AddingADBRootToAnImage » History » Version 15

Denis 'GNUtoo' Carikli, 05/17/2020 09:14 PM
Add more context

h1. AddingADBRootToAnImage

{{toc}}

h2. Introduction

This page explains how to enable adb root support by default, without any authentication, in an existing Replicant release, for instance to get very early logs or to get a shell very early in the boot process, in order to debug or fix boot issues.

This tutorial can also be used to do other things like:
* Adding root support to a recovery image.
* Modifying some files in the initramfs (with some limitations).

h2. Security risks

Keep in mind that once you add adb root support by default without authentication to a Replicant installation (by modifying the boot.img file), your device becomes potentially vulnerable to "juice jacking":https://en.wikipedia.org/wiki/Juice_jacking .

So if you want to prevent any issues, it is best to put back the original boot.img once you no longer need adb root support by default without authentication.

If you add adb root support by default without authentication to the recovery instead, the risk is much more limited, as the device would probably need to be rebooted into the recovery to be exposed.

Also, we didn't investigate whether any supported devices would be exposed during charge mode (when the device is off and you plug in a USB cable).

h2. Adding adb root support to an existing Replicant release

In this tutorial we'll add adb root support to an existing Replicant release.

This is valid for the following configuration:
* *Image*: replicant-6.0-0004-rc1-maguro.zip
* *Device*: Galaxy Nexus (GT-I9250)

You also need to have unbootimg installed. In Parabola this is part of the "fso-unbootimg package":https://www.parabola.nu/packages/?sort=&q=fso-unbootimg . It's also possible to compile that tool by hand, or to use other tools that do exactly the same thing.

You'll need to adapt the instructions slightly for other devices.

First extract the boot.img from the zip:
<pre>
$ mkdir temp
$ cd temp
$ unzip ../replicant-6.0-0004-rc1-maguro.zip
$ file boot.img
boot.img: Android bootimg, kernel, ramdisk, page size: 2048, cmdline (androidboot.hardware=tuna)
</pre>

Then extract the kernel and the initramfs from the boot.img, and save the information such as the load addresses in boot.txt:
<pre>
$ unbootimg --kernel kernel.img --ramdisk ramdisk.cpio.gz -i boot.img | tee boot.txt
total image size:   5619712
kernel size:        4604340
kernel load addr:   0x80008000
ramdisk size:       1009915
ramdisk load addr:  0x81000000
2nd boot size:      0
2nd boot load addr: 0x80f00000
kernel tags addr:   0x80000100
page size:          2048
board:              `'
cmdline:            `androidboot.hardware=tuna'
id:                 9b90141066f527ecd3909d2ab8e383ebd995fd40000
</pre>

Then uncompress the initramfs:
<pre>
$ gunzip ramdisk.cpio.gz
$ file ramdisk.cpio
ramdisk.cpio: ASCII cpio archive (SVR4 with no CRC)
</pre>

Then edit default.prop. For simplicity we use sed directly on the raw cpio archive, so we don't have to take care of file permissions and ownership when extracting and re-creating the archive. Note that every replacement below has exactly the same length as the text it replaces: the cpio headers record the size of each file, so a replacement that changes the length would corrupt the archive.
<pre>
$ sed 's#ro.adb.secure=1#               #' -i ramdisk.cpio
$ sed 's#ro.secure=1#ro.secure=0#' -i ramdisk.cpio
$ sed 's#persist.sys.usb.config=none#persist.sys.usb.config=adb #' -i ramdisk.cpio
</pre>
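
The same edits done with the checks that sed does not make for you, as an added example (this is not code from the Replicant wiki or from any of the tools it mentions). It parses the SVR4 "newc" cpio format that @file@ reported above, locates default.prop, and refuses any replacement that would change the byte length or that does not match exactly once. The archive it works on is constructed inline from a sample default.prop modelled on a stock Android ramdisk; the default.prop content, the placeholder init.rc and all function names are assumptions of this example.

```python
import gzip

NEWC_MAGIC = b"070701"   # SVR4 cpio without CRC, as `file` reported above
HEADER_LEN = 110         # magic + 13 eight-character ASCII hex fields
TRAILER = "TRAILER!!!"

# Constructed sample default.prop, modelled on a stock Android ramdisk.
SAMPLE_DEFAULT_PROP = (
    b"#\n# ADDITIONAL_DEFAULT_PROPERTIES\n#\n"
    b"ro.secure=1\n"
    b"ro.debuggable=0\n"
    b"ro.adb.secure=1\n"
    b"persist.sys.usb.config=none\n"
)

# The page's three sed substitutions as (old, new) pairs of equal length.
ADB_ROOT_EDITS = [
    (b"ro.adb.secure=1", b" " * len(b"ro.adb.secure=1")),   # blank the line
    (b"ro.secure=1", b"ro.secure=0"),
    (b"persist.sys.usb.config=none", b"persist.sys.usb.config=adb "),
]


def _pad4(n):
    """newc aligns each entry's name and data to 4 bytes."""
    return (n + 3) & ~3


def build_newc_cpio(files):
    """Build a minimal newc archive from {name: bytes} (regular files only)."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(files.items()) + [(TRAILER, b"")], 1):
        name_b = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize, check
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        entry = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
        entry += b"\0" * (_pad4(len(entry)) - len(entry))
        entry += data + b"\0" * (_pad4(len(data)) - len(data))
        out += entry
    return bytes(out)


def iter_newc_entries(archive):
    """Yield (name, data_offset, data_size) for each entry before the trailer."""
    pos = 0
    while pos + HEADER_LEN <= len(archive):
        if archive[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("no newc header at offset %d" % pos)
        fields = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16)
                  for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = archive[pos + HEADER_LEN:pos + HEADER_LEN + namesize - 1].decode()
        if name == TRAILER:
            return
        data_off = _pad4(pos + HEADER_LEN + namesize)
        yield name, data_off, filesize
        pos = _pad4(data_off + filesize)
    raise ValueError("archive has no %s entry" % TRAILER)


def patch_props(archive, edits, prop_file="default.prop"):
    """Return a copy of the archive with each (old, new) applied inside prop_file."""
    patched = bytearray(archive)
    for name, off, size in iter_newc_entries(archive):
        if name != prop_file:
            continue
        body = bytes(patched[off:off + size])
        for old, new in edits:
            if len(old) != len(new):
                raise ValueError("%r -> %r changes the length; the cpio size "
                                 "field would no longer match" % (old, new))
            if body.count(old) != 1:
                raise ValueError("%r occurs %d times in %s" % (old, body.count(old), prop_file))
            body = body.replace(old, new)
        patched[off:off + size] = body   # same length, so every header stays valid
        return bytes(patched)
    raise ValueError("%s not found in archive" % prop_file)


def read_props(archive, prop_file="default.prop"):
    """Parse prop_file into a dict; blank lines and '#' comments are ignored."""
    for name, off, size in iter_newc_entries(archive):
        if name == prop_file:
            props = {}
            for line in archive[off:off + size].decode().splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            return props
    raise ValueError("%s not found in archive" % prop_file)


def demo():
    """Constructed ramdisk.cpio.gz -> gunzip, patch, gzip -> resulting properties."""
    ramdisk_gz = gzip.compress(build_newc_cpio({
        "init.rc": b"# constructed placeholder\n",
        "default.prop": SAMPLE_DEFAULT_PROP,
    }))
    patched_gz = gzip.compress(patch_props(gzip.decompress(ramdisk_gz), ADB_ROOT_EDITS))
    return read_props(gzip.decompress(patched_gz))
```

The blanked @ro.adb.secure@ line becomes whitespace only, which the property parser skips, so the property is simply absent afterwards; the trailing space in @adb @ is what keeps the third replacement the same length as @none@.
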

Then recompress the initramfs:
<pre>
$ gzip ramdisk.cpio
</pre>

We then recreate the image with the information we saved in boot.txt. Note that the base is 0x80000000: mkbootimg adds its default kernel offset of 0x8000 to the base, so the kernel ends up at 0x80008000, as in boot.txt:
<pre>
$ mkbootimg --cmdline="androidboot.hardware=tuna" --kernel kernel.img --ramdisk ramdisk.cpio.gz --base 0x80000000 -o boot_new.img
</pre>

Verify that we got all the arguments right. Only the ramdisk size and the id are expected to differ, since gzip does not produce a byte-identical archive and the id is a hash over the kernel and ramdisk contents; any other difference means an argument is wrong:
<pre>
$ unbootimg -i boot_new.img | tee boot_new.txt
$ diff -u boot.txt boot_new.txt
--- boot.txt	2020-02-18 00:39:59.890285634 +0100
+++ boot_new.txt	2020-02-18 00:44:16.208897037 +0100
@@ -1,7 +1,7 @@
 total image size:   5619712
 kernel size:        4604340
 kernel load addr:   0x80008000
-ramdisk size:       1009915
+ramdisk size:       1010280
 ramdisk load addr:  0x81000000
 2nd boot size:      0
 2nd boot load addr: 0x80f00000
@@ -9,4 +9,4 @@
 page size:          2048
 board:              `'
 cmdline:            `androidboot.hardware=tuna'
-id:                 9b90141066f527ecd3909d2ab8e383ebd995fd40000
+id:                 dd37b2ae1e50be62fe5c94b81b85aa56ffea17be000
</pre>

You can then reflash the boot.img image.

Don't forget to adjust the heimdall arguments for your device.

If in doubt, it's better to consult the Replicant installation instructions, which have the right heimdall arguments, as wrong arguments can completely break your device, making it too complicated to repair (you'd have to un-solder and re-solder resistors that are hardly visible).
<pre>
heimdall flash --boot boot.img --recovery boot.img
</pre>

Then you can use adb:
<pre>
$ adb logcat -b main
</pre>

h2. Example for the GT-I9300

This is valid for the following configuration:
* *Image*: replicant-6.0-0004-rc1-i9300.zip
* *Device*: Galaxy SIII (GT-I9300)

For other devices like the GT-I9300, the boot.img (or recovery.img) has other parameters:
<pre>
$ unbootimg -i boot.img
total image size:   4239360
kernel size:        3391376
kernel load addr:   0x40008000
ramdisk size:       844653
ramdisk load addr:  0x41000000
2nd boot size:      0
2nd boot load addr: 0x40f00000
kernel tags addr:   0x40000100
page size:          2048
board:              `'
cmdline:            `console=ttySAC2,115200'
id:                 d34c0412b72d37a2287331e28d902a769c4a86e9000
</pre>

So we need to adjust --cmdline and --base accordingly:
<pre>
$ mkbootimg --cmdline="console=ttySAC2,115200" --kernel kernel.img --ramdisk ramdisk.cpio.gz --base 0x40000000 -o boot_new.img
</pre>

Like with the Galaxy Nexus, when we recreate the image with the information we saved in boot.txt, we need to make sure that the base is right.

Here the base is 0x40000000, which with mkbootimg's default kernel offset of 0x8000 results in the kernel load address 0x40008000.
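
The relation between the addresses in boot.txt and the mkbootimg arguments, for both the Galaxy Nexus and the GT-I9300 cases above, as an added example (not code from the Replicant wiki, unbootimg or mkbootimg). mkbootimg places the kernel, ramdisk, second stage and tags at --base plus its default offsets 0x8000, 0x1000000, 0xf00000 and 0x100; when a device's addresses follow that layout, as both devices on this page do, --base alone reproduces boot.txt. The script parses the two boot.txt transcripts shown above, derives the base from the kernel load address, and emits the explicit --kernel_offset/--ramdisk_offset/--second_offset/--tags_offset or --pagesize flags only where a value does not match the default. The third transcript, with a non-default ramdisk address, is constructed to show that case; the function names are assumptions of this example.

```python
import re
import shlex

# mkbootimg's default offsets relative to --base.
DEFAULT_OFFSETS = {
    "kernel_offset": 0x00008000,
    "ramdisk_offset": 0x01000000,
    "second_offset": 0x00f00000,
    "tags_offset": 0x00000100,
}
FIELD_TO_FLAG = {
    "kernel load addr": "kernel_offset",
    "ramdisk load addr": "ramdisk_offset",
    "2nd boot load addr": "second_offset",
    "kernel tags addr": "tags_offset",
}

# The two unbootimg transcripts from this page (Galaxy Nexus and GT-I9300).
MAGURO_BOOT_TXT = """\
total image size:   5619712
kernel size:        4604340
kernel load addr:   0x80008000
ramdisk size:       1009915
ramdisk load addr:  0x81000000
2nd boot size:      0
2nd boot load addr: 0x80f00000
kernel tags addr:   0x80000100
page size:          2048
board:              `'
cmdline:            `androidboot.hardware=tuna'
id:                 9b90141066f527ecd3909d2ab8e383ebd995fd40000
"""
I9300_BOOT_TXT = """\
total image size:   4239360
kernel size:        3391376
kernel load addr:   0x40008000
ramdisk size:       844653
ramdisk load addr:  0x41000000
2nd boot size:      0
2nd boot load addr: 0x40f00000
kernel tags addr:   0x40000100
page size:          2048
board:              `'
cmdline:            `console=ttySAC2,115200'
id:                 d34c0412b72d37a2287331e28d902a769c4a86e9000
"""
# Constructed variant: ramdisk at base + 0x2000000 instead of the default.
ODD_BOOT_TXT = I9300_BOOT_TXT.replace("0x41000000", "0x42000000")


def parse_boot_txt(text):
    """Parse 'key: value' lines; 0x values become ints, `quoted' values str."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value.startswith("`") and value.endswith("'"):
            info[key] = value[1:-1]
        elif value.startswith("0x"):
            info[key] = int(value, 16)
        elif value.isdigit():
            info[key] = int(value)
        else:
            info[key] = value
    return info


def derive_base(info):
    """--base is the kernel load address minus the default kernel offset."""
    return info["kernel load addr"] - DEFAULT_OFFSETS["kernel_offset"]


def mkbootimg_args(info, kernel="kernel.img", ramdisk="ramdisk.cpio.gz",
                   out="boot_new.img"):
    """Argument list that reproduces the addresses, page size and cmdline in info."""
    base = derive_base(info)
    args = ["mkbootimg", "--cmdline=%s" % info["cmdline"], "--kernel", kernel,
            "--ramdisk", ramdisk, "--base", "0x%08x" % base]
    for field, flag in FIELD_TO_FLAG.items():
        offset = info[field] - base
        if offset < 0:
            raise ValueError("%s 0x%x lies below base 0x%x" % (field, info[field], base))
        if offset != DEFAULT_OFFSETS[flag]:      # only non-default offsets need a flag
            args += ["--%s" % flag, "0x%08x" % offset]
    if info["page size"] != 2048:                # mkbootimg's default page size
        args += ["--pagesize", str(info["page size"])]
    if info.get("board"):
        args += ["--board", info["board"]]
    return args + ["-o", out]


def mkbootimg_command(info):
    """The argument list as a shell command line."""
    return " ".join(shlex.quote(a) for a in mkbootimg_args(info))
```

Run against the GT-I9300 transcript this yields exactly the command used above (only --cmdline and --base differ from the Galaxy Nexus one); against the constructed transcript it adds @--ramdisk_offset 0x02000000@, which is the case where relying on --base alone would silently produce an image with the wrong ramdisk address.
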

h2. Going further

The Linux kernel has more in-depth documentation about initramfs in a file named "ramfs-rootfs-initramfs.rst":https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/ramfs-rootfs-initramfs.rst?h=v5.7-rc5 which documents how to extract an initramfs and how to recreate one.

However, we haven't tested that yet. Tests and tutorials are welcome.

We also need to understand whether something specific needs to be done about file permissions when extracting, modifying and rebuilding an initramfs.