting without recovery

Chainfire's CF-Auto-Root makes life really easy to install SuperSU
e.g. for Nexus 4: (requires OEM unlock)

wget http://download.chainfire.eu/297/CF-Root/CF-Auto-Root/CF-Auto-Root-mako-occam-nexus4.zip
unzip -j CF-Auto-Root-mako-occam-nexus4.zip image/CF-Auto-Root-mako-occam-nexus4.img
sudo fastboot boot CF-Auto-Root-mako-occam-nexus4.img

Consider buying the PRO license key too...

Recovery

Example for Nexus S: (requires OEM unlock)

wget http://download2.clockworkmod.com/recoveries/recovery-clockwork-6.0.2.5-crespo.img
fastboot flash recovery recovery-clockwork-6.0.2.5-crespo.img

Example for Nexus 4: (requires OEM unlock)

wget http://download2.clockworkmod.com/recoveries/recovery-clockwork-6.0.3.4-mako.img
fastboot flash recovery recovery-clockwork-6.0.3.4-mako.img

Stock recovery

To show menu with stock recovery, hold "power" and press "volume-up" on Nexus 4

Rooting

Requires Clockworkmod recovery

Using ChainsDD SuperUser

wget http://downloads.noshufou.netdna-cdn.com/superuser/Superuser-3.1.3-arm-signed.zip
=> drop on /sdcard/ (or use adb sideload)
=> recovery -> install from zip -> Superuser-3.1.3-arm-signed.zip

ChainFire SuperSU

wget http://download.chainfire.eu/345/SuperSU/UPDATE-SuperSU-v1.51.zip
=> drop on /sdcard/ (or use adb sideload)
=> recovery -> install from zip -> UPDATE-SuperSU-v1.51.zip

Details:

/system/app/Superuser.apk
/system/etc/init.d/99SuperSUDaemon
/system/etc/install-recovery.sh (lsattr: -----i--A----)
/system/bin/.ext/.su (rwsr-sr-x = 06755)
/system/xbin/daemonsu (rwsr-sr-x = 06755)
/system/xbin/su (rwsr-sr-x = 06755)

The 4 binaries may be locked by a "chattr +i" but this seems to break some OTA updates, so better to change manually OTA updates first.
Version 1.51 still chattr +i /system/etc/install-recovery.sh but this breaks JWR66V to JWR66Y OTA update.

Keep rooting over OTA

Apparently SuperSU has some "survival mode" that you can turn on in the settings but I don't know what it does...
Once you have busybox installed (see below), you can set the su binary immutable to avoid an OTA update to kill its setuid bit:

mount -o remount,rw /system
chattr +i /system/xbin/su
mount -o remount,ro /system

There is also a "OTA Rootkeeper" application to do the same
If you need to reflash a custom recovery to install a custom OTA update, see this article

Edit I'm not sure the chattr method works.
OTA update JWR66Y-from-JWR66V failed because of /system/etc/install-recovery.sh being locked with chattr +i and used by SuperSU to launch daemonsu.
To solve it I had to modify manually the patch and apply it through custom recovery:
Avoid Clockworkmod recovery to be overwritten.
Avoid su setuid bit to be overwritten.

  • OTA update was left in /cache and failed being applied as explained above
  • Unzip 6136cbe0fb21994b8bd463d137ac75b953ba8e9b.signed-occam-JWR66Y-from-JWR66V.6136cbe0.zip
  • rm -rf recovery
  • Edit META-INF/com/google/android/updater-script :
--- updater-script.orig2013-08-27 17:40:36.500787411 +0200
+++ updater-script2013-08-27 17:40:10.912302554 +0200
@@ -1371,11 +1371,8 @@
             6713bc8134b88289bf2fd5c17bf30d0d174d6eb0, 374184,
             9d87d330c5490fec0fca02ba3d7ba17fa7d65e8c, package_extract_file("patch/system/vendor/lib/mediadrm/libwvdrmengine.so.p"));
 set_progress(0.999987);
-delete("/system/recovery-from-boot.p",
-       "/system/etc/install-recovery.sh");
+delete("/system/recovery-from-boot.p");
 show_progress(0.100000, 10);
-ui_print("Unpacking new recovery...");
-package_extract_dir("recovery", "/system");
 ui_print("Symlinks and permissions...");
 set_perm_recursive(0, 0, 0755, 0644, "/system");
 set_perm_recursive(0, 2000, 0755, 0755, "/system/bin");
@@ -1383,7 +1380,6 @@
 set_perm(0, 0, 0755, "/system/bin/ping");
 set_perm(0, 2000, 0750, "/system/bin/run-as");
 set_perm(1014, 2000, 0550, "/system/etc/dhcpcd/dhcpcd-run-hooks");
-set_perm(0, 0, 0544, "/system/etc/install-recovery.sh");
 set_perm_recursive(0, 0, 0755, 0555, "/system/etc/ppp");
 set_perm(0, 2000, 0755, "/system/vendor");
 set_perm_recursive(0, 2000, 0755, 0644, "/system/vendor/etc");
@@ -1407,6 +1403,8 @@
 set_perm_recursive(0, 2000, 0755, 0644, "/system/vendor/pittpatt/models/recognition");
 set_perm(0, 0, 0644, "/system/vendor/pittpatt/models/recognition/face.face.y0-y0-22-b-N.bin");
 set_perm_recursive(0, 2000, 0755, 0755, "/system/xbin");
+set_perm(0, 0, 06755, "/system/xbin/su");
+set_perm(0, 0, 06755, "/system/xbin/daemonsu");
 ui_print("Patching remaining system files...");
 apply_patch("/system/build.prop", "-",
             e336e937ec01a4e2fcb60d3659e296a30701ebf9, 2742,

