Hi!

Today I will be speaking a bit about the Android boot.img.

I’ve been wondering what it is that makes Android phones rooted. In fact, my theory was the following: we only need su to get root.

To check that, I coded a boot.img unpacker. The link to download it is below.

The boot.img format is defined in this kernel file: android/system/core/mkbootimg/bootimg.h.

/*
** +-----------------+
** | boot header     | 1 page
** +-----------------+
** | kernel          | n pages 
** +-----------------+
** | ramdisk         | m pages 
** +-----------------+
** | second stage    | o pages
** +-----------------+
**
** n = (kernel_size + page_size - 1) / page_size
** m = (ramdisk_size + page_size - 1) / page_size
** o = (second_size + page_size - 1) / page_size
**
** 0. all entities are page_size aligned in flash
** 1. kernel and ramdisk are required (size != 0)
** 2. second is optional (second_size == 0 -> no second)
** 3. load each element (kernel, ramdisk, second) at
**    the specified physical address (kernel_addr, etc)
** 4. prepare tags at tag_addr.  kernel_args[] is
**    appended to the kernel commandline in the tags.
** 5. r0 = 0, r1 = MACHINE_TYPE, r2 = tags_addr
** 6. if second_size != 0: jump to second_addr
**    else: jump to kernel_addr
*/

With this, we can code a decent unpacker. Repacking would be a matter of using mkbootimg, but I don’t need it for now.
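As an added example (not the author's unpacker, which is a separate download), here is a small Python unpacker written directly from the layout above; the header field order follows struct boot_img_hdr from bootimg.h as I know it, and the sample image, its load addresses (mkbootimg's defaults) and the pack_bootimg helper are constructed here only to exercise the unpacker.

```python
import struct

# Header layout of struct boot_img_hdr from bootimg.h (assumed from that file):
# magic[8], kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, unused[2], name[16], cmdline[512], id[8].
BOOT_MAGIC = b"ANDROID!"
HDR_FMT = "<8s8I2I16s512s8I"
HDR_SIZE = struct.calcsize(HDR_FMT)  # 608 bytes, padded to one page in the image

def pages(size, page_size):
    """Pages an entity occupies: n = (size + page_size - 1) / page_size."""
    return (size + page_size - 1) // page_size

def unpack_bootimg(data):
    """Split a boot.img into header fields and the kernel/ramdisk/second blobs."""
    f = struct.unpack_from(HDR_FMT, data, 0)
    magic, ks, ka, rs, ra, ss, sa, ta, ps = f[:9]
    name, cmdline = f[11], f[12]
    if magic != BOOT_MAGIC:
        raise ValueError("not a boot.img: bad magic %r" % magic)
    if ks == 0 or rs == 0:
        raise ValueError("kernel and ramdisk are required (size != 0)")
    # Header takes one page; every entity starts on a page boundary.
    kernel_off = ps
    ramdisk_off = kernel_off + pages(ks, ps) * ps
    second_off = ramdisk_off + pages(rs, ps) * ps
    if second_off + pages(ss, ps) * ps > len(data):
        raise ValueError("image truncated")
    return {
        "page_size": ps, "kernel_addr": ka, "ramdisk_addr": ra,
        "second_addr": sa, "tags_addr": ta,
        "name": name.rstrip(b"\0"), "cmdline": cmdline.rstrip(b"\0"),
        "kernel": data[kernel_off:kernel_off + ks],
        "ramdisk": data[ramdisk_off:ramdisk_off + rs],
        "second": data[second_off:second_off + ss],  # empty when second_size == 0
    }

def pack_bootimg(kernel, ramdisk, second=b"", page_size=2048, cmdline=b""):
    """Build an image laid out as mkbootimg does (its default load addresses), to test with."""
    def padded(blob):
        return blob + b"\0" * (pages(len(blob), page_size) * page_size - len(blob))
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk),
                      0x11000000, len(second), 0x10F00000, 0x10000100, page_size,
                      0, 0, b"", cmdline, *([0] * 8))
    return padded(hdr) + padded(kernel) + padded(ramdisk) + padded(second)

# Constructed sample image (not a real device's boot.img).
SAMPLE = pack_bootimg(b"K" * 5000, b"R" * 3000, cmdline=b"console=ttyMSM0")
```

The ramdisk blob it returns is the gzipped cpio archive in which default.prop and init.rc live, which is what the diff below was produced from.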

What I basically did to see what makes a Nexus One rooted was to compare the original boot.img with the corresponding SuperBoot boot.img. What I saw is the following:

diff -ru original/default.prop rooted/default.prop
--- original/default.prop 2010-04-25 11:58:52.143574246 +0200
+++ rooted/default.prop 2010-04-25 11:59:12.373574922 +0200
@@ -1,7 +1,7 @@
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
-ro.secure=1
+ro.secure=0
ro.allow.mock.location=0
-ro.debuggable=0
-persist.service.adb.enable=0
+ro.debuggable=1
+persist.service.adb.enable=1
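Review bot: the three property flips in this hunk are the whole privilege change in default.prop, and the first is the decisive one: with ro.secure=0 adbd no longer drops from root to the shell uid, ro.debuggable=1 additionally lets `adb root` restart it as root, and persist.service.adb.enable=1 turns USB debugging on by default, so any host plugged into the phone gets a root shell without the user touching a setting. When auditing an unpacked ramdisk, `ro.secure=0` is the line to flag first, since it alone defeats the adbd privilege drop even if the other two are left at their stock values.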
diff -ru original/init.rc rooted/init.rc
--- original/init.rc 2010-04-25 11:58:52.163574413 +0200
+++ rooted/init.rc 2010-04-25 11:59:12.393586264 +0200
@@ -230,6 +230,11 @@

## Daemon processes to be run by init.
##
+service superboot /system/bin/sh /superboot/superboot.sh
+    user root
+    group root
+    oneshot
+
service console /system/bin/sh
console

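Review bot: the added service stanza runs /superboot/superboot.sh as `user root` / `group root` with no `disabled` line, so init launches it unconditionally on every boot, before any of the platform's permission checks exist; `oneshot` only stops init from respawning it. Since the path sits at the root of the unpacked image (the diff was taken between unpacked boot images, and `Only in rooted/: superboot` confirms it), the script lives in the boot partition's ramdisk rather than /system, so it survives a wipe of /data or /system; a hash check of the boot partition, or a comparison of init.rc service entries against the stock image like this one, is what would catch it.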
Only in rooted/: superboot

Well, we can clearly see that some properties are changed to unlock a security setting and enable permanent USB debugging mode.

Moreover, the rest of the job is done in the superboot directory, which contains:

  • su
  • superboot.sh
  • Superboot.apk

Hell yeah, seems like my theory holds ;).

m_101

Resources