Tuesday, November 26, 2013

Nexus 4 Rooting from source code


There are so many documents dealing with rooting Android devices. But most of webpages describe it using binaries already pre-built by Hacker groups. It is not enough for rookies who want to build their own binaries from source code, kernel to user level. This manual is written for them.

Before Rooting we need to prepare to restore original release binaries. We can get full binary images and vendor specific driver binaries for custom build from here: https://developers.google.com/android/

Android web pages(http://source.android.com/index.html) already contain all information. I just added comments dedicated to Nexus 4 and re-arrange their order.

Target Setting

After setup for debugging.

tmax@jaeyounglee2:~/work/android$ adb reboot bootloader// reboots the divece into the bootloader
tmax@jaeyounglee2:~/work/android$ sudo /home/tmax/work/android/adt-bundle-linux-x86-20130522/sdk/platform-tools/fastboot oem unlock...OKAY [104.709s]finished. total time: 104.709s //<- this option is hidden (not discribed in "fastboot help" and in my case I need to use "sudo"

Building Kernel

Process is ...

  1. Check Version matching Nexus 4
  2. Download Toolchain
  3. Download Binary git and Check commit log
  4. Download Source git
  5. Build

1. Check Version

 I checked here http://source.android.com/source/build-numbers.html . Currently(2013-11-16), the latest version is android-4.3_r1.1

2. Download Toolchain

$ git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-eabi-4.6

Toolchain is set for 64bit as default. So if you try to build kernel on 32bit machine,  you can see the error msg of "/lib64/ld-linux-x86-64.so.2: No such file or directory"

You can set for 32bit by using "git checkout" but I do not know whether this way is reasonable or not... 

commit d73a051b1fd1d98f5c2463354fb67898f0090bdbAuthor: Jing Yu <jingyu@google.com>Date:   Tue Apr 24 14:03:34 2012 -0700
    Upgrade to host 64bit arm-eabi toolchain.        Change-Id: I48f78b81044285b5694f68e3f928797c8b9a1799
commit b4ecd7806d8f46cddeacaf9f8de92c191fb266e4Author: Jing Yu <jingyu@google.com>Date:   Thu Feb 16 15:55:47 2012 -0800
    Commit arm-eabi-4.6 toolchain for building kernel.        Refer to SOURCES for where to download source code and how to    configure the toolchain.        Change-Id: Idb7b187c9c257a87a740e8c60df34a4ed4359222

3. Download Binary Repository

3. Nexus 4 is made by LGE, and based on QUALCOMM chipsets. Download Binary: git clone https://android.googlesource.com/device/lge/mako-kernel

The red number stands for the matching commit-id of the kernel source repository. 

tmax@jaeyounglee2:~/work/android/kernel/mako-kernel$ git log
commit daa498456e695773fe5922d739b68b2ed6d9a1eeAuthor: The Android Open Source Project <initial-contribution@android.com>Date:   Mon Nov 4 10:13:55 2013 -0800
    Snapshot to 3d209bd5b1ec95655f2f5681c586c5c177b30915
commit 91f898464acfddd7289f274aa2f54ec0b80e470fAuthor: Jean-Baptiste Queru <jbq@google.com>Date:   Thu Jul 25 10:54:43 2013 -0700
    mako: prebuilt kernel
    55bf2b1 msm: kgsl: implement server-side waits
    Snapshot of commit 06ff62d6b601d62bef7b13e4e6b5cd68b638d530

If you have already download platform source tree, for example android-4.3_r1.1, you can find the same kernel directory, <platform source root directory>/device/lge/mako-kernel.
This directory is the same git directory, just downloaded with  released commit id by "repo sync".

