Since so many people are asking, I figured I would write up a quick tutorial on how to modify a boot image. A boot image is a kernel, and an initrd packaged together along with some other information.
This will only concentrate on tearing one apart, modifying it, and putting it back together -- making your own kernel and packaging it is outside the scope.
So, the big thing going around right now is the fact that the lovely carriers have this process (rctd) that runs and chews up CPU. rctd stands for Root Check Toolkit Daemon -- and it does what it sounds like. It checks if you have root, it checks if the system partition has been modified, it checks if the kernel has been modified, etc...etc... Most importantly, it chews up a LOT of CPU and disk IO to do this.
For this to work, you need to have a Linux install, or WLS on Windows 10.
Ubuntu comes packaged with abootimg:
Code:
apt install abootimg
abootimg is used to extract / create / update the Android Boot Image, but first we need out boot image.
adb reboot recovery
adb pull /dev/block/bootdevice/by-name/boot boot.img
Now we extract it.
abootimg -x boot.img
This will give you 3 files:
bootimg.cfg // feel free to take a look if you want, but do not change anything in this file or your kernel probably won't boot.
zImage // This is the Linux kernel. If you grab the sources, and compile a kernel, this is what you get. Again, leave it alone.
initrd.img // This is the initrd (Initial Ramdisk). It is loaded by the kernel to give you a working environment before anything else is loaded. This is what we need to modify
Before we modify initrd, we have to extract it. It is a compressed cpio file. There are several ways to extract it, but this is the method I use:
Code:
mkdir initrd_temp
cd initrd_temp
zcat ../initrd.img | cpio -idv
zcat cats the file while decompressing it. cpio -idv ... -i means extract (yea, wtf), -d means create the directory tree, and -v just means verbose
So now we are in a directory (initrd_temp) with all the files that are in the initrd. The one we care about is init.lge.rc -- we need to edit this file.
If you open it up in an editor, search for this section:
Code:
# LG RCT(Rooting Check Tool)
service rctd /sbin/rctd
class late_start
user root
group root
seclabel u:r:rctd:s0
service ccmd /system/bin/ccmd
class core
user system
group system
socket ccmd stream 0660 root system
seclabel u:r:ccmd:s0
Delete all of that, or comment it out using # signs
Now we need to package everything back up.
Code:
find . | cpio --create --format='newc' | gzip -9 > ../newinitrd.img
cd ..
abootimg --create newboot.img -f bootimg.cfg -k zImage -r newinitrd.img
When you are done, you will have newboot.img, and you need to flash it.
Since we are still in recovery:
Code:
adb push newboot.img /sdcard
adb shell
cd /sdcard
dd if=newboot.img of=/dev/block/bootdevice/by-name/boot
Reboot and enjoy your new -- faster -- rctd and ccmd free kernel.
If doing it this manual way isn't for you, @Zacharee1 has created a script to automate the procedure. I wrote this for people that like to know exactly what is going on. Feel free to poke around in the other files that are in your initrd. You may find other things that you want to tweak. However, be careful, you could make a kernel that won't boot. If that happens, just get into recovery and flash one that does
-- Brian
Did anyone ever figure out what ccmd is?
I am 99% sure it allows remote command execution. Pull it, and take a hex editor to it...
It is nothing good, that is for sure.
It listens on a socket: socket ccmd stream 0660 root system
and
Code:
Unable to start CommandListener (%s)
No permission to run ccmd ccmode commands
Usage: ccmode enable
Usage: ccmode getflag
Usage: ccmode setflag <flag>
-- Brian
Im no good installing anything on windows ciao!!
It would be nice if someone with brains. Not me. Lol can figure out a new kernel for 10p h918 with no rctd and only kcal. ?
Sorry to hijack this thread, but I've made a Telegram thread for this subject https://t.me/joinchat/EkE57g6dCLopBy8xVQRT9w
With LG G5 h850 im not able to boot the image anymore. I always only get the fastboot screen. Maybe there is a difference?
@DMOEdetc If you pull your kernel and send me a link, I will take a look. As far as I know, the Android boot image hasn't changed since the first version.
The init that Android uses may not like files with CR/LF if you are editing it in Windows and not specifying LF only. init may think it is a corrupt file and therefore refuse to load it...
-- Brian
Related
AS MENTIONED IN THE INTRODUCTION TEXT THIS HAS ONLY BEEN TESTED ON AMON RA ROM 1.6.2 BUT SHOULD REALLY WORK ON ANY ROM THAT HAS NO EXT2 AUTO-MOUNT. AND YEAH THIS WHOLE PROCESS HAS BEEN DONE ON A 32a BOARD. FOR THOSE THAT TRY THIS ON OTHER ROMS LET ME KNOW HOW IT GOES.
I've searched and shuffled through the entire forum and made inquiries to ROM authors without much light being shed on this issue. I doubt I am the only one who has been looking for a way of doing this so I decided to do a small HOW-TO. Here I will explain step by step as to how you can implement a script to be part of your ROM that will auto mount an ext2 partition on boot up if such partition is present. I have included all the tools I've used in order to pull this off, and as the title suggests this has only been done on Amon Ra's latest 1.6.2 ROM. In order to follow these instructions you are expected to allready have set up an adb enviroment on your linux box and for the signing process to work you must have sun-java present, the gnu java wont work. And of course a microSD card with an ext2 partition
1. Download install.sh to your home directory
Code:
wget http://www.grindhouse.no/androidtools/install.sh
chmod a+x install.sh
2. Now execute the install.sh script which will create a directory to work in and download a tool and script package and unpack it.
Code:
./install.sh
When the install.sh script is done you need to move the mkbootimg preferebly to your tools directory of your SDK.
Code:
mv toolstomove/mkbootimg <path/to/sdk/tools/mkbootimg>
3. Unpack the RA1.6.2 ROM into a directory in your home dir. In this HOW-TO we will use directory name "ra1.6.2" as an example through out the entire process.
