15 replies to this topic

[Phoenix Silver]

Paul had a good idea to use boot.img to root his Zte Skate.
I wondered how this was made ?
I share with you what i have found.


AS USUAL USE THIS GUIDE AT YOUR OWN RISK I'M NOT RESPONSIBLE IF YOU BRICK YOUR HANDSET.


The first thing you need is to get the boot.img of your phone.

As your phone isn't rooted you need an app to install a small exploit. This app is romdump, thanks Sebastian404 to have provided it.

App can be downloaded here :

http://ftpb.free.fr/files/romdump.zip


I) get the boot.img

Extract the files and follow the next steps :

I do these steps with adb but you can use a terminal emulator too (see the readme.txt in the zip)

so type the following 3 commands

adb push install /data/local/
adb shell chmod 04755 /data/local/install
adb shell /data/local/install

Following the readme.txt

you should see something like following:

[citation]
Android ROM dumper v0.72b
©2010 Sebastian404[*] Android local root exploid © The Android Exploid Crew
[+] Using basedir=/sqlite_stmt_journals, path=/data/local/install
[+] opening NETLINK_KOBJECT_UEVENT socket
[+] sending add message ...[*] Try to invoke hotplug now, clicking at the wireless[*] settings, plugin USB key etc.[*] You succeeded if you find /system/bin/romdump.


Once you see that you need to turn your Wifi on and off, usualy in
Settings / Wireless & Networks / Wi-Fi

now thats done, type the following:

adb shell romdump


then wait for it to finish, it can take a while.

Once the program has finished you should find a directory in the root of
your SD card called romdump and a sub-directory named after your device
model. Take those files and give them to someone who knows how to make a
recovery zip.
[/citation]

Take the boot.img in the sdcard and copy it in your computer

I recommand you create a directory named Superboot where you'll put all the tools needed by this guide.

The first tool you need to install is cpio
So ubuntu users do a sudo apt-get install cpio
Arch users do a pacman -S cpio

The second tool you need is split_bootimg.pl that you can download here :

http://ftpb.free.fr/...plit_bootimg.pl

Save it in the same dir than boot.img

in this dir type split_bootimg.pl boot.img
note all the values given by split_boot.img you'll need them later

This is what my blade give :

Page size: 2048 (0x00000800)
Kernel size: 3203212 (0x0030e08c)
Ramdisk size: 149760 (0x00024900)
Second size: 0 (0x00000000)
Board name:
Command line: androidboot.hardware=blade console=ttyMSM2,115200 g_android.product_id=0x1354 g_android.serial_number=Alice-Blade

2 files have been created boot.img-kernel & boot.img-ramdisk.gz


II) extract the ramdisk

Follow the steps :

1) cp boot.img-ramdisk.gz ramdisk.cpio.gz (we make a backup in case)
2) gzip -d ramdisk.cpio.gz (extract the ramdisk)
3) mkdir tmp
cd tmp
cp ../ramdisk.cpio . (we take ramdisk appart to work)

4) cpio -i -F ramdisk.cpio (extract the ramdisk.cpio in the tmp folder to have a clean environment)

5) rm ramdisk.cpio (Remove the ramdisk.cpio in the tmp)


III) Insert super user in your ramdisk

Edit the file init.rc and find the line ## Daemon processes to be run by init.

After the second ##
Insert the four folowing lines

service superboot /system/bin/sh /superboot/superboot.sh
user root
group root
oneshot

Save the file and quit.

Now we need the app Superuser.apk and the script superboot.sh which install the superuser.apk

Download them here :

http://ftpb.free.fr/...uperboot.tar.gz

Thanks to Paul to have provided the script superboot.sh

Extract the file in the directory tmp


IV) Recreate the boot.img

1) cpio -i -t -F ../ramdisk.cpio | cpio -o -H newc -O ../ramdisk_new.cpio (Recreate the ramdisk.cpio named ramdisk_new_cpio)

cd ..
mv boot.img-ramdisk.gz boot.img-ramdisk.gz.sauve (backup the old ramdisk)

rename ramdisk_new_cpio img-ramdisk
gzip img-ramdisk (recompress the new ramdisk)

You need now a tool called mkbootimg that you can download here :

http://ftpb.free.fr/files/mkbootimg
and download it in the superboot directory

chmod +x mkbootimg (to make it executable)
mv boot.img boot.img.sauve (save the old boot.img)

type now the following command

mkbootimg --kernel boot.img-kernel --ramdisk boot.img-ramdisk.gz --cmdline androidboot.hardware=blade console=ttyMSM2,115200 g_android.product_id=0x1354 g_android.serial_number=Alice-Blade --pagesize 2048 --output boot.img

WARNING REPLACE THE VALUES BY YOUR OWN VALUES GIVEN BY SPLIT_BOOTIMG.PL


V) Flash your new boot.img

Download fastboot here :

http://ftpb.free.fr/files/fastboot.zip

Extract it in the superboot directory

and type the following commands :

chmod +x fastboot-linux
adb reboot bootloader
./fastboot-linux flash boot boot.superboot.img
./fastboot-linux reboot

Once your handset is rebooted it will be rooted.

