Development and modification of firmware for Android phones on the example of HTC Hero GSM. Part 1

The reasons why people put modified firmware versions are different. Someone wants to surprise a friend with a funny download animation, someone lacks a certain functionality (for example, vpn), someone wants to squeeze maximum performance out of his phone by overclocking the processor, and someone has been waiting for a new version of the Android operating system for five months your favorite HTC Hero.
At the moment, there is already a great many of the most unimaginable assemblies for a wide variety of Android-based phones. Sometimes they even appear in one form or another on Habré.
I want to tell you about the process and features of creating custom firmware based on the official one. This knowledge was obtained in the process of developing one of the few domestic firmware based on Android 2.1 for the HTC Hero GSM. And more or less successfully tested on themselves and other turned up users of one large Russian forum.
Despite the fact that all of the following was done for the HTC Hero, these rules and features are in full force for all phones, especially those developed by HTC and using the proprietary shell Sense.
For the experiments we need:

• Android SDK preferably the latest version
• The apktool utility for reengineering system applications
• Smali / baksmali utilities for de-optimizing system applications
• The unyaffs utility for extracting system files from an image
• Script split_bootimg.pl to extract the kernel and ramdisk
• The testsign utility for signing the service pack and individual applications
• installed and configured JRE
• Android phone
• superuser rights and a modified recovery routine ( recovery rom )

All of the above is available in versions for both Linux and Windows. But in my examples, I will focus on using Linux.
Of course, neither root- rights nor recovery are needed for us to start development, but if we want to try out our creation, we will need them. For HTC Hero, you can use RA-hero-v1.6.2 .
Probably, it's time to remind that the use of unofficial firmware deprives us of a guarantee, but where ours did not disappear. And despite the fact that most operations are safe - you should always clearly understand what is being done and why, so as not to cause irreversible harm to your android

The foundation

There are several different approaches to firmware development.

• Build from Android Open Source Project sources
• Build from CyanogenMod project sources
• Modification of the firmware provided by the phone manufacturer

Despite the fact that the Android platform seems to be open, it seems that real phones use closed components. These are the drivers distributed in binary form (wifi / gps / fm), and key system components, such as the Market and other Google services. Also here you need to add the development of companies in the field of interface, such as HTC Sense , Motoblur, TouchWiz from Sumsung. This creates in places insurmountable difficulties in developing firmware from source codes.
I propose to dwell on the modification of ready-made firmware provided by phone vendors.
Firmware for HTC phones exist in two forms:

• RUU. Rom Update Utility (Firmware Update Utility ). Utility for Windows OS that updates the phone
• OTA. Over the Air (Update by "air"). The package downloaded by the phone itself via the wifi / gprs network, which is installed on the phone without any computer participation

Recently, OTA updates consist of binary diffs , which somewhat complicates the use of these diffs as a basis . Since this requires a specific phone with a specific version of the firmware, which may simply be impracticable if we want to adapt the firmware from one phone to another. Or it involves a long and painful juggling of the identifier of the phone followed by downloading the update without installing it. And, perhaps, this procedure will have to be repeated several times.
We will use RUU update.
')

Removing rom.zip

1. Download the appropriate version of RUU for the phone of interest to us. Find which you can either on the site HTC, or in other sources . For HTC Hero we will use the Android 2.1 version released for Chunghwa operator (Taiwan) , released in early June
2. RUU utility when updating the phone flashes several areas at once:

• boot loader (hboot)
• linux + ramdisk kernel (boot)
• firmware for radio module (radio)
• recovery routine
• system partition (/ system)
• user section (/ data)

However, we cannot allow the RUU utility to overwrite our lovingly installed bootloader and recovery. In order to continue to be able to install not only official firmware. To do this, we need to remove the radio / boot / system / data.
In essence, RUU is an InstallShield installer that carries the images we need in rom.zip.
Run it and get into the title screen welcome. Without going further, open the% TEMP% system folder, in which we see 2 new folders, in one of which we will find the rom.zip file. We copy in a lonely place and we close RUU cancel installation.