4. Copy the boot.img from ra1.6.2 to the ROM-cooker dir
Code:
cp $HOME/ra1.6.2/boot.img $HOME/ROM-cooker/boot.img
cd $HOME/ROM-cooker
5. Use unpack.pl to extract the ramdisk from the boot image. I've modified the script a little so it automates the entire process and decompresses the ramdisk to a directory
Code:
./unpack boot.img
6. Now you can either replace the init.rc file here with the one I've included in this package or you can add these lines by yourself. In wich case do the following
Code:
cd boot.img-ramdisk
pico init.rc
Press CTRL+w and then CTRL+t and input 27. hit enter. This will take you to line 27 of init.rc so you can add a line right before the init process remounts the rootfs in read-only mode. Add following line:
Code:
mkdir /sdext2 0771 system system
Now scroll down to the end of the init.rc file and add the following:
Code:
service mountsdext2 /system/bin/mountsd
user root
group root
oneshot
7. You have now edited (or replaced) your init.rc file and prepared it to execute a script on boot that will detect an ext2 partition and boot it if there is one to be found. Now you have to make the mountsd script a part of the ROM. Do the following:
Code:
cd $HOME/ROM-cooker
mv toolstomove/mountsd $HOME/ra1.6.2/system/bin/mountsd
rm -rf toolstomove
8. Now that the init.rc file is sorted out and mountsd has been placed in /system/bin of the ROM so it is time to re-pack the boot.img:
Code:
cd $HOME/ROM-cooker
./repack boot.img-kernel boot.img-ramdisk boot.img
rm $HOME/ra1.6.2/boot.img
mv boot.img $HOME/ra1.6.2/boot.img
9. Your ROM now has a new boot image with an updated init.rc and the /system/bin dir has the script needed to auto-mount the microsd ext2. Now you must re-zip the ROM and sign it. Do the following:
Code:
cd $HOME/ra1.6.2
zip -r update.zip *
mv update.zip $HOME/ROM-cooker/update.zip
cd $HOME/ROM-cooker
./sign.pl update.zip
10. The ROM is now signed and you now have a file called update-signed.zip. Connect the phone to your computer and execute thus:
Code:
./push update-signed.zip
11. Now you are ready to flash the modified ROM which will auto-mount an ext2 partition on your microSD. There is no need to wipe before flashing. If you have no prior experience with ROM flashing or whatever just backup your current install. If you're using OpenHOME or anything similar, nothing will be changed or damaged but if you're using MontAlbert's themes with the ROM you will have to flash them again after flashing this modified ROM.
Code:
adb reboot recovery
12. Flash from choose zip and of course choose update-signed.zip. Reboot. After the system boots up again you can now check whats what with either one of the commands:
Code:
[email protected]:~$ adb shell mount | grep sdext2
/dev/block/mmcblk0p2 on /sdext2 type ext2 (rw,noatime,nodiratime,errors=continue)
[email protected]:~/boot$ adb shell busybox df -h | grep sdext2
/dev/block/mmcblk0p2 893.7M 13.0K 846.0M 0% /sdext2
13. Voila! Your RA 1.6.2 ROM now detects and mounts your microSD ext2 partition on boot. Woohoo?
I hope the HOW-TO was easy reading and that you have succeeded in hacking up your ROM. I know that certain ROMs have this as a built-in function but Amon Ra's does not. But since alot of people including myself use his ROM because of the high speed and stability I thought I should contribute to his project and add a cool (and missed?) function to it.
Mind you that you can use the ROM-cooker set to further adjust and hack up the ROM as you see fit. Happy learning!
Very nice!
Now the question many people will ask : why would you automount ext2 if you don't use apps2sd ?
I personally have ubuntu on my ext2 And besides this approach can be used for a number of things, people who have had the need, or wanted to experiment with init.rc doing things on boot, the mountsd script can easily be altered to do what ever needed.
For me its been a learning curve finding these things out, so by sharing it I may spare some people breaking their backs over this whole init.rc thing. people may want to modify init.rc for whatever reason, so I'm sure people wont have a problem finding a way of putting this to use, and its a subject that isnt all that covered on the forum .. and hey .. at least they get a rom kitchen out of the whole shabang
Very interesting! Thank you.
I used your unpack-program to unpack a recovery-image. It seems to work fine. What I am trying to do is change the state the recovery-image returns the phone to. Would it be possible to just replace your mountsd-script with, for example, a script that installs apps? Or is there a better way to do what Im trying to achieve?
Cheers,
edit: I noticed that on the emulator it is sufficient to just place an apk-file in "data/app" to get it installed. Could it be possible that this is all I need a script to do? :O or could I hurt my poor phone by doing so you think?
sandis84 said:
edit: I noticed that on the emulator it is sufficient to just place an apk-file in "data/app" to get it installed. Could it be possible that this is all I need a script to do? :O or could I hurt my poor phone by doing so you think?
Click to expand...
Click to collapse
That's indeed all you need to do.
Hi!
So I tried to create a signed update.zip, but it failed. It didnt create a "update-script"-file, so my device refused to install it. I wrote my own "update-script"-file, but then it complained "no digest" for the file. How do I solve this?
post the contents of your script people might see whats up
so is this all on linux?
also where are the script files for your tutorial
thanks for the time to put together
sitimber said:
so is this all on linux?
also where are the script files for your tutorial
thanks for the time to put together
Click to expand...
Click to collapse
Says where its at in the first line : )
Code:
wget http://www.grindhouse.no/androidtools/install.sh
But now that I checked, I have to apologize, I see I have a missed payment with my hosting, I'll fix that within the day. Also sorry I havent been answering the few questions here I've been afk cause of surgery.
sitimber said:
post the contents of your script people might see whats up
Click to expand...
Click to collapse
well, I looked in another "update-script" file and found this:
assert compatible_with("0.2") == "true"
assert getprop("ro.product.device") == "dream" || getprop("ro.build.product") == "dream"
show_progress 0.5 0
write_radio_image PACKAGE:radio.img
show_progress 0.5 10
Click to expand...
Click to collapse
So I figured that nothing was essential other then the line "write_radio_image PACKAGE:radio.img". Also ofcourse I made sure it contained the name of my image-file instead of "radio.img". This gave me the "no digest" message, so now I feel unsure on how to create a working update.zip.
edit:
SOLVED! How silly of me. When you sign the update, a hash of each file is put in manifest.mf. Since I added the update-script after signing the file, ofcourse the digest(hash) was missing. Now everything works alot better and I can proceed... until I get stuck again
Cheers,
edit2:
Just to get a better understanding, what exactly does each line do here? Or where can I read about this?
Code:
service mountsdext2 /system/bin/mountsd
user root
group root
oneshot
edit3:
Ok, so I have experimentet, but I still dont manage to solve those last steps. I tried to edit init.rc and just add "mkdir /testdir 0000 system system" where the other directories were created. I then repacked it, zipped it, signed it, put it on my sdcard, started up a custom recovery, installed the update and rebooted. Everything seems to work fine. But when I start adb and check around, I dont see the "testdir"-directory. Also when I check in init.rc my line is gone. Do you guys have an idea of where I went wrong?
sitimber said:
so is this all on linux?
also where are the script files for your tutorial
thanks for the time to put together
Click to expand...
Click to collapse
it doesnot necesarily have to be linux ...you can also do it in windows using cygwin and dsxda's android rom kitchen
You should do a nandroid backup and reboot your phone before trying to flash anything to your phone. This how to involves flashing directly to mtd2, if you don't know what you are doing then please use one of the custom roms available in the Sticky Wiki.
#### Update One Fixed scripts
#### Update Two Added instructions to compile and install the wlan.ko module
#### Update Three Fixed get-CDMAHero-source.sh typo
#### Update Four Added Instructions for Jaunty repo's for Ubunut 9.10
First off i would like to give credit to all the people who have made information and scripts available. I used bits and peices of info and tools written by and or made available by these people.
Armin Coralic http://blog.coralic.nl for creating some nice scripts and making them available
chuckhriczko for helping me out in the middle of the night.
LoxDev for creating a wonderfull how to about creating img's and zip's
tkirkton for helping out with enabling legacy jaunty repos to install java 1.5
Second I am writing this How To, so a complete newbie would be able to understand.
REQUIREMENTS....
Ubuntu Desktop 9.04 or better 32bit (cause thats what i used)
Android SDK (Needed to push and pull files as well as shell access to the phone. You will need to set this up by following the instructions found at http://www.android.com)
Legacy repo's enabled in apt to allow java 1.5 to install
Root access. I ran all commands below as root
I created a dir called "heroc" in my /root directory.
Download zip file below and unzip it in the heroc dir that you should have created.
STEPS
.5 Enable Legacy Repo's to allow java 1.5 to install (below is a cut from tkirktons post on page 7)
Code:
in Ubuntu 9.10, the Java 1.5 package doesn't even list. Here's what I had to do to get it to load:
1. Access a repository from the previous build (9.04 Jaunty will work: commands to put into /etc/apt/sources.list -
deb [URL]http://mirrors.us.kernel.org/ubuntu[/URL] jaunty main restricted universe multiverse
deb [URL]http://mirrors.us.kernel.org/ubuntu[/URL] jaunty-backports main restricted universe multiverse
deb [URL]http://mirrors.us.kernel.org/ubuntu[/URL] jaunty-security main restricted universe multiverse
deb [URL]http://mirrors.us.kernel.org/ubuntu[/URL] jaunty-updates main restricted universe multiverse
2. Set the max age higher than the default. This can be accomplished by editing the /etc/apt/apt.conf.d/20archive. Here's what my lines in that file look like:
APT::Archives:MaxAge "2880";
APT::Archives:MinAge "2";
APT::Archives:MaxSize "1000";
Making these two changes should work...although I have the Intrepid, Hardy and Dapper repositories in mine as well (didn't know which one would work, so I overkilled it).
Run the script again after making the changes and let me know if it works.
.
to update just run
Code:
# apt-get update
1. Create your work environment by running createandroidRepo.sh. This will take some time depending on your internet connection. Make sure you are in the heroc dir.
Code:
# unzip Scripts.zip
# chmod a+x *
# ./createAndroidRepo.sh
This will create a dir call my android and setup all the files and programs needed to compile the kernel. This will take some time to complete.
2. You need to download the source using the get-CDMAHero-source.sh
Code:
# ./get-CDMAHero-source.sh
This will download the source, and extract it to its own directory.
3. you will need to have your .config file handy for the next steps. If you don't have it then you will need to get it by doing the following
Code:
# adb pull /proc/config.gz /root/heroc/config.gz
# gunzip config.gz
The first command will pull the gzipped config from your phone and place it into the heroc dir. the second command will extract the file as "config"
4. This is where it gets fun. We now have everything downloaded and are going to start the process of compiling our kernel.
Code:
# cd heroc_ef05d31a
# export ARCH=arm
# export CROSS_COMPILE=arm-eabi-
# export PATH=$PATH:~/heroc/myandroid/prebuilt/linux-x86/toolchain/arm-eabi-4.4.0/bin
# make menuconfig
After you run "make menuconfig" it will bring up a the config menu for our kernel. Go to the bottom and select "Load an alternate configuration file". It will then prompt you to select the config file you want to use. You will need to point it to where you have the config file. So type in "/root/heroc/config"
After you have loaded the config file you can edit what ever you want. however if you don't know what do disable or enable then i wouldn't mess around to much.