4. Download Source Repository

$ git clone https://android.googlesource.com/kernel/msm
$ git branch -a
$ git checkout --track remotes/origin/android-msm-mako-3.4-jb-mr2
$ git checkout 55bf2b1 -b test

5. Build

$ export PATH=$(pwd)/arm-eabi-4.6/bin:$PATH
$ export ARCH=arm
$ export SUBARCH=arm
$ export CROSS_COMPILE=arm-eabi-
$ make mako_defconfig
$ make

Building Platform Binary

Go back to http://source.android.com/source/index.html

Download platform source tree
For Android 4.3
$ repo init -u https://android.googlesource.com/platform/manifest -b android-4.3_r1.1

Download vendor drivers.


Set basic environment variables & command such like lunch.
tmax@tmax3:~/work/android/android-4.3_r1.1$ source build/envsetup.sh
including device/asus/deb/vendorsetup.sh
including device/asus/flo/vendorsetup.sh
including device/asus/grouper/vendorsetup.sh
including device/asus/tilapia/vendorsetup.sh
including device/generic/armv7-a-neon/vendorsetup.sh
including device/generic/mips/vendorsetup.sh
including device/generic/x86/vendorsetup.sh
including device/lge/mako/vendorsetup.sh
including device/samsung/maguro/vendorsetup.sh
including device/samsung/manta/vendorsetup.sh
including device/samsung_slsi/arndale/vendorsetup.sh
including device/samsung/toroplus/vendorsetup.sh
including device/samsung/toro/vendorsetup.sh
including device/ti/panda/vendorsetup.sh
including sdk/bash_completion/adb.bash
 Set your target specific setting by "lunch"

tmax@tmax3:~/work/android/android-4.3_r1.1$ lunch
You're building on Linux
Lunch menu... pick a combo:
     1. aosp_arm-eng
     2. aosp_x86-eng
     3. aosp_mips-eng
     4. vbox_x86-eng
     5. aosp_deb-userdebug
     6. aosp_flo-userdebug
     7. full_grouper-userdebug
     8. full_tilapia-userdebug
     9. mini_armv7a_neon-userdebug
     10. mini_mips-userdebug
     11. mini_x86-userdebug
     12. full_mako-userdebug
     13. full_maguro-userdebug
     14. full_manta-userdebug
     15. full_arndale-userdebug
     16. full_toroplus-userdebug
     17. full_toro-userdebug
     18. full_panda-userdebug
Which would you like? [aosp_arm-eng] full_mako-eng

tmax@tmax3:~/work/android/android-4.3_r1.1$ make -j TARGET_BUILD_TYPE=debug

TARGET_BUILD_TYPE=debug supports richer debug utility.

Additional to the guide, I need to install "sudo apt-get install libstdc++6:i386". If you do not install it, you see the following error message.

prebuilts/misc/linux-x86/bison/bison: error while loading shared libraries: libstdc++.so.6: cannot open shared object file: No such file or directory
Caution!: If build error occurs even though all source code is downloaded and I follow all guideline, try "make clean" and re-make. Maybe there is a dependency problem between packages.

if we succeed building source tree, we can find our result in out/debug/target/product/mako/:  boot.img, recovery.img, system.img, userdata.img. Maybe ramdisk.img ramdisk-recovery.img are intermediate file for boot.img, recovery.img

