Android Cookbook: Nexus Device Hacking 101

Enabling Developer Mode

Overview

The default USB mode for an Android device is either charging or ‘media device’, neither of which is very useful for the types of actions / processes necessary for development. Developer mode on your Android device enables the Android Debug Bridge (ADB) protocol over USB, and can be set via Settings.

Of note: in 4.2 (and above), developer options are hidden by default, and there is a procedure to un-hide them. Additionally, Android 4.2 and above have an additional security feature that requires the connected computer to be authorized on the device before it can use ADB.

Process – Enable Developer Options (4.2+)

  1. On your Android device, open the Settings app.
  2. Navigate to the ‘About’ section, and scroll down to ‘Build Number’. It should be the last entry.
  3. Tap on the Build Number seven times. A dialog box will pop up after three taps to indicate you are on the right path, and a notice after the seventh tap indicating you are now a developer – which seems a bit pretentious.
  4. Hit the back button and scroll back down to ‘About’, and right above it there should be a new entry for developer options. Select ‘Developer Options’.
  5. Scroll down and enable ‘Stay Awake’ and ‘USB Debugging’. This tells your device to enable ADB for development and also to not go into sleep mode while connected to USB.

Process – Enable Developer Options (older than 4.2)

  1. On your Android device, open the Settings app.
  2. Scroll down to ‘Developer Options’ (second from the bottom) and select it.
  3. Scroll down and enable ‘Stay Awake’ and ‘USB Debugging’. This tells your device to enable ADB for development and also to not go into sleep mode while connected to USB.

USB States and Drivers (Windows)

Overview

Nexus devices have three USB states: ADB (when booted), Fastboot (bootloader), and ADB composite (recovery). Technically all Android devices have these same states, but non-Nexus devices are notoriously hard to work with – which is why my focus is on Nexus devices.

Each one of these states has a unique USB ID and a unique computer driver. The USB driver package included with the Android SDK supports all of these states, but the installation can be a bit interesting. For Windows systems, the overall process is to remove the default drivers that are currently installed and then install each of the drivers in turn.

Note: I refer to the generic ‘Nexus’ when possible, and the Nexus 7 when necessary to specify a device (since that is my default hacking device). All of these processes should work with any Nexus device – with some device specific details you will have to discern.

Process

  1. Nexus 7 (all models): uninstall any ASUS Android USB drivers. Reboot if necessary.
  2. Open the control panel, and search for ‘device manager’, select ‘device manager’.
  3. Place the Nexus 7 in recovery mode, and connect to the host USB.
  4. Note a new Nexus 7 device under ‘Other Devices’ with a yellow triangle over it. Right click it and select ‘install driver’.
    1. Select the ‘let me pick…’ option. Navigate to ‘<Android SDK installation>/extras/google/usb_driver’ and select the ‘android_winusb.inf’ driver file.
    2. Select ‘Android Composite ADB Interface’ as the driver type.
    3. Complete the installation; this interface should now be recognized. Leave the device manager open.
  5. Next, place the Nexus 7 in bootloader mode, and then connect to the host USB.
    1. Note a new Nexus 7 device under ‘Other Devices’ with a yellow triangle over it. Right click it and select ‘install driver’.
    2. Select the ‘let me pick…’ option. Navigate to ‘<Android SDK installation>/extras/google/usb_driver’ and select the ‘android_winusb.inf’ driver file.
    3. Select ‘Android Bootloader Interface’ as the driver type.
    4. Complete the installation; this interface should now be recognized. Leave the device manager open.
  6. Next, boot the Nexus 7 to the Android OS, and connect to the host USB. This interface will likely install automatically. If it does not, follow the previous steps, selecting ‘Android ADB Interface’.

Unlocking Nexus Device

Overview

This section walks through the process to unlock a Nexus device. Since the Nexus devices are the Google reference devices for development, this is a legitimate process designed into the system. Note – as part of the Nexus unlock process, ALL the partitions are wiped. This is a security control to prevent access to user data.

Process

  1. Connect your Nexus device to your build system and confirm that ADB recognizes the device.
  2. Send the device to the bootloader. Note that you can also enter the bootloader through the physical sequence. This will vary from device to device and is tabulated at the Google AOSP Device build page. The Nexus 7 (grouper) can be put in bootloader mode by holding the volume down and power together from a powered down state (no USB connected), and hold until the bootloader screen appears. Then release the buttons and connect to USB.
  3. Alternatively, we can put the device into fastboot mode via ADB as follows.
adb devices
adb reboot-bootloader
  4. Unlock the device with fastboot. The screen will provide warnings and require a confirmation.
fastboot oem unlock

Locking Nexus Device

Overview

This section defines how to relock your Nexus device. This is more of a security measure than anything else, since it prevents the firmware from being flashed without wiping the user data on the device. If your target system is not purely a development system and/or it has personal / sensitive information – relock the system after your changes have been implemented.

Process

  1. Connect your Nexus device to your computer and confirm that ADB recognizes the device.
  2. Send the device to the bootloader. Note that you can also enter the bootloader through the physical sequence. This will vary from device to device and is tabulated at the Google AOSP Device build page. The Nexus 7 (grouper) can be put in bootloader mode by holding the volume down and power together from a powered down state (no USB connected), and hold until the bootloader screen appears. Then release the buttons and connect to USB.
  3. Alternatively, we can put the device into fastboot mode via ADB as follows.
adb devices
adb reboot-bootloader
  4. Lock the device with fastboot. The screen will provide warnings and require a confirmation.
fastboot oem lock
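
Worked example (added here; not part of the original cookbook and not Google's tooling): a small POSIX shell script that wraps the unlock and relock procedures above. Rather than issuing ‘fastboot oem unlock’ or ‘fastboot oem lock’ blind, it first checks that the device appears in ‘adb devices’ in the ‘device’ state (an ‘unauthorized’ entry means the ADB authorization prompt from 4.2+ has not been accepted on the device yet), reboots it to the bootloader, and polls ‘fastboot devices’ until the serial shows up. The serial numbers and the captured command output in the samples are constructed; the parsing helpers run against that text with no device attached.

```shell
#!/bin/sh
# Added example, not from the original cookbook: gate "fastboot oem unlock" and
# "fastboot oem lock" on the device being visible and authorized first. The
# helpers parse the text that "adb devices" and "fastboot devices" print, so they
# can be tried on captured output without a device attached.

# Constructed sample output (serials are made up) of "adb devices" with two
# devices: one whose ADB authorization prompt has not been accepted, one ready.
SAMPLE_ADB='List of devices attached
0123456789ABCDEF	unauthorized
FEDCBA9876543210	device'

# Constructed sample output of "fastboot devices" while the second device sits
# in the bootloader.
SAMPLE_FASTBOOT='FEDCBA9876543210	fastboot'

# Print the state of serial $2 in "adb devices" output $1: device, unauthorized,
# offline or recovery as reported by adb, or "absent" if it is not listed.
adb_state() {
    printf '%s\n' "$1" | awk -v s="$2" '
        $1 == s { print $2; found = 1 }
        END { if (!found) print "absent" }'
}

# Succeed only if serial $2 is listed in "fastboot devices" output $1.
fastboot_present() {
    printf '%s\n' "$1" | awk -v s="$2" '
        $1 == s && $2 == "fastboot" { ok = 1 }
        END { exit !ok }'
}

# Run the real procedure. $1 is "unlock" or "lock", $2 the device serial.
# Needs adb and fastboot on PATH; the on-screen confirmation is still required.
change_lock_state() {
    action=$1; serial=$2
    case $(adb_state "$(adb devices)" "$serial") in
        device) ;;
        unauthorized)
            echo "accept the ADB authorization prompt on the device, then retry" >&2
            return 1 ;;
        *)  echo "device $serial is not usable over ADB" >&2; return 1 ;;
    esac
    adb -s "$serial" reboot-bootloader
    # The bootloader needs a few seconds to enumerate; poll rather than sleep blindly.
    tries=0
    until fastboot_present "$(fastboot devices)" "$serial"; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { echo "bootloader did not appear" >&2; return 1; }
        sleep 1
    done
    fastboot -s "$serial" oem "$action"
}

# Demonstration on the constructed samples (no device needed).
echo "0123456789ABCDEF: $(adb_state "$SAMPLE_ADB" 0123456789ABCDEF)"   # unauthorized
echo "FEDCBA9876543210: $(adb_state "$SAMPLE_ADB" FEDCBA9876543210)"   # device
fastboot_present "$SAMPLE_FASTBOOT" FEDCBA9876543210 && echo "FEDCBA9876543210 is in fastboot"
```

Against a real device the call is ‘change_lock_state unlock <serial>’ or ‘change_lock_state lock <serial>’; passing the serial explicitly (‘-s’) matters when more than one device or emulator is attached, which is exactly the situation in which an unlock against the wrong device would be costly.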

Flashing Factory Image (Linux)

Overview

This section defines how to reflash a Nexus device back to the factory image. This will delete any content or configuration on the device. It also requires that the device be unlocked. Remember – it is always good to have a safety net, so offload any important files and keep a backup. This process and a complete backup of your configuration are your safety net for Nexus hacking – keep it handy.

Process

  1. Download the appropriate image from https://developers.google.com/android/nexus/images
  2. Expand the image file (.tgz).
  3. Connect the Nexus device to the build computer.
  4. Put the Nexus device in bootloader mode.
  5. Go into the uncompressed image directory. Navigate down until you find the ‘flash-all.sh’ script.
  6. Enter ‘./flash-all.sh’.
  7. Wait for the install to complete, exit and reboot.

Nexus 7 Rooting from Recovery

Overview

This section describes how to root your Nexus device from the command line. In most cases this is not necessary, but occasionally it makes some arcane task easier. It does require that the recovery partition be updated to something more useful than the factory recovery.

Process

  1. Prerequisite: this works with an alternate recovery partition ONLY (see the TWRP section).
  2. Download ‘UPDATE-SuperSU.zip’ from the Chainfire site (or Google for it).
  3. Connect your Android device to your PC (with adb and fastboot).
  4. Copy the ‘UPDATE-SuperSU.zip’ file onto your Android device at the root of its storage (/sdcard/), then use ADB to reboot into the recovery partition.
adb devices
adb push UPDATE-SuperSU.zip /sdcard/
adb reboot recovery
  5. Your Android device should reboot into your alternate recovery interface.
  6. Select ‘install zip file from sdcard’.
  7. Select the ‘UPDATE-SuperSU.zip’ file, and install.
  8. Reboot.
  9. Ensure your device has network connectivity, and run the SuperSU application (which was installed as part of this process). Select and install the update.
  10. Note – SuperSU provides the option in its menu to ‘unroot’ your device, so this is a very recoverable state.
  11. At this point I also recommend installing BusyBox by Stericson from Google Play, and buying SuperSU Pro – it is one way to provide constructive feedback to the community. Note that there is a Pro version of BusyBox also (and I recommend buying it for the same reasons).

ADB Backup and Restore

Overview

This procedure illustrates the backup and restore process of an Android device using adb. Along with the factory image restore, this is one of a few safety net options that can get your Nexus back to where it was relatively fast.

Process

  1. Connect your Android device to your computer, and open a command line window.
mkdir <backup-dir>
cd <backup-dir>
adb devices
  2. If your device is present, continue with:
adb backup -apk -shared -all -f backup-2013-12-02.ab
  3. This will require a response on your Android device to confirm the backup. This is also where the option to encrypt the backup with a password is provided.
  4. To restore:
cd <backup-dir>
adb devices
adb restore backup-2013-12-02.ab
  5. This will also require a response on your Android device. If the backup is encrypted, it will require the password used for the backup.
  6. Note – there are no selective restore options.
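
Worked example (added here; not part of the original cookbook): a shell helper that inspects the header of an ‘adb backup’ file before it is relied upon as a safety net. An .ab file starts with four text lines (the magic ‘ANDROID BACKUP’, a format version, a 0/1 compression flag, and the encryption algorithm, ‘none’ or ‘AES-256’), followed by the tar stream. Reading those lines tells you up front whether the restore will prompt for the password, and whether an unencrypted copy of your app data is sitting on disk. The sample files are constructed: the headers are the real format, the payloads are stand-in text.

```shell
#!/bin/sh
# Added example, not part of the original cookbook: inspect the header of an
# "adb backup" file before trusting it as a safety net. An .ab file begins with
# four text lines: the magic "ANDROID BACKUP", a format version, a 0/1 flag
# for compression and the encryption algorithm ("none" or "AES-256"); the
# (optionally compressed and encrypted) tar stream follows. Reading the header
# tells you up front whether a restore will prompt for the backup password.

# Print "<version> <compressed> <encryption>" for the .ab file $1, or fail with
# a message if the magic line is missing (the file is not an adb backup).
ab_header() {
    [ "$(head -n 1 "$1")" = "ANDROID BACKUP" ] || { echo "not an adb backup: $1" >&2; return 1; }
    head -n 4 "$1" | sed -n '2,4p' | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if the backup $1 is encrypted (a restore will ask for the password).
ab_is_encrypted() {
    hdr=$(ab_header "$1") || return 1
    set -- $hdr
    [ "$3" != "none" ]
}

# Constructed sample files: only the headers are real; the payloads are stand-ins.
make_sample_backups() {
    dir=$(mktemp -d)
    printf 'ANDROID BACKUP\n1\n1\nnone\n<tar stream would follow>\n' > "$dir/plain.ab"
    printf 'ANDROID BACKUP\n1\n1\nAES-256\n<salts and encrypted stream would follow>\n' > "$dir/encrypted.ab"
    printf 'not a backup at all\n' > "$dir/bogus.ab"
    echo "$dir"
}

# Demonstration on the constructed samples.
dir=$(make_sample_backups)
for f in "$dir"/plain.ab "$dir"/encrypted.ab; do
    if ab_is_encrypted "$f"; then
        echo "$(basename "$f"): $(ab_header "$f") -> encrypted, keep the password with the backup"
    else
        echo "$(basename "$f"): $(ab_header "$f") -> not encrypted, protect the file itself"
    fi
done
rm -rf "$dir"
```

Run ‘ab_header backup-2013-12-02.ab’ on a real backup to see the same three fields; an unencrypted backup created with ‘-apk -shared -all’ holds every app's private data and the shared storage in plain form, so it deserves the same handling as the device itself.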

Creating a Fastboot Recovery ZipFile

Overview

This section describes how to create a fastboot install zip file. This is one packaging option for a custom device ROM.

Process

  1. From the AOSP build directory:
mkdir fastboot
cd fastboot
cp ../out/target/product/grouper/*.img .
  2. Create a file named ‘android-info.txt’ containing the following line, then save and exit:
    require board=grouper
  3. Compress the files with:
zip grouper-<romname>.zip *
  4. Flash the ROM to a device from the fastboot interface with:
fastboot erase boot
fastboot erase cache
fastboot erase recovery
fastboot erase system
fastboot erase userdata
fastboot reboot-bootloader
fastboot -w update grouper-<romname>.zip
  5. This erases all of the partitions except the bootloader, reboots and flashes the ROM update.
  6. NOTE – Do not ever flash or erase the bootloader unless you are absolutely sure you know what you are doing.
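
Worked example (added here; not the cookbook's own code and not fastboot's source), covering both the factory image flash-all.sh step and the custom zip above: ‘fastboot update <zip>’, which is also what flash-all.sh ends up running, reads the ‘require’ lines in the package's android-info.txt and compares each one against the matching ‘getvar’ value on the device, refusing to flash on a mismatch; the ‘board’ requirement is checked against what ‘fastboot getvar product’ reports (‘grouper’ for the Nexus 7). The shell functions below replay that comparison on the host, including the ‘value1|value2’ alternatives form found in factory images, so a package built for the wrong board is caught before anything is erased. The package directories, board names and bootloader version strings in the samples are constructed.

```shell
#!/bin/sh
# Added example, not from the original cookbook and not fastboot's own code.
# Before "fastboot update <zip>" (or flash-all.sh) writes anything, fastboot
# checks the "require <name>=<value>[|<value>...]" lines in the package's
# android-info.txt against the device's getvar values and refuses on a
# mismatch. These helpers replay that check on the host so a package meant for
# another board is caught before the device is erased or even rebooted.

# $1 = android-info.txt, $2 = requirement name (board, version-bootloader, ...),
# $3 = value the device reports (for "board", what "fastboot getvar product"
# prints). Succeeds when the file states no such requirement, or when the value
# matches one of the "|"-separated alternatives on the require line.
check_requirement() {
    [ -f "$1" ] || return 1
    line=$(grep "^require $2=" "$1" | head -n 1)
    [ -n "$line" ] || return 0
    prefix="require $2="
    printf '%s\n' "${line#"$prefix"}" | tr '|' '\n' | grep -qxF -- "$3"
}

# Validate the package directory $1 for a device reporting product $2 and
# bootloader version $3, naming the first requirement that fails.
check_package() {
    info="$1/android-info.txt"
    [ -f "$info" ] || { echo "no android-info.txt in $1" >&2; return 1; }
    check_requirement "$info" board "$2" ||
        { echo "$1: built for another board (device reports $2)" >&2; return 1; }
    check_requirement "$info" version-bootloader "$3" ||
        { echo "$1: bootloader version $3 not accepted" >&2; return 1; }
    echo "$1: requirements satisfied for $2 / bootloader $3"
}

# Constructed sample packages (board names and version strings are made up):
# "custom" mirrors the one-line android-info.txt built in this section;
# "factory" mimics a factory image that accepts two boards and two bootloaders.
make_sample_packages() {
    dir=$(mktemp -d)
    mkdir -p "$dir/custom" "$dir/factory"
    printf 'require board=grouper\n' > "$dir/custom/android-info.txt"
    printf 'require board=flo|deb\nrequire version-bootloader=FLO-03.14|FLO-03.15\n' \
        > "$dir/factory/android-info.txt"
    echo "$dir"
}

# Demonstration: what gets checked before "fastboot -w update grouper-<romname>.zip".
dir=$(make_sample_packages)
check_package "$dir/custom" grouper 4.23          # satisfied
check_package "$dir/custom" flo FLO-03.15         # refused: wrong board
check_package "$dir/factory" deb FLO-03.15        # satisfied via the alternatives
rm -rf "$dir"
```

With a device in the bootloader, feed the functions real values: ‘check_package ./fastboot "$(fastboot getvar product 2>&1 | awk '/^product:/ {print $2}')" "$(fastboot getvar version-bootloader 2>&1 | awk '/^version-bootloader:/ {print $2}')"’ (fastboot prints getvar results on stderr, hence the redirect). A package that fails this check would be refused by fastboot anyway, but checking first means the ‘fastboot erase’ steps above are never run for a package that cannot be flashed afterwards.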

Reference

  • Dissection of the Nakasi factory update zip file

Installing Alternate Recovery Image (TWRP) on Nexus

Overview

This section describes how to install an alternate recovery image. There are a number of recovery partition options, but my favorite is TeamWin Recovery Project (TWRP), because it is actively supported, has broad device support and has a very clean and functional user interface.

In the process below I use TeamWin Recovery Project, but you can substitute Clockwork Mod Recovery or a number of other choices of recovery image.

Process

  1. Download the TWRP image for your device.
  2. Connect the Android device to the computer, and boot to fastboot.
adb devices
adb reboot bootloader
  3. Confirm the device is recognized, and then flash the TWRP image to the recovery partition.
fastboot devices
fastboot flash recovery recovery-twrp*
fastboot reboot-bootloader
  4. Use the volume buttons to navigate to ‘recovery’ and press the power button. Wait for TWRP to boot – it can take about 10-20 seconds.
  5. Reboot the device, then enter
adb devices
adb reboot recovery
  6. If the device reboots into your alternate recovery (TWRP or Clockwork), you are done. If it cycles to an Android graphic with a red exclamation, the OS overwrote the recovery partition.
  7. In that case, reboot the device by holding the power button for about 15 – 30 seconds and let it boot. The process is then to repeat the recovery partition install, with an additional step in TWRP recovery.
  8. To prevent the stock ROM from replacing TWRP, boot TWRP, go to the mount menu and mount system, press the home button, then press Advanced -> File Manager. Browse to /system and select the file named recovery-from-boot.p, then choose to rename the file to recovery-from-boot.bak.
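
Worked example (added here; not part of the original cookbook): the stock ROM ships /system/etc/install-recovery.sh, which on boot re-applies the patch /system/recovery-from-boot.p to put the factory recovery back over whatever is in the recovery partition; that is why the rename in the last step is needed. The shell function below makes the same change from a command line instead of TWRP's file manager, checking what is there first and staying harmless if run twice. It is meant to be run over ‘adb shell’ while booted into TWRP with /system mounted read-write; the mount point is a parameter so the function can be tried against a constructed scratch directory, which is what the demonstration does.

```shell
#!/bin/sh
# Added example, not from the original cookbook. The stock ROM's
# /system/etc/install-recovery.sh re-applies /system/recovery-from-boot.p on
# boot, restoring the factory recovery over TWRP. This renames the patch file
# from a shell (the same change the text makes in TWRP's file manager), after
# checking what is present, and does nothing harmful on a second run. Run it
# over "adb shell" from TWRP with /system mounted read-write; the mount point
# is a parameter so it can be exercised on a scratch directory instead.

# $1 = system mount point. Succeeds when no recovery-from-boot.p is left active.
disable_recovery_reflash() {
    sys=$1
    patch="$sys/recovery-from-boot.p"
    if [ -f "$patch" ]; then
        mv "$patch" "$sys/recovery-from-boot.bak" ||
            { echo "rename failed (is $sys mounted read-write?)" >&2; return 1; }
        echo "renamed recovery-from-boot.p to recovery-from-boot.bak"
    elif [ -f "$sys/recovery-from-boot.bak" ]; then
        echo "recovery-from-boot.p already renamed; nothing to do"
    else
        echo "no recovery-from-boot.p under $sys; nothing for the stock ROM to re-apply"
    fi
    if [ -f "$sys/etc/install-recovery.sh" ]; then
        echo "note: $sys/etc/install-recovery.sh is still present, but now has no patch to apply"
    fi
    [ ! -f "$patch" ]
}

# Constructed scratch layout standing in for a mounted /system: just the two
# file names that matter, with placeholder contents rather than real bytes.
make_scratch_system() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc"
    printf '#!/system/bin/sh\n# constructed stand-in for the stock script\n' > "$dir/etc/install-recovery.sh"
    printf 'constructed stand-in for the recovery patch\n' > "$dir/recovery-from-boot.p"
    echo "$dir"
}

# Demonstration on the scratch directory. On a device booted into TWRP, push
# this file with "adb push" and run: sh <file>; disable_recovery_reflash /system
sys=$(make_scratch_system)
disable_recovery_reflash "$sys"    # first run renames the patch
disable_recovery_reflash "$sys"    # second run reports it is already done
rm -rf "$sys"
```

Because a later factory image reflash writes a fresh /system, it also brings recovery-from-boot.p back, so the rename has to be repeated after every return to stock.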