Next you will need to save your config file. Choose "Save an alternate configuration file", and save it as "/root/heroc/heroc_ef05d31a/.config"
You can now exit menuconfig
5. Time To Compile the kernel and wlan.ko module
Code:
# make
# export KERNEL_DIR=/root/heroc/heroc_ef05d31a/
# cd myandroid/system/wlan/ti/sta_dk_4_0_4_32/
# make
The kernel will take some time. go grab a drink and have a snack. If all goes well you should end up with a zImage file in "~/heroc//arch/arm/boot/". After the kernel is compiled you need to compile the wlan.ko module by executing the last three commands
6. Next we need to copy the zImage back to the heroc dir
Code:
# cp /root/heroc/heroc_ef05d31a/arch/arm/boot/zImage /root/heroc/zImage
7. Ok so now we need to get the boot image from our phone. We need this cause it has more than just the kernel. I contains the ramdisk image as well. and we need to take the boot image and decompress it and remove the old kernel and add our new compiled kernel, then recompress it to newboot.img
Code:
# adb shell
# cat /dev/mtd/mtd2 > /sdcard/mtd2.img
# exit
# adb pull /sdcard/mtd2.img /root/heroc/mtd2.img
# mv mtd2.img boot.img
The first two commands will open a terminal shell to your phone and copy the boot image to your sdcard. the last two commands will pull the the boot image from your phone, place it in your heroc dir and rename the file to boot.img
8. Now we will split apart the boot.img using some scripts.
Code:
# ./extract-kernel.pl boot.img
# ./extract-ramdisk.pl boot.img
# rm boot.img-kernel
# cp zImage boot.img-kernel
# ./mkbootfs boot.img-ramdisk | gzip > ramdisk-boot
# ./mkbootimg --kernel boot.img-kernel --ramdisk ramdisk-boot --cmdline "no_console_suspend=1 console=null" -o newBoot.img --base 0x19200000
The first command extracts the stock kernel from boot.img. The second command extracts the ramdisk from boot.img. The third command will delete the stock kernel. the fourth command renames our zImage to boot.img-kernel. The fifth command takes boot.img-ramdisk folder and zips it up into ramdisk-boot. The sixth comand takes our kernel (renamed to "boot.img-kernel") and ramdisk-boot and combines it back to form a new file called newboot.img.
9. Now we need to flash our "newboot.img" file to our phone. You should reboot your phone before flashing this will insure that you don't get any out of memory errors and will keep your phone from booting into fastboot (Thx Obelisk79).
Code:
# adb push newBoot.img /sdcard/newBoot.img
# adb shell
# cat /dev/zero > /dev/mtd/mtd2 (you may get an error here. don't worry about it)
# flash_image boot /sdcard/newBoot.img
# reboot
The first command will push your boot image to the phone. the second command will bring up shell access to your phone. the third command will zero out mtd2 and get it ready to write your image. the fourth command will flash boot(mtd2) with newboot.img. the last command will reboot your phone
10. After the phone reboots we need to get the wlan.ko file to the phone so that wireless will work
Code:
# adb push /root/myandroid/system/wlan/ti/sta_dk_4_0_4_32/wlan.ko /sdcard/wlan.ko
# adb shell
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
# cp /sdcard/wlan.ko /system/lib/modules/wlan.ko
# exit
Now you have a kernel that you compiles with everything work with the exception of power mgmt.
Just as soon as i figure out how to make an update.zip i will post instructions on how to do this
Added it to the CDMA Hero Guides wiki article.
gu1dry said:
Added it to the CDMA Hero Guides wiki article.
Click to expand...
Click to collapse
dang you beat me to it.
Not sure why, but had to run dos2unix on the the first script, not sure if it is all of them, but it was giving me the error
/bin/bash^M: bad interpreter: No such file or directory
Click to expand...
Click to collapse
dos2unix took care of the issue. Also Thanks for the guide, greatly appreciated!!!
make sure you run the script with the "./" , also you may need to chmod +x the files.
Is there a way to get this to run on the Emulator? I tried to specify the zImage after I compiled it but it won't boot when specifying it. Or will that not work for the HTC zImage?
Excellent guide. Can't wait to try it.
blehzz said:
Is there a way to get this to run on the Emulator? I tried to specify the zImage after I compiled it but it won't boot when specifying it. Or will that not work for the HTC zImage?
Click to expand...
Click to collapse
Check out this link
Check out this link
Click to expand...
Click to collapse
Thanks will have a look. Seems to be the Android kernel and not the HTC kernel though, but will read further into it
blehzz said:
Thanks will have a look. Seems to be the Android kernel and not the HTC kernel though, but will read further into it
Click to expand...
Click to collapse
not sure but i think this will work for you
Code:
# emulator -kernel /path/to/your/zImage
First script didn't work for me on ubuntu. Copying and pasting line by line works.
i'll repack the scripts again
not sure but i think this will work for you
Click to expand...
Click to collapse
that's what i tried... emulator never runs when i specify that zImage it built successfully.
Has anybody tried this yet with Ubuntu running under VMware on a PC running Windows? I know that (in theory) VMware's USB compatibility is spectacularly good (it somehow manages to give the guest OS direct ownership and control of the host PC's USB root hub), but up to now I've only tried it to run XP/32 under Vista/64 and Windows 7/64.
FYI, you can download VMware player for free (as in beer) and use it to run Ubuntu 9.04 with their complete blessing. Just make sure you download a guest OS that configures the hardware (memory, cpu, etc) the way you want it to be, because changing the hardware config is one of the few things you genuinely can't do with the free player. If someone here has the full version (and can find somewhere to host it so the bandwidth charges didn't eat him alive), he could even create an Ubuntu distro that's already set up and configured to build Android kernels for others here to download and use.
To use the first script: open up Synaptics, then download "tofromdos". Now, run "fromdos createAndroidRepo.sh", and it should work then
ROM?
Can someone post how to compile a kernel, and make a ROM, and put it all together in a update.zip? Would be really REALLY nice!
Jason(bikcmp)
Thanks for this guide I'm compiling a kernel right now Just a question, how do I change the kernel version name... like you did in that one screenshot?
bikcmp said:
Can someone post how to compile a kernel, and make a ROM, and put it all together in a update.zip? Would be really REALLY nice!
Jason(bikcmp)
Click to expand...
Click to collapse
Its coming
bikcmp said:
Can someone post how to compile a kernel, and make a ROM, and put it all together in a update.zip? Would be really REALLY nice!
Jason(bikcmp)
Click to expand...
Click to collapse
its in general options in menuconfig.
NOTE: I started few days ago working with the boot image.
I'm not an Android expert. If you find an error in this post, let me know.
Use this information at your own risk. If you brick your tablet, don't blame on me.
Nothing of the tools used here are written by me. I'm not taking credit for another's work.
I have rooted my tf101 with the instructions from the mashi's thread. (http://forum.xda-developers.com/showthread.php?t=1125714)
I was curious about the root process of our beloved tablet.
For add root at the stock firmware you need the su packages and a proper boot image.
I've worked for years on linux machines, so I know that you need the "su" command to become root.
But what about the boot image? What does it need for?
I've googled and found some information that I'd like to share with you:
For using adb as superuser, and push the su package, you need to flash a so called "insecure boot" on your tablet/phone.
The process is easy:
NOTE: Even if I'm on a Windows machine, I prefer to do this work in linux. The entire process has been done in an Ubuntu 11.04 virtual machine.
What you need:
- a PC running linux
- BootTools and BlobTools from Rayman84 (http://androidroot.mobi/)
- mkbootimg (mkbootfs is optional) from the android repository
I assume that you have all the above tools in your $PATH variable.
First of all you need a stock boot image; you can extract one from your tablet (with nvflash) or from the latest stock firmware (US-VERSION - WW-VERSION)
We're going for the official packages from the ASUS website. Download it on your home directory (or wherever you want).
Let's start:
Code:
mkdir stock_firmware
cd stock_firmware
unzip ../UpdateLauncher_WW_epaduser_84411.zip
unzip ASUS/Update/WW_epad-user-8.4.4.11.zip
blobunpack blob
bootunpack blob.LNX
Now we have a lot of "strange" files:
Code:
ASUS
blob
blob.APP
blob.EBT
blob.HEADER
blob.LNX
blob.LNX-config
blob.LNX-kernel.gz
blob.LNX-ramdisk.cpio.gz
blob.PT
blob.SOS
META-INF
For our work, we just need blob.LNX-ramdisk.cpio.gz
Code:
mkdir boot_img
cd boot_img
gunzip -dc ../blob.LNX-ramdisk.cpio.gz | cpio -i
vi default.prop (or "gedit default.prop" if you want a GUI)
Here you have to change the line "ro.secure=1" in "ro.secure=0"
The final file should appears as this:
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=0
ro.allow.mock.location=0
ro.debuggable=0
persist.service.adb.enable=0
Almost done. Let's repack:
Code:
find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz
or alternatively:
Code:
mkbootfs ./ | gzip > ../newramdisk.cpio.gz
Finally make the boot.img:
Code:
cd ..
mkbootimg --kernel blob.LNX-kernel.gz --ramdisk newramdisk.cpio.gz -o boot.img
Now you have your boot.img, ready to be flashed with nvflash.
For information on what to do with this file, please refer to the mashi or brk threads.
Again, I've taken this information from google.
All the credits and many thanks to:
Rayman for the BlobTools and the BootTools - http://androidroot.mobi/
Mashi for his thread on rooting the stock kernel - http://forum.xda-developers.com/showthread.php?t=1125714
Brk for his batch script - http://forum.xda-developers.com/showthread.php?t=1185104
If you found this guide useful, hit the "Thanks" button.
For your convenience, you can find the tools used attached in this post (compiled on Ubuntu 11.04).
UPDATE: I have written a script (thanks gnufabio for the idea) that automatically modify a stock boot.img into an insecure one.
ex:
Code:
./insecure.sh boot.img
when the script finishes you will find a file called my_boot.img ready to be flashed with nvflash.
Bootunpack and mkbootimg should be in your $PATH.
This script doesn't do much error checking, so keep your eyes open.
HF
hey thanks very nice guide
Excellent. I've been looking around trying to work out how to package up a kernel build, this helps a great deal.
I'm assuming that I just replace the blob.LNX-kernel.gz with my built zImage?
SammyC said:
Excellent. I've been looking around trying to work out how to package up a kernel build, this helps a great deal.
I'm assuming that I just replace the blob.LNX-kernel.gz with my built zImage?
Click to expand...
Click to collapse
I haven't try but i guess yes.
If you really want to recompile/repackage the kernel, you can refer to this http://www.droidforums.net/forum/rescue-squad-guides/31452-how-compile-your-own-kernel.html ; it's about the Motorola Droid, but some concepts are universal for all the android devices.
HF
Good work, btw give a look to this script i made: mcpio
Unpacking and repacking the ramdisk will be easier:
Code:
mcpio -c ramdisk-folder/
mcpio -e ramdis-archive.cpio.gz
Thanks - Very useful to have this in this section. I tried the example, and it all worked fine on an old Ubuntu dist.
gnufabio said:
Good work, btw give a look to this script i made: mcpio
Unpacking and repacking the ramdisk will be easier:
Code:
mcpio -c ramdisk-folder/
mcpio -e ramdis-archive.cpio.gz
Click to expand...
Click to collapse
Well, that's a lot easier...
I didn't know your script, thanks for sharing.
Updated the first post with a bash script to automate the entire process.
Yesterday I've succesfully recompiled the stock kernel and I'm thinking on write another guide like this one on the subject.
The process is a little complicate, i'm looking for an easy way to explain but it's hard.
Anyway I'm working on it in my spare time.
That would be great if you could.
ASUS haven't (yet) released the source for the kernel in their latest 3.2 build. If you've updated to 3.2, you can still root and repackage using this method. Just use nvflash to save off the kernel from your running device as per the backup/restore thread, then use bootunpack on that and follow the rest of the instructions
raypou said:
ASUS haven't (yet) released the source for the kernel in their latest 3.2 build. If you've updated to 3.2, you can still root and repackage using this method. Just use nvflash to save off the kernel from your running device as per the backup/restore thread, then use bootunpack on that and follow the rest of the instructions
Click to expand...
Click to collapse
it's exactly the method used here: http://forum.xda-developers.com/showthread.php?t=1198303
If anyone interested, here're win32 binaries of BlobTools and BootTools
Just compiled from git repo.
I unpacked a rom with a kernelblob in the root directory, and edited init.rc. Which command should I use to repackage it? If I follow the guide (instead of boot.img I used kernelblob, no extension) I get the EEE Pad logo then scrambled, colored lines all over.
If I, however, install the base rom, then the one where I changed something in the kernelblob, it boots up.
theMIROn said:
If anyone interested, here're win32 binaries of BlobTools and BootTools
Just compiled from git repo.
Click to expand...
Click to collapse
Hi, makebootimg.exe doesn't work. It gives error saying: error: could not load kernel 'blob.LNX-kernel.gz'
Tried same files in linux and worked fine.
Can you try to fix this?
EDIT: tried to compile myself but got the same issue. I think is related with the need to change source code to make this run on windows.
Working boottools for windows available here: http://forum.xda-developers.com/showpost.php?p=17237701&postcount=443
brk said:
Hi, makebootimg.exe doesn't work. It gives error saying: error: could not load kernel 'blob.LNX-kernel.gz'
Tried same files in linux and worked fine.
Can you try to fix this?
Click to expand...
Click to collapse
yep, it's code issue
attached BootTools-Win32.zip with fixed mkbootimg.exe
is there this guide for tf201?
BR
Maframan
maframan said:
is there this guide for tf201?
BR
Maframan
Click to expand...
Click to collapse
You should probably check the TF201 forum.
Could this method be used to pack a new Splash Screen? (I want to change that annoying ASUS logo to something better) Would I go about the Flash_Image method to flash the image after compiled? (I do Not have NvFlash, but I am rooted with Cwm)
Which blobs would I modify as well, just the EBT?
rebound821 said:
NOTE: I started few days ago working with the boot image.
I'm not an Android expert. If you find an error in this post, let me know.
Use this information at your own risk. If you brick your tablet, don't blame on me.
Nothing of the tools used here are written by me. I'm not taking credit for another's work.
I have rooted my tf101 with the instructions from the mashi's thread. (http://forum.xda-developers.com/showthread.php?t=1125714)
I was curious about the root process of our beloved tablet.
For add root at the stock firmware you need the su packages and a proper boot image.
I've worked for years on linux machines, so I know that you need the "su" command to become root.
But what about the boot image? What does it need for?
I've googled and found some information that I'd like to share with you:
For using adb as superuser, and push the su package, you need to flash a so called "insecure boot" on your tablet/phone.
The process is easy:
NOTE: Even if I'm on a Windows machine, I prefer to do this work in linux. The entire process has been done in an Ubuntu 11.04 virtual machine.
What you need:
- a PC running linux
- BootTools and BlobTools from Rayman84 (http://androidroot.mobi/)
- mkbootimg (mkbootfs is optional) from the android repository
I assume that you have all the above tools in your $PATH variable.
First of all you need a stock boot image; you can extract one from your tablet (with nvflash) or from the latest stock firmware (US-VERSION - WW-VERSION)
We're going for the official packages from the ASUS website. Download it on your home directory (or wherever you want).
Let's start:
Code:
mkdir stock_firmware
cd stock_firmware
unzip ../UpdateLauncher_WW_epaduser_84411.zip
unzip ASUS/Update/WW_epad-user-8.4.4.11.zip
blobunpack blob
bootunpack blob.LNX
Now we have a lot of "strange" files:
Code:
ASUS
blob
blob.APP
blob.EBT
blob.HEADER
blob.LNX
blob.LNX-config
blob.LNX-kernel.gz
blob.LNX-ramdisk.cpio.gz
blob.PT
blob.SOS
META-INF
For our work, we just need blob.LNX-ramdisk.cpio.gz
Code:
mkdir boot_img
cd boot_img
gunzip -dc ../blob.LNX-ramdisk.cpio.gz | cpio -i
vi default.prop (or "gedit default.prop" if you want a GUI)
Here you have to change the line "ro.secure=1" in "ro.secure=0"
The final file should appears as this:
Code:
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=0
ro.allow.mock.location=0
ro.debuggable=0
persist.service.adb.enable=0
Almost done. Let's repack:
Code:
find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz
or alternatively:
Code:
mkbootfs ./ | gzip > ../newramdisk.cpio.gz
Finally make the boot.img:
Code:
cd ..
mkbootimg --kernel blob.LNX-kernel.gz --ramdisk newramdisk.cpio.gz -o boot.img
Now you have your boot.img, ready to be flashed with nvflash.
For information on what to do with this file, please refer to the mashi or brk threads.
Again, I've taken this information from google.
All the credits and many thanks to:
Rayman for the BlobTools and the BootTools - http://androidroot.mobi/
Mashi for his thread on rooting the stock kernel - http://forum.xda-developers.com/showthread.php?t=1125714
Brk for his batch script - http://forum.xda-developers.com/showthread.php?t=1185104
If you found this guide useful, hit the "Thanks" button.
For your convenience, you can find the tools used attached in this post (compiled on Ubuntu 11.04).
UPDATE: I have written a script (thanks gnufabio for the idea) that automatically modify a stock boot.img into an insecure one.
ex:
Code:
./insecure.sh boot.img
when the script finishes you will find a file called my_boot.img ready to be flashed with nvflash.
Bootunpack and mkbootimg should be in your $PATH.
This script doesn't do much error checking, so keep your eyes open.
HF
Click to expand...
Click to collapse
Hi Sir,
First of all thankyou for you guide because I did follow you guide and created the insecure boot.image succesfully. I still have one problem, after flashing the boot.image, I still could not root the android device. Why is that? Do I need to change something else in the boot.img?
Dear All,
I have been building some custom Android ROMS for the past few years, and my latest toy is a Flytouch 3 I wanted to share some of my findings and methods here, perhaps other newbies like me will find it useful.
