Re-signing the system

---

Various aspects of the Nook system are signed with a signature from Barnes & Noble.
There are a few places where signatures are compared.
Various system apps used a single "shared id" and they must all have the same signature.
/system/framework/framework-res.apk must have a correct signature with respect to AndroidManifest.xml.
In any case, it's your Nook, what are you going to do?

Re-signing the system

• make a full backup and make sure that it is good
• create your own signature http://developer.android.com/tools/p...p-signing.html
• make a directory for your patch
• create the subdirectory META-INF\com\google\android\
• put a copy of update-binary in there
• write a updater-script and put it in there
• create the subdirectory system\app
• create the subdirectory system\framework

For each of your APKs in /system/app and also /system/framework/framework-res.apk:

• unzip them somewhere
• delete the whole directory META-INF from them
• zip the directory
• jarsigner them with your own personal signature
• zipalign the APK (optional if you are lazy and don't see the point)
• put it in the appropriate patch directory

Then:

• zip the patch directory
• copy it to your SD card
• make sure that your WiFi is turned on if you are using ADB over WiFi!
• recovery boot using ClockworkMod
• install the patch from SD card
• reboot

updater-script

Code:

# Replace signed components
mount("ext2", "/dev/block/mmcblk0p5", "/system");
package_extract_dir("system/app", "/system/app");
package_extract_dir("system/framework", "/system/framework");
unmount("/system");

# Delete packages.xml
mount("ext3", "/dev/block/mmcblk0p8", "/data");
delete("/data/system/packages.xml");
unmount("/data");

Flies in the ointment, caveats, etc...

The packages.xml contains some form of certs that have all changed.
Right now, the simplest way I know to deal with this is just to delete packages.xml.
The problem is, this will break most user applications since the user IDs will no longer agree.
The easiest thing to do is just to reinstall them.
For applications with a lot of data, it would be best to back up the configs or data.

When you first boot up, you may think that you are in a "boot loop".
The boot animation will run continuously.
If you have ADB connect still (and you had better!) you can fix this.
Your launcher application is probably causing lots of error on startup.

There are two ways to fix the problem with the launcher (or any other app)

• uninstall and reinstall it
• go into /data/data/com.myapp.whatever and chown everything to the user id of the application.
  
  Code:

  busybox chown -R 10011: databases

  Don't chown the lib directory if there is one.

Then you should have a device that boots up normally.

Good luck, Mr. Phelps.

Quote:

Originally Posted by Renate NST

• create your own signature http://developer.android.com/tools/p...p-signing.html

Renate,
Won’t it be easier to use Andriod media key?
If we do, we can patch packages.xml, instead of deleting it, right?

Quote:

Originally Posted by Renate NST

For each of your APKs in /system/app and also /system/framework/framework-res.apk:

• unzip them somewhere
• delete the whole directory META-INF from them
• zip the directory
• jarsigner them with your own personal signature
• zipalign the APK (optional if you are lazy and don't see the point)
• put it in the appropriate patch directory

I wrote a script to do just that, can be adapted easily...

Code:

@set keystore=..\keys\media.jks
@set storepass=android
@set alias=media
@set resigned_dir=.\new

@for %%i in ( .\*.apk ) do @(
  echo %%i
  copy %%i %resigned_dir%\%%~ni_%%~xi
  zip -d %resigned_dir%\%%~ni_%%~xi META-INF\*
  jarsigner -keystore %keystore% -storepass %storepass% %resigned_dir%\%%~ni_%%~xi %alias%
  zipalign -f 4 %resigned_dir%\%%~ni_%%~xi %resigned_dir%\%%~ni%%~xi
  del %resigned_dir%\%%~ni_%%~xi
)
@goto :eof

Just my 2 cents…

---------- Post added at 04:31 PM ---------- Previous post was at 04:22 PM ----------

Quote:

Originally Posted by Renate NST

...
Then you should have a device that boots up normally.
Good luck, Mr. Phelps.

Guys,
If you run into a problem following Renate steps, it’ll be practically impossible to troubleshot without logcat log.
It might be a bit safer to use ADB over USB then over Wireless.
Even if you run into boot loop, ADB should work still.
I’m not 100% sure, if you need framework operational to establish wireless connection (for ADB to use).
ADB over USB definitely doesn't need framework running.

Yes, of course I used a script to resign the individual APKs.
Yours is nice though.

I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?
Did you re-sign framework-res.apk too?

Well, one advantage of deleting packages.xml is that it gets rid of the cruft.

I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.

P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.
It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.

That's also a warning to not presume that your Nook is dead just because the display loops.

Quote:

Originally Posted by Renate NST

Yes, of course I used a script to resign the individual APKs.
Yours is nice though.

Thank you!

Quote:

Originally Posted by Renate NST

I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?

I don’t remember now, it was long time ago.
AFAIR, it was 4 keys
testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.
You can download them still from Google repository
http://mirror.yongbok.net/pub/pub/li...duct/security/
Most ppl call media key androiddebug key, don’t ask me why.

Quote:

Originally Posted by Renate NST

Did you re-sign framework-res.apk too?

Not as of now. Waiting for your Reader.apk...

Quote:

Originally Posted by Renate NST

Well, one advantage of deleting packages.xml is that it gets rid of the cruft.

I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.

I dunno if it recreates UserID properly.
I.e. you have apps A, B, C installed they got UserIDs 10001, 10002 & 10003 respectively.
Then you uninstall A & B and delete delete packages.xml, would C get 10003 still?
Need to test it.

Quote:

Originally Posted by Renate NST

P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.

Yep. Thanks for confirming this!

Quote:

Originally Posted by Renate NST

It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.
That's also a warning to not presume that your Nook is dead just because the display loops.

When I see Nook booting image "with running dots", ADB is up already.
I was under impressing that’s the image ppl see while in boot loop.
ps shows it as bootanimation process
I guess, we are NOT on the same page again…

The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.

Quote:

Originally Posted by Renate NST

The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.

Renate,
I neither completely agree with you on bootanimation app nor want to pollute this thread with useless (IMO) discussion about it. If you want discuss it further – could you open another thread?

Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.

There are a number of problems with that, starting out that the opening screen is white on white.
Also, my Nook seems to think it's a phone now and the hack that I did for the "n" button is broken.

I switched back to the stock version.
On the plus side, my Nook now opens with just a button press and no swiping.
I remember some people were interested in that.
It's probably something in settings.db

Quote:

Originally Posted by Renate NST

Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.

AFAIR, everything on emulator is signed with keys I posted and nothing with B&N key - you don't need to resign.

Quote:

Originally Posted by Renate NST

Various aspects of the Nook system are signed with a signature from Barnes & Noble.

Renate,
I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Pull (backup) them to PC
Resign
Stop framework
Push resigned APKs to NST
Replace B&N cert reference in packages.xml to the one we used
Start framework
It might be some manual steps...
Do you think it might be useful?

And another script to restore...

First thing, I think that doing a system update to replace (as recommended in my first post) is overkill.
I wasn't sure whether simply starting and stopping the framework from the shell would be sufficient.
Apparently it is.
My only excuse is that I've bricked my Nook about 20 times and was being conservative.

What you want to sign your Nook with is your choice.
I hadn't looked into using any common signatures.
Android only mentions the single debug key in their documentation.
The emulator apks are signed with an Android signature, but not the same as the debug key.

Quote:

Originally Posted by ApokrifX

I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'

Ok, but there is also all the other sharedUserId="1000"

I'm not sure how the cert references work in packages.xml

Does it work for framework-res.apk too?