Unpacking images

After unpacking the received archive and deleting images that are not interesting for us, we will see:

1. $ ls -1 rom boot.img Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img system.img userdata.img
2. $ ls -1 rom boot.img Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img system.img userdata.img
3. $ ls -1 rom boot.img Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img system.img userdata.img
4. $ ls -1 rom boot.img Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img system.img userdata.img
5. $ ls -1 rom boot.img Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img system.img userdata.img

The phone carries 512MB NAND Flash, which are divided into the following logical blocks

1. $ adb shell cat / proc / mtd dev: size erasesize name mtd0: 00040000 00020000 "misc" mtd1: 00500000 00020000 "recovery" mtd2: 00280000 00020000 "boot" mtd3: 0aa00000 00020000 "system" mtd4: 08200000 00020000 "cache" mtd5: 0a5c0000 00020000 "userdata"
2. $ adb shell cat / proc / mtd dev: size erasesize name mtd0: 00040000 00020000 "misc" mtd1: 00500000 00020000 "recovery" mtd2: 00280000 00020000 "boot" mtd3: 0aa00000 00020000 "system" mtd4: 08200000 00020000 "cache" mtd5: 0a5c0000 00020000 "userdata"
3. $ adb shell cat / proc / mtd dev: size erasesize name mtd0: 00040000 00020000 "misc" mtd1: 00500000 00020000 "recovery" mtd2: 00280000 00020000 "boot" mtd3: 0aa00000 00020000 "system" mtd4: 08200000 00020000 "cache" mtd5: 0a5c0000 00020000 "userdata"
4. $ adb shell cat / proc / mtd dev: size erasesize name mtd0: 00040000 00020000 "misc" mtd1: 00500000 00020000 "recovery" mtd2: 00280000 00020000 "boot" mtd3: 0aa00000 00020000 "system" mtd4: 08200000 00020000 "cache" mtd5: 0a5c0000 00020000 "userdata"
5. $ adb shell cat / proc / mtd dev: size erasesize name mtd0: 00040000 00020000 "misc" mtd1: 00500000 00020000 "recovery" mtd2: 00280000 00020000 "boot" mtd3: 0aa00000 00020000 "system" mtd4: 08200000 00020000 "cache" mtd5: 0a5c0000 00020000 "userdata"
6. $ adb shell cat / proc / mtd dev: size erasesize name mtd0: 00040000 00020000 "misc" mtd1: 00500000 00020000 "recovery" mtd2: 00280000 00020000 "boot" mtd3: 0aa00000 00020000 "system" mtd4: 08200000 00020000 "cache" mtd5: 0a5c0000 00020000 "userdata"
7. $ adb shell cat / proc / mtd dev: size erasesize name mtd0: 00040000 00020000 "misc" mtd1: 00500000 00020000 "recovery" mtd2: 00280000 00020000 "boot" mtd3: 0aa00000 00020000 "system" mtd4: 08200000 00020000 "cache" mtd5: 0a5c0000 00020000 "userdata"
8. $ adb shell cat / proc / mtd dev: size erasesize name mtd0: 00040000 00020000 "misc" mtd1: 00500000 00020000 "recovery" mtd2: 00280000 00020000 "boot" mtd3: 0aa00000 00020000 "system" mtd4: 08200000 00020000 "cache" mtd5: 0a5c0000 00020000 "userdata"

As we see, these areas of memory are directly related to the images we received. RUU makes the recording of as-is images, but we want to change the content of the system, so we need to unpack them.
Yaffs2 is used as a file system for NAND in android

1. $ adb shell mount | grep yaffs / dev / block / mtdblock3 on / system type yaffs2 ( ro ) / dev / block / mtdblock5 on / data type yaffs2 ( rw,nosuid,nodev ) / dev / block / mtdblock4 on / cache type yaffs2 ( rw,nosuid,nodev )
2. $ adb shell mount | grep yaffs / dev / block / mtdblock3 on / system type yaffs2 ( ro ) / dev / block / mtdblock5 on / data type yaffs2 ( rw,nosuid,nodev ) / dev / block / mtdblock4 on / cache type yaffs2 ( rw,nosuid,nodev )
3. $ adb shell mount | grep yaffs / dev / block / mtdblock3 on / system type yaffs2 ( ro ) / dev / block / mtdblock5 on / data type yaffs2 ( rw,nosuid,nodev ) / dev / block / mtdblock4 on / cache type yaffs2 ( rw,nosuid,nodev )
4. $ adb shell mount | grep yaffs / dev / block / mtdblock3 on / system type yaffs2 ( ro ) / dev / block / mtdblock5 on / data type yaffs2 ( rw,nosuid,nodev ) / dev / block / mtdblock4 on / cache type yaffs2 ( rw,nosuid,nodev )

