AddingADBRootToAnImage » History » Version 16

Denis 'GNUtoo' Carikli, 12/24/2020 04:57 PM
add warning for zImage

h1. AddingADBRootToAnImage

{{toc}}

h2. Introduction

This page explains how to enable adb root support by default, without any authentication, on an existing Replicant release, for instance to get very early logs or a shell very early in the boot process, in order to debug or fix boot issues.

This tutorial can also be used for other things, such as:

* Adding root support to a recovery image.
* Modifying some files in the initramfs (with some limitations).

h2. Issues with zImages

Some devices (the Galaxy S (GT-I9000), Galaxy SII (GT-I9100) and Galaxy Note (GT-N7000)) use a zImage because their nonfree bootloader doesn't support the boot.img format. Because of that, this tutorial doesn't cover these devices (yet).

h2. Security risks

Keep in mind that once you add adb root support by default without authentication to a Replicant installation (by modifying the boot.img file), your device becomes potentially vulnerable to "juice jacking":https://en.wikipedia.org/wiki/Juice_jacking . Anything plugged into the USB port could then get a root shell without any confirmation on the device.

So if you want to prevent any issues, it is best to put back the original boot.img once you no longer need adb root support by default without any authentication.

If you add adb root support by default without authentication to the recovery instead, the risk is much more limited, as the device would probably need to be rebooted into the recovery to be exposed.

Also, we didn't investigate whether any supported devices would be exposed in charge mode (when the device is off and you plug in a USB cable).

h2. Adding adb root support to an existing Replicant release

In this tutorial we'll add adb root support to an existing Replicant release.

This is valid for the following configuration:

* *Image*: replicant-6.0-0004-rc1-maguro.zip
* *Device*: Galaxy Nexus (GT-I9250)

You also need to have unbootimg installed. In Parabola it is part of the "fso-unbootimg package":https://www.parabola.nu/packages/?sort=&q=fso-unbootimg . It's also possible to compile that tool by hand, or to use other tools that do exactly the same thing.

You'll need to adapt the steps slightly for other devices.

First, extract the boot.img from the zip:
<pre>
$ mkdir temp
$ cd temp
$ unzip ../replicant-6.0-0004-rc1-maguro.zip
$ file boot.img
boot.img: Android bootimg, kernel, ramdisk, page size: 2048, cmdline (androidboot.hardware=tuna)
</pre>

Then extract the kernel and the initramfs from the boot.img, and save the information it prints (load addresses, page size, command line, etc.) in boot.txt:
<pre>
$ unbootimg --kernel kernel.img --ramdisk ramdisk.cpio.gz -i boot.img | tee boot.txt
total image size:   5619712
kernel size:        4604340
kernel load addr:   0x80008000
ramdisk size:       1009915
ramdisk load addr:  0x81000000
2nd boot size:      0
2nd boot load addr: 0x80f00000
kernel tags addr:   0x80000100
page size:          2048
board:              `'
cmdline:            `androidboot.hardware=tuna'
id:                 9b90141066f527ecd3909d2ab8e383ebd995fd40000
</pre>

Then uncompress the initramfs:
<pre>
$ gunzip ramdisk.cpio.gz
$ file ramdisk.cpio
ramdisk.cpio: ASCII cpio archive (SVR4 with no CRC)
</pre>

Then edit default.prop. We use sed directly on the raw cpio archive for simplicity: this way we don't have to take care of file permissions and ownership by extracting and rebuilding the archive. Note that each replacement is exactly as long as the text it replaces (hence the padding spaces), since the cpio headers record the size of each file:
<pre>
$ sed 's#ro.adb.secure=1#               #' -i ramdisk.cpio
$ sed 's#ro.secure=1#ro.secure=0#' -i ramdisk.cpio
$ sed 's#persist.sys.usb.config=none#persist.sys.usb.config=adb #' -i ramdisk.cpio
</pre>
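
As an added example (not code from this wiki page or from the Replicant project), the script below applies the same three edits with a guard that makes the length requirement explicit: a replacement is refused unless it is exactly as long as the text it replaces, and the archive size is compared before and after. It runs on a constructed stand-in for ramdisk.cpio that contains only the three properties (no cpio headers), so it works offline; the function names (make_sample_cpio, replace_same_length, patch_props_in_place, check_patched) are ours and not from any tool.

```shell
#!/bin/sh
# Added example, not part of the Replicant wiki page: apply the tutorial's
# three property edits while guarding against the one mistake that silently
# corrupts the archive. Every cpio member header records that member's size,
# so a replacement whose length differs from the original text leaves the
# header wrong and the initramfs unusable.
set -eu

# Constructed stand-in for ramdisk.cpio: just the three properties the
# tutorial edits, without the headers a real archive contains.
make_sample_cpio() {
  printf 'ro.adb.secure=1\nro.secure=1\npersist.sys.usb.config=none\n' > "$1"
}

file_size() {
  wc -c < "$1" | tr -d ' '
}

# Replace FROM with TO inside FILE, but only when both have the same length.
# Returns 1 and leaves the file untouched otherwise.
replace_same_length() {
  file=$1
  from=$2
  to=$3
  if [ "${#from}" -ne "${#to}" ]; then
    echo "refusing '$from' -> '$to': lengths differ, cpio headers would be wrong" >&2
    return 1
  fi
  sed -i "s#$from#$to#" "$file"
}

# The tutorial's edits: ro.adb.secure=1 is blanked with 15 spaces,
# ro.secure=1 becomes ro.secure=0, and "none" becomes "adb " (trailing space
# keeps the length). Succeeds only if the file size is unchanged afterwards.
patch_props_in_place() {
  before=$(file_size "$1")
  replace_same_length "$1" 'ro.adb.secure=1' '               '
  replace_same_length "$1" 'ro.secure=1' 'ro.secure=0'
  replace_same_length "$1" 'persist.sys.usb.config=none' 'persist.sys.usb.config=adb '
  after=$(file_size "$1")
  [ "$before" = "$after" ]
}

# Returns 0 when the patched file carries exactly the expected values.
check_patched() {
  grep -q '^ro.secure=0$' "$1" &&
  grep -q '^persist.sys.usb.config=adb $' "$1" &&
  ! grep -q 'ro.adb.secure=1' "$1"
}

# Stand-alone run: patch a sample file and report the (unchanged) size.
main() {
  tmp=$(mktemp)
  make_sample_cpio "$tmp"
  patch_props_in_place "$tmp" && check_patched "$tmp" &&
    echo "patched, size unchanged: $(file_size "$tmp") bytes"
  rm -f "$tmp"
}

main
```

On a real ramdisk.cpio the same functions apply unchanged; the size check is the cheap way to notice a typo in a replacement before gzip and mkbootimg hide the damage until the device fails to boot.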

Then recompress the initramfs:
<pre>
$ gzip ramdisk.cpio
</pre>

We then recreate the image with the information we saved in boot.txt. Note that the base is 0x80000000; the kernel is placed at an offset of 0x8000 from it, so it ends up at 0x80008000:
<pre>
$ mkbootimg --cmdline="androidboot.hardware=tuna" --kernel kernel.img --ramdisk ramdisk.cpio.gz --base 0x80000000 -o boot_new.img
</pre>

Verify that we got all the arguments right:
<pre>
$ unbootimg -i boot_new.img | tee boot_new.txt
$ diff -u boot.txt boot_new.txt
--- boot.txt	2020-02-18 00:39:59.890285634 +0100
+++ boot_new.txt	2020-02-18 00:44:16.208897037 +0100
@@ -1,7 +1,7 @@
 total image size:   5619712
 kernel size:        4604340
 kernel load addr:   0x80008000
-ramdisk size:       1009915
+ramdisk size:       1010280
 ramdisk load addr:  0x81000000
 2nd boot size:      0
 2nd boot load addr: 0x80f00000
@@ -9,4 +9,4 @@
 page size:          2048
 board:              `'
 cmdline:            `androidboot.hardware=tuna'
-id:                 9b90141066f527ecd3909d2ab8e383ebd995fd40000
+id:                 dd37b2ae1e50be62fe5c94b81b85aa56ffea17be000
</pre>

The ramdisk size differs because gzip doesn't produce the exact same bytes when recompressing, and the id is a hash of the image contents, so both are expected to change. All the load addresses, the page size and the cmdline must be identical.

You can then reflash the new image (boot_new.img).

Don't forget to adjust the heimdall arguments for your device.

If in doubt, consult the Replicant installation instructions, which have the correct heimdall arguments: wrong arguments can completely break your device and make it too complicated to repair (you'd have to unsolder and resolder resistors that are barely visible).
<pre>
heimdall flash --boot boot_new.img --recovery boot_new.img
</pre>

Then you can use adb:
<pre>
$ adb logcat -b main
</pre>

h2. Example for the GT-I9300

This is valid for the following configuration:

* *Image*: replicant-6.0-0004-rc1-i9300.zip
* *Device*: Galaxy SIII (GT-I9300)

For other devices, like the GT-I9300, the boot.img (or recovery.img) has other parameters:
<pre>
$ unbootimg -i boot.img
total image size:   4239360
kernel size:        3391376
kernel load addr:   0x40008000
ramdisk size:       844653
ramdisk load addr:  0x41000000
2nd boot size:      0
2nd boot load addr: 0x40f00000
kernel tags addr:   0x40000100
page size:          2048
board:              `'
cmdline:            `console=ttySAC2,115200'
id:                 d34c0412b72d37a2287331e28d902a769c4a86e9000
</pre>

So we need to adjust --cmdline and --base accordingly:
<pre>
$ mkbootimg --cmdline="console=ttySAC2,115200" --kernel kernel.img --ramdisk ramdisk.cpio.gz --base 0x40000000 -o boot_new.img
</pre>

As with the Galaxy Nexus, when we recreate the image with the information we saved in boot.txt, we need to make sure that the base is right.

Here the base is 0x40000000, which results in a kernel load address of 0x40008000.
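
The base/offset rule used above for both the Galaxy Nexus and the GT-I9300 can be checked mechanically rather than by eye. The script below is an added example, not part of this wiki page nor of unbootimg or mkbootimg: it reads the address lines unbootimg prints (constructed here from the two listings on this page), derives the --base to pass to mkbootimg from the kernel load address, and checks that the ramdisk, second-stage and tags addresses are also base plus mkbootimg's default offsets (0x8000, 0x1000000, 0xf00000 and 0x100). The function names and the sample text are ours. If the check fails for some device, --base alone won't reproduce the layout; AOSP's mkbootimg takes --kernel_offset, --ramdisk_offset, --second_offset and --tags_offset for that case (whether the mkbootimg build you use accepts them is an assumption to verify).

```shell
#!/bin/sh
# Added example, not part of the Replicant wiki page: derive mkbootimg's
# --base from the addresses unbootimg prints, and check that all four
# addresses equal that base plus mkbootimg's default offsets. When they do,
# --base alone recreates the original layout, as in the tutorial; when they
# don't, the differing offsets must be passed to mkbootimg explicitly.
set -eu

# mkbootimg's default offsets from --base (kernel, ramdisk, second stage, tags).
KERNEL_OFF=0x00008000
RAMDISK_OFF=0x01000000
SECOND_OFF=0x00f00000
TAGS_OFF=0x00000100

# Constructed samples: the address lines unbootimg printed for the two
# devices on this page (Galaxy Nexus "maguro" and GT-I9300).
sample_maguro() {
  cat <<'EOF'
kernel load addr:   0x80008000
ramdisk load addr:  0x81000000
2nd boot load addr: 0x80f00000
kernel tags addr:   0x80000100
EOF
}

sample_i9300() {
  cat <<'EOF'
kernel load addr:   0x40008000
ramdisk load addr:  0x41000000
2nd boot load addr: 0x40f00000
kernel tags addr:   0x40000100
EOF
}

# Print the hex value of the field labelled $1 from unbootimg output on stdin.
field() {
  sed -n "s/^$1:[[:space:]]*\(0x[0-9a-fA-F]*\).*/\1/p"
}

# The --base to pass to mkbootimg: kernel load address minus the kernel offset.
derive_base() {
  kernel=$(printf '%s\n' "$1" | field 'kernel load addr')
  printf '0x%08x\n' $(( $kernel - $KERNEL_OFF ))
}

# Check every address against base + default offset. Returns 1 and names
# each mismatch, meaning --base alone would not recreate the same image.
check_offsets() {
  out=$1
  base=$(derive_base "$out")
  status=0
  for pair in "kernel load addr:$KERNEL_OFF" "ramdisk load addr:$RAMDISK_OFF" \
              "2nd boot load addr:$SECOND_OFF" "kernel tags addr:$TAGS_OFF"; do
    label=${pair%:*}
    off=${pair##*:}
    actual=$(printf '%s\n' "$out" | field "$label")
    expected=$(printf '0x%08x' $(( $base + $off )))
    if [ "$actual" != "$expected" ]; then
      echo "$label is $actual, expected $expected from base $base" >&2
      status=1
    fi
  done
  return $status
}

# Stand-alone run over both samples.
for dev in maguro i9300; do
  out=$("sample_$dev")
  echo "$dev: --base $(derive_base "$out")"
  check_offsets "$out" && echo "$dev: default offsets match"
done
```

To use it on a real image, feed it the output of unbootimg -i boot.img (the boot.txt saved earlier) instead of the constructed samples; the diff step in the tutorial then only has to confirm the ramdisk size and id changed.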

h2. Going further

The Linux kernel has more in-depth documentation about initramfs in a file named "ramfs-rootfs-initramfs.rst":https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/filesystems/ramfs-rootfs-initramfs.rst?h=v5.7-rc5 which documents how to extract an initramfs and how to recreate one.

However, we didn't test that yet. Tests and tutorials are welcome.

We also need to understand whether something specific needs to be done about file permissions when extracting, modifying and rebuilding an initramfs.