[Q] What does the option "-s" used for in "make_ext4fs" ? - Nexus S Q&A, Help & Troubleshooting

Hello,
I'm trying to make /system to ext4 image and boot up
I found that in system/extras/ext4_utils/mkuserimg.sh, the command is
make_ext4fs -s -l $SIZE -a $LABEL $OUTPUT_FILE $SRC_DIR
the out image with option "-s" cannot be mounted when bootup
but without the "-s" option, image can be mounted successful
I checked the image diff, the image with "-s" add crc header and spare format, so it definitly cannot be mounted directly , right ?
My question is : what the option "-s" used for ? Am I need this option in my experiment ?
Thanks

As far as i know -s = silent mode "no shell lines displayed during execution"

GchildT said:
As far as i know -s = silent mode "no shell lines displayed during execution"
Click to expand...
Click to collapse
Appriciate your reply
But, are you sure?... the option '-s' indeed pased as 'spare' in source code, and the out image cannot be mounted...

-s is sparse
you need to use the simg2img tool
This is what we do at work (TI)
From: omappedia.org/wiki/Using_EMMC_on_OMAP4_devices
./simg2img system.img system.img.raw
mkdir tmp
sudo mount -t ext4 -o loop system.img.raw tmp/
<<change stuff>>
sudo ./make_ext4fs -s -l 512M -a system system.img.new tmp/
sudo umount tmp
rm -rf tmp
Hope this helps
/chris
PS: The forum won't let me link the URL above

ufgeek said:
-s is sparse
you need to use the simg2img tool
This is what we do at work (TI)
From: omappedia.org/wiki/Using_EMMC_on_OMAP4_devices
./simg2img system.img system.img.raw
mkdir tmp
sudo mount -t ext4 -o loop system.img.raw tmp/
<<change stuff>>
sudo ./make_ext4fs -s -l 512M -a system system.img.new tmp/
sudo umount tmp
rm -rf tmp
Hope this helps
/chris
PS: The forum won't let me link the URL above
Click to expand...
Click to collapse
If you don't mind me asking,
What does simg2img do exactly? and what would be the potential risk if not using -s option?

steeldusk said:
If you don't mind me asking,
What does simg2img do exactly? and what would be the potential risk if not using -s option?
Click to expand...
Click to collapse
I figured it out. simg2img is just a bin file to strip sparsed image and make non-sparsed image, and not using -s just build system without any header. so as long as you can burn image to a right partition, you don't need -s option

make_ext4fs -s -l command
This is how i make my ext4 images. I did not got to test on real device my self yet.
Im building my images from cm source btw. This is the command i use to build recovery: make -j4 recoveryimage
After i build a image i run the make_ext4fs command.(userdata.img and system.img seem to be ext4 build by default for me)
make_ext4fs -s -l 1073741824 -a data out/target/product/m805_892x/userdata.img out/target/product/m805_892x/data
make_ext4fs -s -l 10485760 -a data out/target/product/m805_892x/boot.img out/target/product/m805_892x/data
make_ext4fs -s -l 10485760 -a data out/target/product/m805_892x/recovery.img out/target/product/m805_892x/data
make_ext4fs -s -l 314572800 -a data out/target/product/m805_892x/system.img out/target/product/m805_892x/data
gives:
Creating filesystem with parameters:
Size: 314572800
Block size: 4096
Blocks per group: 32768
Inodes per group: 6400
Inode size: 256
Journal blocks: 1200
Label:
Blocks: 76800
Block groups: 3
Reserved block group size: 23
Created filesystem with 911/19200 inodes and 31635/76800 blocks
Install system fs image: out/target/product/m805_892x/system.img
out/target/product/m805_892x/system.img+out/target/product/m805_892x/obj/PACKAGING/recovery_patch_intermediates/recovery_from_boot.p total size is 126213892
[email protected]:~/ICS$
I my BoardConfig i have this:
BOARD_BOOTIMAGE_PARTITION_SIZE := 10485760
BOARD_RECOVERYIMAGE_PARTITION_SIZE := 10485760
BOARD_SYSTEMIMAGE_PARTITION_SIZE := 314572800
BOARD_USERDATAIMAGE_PARTITION_SIZE := 1073741824
(Google for: build android from source if you dont get what im doing..)
The sizes need to be in bytes it seems.
DD dump you´re partitions and you see the amount of bytes.
Just edding some nice info to a old post

what of for a 128mb phone
ufgeek said:
-s is sparse
you need to use the simg2img tool
This is what we do at work (TI)
From: omappedia.org/wiki/Using_EMMC_on_OMAP4_devices
./simg2img system.img system.img.raw
mkdir tmp
sudo mount -t ext4 -o loop system.img.raw tmp/
<<change stuff>>
sudo ./make_ext4fs -s -l 512M -a system system.img.new tmp/
sudo umount tmp
rm -rf tmp
Hope this helps
/chris
PS: The forum won't let me link the URL above
Click to expand...
Click to collapse
my phone refuses to flash the image and i think its because of its size 145mb. how do i create a system.img for a 12mb internal memory phone

$ make_ext4fs
Expected filename after options
make_ext4fs [ -l <len> ] [ -j <journal size> ] [ -b <block_size> ]
[ -g <blocks per group> ] [ -i <inodes> ] [ -I <inode size> ]
[ -L <label> ] [ -f ] [ -a <android mountpoint> ]
[ -S file_contexts ]
[ -z | -s ] [ -t ] [ -w ] [ -c ] [ -J ]
<filename> [<directory>]
All is very simply
-s sparse (cut empty bytes)
-l len (size image)