ADB

To reveal developer menu on Jelly Bean, tap 10x on "settings/about/build nr"
Then enable usb debug.
USB debugging is pretty secured since Jelly Bean but beware for older versions!

adbd insecure

As USB debugging is now pretty secure, let's enable immediate root access:
Install adbd insecure
Open app -> enable & enable at boot time

adb & recovery

From recovery, you can also use adb:

  • adb shell
  • adb sideload update.zip
  • adb push

etc

Busybox

From Google Play: https://play.google.com/store/apps/details?id=stericson.busybox&hl=en
Local install:

adb install stericson.busybox-1.apk
=> Run busybox -> install -> smart install

Consider buying Busybox Pro...

Modifying stuffs in system partition using su

adb push some_file /sdcard/
adb shell su -c "mount -o remount,rw /system"
adb shell su -c "cat /sdcard/some_file > /etc/some_file"
sleep 1
adb shell su -c "mount -o remount,ro /system"

Modifying stuffs in system partition with insecure adbd

adb shell mount -o remount,rw /system
adb push some_file /etc/some_file
sleep 1
adb shell mount -o remount,ro /system

Encrypt device

See official help
Some reports say they had to repeat the process several times on Nexus 4 before encryption started. I didn't have that problem.

One major caveat is that this is the same password for disk encryption and screen unlock, cf this longstanding bugreport.
On a rooted device this can be achieved thanks to Cryptfs password or simply by doing:

vdc cryptfs changepw <new_password>

Note that it will have to be done every time the screen PIN or pwd is changed.
See also http://nelenkov.blogspot.jp/2012/08/changing-androids-disk-encryption.html

Nexus 4

https://en.wikipedia.org/wiki/Nexus_4

Hardware

  • Chipset: Qualcomm Snapdragon™ S4 Pro processor with 1.5GHz Quad-Core Krait CPUs
  • Operating System: Android 4.2, Jelly Bean
  • Network: 3G (WCDMA), HSPA+
  • Display: 4.7-inch WXGA True HD IPS Plus (1280 x 768 pixels)
  • Memory: 8GB / 16GB
  • RAM: 2GB
  • Camera: 8.0MP rear / 1.3MP HD front
  • Battery: 2,100mAh Li-Polymer (embedded) / Talk time: 15.3 hours / Standby: 390 hours
  • Size: 133.9 x 68.7 x 9.1mm
  • Weight: 139g
  • Other:
    • NFC: Broadcom BCM2079x family: BCM20793 over I2C, cf /dev/bcm2079x-i2c
    • SE: ST33 from STMicroelectronics
    • Wireless charging
    • Miracast
    • BT 4.0
    • SlimPort for HDMI

Versions

physical mark

  • FCC ID: ZNFE960 IC:2703C-E960
  • MODEL LG-960 MADE IN KOREA

under fastboot, stock

  • PRODUCT_NAME - mako
  • VARIANT - mako 16GB
  • HW VERSION - rev_11
  • BOOTLOADER VERSION - MAKOZ10o
  • BASEBAND VERSION - M9615A-CEFWMAZM-2.0.1700.48
  • CARRIER INFO - None
  • SERIAL NUMBER - xxxxxx
  • SIGNING - production
  • SECURE BOOT - enabled
  • LOCK STATE - lock

under 'About phone' from the settings, stock 4.2.2

  • Android 4.2.2
  • Baseband M9615A-CEFWMAZM-2.0.1700.48
  • Kernel 3.4.0-perf-g7ce11cd
  • Build JDQ39

under 'About phone' from the settings, 4.3

  • Android 4.3
  • Baseband M9615A-CEFWMAZM-2.0.1700.84
  • Kernel 3.4.0-perf-gf43c3d9
  • Build JWR66V then JWR66Y

