Android Hacking
One of the reasons Android is so appealing as an ecosystem is that it is so open. Android does not force you to stay in the confines of the design choices made by the carrier, the manufacturer, or even Google itself. It can upgraded, modified, and enhanced for devices that have long ceased to get manufacturer updates and it allows you to customize your device exactly the way you want it to be.Android openness manifests itself in several ways, but perhaps the most interesting way being the enormous community of tinkerers and hackers who have built a whole world of custom operating system distributions, kernel modifications, and software tweaks for Android. There are literally hundreds of custom versions of the Android operating system (called "ROMs") that can replace the existing version on a given device.
When I bought my first Android and looked into the "ROM" world, it was a little overwhelming. There was so much complexity, so much information, so much terminology, and no definitive place to learn about it all.
Most of the community of tinkerers and hackers who release ROMs for Android are based out of the XDA Forums. While an excellent resources for advanced users, the XDA forums are bewildering at best for the novice who wants to learn the core concepts of Android hacking.
What I want to accomplish in this blog is to give you a resource to understand all the tools and concepts involved in customizing your Android. This blog post is not intended to be a comprehensive step by step set of instructions, but be more of a guide that shows you all the pieces and how they relate. You can then refer to Google / XDA Forums for the nitty gritty specifics for your particular device.
For clarity I want to divide this blog into two parts: tools and concepts. Under tools I will discuss the nuts and bolts of the software you use to modify your phone and what you need to do to get them set up. Under concepts I will discuss the kinds of things you can do to your phone, such as rooting, unlocking the bootloader, flashing a new recovery, etc.
NOTE: Modify-ing your phone is not always officially sanctioned by the manufacturer. Please be aware that you take full responsibility for any damage caused to your device. Any information provided in this blog to be used at your own risk.
Tools
ADB and Fastboot
To do any significant hackking on your Android you need to be able to communicate with it from your computer. There are two tools that allow you to send low level commands to your phone across a USB cable: adb (Android Debug Bridge) and fastboot (a protocol for communicate with the low level firmware of your Android device).Both of these tools are available in the latest release of the Google SDK for Android (also referred to as the ADT). I also recommend downloading and installing a current version of the Java SE JDK if your machine does not have one already. Once you have installed Java and ADT, the adb and fastboot tools can be found in the sdk/platform-tools sub directory of the directory where you installed the ADT.
Note: As far as I can tell fastboot is installed with the ADT. However, if it is not, you must download a copy from the internet (XDA Forums preferably) and copy it to the /sdk/platform-tools directory where the adb.exe resides.
The next step is to put these two tools on your PATH. Instructions for modifying your PATH varying based on your operating system. Here is a good starting point. You should put the entire /sdk/platform-tools directory on your PATH so both adb and fastboot are accessible. To verify this is working correctly you can open your operating system's equivalent of a Command Prompt and type the command:
adb
It should display usage for adb and not a "file not found" error. It may be necessary to restart any running instances of Command Prompt for your changes to the PATH to take effect.
Once adb and fastboot are on your path and can be executed from a Command Prompt window you are ready for the next step.
Once your USB Drivers are installed you can test to make sure everything is setup correctly by opening a Command Prompt and typing:
It should connect to your device and display your device name.
NOTE: If you own an HTC device, you must install the USB Drivers via the HTC Sync program. I had trouble with HTC Sync and adb not working together correctly because HTC Sync kept trying to restart the adb process. To use adb I found I needed to kill the HTC Sync process from the Task Manager.
Congratulations! These are the basic tools you need to start modifying your phone!
Your first step to Android phone customization is to unlock your bootloader so it will accept further modifications. The procedure to unlock your bootloader vary widely from phone to phone and is not even possible on all phones due to manufacturer or carrier restrictions. If you own a Google Nexus device you are lucky. The bootloader can be unlocked via simple adb / fastboot commands. If you own an HTC device, you can unlock your phone through a slightly more lengthy process via HTC Dev (note: however this requires you to wipe your phone). Most other phones require a combination of hacking and workarounds to achieve an unlocked bootloader.
Here is where the XDA Forums start to become useful. If you are unfortunate enough to have a manufacturer without a sanctioned bootloader unlocking method you can search the XDA Forums for instructions on how to unlock the bootloader of your device assuming a hack or workaround has been found.