Unpack the system and data (/ cache remains empty)

1. $ mkdir system && cd system && unyaffs .. / .. / .. / rom / system.img $ mkdir .. / data && cd .. / data && unyaffs .. / .. / .. / rom / userdata.img
2. $ mkdir system && cd system && unyaffs .. / .. / .. / rom / system.img $ mkdir .. / data && cd .. / data && unyaffs .. / .. / .. / rom / userdata.img

As a result, we obtained a full-fledged root tree, suitable for flashing to a phone, which contains system libraries, framework, system applications, configuration files, etc.


It should be borne in mind that the unpacked archive contains symbolic links that will be lost on file systems that do not support them (fat / ntfs). Which we can restore through the update script, which will be discussed in another article.

Core

We also need a boot partition, which is essentially a linux kernel (for the selected firmware, this is 2.6.29 armv6l) with a ramdisk and has the following format :

  ** + ----------------- +
 ** |  boot header |  1 page
 ** + ----------------- +
 ** |  kernel |  n pages
 ** + ----------------- +
 ** |  ramdisk |  m pages
 ** + ----------------- +
 ** |  second stage |  o pages
 ** + ----------------- +
 **
 ** n = (kernel_size + page_size - 1) / page_size
 ** m = (ramdisk_size + page_size - 1) / page_size
 ** o = (second_size + page_size - 1) / page_size 

If we want to replace the kernel, or modify the initialization scripts, we need to extract them from the boot- image. To do this, we need a wonderful perl script split_bootimg.pl by William Enck .

1. $ split_bootimg.pl .. / rom / boot.img $ ls boot.img-kernel boot.img-ramdisk.gz data system
2. $ split_bootimg.pl .. / rom / boot.img $ ls boot.img-kernel boot.img-ramdisk.gz data system
3. $ split_bootimg.pl .. / rom / boot.img $ ls boot.img-kernel boot.img-ramdisk.gz data system

With the kernel itself, we can do nothing except how to replace it with another, and the ramdisk can be unpacked for later change and configuration:

1. $ mkdir ramdisk && cd ramdisk && gzip -dc .. / boot.img-ramdisk.gz | cpio -i $ ls data default.prop dev init init.goldfish.rc init.hero.rc init.rc logo.rle proc sbin sys system
2. $ mkdir ramdisk && cd ramdisk && gzip -dc .. / boot.img-ramdisk.gz | cpio -i $ ls data default.prop dev init init.goldfish.rc init.hero.rc init.rc logo.rle proc sbin sys system
3. $ mkdir ramdisk && cd ramdisk && gzip -dc .. / boot.img-ramdisk.gz | cpio -i $ ls data default.prop dev init init.goldfish.rc init.hero.rc init.rc logo.rle proc sbin sys system

In this article, we don’t want to do anything with the kernel or with ramdisk , and therefore we will pack everything back (or go back a step and don’t touch the boot at all )

1. find . | cpio --quiet -o -H newc | gzip > .. / new-ramdisk.gz $ cd .. && mkbootimg --kernel boot.img-kernel --ramdisk new-ramdisk.gz --cmdline "no_console_suspend=1 console=null" -o newboot --base 0x19200000
2. find . | cpio --quiet -o -H newc | gzip > .. / new-ramdisk.gz $ cd .. && mkbootimg --kernel boot.img-kernel --ramdisk new-ramdisk.gz --cmdline "no_console_suspend=1 console=null" -o newboot --base 0x19200000

For other phones, the base offset settings may vary. Commandline we get from split_bootimg when unpacking.