My tunings

  • Original recovery
  • Rooted with "SuperSU"
    • "SuperSU" protected by PIN
    • Rooting maintained over OTA updates (using chattr +i and "SuperSU" survival mode)
  • OEM locked again
    • "Bootunlocker" app to unlock without wiping
  • Avast Mobile Security
    • anti theft with anchor in system (so even factory reset doesn't help)
    • application firewall (wifi/3g/roaming per app)
  • USB debugging activated and paired with my PC
    • "adbd insecure" installed
  • "BusyBox Pro"
  • "OpenVPN Install" & "OpenVPN Settings"
  • "SSHDroidPro"
  • Encrypted
    • with better pwd at boot time, using "Cryptfs password" app
  • Bluetooth & Belkin A2DP for car: no need to unlock my screen
    • "Bluetooth Auto Connect" -> pairs when screen is turned on
    • "Bluetooth connect and play" -> starts playing when paired
  • "AdAway" installed via "F-Droid"
  • "Nexus 4 Dot" as live wallpaper
  • "Helium" to backup & sync apps via Google Drive

Nexus S

Old notes here

Versions

physical sticker behind battery

  • Model: GT-I9023
  • FCC ID: A3LGTI9023
  • SSN: -I9023GSMH
  • IMEI: xxxxxxx
  • S/N: xxxxxxx

under fastboot, after upgrade to 4.1.2

  • Bootloader version - I9020XXLC2
  • Baseband version - I9020XXKI1
  • Carrier info - EUR

under 'About phone' from the settings, after upgrade to 4.1.2

  • Android 4.1.2
  • Baseband I9023XXKI1
  • Kernel 3.0.31-g5894150 android-build@vpbs1 #1
  • Build JZO54K

Upgrading to 4.1.2

OTA update is available and the phone proposed me to start upgrade process
update zip is located in /cache

android# ls -l /cache
pc$ adb pull /cache/9U4MCfNt.zip .

Preparation

  • Go to fastboot (vol-up + power)
  • Go to recovery
  • Backup & restore / Backup
  • Mount USB
  • Copy all /sdcard content to PC
  • Reboot -> enter fastboot again

Preparation bis

  • edit 9U4MCfNt.zip to remove recovery/ and edit META-INF/com/google/android/updater-script
    • remove all commands about recovery
    • add following line to keep rooted: set_perm(0, 0, 6755, "/system/bin/su");
    • radio image don't seem to be affected by update, nothing to do here

This time I tried differently:

  • pc$ adb push 9U4MCfNt.zip /cache
  • dd if=boot.img of=boot-fit.img bs=262144 count=28 #(with original boot.img from 4.1.1)
  • fastboot flash boot boot-fit.img

Upgrade

This time I tried differently:

  • Reboot and accept upgrade, it will reboot the phone and let Clockwork recovery applying the patch
  • Despite the set_perm, recovery told me "Root access possibly lost. Fix? /system/bin/su" and I accepted, just in case...
  • Backup & restore / Backup
  • Mount USB
  • Copy new backup to PC
  • Reboot

Rooting again

  • Extract new 4.1.2 boot.img (e.g. using clockworkmod backup or:)
  • modify it & flash it back, see below
android$ su
android# cat /dev/mtd/mtd2 > /sdcard/boot.img
adb pull /sdcard/boot.img .
abootimg -x boot.img
mkdir ramdisk
cd ramdisk
gzip -dc ../initrd.img | cpio -i
sed -i 's/ro.secure=1/ro.secure=0/' default.prop
find . -print|cpio -o -Hnewc|gzip > ../initrd.img2
cd ..
abootimg -u boot.img -r initrd.img2
dd if=boot.img of=boot-fit.img bs=262144 count=28
fastboot flash boot boot-fit.img

Installing Cyanogenmod

See http://wiki.cyanogenmod.org/w/Install_CM_for_crespo and repository for Crespo
Boot into cyanogenmod recovery

  • Wipe data/factory reset
adb shell mount /data
adb push YOURROMZIP.zip /sdcard/
  • Install zip from sdcard
  • Choose zip from sdcard...
  • Reboot

To install Google apps, see http://wiki.cyanogenmod.org/w/Gapps

Rooting Samsung Galaxy Tab 10.1

cf http://forum.xda-developers.com/showthread.php?t=1239185
I used a WinXP within a virtualbox under Debian
When flashing with Odin3 I had problems process being stuck at SetupConnection
Trick was to unplug physically the USB cable, start Odin3, plug the cable, connect the USB device through virtualbox to WinXP

Once rooted, upgrade the Superuser application
Once started, the app should detect su binary needs also to be updated. Follow instructions.

