[GUIDE] Howto create an insecure boot image for asus tf101

rebound821 · Jul 30, 2011

NOTE: I started few days ago working with the boot image.
I'm not an Android expert. If you find an error in this post, let me know.
Use this information at your own risk. If you brick your tablet, don't blame on me.
Nothing of the tools used here are written by me. I'm not taking credit for another's work.

I have rooted my tf101 with the instructions from the mashi's thread. (http://xdaforums.com/showthread.php?t=1125714)
I was curious about the root process of our beloved tablet.
For add root at the stock firmware you need the su packages and a proper boot image.
I've worked for years on linux machines, so I know that you need the "su" command to become root.
But what about the boot image? What does it need for?

I've googled and found some information that I'd like to share with you:
For using adb as superuser, and push the su package, you need to flash a so called "insecure boot" on your tablet/phone.
The process is easy:

NOTE: Even if I'm on a Windows machine, I prefer to do this work in linux. The entire process has been done in an Ubuntu 11.04 virtual machine.

What you need:
- a PC running linux
- BootTools and BlobTools from Rayman84 (http://androidroot.mobi/)
- mkbootimg (mkbootfs is optional) from the android repository

I assume that you have all the above tools in your $PATH variable.

First of all you need a stock boot image; you can extract one from your tablet (with nvflash) or from the latest stock firmware (US-VERSION - WW-VERSION)
We're going for the official packages from the ASUS website. Download it on your home directory (or wherever you want).
Let's start:

Code:

mkdir stock_firmware
cd stock_firmware
unzip ../UpdateLauncher_WW_epaduser_84411.zip
unzip ASUS/Update/WW_epad-user-8.4.4.11.zip
blobunpack blob
bootunpack blob.LNX

Now we have a lot of "strange" files:

Code:

ASUS
blob
blob.APP
blob.EBT
blob.HEADER
blob.LNX
blob.LNX-config
blob.LNX-kernel.gz
blob.LNX-ramdisk.cpio.gz
blob.PT
blob.SOS
META-INF

For our work, we just need blob.LNX-ramdisk.cpio.gz

Code:

mkdir boot_img
cd boot_img
gunzip -dc ../blob.LNX-ramdisk.cpio.gz | cpio -i
vi default.prop (or "gedit default.prop" if you want a GUI)

Here you have to change the line "ro.secure=1" in "ro.secure=0"
The final file should appears as this:

Code:

#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=0
ro.allow.mock.location=0
ro.debuggable=0
persist.service.adb.enable=0

Almost done. Let's repack:

Code:

find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz

or alternatively:

Code:

mkbootfs ./ | gzip > ../newramdisk.cpio.gz

Finally make the boot.img:

Code:

cd ..
mkbootimg --kernel blob.LNX-kernel.gz --ramdisk newramdisk.cpio.gz -o boot.img

Now you have your boot.img, ready to be flashed with nvflash.
For information on what to do with this file, please refer to the mashi or brk threads.

Again, I've taken this information from google.
All the credits and many thanks to:
Rayman for the BlobTools and the BootTools - http://androidroot.mobi/
Mashi for his thread on rooting the stock kernel - http://xdaforums.com/showthread.php?t=1125714
Brk for his batch script - http://xdaforums.com/showthread.php?t=1185104

If you found this guide useful, hit the "Thanks" button.

For your convenience, you can find the tools used attached in this post (compiled on Ubuntu 11.04).

UPDATE: I have written a script (thanks gnufabio for the idea) that automatically modify a stock boot.img into an insecure one.
ex:

Code:

./insecure.sh boot.img

when the script finishes you will find a file called my_boot.img ready to be flashed with nvflash.
Bootunpack and mkbootimg should be in your $PATH.
This script doesn't do much error checking, so keep your eyes open.

HF

maxwintrobe · Jul 31, 2011

hey thanks very nice guide

SammyC · Jul 31, 2011

Excellent. I've been looking around trying to work out how to package up a kernel build, this helps a great deal.

I'm assuming that I just replace the blob.LNX-kernel.gz with my built zImage?

rebound821 · Jul 31, 2011

SammyC said:
Excellent. I've been looking around trying to work out how to package up a kernel build, this helps a great deal.

