MobileRead Forums - View Single Post

Peripathetic · 02-07-2020, 04:09 PM

About boot images:

Spoiler:

Why

I can think of at least two reasons to do it, feel free to add your own:

Enable the Android Debug Bridge (ADB) interface to make all kinds of changes to the device with a utility program from a computer
Change the way files on the device are made available when it is connected via USB: instead of exposing the user data partition as a mass storage device, use the MTP mode. The benefit is that the device can now be used while it is connected to the computer and even when files are being transferred.

How

Obtain the boot image: either by (1) extracting the file boot.img from the update.zip manually downloaded from the Tolino Website (this file will be useful later), or - if you really must - by (2) reading it from your device, for example:

adb shell dd if=/dev/block/mmcblk0p1 of=/cache/boot.img
adb pull /cache/boot.img

Note: this will work from the recovery mode only, unless ADB is already enabled in the boot image.
Extract boot.img: there is a multitude of ways to do it but if you're using Windows, the most convenient method is to use Android Image Kitchen: drag the file boot.img onto unpackimg.bat and a ramdisk directory will appear
Inside the unpacked image, there are two files of interest: default.prop and init.rc
In default.prop, we change the three properties to read:

ro.debuggable=0
ro.secure=0
persist.sys.usb.config=mtp,adb

Or, if you do not want to change the USB connection to MTP the last line should read:

persist.sys.usb.config=mass_storage,adb
Next, in the file init.rc, we change:

setprop ro.adb.secure 0

The point is not just to enable ADB but to let us have superuser privileges (popularly known as "root"), which is necessary to do anything interesting. The above steps are not enough to accomplish this, however: the ADB daemon binary provided with the boot image, located under sbin/adbd, will still refuse to run as root, so it has to be either (a) replaced or (b) patched.

For the sake of argument, patching would involve finding out where it makes the setuid() and setgid() calls to drop root privileges and replacing them with NOPs. From the android_filesystem_config.h file in the Android source (or prior knowledge) we can learn that ADB runs under the UID 2000 shell, so that would be the value to look for.

Replacing the binary is much easier though. We could compile one ourselves. Or we could perhaps borrow one from a version of the ADBD Insecure app. However, since as I get older I also become more lazy and this month I'm about to get older again, I reached straight for the low-hanging fruit and helped myself to the adbd binary from this article in German describing how to obtain root access on the Tolino Shine 3, which (although referring to an earlier firmware version) practically guaranteed it was going to work and indeed it does.

Whichever way you prefer, the last steps are then:

Replace or patch sbin/adbd to allow superuser access
Run repackimg.bat to create the modified image file, image-new.img

Conclusions

I wanted to write the above step-by-step since I haven't seen it written anywhere, so maybe it will be helpful to some people at some point but if you just want the result, it is attached here (for the most recent firmware version as of now): boot-13.2.1-adb-root-mtp.img.zip

For the instructions how to flash it, see the previous post.

Let me also add that recovery images (twrp.img or recovery.img) can be edited in a similar way, although for TWRP it would be more useful to compile it from the sources for any more significant changes.

One more thing to mention is that enabling ADB can lead to a potential security issue: when you plug in to charge your device from an unknown source (such as in a public place) you can never be sure what you are connecting to is just a charger: someone could potentially attempt to scan your device for data using ADB. Many devices use fingerprinting to limit ADB access to pre-approved computers but here it's accessible to everyone.

On the other hand, the Tolino already gives access to all the files to anything connected through USB by default, so perhaps the best way to address this issue is not to charge it from untrusted sources, which should be easy enough as the battery lasts quite a while.

Using ADB

To check if ADB is working correctly, run:

adb devices

List of devices attached
########,... device

If the list is empty, the device is not connected.
To check if ADB has superuser access:

adb shell echo $USER_ID

0

If the user ID is 2000 then ADB is running with limited privileges (this is the case if you keep the original sbin/adbd intact).
If, after using ADB, you want to eject the device in Windows but it is "busy," you have to run:
adb kill-server
Finally, enabling ADB also opens up a convenient way to run TWRP (enter recovery mode):
adb reboot recovery

For anything that follows, I assume you have ADB and/or TWRP access set up.