I'll appreciate any comment / error / improvement that you'll say me.
Thanks

Alice.

Edited by Phoenix Silver, 09 August 2011 - 09:52 PM.

[Phoenix Silver]

Reserved.

[t0mm13b]

Brilliant guide darling - well done! kiss

[Phoenix Silver]

t0mm13b, on 09 August 2011 - 06:59 PM, said:

Brilliant guide darling - well done! kiss

Ty honey kiss

[leopesto]

could it be applied to other devices? like the galaxy S+ that isn't yet rooted....




Leo

[Phoenix Silver]

yes if you can get the boot.img the rest is easy

[wbaw]

Phoenix Silver, on 09 August 2011 - 09:51 PM, said:

yes if you can get the boot.img the rest is easy

The problem is that you usually need root to get the boot.img & often need root to be able to flash your modified version.

So to follow this guide, a root exploit like the one used in romdump needs to work & it wont work on gingerbread or 2.2.2 phones.

Of course if you already have a working root exploit, then you don't need to repack boot.img, you can do whatever you want anyway.

[Phoenix Silver]

yes sure but this method is usefull anyway if you would want to distribute your roms or to install other things

so how do you dump the boot.img if romdump doesn't work ?

but i saw a generic romdump in the net which maybe works
i'll give it a try

[sm4tik]

Phoenix Silver, on 09 August 2011 - 10:09 PM, said:

yes sure but this method is usefull anyway if you would want to distribute your roms or to install other things

so how do you dump the boot.img if romdump doesn't work ?

but i saw a generic romdump in the net which maybe works
i'll give it a try

When I got my stock 2.2 blade I had to temp root it with z4root before I could run romdump. I still don't know how clean the dump is, but atleast I got it. Kallt_kaffe was thinking of writing a OneClickRomDumper app using the same root method as his OneClickRecovery, but I don't know far he got with it or was the idea just buried. Link

Edited by sm4tik, 12 August 2011 - 10:25 PM.

[KonstaT]

sm4tik, on 12 August 2011 - 09:21 PM, said:

When I got my stock 2.2 blade I had to temp root it with z4root before I could run romdump. I still don't know how clean the dump is, but atleast I got it. Kallt_kaffe was thinking of writing a OneClockRomDumper app using the same root method as his OneClickRecovery, but I don't know far he got with it or was the idea just buried. Link

OneClickRomDump can be found here:
http://android.modac...ost__p__1674763

Edited by KonstaT, 12 August 2011 - 09:31 PM.

[sm4tik]

KonstaT, on 12 August 2011 - 09:31 PM, said:

OneClickRomDump can be found here:
http://android.modac...ost__p__1674763

So he did do it No wonder I had missed it..

[wbaw]

Phoenix Silver, on 09 August 2011 - 10:09 PM, said:

yes sure but this method is usefull anyway if you would want to distribute your roms or to install other things

so how do you dump the boot.img if romdump doesn't work ?

but i saw a generic romdump in the net which maybe works
i'll give it a try

Romdump uses a root exploit to dump the rom, it wont work on more recent versions of android because that security vulnerability has been fixed. I think you need a working root exploit to be able to dump the boot image, so your phone has to already be rooted, then it makes little difference if you root your boot.img or just add su & superuser to your system partition - the 'one click' type root exploits usually do that anyway.

The exploit that z4root uses has been fixed in gingerbread & 2.2.2 roms too. I think gingerbreak was fixed in 2.3.3 & a pdf exploit was fixed in 2.3.5.

Edited by wbaw, 13 August 2011 - 04:44 AM.

[wbaw]

I guess that paul rooted the skate first by building a version of clockworkmod for the skate based on the .32 kernel source code & loaded that using adb to reboot into fastboot mode in order to grab the rom & boot.img. Just a guess, but that's how I'd do it.

Ideally we don't want any root exploits that can be used in an app without any interaction to work, that means your phone has no protection from malicious apps. We just need fastboot & a kernel zimage that will boot on the device to root it.

Edited by wbaw, 15 August 2011 - 01:12 AM.

[Phoenix Silver]

I agree

[C3C0]

Phoenix Silver, on 09 August 2011 - 06:54 PM, said:

IV) Recreate the boot.img

1) cpio -i -t -F ../ramdisk.cpio | cpio -o -H newc -O ../ramdisk_new.cpio (Recreate the ramdisk.cpio named ramdisk_new_cpio)

Hi. I think there is a problem with this one. cpio -t reads the list of files from input ramdisk. So in case you add new files

into new ramdisk they will not be included. You should probably use something like

1) find . | cpio -o -H newc -O ../ramdisk_new.cpio

as this will go through the whole new file structure and add also new files into output ramdisk.

[C3C0]

Another thing. It is also necessary to find out the base address for your device and specify it in

--base parameter when doing mkbootimg
Base address can be get using the terminal emulator on your device issuing:

1) $ gzip -d -c /proc/config.gz | grep CONFIG_PHYS_OFFSET

Edited by C3C0, 09 December 2011 - 07:17 AM.