Hacker News new | past | comments | ask | show | jobs | submit login
Freeing my tablet: Android hacking, software and hardware (thanassis.space)
208 points by jscholes on Nov 6, 2016 | hide | past | favorite | 57 comments

Impressive work on the rooting procedure, but...

>For the TL;DR crowd: I wanted to run a Debian chroot in my tablet;

I'm sad that there aren't more people looking to run a mainline kernel + Linux distro on their tablets. It's definitely possible but a lot more difficult.

Not quite the same, but this guy describes a way to install Debian as the main OS (but using the kernel from the original firmware) and then running the Android system as a chroot within Debian:


Thank you so much! Your link and this article are just what I needed to take back control of my sony compact camera. I will try it soon now.

Please blog and document the process. I'd love to read it.

With pleasure but only if it's a success.. I want to be very careful so it may takes time.

There is work in progress for sony camera on android (mine is too old): http://www.personal-view.com/faqs/sony-hack/hack-development

That is fantastic, thank you. It'd be interesting to see something like MaruOS [1] implemented that way.

[1] maruos.com

I just got a Mi5, and I had to jump through Xiaomi's unlocking hoops. What an ordeal.

You have to register for a Mi account and a Miui forum account and then request unlocking privileges for it. This is apparently a manual process: approval can take anywhere from two days to several weeks. Having more internet points on their forum[1] may or may not speed up the process. Approved Mi accounts can unlock 1 device per 30 days.

Once you've got the unlocking privs, you can download a Windows (and only Windows) executable that performs the unlocking process (it comes bundled with the fastboot/adb executables). It checks that your phone is logged into the same Mi account as one part of a completely opaque validation.

The official documentation, as it were, says you need their "global development" OS running on the phone, but I'm pretty sure it worked with the non-development version, which is good because updating to development failed with a non-descript error.

Once I unlocked the phone -- using a friend's Mi account which had unlocking privs, unbeknownst to him since he never got the notification -- I had to install TWRP (the most popular alternate recovery image). The official versions did not work (either crashing or nonfunctional). After about a dozen recovery images from various file hosters -- exactly where I want to acquire core system software -- I stumbled on one that worked, albeit defaulting to Chinese.

I suppose the fact that I did not brick the device speaks to the robustness of Android's bootloader/recovery/system separation.

[1] A forum which goes to ridiculous lengths to feature these points. Points for replying, points for getting replies, bounties, etc etc. Users posting useful files restrict the link visibility to people who have answered in the thread, which leads to threads with hundreds or thousands of one-word "Thanks" posts, each taking up 200px of vertical space due to the amount of "badges" the forum has. It's insane. Is that a Chinese thing? Or just how the kids do it these days?

It has been over a decade since Torvalds rejected GPLv3 licensing for Linux (https://lkml.org/lkml/2006/1/25/273) and it turns out that Stallman was right.

Right about what? The Linux Kernel has gained tons of work back by vendors using it for products that would be replaced with functionally identical non-GPL3 components.

Torvalds' decision was extremely practical and has lead to huge gains for Linux users even if (ahem) not every company gives back.

Hence why Google is happily replacing every GPL component left in Android with MIT BSD ones in each Android release, GCC has already been shown the door.

In Fuchsia, they are even replacing Linux by their own micro-kernel, BSD licensed.

How much contributions has Sony given back to BSD from their PS4 BSD distribution?

They've made a handful of contributions back. Arguably, a lot of the changes they've made they couldn't share anyways (AMD licensing agreements) or were built on top of it as applications.

FWIW: I, for sure, appreciate the GPL3 and copy-left licenses.

> Right about what?

About companies using GPLv2 software in computers and devices and you being unable to change the software the computers run. In case you did not read the linked article, it is a very long story about someone trying to use Linux on a tablet that was shipped with Linux.

That email only involves Linus Torvalds and Chase Venters. I don't see anything about stallman and what he is supposed to be right about.

RMS is the author of the GPL, so the mere existance of a GPLv3 means that he wasn't happy with v2. It's also a basic assmption that RMS thinks projects using GNU licensing should use GPLv3 when applicable.

See for instance https://en.wikipedia.org/wiki/GNU_General_Public_License#Ver....

Sorry, I should have included more context: http://gplv3.fsf.org/rms-why.html/

> Golly gee, Mr Google, that's a lot of partitions

More like Qualcomm. They like this mess of partitions, not Google.

> I am NOT a bad guy!... I just want to remain in full control of my OWN hardware...

Yeah, they don't want to respect that. And if you care about that, your choices of hardware become pretty limited. Let alone if you want to have open drivers for key components like GPU and the rest. In practice, Google's Nexus devices tend to be one of the best choices (i.e. such as Nexus 5 and Nexus 7). Not sure what the situation with Pixels is.

>> I am NOT a bad guy!... I just want to remain in full control of my OWN hardware...

>Yeah, they don't want to respect that.

