[Q] Multiboot on rooted, locked bootloader devices with switch_root, is it possible?
I own a rooted Asus Transformer Pad 300T. Being a big Linux (Linux as in GNU/Linux) fan, I wanted to install Arch Linux on it. This does, however, require an unlocked bootloader. Out of the box, the bootloader is locked, although it can be unlocked with an app provided by Asus. Unlocking does, however, void the warranty on the tablet, and this is unacceptable for me and many other users.
This is why, over the past few weeks, I have been searching around XDA and the web to find alternative ways of flashing custom ROMs, leaving the bootloader locked and keeping my precious warranty. One of the first things I bumped into was kexec. Although perfectly suited to my needs, kexec is problematic in combination with the Tegra 3 SoC: it freezes in the process of switching kernels, the cause of this is unknown and very hard to debug. To overcome this, kexec-hardboot was created: a variant of kexec involving a cold reboot. Kexec-hardboot is, however, not suitable for locked bootloaders: it requires flashing a custom kernel, which isn't an option in this situation.
Although it appears impossible to boot an alternative kernel, I figured it might be possible to switch to a different root partition, leaving the kernel unharmed. This is my plan to achieve this:
After successfully booting stock android, an app/script performs the following operations:
The actions:
- ActivityManager, Bluetooth and radio are shut down (this is what happens when normally shutting down Android, before filesystems are unmounted)
- rootfs is remounted read-write and the directory '/tmproot' is created
- an instance of tmpfs is mounted on /tmproot; an initramfs-like structure is created with a static busybox and a special script 'init'
- '/system', '/data', '/cache' and similar partitions are unmounted (this should be equivalent to shutting down the mount service)
- Android's init process is instructed to run 'exec /tmproot/busybox switch_root /tmproot init'; /tmproot becomes '/' and the 'init' script is executed
- the 'init' script mounts the partition/image file containing the Arch Linux filesystem and performs another 'exec switch_root', making the Arch Linux fs '/' and starting systemd (Arch Linux's alternative to init) as PID 1
- systemd follows its normal startup sequence: Arch Linux is successfully booted!
Although this is currently nothing but a fantasy, I believe this idea should work. There is only one thing I have not yet found the solution to: the process calling 'exec switch_root' must be PID 1. This means the Android 'init' process has to run the command directly. The obvious thing to do here would of course be to modify init.rc to execute this when told to, but as init.rc lives in the initramfs, I can't make any modifications that would survive a reboot.
So to cut things short: How do I make init run a custom command on runtime?
Thanks in advance,
An android hacking noob
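The second-stage 'init' script that the plan above describes, as an added example (mine, not the poster's code and not part of busybox). It assumes the tmpfs holds a static busybox with its applet symlinks installed under /bin (`busybox --install -s /bin`, so `/bin/sh`, `mount`, `awk`, `mdev` and `switch_root` all resolve), that the Arch root lives on a hypothetical ext4 partition `/dev/block/mmcblk1p1`, and that systemd is at its usual Arch path. The main point it adds to the plan is the set of checks busybox's `switch_root` applet performs before it deletes the old root's contents and pivots: it must be PID 1, the current `/` must be ramfs or tmpfs, `/init` must be a regular file, and the new root must be a mount point. The script repeats those checks itself so a mistake ends in an error message and an emergency shell instead of a kernel panic. It also recreates /proc, /sys and /dev in the tmpfs, since the old root's API mounts are left behind by the first switch_root.

```shell
#!/bin/sh
# Second-stage /init for the tmpfs root (added example, not the poster's code).
# Assumes: a static busybox in the tmpfs with applet symlinks installed under
# /bin (busybox --install -s /bin), so sh/mount/awk/mdev/switch_root resolve;
# the Arch root on a hypothetical ext4 partition /dev/block/mmcblk1p1.

ARCH_DEV=${ARCH_DEV:-/dev/block/mmcblk1p1}   # hypothetical, adjust to the device
ARCH_FSTYPE=${ARCH_FSTYPE:-ext4}
NEWROOT=/newroot
MOUNTS=${MOUNTS:-/proc/self/mounts}
SYSTEMD=/usr/lib/systemd/systemd               # Arch's PID 1

# busybox switch_root refuses to run unless "/" is ramfs or tmpfs, because it
# deletes everything on the old root device before pivoting into the new one.
fs_is_ram() {
    case "$1" in
        ramfs|tmpfs) return 0 ;;
        *)           return 1 ;;
    esac
}

# Filesystem type of whatever is mounted on "/" right now (last entry wins,
# since /proc/self/mounts lists mounts in the order they were made).
root_fstype() {
    awk '$2 == "/" { t = $3 } END { print t }' "${1:-$MOUNTS}"
}

# switch_root does mount(".", "/", MS_MOVE) and fails unless NEWROOT is itself
# a mount point, so check the mount table rather than just the directory.
is_mountpoint() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "${2:-$MOUNTS}"
}

# Both switch_root and systemd insist on being PID 1.
require_pid1() {
    [ "$$" -eq 1 ]
}

# The same sanity checks switch_root makes, done here so the failure is a
# readable message and an emergency shell instead of a kernel panic.
preflight() {
    require_pid1 || { echo "init: PID is $$, not 1; refusing" >&2; return 1; }
    fs_is_ram "$(root_fstype)" || { echo "init: / is not ramfs/tmpfs" >&2; return 1; }
    [ -f /init ] || { echo "init: /init is not a regular file" >&2; return 1; }
    is_mountpoint "$NEWROOT" || { echo "init: $NEWROOT is not a mount point" >&2; return 1; }
}

stage2() {
    # After the first switch_root the old root's /proc, /sys and /dev are gone
    # with it, so recreate them in the tmpfs before touching any block device.
    mkdir -p /proc /sys /dev "$NEWROOT"
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t tmpfs -o mode=0755 tmpfs /dev
    mdev -s                                   # populate /dev from /sys
    mount -t "$ARCH_FSTYPE" -o ro "$ARCH_DEV" "$NEWROOT" \
        || { echo "init: cannot mount $ARCH_DEV" >&2; return 1; }
    preflight || { umount "$NEWROOT"; return 1; }
    # Hand over: the tmpfs contents are deleted, $NEWROOT becomes "/", and
    # systemd replaces this shell as PID 1 (it mounts /proc, /sys, /dev itself).
    exec switch_root "$NEWROOT" "$SYSTEMD"
}

# Only act as init when we really are PID 1; otherwise (sourced from a shell
# for inspection or testing) just define the functions above.
if require_pid1; then
    stage2 || exec sh      # emergency shell rather than "attempted to kill init"
fi
```

Because the old root is a tmpfs that switch_root wipes anyway, the `rm -rf /` that the applet performs is harmless here; the checks matter for the case where the script is started from the wrong root, which is exactly when they save the device's real filesystems.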