Related

[SCRIPT] 32A - 32B detection script

Hi,
I don't know how-to detect if a device is 32B or 32A automatically.... Logically, if we do a free command during recovery install, we can AUTOMATICALLY check if it's a 32B/A, then, we create a gile on sdcard called 32B/A, or a prop, and when it flash kernel, or wifi module or sound things, we include this prop in the script
Can anyone create this script?
[EDIT]
Many Thanks to Firerat who mades the script, and a little to me, who has the idea!
So the script is here:
Code:
#!/sbin/sh
# Idea : Artifex14
# script : Firerat => THE BEST!
# 28.06.10
ram=`free|awk '/Mem/ { print $2 }'`
if [ "ram" -gt "97884" ];
then
model=32a
echo "32a"
else
model=32b
echo "This device is a 32b"
fi
if [ "model" = "32a" ];
then
ln -s /tmp/boot.img /tmp/boot32a.img
ln -s /dev/null /tmp/boot32b.img
else
ln -s /tmp/boot.img /tmp/boot32b.img
ln -s /dev/null /tmp/boot32a.img
fi
I thought about this too. It could be done at the time the rom is flashed, but up to now I only know how to make update-script, not updater-script or update-binary. You could pack all sorts of boot images, and then, say, a system-dream, system-sapphire, and system-magic folder and depending on the board version property, flash the appropriate versions of files, at least in theory that should work, plus it prevents you from having to flash extra files just for cross-device compatibility.
jubeh said:
I thought about this too. It could be done at the time the rom is flashed, but up to now I only know how to make update-script, not updater-script or update-binary. You could pack all sorts of boot images, and then, say, a system-dream, system-sapphire, and system-magic folder and depending on the board version property, flash the appropriate versions of files, at least in theory that should work, plus it prevents you from having to flash extra files just for cross-device compatibility.
Click to expand...
Click to collapse
Can you do the script? For the updaterscript, it's OK!
et a script to run
Code:
free|awk '/Mem/ { print $2 }'
and test that, e.g.
Code:
#!/sbin/sh
# KernelPrep.sh
ram=`free|awk '/Mem/ { print $2 }'`
if [ "ram" -gt "97884" ];
then
model=32a
else
model=32b
fi
if [ "model" = "32a" ];
then
ln -s /tmp/boot.img /tmp/boot32a.img
ln -s /dev/null /tmp/boot32b.img
else
ln -s /tmp/boot.img /tmp/boot32b.img
ln -s /dev/null /tmp/boot32a.img
fi
get your updater script to run that, then copy your kernels to /tmp/
Code:
package_extract_dir("kernels", "/tmp");
or
Code:
copy_dir PACKAGE:kernels TMP:
next you can
Code:
write_raw_image("/tmp/boot.img", "boot"),
or
Code:
write_raw_image TMP:boot.img BOOT:
edit:
ps, you don't really need the second if statement, but its easier to read like that
oops , nearly forgot about the kernel modules
Code:
mount /system
install -d /system/lib/modules
ln -s /system/lib/modules /tmp/modules32a
ln -s /dev/null /tmp/modules32b
Firerat said:
et a script to run
Code:
free|awk '/Mem/ { print $2 }'
and test that, e.g.
Code:
#!/sbin/sh
# KernelPrep.sh
ram=`free|awk '/Mem/ { print $2 }'`
if [ "ram" -gt "97884" ];
then
model=32a
else
model=32b
fi
if [ "model" = "32a" ];
then
ln -s /tmp/boot.img /tmp/boot32a.img
ln -s /dev/null /tmp/boot32b.img
else
ln -s /tmp/boot.img /tmp/boot32b.img
ln -s /dev/null /tmp/boot32a.img
fi
get your updater script to run that, then copy your kernels to /tmp/
Code:
package_extract_dir("kernels", "/tmp");
or
Code:
copy_dir PACKAGE:kernels TMP:
next you can
Code:
write_raw_image("/tmp/boot.img", "boot"),
or
Code:
write_raw_image TMP:boot.img BOOT:
edit:
ps, you don't really need the second if statement, but its easier to read like that
oops , nearly forgot about the kernel modules
Code:
mount /system
install -d /system/lib/modules
ln -s /system/lib/modules /tmp/modules32a
ln -s /dev/null /tmp/modules32b
Click to expand...
Click to collapse
I'll try that, THANK!
oops typo
if [ "ram" -gt "97884" ];
should be
if [ "$ram" -gt "97884" ];

[Q] mke2fs on acer a200 and mmcblk08p

From adb shell:
mount (This is to check data isn't mounted. If mounted use "umount data")
mke2fs -j -b 4096 /dev/block/mmcblk0p8
tune2fs -O extents,uninit_bg,dir_index -C 1 /dev/block/mmcblk0p8
e2fsck -fy /dev/block/mmcblk0p8
Click to expand...
Click to collapse
When I do the "mke2fs -j -b 4096 /dev/block/mmcblk0p8" command from adb's shell, it takes forever (I let it run for hours). Something I was thinking about, could I simply "rm -rf /dev/block/mmcblk0p8" first, and then run the above commands? Also, should I not add the "-t ext4" option to the mke2fs command?
I am a 20 year user of linux, so I am not clueless to the command line.
kerijan2003 said:
When I do the "mke2fs -j -b 4096 /dev/block/mmcblk0p8" command from adb's shell, it takes forever (I let it run for hours). Something I was thinking about, could I simply "rm -rf /dev/block/mmcblk0p8" first, and then run the above commands? Also, should I not add the "-t ext4" option to the mke2fs command?
I am a 20 year user of linux, so I am not clueless to the command line.
Click to expand...
Click to collapse
I stopped the mke2fs command, and did the following:
"~ # tune2fs -O extents,uninit_bg,dir_index -C 1 /dev/block/mmcblk0p8
tune2fs 1.41.12 (17-May-2010)
Setting current mount count to 1
Please run e2fsck on the filesystem.
~ # e2fsck -fy /dev/block/mmcblk0p8
e2fsck 1.41.12 (17-May-2010)
One or more block group descriptor checksums are invalid. Fix? yes"
It fixed a whole slew of descriptors, and has been at the following for the last two hours:
"Pass 1: Checking inodes, blocks, and sizes"
Does anyone have any ideas?

[Q] Acer Iconia A1 810 almost rooted - suid not enough ?

