Modded recovery and boot images

JesusFreke

Inactive Recognized Developer
Oct 23, 2008
736
54
Dallas
Here is a zip file containing a modified recovery and boot image, as well as a few other things:
http://rapidshare.com/files/166164961/AndroidMod.zip
http://jf.nyquil.org/AndroidMod.zip
http://android-dls.com/forum/index.php?f=24&t=191&rb_v=viewtopic (see post for actual link to file)


NOTE: if you need a complete RC30 to v1.3 guide, see this page.


The recovery image (recovery_testkeys.img) uses the test keys that are distributed with the Android platform source. This means that an OTA update or an update.zip update must be signed with the test key in order for it to install. In other words, it will no longer install OTA updates from T-Mobile. You don't want them stealing back root access from you now, do you? :).

I've also included the test keys and the SignApk.jar tool, so you can sign your own update scripts (for use only with the modified recovery image). You can re-sign any image, even if it has been signed before. So for example, if you needed to install an "official" T-Mobile update, you must re-sign it with the test keys first.

Another bonus in this recovery image is that ADB is enabled while in recovery mode. You can't adb into a shell (no sh binary), but you can at least use it to push and pull files from the device. For example, you could push an update.zip file to the sdcard.


The boot image (boot_nosecure.img) has been modified so that adb has root access by default. So when you do an adb shell, you automatically get a root shell. You can remount the system image using adb, and then push files directly to the system partition.


Finally, the "update - Restore Original RC29 Boot Image.zip" file is an update.zip file signed with the test keys, which will restore your boot partition back to the stock RC29 image. Useful if you accidentally hose your boot partition..



To install the recovery image onto your phone:

Code:
D:\Android\AndroidMod>adb push recovery_testkeys.img /data/local/recovery.img
912 KB/s (0 bytes in 1767424.001s)

D:\Android\AndroidMod>adb shell
$ su
su
# mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system
# cd /system
cd /system
# cat /data/local/recovery.img > recovery.img
cat /data/local/recovery.img > recovery.img
# flash_image recovery recovery.img
flash_image recovery recovery.img
#


Note: You must place the recovery image at /system/recovery.img. The init.rc boot script automatically flashes the recovery partition with that file every time you boot up the phone.

At this point, it's probably a good idea to reboot the phone into recovery mode, and make sure it loads OK. If the recovery image is corrupt somehow, it will throw you back into SPL mode (the multi-color bootloader screen). If that happens, just boot the phone normally, and reflash the recovery image.

Once it boots into recovery mode, press alt+L, and the next to top line of text should say something like "using test keys.". If it doesn't, then you're still using the original recovery image.



Note: If you are planning on installing the modified RC30 update, you can ignore the following - there is no need to install the boot image. The update already has a newer, modified boot image.


Now that you know you have the modified recovery image loaded, you can install the boot image:

Code:
D:\Android\AndroidMod>adb push boot_nosecure.img /data/local/boot.img
939 KB/s (0 bytes in 1533952.001s)

D:\Android\AndroidMod>adb shell
$ su
su
# flash_image boot /data/local/boot.img
flash_image boot /data/local/boot.img
# rm /data/local/boot.img
rm /data/local/boot.img
#

Now reboot the phone and let it boot normally. If the boot image was corrupted, it will boot into recovery mode instead. You can use the included update zip file to reload the original RC29 boot image.

Otherwise, if it boots up normally, open a command prompt however you like (telnet, adb, terminal emulator app, etc.) and type "getprop ro.secure". If it says 0, then you're running the modified boot image. Otherwise, if it says 1, you're still running the original boot image.
 

JesusFreke

Inactive Recognized Developer
Oct 23, 2008
736
54
Dallas
Attachment..

Hmm. It doesn't look like the attachment made it.. Does anyone have some space I could throw the file up at? It's around 5mb.
 

JesusFreke

Inactive Recognized Developer
Oct 23, 2008
736
54
Dallas
Any way to test and make sure I did this correctly.. other than my phone booted and is not a paperweight

To check the boot image, boot the phone normally, and then get a shell with adb. Type "id", and see if you are root :)

To check the recovery image, boot up the phone into recovery mode. Once you're in recovery mode, Press alt-l to show the text. The next to top line should say something like "using test keys"
 

neoobs

Retired Moderator
Mar 25, 2008
1,239
11
To check the boot image, boot the phone normally, and then get a shell with adb. Type "id", and see if you are root :)

To check the recovery image, boot up the phone into recovery mode. Once you're in recovery mode, Press alt-l to show the text. The next to top line should say something like "using test keys"

When will we see the files? Can you just upload to RS and we will mirror?
 

jriley60

Senior Member
Nov 1, 2008
198
1
Atlanta
boot.img is in correct. Assuming typing id in telnet returning uid=0(root) gid=0(root) means I'm root then I'm good, thank you so much. Looks like I really should install the emulator, it might make things a little easier
 

JesusFreke

Inactive Recognized Developer
Oct 23, 2008
736
54
Dallas
boot.img is in correct. Assuming typing id in telnet returning uid=0(root) gid=0(root) means I'm root then I'm good, thank you so much. Looks like I really should install the emulator, it might make things a little easier


Well, that does mean you have root, but that doesn't say anything about whether the boot.img was installed correctly. If you're telneting in, then you would have root access regardless of whether you are running a stock boot image or my modified one.

My boot image allows adb to connect to the phone as root. If you don't use adb, there's no reason to install my modified boot image.




Actually, there's an easier way to tell if you're running my boot image. Get to a command prompt (telnet, adb, terminal emulator app, whatever), and type

getprop ro.secure

If it says 0, then you correctly installed my boot image. Otherwise, if it says 1, you're still running the stock image.
 

quedijo

Senior Member
Jul 19, 2007
86
2
Thanks! Was waiting for this.

Now to screw with my phone like crazy :p
 

RyeBrye

Member
Oct 30, 2008
49
6
Not that I don't trust you... but...

Ok... I don't trust you implicitly enough to reflash my phone with your stuff :)

Any chance you can post diffs against the android source tree so I can apply your changes and build it myself?

No offense - I just like to know what's going on...
 

JesusFreke

Inactive Recognized Developer
Oct 23, 2008
736
54
Dallas
Ok... I don't trust you implicitly enough to reflash my phone with your stuff :)

Any chance you can post diffs against the android source tree so I can apply your changes and build it myself?

No offense - I just like to know what's going on...

Not at all :)

The recovery tool is just a stock build (almost) from the android source, using the test keys, which is the default if you don't specify keys of your own. The only change I made was to make it print out "using test keys" when it runs, just to make it easy to tell if it's running. I can give you a diff if you really want.. but it's a simple change though, and doesn't affect the actual functionality.


For the boot image, I replaced the initramfs image in the boot.img included in the official RC29 update, with the initramfs image from a default build of the android source, which has the ro.secure property set to 0.

I first tried the boot.img that was generated by the default android build, but I had issues with getting wifi to work, so I tried merging the initramfs image with the RC29 boot.img, and it seems to work fine.

I suspect you could accomplish the same thing by extracting the initramfs image from the RC29 boot.img, un-gzipping and un-cpioing it, and then modifying the default.prop file to set ro.secure to 0. Then you would have to package it back up and stick it back into the RC29 boot.img.

ro.secure is the property that the adb service looks at to determine if it should use root user, or drop to the shell user. When ro.secure is 0, adb will run as root.


It can be a bit of a pain to get the android source to build though. Make sure you get the dream specific product files (they aren't downloaded by default when you do a "repo sync"). You'll also encounter issues where it can't find libaudio.so or librpc.so. You'll have to copy these from the phone to a couple of output folders in order for the build to proceed.

If you get stuck, feel free to give me a holler and I'll try and help out.

Be warned.. the build takes quite a while.. on the order of an hour or two at least. But then again, I was doing it in a VM.. it may be faster if you do it on a native linux box.
 

humble

Senior Member
Dec 17, 2007
199
5
Samsung Galaxy Tab S8
I can't get it to work. I know I'm doing something wrong :( Can you (everyone) help me out (I have Vista 64)? I get this error

this is what I type
# C:\Android\AndroidMod>adb push recovery_testkeys.img /data/local/recovery.img

this is the error
C:AndroidAndroidMod: not found

please and thank you

EDIT: could we do it off the sdcard?

EDIT2: I think I found my own mistake: this can't be done in Windows, I need to have a shell with adb, meaning time to whip out a VM
 

alansj

Member
Nov 6, 2008
44
47
For the boot image, I replaced the initramfs image in the boot.img included in the official RC29 update, with the initramfs image from a default build of the android source, which has the ro.secure property set to 0.

I first tried the boot.img that was generated by the default android build, but I had issues with getting wifi to work, so I tried merging the initramfs image with the RC29 boot.img, and it seems to work fine.

Can you talk more about this step of the process? How did you do this "merging"? Did you use mkbootimg?

I suspect you could accomplish the same thing by extracting the initramfs image from the RC29 boot.img, un-gzipping and un-cpioing it, and then modifying the default.prop file to set ro.secure to 0. Then you would have to package it back up and stick it back into the RC29 boot.img.

And this could be done without going through the whole process of doing an Android build, right? I'm just thinking about how one might build a simple utility to allow editing of the ramdisk.
 

JesusFreke

Inactive Recognized Developer
Oct 23, 2008
736
54
Dallas
Can you talk more about this step of the process? How did you do this "merging"? Did you use mkbootimg?

I just used the good ol hex-editor. The gzip file starts with a few specific bytes (don't remember them offhand..), so you can search through the image. There are 2 gzip files, the initramfs is the last one. In mine, it starts at offset 0x00154000.

Once you find it, just cut it out and dump the new one in (there is some 00 padding after the gzip file ends.. not sure if you need to keep the padding or not). You also have to update the size of the initramfs, which is at offset 0x00000010.


And this could be done without going through the whole process of doing an Android build, right? I'm just thinking about how one might build a simple utility to allow editing of the ramdisk.

Yes.
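
An added example, not part of the original post or JesusFreke's tooling: the hex-editor inspection described above, done read-only in Python so an image can be checked for ro.secure before it is flashed. It assumes the standard Android boot image header (magic ANDROID!, kernel size at 0x08, ramdisk size at 0x10 as the post says, page size at 0x24) and a gzip-compressed "newc" cpio ramdisk; the function names and the sample image are constructed for illustration.

```python
import gzip, struct

def pad(n, align):
    return (n + align - 1) // align * align

def ramdisk_from_boot(img: bytes) -> bytes:
    """Return the decompressed ramdisk (initramfs) of an Android boot image."""
    if img[:8] != b"ANDROID!":
        raise ValueError("not an Android boot image")
    kernel_size, _, ramdisk_size = struct.unpack_from("<3I", img, 0x08)  # 0x10 = ramdisk size
    page, = struct.unpack_from("<I", img, 0x24)
    start = page + pad(kernel_size, page)  # header page, then page-aligned kernel
    blob = img[start:start + ramdisk_size]
    if blob[:2] != b"\x1f\x8b":  # gzip magic bytes
        raise ValueError("ramdisk is not gzip-compressed")
    return gzip.decompress(blob)

def cpio_files(data: bytes) -> dict:
    """Parse a 'newc' cpio archive into {name: content}."""
    files, pos = {}, 0
    while data[pos:pos + 6] == b"070701":
        # 13 eight-digit hex fields follow the magic; [6]=file size, [11]=name size
        fields = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        size, namesize = fields[6], fields[11]
        name = data[pos + 110:pos + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        body = pad(pos + 110 + namesize, 4)
        files[name] = data[body:body + size]
        pos = pad(body + size, 4)
    return files

def ro_secure(img: bytes):
    """Value of ro.secure in the ramdisk's default.prop, or None if absent."""
    text = cpio_files(ramdisk_from_boot(img)).get("default.prop", b"").decode()
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "ro.secure":
            return val.strip()
    return None

def cpio_entry(name: str, content: bytes) -> bytes:
    n = name.encode() + b"\0"
    out = b"070701" + b"".join(b"%08X" % v for v in
        (0, 0o100644, 0, 0, 1, 0, len(content), 0, 0, 0, 0, len(n), 0)) + n
    out = out.ljust(pad(len(out), 4), b"\0") + content
    return out.ljust(pad(len(out), 4), b"\0")

def make_sample(value: str, page: int = 2048) -> bytes:
    """Constructed test image: dummy kernel plus a ramdisk holding only default.prop."""
    prop = b"ro.secure=" + value.encode() + b"\n"
    rd = gzip.compress(cpio_entry("default.prop", prop) + cpio_entry("TRAILER!!!", b""))
    hdr = struct.pack("<8s8I", b"ANDROID!", 3000, 0, len(rd), 0, 0, 0, 0, page)
    return b"".join(p.ljust(pad(len(p), page), b"\0") for p in (hdr, b"K" * 3000, rd))
```

On a real image, pass the file's bytes to ro_secure(); per the thread, 0 is the modified image where adb runs as root and 1 is the stock setting.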
 

Darkrift

Senior Member
Oct 5, 2006
535
22
San Tan Valley, Arizona
JesusFreke, per some requests in #android on freenode I have set up a wiki (not a device wiki like xda's but more like an "information about android/g1 and how to tweak it" wiki) and would like to put this on there. Let me know if you care (unless you would like to add it in your own words). The wiki is http://android-dls.com/wiki and it's still very new, but I'm trying to get it built up (RyeBrye is doing most of the work).
 

quedijo

Senior Member
Jul 19, 2007
86
2
I can't get it to work. I know I'm doing something wrong :( Can you (everyone) help me out (I have Vista 64)? I get this error

this is what I type
# C:\Android\AndroidMod>adb push recovery_testkeys.img /data/local/recovery.img

this is the error
C:AndroidAndroidMod: not found

please and thank you

EDIT: could we do it off the sdcard?

First off, you do know that when we refer to "C:\..." we refer to Windows via a command prompt (or "cmd") and when you see "# ..." we refer to a shell connection to the Android phone.

Second, you do have the Android SDK, right? If not, download it HERE. Now extract that to a folder, preferably close to the C: root. (ex. C:\AndroidSDK)

1) Either extract/copy the files from the "AndroidMod.zip" to the Android Tools folder from the SDK (ex. C:\AndroidSDK\Tools) OR copy "adb.exe" and "AdbWinApi.dll" from the Android Tools folder from the SDK (ex. C:\AndroidSDK\Tools) to the folder where you have extracted the "AndroidMod.zip" to.

2) Open up a command prompt. Start -> Run (or Windows key + R) and type "cmd"

3) CD to the directory where the files are.

EXAMPLE:
C:\Users\[your_user_name_here]> cd \
C:\> cd androidsdk\tools
C:\AndroidSDK\Tools>

4) Now follow the Instructions.
 