Honest question: if you were responsible for platform security, how would you tell apart the bad guys from the legitimate owner asserting control over their hardware? My imagination might be failing me, but I can't see a scenario where making it easy for the owner to get root doesn't also make it easier for malicious third parties to subversively add rootkits.

The only workable solution I could think of is to sell factory-rooted models for the advanced users and a locked-down version for everyone else, but I suspect the market is not large enough to support an additional SKU.

edit: fastboot oem unlock is also fairly reasonable compromise, when available, but I don't think many users would know what a unlocked padlock icon when booting means in any case, and would happily use the device

>The only workable solution I could think of is to sell factory-rooted models for the advanced users and a locked-down version for everyone else

How about Google's hardware "dev switch?" Originally they hid it inside the Kensington lock, but now it's purely a software switch.


When the switch is on it also displays a scary warning for 30 seconds when the computer boots that "this software cannot be trusted."

The article's "Conclusion" section clearly describes a way; one that Google used in its Chromebooks, the HW switch for "developer mode".

It could just be like any Linux distribution where you have a root user you can 'su' with?

I'm intrigued by this line of thinking though - for the most part, you're not buying hardware per se, you're buying a product, which is a function of hardware and software. As much as I'd love everything to be open and easy to tinker with and change as you see fit, just because it's a physical item doesn't mean you have any extra right to use it any differently to the way the product was intended.

Obviously a tutorial online shows at least a small fraction of demand for open hardware, but as you say, the choices become limited if you care about it, probably as a result of such a small number actually caring enough to vocalise/put money where their mouths are.

If you mention rights, who said they have a right to dictate you, to use it only in the way it was "intended for"? Actually this line of thinking is unnatural, not the other way around. In my case I don't buy "products". I buy hardware and I prefer an ability to install other OSes on it (besides the preinstalled one), whether it's desktop or mobile computers. We are lucky PCs are actually open like that. It's the mobile hardware that is sick closed.

But this isn't really about attacking rights necessarily. Most of the time they simply cut costs. To make hardware respect freedom requires some extra effort, and the likes of Qualcomm and Asus simply don't care. It's easier for them to lock it up.

I still believe you're opting into buying the product. That's an active choice on your behalf - noone is forcing you to buy something that is created within a certain set of parameters. Expecting those parameters to be different to those of the creator just because it's a physical product is somewhat illogical to me.

I fully agree, we're lucky PCs are open in that regard, I'd love hardware to be separated from software and we can do as we wish, but that's not what's being sold to us, or what the mass market they're targeting is demanding. They are creating and selling a product, not just hardware.

Edit: and again, I'm not saying it's right, definitely not, and certainly not saying don't kick up a fuss and show the companies what you want, just that buying an item that makes no claims to openness and just expecting it to be open "because", is naive.

To my mind they don't have a right to dictate to you what you do with it once you bought it. From then on, it's yours.

Conversely, beyond consumer protection legislation you don't have any right to tell manufacturers what products they must sell and what the features of those products must be. If a manufacturer decides that the optimum solution for them is to lock down the system as they believe that's the best way to protect customers from their devices being subverted maliciously, that's for them to decide. If you don't agree, just don't buy the product.

I agree if we're talking about product support or warranties, but if someone accepts they're not going to get support and they're going to void the warranty I don't get why the manufacturer can decide how the product is used.

Because with end user consumer electronics you're buying the thing the manufacturer decided to produce, and most of the time, they've decided to produce an end product to fulfill a use case, rather than just hardware.

I'm sure there will be pure-play hardware companies out there in the "non-PC component" space at some point, but at present most are making end-to-end products.

> I started looking at the various offerings, and being a nerd of a frugal nature, decided to only look at the best HW bang for the buck, completely ignoring the SW aspects.

I think this is a very important point that people tend to overlook. One that I've definitely stated to appreciate in recent years.

For a similar example, sometimes people talk about the cost of ownership of a PC. Whenever you bring that up, someone will mention how it's really cheap to build your own PC. And although they're technically correct, since it's really cheap to build your own PC, it usually means you're left on your own for maintaining it as well.

I can't shake the feeling that this case is similar. Although I certainly enjoy tinkering with stuff, I think there's a strong argument to be made for things that "just work", or things that can be easily hacked. I have a hard time imagining that the real cost of ownership of this device for the owner ended up being higher than if they had purchased a more open device.

With all of that being said, I found this to be a very interesting read, and I'm thankful that the author took the time to write up their experience.

Is there a phone or tablet you can buy which comes fully unlocked and rooted by default?

Something I can install KDE Neon to?

Isn't all versions of Android are now rootable with Dirty COW?



on the minimally secure ones (unlike the author's tablet that didn't even erase his data after 'oem unlock') you cannot make root permanent after dirty c0w.

unless you can pad your new image to get a hash colision and make the bootloading chain thinks it is a signed image. good luck with that.