tmax@tmax3:~/work/android/android-4.3_r1.1/out/debug/target/product/mako$ ls -al
total 365608
drwxrwxr-x  9 tmax tmax      4096 Nov 25 21:42 .
drwxrwxr-x  3 tmax tmax      4096 Nov 25 20:51 ..
-rw-rw-r--  1 tmax tmax        19 Nov 25 20:52 android-info.txt
-rw-r--r--  1 tmax tmax   6350848 Nov 25 21:32 boot.img
-rw-rw-r--  1 tmax tmax     33868 Nov 25 20:51 clean_steps.mk
drwxrwxr-x  4 tmax tmax      4096 Nov 25 21:33 data
drwxrwxr-x  2 tmax tmax      4096 Nov 25 21:36 fake_packages
-rw-rw-r--  1 tmax tmax     59503 Nov 25 21:36 installed-files.txt
-rw-rw-r--  1 tmax tmax   5937560 Nov 25 21:11 kernel
drwxrwxr-x 13 tmax tmax      4096 Nov 25 21:36 obj
-rw-rw-r--  1 tmax tmax       605 Nov 25 20:51 previous_build_config.mk
-rw-rw-r--  1 tmax tmax    409356 Nov 25 21:32 ramdisk.img
-rw-rw-r--  1 tmax tmax    965463 Nov 25 21:32 ramdisk-recovery.img
drwxrwxr-x  3 tmax tmax      4096 Nov 25 21:32 recovery
-rw-r--r--  1 tmax tmax   6907904 Nov 25 21:32 recovery.img
drwxrwxr-x  9 tmax tmax      4096 Nov 25 23:47 root
drwxrwxr-x  5 tmax tmax      4096 Nov 25 21:33 symbols
drwxrwxr-x 13 tmax tmax      4096 Nov 25 21:32 system
-rw-r--r--  1 tmax tmax 252779152 Nov 25 21:36 system.img
-rw-r--r--  1 tmax tmax 100877852 Nov 25 21:33 userdata.img

Write Flash


We can understand whole partitions of Android after reading http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images

boot.img - kernel + ramdisk
recovery.img - similar to boot.img but for recovery mode
system.img - base files and utilities in  /system
userdata.img - other user data

I can flash each binary individually as follows. If I type
tmax@tmax3:~/work/android/android-4.3_r1.1/out/debug/target/product/mako$ sudo ~/work/android/platform-tools/fastboot flash recovery recovery.img
sending 'recovery' (6746 KB)...
OKAY [  0.214s]
writing 'recovery'...
OKAY [  0.376s]
finished. total time: 0.590s
tmax@tmax3:~/work/android/android-4.3_r1.1/out/debug/target/product/mako$ sudo ~/work/android/platform-tools/fastboot flash boot  boot.img
sending 'boot' (6202 KB)...
OKAY [  0.209s]
writing 'boot'...
OKAY [  0.330s]
finished. total time: 0.539s
tmax@tmax3:~/work/android/android-4.3_r1.1/out/debug/target/product/mako$ sudo ~/work/android/platform-tools/fastboot flash system system.img
erasing 'system'...
OKAY [  0.923s]
sending 'system' (246854 KB)...
OKAY [  7.777s]
writing 'system'...
OKAY [ 13.720s]
finished. total time: 22.420s
tmax@tmax3:~/work/android/android-4.3_r1.1/out/debug/target/product/mako$ sudo ~/work/android/platform-tools/fastboot flash userdata userdata.img
erasing 'userdata'...
OKAY [  0.821s]
sending 'userdata' (98513 KB)...
OKAY [  3.107s]
writing 'userdata'...
OKAY [  4.842s]
finished. total time: 8.770s
tmax@tmax3:~/work/android/android-4.3_r1.1/out/debug/target/product/mako$ sudo ~/work/android/platform-tools/fastboot reboot
finished. total time: 0.001s


Be careful replacing system.img and userdata.img. Replacing only boot.img and recovery.img makes a root-accessible target.


Rel mode boot.img

tmax@tmax3:~/work/android/android-4.3_r1.1$ adb root on
adbd cannot run as root in production builds
tmax@tmax3:~/work/android/android-4.3_r1.1$ adb shell
shell@mako:/ $ cat default.prop

ENG mode boot.img

tmax@tmax3:~/work/android/android-4.3_r1.1$ adb root on
adbd is already running as root tmax@tmax3:~/work/android/android-4.3_r1.1$ adb shell
root@mako:/ # cat default.prop

Test to Write /root/

root@mako:/ # mount -o remount,rw /
root@mako:/ # cp default.prop /root/test.txt
root@mako:/ # cd /root/
root@mako:/root # ls

No comments: