Today I will be speaking a bit about the Android boot.img.
I've been wondering what it is that makes an Android phone rooted.
In fact, my theory was the following: we only need su to get root.
To check that, I coded a boot.img unpacker. The link to download it is below.
The boot.img format is defined in this kernel file: android/system/core/mkbootimg/bootimg.h.

```c
/*
** +-----------------+
** | boot header     | 1 page
** +-----------------+
** | kernel          | n pages
** +-----------------+
** | ramdisk         | m pages
** +-----------------+
** | second stage    | o pages
** +-----------------+
**
** n = (kernel_size + page_size - 1) / page_size
** m = (ramdisk_size + page_size - 1) / page_size
** o = (second_size + page_size - 1) / page_size
**
** 0. all entities are page_size aligned in flash
** 1. kernel and ramdisk are required (size != 0)
** 2. second is optional (second_size == 0 -> no second)
** 3. load each element (kernel, ramdisk, second) at
**    the specified physical address (kernel_addr, etc)
** 4. prepare tags at tag_addr.  kernel_args[] is
**    appended to the kernel commandline in the tags.
** 5. r0 = 0, r1 = MACHINE_TYPE, r2 = tags_addr
** 6. if second_size != 0: jump to second_addr
**    else: jump to kernel_addr
*/
```
With this, we can code a decent unpacker.
The packer would just be a matter of using mkbootimg, but I don't need it for now.
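As an added example (not the unpacker linked below, nor code from the Android project), here is a Python version of that layout: it parses the header, cuts the image at the page-rounded offsets the comment gives, and hashes each part so a device's boot.img can be compared against a known-good one. The header field order is assumed from bootimg.h, since the page only reproduces the layout comment; the sample image is constructed inside the block.

```python
import hashlib
import struct

# v0 boot_img_hdr from bootimg.h (field order assumed from that file; the page
# only reproduces its layout comment): magic, kernel_size, kernel_addr,
# ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr, page_size,
# unused[2], name[16], cmdline[512], id[8]; integers are little-endian.
HDR_FMT = "<8s8I2I16s512s8I"
MAGIC = b"ANDROID!"

def pages(size, page_size):
    """The n/m/o formula from the comment: (size + page_size - 1) / page_size."""
    return (size + page_size - 1) // page_size

def unpack_bootimg(blob):
    """Split a boot.img into header fields and its page-aligned parts."""
    f = struct.unpack_from(HDR_FMT, blob, 0)
    magic, ksize, kaddr, rsize, raddr, ssize, saddr, tags_addr, psize = f[:9]
    if magic != MAGIC:
        raise ValueError("not a boot.img (bad magic)")
    if ksize == 0 or rsize == 0:
        raise ValueError("kernel and ramdisk are required (size != 0)")
    out = {"page_size": psize, "cmdline": f[12].rstrip(b"\0"),
           "kernel_addr": kaddr, "ramdisk_addr": raddr, "tags_addr": tags_addr}
    off = psize  # the header occupies exactly 1 page
    for name, size in (("kernel", ksize), ("ramdisk", rsize), ("second", ssize)):
        out[name] = blob[off:off + size]  # b"" when second_size == 0 (optional)
        off += pages(size, psize) * psize
    return out

def part_digests(blob):
    """SHA-256 per part, to diff a device's boot.img against a known-good one."""
    p = unpack_bootimg(blob)
    return {k: hashlib.sha256(p[k]).hexdigest() for k in ("kernel", "ramdisk", "second")}

def build_bootimg(kernel, ramdisk, second=b"", page_size=2048, cmdline=b""):
    """Constructed test image (demo only; load addresses are made-up values)."""
    hdr = struct.pack(HDR_FMT, MAGIC, len(kernel), 0x10008000, len(ramdisk),
                      0x11000000, len(second), 0x10F00000, 0x10000100,
                      page_size, 0, 0, b"", cmdline, *([0] * 8))
    pad = lambda b: b + b"\0" * (pages(len(b), page_size) * page_size - len(b))
    return pad(hdr) + pad(kernel) + pad(ramdisk) + pad(second)

if __name__ == "__main__":
    img = build_bootimg(b"K" * 3000, b"R" * 5000, cmdline=b"console=ttyMSM0")
    print(part_digests(img))
```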
What I basically did to see what makes a Nexus One rooted was to compare the original boot.img to the corresponding SuperBoot boot.img.
What I saw is the following:
diff -ru original/default.prop rooted/default.prop --- original/default.prop 2010-04-25 11:58:52.143574246 +0200 +++ rooted/default.prop 2010-04-25 11:59:12.373574922 +0200 @@ -1,7 +1,7 @@ # # ADDITIONAL_DEFAULT_PROPERTIES # -ro.secure=1 +ro.secure=0 ro.allow.mock.location=0 -ro.debuggable=0 -persist.service.adb.enable=0 +ro.debuggable=1 +persist.service.adb.enable=1 diff -ru original/init.rc rooted/init.rc --- original/init.rc 2010-04-25 11:58:52.163574413 +0200 +++ rooted/init.rc 2010-04-25 11:59:12.393586264 +0200 @@ -230,6 +230,11 @@ ## Daemon processes to be run by init. ## +service superboot /system/bin/sh /superboot/superboot.sh + user root + group root + oneshot + service console /system/bin/sh console Only in rooted/: superboot
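Review bot: in the default.prop hunk, the three changed lines (ro.secure 1 -> 0, ro.debuggable 0 -> 1, persist.service.adb.enable 0 -> 1) are exactly the settings that decide whether adbd drops privileges and whether USB debugging is on at boot, so a production ramdisk should keep ro.secure=1 and ro.debuggable=0; when checking a device's boot partition against a stock image, diff these three properties first, since they flip without touching the kernel at all.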
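Review bot: the service added in the init.rc hunk runs /superboot/superboot.sh as `user root` / `group root` with `oneshot` and no `disabled` line, so init starts it as root on every boot from a directory that the trailing "Only in rooted/: superboot" line shows is absent from the stock ramdisk; a root-owned service whose binary lives outside /system is the strongest tamper indicator in this diff, so an integrity check of the ramdisk should flag any init.rc service block not present in the stock init.rc.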
Well, we can clearly see that some properties are there to unlock a security restriction and to enable USB Debugging mode permanently.
Moreover, the actual work is done only in the superboot directory, which contains:
- su
- superboot.sh
- Superboot.apk
Hell yeah, seems like my theory holds ;).
- HOWTO: Unpack, Edit, and Re-Pack Boot Images
- Superboot - rooting the Nexus One
- Original Nexus One images
- m_101 GIT repository