1. FT3 ROM contents:
FT3 ROMs will be in RAR or ZIP format and have 2 or 3 files in them as explained below. Just unzip or unrar the package to use them:
firmware2 - flash tool which burns the firmware ( I guess...lol)
bootloader-discovery - 7zip file which contains the bootloader
IMPORTANT! Do not flash a wrong bootloader to your device or it will be bricked! Actually this is the only way you can brick the thing, it's pretty sturdy in that sense. If you are not sure, do not copy bootloader-recovery to your sdcard when flashing, it will boot with your existing bootloader anyway.
firmware-discovery - 7zip file which contains the firmware and it's the main file you want to edit.
2. firmware-discovery contents:
This is the easy part! Modifying this file will let you modify system and data partitions. You can also use different ramdisks and kernels compatible with your device. It's a 7zip file and you can unpack and repack easily with the 7-zip file manager (http://www.7-zip.org/).
I use 7-zip on Windows although I use Ubuntu Linux as my main OS. There is something wrong with my 7-zip installation most probably, but I was too lazy to check it If you are on Windows anyway, you are good, just download and use 7-zip from the URL above. I advise that you do all your firmware-discovery editing within 7-zip file manager. That way, you won't have to worry about re-packing with the correct 7-zip settings. At least, that's how I do it and had no problems.
firmware-discovery will have these files in the 7zip package:
uImage - kernel
Very important Your kernel will make the difference between having and not having certain functionality, even if your hardware supports it.
uImage_recovery - recovery file - I beleive this is what runs when you push menu+power.
ramdisk.img - ramdisk
This is one of the interesting files you might want to play with. Ramdisk is a simple file system with some crucial files, mainly init.rc that lets you control the boot process. You can also stick a initlogo.rle image here to display a splash image in initial boot. More details below at title 4.
data.tar - /data partition - tar archive
All user data is stored here, including apps and user definable settings. This is what gets wiped when you do a recovery by pushing menu+power.
system.tar - /system partition - tar archive
System data, drivers and apps, including Android OS itself (except kernel). Certainly the most interesting part for the average modder
3. Editing system.tar and data.tar:
This might be the bulk of your modding, and most probably what will be most visible to the end user.
I very strongly suggest that you use a Linux system to edit these files. If you use Windows, file permissions will not be saved! If Windows is your main OS, simply install a VM host such as VirtualBox and install your fav Linux distro inside it. Most of them will have an Archive Manager with a GUI and will certainly support TAR. Even without a GUI, you can use "tar" and "untar" commands from a terminal to unpack and repack these files. When you are on Linux, TAR files will preserve file ownership and file permissions. This can be very crucial in your modding.
For modders who are new to Linux, I can recommend Ubuntu. It's very user friendly and easy to use in my opinion.
When you are done editing system.tar and data.tar copy them to your Windows box and drop and them to firmware-recovery file within 7-zip file manager.
4. Unpack, Edit and Repack ramdisk.img:
Now we are on to more serious stuff ramdisk.img consists of a 64 byte U-Boot header, followed by a gzip compressed ramdisk cpio image. So we need to strip the first 64 bytes, and use gunzip to extract it to a folder. After making the changes in the folder, we need apply cpio+gzip compression to the folder and add the 64 byte u-boot header again. You will need to use Linux and install the mkimage tool for these operations.
Here's the command to install mkimage tool in Ubuntu:
Code:
sudo apt-get install uboot-mkimage
It sounds complicated, but no worries, I have some shell scripts that can do all that for you! Thanks to leeh33 from Techknow for the scripts below:
unpack_ramdisk.sh
Code:
mkdir ramdisk
cd ramdisk
dd if=../ramdisk.img bs=64 skip=1 of=ramdisk.gz
gzip -dc ramdisk.gz | cpio -idmv
rm ramdisk.gz
repack_ramdisk.sh
Code:
cd ramdisk
find . | cpio -o -H newc -C 512 | gzip -n > ../ramdisk.cpio.gz
cd ..
mkimage -A ARM -O Linux -T ramdisk -C none -a 0x41000000 -e 0x41000000 -n hRamdisk -d ramdisk.cpio.gz ramdisk.img
rm ramdisk.cpio.gz
Create the scripts above using a text editor or download the attachment to this post and put the scripts together with your ramdisk.img file in a new folder. Executing unpack_ramdisk.sh will create a folder named ramdisk and extract the ramdisk contents here. You can edit e.g. init.rc in this folder, or add a static bootlogo. To add a custom bootlogo create a initlogo.rle image file by following this guide: http://www.androidtablets.net/forum/android-tablet-hacking/438-how-setup-static-bootlogo-before-animated-boot-animation.html Then place the resulting initlogo.rle file directly in the ramdisk directory.
After you are done editing the ramdisk folder, simply run repack_ramdisk.sh and your new ramdisk.img will be created, replacing the old one. Copy the ramdisk.img file to your Windows box again and drop it to firmware-recovery file within 7-zip file manager.
That's it, you have a custom ROM now! Please feel free to ask questions or correct me if you think I have any errors in the info above.
Happy Modding!!!
Tolga
Big problem about my device...
Thank you for this useful post!
I have seen a good knowledge about these devices(flytouch 3) and decided to post my question here:
I have a big problem! I used IUW Burning tool to flash my device. my device is:
SuperPad III (As box says)
Model: ANDR P1001
I decided to try tim's custom rom. It doesn't work. After restarting the device, screen become black (There was no connection
with screen, it was not turned on). The device had vibration when I pressed power button. It continued vibrating periodically(like it was restarting).
After that I flashed my device using IUW with most likely firmware, but during the process I FORGOT TO CHOOSE userdata.img FILE!
Now the device can't even communicate with pc.
OTG method is not working. The device no more vibrates at start up! At motherboard led is lighting when pressing power button.So IS MY DEVICE DEAD? Or is there any solution in this situation(Alternative communication, or whatever...)
Posting multiboot kernel with grub-style curses boot selection menu.
This is targeted towards linux users who have a multitude of distros on their tf300.
The kernel itself is Tailormoon's 2.2.9 version of Graiden kernel which included Rabits multiboot.
The difference is that I've modified the initrd to scan all drives at boot to look for linux root filesystems or .img files.
Just put all your .img files in the root of your sdcard (dock or internal), or in /data/media/linux, and boot up.