Hopefully your device supports unlocking its bootloader, because if it does not, your customization abilities are very limited.
In addition to checking / loading your device's version of the Android operating system, your bootloader is also responsible for booting into "recovery mode" if necessary. Think of recovery like the an emergency boot disk for your PC operating system. It is the program that is run in case your operating system is corrupted. It can flash a fresh copy of the operating system if necessary to correct a corrupted ROM.
The default "recovery" program that comes with Android is very limited, and refuses to flash any copies of an operating system (or anything for that matter) that is not signed properly by Google. This is a good security mechanism to prevent hackers from subverting your phone's operating system, but it gets in the way when we want to install a custom operating system version!
Once your bootloader is unlocked, it becomes willing to let you change the recovery program that comes installed on the phone. You can replace the default recovery with another recovery that is more flexible and accepting of radical changes to your phone. Currently there are at least two good custom recoveries on the market: TeamWin Recovery Pro (abbreviated TWRP) and ClockworkMod Recovery (abbreviated CM). There may be others, but these two are the most commonly used. I personally recommend ClockworkMod Recovery as it seems the most polished and easy to use. Feel free to experiment.
You can download the appropriate recovery image and flash it to your phone, overwriting the default recovery. Instructions vary phone by phone, but the basic idea is that you connect your phone, reboot it into the bootloader program, download the recovery image, and run this command:
A custom recovery lets you do several things. It can flash a custom version of the operating system which is of course the holy grail of phone modification. It can also flash programs and files into the system partition of your phone. This is important when you want to get "root access" on your phone, as you will need to flash the Superuser or SuperSU program to the system partition to then grant root access to other programs (more on this later).
Finally and most importantly, a custom recovery lets you perform a full backup of your system. Such a backup is called a "nandroid" backup (for reasons that are unclear to me). It is ABSOLUTELY essential that you perform a full nandroid backup and copy it off your phone before proceeding with further customizations. If you corrupt your phone to the point where it becomes unusable (referred in the community as "bricking" your phone because you just turned your expensive phone into an inoperable brick) you want a backup to restore it with.
One of the benefits of having a custom recovery is that you can flash applications or scripts to the system partition of your phone. This is useful for several reasons. If you do not want to change your ROM but you want to remove the "bloatware" applications that the manufacturer or carrier put on your phone, you can flash scripts that will uninstall these applications from the system partition (consult XDA Forums for more details). In some cases you can also flash tweaks to your existing ROM (such as muting startup sounds, or changing the transparency / color / icons of system elements). You can also flash new applications to the system partition, which leads us to the next step.
You can achieve "root" on your stock ROM. Installing a custom ROM is not required, although most custom ROMs come with "root" automatically built in.
Achieving root is simple once you have a custom recovery. You can download a program such as Superuser or SuperSU from the XDA Forums, and put it on your phones internal memory. Then you reboot into your custom recovery and "flash" the zip. This will install the Superuser or SuperSU program into the system partition of your device, which gives it root access. Once it is installed there, it can grant additional non-system partition apps root access whenever they ask for it.
Achieving root allows you to install applications such as BusyBox, Rom-Manager (if you are using ClockworkMod Recovery), and Titanium Backup, all of which make it easier to control customizations (such as custom recoveries, custom ROMs, do nandroid backups, do application backups, etc.) all from your phone's home screen instead of a Command Prompt with adb / fastboot.
A ROM is composed of a copy of the Android operating system together with system applications, usually from Google (such as Gmail). It can include a version of a manufacturer's skin (such as HTC's Sense or Samsung's TouchWiz). It can include a root granting application (such as Superuser or SuperSU) and a host of other tweaks and modifications.
ROMs are purpose built for specific phones. A Galaxy S3 ROM will not work on a HTC Droid DNA. Do no try to mix and match.
ROMs advertise on their XDA Forum page what features they include (including what performance, battery, or sound tweaks they include, as well as things such as "bloatware removed" and "Superuser / Busybox" included). Read all description and instructions very carefully so you know exactly what you are getting into when you install a ROM.
ROMs can be advertised as being "zip-aligned" and "deodexed" which essentially means the are eligible for theme-ing or installing custom icon sets, among other things.
I view this blog is a work in progress! I intend to modify it as I learn more and as I get more feedback. Please feel free to add commentary in the comments section or email me directly at smouring@nearinfinity.com. You can also follow me on Twitter at @marlhammer.