Dear all,
I almost managed to root my A1 810... But I need advice to effectively achieve it.
Here are the main steps I followed :
Under linux (Ubuntu 14.04) (These are not detailed instructions, only the main steps. I will post a detailed step by step once finalized)
Code:
- From PC : upload busybox binary file to the tablet
- From Tablet : install "ExDialer & Contacts"
- From Tablet : initiate engineer mode (Dial *#*#3646633#*#* from ExDialer)
- From Tablet : initiate telnetd (run command from MTKlogger from within ExDialer)
- From PC : initiate a shell on tablet with adb
- From the shell : initiate a telnet local connection to tablet
- From the telnet session find out the position of the Android partition (cat /proc/dumchar_info)
- From the telnet session dump the android partition to a gzip file (dd if=/dev/block/mmcblk0 bs=4096 skip=17664 count=262144 | gzip > /data/local/tmp/system.img.gz)
- From PC : download the system image
- From PC : mount the system image on a loop device
- From PC : copy a su binary file to /system/bin ()within the mounted system image)
- From PC : set the correct permissions to the su executable (sudo chmod 06755 su) => it's here that you really getting the root permission
- From PC : unmount image
- From PC : upload the upaded image to the tablet (adb push)
- From the telnet session copy the updated system image to the android partition (zcat /data/local/tmp/system.img.gz | dd of=/dev/block/mmcblk0 bs=4096 seek=17664 count=262144) (Take care that's the dangerous part !!!!)
- Restart the tablet.
I didn't brick my tablet ... But it is not effectively rooted either
I checked from the terminal emulator that "su" has the correct properties :
ls -l su
-rwsr-sr-x root shell 311872 2014-08-15 23:16 su
But when I try something like :
su
ls /data
I get : opendir failed. Permission denied.
Obviously, I am not root...
Any idea ?
You can root with:
POOT: This app is a one click root app. No computer needed
Framaroot: Framaroot is a oneclick root app . No computer needed
This is the most popular one!
Z4Root: Z4Root is an oneclick root app . No computer needed
Towelroot: Towelroot is an oneclick root app. No computer needed
Baidu: No information
Vroot: No information
Gingerbreak: This app can root almost all gingerbread devices
Downloads:
Poot - Download the app >>here<<
Framaroot - Download the app inside this XDA Thread - >> CLICK HERE <<
Z4ROOT - Download the app inside this XDA Thread - >> CLICK HERE <<
Towelroot - Download the app inside this XDA Thread - >> CLICK HERE <<
Baidu ROOT - Download the app >> HERE <<
vROOT - Download the app >> HERE <<
Gingerbreak - Download the app inside this XDA Thread - >> CLICK HERE <<
Flash a SU ZIP - Download the ZIP >> HERE << and flash it on your unlocked bootloader phone !
Hit thanks if you liked this post or this post has helped you out !<br/>
Sent through my Galaxy Note using Tapatalk 4
Bink Feed: Thank you for trying.
There are many people trying to root this tablet since KitKat OTA has been issued... without any success.
Most or all the tools you listed have already been tested, again, without any success.
(see [ToolKit] Acer Iconia v0.8.3)
Since KitKat, the [ToolKit] Acer Iconia v0.8.3 does not work anymore. The main reason is that the "run command" used in engineering mode disappeared.
Yesterday, I found it again : it is now in the parameters from MTKLogger (!)
With that finding, I now have access to the guts of the android system.
I need help from the community to understand what I is missing :
Based on the rooting guide Acer Iconia B1 A71 Root written by entonjackson (many thanks to him)
I managed to extract a valid system image (dd if=/dev/block/mmcblk0 ... | gzip > system.img.gz)
I mounted that image (mount -o loop system.img /media/iconia)
I changed the permission of /system/xbin/su (chmod 06755 su)
I wrote back the system image to the tablet android partition (zcat system.img.gz | dd of=/dev/block/mmcblk0 ...)
et voilà !
... the only remaining problem is that I did not gain root access, even if su has now the correct properties (-rwsr-sr-x root root)
Anybody can tell me what else should I change in the android system image ?
Answering to myself...
##STANDARD DISCLAIMER => No responsibility, blah, blah, ...##
With KitKat, it is also necessary to have a running "su daemon".
A solution is to create a "install-recovery.sh" file in /system/etc. This script is executed at each boot.
Detailed step by step:
Files: (remove [grr] from ht[grr]tp)
busybox binary, for example from ht[grr]tp://busybox.net/downloads/binaries/latest/busybox-armv7l (to be renamed to busybox)
su binary, Superuser.apk and install-recovery.sh to be extracted from ht[grr]tp://download.clockworkmod.com/superuser/superuser.zip​Operating system:
Any decent Linux distribution (I'm on Ubuntu since years)​1/ copy busybox binary to the tablet
[email protected]:~$ adb push busybox /data/local/tmp/
[email protected]:~$ adb shell
[email protected]:/ $ chmod 755 /data/local/tmp/busybox​2/ start a telnet daemon on the tablet
install "ExDialer - Dialer & Contacts" on the tablet
Initiate engineering mode: dial *#*#ENGMODE#*#*
Go to the "Log and Debugging" tab
Launch MTKLogger
Go to the settings
Select "Run Command"
Type: /data/local/tmp/busybox telnetd -l /system/bin/sh -p 1234
Press ok. Now a telnet daemon should be running on the tablet with some kind of privileges.​3/ connect to the tablet (adb shell + telnet):
[email protected]:~$ adb shell
[email protected]:/ $ /data/local/tmp/busybox telnet 127.0.0.1 1234​4/ Find out the start address and size of the System partition
[email protected]:/ $ cat /proc/dumchar_info​
Code:
Part_Name Size StartAddr Type MapTo
preloader 0x0000000000c00000 0x0000000000000000 2 /dev/misc-sd
mbr 0x0000000000080000 0x0000000000000000 2 /dev/block/mmcblk0
ebr1 0x0000000000080000 0x0000000000080000 2 /dev/block/mmcblk0p1
pmt 0x0000000000400000 0x0000000000100000 2 /dev/block/mmcblk0
pro_info 0x0000000000300000 0x0000000000500000 2 /dev/block/mmcblk0
nvram 0x0000000000500000 0x0000000000800000 2 /dev/block/mmcblk0
protect_f 0x0000000000a00000 0x0000000000d00000 2 /dev/block/mmcblk0p2
protect_s 0x0000000000a00000 0x0000000001700000 2 /dev/block/mmcblk0p3
seccfg 0x0000000000020000 0x0000000002100000 2 /dev/block/mmcblk0
uboot 0x0000000000060000 0x0000000002120000 2 /dev/block/mmcblk0
