Rich Freeman on 7 Jan 2016 07:49:32 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Rooting Phone Experiences

On Thu, Jan 7, 2016 at 9:39 AM, Mike DePaulo <> wrote:
> And above fastboot is your recovery environment.

I guess this is just definitions, but I'd say that recovery is BELOW fastboot.

> Your recovery environment lets you flash new ROMs. Sometimes people
> install new recovery environments, but in case you mess up your
> recovery environment, fastboot lets you recover your recovery
> environment.

Correct, many do choose do do their flashing from recovery.  Either
does work, though I tend to prefer using fastboot.

A bit more background.

The phone's ROM (and perhaps some flash that isn't normally touched)
loads the bootloader image and runs it.  I believe the bootloader
loads the radio image for the baseband CPU, which then runs
independently (I'm not 100% sure on that - the baseband CPU could very
well be bootstraped before the bootloader runs).

At that point the bootloader looks for keyboard input.  If there is
nothing going on it loads the boot image which is a standard linux
kernel+initramfs (linux in general supports embedding an initramfs in
the kernel).  If there is input the details are a bit
device-dependent, but you have an option of going into either fastboot
or recovery mode.

Fastboot is implemented purely in the bootloader, and it just accepts
images which are at most checksum/signature-verified and then loaded
into the appropriate partition.  The bootloader doesn't understand
anything about filesystems/etc.

If you tell the bootloader to go into recovery image it does the exact
same thing as a normal boot, except it loads the kernel+initramfs from
the recovery partition instead of the boot partition.  The recovery
initramfs typically is self-contained with all the userspace needed to
display the UI and let users do all their flashing.  At that point
you're running a full linux OS with userspace in the initramfs and it
can do anything your PC can do - like mount filesystems and edit
things at the file level and so on.  Heck, while nobody has
implemented this it could even configure the network and give you a
browser or mount sshfs shares or whatever.

Going back to the normal boot process - the boot kernel+initramfs
typically mounts the system partition and then transitions execution
over to it (I'd have to look up the details).  In this regard this is
fairly similar to a traditional linux distro, except that the
initramfs is combined with the kernel image in a raw boot partition
and not stored as separate files in a boot filesystem.

So, the two basic ways to go about flashing stuff on android are:
1.  Flash raw images using fastboot.  This would be a bit like a linux
distro where to install it you boot a CD and dd an image file to
/dev/sda or something like that.  Since phone images tend to be
one-size-fits-all anyway I find this to be the cleanest approach -
you're completely wiping what is there and ending up with a controlled
2.  Run an install zip file from recovery.  These zip files contain a
bunch of files, a manifest with signatures/etc, and install scripts.
These can be used to everything from wiping the system partition and
reloading it to just verifying a known initial state and just updating
selected files (which is how over-the-air updates work).  They can be
also used to just make tweaks, such as installing supersu but not
otherwise touching the existing install.

Oh, and one more thing to keep in mind.  Android Pay is now being a
lot more particular about modifications to the system partition, which
means that it won't work on most third-party ROMs.  Right now it
doesn't look at the boot image, so a workaround is to use a
"systemless root" which is basically a modified kernel that adds some
kind of system call back-door and then you can run an app which
triggers it.  There won't be any files added to the system partition,
so the checks don't spot them.

I really see the whole Android Pay situation leading to an arms race.
Google will start checking the boot image.  Then the boot image kernel
will start intercepting reads of the boot image like a rootkit and
return vendor-signed data and not the real boot image, and so on.
Short of them going the full trusted computing route Google can't
really verify what is running on the phone.  (And if they ever do go
the trusted computing route get ready for the virus that resets the
TPM and permanently disables Android Pay on 90% of Android phones or
whatever, unless they use a TPM that can't be reset.  Whenever I read
about hardware fuses I just wonder when the first virus comes along
and permanently trips them all.)

Again, hopefully this is helpful.  The android boot process would
actually be a great short talk of its own.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --