Android hacking

:!: These are notes to myself. Use with care. Absolutely no warranty!

Gaining temporary root

:!: The psneuter exploit does not work on Android versions newer than 2.2 (e.g. 2.3 Gingerbread).

Prerequisites:

  • USB debugging enabled (adb must be able to reach the device)

Push the psneuter exploit to /data/local and execute it:

adb push psneuter /data/local/psneuter
adb shell /data/local/psneuter
# adb wait-for-device   # optional: block until adbd is reachable again

The adbd daemon is killed and comes back about two seconds later, now running as root (see the psneuter source code for the technical details).

adb shell
# <further-commands>

Root obtained this way does not survive a reboot (temporary, non-permanent root).

Permanent root

Prerequisites:

  • USB debugging enabled
  • download SuperOneClick (local copy: superoneclickv1.9.5-shortfuse.zip) and extract the archive
    • optional: move adblinux to adblinux.orig and symlink the Android SDK's adb to adblinux (only needed for the automatic method below; uses the up-to-date system adb instead of the shipped binary)
  • install the Superuser app

Automatically

:!: untested

sudo apt-get install libmono-winforms2.0-cil
mono SuperOneClick.exe

Manually

Prerequisites:

  • temporary root (adbd running as root, see above)

adb push busybox /data/local/tmp/
adb push su-v3 /data/local/tmp/
adb shell
# cd /data/local/tmp           # root shell: adbd runs as root after psneuter
# chmod 755 busybox
# ./busybox ash                # optional, for convenience
# ./busybox mount -o remount,rw /system
# ./busybox cp busybox /system/bin/
# ./busybox chmod 755 /system/bin/busybox
# ./busybox cp su-v3 /system/bin/su
# ./busybox chmod 6755 /system/bin/su   # setuid + setgid bits (rwsr-sr-x); the file must be owned by root
# ./busybox mount -o remount,ro /system
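The same procedure as an added example (this is not from the original page): the copy and chmod steps are wrapped in a function whose source and target directories are parameters, so it can be exercised against a scratch directory before being pointed at /system, and a verify step checks that su really ended up as -rwsr-sr-x and root-owned. A silently dropped setuid bit, or a su owned by the wrong uid, is the usual reason a freshly installed su does nothing. Assumptions: BB is the path of the pushed busybox (the stock Android shell has no cp/chmod/ls of its own; leave it empty on a host with coreutils), DEVICE_INSTALL=1 selects the on-device run against /system, and the file name su-v3 is the one used above.

```sh
#!/system/bin/sh
# Added example, not from the original page. Installs busybox and su into
# $SYSTEM_DIR/bin and verifies the permission bits afterwards.
# BB: tool prefix. On the device: BB=/data/local/tmp/busybox
# On a host with coreutils leave BB empty so the plain tools are used.
BB=${BB:-}

# install_root_binaries SRC_DIR SYSTEM_DIR
#   SRC_DIR/busybox -> SYSTEM_DIR/bin/busybox (0755)
#   SRC_DIR/su-v3   -> SYSTEM_DIR/bin/su      (6755: setuid + setgid)
install_root_binaries() {
    src=$1
    bin=$2/bin
    [ -d "$bin" ] || $BB mkdir -p "$bin"
    $BB cp "$src/busybox" "$bin/busybox"
    $BB chmod 0755 "$bin/busybox"
    $BB cp "$src/su-v3" "$bin/su"
    $BB chmod 6755 "$bin/su"
}

# file_mode PATH -> ls-style mode string, e.g. -rwsr-sr-x
file_mode() {
    $BB ls -ld "$1" | $BB cut -c1-10
}

# verify_su SU_PATH -> 0 if su is exactly -rwsr-sr-x
# (and owned by uid 0 when we are running as root ourselves)
verify_su() {
    mode=$(file_mode "$1")
    if [ "$mode" != "-rwsr-sr-x" ]; then
        echo "$1: mode is $mode, expected -rwsr-sr-x" >&2
        return 1
    fi
    # A setuid bit on a file not owned by root grants no root at all.
    # ls -n prints numeric ids (Android has no /etc/passwd to resolve names).
    if [ "$($BB id -u)" = 0 ]; then
        owner=$($BB ls -lnd "$1" | $BB awk '{print $3}')
        if [ "$owner" != 0 ]; then
            echo "$1: owned by uid $owner, not 0" >&2
            return 1
        fi
    fi
    return 0
}

# On-device run from the temporary-root adb shell:
#   DEVICE_INSTALL=1 BB=/data/local/tmp/busybox sh install_root.sh
if [ "${DEVICE_INSTALL:-}" = 1 ]; then
    $BB mount -o remount,rw /system
    install_root_binaries /data/local/tmp /system
    verify_su /system/bin/su
    $BB mount -o remount,ro /system
fi
```

If verify_su complains about the owner, the binaries were pushed or copied from a non-root shell; redo the copy from the root shell rather than chown-ing the file in place.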

Superuser App

https://market.android.com/details?id=com.noshufou.android.su

If Superuser finds the su binary, its settings screen shows it (the original page has a screenshot here: Settings of Superuser).

Working with the terminal

Prerequisites:

  • busybox

A more comfortable shell (the Almquist shell, with tab completion and much more):

busybox ash

Run busybox without arguments to list the available applets.

/sdcard/bin/create_busybox_symlinks.sh
echo Creating symlinks...
 
SYMLINKS="[  [[  acpid  addgroup  adduser  adjtimex  arp  arping  ash  awk  	basename  beep  blkid  bootchartd  brctl  bunzip2  bzcat  bzip2  cal  	cat  catv  chat  chattr  chgrp  chmod  chown  chpasswd  chpst  chroot  	chrt  chvt  cksum  clear  cmp  comm  cp  cpio  crond  crontab  cryptpw  	cttyhack  cut  date  dc  dd  deallocvt  delgroup  deluser  depmod  	devmem  df  dhcprelay  diff  dirname  dmesg  dnsd  dnsdomainname  	dos2unix  du  dumpkmap  dumpleases  echo  ed  egrep  eject  env  	envdir  envuidgid  ether-wake  expand  expr  fakeidentd  false  fbset  	fbsplash  fdflush  fdformat  fdisk  fgconsole  fgrep  find  findfs  	flock  fold  free  freeramdisk  fsck  fsck.minix  fsync  ftpd  ftpget  	ftpput  fuser  getopt  getty  grep  gunzip  gzip  halt  hd  hdparm  	head  hexdump  hostid  hostname  httpd  hush  hwclock  id  ifconfig  	ifdown  ifenslave  ifplugd  ifup  inetd  init  insmod  install  ionice  	ip  ipaddr  ipcalc  ipcrm  ipcs  iplink  iproute  iprule  iptunnel  	kbd_mode  kill  killall  killall5  klogd  last  length  less  linux32  	linux64  linuxrc  ln  loadfont  loadkmap  logger  login  logname  	logread  losetup  lpd  lpq  lpr  ls  lsattr  lsmod   lsusb  	lzcat  lzma  lzop  lzopcat  makedevs  makemime  man  md5sum  mdev  	mesg  microcom  mkdir  mkdosfs  mke2fs  mkfifo  mkfs.ext2  mkfs.minix  	mkfs.vfat  mknod  mkpasswd  mkswap  mktemp  modinfo  modprobe  more  	mount  mountpoint  mt  mv  nameif  nc  netstat  nice  nmeter  nohup  	nslookup  ntpd  od  openvt  passwd  patch  pgrep  pidof  ping  ping6  	pipe_progress  pivot_root  pkill  popmaildir  poweroff  printenv  	printf  ps  pscan  pwd  raidautorun  rdate  rdev  readahead  readlink  	readprofile  realpath  reboot  reformime  renice  reset  resize  rev  	rm  rmdir  rmmod  route  rpm  rpm2cpio  rtcwake  run-parts  runlevel  	runsv  runsvdir  rx  script  scriptreplay  sed  sendmail  seq  setarch  	setconsole  setfont  setkeycodes  setlogcons  setsid  setuidgid  sh  	sha1sum  sha256sum  sha512sum  
showkey  slattach  sleep  smemcap  	softlimit  sort  split  start-stop-daemon  stat  strings  stty  sum  sv  svlogd  swapoff  swapon  switch_root  sync  sysctl  	syslogd  tac  tail  tar  tcpsvd  tee  telnet  telnetd  test  tftp  	tftpd  time  timeout  top  touch  tr  traceroute  traceroute6  true  	tty  ttysize  tunctl  udhcpc  udhcpd  udpsvd  umount  uname  unexpand  	uniq  unix2dos  unlzma  unlzop  unxz  unzip  uptime  usleep  uudecode  	uuencode  vconfig  vi  vlock  volname  wall  watch  watchdog  wc  wget  	which  who  whoami  xargs  xz  xzcat  yes  zcat  zcip" 
# blacklist (not complete): su, sulogin, lspci
 
BUSYBOX=/system/bin/busybox
 
for i in $SYMLINKS; do
	$BUSYBOX ln -s $BUSYBOX $i
done

Create symlinks:

# busybox mount -o remount,rw /system
# mkdir /system/busybox_bin
# chmod 755 /system/busybox_bin
# cd /system/busybox_bin   # change into this directory for following call to script
# busybox ash /sdcard/bin/create_busybox_symlinks.sh
# chmod 755 *
# cd /
# busybox mount -o remount,ro /system
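An added example (not the page's script) that does the same job with the blacklist actually enforced and the result checked: it refuses to create links for su, sulogin and lspci, skips names that already exist so it can be re-run, and check_links fails if anything in the directory is not a link to busybox or if a blacklisted name has sneaked in. The su entry matters because bb (below) puts /system/busybox_bin in front of /system/bin, so a su symlink there would shadow the setuid /system/bin/su with busybox's non-setuid applet and break root in every bb shell. Assumptions: BB is the busybox used for ln/readlink/mkdir (empty on a host with coreutils), and the applet names are passed as arguments, e.g. the SYMLINKS variable from the script above.

```sh
#!/system/bin/sh
# Added example, not the page's script. Creates DIR/<applet> -> BUSYBOX links
# for a list of applets, enforcing a blacklist, and checks the result.
BB=${BB:-}                      # tool prefix: /data/local/tmp/busybox on device, empty on a host
BLACKLIST="su sulogin lspci"    # never link these; su must stay the setuid /system/bin/su

# is_blacklisted NAME -> 0 if NAME is in $BLACKLIST
is_blacklisted() {
    for b in $BLACKLIST; do
        if [ "$1" = "$b" ]; then return 0; fi
    done
    return 1
}

# make_busybox_links DIR BUSYBOX APPLET...
make_busybox_links() {
    dir=$1; bb=$2; shift 2
    [ -d "$dir" ] || $BB mkdir -p "$dir"
    for a in "$@"; do
        if is_blacklisted "$a"; then
            echo "skipping blacklisted applet $a" >&2
            continue
        fi
        if [ -e "$dir/$a" ] || [ -L "$dir/$a" ]; then
            continue                       # re-runnable: leave existing entries alone
        fi
        $BB ln -s "$bb" "$dir/$a"
    done
}

# check_links DIR BUSYBOX -> 0 only if every entry is a symlink to BUSYBOX
# and no blacklisted name is present
check_links() {
    dir=$1; bb=$2; rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        if is_blacklisted "$name"; then
            echo "$f: blacklisted name present" >&2
            rc=1
        fi
        if [ ! -L "$f" ] || [ "$($BB readlink "$f")" != "$bb" ]; then
            echo "$f: not a link to $bb" >&2
            rc=1
        fi
    done
    return $rc
}

# On the device (from a busybox ash, /system remounted rw, SYMLINKS set as above):
#   make_busybox_links /system/busybox_bin /system/bin/busybox $SYMLINKS
#   check_links /system/busybox_bin /system/bin/busybox
```

Run check_links again after any later busybox update: a new build that ships a su applet changes nothing here, but a stray `ln -s` done by hand does.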

Script for setting up the busybox environment (prepends the symlink directory to PATH and starts ash):

/system/bin/bb
#!/system/bin/sh
 
export PATH=/system/busybox_bin:$PATH
echo PATH=$PATH
 
/system/bin/busybox ash

Set script executable:

chmod 755 /system/bin/bb

Run bb from shell:

$ bb   # prepends the busybox symlink directory to $PATH and starts an ash shell
/ $ vi /sdcard/foo.txt  # any busybox applet now works by name

LG-P990 (LG Optimus 2X)

ClockworkMod

Prerequisites:

  • USB-debugging enabled
  • temporary root (adbd root!)
  • recommended: create a backup of /dev/block/mmcblk0p7 (original recovery image)

Download ClockworkMod image (local copy: 4.0.0.5-modaco-2x-clockworkmod.zip)

adb push clockworkmod.img /data/local/tmp/
adb shell dd if=/data/local/tmp/clockworkmod.img of=/dev/block/mmcblk0p7
adb reboot recovery    # seems NOT to work... maybe only for developer devices
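The dd above writes the image blind. As an added example (not from the original page), here is the same flash with the backup the prerequisites recommend, a size check so that an image larger than the partition is refused, and a read-back comparison of the written bytes against the image. The functions take the image, the partition device and the backup path as arguments, so they can be tried on two scratch files before being pointed at /dev/block/mmcblk0p7. Assumptions: BB is the busybox providing dd/wc/head/cmp/sync (empty on a host with coreutils and diffutils; head -c and cmp reading stdin via "-" are busybox features), and the partition path mmcblk0p7 is the page's value for the LG-P990, not something verified here.

```sh
#!/system/bin/sh
# Added example, not from the original page. Flash a partition image with
# backup, size check and read-back verification.
BB=${BB:-}   # /data/local/tmp/busybox on the device, empty on a host

# size_of FILE -> size in bytes as a bare number (arithmetic strips wc's padding)
size_of() {
    echo $(( $($BB wc -c < "$1") ))
}

# flash_partition IMAGE DEVICE BACKUP
#   1. copy the current partition contents to BACKUP
#   2. write IMAGE at offset 0 of DEVICE
#   3. read back the first size(IMAGE) bytes and compare them with IMAGE
flash_partition() {
    img=$1; dev=$2; bak=$3
    img_size=$(size_of "$img")
    dev_size=$(size_of "$dev")
    if [ "$img_size" -gt "$dev_size" ]; then
        echo "image is $img_size bytes, partition only $dev_size: refusing" >&2
        return 1
    fi
    $BB dd if="$dev" of="$bak" bs=4096 2>/dev/null || return 1
    # conv=notrunc: never truncate the target (matters when DEVICE is a regular file)
    $BB dd if="$img" of="$dev" bs=4096 conv=notrunc 2>/dev/null || return 1
    $BB sync
    if ! $BB head -c "$img_size" "$dev" | $BB cmp -s - "$img"; then
        echo "read-back of $dev does not match $img" >&2
        return 1
    fi
    return 0
}

# restore_partition BACKUP DEVICE -> put the saved contents back
restore_partition() {
    $BB dd if="$1" of="$2" bs=4096 conv=notrunc 2>/dev/null
}

# On the device (temporary-root adb shell), with the image pushed to /data/local/tmp:
#   flash_partition /data/local/tmp/clockworkmod.img /dev/block/mmcblk0p7 /sdcard/recovery-stock.img
# and, if the read-back fails, before rebooting into recovery:
#   restore_partition /sdcard/recovery-stock.img /dev/block/mmcblk0p7
```

The backup goes to /sdcard on purpose: it survives a broken recovery and can be restored from the same root shell, or later from a working recovery.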

Boot into clockworkmod

Press and hold POWER + VOL-DOWN while powering on.

Backup

:!: External SD-card needed

Extract backup images manually

The backup images are YAFFS2 file systems.

Example: extract the system image:

$ unyaffs system.bin    # extracts the system image into the current directory using the "unyaffs" project

Removing system apps

Prerequisites:

  • become root (or use adb in recovery)
  • (optional) busybox
  • (optional) remove the application's data first via the app settings

# busybox mount -o remount,rw /system
# busybox rm /system/app/Email.apk
# pm uninstall com.android.email    # pm is Android's package manager, not a busybox applet
# busybox mount -o remount,ro /system

Alternative with adb:

$ adb remount
$ adb shell rm /system/app/<apk name>.apk
$ adb uninstall <package name>

CyanogenMod

Find and install apps not available in your country (e. g. gmail in Germany)

Install MarketEnabler and choose for instance “US T-Mobile”.

Search and install Google Mail in Market for instance.

Disable camera shutter sound

Rename “camera_click.ogg” (photo) and “VideoRecord.ogg” (video cam) in /system/media/audio/ui/.

Alternative (better):

# setprop persist.camera.shutter.disable 1

There is still a camera focus sound (probably a hard-coded or generated tone). In silent mode no sound is played at all.

android/hacking.txt · Last modified: 2011-12-03 16:36 CET by dominik