Update script

To update, we will use an update script, which is written in the special script language edify , the syntax of which can be found in the android sources . The script / META-INF / com / google / android / update-script could be:

1. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
2. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
3. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
4. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
6. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
7. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
8. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
9. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
10. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
11. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
12. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
13. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
14. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
15. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
16. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
17. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
19. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
20. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
21. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
23. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
24. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
25. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10
26. show_progress 0.1 0 format CACHE: format SYSTEM: copy_dir PACKAGE:system SYSTEM: set_perm_recursive 0 0 0755 0644 SYSTEM: set_perm_recursive 0 2000 0755 0755 SYSTEM:bin set_perm 0 3003 02755 SYSTEM:bin/netcfg set_perm 0 3004 02755 SYSTEM:bin/ping set_perm_recursive 1002 1002 0755 0440 SYSTEM:etc/bluez set_perm 0 0 0755 SYSTEM:etc/bluez set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh set_perm_recursive 0 0 0755 0555 SYSTEM:etc/ppp set_perm 0 0 04755 SYSTEM:etc/ppp/ip-up-vpn show_progress 0.1 10 show_progress 0.2 0 copy_dir PACKAGE:data DATA: show_progress 0.2 10 show_progress 0.3 0 format BOOT: write_raw_image PACKAGE:boot.img BOOT: show_progress 0.3 10

While this script is very primitive and the only thing that it does is prepares the appropriate sections.

Sign Service Pack

In order for us to be able to flash our firmware, we need to sign the update package. This process is similar to the process of signing jar-packages . Your (or test) certificate is added to the package and checksums for the files inside it are saved.

1. $ zip -r habrarom.zip . $ java -classpath ../../bin/testsign.jar testsign habrarom.zip habrarom-signed.zip
2. $ zip -r habrarom.zip . $ java -classpath ../../bin/testsign.jar testsign habrarom.zip habrarom-signed.zip

Radio module firmware

This is the easiest part in terms of creating a service pack, but also the most dangerous in terms of the consequences of an unsuccessful update.
The update package is created absolutely identical to the previous one, only it will contain a binary blob from the radio, which we extracted from the RUU and a script to write it to the appropriate section of memory.
A simple script:

1. show_progress 0.1 0 write_radio_image PACKAGE:Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img show_progress 0.1 10
2. show_progress 0.1 0 write_radio_image PACKAGE:Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img show_progress 0.1 10
3. show_progress 0.1 0 write_radio_image PACKAGE:Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img show_progress 0.1 10

Not much that will be included in this update package.

1. $ ls -1 META-INF Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img
2. $ ls -1 META-INF Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img
3. $ ls -1 META-INF Radio_Signed_HERO_63.18.55.06O_6.35.15.01.img

All this is packaged and signed as previously.

Firmware

Despite the fact that we have not added any new functionality to the received firmware yet, we would like to try to flash and boot into it.
For this

1. Copy to the root of the map our update package
2. Boot into recovery
3. Making nanroid backup
4. We do wipe
5. Stitching
6. Reboot

We are glad that our patient survived a difficult operation.


The following important issues that did not directly modify the prepared basic firmware were not included in this review. Questions faced by any custom creator, and I came across directly when creating the Russian version of firmware 2.1 for HTC Hero GSM

• Add root, busybox
• De-optimization ( deodexing ) packages. Using smali / baksmali. Resolving odex dependencies
• remote odex application optimization
• Modification of system packages. Signature of packages: when necessary and when it can be neglected. Packaging applications. Update application resources without rebuilding
• Localization of the system, as an example of large-scale modification of the system.
• Decompiling and assembling system application / bytecode resources. Correcting system application errors
• zip-align, png optimization
• Application signing and circular bailing problem when using shared uid
• Using initialization scripts on the example of transferring data from one partition to another (dalvik-cache2cache, app2sd)

In the meantime, we are looking forward to when the update of the FOTA client will be followed by an upgrade of the system itself to version 2.1-update1.

In previous and future series

1. Part 1. Creating firmware in update.zip format based on RUU. Unpacking / packing boot. Update script. Sign service pack and applications.
2. Part 2. Adding busybox. Adding root. Mount to write. Initialization script Editing ramdisk.