bootimg 0x0000000000600000 0x0000000002180000 2 /dev/block/mmcblk0
recovery 0x0000000000a00000 0x0000000002780000 2 /dev/block/mmcblk0
sec_ro 0x0000000000600000 0x0000000003180000 2 /dev/block/mmcblk0p4
misc 0x0000000000080000 0x0000000003780000 2 /dev/block/mmcblk0
logo 0x0000000000300000 0x0000000003800000 2 /dev/block/mmcblk0
expdb 0x0000000000a00000 0x0000000003b00000 2 /dev/block/mmcblk0
android 0x0000000040000000 0x0000000004500000 2 /dev/block/mmcblk0p5
cache 0x000000002bc00000 0x0000000044500000 2 /dev/block/mmcblk0p6
usrdata 0x0000000332020000 0x0000000070100000 2 /dev/block/mmcblk0p7
bmtpool 0x0000000000000000 0x00000000ff3f00a8 2 /dev/block/mmcblk0
Part_Name:Partition name you should open;
Size:size of partition
StartAddr:Start Address of partition;
Type:Type of partition(MTD=1,EMMC=2)
MapTo:actual device you operate
Look at the line "android". Convert the associated start address and the size in number of 4096 blocks. Considering the values above, I obtained: start adress = 17664x4096, size = 262144x4096.​5/ dump the content of the android partition (it's there that the su binary will go)
[email protected]:/ $ dd if=/dev/block/mmcblk0 bs=4096 skip=17664 count=262144 | /data/local/tmp/busybox gzip > /data/local/tmp/system.img.gz​6/ copy that file to the PC and make a copy (who knows... it may be useful)
[email protected]:~$ adb pull /data/local/tmp/system.img.gz
[email protected]:~$ cp system.img.gz system.img.untouched.gz​7/ mount that file (change "user" to your current user name in the following instructions)
[email protected]:~$ mkdir /home/user/Iconia_system
[email protected]:~$ gunzip system.img.gz
[email protected]:~$ sudo mount -o loop system.img /home/user/Iconia_system​8/ make some change to the android file system (removing old su binary, backing up old install-recovery.sh, installing new su, new install-recovery.sh):
[email protected]:~$ sudo rm -f /home/user/Iconia_system/bin/su
[email protected]:~$ sudo rm -f home/user/Iconia_system/xbin/su
[email protected]:~$ sudo rm -f /system/app/Superuser.*
[email protected]:~$ sudo rm -f /system/app/Supersu.*
[email protected]:~$ sudo rm -f /system/app/superuser.*
[email protected]:~$ sudo rm -f /system/app/supersu.*
[email protected]:~$ sudo rm -f /system/app/SuperUser.*
[email protected]:~$ sudo rm -f /system/app/SuperSU.*
[email protected]:~$ sudo cp /home/user/Iconia_system/etc/install-recovery.sh /home/user/Iconia_system/etc/install-recovery.sh.bak
[email protected]:~$ sudo cp su /home/user/Iconia_system/xbin/su
[email protected]:~$ sudo chown root.root /home/user/Iconia_system/xbin/su
[email protected]:~$ sudo chmod 6755 /home/user/Iconia_system/xbin/su
[email protected]:~$ sudo ln -s /system/xbin/su /home/user/Iconia_system/bin/su
[email protected]:~$ sudo cp Superuser.apk /home/user/Iconia_system/app
[email protected]:~$ sudo chmod 644 /home/user/Iconia_system/app/Superuser.apk
[email protected]:~$ sudo cp install-recovery.sh /home/user/Iconia_system/etc/install-recovery.sh
[email protected]:~$ sudo chmod 755 /home/user/Iconia_system/etc/install-recovery.sh​9 remove some bloatware (optional)
[email protected]:~$ sudo rm /home/user/Iconia_system/app/e.g. PlusOne.apk
[email protected]:~$ sudo rm /home/user/Iconia_system/priv-app/e.g. AccuWeather.apk​10/ unmount the android file system
[email protected]:~$ sudo umount /home/user/Iconia_system​11/ compress the file
[email protected]:~$ gzip system.img​12/ push it back to the tablet
[email protected]:~$ adb push system.img.gz /data/local/tmp/​13/ connect to the tablet and "burn" the modified file system (be patient, will take up to 10 minutes)
[email protected]:~$ adb shell
[email protected]:/ $ /data/local/tmp/busybox telnet 127.0.0.1 1234
[email protected]:/ $ /data/local/tmp/busybox zcat /data/local/tmp/system.img.gz | dd of=/dev/block/mmcblk0 bs=4096 seek=17664 count=262144
[email protected]:/ $ exit
[email protected]:/ $ exit​14/ restart the tablet
Huge Thanx, works for me too Great work
Edit: Mhh, OK, The system boots with "preinstalled" Superuser, but if i try to give some apps root permission, there is no root popup from superuser, and no root. Can you Plesse upload your system.img.gz to test it with that?
Maybe it works With the SuperSu Binarys...
I confirm it works with superuser.apk from clockworkmod.
SuperSU seems a little bit more tricky to install if you don't have direct rw access to /system.
Did you copy the install-recovery.sh script into /system/etc and set the correct rights (755) ?
Maybe you need to clean some cache ?
Do you have another supersuser app (or binary) installed ?
The "su" command from adb shell works ?
I am uploading my system.img.gz (be careful, it is for Acer_AV0K0_A1-810_RV0BRC01_WW_GEN1) (2 hours left)
Optimissimus99 said:
Huge Thanx, works for me too Great work
Edit: Mhh, OK, The system boots with "preinstalled" Superuser, but if i try to give some apps root permission, there is no root popup from superuser, and no root. Can you Plesse upload your system.img.gz to test it with that?
Maybe it works With the SuperSu Binarys...
Click to expand...
Click to collapse
Bruno25 said:
I confirm it works with superuser.apk from clockworkmod.
SuperSU seems a little bit more tricky to install if you don't have direct rw access to /system.
Did you copy the install-recovery.sh script into /system/etc and set the correct rights (755) ?
Maybe you need to clean some cache ?
Do you have another supersuser app (or binary) installed ?
The "su" command from adb shell works ?
I am uploading my system.img.gz (be careful, it is for Acer_AV0K0_A1-810_RV0BRC01_WW_GEN1) (2 hours left)
Click to expand...
Click to collapse
Im getting the same problems as @Optimissimus99.
install-recovery has the right perms, using superuser from cwm, su in adb shell works, but i cant remount /system
Code:
[email protected] ~/iconia $ adb shell
[email protected]:/ $ su
[email protected]:/ # mount -o rw,remount /system
mount: Operation not permitted
fREAST0 said:
Im getting the same problems as @Optimissimus99.
install-recovery has the right perms, using superuser from cwm, su in adb shell works, but i cant remount /system
Code:
[email protected] ~/iconia $ adb shell
[email protected]:/ $ su
[email protected]:/ # mount -o rw,remount /system
mount: Operation not permitted
