Basic Knowledge of Android Modding#
The notes are sourced from the Bilibili Geek Bay video: A Must-Watch for Modding! Take You into the World of Android Modding
This tutorial only provides the basic framework and knowledge needed before modding.
For specific operations, please refer to specific tutorials. Otherwise, you may encounter many small problems that cannot be solved during the modding process.
Related Websites:
Android Partition#
Android phones contain several partitions.
Boot Partition#
- Stores the boot files and other files needed for startup
- Contains the Kernel and Ramdisk of the operating system
- Rooting works by modifying the Boot partition
- If the boot partition is erased or damaged, the phone will be stuck on the first screen during startup
System Partition#
- Stores the Android system and system applications
- The system partition contains the entire operating system and system software
- System upgrades or flashing are often done on this partition
- If the system partition is damaged, the phone will be stuck on the second screen during startup
Vendor Partition#
There is also a Vendor partition similar to the system partition.
- It contains some applications and library files customized by the manufacturer
- Many manufacturers directly put these files from the Vendor partition into the system partition for easier future updates and maintenance
Data Partition#
- The data partition stores user data, including applications, audio and video, images, system settings, etc.
- Erasing the data partition will clear user data, but will not affect the normal startup of the phone
Cache Partition#
- The cache partition of Android
- Caching lets the system quickly open the most frequently accessed data and applications without reloading them
- Erasing the cache will not affect personal data, and the cache is regenerated automatically for subsequent use
Recovery Partition#
- The recovery partition contains a simple Linux system for recovering and maintaining the phone
- It can be used to recover and update the contents of other partitions (such as erasing data), similar to Windows PE (Preinstallation Environment)
AB Partition#
In recent years, there have been more and more phones without a recovery partition. This is because Android introduced a new OTA upgrade method called A/B System Updates (AB partition) starting from Android 7.0.
This upgrade method sets up two sets of boot and system partitions, Slot A and Slot B. The slot used during normal operation is the main partition, and the other slot is the backup partition.
This allows seamless system upgrades: users can upgrade the system in the background while using the phone (the update is written to the backup partition). After the upgrade is complete, restart the phone, and the backup partition automatically becomes the main partition. If the upgrade fails and the system cannot start, the phone switches back to the previous partition. The disadvantage is that it occupies double the System space.
![image](/_next/image?url=https%3A%2F%2Fraw.githubusercontent.com%2FDoraemonkeys%2Fpicture%2Fmaster%2F1442343_origin_IMG_20220428_143359.jpg&w=3840&q=75)
VA/B Partition#
To solve the space occupation problem, an improved version of the AB partition OTA upgrade method, Virtual A/B System Updates (VA/B partition), has emerged.
The two generations of the system share the files they have in common, and only the files that differ are stored in the virtual A/B partition. Currently, most models equipped with Android 11 or above come with VA/B partitions.
![image](/_next/image?url=https%3A%2F%2Fraw.githubusercontent.com%2FDoraemonkeys%2Fpicture%2Fmaster%2F1442342_origin_IMG_20220428_143346.jpg&w=3840&q=75)
From the perspective of modding, it is more complicated to flash a third-party recovery on A/B or VA/B devices, because both of these schemes incorporate the recovery partition into the boot partition.
![image](/_next/image?url=https%3A%2F%2Fraw.githubusercontent.com%2FDoraemonkeys%2Fpicture%2Fmaster%2F1442341_origin_Screenshot_2022-04-28-14-33-28-105_tv.danmaku.bili.png&w=3840&q=75)
Bootloader#
- If recovery is compared to PE, the bootloader in the fastboot stage is equivalent to the BIOS/UEFI on a computer.
- The bootloader, as the name suggests, is the boot loader, and it starts working the moment you press and hold the power button to turn on the phone.
- During this time, the bootloader will initialize the hardware devices in the phone and boot the operating system kernel (Kernel in the boot partition).
- In the later stage of booting, we can choose to enter a stage called fastboot (usually by pressing and holding the power button + volume down), which is what we commonly call the flashing mode.
- Fastboot is lower-level than recovery. In fastboot mode, you can connect the phone to the computer and use commands to flash the phone directly.
- Unlocking the phone, injecting boot images, and flashing the system all require the use of fastboot.
- The bootloader does not belong to a specific system partition. If a system partition is damaged and the phone becomes bricked, you can generally enter fastboot to rescue it.
- Using fastboot to flash the phone is generally called "line flashing" (connecting the phone to the computer with a data cable), and using recovery to flash the phone is generally called "card flashing" (downloading the card flash package to the phone)
Setting Up Computer and Phone Environment#
Fastboot#
- You can download Android SDK Platform-Tools for the computer from the official Android site
- Android SDK Platform-Tools is a component of the Android SDK. It contains tools for interacting with the Android platform, mainly adb and fastboot.
- After downloading and extracting, you will see the adb and fastboot files. You can open a terminal in this directory and enter commands to operate the phone
- If the device cannot be detected, you can install the fastboot driver in the device manager on the computer. Driver link: Modding Resource Collection (jamcz.com)
![image](/_next/image?url=https%3A%2F%2Fraw.githubusercontent.com%2FDoraemonkeys%2Fpicture%2Fmaster%2F%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202022-04-28%20185643.png&w=3840&q=75)
Common Fastboot Commands#
```bash
# Show fastboot devices
fastboot devices

# Get device information
fastboot getvar all

# Reboot the phone
fastboot reboot

# Reboot to bootloader
fastboot reboot-bootloader

# Erase a partition: fastboot erase <partition name>
# Example: erase the system partition
fastboot erase system

# Flash a partition: fastboot flash <partition name> <partition image>
# Example: flash the boot image "boot.img" to the boot partition
fastboot flash boot boot.img

# Boot an image: fastboot boot <partition image>
# Example: boot the recovery image
fastboot boot recovery.img

# Flash a ROM: fastboot update <flash package>
# Example: flash update.zip
fastboot update update.zip

# Unlock the bootloader (the parameter depends on the model)
fastboot oem unlock
```
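The output of `fastboot getvar all` is where the active A/B slot and the bootloader lock state described earlier can be read off. The Python code below is an added example, not part of the original notes: it parses a constructed sample of that output and reports slot layout and lock state. The `(bootloader) key:value` line format and the variables shown are assumptions, since each vendor prints a different set.

```python
# Constructed sample of `fastboot getvar all` output (values are made up).
SAMPLE_GETVAR = """\
(bootloader) product:example
(bootloader) unlocked:no
(bootloader) slot-count:2
(bootloader) current-slot:_a
(bootloader) has-slot:boot:yes
(bootloader) has-slot:system:yes
(bootloader) has-slot:userdata:no
all:
Finished. Total time: 0.004s
"""

def parse_getvar(text: str) -> dict:
    """Turn '(bootloader) key:value' lines into a dict, skipping other lines."""
    variables = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("(bootloader)"):
            continue
        body = line[len("(bootloader)"):].strip()
        # Keys such as 'has-slot:boot' contain colons, so split on the last one.
        key, sep, value = body.rpartition(":")
        if sep:
            variables[key.strip()] = value.strip()
    return variables

def summarize(variables: dict) -> dict:
    """Report slot layout and lock state; None means the device did not say."""
    count = variables.get("slot-count", "")
    slots = int(count) if count.isdigit() else 0
    # Some bootloaders report the slot as '_a', others as 'a'.
    active = variables.get("current-slot", "").lstrip("_") or None
    inactive = None
    if slots == 2 and active in ("a", "b"):
        inactive = "b" if active == "a" else "a"
    unlocked = variables.get("unlocked")
    return {
        "ab_device": slots >= 2,
        "active_slot": active,
        "inactive_slot": inactive,
        "slotted_partitions": sorted(
            k.split(":", 1)[1] for k, v in variables.items()
            if k.startswith("has-slot:") and v == "yes"),
        "bootloader_unlocked": None if unlocked is None else unlocked == "yes",
    }

if __name__ == "__main__":
    print(summarize(parse_getvar(SAMPLE_GETVAR)))
```

On a real device, feed it the saved text of `fastboot getvar all`; fastboot usually writes this output to stderr.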
ADB (Android Debug Bridge)#
- To connect the phone to the computer, you generally need to enable USB debugging in the Developer Options on the phone; this is what enables ADB (Android Debug Bridge).
- ADB is a command-line tool provided by Android for debugging devices. With ADB, you can control the phone with various commands on the computer (no need for root).
- For example, you can use commands to install software on the phone, adjust the screen resolution, simulate key clicks, and perform other fun operations.
- Many phone toolboxes on the computer, such as modding toolboxes, are based on ADB.
Root#
- ADB can only achieve some debugging functions. To achieve more functions, you need root permission.
- Enable OEM unlocking in the Developer Options (if available)
- To root, you generally need to unlock the bootloader (bl lock), then modify the boot file, and flash Magisk (patched boot). The process of rooting is equivalent to modifying the boot partition.
- Manufacturers generally lock the bootloader to ensure phone security, and you cannot modify the partitions without unlocking the bootloader.
- Different brands have different unlocking methods, which are not discussed here
Root Methods#
There are generally two methods to root:
1. Root through a third-party recovery#
- Official recovery generally only has simple recovery functions and will not allow you to flash random things
- To achieve a similar effect to PE, you need to flash a useful third-party recovery
- Third-party recovery can not only root but also flash kernels, flash systems, backup data, etc.
- TWRP is currently a well-known third-party recovery
2. Flashing boot image directly in fastboot#
The principle of Magisk obtaining root is to patch the boot partition. This can be done directly in recovery, but we can also extract the current system's boot image and hand it over to the Magisk app for patching. After patching, we can manually flash it back to the system.
The boot image can generally be extracted from the firmware package:
- For line flash packages, you can usually find the boot.img file by directly extracting the package.
- For card flash packages, there will be a very large payload.bin file after extraction, which can be unpacked using the payload_dumper.exe program. After unpacking, you can find the boot.img.

Then patch the image and flash it back:
- Transfer the obtained boot file to the phone.
- Install the Magisk app on the phone, open it, click install, select patch a file, and select boot.img. After patching, the patched image will be exported to the download folder.
- Copy the patched boot to the computer.
- Restart the phone to fastboot mode, and use the fastboot command (fastboot flash boot) to flash the patched boot to obtain root permission.
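Since a damaged boot partition leaves the phone stuck on the first screen, it is worth confirming that an extracted boot.img is a complete boot image, and recording its hash, before patching or flashing it. The Python check below is an added example, not part of the original notes; it assumes the AOSP boot image header layout (`ANDROID!` magic, `header_version` at offset 40), and `make_sample` builds a constructed, zero-filled image for demonstration.

```python
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"

def _pad(size: int, page: int) -> int:
    """Round size up to a whole number of pages."""
    return (size + page - 1) // page * page

def inspect_boot_image(data: bytes) -> dict:
    """Check that data is a complete boot image and summarize its header."""
    if len(data) < 44 or data[:8] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic: not a boot image")
    # Assumption: AOSP layout, header_version is the u32 at offset 40.
    version = struct.unpack_from("<I", data, 40)[0]
    if version > 4:
        raise ValueError(f"unsupported header version {version}")
    if version >= 3:
        # v3/v4: kernel_size and ramdisk_size are adjacent, pages are 4096.
        kernel, ramdisk = struct.unpack_from("<II", data, 8)
        page = 4096
    else:
        # v0-v2: load addresses sit between the sizes; page size is stored.
        kernel = struct.unpack_from("<I", data, 8)[0]
        ramdisk = struct.unpack_from("<I", data, 16)[0]
        page = struct.unpack_from("<I", data, 36)[0]
        if page == 0:
            raise ValueError("header declares a zero page size")
    # Header page plus page-aligned kernel and ramdisk must fit in the file.
    min_size = page + _pad(kernel, page) + _pad(ramdisk, page)
    if len(data) < min_size:
        raise ValueError(f"truncated: {len(data)} bytes, need {min_size}")
    return {"header_version": version, "kernel_size": kernel,
            "ramdisk_size": ramdisk, "page_size": page, "min_size": min_size,
            "sha256": hashlib.sha256(data).hexdigest()}

def make_sample(kernel: int = 3000, ramdisk: int = 1000, page: int = 2048) -> bytes:
    """Constructed v0 image: valid header followed by a zero-filled payload."""
    hdr = bytearray(page)
    hdr[:8] = BOOT_MAGIC
    struct.pack_into("<I", hdr, 8, kernel)
    struct.pack_into("<I", hdr, 16, ramdisk)
    struct.pack_into("<I", hdr, 36, page)
    return bytes(hdr) + bytes(_pad(kernel, page) + _pad(ramdisk, page))

if __name__ == "__main__":
    print(inspect_boot_image(make_sample()))
```

Running the same check on the stock and the patched image gives two hashes to keep, so it is always clear which file was flashed.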
Download link for Xiaomi ROMs for all models and versions: XiaomiROM.com - Download the Latest and Historical Versions of Xiaomi ROM Flash Packages
Boot Management Tool Magisk#
Magisk is commonly nicknamed "the mask". It can not only be used to obtain root permissions but also mount various modules.
Magisk Rooting Principle#
Magisk mounts a separate Magisk partition that is isolated from the system files to load its own content. Everything is done in the bootloader stage. While implementing functions, it can keep the system partition (system) intact, so it can hide root.
9008 Flashing (EDL Serial Port Flashing Mode)#
The flashing (line flashing) tools provided by OnePlus and OPPO are based on 9008, which is a lower-level flashing mode for Qualcomm platforms and is only used as a last resort.
Although the fastboot line flashing method can solve most software problems, it cannot flash some lower-level things, such as baseband serial numbers.
Sometimes the phone becomes a brick and cannot even enter fastboot. At this time, you can only use the 9008 mode to flash the phone.
The 9008 mode can solve almost all software problems of the phone.
Qualcomm Universal: QFIL Tool
![image](/_next/image?url=https%3A%2F%2Fraw.githubusercontent.com%2FDoraemonkeys%2Fpicture%2Fmaster%2F1443384_origin_Screenshot_2022-04-28-21-03-42-798_tv.danmaku.bili.png&w=3840&q=75)
MediaTek Universal: SP Flash Tool
![image](/_next/image?url=https%3A%2F%2Fraw.githubusercontent.com%2FDoraemonkeys%2Fpicture%2Fmaster%2F1443385_origin_Screenshot_2022-04-28-21-04-25-858_tv.danmaku.bili.png&w=3840&q=75)
MiFlash (Pro) contains a manufacturer-customized 9008 flashing mode and has added some verification mechanisms. Authorization is required to use 9008.