Android Hacking

In a recent post on his blog, Thanassis Tsiodras has an impressive tale of his Android hacking adventures. Wanting to run Debian from chroot, he ends up customizing the boot image; attaching a serial logger to the headphone jack; and intercepting the over-the-air update image to control the boot process.

At last, it seems he achieved what he wanted, but of course at an extremely high price. Most mobile devices are now very hostile towards any other use than what is dictated by the manufacturer and OS vendor. Thanassis ends his article on a sober note, saying that once even this hack is secured against, “Android might as well be called iOS”.

Microsoft-Nokia’s new phone: It’s an Android

In a surprise move, the result of the Nokia buyout by Microsoft is a new Android-based phone, the X2. (Yes, I double-checked that it was not a 1st April story.) BBC reports that the mid-range smartphone will be Android-based, but that the UI will look like Microsoft’s Windows Phone.

At an estimated price of 100 Euros, the specs are not overwhelming, with 1 GB RAM and a 5 MP camera. However, interestingly, it’s a dual-SIM phone. That suggests it’s targeting the Asian market, where people shop around for the best SMS and calling rates, and dual-SIM phones are very popular.

As expected, the phone will not feature the common Google service apps, like Gmail, Calendar, Hangouts, Maps, and Youtube, but instead replace them with Microsoft equivalents like Outlook, Skype, and Bing. However, it also means that the Google Play store will not be available either, so Microsoft and Nokia will somehow have to back-fill their own market. Or perhaps developers will have to submit their Android apps to yet another market. Many open source apps are already dual-hosted on Google Play and the free software based app market F-Droid.

Android SDK tools on Debian Wheezy

After downloading the Android SDK bundle, I could not start adb and fastboot, getting somewhat bizarre error messages like:

bash: ./adb: No such file or directory

bash: ./fastboot: No such file or directory

./adb: error while loading shared libraries: cannot open shared object file: No such file or directory

All of those were due to missing i386 libraries: the SDK binaries are 32-bit, and on a 64-bit Debian Wheezy the 32-bit dynamic loader and libraries are not installed by default, which is why the shell reports “No such file or directory” for a file that clearly exists. Doda’s article on the topic solved the issue. They can be installed by:

dpkg --add-architecture i386
aptitude update
aptitude install libstdc++6:i386 libgcc1:i386 zlib1g:i386 libncurses5:i386
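The misleading “No such file or directory” comes from the kernel failing to find the program’s ELF interpreter (its dynamic loader), not the program file itself. The following script is an added example, not part of the original post: it reads the ELF class (32- or 64-bit) and the PT_INTERP path straight from the file’s headers and checks whether that loader exists on the host, which is the quickest way to confirm the diagnosis before touching the package system. The sample ELF images it builds are constructed in the script (minimal headers only, not runnable binaries); the interpreter paths used in them are the usual glibc locations and are assumptions for the sample.

```python
import os
import struct

PT_INTERP = 3   # program header type carrying the dynamic loader path


def elf_info(data):
    """Return (bits, interpreter) for an ELF image held in memory.
    bits is 32 or 64; interpreter is the PT_INTERP path or None if static."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = data[4]                     # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 1:
        bits = 32
        e_phoff, = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        phdr_fmt, off_idx, size_idx = endian + "8I", 1, 4
    elif ei_class == 2:
        bits = 64
        e_phoff, = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdr_fmt, off_idx, size_idx = endian + "IIQQQQQQ", 2, 5
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    interp = None
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_INTERP:
            start, size = ph[off_idx], ph[size_idx]
            interp = data[start:start + size].rstrip(b"\0").decode()
            break
    return bits, interp


def diagnose(data, exists=os.path.exists):
    """Explain a 'No such file or directory' on a binary that is present.
    `exists` is injectable so the check can be exercised without a real host."""
    bits, interp = elf_info(data)
    if interp is None:
        return "%d-bit static ELF, no dynamic loader needed" % bits
    if exists(interp):
        return "%d-bit ELF, loader %s is present" % (bits, interp)
    msg = "%d-bit ELF needs loader %s, which is missing" % (bits, interp)
    if bits == 32:
        msg += " (enable the i386 architecture and install the i386 libraries)"
    return msg


def diagnose_file(path):
    with open(path, "rb") as f:
        return diagnose(f.read())


def build_sample_elf(bits=32, interp=b"/lib/ld-linux.so.2"):
    """Constructed sample: an ELF header plus a single PT_INTERP program header.
    Enough for elf_info(); not an executable program."""
    interp_bytes = interp + b"\0"
    if bits == 32:
        ehdr_size, phdr_size, machine = 52, 32, 3      # EM_386
        ehdr_fmt = "<HHIIIIIHHHHHH"
        e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8
    else:
        ehdr_size, phdr_size, machine = 64, 56, 62     # EM_X86_64
        ehdr_fmt = "<HHIQQQIHHHHHH"
        e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    interp_off = ehdr_size + phdr_size
    # e_type=ET_EXEC, e_machine, e_version=1, e_entry=0, e_phoff, e_shoff=0,
    # e_flags=0, e_ehsize, e_phentsize, e_phnum=1, e_shentsize/e_shnum/e_shstrndx=0
    ehdr = e_ident + struct.pack(ehdr_fmt, 2, machine, 1, 0, ehdr_size, 0, 0,
                                 ehdr_size, phdr_size, 1, 0, 0, 0)
    if bits == 32:
        phdr = struct.pack("<8I", PT_INTERP, interp_off, 0, 0,
                           len(interp_bytes), len(interp_bytes), 4, 1)
    else:
        phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0,
                           len(interp_bytes), len(interp_bytes), 1)
    return ehdr + phdr + interp_bytes


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        print(path + ":", diagnose_file(path))
    print("sample:", diagnose(build_sample_elf()))
```

Run it as `python3 elfcheck.py ./adb ./fastboot`; a 32-bit binary whose loader is reported missing is exactly the situation the aptitude line above fixes.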

Replicant on Galaxy Nexus

After nearly two years on a custom-built Android OS, it was time to upgrade. I now have the latest (4.0.4) Replicant build for Galaxy Nexus running.

Before installing, I went through a few extra flashes, just to make sure everything would go smoothly. I started out by putting back the original factory images provided by Google. Download, unpack, and run the included script. That was up and running within a minute or two.

Next, I tried CyanogenMod’s build for Galaxy Nexus, including the ClockworkMod Recovery boot image. I used the touch image found here, and simply flashed with:
fastboot flash recovery recovery-clockwork-touch-

I used the from here, and followed the installation procedure using the recovery image seen here. The only difference was that I had to boot the phone fully to have access through adb. Pushing the zip file while in recovery mode did not seem to work. Besides that, everything went smoothly. It’s probably worth noting that the camera still works with the CM 10.1.2 build.

So far, so good. Now for the Replicant images. I downloaded the 4.0 0004 build. The instructions suggest the Heimdall recovery image for installation, but I tried to flash through fastboot instead. Thus the install went something like this, while the phone was on the bootloader screen (not in recovery mode).

sudo fastboot erase boot
sudo fastboot erase userdata
sudo fastboot flash boot boot.img
sudo fastboot flash recovery recovery.img
sudo fastboot flash system system.img
sudo fastboot flash userdata userdata.img
sudo fastboot reboot

That worked fine. Replicant booted, and it all looks good. Note that the recovery image which came with the Replicant build was an older version of the ClockworkMod, without touch. So, following the CM install steps above, I could have skipped that. But it doesn’t make a big difference.

The only problem with the Replicant image is that it does not contain a free version of the firmware for things like WiFi and the camera, and they don’t ship the proprietary binary blobs either. Now, that might be what you want; however, I chose to include the WiFi binaries. I copied the ones from the CyanogenMod build. It went something like this:

First, remount /system read-write:
adb shell
mount -o rw,remount -t ext4 /dev/block/platform/omap/omap_hsmmc.0/by-name/system /system

Back on the terminal on the host computer, I extracted the firmware files from the CyanogenMod zip (CM_BUILD.zip below stands for that archive’s actual file name), copied them over, and then rebooted.
unzip CM_BUILD.zip 'system/vendor/firmware/*'
adb push system/vendor/firmware /system/vendor/firmware

The last bit was to reinstall the various packages and configurations. For .apk files, they can easily be installed with adb. Then the configuration can be copied over. Just make sure the copied files get the same owner and group as their application. For some applications, like httpmon, this was easy. However, for K-9 it got a bit messy since the chown and chgrp commands are somewhat lacking. The latter can operate recursively, but you still need to use both.

adb install Gibberbot-37.apk
adb install httpmon-27.apk
adb push org.jtb.httpmon /data/data/org.jtb.httpmon

The Replicant distribution comes with the FOSS app market F-Droid pre-installed, so that’s convenient. That market includes applications like Firefox, K-9 Mail, Gibberbot, APV PDF Viewer, httpmon, Orbot, and Orweb. (It turned out that Firefox for ARMv6 had to be downloaded from here.)

Andor’s Trail

Andor’s Trail is a free and open source (FOSS) single-player RPG for Android. Although still under heavy development, the game is already fully playable, and the world map, quests and story are very impressive, with more to come.

Recently, an updated beta version was released, with even more maps and quests. The game is available from the FOSS market, and Google’s Play Market.

CyanogenMod 7 on Nexus S

Building the Android OS from source has caused me a bit of pain, so it was a pleasant surprise to see just how easy the CyanogenMod team has made their install and update process. For the Nexus S, it boiled down to: follow the instructions, and everything just works. Therefore these are just some background notes; for full details, see the CyanogenMod install page.

What is a bit confusing in the Android world is all the obscure and redundant code names for everything from hardware, models, OS, firmware, versions, and regions. The Google Nexus binary pages give some hints, as do the Android build instructions. For the Nexus S, it is crucial to know that the alternative codename is “crespo”. Furthermore, it is useful to know that it has an “HDPI” display, and comes in three variations: “GT-I9020 (Super AMOLED) and GT-I9023 (Super Clear LCD), each aimed at different markets. The SPH-D720 is the newer 4G version of the phone available in the US.” (Wikipedia). Also, the radio binaries have different codes, e.g. “XXKB3”. This then forms the “baseband version” code, of the form “I9023xxkd1”, which can be found under Settings -> About phone.

CyanogenMod is just a layer on top of the Android OS, thus it tracks the Android versions. Here we are talking about “Gingerbread” for the 2.3.x series, and “Ice Cream Sandwich” (aka ICS) for the 4.x versions. (Who comes up with all these useless names??) Although Google pushed Android 4 to certain Nexus S devices in December 2011, and CM 9 (which is based on Android 4) has nightly builds for the “crespo”, their stable CM 7 is still at Android 2.3.7. In addition to the basic OS, you might also want the Google Apps, although some of them might have to be downloaded from the Market (now renamed to “Play”) anyway.

So, with that out of the way, and assuming the basic tools adb and fastboot are in place (possibly from a previous build session), the upgrade can be summarized as follows (with specific versions and URLs bound to change):

Flash the recovery image:
adb reboot-bootloader
sudo fastboot flash recovery recovery-clockwork-
sudo fastboot reboot

Copy the CM files to the “sdcard” of the phone:
adb push /sdcard/
adb push /sdcard/
adb reboot-bootloader

Follow the install instructions from CM for the rest. I was surprised to learn that the data on the SD card was not wiped as well (I thought “Wipe data/factory reset” would take care of this). However, maybe I missed a step.

More Android Apps

Following the list from yesterday, here are more useful Android apps, this time from both F-Droid and the Android Market (aka Play). First from F-Droid (APK file):

And from the Android / Google Play Market:

Finally, there’s a few which can, or have to, be downloaded from the creator’s web site:

Cell phone privacy guide for Android

The Pirate Party of Canada has a nice list of applications and add-ons for Android phones which enhance security and privacy. It boils down to:

Replicant – Free Android alternative

The Replicant project was covered by Computer World today, with an interview of one of the main developers, Paul Kocialkowski. The article was also picked up by Slashdot, where the mood was more cynical. Kocialkowski talked about the importance of free hardware and software when communicating in an insecure environment, and the difficulty of implementing an alternative when many of the drivers and firmware for key hardware are proprietary and secret.

Currently, Replicant is only supported on a few phones, including the HTC Dream, Nexus One and Nexus S. The last one is probably the most interesting, as it is still a reasonably modern phone, can run Android 4.0, and has “factory binaries” available so you can start from scratch if you get stuck.

However, as pointed out in the Slashdot comment above, this project will always trail Google’s releases. And as we’ve seen previously, the source code does not always follow the release of the OS. Furthermore, Android in itself is not the most exciting OS around. The MeeGo (and presumably Tizen) initiatives are more standard GNU/Linux distributions from the get-go, including features we’ve taken for granted over the last ten years or more: dependency resolution, updates over repositories, GNU applications. Of course, these will struggle with exactly the same problem: the proprietary drivers.

Android: Unpacking boot.img

After successfully building the Android OS and flashing it to the Galaxy Nexus, I’ve started investigating how it all hangs together, starting with the boot.img and unpacking its parts: header, kernel, and ramdisk. The structure is explained in detail on the Wiki, but also in the source for building the boot.img file.

As mentioned on the Wiki, and seen in the source, the page size can be 2048 or 4096 bytes, with the former the default. The header, which is rather boring, containing only a “magic string” (“ANDROID!”) and a checksum, takes up the first page of 2048 bytes. It can be separated from a boot.img with the following command:

dd bs=2048 if=boot.img of=header count=1

Next up is the kernel. I’ve yet to find a way to determine its size; however, you could go looking for whitespace padding and then round up to the nearest 2048 bytes. (Also, the magic bytes (1F 8B) of the gzipped ramdisk will provide a clue.) In my case, I “cheated” and looked at the size of the kernel file under out/target/product/maguro. It turned out to take 1912 pages, so we can separate it with the following command (skipping the header part):

dd bs=2048 if=boot.img of=kernel skip=1 count=1912

Then only the ramdisk filesystem is left (there’s no “second stage” section in use). It takes up the rest of the file, which came to 158 pages in my case:

dd bs=2048 if=boot.img of=ramdisk skip=1913 count=158

The ramdisk is a gzipped, cpio-packed archive, which can be extracted into its own directory by
mkdir ram
cd ram
gunzip -c ../ramdisk | cpio -i
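The page counts above can be computed rather than guessed: the boot.img header as laid out in bootimg.h (the mkbootimg source the post refers to) records the kernel size, ramdisk size and page size, and mkbootimg pads each part to a whole page. The script below is an added example, not from the post or the Android project; it parses the header, prints the dd arguments that the three commands above would need, and recomputes the header “id” the way mkbootimg does (SHA-1 over each part followed by its size), which is a cheap integrity check to run on an image before flashing it. The image it works on is constructed inside the script; the load addresses and cmdline in it are arbitrary sample values.

```python
import hashlib
import struct

# Header layout from bootimg.h in the Android source tree. All integers are
# little-endian 32-bit; the header occupies the first page, the rest is padding.
BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8s10I16s512s32s"            # magic, 10 x u32, name, cmdline, id
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 608 bytes


def parse_boot_header(data):
    """Return the header fields of an Android boot image as a dict."""
    if len(data) < HEADER_LEN or data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image: bad magic")
    f = struct.unpack_from(HEADER_FMT, data, 0)
    hdr = {
        "kernel_size": f[1], "kernel_addr": f[2],
        "ramdisk_size": f[3], "ramdisk_addr": f[4],
        "second_size": f[5], "second_addr": f[6],
        "tags_addr": f[7], "page_size": f[8],   # f[9], f[10] are unused in ICS
        "name": f[11].rstrip(b"\0"), "cmdline": f[12].rstrip(b"\0"),
        "id": f[13],
    }
    if hdr["page_size"] not in (2048, 4096):
        raise ValueError("unexpected page size %d" % hdr["page_size"])
    return hdr


def pages(nbytes, page_size):
    """Pages needed to hold nbytes; mkbootimg pads every part up to a page."""
    return (nbytes + page_size - 1) // page_size


def split_boot_image(data):
    """Split an image into its parts and return the matching dd arguments
    (skip, count) in pages, as used in the commands in the post."""
    hdr = parse_boot_header(data)
    ps = hdr["page_size"]
    k_pages = pages(hdr["kernel_size"], ps)
    r_pages = pages(hdr["ramdisk_size"], ps)
    s_pages = pages(hdr["second_size"], ps)
    k_off = ps
    r_off = ps * (1 + k_pages)
    s_off = ps * (1 + k_pages + r_pages)
    parts = {
        "header": data[:ps],
        "kernel": data[k_off:k_off + hdr["kernel_size"]],
        "ramdisk": data[r_off:r_off + hdr["ramdisk_size"]],
        "second": data[s_off:s_off + hdr["second_size"]],
    }
    dd_args = {
        "kernel": (1, k_pages),
        "ramdisk": (1 + k_pages, r_pages),
        "second": (1 + k_pages + r_pages, s_pages),
    }
    return hdr, parts, dd_args


def boot_image_id(kernel, ramdisk, second=b""):
    """The header 'id' as mkbootimg computes it: SHA-1 over each part followed
    by its 4-byte little-endian size, zero-padded to the 32-byte field."""
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    return h.digest().ljust(32, b"\0")


def id_matches(data):
    """True if the id stored in the header matches the image's payload."""
    hdr, parts, _ = split_boot_image(data)
    return hdr["id"] == boot_image_id(parts["kernel"], parts["ramdisk"], parts["second"])


def build_sample_boot_image(kernel, ramdisk, page_size=2048, cmdline=b"console=ttyO2"):
    """Constructed sample (not a real Galaxy Nexus image): header page, then
    kernel and ramdisk each padded to whole pages, like mkbootimg does."""
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC,
                      len(kernel), 0x80008000, len(ramdisk), 0x81000000,
                      0, 0, 0x80000100, page_size, 0, 0,
                      b"sample", cmdline, boot_image_id(kernel, ramdisk))
    pad = lambda b: b + b"\0" * (-len(b) % page_size)
    return pad(hdr) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    import gzip
    img = build_sample_boot_image(b"K" * 3000, gzip.compress(b"cpio archive stand-in"))
    hdr, parts, dd = split_boot_image(img)
    for name, (skip, count) in dd.items():
        print("dd bs=%d if=boot.img of=%s skip=%d count=%d" % (hdr["page_size"], name, skip, count))
    print("ramdisk starts with gzip magic:", parts["ramdisk"][:2] == b"\x1f\x8b")
    print("header id consistent with payload:", id_matches(img))
```

Pointing `split_boot_image` at a real image (`open("boot.img", "rb").read()`) gives the exact skip/count values, so the 1912-page kernel above would have been readable from the header directly. An id mismatch means the image was modified after mkbootimg wrote it, or was built with a tool that leaves the field empty; either way it is worth knowing before the image goes on the boot partition.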

That should give you the following files and directories


For more about the Android boot process, and kernel, look at the Embedded Linux Wiki.

As seen from the files above, the charger icons displayed when the phone is charging while off are plain PNG images. Might be fun to change. Furthermore, the initial splash screen logo can be changed by adding a file called initlogo.rle to the root directory of the ramdisk. Might try that next.

Building Android on Fedora


Here’s a brief command-by-command guide to building Android 4 (ICS, Ice Cream Sandwich, with extra sugar on top) from scratch, and deploying the new images on the Samsung Galaxy Nexus, all from Fedora 16. This is heavily based on the Free your Android article, and of course the instructions at

First, install the supporting packages. (Instead of the OpenJDK version, you might have to download the Oracle one, if you get version conflict errors at the make step below.)

yum groupinstall "Development Tools"
yum install java-1.6.0-openjdk kernel-devel git gnupg flex bison gperf zip curl zlib-devel glibc-devel glibc-devel.i686 ncurses-devel.i686 glib-devel.i686 libstdc++.i686 zlib-devel.i686 ncurses-devel.i686 libX11-devel.i686 libXrender.i686 libXrandr.i686 mesa-libGL-devel.i686 readline-devel.i686 arm-gp2x-linux-gcc-c++ python-markdown xmlto libxslt

Download the source. The final sync command will take about an hour.

curl > ~/bin/repo
chmod a+x ~/bin/repo

mkdir android
cd android

repo init -u
repo sync

Download proprietary binaries and drivers. They are available here:

Assuming the Galaxy Nexus GSM/HSPA+ (“maguro”), there are two driver archives. (Please check the link above for new versions.)

tar zvxf imgtec-maguro-iml74k-a796ffae.tgz
tar zvxf samsung-maguro-iml74k-de1cc439.tgz

Build, still assuming the same phone as above. On my somewhat dated dual-core 2.6 GHz CPU, it took almost four hours to compile.

source build/
lunch full_maguro-eng
make -j4

Then, transfer the image files to the phone. Make sure the phone is connected over USB, is unlocked, and has USB debugging enabled. After the images are transferred, and the userdata and cache partitions are erased, the phone will reboot. It will show the Android logo, reboot one or two times more, and then wait maybe a minute or two before the UI is available. And there it is, your home-built Android OS.

out/host/linux-x86/bin/adb reboot bootloader
sudo out/host/linux-x86/bin/fastboot -w -p maguro flashall

If something, or everything, failed and you are left with a useless phone, here are the factory images from Google. Download and unpack the archive corresponding to your phone, and run the script

For more details on “unbricking” your phone, see Derek Ross’ comment.