Click to expand...
Click to collapse
I think it is not the same problem: I also cannot remount /system rw. It seems to be a new security level introduced with KitKat on the A1-810.
I am still looking for a solution.
A potential solution is to change the content default.prop in boot.img.
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
ro.allow.mock.location=0
persist.mtk.aee.aed=on
ro.debuggable=0
ro.adb.secure=1
persist.sys.usb.config=mtp
persist.service.acm.enable=0
ro.mount.fs=EXT4
ro.persist.partition.support=no
I read that ro.secure=1 should be change to ro.secure=0 and ro.debuggable=0 to ro.debuggable=1
But for that, boot.img has to be dumped, splitted (kernel + ramdisk), ramdisk has to be "uncpio", changed, "cpio", merged back with the kernel and write back to the tablet.
The standard tools (abootimg, unpack-bootimg.pl, ...) cannot split correctly boot.img (they look for a gzip magic number preceded by some zeros... But in that case, the gzip magic numbers are preceded by FFs...).
Moreover, the boot.img (dumped directly from the tablet since it is not available from Acer web site) has 3 ramdisks, which is really unusual !
I am a little bit scared to brick my tablet...
Bruno25 said:
I think it is not the same problem: I also cannot remount /system rw. It seems to be a new security level introduced with KitKat on the A1-810.
I am still looking for a solution.
A potential solution is to change the content default.prop in boot.img.
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
ro.allow.mock.location=0
persist.mtk.aee.aed=on
ro.debuggable=0
ro.adb.secure=1
persist.sys.usb.config=mtp
persist.service.acm.enable=0
ro.mount.fs=EXT4
ro.persist.partition.support=no
I read that ro.secure=1 should be change to ro.secure=0 and ro.debuggable=0 to ro.debuggable=1
But for that, boot.img has to be dumped, splitted (kernel + ramdisk), ramdisk has to be "uncpio", changed, "cpio", merged back with the kernel and write back to the tablet.
The standard tools (abootimg, unpack-bootimg.pl, ...) cannot split correctly boot.img (they look for a gzip magic number preceded by some zeros... But in that case, the gzip magic numbers are preceded by FFs...).
Moreover, the boot.img (dumped directly from the tablet since it is not available from Acer web site) has 3 ramdisks, which is really unusual !
I am a little bit scared to brick my tablet...
Click to expand...
Click to collapse
That sounds like a probable cause for the system partition.
Anyway i got root working (still no system R/W), using files and the binaries from http://download.chainfire.eu/supersu with a modified script (update-binary form that zip, which is used in recovery) to work while the system.img is mounted.
sudo mkdir /home/user/iconia
cd /home/user/iconia/
sudo mkdir system
wget http://download.chainfire.eu/452/SuperSU/UPDATE-SuperSU-v2.02.zip?retrieve_file=1
unzip UPD[...] -d supersu
wget http://fs1.d-h.st/download/00138/WBX/update-binary
sudo chmod u+x update-binary
sudo mount -o loop system.img system
sudo ./update-binary
sudo umount system
gzip system.img and so on
Click to expand...
Click to collapse
fREAST0 said:
That sounds like a probable cause for the system partition.
Anyway i got root working (still no system R/W), using files and the binaries from http://download.chainfire.eu/supersu with a modified script (update-binary form that zip, which is used in recovery) to work while the system.img is mounted.
Click to expand...
Click to collapse
Thank you fo the tip ! I didn't ever think to use the update-binary script offline !
Bruno25 said:
I confirm it works with superuser.apk from clockworkmod.
SuperSU seems a little bit more tricky to install if you don't have direct rw access to /system.
Did you copy the install-recovery.sh script into /system/etc and set the correct rights (755) ?
Maybe you need to clean some cache ?
Do you have another supersuser app (or binary) installed ?
The "su" command from adb shell works ?
I am uploading my system.img.gz (be careful, it is for Acer_AV0K0_A1-810_RV0BRC01_WW_GEN1) (2 hours left)
Click to expand...
Click to collapse
Upload finished (remove [grr] from ht[grr]tp) => ht[grr]tp://mq3dk1y9c3.mesfichiers.org/
fREAST0 said:
Im getting the same problems as @Optimissimus99.
install-recovery has the right perms, using superuser from cwm, su in adb shell works, but i cant remount /system
Code:
[email protected] ~/iconia $ adb shell
[email protected]:/ $ su
[email protected]:/ # mount -o rw,remount /system
mount: Operation not permitted
Click to expand...
Click to collapse
In A1-810, you need this command to remount /system:
Code:
mount -o remount,rw /system /system/
twu2 said:
In A1-810, you need this command to remount /system:
Code:
mount -o remount,rw /system /system/
Click to expand...
Click to collapse
@twu: are you sure the special mount is still used in the A1-810 using KK? I thought it was only a JB special, but you could be right...
I will play with the rooting method of this thread as soon as my A1-810 is on KK...
twu2 said:
In A1-810, you need this command to remount /system:
Code:
mount -o remount,rw /system /system/
Click to expand...
Click to collapse
No joy
Code:
[email protected]:/ # mount -o remount,rw /system /system/
mount: permission denied (are you root?)
By the way, I noticed that my mount command is weird :
Code:
[email protected]:/ # which mount
/system/bin/mount
[email protected]:/ # ls -l /system/bin/mount
lrwxrwxrwx root root 2013-08-23 12:51 mount -> wrapper.sh
Content of wrapper.sh :
Code:
#!/system/bin/sh
CMD=`basename $0`
ARG="$*"
NEWARG="-o remount,rw /system /system/"
LArg=$(eval echo \$$#)
case "$CMD" in
"busybox")
if [ $1 == "mount" ] && (([ $2 == "-o" ] && ([ $3 == "rw,remount" ] || [ $3 == "remount,rw" ])) || [ $2 == "-oremount,rw" ] || [ $2 == "-oremount,rw" ]); then
if [ $LArg == "/system" ] || [ $LArg == "/system/" ]; then
/system/xbin/.mount_wrapper/mount $NEWARG
# return $?
return 0
fi
fi
/system/xbin/busybox $ARG
# return $?
return 0
;;
"mount")
if ([ $1 == "-o" ] && ([ $2 == "rw,remount" ] || [ $2 == "remount,rw" ])) || [ $1 == "-oremount,rw" ] || [ $1 == "-orw,remount" ]; then
if [ $LArg == "/system" ] || [ $LArg == "/system/" ]; then
/system/xbin/.mount_wrapper/mount $NEWARG
# return $?
return 0
fi
fi
/system/bin/toolbox mount $ARG
# return $?
return 0
;;
esac
exit 0
It may come from a previous JB busybox installation (?)
If I force the use of toolbox :
Code:
[email protected]:/ # toolbox mount -o remount,rw /system /system/
mount: Operation not permitted
Am I the only one with that messy configuration ?
Bruno25 said:
No joy
Code:
[email protected]:/ # mount -o remount,rw /system /system/
mount: permission denied (are you root?)
By the way, I noticed that my mount command is weird :
Code:
[email protected]:/ # which mount
/system/bin/mount
[email protected]:/ # ls -l /system/bin/mount
lrwxrwxrwx root root 2013-08-23 12:51 mount -> wrapper.sh
Content of wrapper.sh :
Code:
#!/system/bin/sh
CMD=`basename $0`
ARG="$*"
NEWARG="-o remount,rw /system /system/"
LArg=$(eval echo \$$#)
case "$CMD" in
"busybox")
if [ $1 == "mount" ] && (([ $2 == "-o" ] && ([ $3 == "rw,remount" ] || [ $3 == "remount,rw" ])) || [ $2 == "-oremount,rw" ] || [ $2 == "-oremount,rw" ]); then
if [ $LArg == "/system" ] || [ $LArg == "/system/" ]; then
/system/xbin/.mount_wrapper/mount $NEWARG
# return $?
return 0
fi
fi
/system/xbin/busybox $ARG
# return $?
return 0
;;
"mount")
if ([ $1 == "-o" ] && ([ $2 == "rw,remount" ] || [ $2 == "remount,rw" ])) || [ $1 == "-oremount,rw" ] || [ $1 == "-orw,remount" ]; then
if [ $LArg == "/system" ] || [ $LArg == "/system/" ]; then
/system/xbin/.mount_wrapper/mount $NEWARG
# return $?
return 0
fi
fi
/system/bin/toolbox mount $ARG
# return $?
return 0
;;
esac
exit 0
It may come from a previous JB busybox installation (?)
If I force the use of toolbox :
Code:
[email protected]:/ # toolbox mount -o remount,rw /system /system/
mount: Operation not permitted
Am I the only one with that messy configuration ?
Click to expand...
Click to collapse
IIRC that wrapper is included in the toolkit for the A1 root, i think @twu2 made it
Skickat från min GT-I9505 via Tapatalk
fREAST0 said:
IIRC that wrapper is included in the toolkit for the A1 root, i think @twu2 made it
Skickat från min GT-I9505 via Tapatalk
Click to expand...
Click to collapse
You remembered well: the wrapper and all the busybox links comes from the toolkit (inside the a1su.tgz file).
Bruno25 said:
You remembered well: the wrapper and all the busybox links comes from the toolkit (inside the a1su.tgz file).
Click to expand...
Click to collapse
I don't have kitkat in my a1-810 (not got any OTA about this).....
in JB, yes, mount /system command will force to use busybox to mount it (toolbox not work).
twu2 said:
I don't have kitkat in my a1-810 (not got any OTA about this).....
in JB, yes, mount /system command will force to use busybox to mount it (toolbox not work).
Click to expand...
Click to collapse
Dear twu2, since you are still with JB , could you post the content of your /default.prop ? I would like to check what should be changed in mine to get rw access to /system
/default.prop, Android 4.4.2, Acer Iconia A1-810
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
ro.allow.mock.location=0
persist.mtk.aee.aed=on
ro.debuggable=0
ro.adb.secure=1
persist.sys.usb.config=mtp
persist.service.acm.enable=0
ro.mount.fs=EXT4
ro.persist.partition.support=no
Kitkat Root
twu2 said:
In A1-810, you need this command to remount /system:
Code:
mount -o remount,rw /system /system/
Click to expand...
Click to collapse
Bruno25 said:
No joy
Code:
[email protected]:/ # mount -o remount,rw /system /system/
mount: permission denied (are you root?)
By the way, I noticed that my mount command is weird :
Code:
[email protected]:/ # which mount
/system/bin/mount
[email protected]:/ # ls -l /system/bin/mount
lrwxrwxrwx root root 2013-08-23 12:51 mount -> wrapper.sh
Content of wrapper.sh :
Code:
#!/system/bin/sh
CMD=`basename $0`
ARG="$*"
NEWARG="-o remount,rw /system /system/"
LArg=$(eval echo \$$#)
case "$CMD" in
"busybox")
if [ $1 == "mount" ] && (([ $2 == "-o" ] && ([ $3 == "rw,remount" ] || [ $3 == "remount,rw" ])) || [ $2 == "-oremount,rw" ] || [ $2 == "-oremount,rw" ]); then
if [ $LArg == "/system" ] || [ $LArg == "/system/" ]; then
/system/xbin/.mount_wrapper/mount $NEWARG
# return $?
return 0
fi
fi
/system/xbin/busybox $ARG
# return $?
return 0
;;
"mount")
if ([ $1 == "-o" ] && ([ $2 == "rw,remount" ] || [ $2 == "remount,rw" ])) || [ $1 == "-oremount,rw" ] || [ $1 == "-orw,remount" ]; then
if [ $LArg == "/system" ] || [ $LArg == "/system/" ]; then
/system/xbin/.mount_wrapper/mount $NEWARG
# return $?
return 0
fi
fi
/system/bin/toolbox mount $ARG
# return $?
return 0
;;
esac
exit 0
It may come from a previous JB busybox installation (?)
If I force the use of toolbox :
Code:
[email protected]:/ # toolbox mount -o remount,rw /system /system/
mount: Operation not permitted
Am I the only one with that messy configuration ?
Click to expand...
Click to collapse
For the RW workaround, you need to place a superuser app in /system/app, an su binary in /system/bin an su binary in /system/xbin, a busybox binary in /system/bin, and an su binary in /system/bin/.ext4. The one in /system/bin/.ext4 lets you do a mount -o remount,RW /system /system/ for RW workaround. You need all 3 su binaries. Take this system.IMG.gz as an example. Do a mount -o loop to see contents. Do not flash it to tablet because it is a jellybean a1-810 image. I repeat, do not flash it.
http://forum.xda-developers.com/showthread.php?t=2240029
Press a1-810 and download the pa_cus1 image. I can't post the direct link due to the 10 post policy.
carl031462 said:
For the RW workaround, you need to place a superuser app in /system/app, an su binary in /system/bin an su binary in /system/xbin, a busybox binary in /system/bin, and an su binary in /system/bin/.ext4. The one in /system/bin/.ext4 lets you do a mount -o remount,RW /system /system/ for RW workaround. You need all 3 su binaries. Take this system.IMG.gz as an example. Do a mount -o loop to see contents. Do not flash it to tablet because it is a jellybean a1-810 image. I repeat, do not flash it.
http://forum.xda-developers.com/showthread.php?t=2240029
Press a1-810 and download the pa_cus1 image. I can't post the direct link due to the 10 post policy.
Click to expand...
Click to collapse
No joy, yet,
Code:
[email protected]:/ # ls -al /system/bin/.ext4/
lrwxrwxrwx root root 2014-08-29 22:08 su -> /system/xbin/su
[email protected]:/ # busybox mount -o remount,rw /system /system/
mount: permission denied (are you root?)