Once adb and fastboot are on your path and can be executed from a Command Prompt window you are ready for the next step.
USB Drivers
In order for adb / fastboot to communicate with your device you need to install the correct USB drivers for your specific device. If you are fortunate enough to have a Google Nexus device you can download and install drivers from here. Otherwise you will need to download the appropriate USB drivers from the manufacturer. A good place to start is here. That link also includes good instructions on how to actually install USB drivers once you have downloaded them.Once your USB Drivers are installed you can test to make sure everything is setup correctly by opening a Command Prompt and typing:
adb devices -lIt should connect to your device and display your device name.
NOTE: If you own an HTC device, you must install the USB Drivers via the HTC Sync program. I had trouble with HTC Sync and adb not working together correctly because HTC Sync kept trying to restart the adb process. To use adb I found I needed to kill the HTC Sync process from the Task Manager.
Congratulations! These are the basic tools you need to start modifying your phone!
Concepts
So you can talk to your phone over a USB cable. Now what?Unlocking Your Bootloader
The bootloader of your phone is a small piece of firmware responsible for booting your phone and checking / loading your operating system. It is akin to the BIOS on your computer. Most manufacturers ship their phones with the bootloader "locked". This means that the bootloader will not accept any changes to any of the software it loads (including the operating system and the "recovery" image discussed later).Your first step to Android phone customization is to unlock your bootloader so it will accept further modifications. The procedure to unlock your bootloader vary widely from phone to phone and is not even possible on all phones due to manufacturer or carrier restrictions. If you own a Google Nexus device you are lucky. The bootloader can be unlocked via simple adb / fastboot commands. If you own an HTC device, you can unlock your phone through a slightly more lengthy process via HTC Dev (note: however this requires you to wipe your phone). Most other phones require a combination of hacking and workarounds to achieve an unlocked bootloader.
Here is where the XDA Forums start to become useful. If you are unfortunate enough to have a manufacturer without a sanctioned bootloader unlocking method you can search the XDA Forums for instructions on how to unlock the bootloader of your device assuming a hack or workaround has been found.
Hopefully your device supports unlocking its bootloader, because if it does not, your customization abilities are very limited.
Custom Recovery
Unlocking your bootloader is not exiting in and of itself. Its what an unlocked bootloader lets you do next that is really exciting.In addition to checking / loading your device's version of the Android operating system, your bootloader is also responsible for booting into "recovery mode" if necessary. Think of recovery like the an emergency boot disk for your PC operating system. It is the program that is run in case your operating system is corrupted. It can flash a fresh copy of the operating system if necessary to correct a corrupted ROM.
The default "recovery" program that comes with Android is very limited, and refuses to flash any copies of an operating system (or anything for that matter) that is not signed properly by Google. This is a good security mechanism to prevent hackers from subverting your phone's operating system, but it gets in the way when we want to install a custom operating system version!
Once your bootloader is unlocked, it becomes willing to let you change the recovery program that comes installed on the phone. You can replace the default recovery with another recovery that is more flexible and accepting of radical changes to your phone. Currently there are at least two good custom recoveries on the market: TeamWin Recovery Pro (abbreviated TWRP) and ClockworkMod Recovery (abbreviated CM). There may be others, but these two are the most commonly used. I personally recommend ClockworkMod Recovery as it seems the most polished and easy to use. Feel free to experiment.
You can download the appropriate recovery image and flash it to your phone, overwriting the default recovery. Instructions vary phone by phone, but the basic idea is that you connect your phone, reboot it into the bootloader program, download the recovery image, and run this command:
fastboot flash recovery YOUR_RECOVERY_FILE.imgA custom recovery lets you do several things. It can flash a custom version of the operating system which is of course the holy grail of phone modification. It can also flash programs and files into the system partition of your phone. This is important when you want to get "root access" on your phone, as you will need to flash the Superuser or SuperSU program to the system partition to then grant root access to other programs (more on this later).
Finally and most importantly, a custom recovery lets you perform a full backup of your system. Such a backup is called a "nandroid" backup (for reasons that are unclear to me). It is ABSOLUTELY essential that you perform a full nandroid backup and copy it off your phone before proceeding with further customizations. If you corrupt your phone to the point where it becomes unusable (referred in the community as "bricking" your phone because you just turned your expensive phone into an inoperable brick) you want a backup to restore it with.
One of the benefits of having a custom recovery is that you can flash applications or scripts to the system partition of your phone. This is useful for several reasons. If you do not want to change your ROM but you want to remove the "bloatware" applications that the manufacturer or carrier put on your phone, you can flash scripts that will uninstall these applications from the system partition (consult XDA Forums for more details). In some cases you can also flash tweaks to your existing ROM (such as muting startup sounds, or changing the transparency / color / icons of system elements). You can also flash new applications to the system partition, which leads us to the next step.
Rooting
"Rooting" your phone is sometimes synonymous with installing a custom ROM or unlocking your bootloader. In reality the concepts are very different. Achieving "root" on your phone allows you run applications as the "root" (or administrator) user on your phone, much like you might run an application as the Administrator user on a Windows PC. Applications with root privileges can control more of the phone functionality (including setting CPU speeds, activating wireless hotspot functionality that is otherwise disabled by your carrier, etc.) than is otherwise possible.You can achieve "root" on your stock ROM. Installing a custom ROM is not required, although most custom ROMs come with "root" automatically built in.
Achieving root is simple once you have a custom recovery. You can download a program such as Superuser or SuperSU from the XDA Forums, and put it on your phones internal memory. Then you reboot into your custom recovery and "flash" the zip. This will install the Superuser or SuperSU program into the system partition of your device, which gives it root access. Once it is installed there, it can grant additional non-system partition apps root access whenever they ask for it.
Achieving root allows you to install applications such as BusyBox, Rom-Manager (if you are using ClockworkMod Recovery), and Titanium Backup, all of which make it easier to control customizations (such as custom recoveries, custom ROMs, do nandroid backups, do application backups, etc.) all from your phone's home screen instead of a Command Prompt with adb / fastboot.
Custom ROM
The final and ultimate step in Android customization is flashing a custom ROM. Now that you have a custom recovery you can instruct it to replace the stock ROM image with a custom one downloaded from XDA Forums. Instructions for installation vary with each ROM, so I will not try to go through step by step instructions, just summarize the principles involved.A ROM is composed of a copy of the Android operating system together with system applications, usually from Google (such as Gmail). It can include a version of a manufacturer's skin (such as HTC's Sense or Samsung's TouchWiz). It can include a root granting application (such as Superuser or SuperSU) and a host of other tweaks and modifications.
ROMs are purpose built for specific phones. A Galaxy S3 ROM will not work on a HTC Droid DNA. Do no try to mix and match.
ROMs advertise on their XDA Forum page what features they include (including what performance, battery, or sound tweaks they include, as well as things such as "bloatware removed" and "Superuser / Busybox" included). Read all description and instructions very carefully so you know exactly what you are getting into when you install a ROM.
ROMs can be advertised as being "zip-aligned" and "deodexed" which essentially means the are eligible for theme-ing or installing custom icon sets, among other things.
More Advanced Topics
There is even more to Android customization than what I have discussed above. I will give a short summary of some more advanced topics, but I will be short because I do not have much personal experience working with them.Custom Kernels
The kernel is the core part of the Linux operating system (which Android is based on). To improve capabilities or compatibility some folks on the XDA Forums can created custom versions of the Android kernel. These can be flashed to your phone along with a custom ROM to achieve specific functionality.S-OFF
On some devices it is possible to achieve "S-OFF" which disables internal security protocols in your phone. Achieving S-OFF gives you total and complete control over every aspect of your phone, even more so than a custom ROM does. It is highly sought after, but very hard to achieve on most phones due to manufacturer or carrier restrictions. Achieving S-OFF allows you to do things like flash custom "radios" (see below).Radios
You can also flash custom "radios" (in other words, change the firmware that controls your phone's internal wireless antennas). This is done sometimes to improve performance, fix bugs, or configure your phone to work on networks it was not otherwise intended to work on.Conclusion
Hopefully you now have enough understanding of the Android phone customization landscape to start working on your own phone!I view this blog is a work in progress! I intend to modify it as I learn more and as I get more feedback. Please feel free to add commentary in the comments section or email me directly at smouring@nearinfinity.com. You can also follow me on Twitter at @marlhammer.
No comments:
Post a Comment