To enter clockwork recovery: power off / press vol down + power till 2 icons appear / press vol down to select left icon / press vol up / you should see recovery menu now

Installing new Market application:
Some apk are lying around, here is how I use them
First test their certificate as I don't want to get a malicious app:

$ adb install Vending_3.1.5.apk 
Failure [INSTALL_FAILED_ALREADY_EXISTS]


This is ok, but e.g. this one seems more worrisome, I wouldn't try it:

$ adb install Vending_3.1.6.apk 
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

Make your backups!
Replace manually /system/app/Vending.apk by the new version and reboot.
If trouble you may try to clean the Dalvik cache from Clockwork recovery advanced menu

busybox  mount -o remount,rw /system
mv /system/app/Vending.apk /sdcard/Vending_1.0.apk
mv /sdcard/Vending_3.1.5.apk /system/app/Vending.apk
chown 0.0 /system/app/Vending.apk
busybox  mount -o remount,ro /system

Misc

Wi-Fi & client certs

To be able to authenticate to a Wi-Fi network using client certificates via TLS:
If needed, export certificate from IE in Pkcs#12 PFX, *with* private key, *with* all certs, *without* strong enc, *without* deletion of private key.
Rename .pfx file as .p12
(source: http://www.google.com/support/mobile/bin/answer.py?answer=168466&topic=27214#1086573)
Copy pkcs#12 certificate to root of USB storage.
File must end with .p12, not .pfx!
One single file with key+cert+cacerts is ok
Wi-Fi params: 802.1x EAP / TLS / phase2: None / CA cert: cf previous import / user cert: idem / Identity: DOMAIN\user... / Anonymous id: empty / password:...

Note that after each reboot, you'll have to select manually one of the protected networks to unlock the secure storage of personal certificates or open manually the certificates storage:
Settings > Location & Security > Use secure credentials
See also Keystore Unlocker

Importing certs

Since Android 3.0, no need for rooting anymore
If troubles, use PEM format, with file extension .crt

  • drop certs on /sdcard/
  • go to settings / personal: security / credential storage: install from storage & select both certs

ADB

  • Manual, covers adb, am, pm, etc

Installing an app in /system/app :

adb push MyApp.apk /sdcard/
adb shell su -c "mount -o remount,rw /system"
adb shell su -c "cp /sdcard/MyApp.apk /system/app/"
sleep 1
adb shell su -c "mount -o remount,ro /system"
adb reboot
adb shell pm list packages -s # Should be there now

Removing an app from /system/app:

adb shell su -c "mount -o remount,rw /system"
adb shell su -c "rm /system/app/MyApp.apk"
sleep 1
adb shell su -c "mount -o remount,ro /system"
adb reboot

Test menu

Dial *#*#4636#*#* (== *#*#INFO#*#*)

SMSC configuration

To configure the SMSC (SMS gateway) on Android is not straight forward.
Access a hidden settings menu by dialing *#*#4636#*#* (*#*#INFO#*#*) -> phone settings -> SMSC -> Refresh (to get current value)
To update that field, if it does not work in plain or between quotes, try encode it in PDU

  • First byte is length of SMSC info, so if it's e.g. +32475161616, it's 11 digits to code on 6 bytes, + 1 byte to code type of SMSC address => 7 bytes
  • Second byte is the type of SMSC address, 91 for international format
  • Next bytes are the SMSC digits, padded with "f" if odd, then nibble-swapped so in our example: 32475161616F => 2374151616F6
  • Full PDU-encoded SMSC is then: 07912374151616F6 -> Update

Screenshots

Run ddms (from SDK) -> Tools / Device / Screen capture

USB tethering

Plug phone & PC via USB
Activate USB tethering (Settings / Wireless & networks / Tethering / USB Tethering)
It works OOB on Debian, nothing to do

Mounting USB as MTP or PTP

New Nexus devices don't use USB mass storage anymore but MTP or PTP, mainly to be able to access data both from Android & PC at the same time.
There are two methods using fuse so make sure your user is member of fuse group:

sudo adduser <your_user> fuse

and make sure your user can access the USB device (cf above: /etc/udev/rules.d/...)