Android 10_Q system-as-root

As the thread starter state's...
Android 10 'System-As-Root' was never supposed to be released. Google it.
It never was. Nothing wrong with my fone. boot-debug.img IS the system-as-root, it just isnt a root app.
User-debug will be tied to your account, so dont expect to see them ever again...
So many naysayers saying my fone company got it wrong, that my fone is fecked up...
Na.. System-As-Root = root, as good as it's ever gonna be in the open, provided by boot-debug.
You have root but cant flash a dynamic /system. Magisk KILL's Developer/Feature Flags. With stock boot, feature flags is seen, but shows 'experimental' nothing else. With boot-debug, all feature flags are shown. First thing you'll do is flash magisk. Why does magisk remove this access? In particular for YOU is 'settings-dynamic-system' (used to overlay your gsi - needed to flash gsi). Without these feature flags to set, how will your magisk'd fone boot gsi on system-as-root a-only? It cant. Uninstall magisk... but magisk leaves traces on the fone that prevent earlier versions of magisk being installed, so how can we test earlier versions? That we know worked before?
Magisk'd boot removes the feature flags section from developer menu in Android 10_Q. Why?
This is needed to mount any gsi on an 'a-only' 'system-as-root', by mounting to 'upper' partition, which wipes when re-flashing stock boot.img. Do the work in the upper (like we do in twrp) reflash to the lower after 'sync' will retain your work before reflashing stock boot.img, so no root app needed, but we need one to cut down on how tedious it all is now.. at least they keep you at home... safe lol...
Magisk is only using overlay because it works in pie... in fact, all using magisk are using PIE exploits that dont work in android 10 system as root!! (just a noticed warning )
SystemRW works in PIE, even works in my system-as-root but useless, cause the point, being able to write system while in fone gui, is negated by the fact that system is ro, in about 20 different locations, in about a billion different mount points and well... right down to file sizes for each file in each partition contained within the super.img, but what I dont get is why it works in twrp, yet not in the gui.. (i'm in the directory so cant mount it when using fone, duh...)
As for the other tool to create rw in the super partition, I'll say this:
Pie is dying. Re-write your apps to work with the android 10 super, which is NOT the same as PIE super.img... (this is not a super.img ring any bell's?)
Both rw tool authors stuck on them damn pie's.. I'd swap parted to get the auto resize of space on the fly, I'd give my 10 cents worth, but you know better... if they kill all fones previous to android 10... google win.
They gave us root.
Overlay your own tools!
In a system-as-root booted fone. Feck safety net, I use my nokia 8310 to this day..
And for the naysayers...
D:\0\AdbStation>adb reboot download
D:\0\AdbStation>fastboot flashing unlock_critical
(bootloader) Start unlock flow
OKAY [ 4.196s]
Finished. Total time: 4.196s
D:\0\AdbStation>fastboot --disable-verity --disable-verification flash boot boot
-debug.img
Sending 'boot' (32768 KB) OKAY [ 0.764s]
Writing 'boot' OKAY [ 0.515s]
Finished. Total time: 1.420s
D:\0\AdbStation>fastboot -w
Erasing 'userdata' OKAY [ 0.452s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 6311931 4k blocks and 1581056 inodes
Filesystem UUID: aa3b871c-2496-11ec-9dd6-d71d0c30be37
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'userdata' (180 KB) OKAY [ 0.016s]
Writing 'userdata' OKAY [ 0.047s]
Erasing 'cache' OKAY [ 0.016s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 110592 4k blocks and 110592 inodes
Filesystem UUID: aa63fe86-2496-11ec-99f6-f719dec4c630
Superblock backups stored on blocks:
32768, 98304
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'cache' (68 KB) OKAY [ 0.016s]
Writing 'cache' OKAY [ 0.031s]
Erasing 'metadata' OKAY [ 0.016s]
Erase successful, but not automatically formatting.
File system type raw data not supported.
Finished. Total time: 0.889s
D:\0\AdbStation>fastboot reboot
Rebooting OKAY [ 0.000s]
Finished. Total time: 0.000s
D:\0\AdbStation>adb disable-verity
Error getting verity state. Try adb root first?
D:\0\AdbStation>adb root
restarting adbd as root
D:\0\AdbStation>adb shell
Armor_X5_Q:/ # whoami
root
Armor_X5_Q:/ # mount -o rw,remount /
'/dev/block/dm-3' is read-only
Armor_X5_Q:/ # mount -o rw,remount /sys
Armor_X5_Q:/ # cd sys
Armor_X5_Q:/sys # ls
block bus dev firmware kernel mtk_rgu
bootinfo class devices fs module power
Armor_X5_Q:/sys # bootinfo
/system/bin/sh: bootinfo: inaccessible or not found
127|Armor_X5_Q:/sys # bootinfo --help
/system/bin/sh: bootinfo: inaccessible or not found
127|Armor_X5_Q:/sys # devices
/system/bin/sh: devices: inaccessible or not found
127|Armor_X5_Q:/sys # cd dev
Armor_X5_Q:/sys/dev # ls
block char
Armor_X5_Q:/sys/dev # cd /
Armor_X5_Q:/ # cd /
Armor_X5_Q:/ # ls
acct d init.environ.rc metadata sbin
apex data init.rc mnt sdcard
bin debug_ramdisk init.usb.configfs.rc odm storage
bugreports default.prop init.usb.rc oem sys
cache dev init.zygote32.rc proc system
charger etc init.zygote64_32.rc product ueventd.rc
config init lost+found product_services vendor
Armor_X5_Q:/ # cd system
Armor_X5_Q:/system # cd bin
Armor_X5_Q:/system/bin # ls
AudioSetParam hwclock printenv
abb hwservicemanager printf
acpi i2cdetect procrank
adbd i2cdump profman
aee i2cget ps
aee_aed i2cset pwd
aee_aed64 iconv racoon
aee_archive id readlink
aee_core_forwarder idmap realpath
aee_dumpstate idmap2 reboot
am idmap2d recovery-persist
apexd ifconfig renice
app_process ime requestsync
app_process32 incident resize.f2fs
app_process64 incident_helper resize2fs
applypatch incidentd restorecon
appops init rm
appwidget inotifyd rmdir
art_apex_boot_integrity input rmmod
ashmemd insmod rss_hwm_reset
atrace install rtt
audioserver install-recovery.sh run-as
auditctl installd runcon
awk ionice schedtest
badblocks iorapd screencap
base64 iorenice screenrecord
basename ip sdcard
batterywarning ip-wrapper-1.0 secdiscard
bc ip6tables secilc
bcc ip6tables-restore sed
blank_screen ip6tables-save sendevent
blkid ip6tables-wrapper-1.0 sensorservice
blockdev iptables seq
bmgr iptables-restore service
boot_logo_updater iptables-save servicemanager
bootstat iptables-wrapper-1.0 setenforce
bootstrap keystore setprop
bpfloader keystore_cli_v2 setsid
bu kill settings
bugreport killall sgdisk
bugreportz kpoc_charger sh
bunzip2 lbs_dbg sha1sum
bzcat lcdc_screen_cap sha224sum
bzip2 ld.mc sha256sum
cal librank sha384sum
cameraserver linker sha512sum
cat linker64 showmap
charger linker_asan simpleperf
chcon linker_asan64 simpleperf_app_runner
chgrp lmkd sleep
chmod ln sload_f2fs
chown load_policy sm
chroot locksettings sort
chrt log split
cksum logcat ss
clatd logd sspm_log_writer
clear loghidlsysservice st_factorytests
cmd logname start
cmp logwrapper stat
comm losetup statsd
connsyslogger lpdump stop
content lpdumpd storaged
cp ls strings
cpio lshal stty
crash_dump32 lsmod surfaceflinger
crash_dump64 lsof svc
cut lspci swapoff
dalvikvm lsusb swapon
dalvikvm32 make_f2fs sync
dalvikvm64 md5sum sysctl
date mdlogger tac
dd mdnsd tail
debuggerd media tar
defrag.f2fs mediadrmserver taskset
device_config mediaextractor tc
devmem mediametrics tc-wrapper-1.0
dex2oat mediaserver tcpdump
dexdiag met-cmd tee
dexdump met_log_d telecom
dexlist microcom terservice
dexoptanalyzer migrate_legacy_obb_data.sh thermald
df mini-keyctl time
diff mkdir timeout
dirname mke2fs tombstoned
dmctl mkfifo toolbox
dmesg mkfs.ext2 top
dnsmasq mkfs.ext3 touch
dos2unix mkfs.ext4 toybox
dpm mknod tr
drmserver mkswap traced
du mktemp traced_probes
dumpstate mobile_log_d trigger_perfetto
dumpsys modemdbfilter_client true
e2fsck modinfo truncate
e2fsdroid modprobe tty
echo monkey tune2fs
egrep more tzdatacheck
emdlogger1 mount ueventd
emdlogger2 mountpoint uiautomator
emdlogger3 move_widevine_data.sh ulimit
emdlogger5 mtkbootanimation umount
env mtpd uname
expand mv uncrypt
expr nc uniq
fallocate ndc unix2dos
false ndc-wrapper-1.0 unlink
fgrep netcat unshare
file netd unzip
find netdiag uptime
flags_health_check netstat usbd
flock netutils-wrapper-1.0 usleep
fmt newfs_msdos uudecode
free nfcstackp uuencode
fsck.f2fs nice uuidgen
fsck_msdos nl vdc
fsverity_init nohup viewcompiler
fsync notify_traceur.override.sh vintf
gatekeeperd notify_traceur.sh vmstat
getconf nproc vold
getenforce nsenter vold_prepare_subdirs
getevent oatdump vr
getprop od vtservice
gpuservice oem-iptables-init.sh wait_for_keymaster
grep paste watch
groups patch watchdogd
gsi_tool perfetto wc
gsid pgrep which
gunzip pidof whoami
gzip ping wificond
head ping6 wm
heapprofd pkill xargs
hid pm xxd
hostname pmap yes
hw pppd zcat
Armor_X5_Q:/system/bin # getenforce
Enforcing
Armor_X5_Q:/system/bin # setenforce 0
Armor_X5_Q:/system/bin # get enforce
/system/bin/sh: get: inaccessible or not found
127|Armor_X5_Q:/system/bin # getenforce
Permissive
Armor_X5_Q:/system/bin # root mofo's, System-As-Root! boot-debug rocks!
> ^C
130|Armor_X5_Q:/system/bin # Who needs su
/system/bin/sh: Who: inaccessible or not found
127|Armor_X5_Q:/system/bin # whoami
root
Armor_X5_Q:/system/bin #

