[GUIDE] Howto create an insecure boot image for asus tf101

---

NOTE: I started few days ago working with the boot image.
I'm not an Android expert. If you find an error in this post, let me know.
Use this information at your own risk. If you brick your tablet, don't blame on me.
Nothing of the tools used here are written by me. I'm not taking credit for another's work.

I have rooted my tf101 with the instructions from the mashi's thread. (http://forum.xda-developers.com/show....php?t=1125714)
I was curious about the root process of our beloved tablet.
For add root at the stock firmware you need the su packages and a proper boot image.
I've worked for years on linux machines, so I know that you need the "su" command to become root.
But what about the boot image? What does it need for?

I've googled and found some information that I'd like to share with you:
For using adb as superuser, and push the su package, you need to flash a so called "insecure boot" on your tablet/phone.
The process is easy:

NOTE: Even if I'm on a Windows machine, I prefer to do this work in linux. The entire process has been done in an Ubuntu 11.04 virtual machine.

What you need:
- a PC running linux
- BootTools and BlobTools from Rayman84 (http://androidroot.mobi/)
- mkbootimg (mkbootfs is optional) from the android repository

I assume that you have all the above tools in your $PATH variable.

First of all you need a stock boot image; you can extract one from your tablet (with nvflash) or from the latest stock firmware (US-VERSION - WW-VERSION)
We're going for the official packages from the ASUS website. Download it on your home directory (or wherever you want).
Let's start:

Code:

mkdir stock_firmware
cd stock_firmware
unzip ../UpdateLauncher_WW_epaduser_84411.zip
unzip ASUS/Update/WW_epad-user-8.4.4.11.zip
blobunpack blob
bootunpack blob.LNX

Now we have a lot of "strange" files:

Code:

ASUS
blob
blob.APP
blob.EBT
blob.HEADER
blob.LNX
blob.LNX-config
blob.LNX-kernel.gz
blob.LNX-ramdisk.cpio.gz
blob.PT
blob.SOS
META-INF

For our work, we just need blob.LNX-ramdisk.cpio.gz

Code:

mkdir boot_img
cd boot_img
gunzip -dc ../blob.LNX-ramdisk.cpio.gz | cpio -i
vi default.prop (or "gedit default.prop" if you want a GUI)

Here you have to change the line "ro.secure=1" in "ro.secure=0"
The final file should appears as this:

Code:

#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=0
ro.allow.mock.location=0
ro.debuggable=0
persist.service.adb.enable=0

Almost done. Let's repack:

Code:

find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz

or alternatively:

Code:

mkbootfs ./ | gzip > ../newramdisk.cpio.gz

Finally make the boot.img:

Code:

cd ..
mkbootimg --kernel blob.LNX-kernel.gz --ramdisk newramdisk.cpio.gz -o boot.img

Now you have your boot.img, ready to be flashed with nvflash.
For information on what to do with this file, please refer to the mashi or brk threads.

Again, I've taken this information from google.
All the credits and many thanks to:
Rayman for the BlobTools and the BootTools - http://androidroot.mobi/
Mashi for his thread on rooting the stock kernel - http://forum.xda-developers.com/show....php?t=1125714
Brk for his batch script - http://forum.xda-developers.com/show....php?t=1185104

If you found this guide useful, hit the "Thanks" button.

For your convenience, you can find the tools used attached in this post (compiled on Ubuntu 11.04).

UPDATE: I have written a script (thanks gnufabio for the idea) that automatically modify a stock boot.img into an insecure one.
ex:

Code:

./insecure.sh boot.img

when the script finishes you will find a file called my_boot.img ready to be flashed with nvflash.
Bootunpack and mkbootimg should be in your $PATH.
This script doesn't do much error checking, so keep your eyes open.

HF

hey thanks very nice guide

Excellent. I've been looking around trying to work out how to package up a kernel build, this helps a great deal.

I'm assuming that I just replace the blob.LNX-kernel.gz with my built zImage?

Quote:

Originally Posted by SammyC

Excellent. I've been looking around trying to work out how to package up a kernel build, this helps a great deal.

I'm assuming that I just replace the blob.LNX-kernel.gz with my built zImage?

I haven't try but i guess yes.
If you really want to recompile/repackage the kernel, you can refer to this http://www.droidforums.net/forum/res...wn-kernel.html ; it's about the Motorola Droid, but some concepts are universal for all the android devices.

HF

Good work, btw give a look to this script i made: mcpio
Unpacking and repacking the ramdisk will be easier:

Code:

mcpio -c ramdisk-folder/
mcpio -e ramdis-archive.cpio.gz

Thanks - Very useful to have this in this section. I tried the example, and it all worked fine on an old Ubuntu dist.

Quote:

Originally Posted by gnufabio

Good work, btw give a look to this script i made: mcpio
Unpacking and repacking the ramdisk will be easier:

Code:

mcpio -c ramdisk-folder/
mcpio -e ramdis-archive.cpio.gz

Well, that's a lot easier...
I didn't know your script, thanks for sharing.

Updated the first post with a bash script to automate the entire process.

Yesterday I've succesfully recompiled the stock kernel and I'm thinking on write another guide like this one on the subject.
The process is a little complicate, i'm looking for an easy way to explain but it's hard.
Anyway I'm working on it in my spare time.

That would be great if you could.

ASUS haven't (yet) released the source for the kernel in their latest 3.2 build. If you've updated to 3.2, you can still root and repackage using this method. Just use nvflash to save off the kernel from your running device as per the backup/restore thread, then use bootunpack on that and follow the rest of the instructions