All detected filesystems will then be displayed in an an ncurses menu allowing you to select any one of them.
To install:
- Unpack the blob and install using fastboot:
> fastboot flash boot kernel.blob
- or install using your recovery
Notes:
- Press volume down button when rabits logo pops up to boot into android.
- As with Graiden/Tailormoon, unpack module.tar to your distro's module folder in order to modprobe etc.
- Also a reminder for linux rootfs, you need to mount or copy /data and /system from your android filesystem to get the wifi firmwares you need to fire up your wifi (this is true for any linux on tf300 AFAIK)
- The boot system does not use kexec so kexecboot users may already be satisfied with their current setup. I'm no fan of kexec and hence have not seen the need to include it.
TODO:
- No timer, boot menu sits there indefinitely until a choice is made
- Add android to boot menu so no need for volume down
- Add option for modifying kernel boot parameters, booting to single user etc
Thanks
Dave Driesen
Attaching source code for the boot menu as requested.
The menu is very simple. It just reads a config file provided by the initrd scripts, and outputs its own config file. Both are to be provided by command line parameter.
Makefile is included but you'll obviosuly need curses dev package to build.
Usage:
apt-get install ncurses-dev (or whatever the alternative is for your distro)
tar -xcf bootmenu-src.tar.gz && cd bootmenu-src && make
done!
The rest of the source (such as partition scanning code and OS boot code) consists of modification to Rabits' multiboot which are freely available inside the initrd. I will not post them here as I did not originally create them. If you're interested, I suggest unpacking the initrd and getting stuck in there.
Fyi, here's some scripts for unpacking/packing a kernel.blob.. I don't support these and you'll need to install the relevant tools (blobpack/abootimg/cpio) if you're keen. But this is what I use; may it help others in building blobs, or understanding the steps involved.:
unpack.sh:
Code:
#!/bin/bash
DIR=$(pwd)
# Stage 1 - unpack the blob
mkdir 1.kernel
cp $1 1.kernel/kernel.blob
cd 1.kernel
blobunpack kernel.blob
# Stage 2 - Extract boot image (compressed initrd)
mkdir ../2.LNX
cd ../2.LNX
abootimg -x ../1.kernel/kernel.blob.LNX
# Stage 3 - Decompress initrd
mkdir ../3.initrd.gz
cd ../3.initrd.gz
zcat ../2.LNX/initrd.img >initrd.cpio
# Stage 4 - Unpack initrd
mkdir ../4.initrd
cd ../4.initrd
cpio -id < ../3.initrd.gz/initrd.cpio
# This will leave fully uncompressed kernel in directory "4.initrd"
pack.sh:
Code:
#!/bin/bash
DIR=$(pwd)
# Stage 5 - Pack initrd
mkdir 5.initrd.cpio
cd 4.initrd
find . | cpio --create --format='newc' > ../5.initrd.cpio/initrd.cpio
# Stage 6 - gzip compress initrd
mkdir ../6.initrd.img
cd ../6.initrd.img
gzip ../5.initrd.cpio/initrd.cpio -c9 --stdout --best >initrd.img
# Stage 7 - Create Android boot image
mkdir ../7.LNX
cd ../7.LNX
mkdir content
cp ../2.LNX/* content
cp ../6.initrd.img/initrd.img content
abootimg --create kernel.LNX -f content/bootimg.cfg -k content/zImage -r content/initrd.img && rm -rf content
# Stage 8 - Sign the Android boot image.
# You'll need to do this or your device may reject the blob.
# I could never find a tool for this so just prepend the signature using echo.
mkdir ../8.kernel
cd ../8.kernel
blobpack kernel_unsigned.blob LNX ../7.LNX/kernel.LNX
echo -n -e "-SIGNED-BY-SIGNBLOB-\0\0\0\0\0\0\0\0" >kernel.blob
cat kernel_unsigned.blob >> kernel.blob
rm kernel_unsigned.blob
# Your finished kernel.blob is now in directory "8.kernel"
Awesome stuff!
Wow - this is very very nice! What a job thank you for sharing. I do have issues though - but they are related to my setup - i cant mount /root on /dev/loop (or something along those lines) so the boot process defaults to Android (which actually boots out the box from this (which is nice - had a ****load of issues with other kernels and the original rabits kernel thing) any ideas for the /dev/loop thing?
Again thanks man - so nice!
Nice work, but can you post the source code please? Thanks.
thanks for posting, wouldn't mind trying linux on here after all these years. is this kernel fine with android 5.1.1?
dkzeb said:
i cant mount /root on /dev/loop (or something along those lines) so the boot process defaults to Android
Click to expand...
Click to collapse
Is this an extfs? Usually when you get the mount failure, be it in original Rabits or this multiboot, I find that if I drop to a shell and try to mount by hand, the mount command throws an error either way. Most often this then turns out to be due FS settings ("Check filesystem after X mounts, or X days etc). Checking the FS or using tune2fs to disable periodic checking makes this go away.
You can drop to a busybox shell by pressing "s" when the rabits logo shows up.
Insane PPC said:
thanks for posting, wouldn't mind trying linux on here after all these years. is this kernel fine with android 5.1.1?
Click to expand...
Click to collapse
I'm not sure but doubt it.. Tbh I never got any Android version over Cromi-X 5.4 to run reliably on the TF300 :/ Interested to hear your opinion but for me they all turned out to be slow, unstable (crashes, reboots), drained the battery or just plain impossible to implement. Hence went back to Cromi-X 5.4 and probably staying there forever.
Linux on the TF300 is ok but has many challenges, some of which simply cannot be overcome. Biggest problem is that NVidia dropped support for Tegra3 about 5 minutes after launch. They are not releasing new drivers for contemporary ABIs, something you WILL need if you want to run any kind of recent Xorg using the device's Tegra3 hardware features. That includes touch pad and graphics accelleration.
So you're basically stuck with distro's from 2012 and must be very careful what packages you upgrade or your TF300 will lose OS support for some of its HW features.