mitm on android emulator: a howto

Hello all,
I'd like to braindump how I managed to make android emulator v30 work with mitm, hope that helps someone.
Since it was not possible to neither write nor make writable the /system partition, I decided to roll my own system.img and that actually worked. I'm not going to upload a script because I might not remember 100%, but I'll going to descibe the steps in full, even though they exist elsewhere. The commands might not be exact, too, so if there's a typo you'll need to figure it out yourself.
Also, it will be a bit confusing because I shall refer to 2 files named system.img, one is the 2G file that comes with android, the other is 700M or something file that you will be creating in the process. I'll refer them as #1 and #2.
1. What is needed: android studio and emulator, linux, xattr, https://github.com/LonelyFool/lpunpack_and_lpmake , https://github.com/tytso/e2fsprogs, mitmproxy, parted. Build these github projects, you'll need their binaries in the process.
also, 'mkdir build' somewhere.
2. Find system.img (#1) in your android studio installation, then extract the system partition:
$ losetup -f system.img
$ losetup -a | grep system.img
/dev/loop5
$ partprobe /dev/loop5
$ ls /dev/loop5p*
/dev/loop5p1 /dev/loop5p2
$ lpunpack_and_lpmake/bin/lpunpack /dev/loop5p2 build
$ ls build
system.img system-ext.img product.img vendor.img
$ losetup -d /dev/loop5
3. Make system.img (#2) writable and usable. This is ext4 crunched with feature shared_blocks, which makes it not really writable even in theory, as it deduplicates identical blocks in the filesystem. You'll need to convert that to a normal ext4, but, there's not enough space to do that operation. So you'll need to expand the partition to accomodate for this. How much? Empirically, I added 30M to a 700M partition:
$ ls -l system.img
700000000 # for example
$ e2fsprogs/resize/resize2fs system.img 730M
$ ls -l system.img
730000000 # for example
$ e2fsprogs/e2fsck/e2fsck -f system.img
$ e2fsprogs/e2fsck/e2fsck -E unshared_blocks system.img
$ e2fsprogs/e2fsck/e2fsck -f system.img
4. Modify the now writable partiton to your heart's content (we're still with system.img #2 here). I needed to add just one file, mitmproxy-ca-cert.cer . According to the mitmproxy docs, the name must be the hash of the certificate:
$ losetup -f system.img
$ losetup -a | grep system.img
/dev/loop6
$ mount /dev/loop6 /mnt
$ hashed_name=`openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.cer | head -1
$ echo $hashed_name
c8750f0d
$ cp mitmproxy-ca-cert.cer /mnt/system/ext/security/cacerts/$hashed_name.0
$ cd /mnt/system/ext/security/cacerts/
$ chmod 644 $hashed_name.0
Now check if your android has extra attributes in these certificate files. Mine does:
$ xattr 00abcde.0 # some random certificate
security.selinux
$ xattr -p security.selinux 00abcde.0
ubject_r:system_security_cacerts_file:s0
if yes, you'll need it on this file too:
$ xattr -w security.selinux ubject_r:system_security_cacerts_file:s0 $hashed_name.0
and be done with the partition
$ umount /mnt
$ losetup -d /dev/loop6
5. Create new super-partition, the one we used as /dev/loop5p2. You'll need the file sizes of your .img partitions, and your command to create a super.img file will look like this:
$ cat repack
#!/bin/sh
P=/android/super/1
~/src/lpunpack_and_lpmake/bin/lpmake --metadata-size 65536 --super-name super --metadata-slots 2 --device super:2496462848 --group main:2647101440 \
--partition system:readonly:786432000:main --image system=$P/system.img \
--partition system_ext:readonly:131952640:main --image system_ext=$P/system_ext.img \
--partition product:readonly:1468575744:main --image product=$P/product.img \
--partition vendor:readonly:102739968:main --image vendor=$P/vendor.img \
--output $P/super2.img
the interesting numbers are the corresponding partition sizes (in --partition), and, if f ex you increased the system.img #2 to 30M in the step 3, the number in --device:super should be the size of /dev/loop5p2 in bytes plus at least these 30M (but also okay if a bit more).
6. Finally, create a new system.img #1 . Create a backup copy of it, and then append some 30M there, and fix the partition
$ dd if=/dev/zero of=system-new.img flags=append bs=1M size=30
$ losetup -f system-new.img
$ losetup -a | grep system-new.img
/dev/loop7
$ parted /dev/loop7
GNU Parted 3.3
Using /dev/loop7
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
Model: Loopback device (loopback)
Disk /dev/loop7: 2444MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1049kB 2097kB 1049kB vbmeta
2 2097kB 2443MB 2441MB super
you will need to expand the partion 2 to the max (plus minus same 30M). If is fails fix the number and retry:
(parted) resizepart 2 24460MB
Error: The location 24460MB is outside of the device /dev/loop7.
and finally copy data back:
$ partprobe /dev/loop7
$ dd if=super.img of=/dev/loop7p2 bs=1M
$ losetup -d /dev/loop7
and that's it. After that, rename system-new.img to system.img, and hopefully the emulator could run this new image.
Also, to check that the certificate is there and recognized, go to the setting/certificates/trusted certificates, the mitmproxy one should be in the list.
Hopefully this will be helpful.
Cheers!
/dk

Categories

Resources