Using mtpfs

See this article

sudo apt-get install mtpfs mtp-tools
mkdir ~/MyAndroid
mtpfs ~/MyAndroid
...
fusermount -u ~/MyAndroid

Problem is that it's very slow to mount

Using go-mtpfs

See this article

sudo apt-get install golang fuse git-core libmtp-dev libfuse-dev
mkdir /tmp/go 
GOPATH=/tmp/go go get github.com/hanwen/go-mtpfs
sudo mv /tmp/go/bin/go-mtpfs /usr/local/bin/
mkdir ~/MyAndroid
go-mtpfs ~/MyAndroid &
...
fusermount -u ~/MyAndroid

Using gphotofs

This method requires the phone to share files over USB as Camera (PTP), *not* MTP.

sudo apt-get install gphotofs
mkdir ~/MyAndroid
gphotofs ~/MyAndroid
...
fusermount -u ~/MyAndroid

Problem is that it only shows DCIM & Pictures
Not sure if it's a limitation of Android or Gphoto...

Applications

See Android Apps

Applications development

See Android SDK

Using the embedded SE

See Android SE

Backuping via BackupPC

I'm a big fan of BackupPc and this guy managed to link android & backuppc so let's give it a try.
Check the mentioned link but his setup is a bit different, running CyanogenMod while I'm using a stock fw.
Instructions here suppose your phone is rooted.

IP

Backuppc server needs to reach the phone so your phone needs a static (or DHCP statically attributed) IP or whatever dyndns system.

SSH

I'm using SshDroidPro
Make sure backuppc key is properly installed in /data/data/berserker.android.apps.sshdroidpro/home/.ssh/authorized_keys
Then test it as user backuppc, trying to access the phone and accept the server key fingerprint.

rsync

To get rsync binary, I found rsync backup for Android which downloads a rsync binary during install (a weird way to deal with a GPL program IMHO).
The actual binary it downloads is available here.
But Android wget doesn't support https so you've to transfer it to your phone by another mean.
One way is to install the application I mentioned and let it download that binary.
Then, to install it at a more rooted-Android standard place:

cd /system/xbin
busybox mount -o remount,rw /system
cp /data/data/eu.kowalczuk.rsync4android/files/rsync /system/xbin/
chmod 755 /system/xbin/rsync
chown root.shell /system/xbin/rsync
busybox mount -o remount,ro /system

Wi-Fi

Make sure Wi-Fi will stay on!
Menu > Settings > Wireless & networks > Wi-Fi settings > Menu > Advanced > Wi-Fi sleep policy > Never (or never when powered)

BackupPC config

My config: create new host in backuppc web interface with:

   XferMethod = rsync
   RsyncShareName = [/data/, /efs/ (useful??), /system/, /mnt/asec/, /mnt/sdcard/]
   RsyncClientPath = /system/xbin/rsync
   BackupFilesExclude = /mnt/sdcard/ => [/oruxmaps/mapfiles, /clockworkmod/backup, /radio_dump_*, /videos]

Note that in the mentioned link he's using RsyncShareName = / and playing with BackupFilesOnly but for me it looks like BackupFilesOnly was not respected, so I preferred to have separate RsyncShareName
Some info on APP2SD here and here
I had errors "Ping too slow" so I increased

   PingMaxMsec = 400

as anyway it's on local network

Non-rooted device

For non-rooted devices the setup is a bit different:

  • SSH server will run on a non-privilegied port, e.g. port 2222
  • login will be done with sshdroid permissions, not root, so it cannot access rsync binary neither /data content
  • rsync needs to be available so we'll transfer it again, as sshdroid user:
scp -P2222 rsync galaxy:/data/data/berserker.android.apps.sshdroid/home/bin/

then make it executable

  • BackupPC config is e.g.:
   XferMethod = rsync
   RsyncShareName = [/mnt/sdcard/]
   RsyncClientPath = /data/data/berserker.android.apps.sshdroid/home/bin/rsync
   BackupFilesExclude = /mnt/sdcard/ => [/Movies]
   RsyncClientCmd: add "-p2222" to ssh options: "$sshPath -p2222 -q -x -l root $host $rsyncPath $argList+"
   RsyncClientRestoreCmd: add "-p2222" to ssh options: "$sshPath -p2222 -q -x -l root $host $rsyncPath $argList+"

Because we cannot directly backup /data content, what can be done is to use e.g. MyBackupPro to backup most of the data to the SD card, in a scheduled way.