View Single Post
Old 02-07-2020, 04:09 PM   #14
Peripathetic composes epic poetry in binary.Peripathetic composes epic poetry in binary.Peripathetic composes epic poetry in binary.Peripathetic composes epic poetry in binary.Peripathetic composes epic poetry in binary.Peripathetic composes epic poetry in binary.Peripathetic composes epic poetry in binary.Peripathetic composes epic poetry in binary.Peripathetic composes epic poetry in binary.Peripathetic composes epic poetry in binary.Peripathetic composes epic poetry in binary.
Posts: 38
Karma: 90402
Join Date: Feb 2019
Device: Tolino Shine 3
Patching the Boot Image

About boot images:
A boot image is the first thing to be run by the bootloader when a device starts in the usual way (that is, not in recovery or bootloader mode). Here, it consists of an operating system (Linux) kernel (core) and a small filesystem with a couple of basic scripts and utilities to get things going such as mount other partitions.


I can think of at least two reasons to do it, feel free to add your own:
  • Enable the Android Debug Bridge (ADB) interface to make all kinds of changes to the device with a utility program from a computer
  • Change the way files on the device are made available when it is connected via USB: instead of exposing the user data partition as a mass storage device, use the MTP mode. The benefit is that the device can now be used while it is connected to the computer and even when files are being transferred.
  • Obtain the boot image: either by (1) extracting the file boot.img from the manually downloaded from the Tolino Website (this file will be useful later), or - if you really must - by (2) reading it from your device, for example:

    adb shell dd if=/dev/block/mmcblk0p1 of=/cache/boot.img
    adb pull /cache/boot.img

    Note: this will work from the recovery mode only, unless ADB is already enabled in the boot image.
  • Extract boot.img: there is a multitude of ways to do it but if you're using Windows, the most convenient method is to use Android Image Kitchen: drag the file boot.img onto unpackimg.bat and a ramdisk directory will appear
  • Inside the unpacked image, there are two files of interest: default.prop and init.rc
  • In default.prop, we change the three properties to read:


    Or, if you do not want to change the USB connection to MTP the last line should read:


  • Next, in the file init.rc, we change:

    setprop 0
The point is not just to enable ADB but to let us have superuser privileges (popularly known as "root"), which is necessary to do anything interesting. The above steps are not enough to accomplish this, however: the ADB daemon binary provided with the boot image, located under sbin/adbd, will still refuse to run as root, so it has to be either (a) replaced or (b) patched.

For the sake of argument, patching would involve finding out where it makes the setuid() and setgid() calls to drop root privileges and replacing them with NOPs. From the android_filesystem_config.h file in the Android source (or prior knowledge) we can learn that ADB runs under the UID 2000 shell, so that would be the value to look for.

Replacing the binary is much easier though. We could compile one ourselves. Or we could perhaps borrow one from a version of the ADBD Insecure app. However, since as I get older I also become more lazy and this month I'm about to get older again, I reached straight for the low-hanging fruit and helped myself to the adbd binary from this article in German describing how to obtain root access on the Tolino Shine 3, which (although referring to an earlier firmware version) practically guaranteed it was going to work and indeed it does.

Whichever way you prefer, the last steps are then:
  • Replace or patch sbin/adbd to allow superuser access
  • Run repackimg.bat to create the modified image file, image-new.img

I wanted to write the above step-by-step since I haven't seen it written anywhere, so maybe it will be helpful to some people at some point but if you just want the result, it is attached here (for the most recent firmware version as of now):

For the instructions how to flash it, see the previous post.

Let me also add that recovery images (twrp.img or recovery.img) can be edited in a similar way, although for TWRP it would be more useful to compile it from the sources for any more significant changes.

One more thing to mention is that enabling ADB can lead to a potential security issue: when you plug in to charge your device from an unknown source (such as in a public place) you can never be sure what you are connecting to is just a charger: someone could potentially attempt to scan your device for data using ADB. Many devices use fingerprinting to limit ADB access to pre-approved computers but here it's accessible to everyone.

On the other hand, the Tolino already gives access to all the files to anything connected through USB by default, so perhaps the best way to address this issue is not to charge it from untrusted sources, which should be easy enough as the battery lasts quite a while.

Using ADB
  • To check if ADB is working correctly, run:

    adb devices

    List of devices attached
    ########,... device

    If the list is empty, the device is not connected.
  • To check if ADB has superuser access:

    adb shell echo $USER_ID


    If the user ID is 2000 then ADB is running with limited privileges (this is the case if you keep the original sbin/adbd intact).
  • If, after using ADB, you want to eject the device in Windows but it is "busy," you have to run:
    adb kill-server
  • Finally, enabling ADB also opens up a convenient way to run TWRP (enter recovery mode):
    adb reboot recovery
For anything that follows, I assume you have ADB and/or TWRP access set up.

Last edited by Peripathetic; 02-07-2020 at 04:29 PM.
Peripathetic is offline   Reply With Quote