02-07-2020, 04:09 PM	#14
Peripathetic Enthusiast Posts: 38 Karma: 90402 Join Date: Feb 2019 Device: Tolino Shine 3	Patching the Boot Image About boot images: Spoiler: A boot image is the first thing to be run by the bootloader when a device starts in the usual way (that is, not in recovery or bootloader mode). Here, it consists of an operating system (Linux) kernel (core) and a small filesystem with a couple of basic scripts and utilities to get things going such as mount other partitions. Why I can think of at least two reasons to do it, feel free to add your own: Enable the Android Debug Bridge (ADB) interface to make all kinds of changes to the device with a utility program from a computer Change the way files on the device are made available when it is connected via USB: instead of exposing the user data partition as a mass storage device, use the MTP mode. The benefit is that the device can now be used while it is connected to the computer and even when files are being transferred. How Obtain the boot image: either by (1) extracting the file boot.img from the update.zip manually downloaded from the Tolino Website (this file will be useful later), or - if you really must - by (2) reading it from your device, for example: adb shell dd if=/dev/block/mmcblk0p1 of=/cache/boot.img adb pull /cache/boot.img Note: this will work from the recovery mode only, unless ADB is already enabled in the boot image. Extract boot.img: there is a multitude of ways to do it but if you're using Windows, the most convenient method is to use Android Image Kitchen: drag the file boot.img onto unpackimg.bat and a ramdisk directory will appear Inside the unpacked image, there are two files of interest: default.prop and init.rc In default.prop, we change the three properties to read: ro.debuggable=0 ro.secure=0 persist.sys.usb.config=mtp,adb Or, if you do not want to change the USB connection to MTP the last line should read: persist.sys.usb.config=mass_storage,adb Next, in the file init.rc, we change: setprop ro.adb.secure 0 The point is not just to enable ADB but to let us have superuser privileges (popularly known as "root"), which is necessary to do anything interesting. The above steps are not enough to accomplish this, however: the ADB daemon binary provided with the boot image, located under sbin/adbd, will still refuse to run as root, so it has to be either (a) replaced or (b) patched. For the sake of argument, patching would involve finding out where it makes the setuid() and setgid() calls to drop root privileges and replacing them with NOPs. From the android_filesystem_config.h file in the Android source (or prior knowledge) we can learn that ADB runs under the UID 2000 shell, so that would be the value to look for. Replacing the binary is much easier though. We could compile one ourselves. Or we could perhaps borrow one from a version of the ADBD Insecure app. However, since as I get older I also become more lazy and this month I'm about to get older again, I reached straight for the low-hanging fruit and helped myself to the adbd binary from this article in German describing how to obtain root access on the Tolino Shine 3, which (although referring to an earlier firmware version) practically guaranteed it was going to work and indeed it does. Whichever way you prefer, the last steps are then: Replace or patch sbin/adbd to allow superuser access Run repackimg.bat to create the modified image file, image-new.img Conclusions I wanted to write the above step-by-step since I haven't seen it written anywhere, so maybe it will be helpful to some people at some point but if you just want the result, it is attached here (for the most recent firmware version as of now): boot-13.2.1-adb-root-mtp.img.zip For the instructions how to flash it, see the previous post. Let me also add that recovery images (twrp.img or recovery.img) can be edited in a similar way, although for TWRP it would be more useful to compile it from the sources for any more significant changes. One more thing to mention is that enabling ADB can lead to a potential security issue: when you plug in to charge your device from an unknown source (such as in a public place) you can never be sure what you are connecting to is just a charger: someone could potentially attempt to scan your device for data using ADB. Many devices use fingerprinting to limit ADB access to pre-approved computers but here it's accessible to everyone. On the other hand, the Tolino already gives access to all the files to anything connected through USB by default, so perhaps the best way to address this issue is not to charge it from untrusted sources, which should be easy enough as the battery lasts quite a while. Using ADB To check if ADB is working correctly, run: adb devices List of devices attached ########,... device If the list is empty, the device is not connected. To check if ADB has superuser access: adb shell echo $USER_ID 0 If the user ID is 2000 then ADB is running with limited privileges (this is the case if you keep the original sbin/adbd intact). If, after using ADB, you want to eject the device in Windows but it is "busy," you have to run: adb kill-server Finally, enabling ADB also opens up a convenient way to run TWRP (enter recovery mode): adb reboot recovery For anything that follows, I assume you have ADB and/or TWRP access set up. Last edited by Peripathetic; 02-07-2020 at 04:29 PM.