I'm assuming that I just replace the blob.LNX-kernel.gz with my built zImage?

I haven't try but i guess yes.
If you really want to recompile/repackage the kernel, you can refer to this http://www.droidforums.net/forum/rescue-squad-guides/31452-how-compile-your-own-kernel.html ; it's about the Motorola Droid, but some concepts are universal for all the android devices.

HF

gnufabio · Jul 31, 2011

Good work, btw give a look to this script i made: mcpio
Unpacking and repacking the ramdisk will be easier:

Code:

mcpio -c ramdisk-folder/
mcpio -e ramdis-archive.cpio.gz

hachamacha · Jul 31, 2011

Thanks - Very useful to have this in this section. I tried the example, and it all worked fine on an old Ubuntu dist.

rebound821 · Jul 31, 2011

gnufabio said:
Good work, btw give a look to this script i made: mcpio
Unpacking and repacking the ramdisk will be easier:

Code:

mcpio -c ramdisk-folder/ mcpio -e ramdis-archive.cpio.gz

Well, that's a lot easier...
I didn't know your script, thanks for sharing.

rebound821 · Aug 1, 2011

Updated the first post with a bash script to automate the entire process.

Yesterday I've succesfully recompiled the stock kernel and I'm thinking on write another guide like this one on the subject.
The process is a little complicate, i'm looking for an easy way to explain but it's hard.
Anyway I'm working on it in my spare time.

SammyC · Aug 1, 2011

That would be great if you could.

raypou · Aug 5, 2011

ASUS haven't (yet) released the source for the kernel in their latest 3.2 build. If you've updated to 3.2, you can still root and repackage using this method. Just use nvflash to save off the kernel from your running device as per the backup/restore thread, then use bootunpack on that and follow the rest of the instructions

rebound821 · Aug 5, 2011

raypou said:
ASUS haven't (yet) released the source for the kernel in their latest 3.2 build. If you've updated to 3.2, you can still root and repackage using this method. Just use nvflash to save off the kernel from your running device as per the backup/restore thread, then use bootunpack on that and follow the rest of the instructions

it's exactly the method used here: http://xdaforums.com/showthread.php?t=1198303

theMIROn · Aug 6, 2011

If anyone interested, here're win32 binaries of BlobTools and BootTools
Just compiled from git repo.

nex7er · Aug 25, 2011

I unpacked a rom with a kernelblob in the root directory, and edited init.rc. Which command should I use to repackage it? If I follow the guide (instead of boot.img I used kernelblob, no extension) I get the EEE Pad logo then scrambled, colored lines all over.

If I, however, install the base rom, then the one where I changed something in the kernelblob, it boots up.

brk · Sep 1, 2011

theMIROn said:
If anyone interested, here're win32 binaries of BlobTools and BootTools
Just compiled from git repo.

Hi, makebootimg.exe doesn't work. It gives error saying: error: could not load kernel 'blob.LNX-kernel.gz'
Tried same files in linux and worked fine.
Can you try to fix this?

EDIT: tried to compile myself but got the same issue. I think is related with the need to change source code to make this run on windows.

brk · Sep 7, 2011

Working boottools for windows available here: http://xdaforums.com/showpost.php?p=17237701&postcount=443

theMIROn · Sep 25, 2011

brk said:
Hi, makebootimg.exe doesn't work. It gives error saying: error: could not load kernel 'blob.LNX-kernel.gz'
Tried same files in linux and worked fine.
Can you try to fix this?

yep, it's code issue
attached BootTools-Win32.zip with fixed mkbootimg.exe

maframan · May 6, 2012

is there this guide for tf201?

BR
Maframan

philburkhardt · May 6, 2012

maframan said:
is there this guide for tf201?

BR
Maframan

You should probably check the TF201 forum.

Thing O Doom · May 19, 2012

Could this method be used to pack a new Splash Screen? (I want to change that annoying ASUS logo to something better) Would I go about the Flash_Image method to flash the image after compiled? (I do Not have NvFlash, but I am rooted with Cwm)
Which blobs would I modify as well, just the EBT?

serti6610 · Nov 22, 2015

rebound821 said:
NOTE: I started few days ago working with the boot image.
I'm not an Android expert. If you find an error in this post, let me know.
Use this information at your own risk. If you brick your tablet, don't blame on me.
Nothing of the tools used here are written by me. I'm not taking credit for another's work.

I have rooted my tf101 with the instructions from the mashi's thread. (http://xdaforums.com/showthread.php?t=1125714)
I was curious about the root process of our beloved tablet.
For add root at the stock firmware you need the su packages and a proper boot image.
I've worked for years on linux machines, so I know that you need the "su" command to become root.
But what about the boot image? What does it need for?

I've googled and found some information that I'd like to share with you:
For using adb as superuser, and push the su package, you need to flash a so called "insecure boot" on your tablet/phone.
The process is easy:

NOTE: Even if I'm on a Windows machine, I prefer to do this work in linux. The entire process has been done in an Ubuntu 11.04 virtual machine.

What you need:
- a PC running linux
- BootTools and BlobTools from Rayman84 (http://androidroot.mobi/)
- mkbootimg (mkbootfs is optional) from the android repository

I assume that you have all the above tools in your $PATH variable.

First of all you need a stock boot image; you can extract one from your tablet (with nvflash) or from the latest stock firmware (US-VERSION - WW-VERSION)
We're going for the official packages from the ASUS website. Download it on your home directory (or wherever you want).
Let's start:

Code:

mkdir stock_firmware cd stock_firmware unzip ../UpdateLauncher_WW_epaduser_84411.zip unzip ASUS/Update/WW_epad-user-8.4.4.11.zip blobunpack blob bootunpack blob.LNX

Now we have a lot of "strange" files:

Code:

ASUS blob blob.APP blob.EBT blob.HEADER blob.LNX blob.LNX-config blob.LNX-kernel.gz blob.LNX-ramdisk.cpio.gz blob.PT blob.SOS META-INF

For our work, we just need blob.LNX-ramdisk.cpio.gz

Code:

mkdir boot_img cd boot_img gunzip -dc ../blob.LNX-ramdisk.cpio.gz | cpio -i vi default.prop (or "gedit default.prop" if you want a GUI)

Here you have to change the line "ro.secure=1" in "ro.secure=0"
The final file should appears as this:

Code:

# # ADDITIONAL_DEFAULT_PROPERTIES # ro.secure=0 ro.allow.mock.location=0 ro.debuggable=0 persist.service.adb.enable=0

Almost done. Let's repack:

Code:

find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz

or alternatively:

Code:

mkbootfs ./ | gzip > ../newramdisk.cpio.gz

Finally make the boot.img:

Code:

cd .. mkbootimg --kernel blob.LNX-kernel.gz --ramdisk newramdisk.cpio.gz -o boot.img

Now you have your boot.img, ready to be flashed with nvflash.
For information on what to do with this file, please refer to the mashi or brk threads.

Again, I've taken this information from google.
All the credits and many thanks to:
Rayman for the BlobTools and the BootTools - http://androidroot.mobi/
Mashi for his thread on rooting the stock kernel - http://xdaforums.com/showthread.php?t=1125714
Brk for his batch script - http://xdaforums.com/showthread.php?t=1185104

If you found this guide useful, hit the "Thanks" button.

For your convenience, you can find the tools used attached in this post (compiled on Ubuntu 11.04).

UPDATE: I have written a script (thanks gnufabio for the idea) that automatically modify a stock boot.img into an insecure one.
ex:

Code:

./insecure.sh boot.img

when the script finishes you will find a file called my_boot.img ready to be flashed with nvflash.
Bootunpack and mkbootimg should be in your $PATH.
This script doesn't do much error checking, so keep your eyes open.

HF

Hi Sir,

First of all thankyou for you guide because I did follow you guide and created the insecure boot.image succesfully. I still have one problem, after flashing the boot.image, I still could not root the android device. Why is that? Do I need to change something else in the boot.img?

[GUIDE] Howto create an insecure boot image for asus tf101

Senior Member

Attachments

Senior Member

Member

Senior Member

Retired Recognized Developer

Senior Member

Senior Member

Senior Member

Member

Member

Senior Member

Member

Attachments

Senior Member

Senior Member

Senior Member

Member

Attachments

Senior Member

Senior Member

Senior Member

Senior Member

Similar threads

Top Liked Posts