In this video, we're continuing looking at my Motorola G and using fastboot, adb and abootimg to load different images to it. You're going to have to bear with me. It's kind of a long tutorial, a lot of information here, building on stuff we've done in the past. I hope that you enjoy it. I hope you take something away from it. If it's a little much for you this week, maybe come back next week. We're doing something very similar. I'm going to simplify it. Also check out the link in the description for the source code to a script that basically automates everything we're going to be doing today. Thank you and I hope you enjoy it. This is part of a series we've been working on working with the Android bootloader. I'm using a Motorola G here, but a lot of this should apply to most Android devices that are running fastboot. If you're not running fastboot, things will change a little bit obviously as far as getting the images where they need to go. I have my phone plugged in and what I'm going to do is I'm going to sudo adb reboot into the bootloader. Three programs you need to have installed on your computer: adb, fastboot and abootimg. They should all be in your repositories. abootimg is called abootimg, and fastboot and adb are called android-tools-adb. But just search for those in your repositories. They should be there. So my phone's rebooted. I don't have a counterpoint on it because it's a real thing to see. I'm just at the bootloader screen that says, you know, regular power-up, factory reset, recovery, blah blah blah. On my desktop here, if I list out, you can see I have the recovery image for Team Win Recovery Project. And what I want to do is I want to boot into that. So what I'm going to do is I'm going to say fastboot and I'm going to say boot that image. And my phone just restarted and it's going to go into that recovery mode. The reason I'm doing this is because I need a root shell and I don't have my phone rooted. I just have the bootloader unlocked.
What we're going to do today is create a rooted device temporarily, although you can do it permanently. So we booted the recovery image to RAM. So what we're doing right now is it's like running a live CD, a Linux live CD. You can pop a CD or a USB drive into a desktop, boot to it and not touch the hard drive. That's what we're doing right now. And I can now sudo adb shell. And you can see I have a root shell on this image. So what I want to do now is I want to pull the initrd file. The initrd file, it's the initial RAM disk file, the image. It's the partition on the phone that when it boots, the bootloader loads this up to RAM. And then it decides what other partitions are mounted and what services are started at boot time. And what we're going to do is we're going to pull that off the phone, the stock one off the phone. And then we're going to take it, extract it with abootimg, make some modifications, and then package it back up and load it to the phone, in which case we can load it to the partition overriding the original, which means every time we start the phone, it will start with those changes. But what we're going to do today is just like we're running the recovery right now, I'm going to load it to RAM so that I can boot into it, have myself a root shell. In this case, I'm going to be using BusyBox's telnet daemon. And I'll have that, but then at any point I can reboot and it unroots it. It goes back to how it was before. So let's go ahead and again, hopefully you watched the previous tutorials. There should have been an annotation on the screen or in the playlist to get in the description for the playlist. Let's go ahead and type in parted, /dev/block/, and we're going to type in mmcblk0 because we want the first device and we will hit enter now and we'll type in print and it should print all of our partitions. And the one we want is the one right, abootimg, or aboot. So this is the image we want right here. It's really small. And so let's go.
Oh, actually, sorry, not aboot, boot. This is the one we want. It's going to say that was smaller than expected. It should be about 10 megabytes right now. So that's partition 31. So what I'm going to do now, we also look user data is right here. And that's partition 38. So remember 31 and 38 because I'll probably forget that in a minute. I'll quit out of that. We'll check what's mounted and we can see that we have SD card mounted on SD card one. So if I didn't have that, I was going to mount the internal storage, which is right there. Let's go ahead and go to cd forward slash SD card one. Clear the screen with control L. And what I'm going to do here is I'm going to use the dd command, which hopefully you're familiar with. If not, this tutorial is probably a little more advanced for you than you need to. But hopefully most of you have used dd before. I'm going to say dd if, for in file, we're going to say /dev. Oh, dd won't let me auto complete. So good to have. So I'm going to go list /dev/block/mm and we said 31. Pretty sure. Told you I was going to forget. Now I'll say dd if equals. So that's our in file. And I am going to say out file equals boot.img. And I'm going to hit enter. And it didn't take very long because it's only 10 megabytes. And what I pulled off the phone off the partition to my SD card as an image as a file on the SD card, not overwriting what was there on the SD card, just creating a file. Okay, so now I'm going to exit out of the phone. So now I'm back at my desktop. Again, if I list out here, I have one image. That's the recovery image we're in right now. So what I want to do is I want to do sudo adb pull SD card one boot.img. Enter, control L to clear the screen. And if I list out here, you can see that I've got two images, the boot img and the recovery img. And what we need to do is we need to extract that boot img and we're going to use abootimg for that.
So what I'm going to do is I'm going to type in abootimg dash x to extract. And actually, let's make a directory to put all this in. We'll make a directory called boot. I'll move into that and I'll say abootimg, just to keep things clean so it's not in the same directory as everything else. I'm going to say dash x and then I'm going to say dot dot backslash or sorry forward slash to get to our boot img file. I'll hit enter and it says right here that it created a bootimg config file. It's extracted the kernel and the initial RAM disk image inside that partition. So now we're going to extract the initial RAM disk. So real quick, we can file our initial RAM disk and here it says that it's a gzip compressed data from Unix or in this case Linux. And if for some reason you don't have file, you can always head one to get the first line of a file. Like so, I think I showed this in a previous tutorial. And sometimes you can get information out of there that writes this time, not so much. File is a better option to go. I was just trying to show you another way to go if for some reason you didn't have file in your system, but you should. Okay. So now at this point, we list out here again, we have those three files and we want to unzip. As we said, it's a gzip file. So we're going to say gunzip dash c because it's a compressed file. You know what I'm about to do? I forgot again. Let's make another folder. mkdir ramdisk because this is our initial RAM disk. I'll move into that folder again so that everything is, you definitely want this in the separate folder because you're going to recompile everything in this folder. If you extract everything to the folder we were just in, you're going to compile the image with the original image and kernel in it. It just will get messy and your file will get too big to put back onto your phone if you wanted to write to the partition. So anyway, create a new directory, move into the directory.
Then gunzip dash c because it's compressed, going back up. So dot dot backslash to the file. And then we're going to pipe that output into cpio dash i. I've shown this in previous tutorials as far as extracting certain images from live CDs. I'll hit enter. And if I list out now, you can see all these files. This is your initial RAM disk. Everything in this folder right now, our RAM disk folder, is what loads to RAM when the phone starts up. And it starts by running this init binary file here. And that will run pretty much all of these other script files, which we're going to modify one right now. And these will load up all your partitions, load up all your scripts and startup services. So I am just going to create my own script. And I'll just put it here as well. I'll call it, vim init.my.sh. And then in here we're going to, this is where we're going to create some stuff. So our shebang line telling what interpreter should be used. I'm going to say /system/bin/sh because there's no bash on the phone. So we're using whatever the default shell is here. And on Android it's under /system/bin/sh. Next we're going to say, I'm going to say sleep 30. I'm going to have it sleep for 30 seconds because I just want to make sure the phone is completely done and loaded when we try to start this service. So it doesn't crash because other things aren't loaded. That isn't really necessary probably, but I'll just do it for sure because the phone is going to take at least 30 seconds to boot anyway. So next we're going to say /sbin/busybox telnetd, dash p for port. And we'll give it a port. I'll just say 9999. Whatever port you want, but remember what it is. Dash l saying login. And we're going to run this script as root so this login will run as root and that's how we're going to accomplish root. We're going to say system when you log in run as root and start the shell and looking at my notes here. Oh, and then if you want, you're going to probably want to put dash b to 127.0.0.1. Okay.
If you leave this part out, what's going to happen is you just opened up a root shell unencrypted on the network on port 9999, meaning anyone on your local network can telnet into your phone and have root access. That's if you leave this out. That obviously is going to be a bad idea. Dash b 127.0.0.1 means loopback only. The only device that can telnet into your device is the device itself. So if you got a malicious script or program on your phone and it knows you're doing this, it will get root access, but that's no different than people who just have su on their phone where it's going to look for su. So anyway, we're going to start up the service and there's other ways that you can add more protection, passwords and stuff like that and start up the service when you want and not have it running all the time. But right now we're just going to start it up at boot time and say obviously log in as root, but only for the current device. And that is going to be our script. And we will save that. And now we are going to obviously make that executable. I'm going to chmod. I'm going to say 777 init.my.sh. So it's executable now, but it doesn't automatically start. We need to add that to our startup processes. So what I'm going to do is I'm going to go into vim and I'm going to go into the init.rc, which is our main startup script. Now this is not a shell script. Don't think you can run shell script commands in here. There are some things you can do and some things you can't. There are a list of commands you can find online. Mainly you can make directories, change permissions, mount stuff, write to files. But you're not going to be able to, I mean, I could, if this was just a shell script, I could put in here that one busybox command and not have to have a separate file. But what I'm going to do here is I am going to make sure I'm at the bottom. Oops. And I am going to now add my own service.
So what I'm going to do, I'm just going to copy and paste this from my notes to save some time. And I'll do my best to explain it. So we're going to start a service. What service? We're going to call the service my initmy. But where is it? It's a script in our root directory because we just created it. That's the name of the file. Classes. Mainly you can put things in different classes so you can kill classes. But the important parts here is the user is root and group is root. Because you can start up as different users. We want to start as root so that we have root access. I'm going to save that. And now I'm going to move back out of that directory. And what I want to do is now I want to create a new image. So what I'm going to do is I'm going to say abootimg. Let me clear the screen here. abootimg-pack-initrd. And now we want to tell it what we want to call the file. So I'm going to put it in the directory above this. I'm going to call it boot2.img. And then I'm going to say, oh I'm sorry. No, no, no. I'm skipping a step here. This I want to just say init. I want to call it something else. I'm not going to overwrite the original RAM disk. And where is all the files? All the files, the file system is going to be under that folder we just created, ramdisk. If I list out now, you can see we have our bootimg config, which we're going to edit here in a second. We have our initial RAM disk image. That's our original, our stock one. We have our new image. We have our ramdisk folder, which we can delete at this point. But we might want to make more changes. So we'll just leave that there. And our kernel. Now, if you try it as is, it's not going to work because of SELinux. SELinux is not going to let that run as root. So what we need to do is we need to change our SELinux settings to allow permissive behavior, basically. When I was originally trying to figure this out, I tried disabling SELinux altogether and Android did not like that.
It just did not like it. So instead of disabling altogether, we're saying permissive. So what this is going to do is it's going to throw a bunch of errors into your error log, but it's going to let stuff happen anyway. So we're going to go into our bootimg config. And we're going to change our command line. This is the command that runs when you load your kernel. It's passed to the kernel. And we're going to add to the end of that here androidboot.selinux=permissive. And let's make sure that we have our e at the end there. And so like I said, that's just going to let us do what we're doing. Otherwise, Android does not let you run things like this as root. We're going to save that. Okay, now that's saved. And sorry for this is a little complex. You might be a little lost. Luckily, and I'll mention again at the end, in the description of this video, I'll have a link to a shell script that should pretty much automate this entire process for you. You run the script, it will get the stock image, recompile it for you, make the changes, and then load it to your phone all with just one command. Obviously, this tutorial's on how to do it manually. Okay, so now that we have those files, we've made our change here, which changes the commands sent to our kernel. This is our kernel here. And then we have our new image disk. So what we're going to do now is we're going to use abootimg again, abootimg dash dash create. Now I'm going to create in the directory above us a boot2.img, dash f for the config file that we just modified. So you could have created a whole new one. I modified the one that was there. We didn't make any changes to the kernel, so we'll just use the kernel that we already have and our RAM disk, instead of the original we're going to use our new image. Okay. And that didn't take long at all because it's relatively small. If I move up a directory and I list out here, you can see that it's the same size as the other one.
User changed because we pulled that one with root, but it doesn't matter. And now let's load that to the phone. So the first thing I need to do on my phone is reboot to the bootloader. So I'm going to sudo adb reboot bootloader just like we did at the beginning. I'm looking at my phone. It's restarting. I'm at my bootloader screen. Now, just like we did at the very beginning of the tutorial with the recovery image, we're going to fastboot and we're going to boot. Although, again, you can write this image, although it doesn't hurt to test it first. But we're just going to boot it to RAM. So I'm going to say boot2.img. And my phone is now restarting. And it will take a little bit for it to restart. And hopefully if we did everything correctly, if not, I've got to start the tutorial over again if I typed something wrong. It's restarting. Okay, my startup logo is animations going. It gets there. I'm going to have to unlock my phone because I do have a pin lock and you can't adb into the shell without unlocking the phone. Okay, give me a second here. Phone's loading. And luckily if we did screw something up. Okay, phone's loaded. I can always restart the phone because we loaded stuff to RAM. We didn't make any changes to the actual phone, at least not permanently. Okay. So now I've unlocked my phone as in the pin lock, adb shell. And as you can see here, we still have just a regular shell. And you can't su because we don't have an su command. So what I want to do is I want to use busybox and a telnet to ourself on port 9999. And I did that wrong. Oh no, P connection refused. And so our service did not start. And I think I might know why. Yes, I do know why. I know exactly why. Okay, luckily we did not remove our initial RAM disk image. I forgot one step, a very important step. Let's go cd back into our boot folder. Back into our ramdisk folder. List here. Sorry about this. Should have gotten this right the first time.
What I'm going to do is I'm going to move into our sbin folder here. Okay. And our script starts up busybox. And its telnet service. Well, our image doesn't have busybox installed. So we want to do that. So what I'm going to do here, I got a URL here. You can compile your own busybox, pull it off something else. Here's a link. It's that I have to the project that I have the script on again. That's in the description to a precompiled version of busybox. I did not compile this. I got it from someone else. So, you know, take that as it is. And we're going to output that to a busybox file. And let's chmod 777, busybox. That just pretty much gives everyone permission to everything on that. Probably not the best way to do that. But we have open root on our phone. So we're not making sense anyway. So let's again, sudo reboot into our bootloader on our phone. While that's rebooting, I'm going to back out to our image here. And what I'm going to do is I'm going to run the same command I did before. So we're going to abootimg-pack-initrd into our new ramdisk image. Oh, if you're going to do this, you need to let me don't try to overwrite a ramdisk that already exists. It does not like that. So let's remove that ramdisk we created and right here. So we're going to package the initial ramdisk from the ramdisk folder. And now we're going to create our image. Move out here and we are going to adb, no, sorry, fastboot, boot our new boot image. So sorry about that. Phone's restarting. And if this doesn't work, then I really did something wrong. But I'm pretty sure that was probably a problem. We could have checked our log files on the phone to see what the error was, which probably wouldn't have been a bad idea. But it's okay. When I screw up, I skip the step there and a lot of steps in here. Again, I'm showing you this here. So you have the video, but the link in the description is a script that will show you how to do all this. And hopefully this works.
If not, I'm going to have to record this whole video over again, which is not a short video. So that's not fun. Phone is booting. Phone is booting. Phone is booted. Phone. And I am going to adb shell. Again, we don't have a root shell. su does not work, but I should be able to busybox telnet 127.0.0.1 and 9999 for the port. And we got a root shell, list. And so now we can do things like I can go into the storage on my phone, SD card one. I can go, I can say, busybox mount. And I can mount my Debian ARM image to my Debian folder here if I wanted. Give it a second. Okay, let's clear the screen. And I can cd into my Debian screen. Let's clear the screen. So here's my Debian image. So now I can say, obviously, there's other things you want to mount when you're chrooting. But just for now, I'll just say bash, busybox chroot bash, /bin/bash. There we go. And now I'm in my Debian system. You can see I got aptitude installed. And right now I do get this error with a lot of commands, but it's just a warning. It doesn't really do anything. It's kind of annoying. I haven't looked into how to remove that. And that has to do with files on the Android side of it. But I have a working chroot now. So I have Debian running on my phone. And anything else I want to do as far as root. I can always exit out of that. And again, if I exit out of that, well, real quick, let me, busybox ifconfig here. I can see, okay. I just want to show you that if I try to telnet, I don't have telnet installed. I'll use netcat to that 9999. Yep. Connection refused. Not that it's not there. Connection refused. So people can't remotely log into your phone this way. Again, if you were to leave off that dash b 127.0.0.1 on our startup script for the telnet command, I could log into my phone this way. But so could anybody else without any password having root. So that's not really a good idea.
The script I created gives you the option when you're booting on whether you want remote access or not. So that's it for this tutorial. But just for fun, let me sudo remove everything from this folder. So I just deleted everything. And what I'm going to do is I am going to get my script that I have up on GitHub. I'm going to wget that file. And I'm going to chmod plus x, telnet local. I call it telnet local because, so you know it's local, although you have the option. And what I'm going to do now is I'm going to run that script. So it's going to tell me it automatically started as root. Actually, I'm going to clear that out. Let me show you. By default, it's going to do it as local only. Let's remove this work folder, sudo. But if I want remote access sudo, I don't know why I did that, slash sudo telnet.sh. And what I'm going to do here is I'm going to type in, what did I, that's right, remote. If I do that, my script gives you a warning saying this is not safe that you're doing this. And it's downloading the image. It's downloading busybox. It's restarting my phone. It uncompressed everything already. Oh, no, it didn't uncompress. Yeah, it did uncompress. Downloaded the stock initial RAM disk image. It uncompressed it, made the changes, added the script, added busybox, recompiled the package, the initial RAM disk, repackaged the image, and restarted my phone and loaded up. My phone is rebooting now. So that's my script. My script does all that. Also, if you don't have abootimg, Android Debug Bridge or fastboot installed, my script will try to install those for you if you're on a Debian-based system. Ubuntu, Linux Mint, Debian, that sort of stuff. So my phone just rebooted. Let me unlock it. So just like before, I can go into it and I can busybox, telnet, Ubuntu. You might be able to do localhost. No, that doesn't work. All depends on how you have your system set up. So I'll go into that. And you can see, again, we have our root shell.
But since I did it as the remote way, I can telnet or netcat. And here I have a root shell networked into my phone. Again, you don't really want to do this unless like right now I'm on my network. I kind of live out middle of nowhere and my network is encrypted and I'm the only one home. So hopefully nobody else's on my system decides to scan port 9999 on my phone and realize that it's telnet and that they can log in. But yeah, I'm logged in as root. If I do, what is the command? Oh, I think it's echo dollar sign. At least on a desktop this works. Nope, that didn't work. Let's try uname dash a. Yeah, I don't know what it is. Also using netcat instead of telnet is not as convenient because you can't up arrow or autocomplete stuff. So you want to use an actual telnet program to log in. But worst case scenario, you can use netcat like this. It's the same just without the special features. So again, that's my script and my script. Again, you saw I ran it. I can run it automatically. It will restart itself as root. It will ask you for a password because you need to be root for some of this. Obviously look over my code before you run it as root. You should never run a script as root that you haven't looked over. It's not very long. Again, here I'll show you vim telnet local sh. So this is my script. It grabs a stock boot image that I pulled from my phone. I don't see why that wouldn't work on other phones. It creates some directories, checks if you're root, tries to restart as sudo if not, removes any previously created directories. It gives you a warning if you're trying to run it as remote. Here this is checking if those packages you need are installed, if not, tries to apt-get them. It will try to pull down the stock image here. It extracts the image, checks the image. It doesn't really check. It displays that it's an image.
It removes the boot config, downloads the one with changes, makes the ramdisk folder, moves into it, extracts our image to there, adds to our RC file, creates our script, changes its permission, gets busybox, moves out of all that, removes any RAM disk image you may have already created, packages it up, creates our image, reboots your phone, and then boots that image. So that's my script in a nutshell. Again, you can get that up on GitHub. Here's the project. It has that file as well as the image file there. You can pull down if you want to pull that down yourself rather than dd, the change in the config file there, and bin has busybox in there again. I did not compile that, somebody else did. So that is my project. I might add some other stuff. I most likely will add other scripts to there in the future. This tutorial is getting pretty long. There's a lot there. Again, luckily it's a video you can rewind or you can look over the script. And as always, please visit my website, filmsbykris.com. That's Kris with a K. There should be a link in the description. If you like this video, be sure to like it, share it, subscribe, comment below, let me know. If you have any questions, I'll do my best to help you. Again, my script is obviously written for the Motorola G, but should in theory, well, only use my phone with the Motorola G because it uses the initial RAM disk file from my phone. And again, we're booting to RAM, so you're not going to hurt your phone if you try to run my script. It just may not work. Although it may. It all depends. Anyway, I'm getting off on stuff now. You can at least look over the script and modify it for your phone. I hope that you have a great day.
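
The following is an added example, not part of the video and not the author's GitHub script: a Python audit of an unpacked boot image for the three weakenings the walkthrough introduces (SELinux set to permissive on the kernel command line, an init.rc service running as root, and a busybox telnetd started without a loopback `-b` address). The sample command line, service name `rootshell`, script path `/init.my.sh` and script contents are constructed for illustration.

```python
import re
import shlex

def parse_services(init_rc):
    """Map service name -> {"argv": [...], "options": {...}} from init.rc text."""
    services, current = {}, None
    for raw in init_rc.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "service" and len(words) >= 3:
            current = {"argv": words[2:], "options": {}}
            services[words[1]] = current
        elif words[0] in ("on", "import"):
            current = None  # a new section ends the service stanza
        elif current is not None:
            current["options"][words[0]] = words[1:]
    return services

def telnetd_findings(command):
    """Findings for one command line if it starts a (busybox) telnetd."""
    try:
        argv = shlex.split(command, comments=True)
    except ValueError:
        return []
    names = [a.rsplit("/", 1)[-1] for a in argv]
    if "telnetd" not in names:
        return []
    args, opts, i = argv[names.index("telnetd") + 1:], {}, 0
    while i < len(args):
        flag = args[i][:2]
        if flag in ("-b", "-p", "-l"):
            if len(args[i]) > 2:        # attached value, e.g. -p9999
                opts[flag] = args[i][2:]
            elif i + 1 < len(args):     # separate value, e.g. -p 9999
                i += 1
                opts[flag] = args[i]
        i += 1
    port = opts.get("-p", "23")         # telnetd listens on 23 unless told otherwise
    found = []
    if not opts.get("-b", "").startswith("127."):
        found.append(f"telnetd on port {port} is not bound to loopback")
    if opts.get("-l", "").endswith("sh"):
        found.append(f"telnetd on port {port} hands out a shell with no login")
    return found

def audit(cmdline, init_rc, scripts):
    """cmdline: kernel command line; scripts: {ramdisk path: file text}."""
    findings = []
    if re.search(r"(?:^|\s)androidboot\.selinux=permissive(?:\s|$)", cmdline):
        findings.append("cmdline: SELinux is forced to permissive")
    for name, svc in parse_services(init_rc).items():
        user = (svc["options"].get("user") or ["root"])[0]  # init defaults to root
        if user != "root":
            continue
        # The service may start telnetd directly or through a ramdisk script.
        lines = [" ".join(svc["argv"])]
        lines += scripts.get(svc["argv"][0], "").splitlines()
        for line in lines:
            findings += [f"service {name} (root): {f}" for f in telnetd_findings(line)]
    return findings

# Constructed sample input modelled on the steps described in the transcript.
SAMPLE_CMDLINE = "console=ttyHSL0,115200,n8 androidboot.selinux=permissive"
SAMPLE_INIT_RC = """
on boot
    start rootshell

service rootshell /init.my.sh
    class main
    user root
    group root
    oneshot
"""
REMOTE_SCRIPT = "#!/system/bin/sh\nsleep 30\n/sbin/busybox telnetd -p 9999 -l /system/bin/sh\n"
LOCAL_SCRIPT = REMOTE_SCRIPT.rstrip() + " -b 127.0.0.1\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_CMDLINE, SAMPLE_INIT_RC, {"/init.my.sh": REMOTE_SCRIPT}):
        print(finding)
```
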