APC Australia

Hack your Android

Back up your Android device, unlock the bootloader, capture screen videos — all from your PC. Darren Yates explains using Google’s ADB and Fastboot command-line tools.


Gaining root access or ‘rooting’ your Android device is something of a rite of passage for any serious Android user. Sure, it might seriously compromise Android’s security by allowing unfettered access to the root of the operating system; however, the gains usually outweigh the losses. So much so, in fact, that plenty of ‘one-click’ rooting tools have hit the web in recent years. In many cases, they utilise two Google command-line tools that allow you to interact with and control your device direct from your PC. But ADB and Fastboot are far more powerful and feature-capable than just for flashing ROMs.

ADB AND FASTBOOT

Android Debug Bridge (ADB) is a small utility included in the Android Software Development Kit (SDK) with a big role — it allows the Android Studio IDE (integrated development environment) to communicate with an Android device, whilst running test-builds of apps. ADB streams debug information back to the IDE, so app developers can see bugs and make corrections. However, ADB and its Fastboot cousin also operate from the Windows command-line or Linux terminal. The main difference between ADB and Fastboot is that ADB works with your device’s Android OS, while Fastboot gets into your device’s bootloader.

Combined, they’re a powerhouse toolkit for doing a mountain of backroom hacking of your Android device, whether it’s flashing new firmware, sideloading new apps or performing a full backup of your device. Due to variations in Android releases and firmware changes made by device makers and phone network providers, not all ADB and Fastboot commands will work on every device.

Nevertheless, these utilities will add considerably to your hacking firepower — and brick your device if you’re not careful.

INSTALL IN 15 SECONDS

Rather than install the Android SDK, you can just install ADB/Fastboot via the 15-second Windows installer from XDA Developers (tinyurl.com/apc438fastboot). It’s a two-step process — first, you install the ADB and Fastboot files, then choose to install an Android device driver, enabling Windows to talk with your device over USB.

DEVELOPER OPTIONS

After that, you must also enable the hidden ‘developer options’ in your device’s Android OS. Select ‘Settings > About phone’ and scroll down to the ‘build number’ entry. Tap it seven times and you’ll get the message ‘you’re now a developer’. Use the back button to go back to Settings, scroll around until you see ‘Developer options’ and select it. Tap the new ‘On’ button and do likewise for ‘USB debugging’. You should now be ready to fire up ADB.

BASIC ADB COMMANDS

Connect your Android device to your Windows PC, launch a Command Prompt and enter the command:

adb devices

If you’re running at least Android 4.4/KitKat, this command will launch a request on your Android device to accept the RSA security key fingerprint from your PC in order to enable connectivity between the two. The device will also appear as a serial number and ‘unauthorised’ on the ADB command prompt output. Tap the OK button on the Android panel and run the ADB command again. This time, you should see it change to ‘device’. Each Android device listed on the ADB output has a serial number — you use it to select individual devices if more than one is connected. For most ADB commands, you can start with:

adb -s <serial_number> <command>

This will direct your commands to that particular device. Can’t remember the serial number? Try:

adb get-serialno

However, you won’t need it if you only have one device connected.
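To confirm that the fingerprint shown in the phone's prompt really belongs to your PC, and to see which attached devices are authorised, this added Python example (not from the original article) computes the fingerprint from the first field of adbkey.pub, normally found in the .android folder of your user profile, and parses the output of "adb devices". The serial numbers and sample output are constructed, and the helper names are hypothetical.

```python
import base64
import hashlib

# Constructed sample of `adb devices` output (adb prints the US spelling
# "unauthorized"; serial and state are separated by a tab).
SAMPLE_OUTPUT = (
    "List of devices attached\n"
    "ZX1G22ABCD\tunauthorized\n"
    "emulator-5554\tdevice\n\n"
)

def adb_fingerprint(pubkey_line):
    """Fingerprint as displayed in the device's USB-debugging prompt.

    The first whitespace-separated field of adbkey.pub is the base64 key
    blob; the prompt shows its MD5 digest as colon-separated upper-case hex.
    """
    blob = base64.b64decode(pubkey_line.split()[0], validate=True)
    digest = hashlib.md5(blob).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_devices(output):
    """Map serial number -> state from `adb devices` output."""
    devices = {}
    for row in output.splitlines():
        row = row.strip()
        if not row or row.startswith(("List of devices", "*")):
            continue                      # header line and daemon notices
        serial, _, state = row.partition("\t")
        devices[serial] = state.strip() or "unknown"
    return devices

def pick_target(devices, serial=None):
    """Return the adb argv prefix for one authorised device, or raise."""
    ready = [s for s, st in devices.items() if st == "device"]
    if serial is None:
        if len(ready) != 1:
            raise RuntimeError(f"need -s: {len(ready)} authorised devices")
        serial = ready[0]
    elif serial not in ready:
        raise RuntimeError(f"{serial} is {devices.get(serial, 'not attached')}")
    return ["adb", "-s", serial]

if __name__ == "__main__":
    found = parse_devices(SAMPLE_OUTPUT)
    print(found, pick_target(found))
```

If the fingerprint on the phone does not match the one computed from your own adbkey.pub, the request is coming from a different host key and should not be accepted.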

GRABBING A SCREENSHOT

One of the many useful built-in features within ADB is the shell, a Unix-style command prompt that allows you to run commands on your Android device. For example, taking a screenshot of your Android device’s screen can be a complicated process, thanks to the various Android differences and hardware button combos required. It might also just not be physically possible for one reason or another to operate the button combination activating the screen grab process. ADB provides a consistent option via a shell command, using:

adb shell screencap /sdcard/pictures/screen.png

If the path doesn’t exist, the command will throw up an error, otherwise, it will grab the screenshot and dump you back to the command prompt. But this only captures the screenshot to your Android device. ADB can download the file to your PC, using the command:

adb pull /sdcard/pictures/screen.png

The image file is downloaded to the current path shown on the Command Prompt window.

RECORDING A SCREEN VIDEO

PC training videos are common and relatively easy to do, thanks to a myriad of apps, from Camtasia to CamStudio. On Android, screen-video apps are harder to come by. But provided your device has at least Android 4.4/KitKat, you don’t need them. Again, using the shell, you can issue a command to fire up Android’s on-board ‘screenrecord’ utility — it’ll capture screen video using H.264 (AVC) video compression into an MP4 file. The app also has command switches for setting the video bit rate (default is 4Mbps), the capture resolution (1,280 x 720, if possible) and maximum recording time in seconds (180).

The one thing to remember is that it’s your Android device capturing the video — depending on its CPU and whatever you’re capturing, it may not have enough horsepower to both capture at native screen resolution (always the desired option) and do whatever it is you want recorded. In this case, Google recommends lowering the resolution to give your device a chance. Two possible commands are:

adb shell screenrecord --verbose /sdcard/promo.mp4

or

adb shell screenrecord --verbose --size 640x480 --bit-rate 6000000 /sdcard/promo.mp4

The ‘--verbose’ switch delivers output on your PC’s command prompt window, so you can see what’s going on. The size option is in pixels, the bit rate in bits per second (bps). Recording begins as soon as you issue the command and stops when you press ‘Ctrl-C’ on your PC’s keyboard.

Interestingly, from looking at the file output specs, screenrecord appears to vary the frame rate based on the source, so app-screen videos record fewer frames, while motion videos are captured at roughly original frame rates. For more information, read Google’s developer page (tinyurl.com/apc438-dev).

CREATE A FULL BACKUP

If you’re about to muck around with your device’s firmware, you’d be nuts not to capture a full backup of your device first. That way, should anything go wrong, you can restore the ROM separately, then the backup and continue. While there are plenty of decent apps for doing this, ADB provides a simple alternative. Just issue the command:

adb backup -all

This initiates the Android ‘full backup’ system on your device, but before it begins, your device will ask you to confirm the backup, as well as offer the option to encrypt it with a password. Once confirmed, the backup will proceed, again to the current filepath shown in the Command Prompt window, but as the file ‘backup.ab’. However, be warned — if you have a ‘backup.ab’ file already in that folder, it’ll be overwritten. The better option is to name the backup file initially. You do that using the command:

adb backup -all -f backup2016_Dec_21.ab

Now again, this assumes you want the file stored in the current Command Prompt filepath. If not, add the full filepath to the filename and add double-quote marks (“”) around it if it contains any spaces.

However, somewhat confusingly, ‘all’ doesn’t really mean ‘all’ — for instance, it doesn’t include installed APK packages (your apps). You might assume you can download any APKs you don’t back up, but you can’t always guarantee they’ll be around, particularly the versions you’re using now, in which case, you need:

adb backup -all -apk -f backup2016_Dec_21.ab

You can also add a ‘-shared’ switch to back up data located on the SD card. This overall method doesn’t need root access, but if you have data lurking behind root privileges, it likely won’t work. In that case, Titanium Backup (tinyurl.com/78v2sg6) is your best bet.

RESTORE A FULL BACKUP

And, of course, once you’ve recorded a backup, you want to be able to restore it. To do that, you enter the command:

adb restore backup2016_Dec_21.ab

This restores the backup, but we found front-page launcher icons were missing. One final warning — according to reports, what doesn’t get backed up using this method are your SMSs, so you may want to back up those separately if they matter to you.
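Because the backup password is optional, it is worth checking whether a given .ab file was actually encrypted before you store or share it. This added Python example (not from the original article) reads the plain-text header of an ADB backup and, for an unencrypted one, lists the app files that anyone holding the file could read; the sample backup and the package name com.example.notes are constructed.

```python
import io
import tarfile
import zlib

MAGIC = "ANDROID BACKUP"

def read_ab(data):
    """Parse an `adb backup` file: header fields plus the tar listing if readable."""
    stream = io.BytesIO(data)

    def line():
        raw = stream.readline()
        if not raw.endswith(b"\n"):
            raise ValueError("truncated header")
        return raw[:-1].decode("ascii", "replace")

    if line() != MAGIC:
        raise ValueError("not an Android backup file")
    info = {"version": int(line()),
            "compressed": line() == "1",
            "encryption": line()}          # "none" or "AES-256"
    info["encrypted"] = info["encryption"] != "none"
    if info["encrypted"]:
        # Encrypted headers carry five more lines: user salt, checksum salt,
        # PBKDF2 round count, user-key IV and the wrapped master key.
        fields = [line() for _ in range(5)]
        info["pbkdf2_rounds"] = int(fields[2])
        info["files"] = None               # payload is ciphertext; cannot list it
        return info
    payload = stream.read()
    if info["compressed"]:
        payload = zlib.decompress(payload)  # zlib stream wrapping a tar archive
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        info["files"] = tar.getnames()
    return info

def make_sample():
    """Constructed, unencrypted sample backup holding one fake app file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"<map><string name='token'>constructed</string></map>"
        member = tarfile.TarInfo("apps/com.example.notes/sp/prefs.xml")
        member.size = len(body)
        tar.addfile(member, io.BytesIO(body))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    print(read_ab(make_sample()))
```

A result with "encrypted" set to False means the app data in the file is readable by anyone who obtains it, so treat such backups like the unlocked phone itself.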

CONTROLLING YOUR BOOTLOADER

Every operating system has a bootloader — it’s usually the first piece of software that launches after the hardware wakes up and tells the operating system how to load. To ensure the bootloader only loads the genuine Android operating system originally installed on your device, device makers will lock the bootloader — not only that, many also encrypt it, so it can’t be tampered with.

For Android power users, that’s a problem — if the bootloader is locked, it means you can’t install custom ROMs. So before anything else, the first thing you need to do in order to flash a new ROM is unlock the bootloader. The ADB tool is great once you’re inside your device’s Android operating system, but since the bootloader operates before Android, ADB is no good. To hack into your bootloader, you need Fastboot — but be warned: Fastboot is extremely powerful, meaning you only have to sneeze and it’ll wipe your phone clean. And it’s probably needless to say at this point, but we’ll say it anyway, unlocking your bootloader is usually a rock-solid way of voiding your device’s warranty.

Now with that out of the way, for Fastboot to do anything, you first have to boot your device into bootloader mode. This you can do with ADB, using the command:

adb reboot-bootloader

Once the device has entered bootloader mode, you then use Fastboot in a similar way to ADB. For example, you can list devices and their status using:

fastboot devices

The next step is unlocking the bootloader itself, but before we get there, you need to know that doing so will wipe your device, so make sure you’ve completed a full backup of everything first, because it won’t be there after the unlock. Google forces a ‘factory reset’ as a security precaution against unauthorised access to your personal data. While some devices require added software for this, Google Nexus devices can unlock their bootloader with just Fastboot alone, with the command:

fastboot oem unlock

This works with Lollipop/Android 5.1 or older Nexus devices, but late-model Nexus 5X and 6P phones require:

fastboot flashing unlock

It reportedly should also work for the Pixel and Pixel XL, provided you bought them from Telstra or the Google store. Reports are that Australian-retail Pixel devices come with unlockable bootloaders (tinyurl.com/apc438-pixel).

At the moment, it’s certain UK and US versions that have non-unlockable bootloaders requiring a hack to force-unlock them. HTC and Motorola devices also require unlock keys (read more at tinyurl.com/apc438-unlock).

FLASH RECOVERY ROM

Recovery ROMs allow you to flash updates, wipe the internal cache and clean-reboot your phone when it’s not running properly. But installing a custom recovery ROM also allows you to install custom Android ROMs more easily. Once you’ve unlocked the bootloader, you can install a recovery ROM designed for your specific device using the fastboot command:

fastboot flash recovery recovery.img

The assumption again is that you launch the Command Prompt at the folder location of your recovery image file. Once flashed, your phone should reboot, but you’ll need to reboot into recovery mode to see the change. We tested this on an Alcatel Pixi 3 (4.5) and it worked — eventually.

TROUBLESHOOTING BOOTLOOPS

While many online guides give the impression unlocking your device’s bootloader is fairly much ‘smooth sailing’, sometimes, it’s anything but. If your device is already rooted and has a recovery ROM installed, attempting to unlock the bootloader may well push it into a continual boot cycle called a ‘bootloop’. We tried this all out on an Alcatel Pixi 3 (4.5) phone, which I’d forgotten had already been rooted. Sure enough, the unlock process finished and the phone wouldn’t boot. What’s more, we couldn’t get into recovery or bootloader modes to fix it.

The only solution was Alcatel’s own Mobile Upgrade S utility, which cleverly flashed the phone without powering it up. The download is sizeable, but 20 minutes after the update and ten minutes into the first boot, the phone was back up and running. We then confirmed the phone was back to original condition (sans root) and re-ran the fastboot oem unlock command. This time, it worked and we were able to flash TWRP recovery ROM.

TREAD CAREFULLY

This is only a taste of what ADB and Fastboot can do and we recommend you research more before attempting to use them, especially Fastboot. You can still get into mischief using ADB, but Fastboot is on a different plane in terms of its potential to cause complete mayhem if you’re not careful with it. They’re definitely not to be taken lightly — but together, they can do a heck of a lot.


Unlocking a bootloader requires both ADB and Fastboot.
You’ll also be asked for confirmation before restoring an ADB backup.
You can capture screen video via ADB from your PC.
Initialising a full ADB backup on your device requires confirmation.
Not accepting the RSA key request sees devices listed as ‘unauthorised’.
Some phones also allow bootloader unlocking permission with the OS.
You need to enable USB debugging within the hidden ‘developer options’.
The 15-second ADB Installer also includes a Google USB device driver install.
Alcatel’s Mobile Upgrade S app fixed our self-inflicted bootloop problem.
This quick and easy ADB/Fastboot installer beats grabbing the Android SDK.
You must enable USB debugging on your device before you can run ADB.
You can flash a custom recovery ROM via ADB and Fastboot.