Nexus devices are the closest you'll get - can be unlocked by a vendor supported, fully reversible ADB command.

From what I've read and seen, nexus devices are in general best supported for development (ie: custom software). I've had some success running custom roms on an old HTC phone, various Samsung devices (the original i9000 Galaxy, a Note2 and 3).

After looking for a while into various phones, I ended up getting a Sony Z3+ -- as it combines many things I want (water proof, memory card slot) with a pretty strong commitment from Sony:


Ironically, I've yet to actually experiment with different roms and other software on my Sony phone, but there it is.

What happens when one day http://developer.sonymobile.com/unlockbootloader/ isn't available any more? (see also similar pages for Xiaomi and Motorola)

The code "protecting" the bootloader is good enough that it could be very, very difficult to unlock your bootloader without official support.

I'm not particularly happy with Android as a platform in general - it is way too "open on paper, closed in practice" - and I agree abandonware is a real concern. However, if you just bought a device, it seems a bit less likely the unlock page will disappear before you manage to unlock your device. And once unlocked, it'll stay unlocked?

I feel this is a little bit different from the "zune drm hole" where you "buy" (rent) content, but might loose all access once the provider goes under/closes shop. (See also: the case of Amazon recalling copies of "1984" it had sold as an e-book without a proper license).

> However, if you just bought a device, it seems a bit less likely the unlock page will disappear before you manage to unlock your device. And once unlocked, it'll stay unlocked?

What if I buy it from eBay 5 years later?

I agree that it leads to a new kind of "planned obsolescence", and would prefer something more open.

I have a Nexus 7 II (2013).

I can reversibly root it?!

I mean, I'm pretty sure you can lock the bootloader again after you've unlocked it.

Canonical have been trying to offer some phones and tablets with their Ubuntu Touch preinstalled. But i don't know the status of root on them, nor how easy it would be to get something other than Unity going on them.

Has anyone tried GNURoot? As I understand it's a Linux chroot without needing your device to be rooted:


I've used it. It's a reasonable solution for a subset of the things you'd want to use a Debian chroot for.

It's an interesting approach until you want to create a symlink.

What would be the feasibility of making a Snapdragon based phone and running mainline Linux + freedreno on it?

Not profitable at the least. You need to think like the average consumer: "Why should I pay $800 for this ugly 'open source' phone (whatever that means) when this nice, attractive looking Samsung phone is only $50 plus $20 a month?"

Sorry, I wasn't clear enough. I wasn't asking about selling the thing. Just building it.

This is why I still come to HN

+1. Fantastic read.

Great write up, thanks for that.

I like having small devices, and I like Linux. My solution was to buy a small HP stream 11, and just put Linux on it. Not impressive technically, like the author's work on his tablet, but an easy way to get Linux on a $190 small device. I like to travel with my Linux stream: fully capable for work, using the web, and cheap enough that I don't worry about losing it.

Good article. I'm also in the process of getting control of my tablet, by building a custom ROM for it. However, it's not possible to unlock the bootloader as described in the article as Lenovo has decided that it should not be that easy, so I need to take care of that first.

It would have been fantastic if the tablet in the article had a locked bootloader, because I really want to learn how to unlock these bootloaders from scratch. I'm just not comfortable by downloading random binaries from questionable filelockers and loading them on my tablet, I want to know how they are produced so I can do it myself.

I'm reading everything I can find, but the information on this subject is very limited and consists most of "flash these files" and absolutely no informtion how they were created.

Does anyone have good resources on the process of unlocking bootloaders from scratch?

Is there some kind of authentication for the serial port in the headphone jack? It sounds like a security risk to me.

Generally speaking, if you have physical access to device, all bets are off. Which when you think about it is the point of the whole article.

People are a bit more squeamish about applying this logic to mobile devices. After all, iPhones remain attack-resistant with physical access.

"Secure against physical access by all but extremely determined attackers" is worth aiming for. Even if it's just a measure against the resale of stolen devices.

Just as an aside: I have a Ubuntu chroot running on the Ubuntu Touch/Phone. It's running mutt, taskwarrior, vim, git, ledger and a few other bits nicely. Still a work in progress, but it's nice to be able to do that instead of make the whole device writable. That's the other option and it breaks OTA updates and potentially more.

Some more resources for Debian on mobile devices:

https://wiki.debian.org/ChrootOnAndroid https://wiki.debian.org/Mobile

mobile wise when they started doing that i quit there was no point in using android. there is always sec testing but it is not as modular as it was. there is security and then there is economic security.

Most of author's difficulties simply stemmed from not understanding how modern android works and boots. Easily fixable by reading more about it.

And no, nobody hates guys like you. Problem is that what you want to do is very similar to what malware might want to, and since malware is more common than guys like you, choices are made that way.

Read the Conclusion section of the article. He uses Chromebooks as an example, to argue - quite convincingly - that we could have both security and freedom to tinker.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact