
HTC G1 Cellphone
Hacking the G1

Jim Carter, 2009-03-30


R00t Your Phone

Cellphone carriers want to maintain control of the product; particularly they want you to use their billable services rather than some competing service for which they do not get paid. Although Android is an open source project, apparently it is legal for the carriers to distribute a not-exactly-open derivative work on their retail phones. However, it is also legal for you to treat their restrictions with the respect they deserve.

This wiki page is the straight poop on how to break into a retail phone. It's arcane. Basically, revert to the original OS image, version 1.0 RC29, which has a gaping security hole, and do the simple 'sploit. (It looks like the developers put in a backdoor at the very beginning of Android development, and forgot to turn it off for the production release.) From there your best move is to turn a retail phone into a developer phone. You will then be able to apply subsequent updates to return to the current version, but you will still have root access.

This looks like a useful collection of howtos, including jailbreak instructions.

I'm sure the right way is to create and install a custom image, which is what the hackers have done.

However, I bought a developer phone, which gives me a (nearly) free ticket to r00t heaven. See the section on software development for what to install: the SDK includes the program adb. You connect your G1 via USB, run adb, start a shell on the G1, and then su root without a password.

Note: Rooting your phone does not break a retail phone's lock to the carrier's SIMs, nor does it relieve you of your obligation to pay under a calling plan contract. These issues can be broken, but it will cost you money.

What to Hack as Root

Now that I have root access, what am I going to hack with it?

OTA Updates

On my phone, as delivered, this is what I see in Settings - About Phone:

After installing the Cupcake upgrade (Android v1.5):

This news article announces OTA updates to version RC33 starting approximately 2009-02-06. It adds Latitude to Google Maps (share your location with friends through the Google cloud), and Search by Voice (I think this is for Google Search, not the contact list). Plus, of course, bug fixes. There was a prior update to RC30 during 2009-01-xx.

Look on for how to install this update on a rooted phone. Kron2 says: (with some instructions merged by jimc from a subsequent post)

Here are three more threads about updating.

The next full version of the OS is code-named Cupcake. It is / will be / may be called version 1.5. It has kernel 2.6.27. It is expected to have complete (?) Bluetooth A2DP support (stereo audio at 22kHz for music), plus limited (command line) support for HID, PAN and DUN. Rumor has it that Cupcake will be out in 2009-04-xx. Look for ADP1 firmware update, which may be out a little after the retail release; this is the update for the developer phone. Or install a hacked version.

Android System Recovery Utility

This posting by Living_Sword (forum administrator) on 2008-12-07 describes the Android System Recovery Utility. It gives a screenshot of how to back up your Android before installing a new image. To make it happen, turn off the phone, then hold down Home+Power and it will boot into recovery mode. The screen shows a list:

The backup is stored in /sdcard/nandroid/* -- so how do you restore it?

This posting by Living_Sword (forum administrator) also on 2008-12-07 describes how to get a developer booter onto a retail phone. When booting, Power+Camera drops it into the bootloader. When you connect the USB cable it shows FASTBOOT. When in the booter, to get it to boot normally you need to remove the battery. It may also work to press green-menu-red all together (suggestion: in that order) -- try that first.

Local Files on the G1

I have extensive local HTML content on my Nokia N810 and I would like to use it similarly on the G1 whether or not I have a network connection, e.g. on an airplane or when data roaming charges make online use unattractive. In this list of content categories, (*) indicates that I do not do this item personally but, according to forum postings, this category is a major use of the handheld device for other people.

So how can the web browser display the local content?

file:/// URL

A normal web browser accesses such content using a URL such as file:///sdcard/homepage.html. But not on Android! In numerous forum postings, users complain endlessly about the absence of file:/// URLs. Here is one complaint about file:/// by Luca Belluccini (2008-08-24). In that thread Megha Joshi says that file:/// was formerly supported but was killed for security reasons. I haven't come across exactly what the threat is, but I assume it has to do with a hacker's page using Javascript to open a file:/// URL for a file containing personal information such as the Gmail password or the contact list, and then sending it as a POST form to the mother ship.

In jimc's opinion the baby has been thrown out with the bathwater: the file:/// URL is too useful to just be made illegal in Android. There are extensive entanglements involving UNIX file permissions that would prevent the described exploit, although the actual threat may have been something else entirely. But the response should be to fix the security hole, not to declare that the file:/// URL is the hole and fix that.

Regarding the same origin policy followed by sane browsers including Android's, the rule is that scripting languages may refer only to URLs having the same protocol (URI scheme), hostname and port as the script itself. Clearly the same origin policy can and should be applied unmodified to a file:/// URL, which will compare unequal to the signature of every hacker script. It is certainly true that Firefox has a seemingly unending stream of violations of the same origin policy, and we have to assume that MSIE is no better, but in jimc's opinion this is no reason to make file:/// illegal; better is to declare Javascript to be spawn of the Devil (or all web scripting languages) and suppress them instead.
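The comparison described above, as an added Python sketch that is not part of the original page. It goes one step beyond the text: under the plain scheme/host/port rule all file:/// URLs share a single origin, which is why some browsers give each local file its own origin. The function names, the opaque_file switch and the sample URLs are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) tuple that the same origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""            # file:/// URLs have no host
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def same_origin(script_url, target_url, opaque_file=False):
    """True if a script loaded from script_url may read target_url.

    opaque_file=True models browsers that give every file: document its own
    origin, so it matches nothing but itself.
    """
    a, b = origin(script_url), origin(target_url)
    if opaque_file and "file" in (a[0], b[0]):
        return script_url == target_url
    return a == b

# Constructed sample URLs (.example is a reserved top-level domain).
REMOTE = "http://remote.example/page.html"
LOCAL = "file:///sdcard/homepage.html"
CASES = [
    (REMOTE, "http://REMOTE.example:80/other.html"),   # same: default port, host case ignored
    (REMOTE, "https://remote.example/page.html"),      # differs: scheme and port
    (REMOTE, "http://remote.example:8080/page.html"),  # differs: port
    (REMOTE, LOCAL),                                   # remote script vs local file
    (LOCAL, "file:///sdcard/download/saved.html"),     # two local files
]

def evaluate(opaque_file=False):
    """Apply the rule to every constructed case and return the verdicts."""
    return [same_origin(a, b, opaque_file) for a, b in CASES]

if __name__ == "__main__":
    for (a, b), naive, strict in zip(CASES, evaluate(), evaluate(True)):
        print(f"{a} -> {b}: tuple rule={naive}, opaque file origins={strict}")
```

The fourth case is the one argued above: a remote script never matches a file:/// URL. The fifth shows what the tuple rule alone does not cover, namely a local page reading a different local file.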

In theory I could locate the patches by which file:/// was suppressed, revert them, and build my own custom browser and/or compiled infrastructure (libraries). But that would be a lot of work, and would cut me off from future security updates, which are particularly important for a web browser. Also, I have about two weeks to get something working before going on a trip. So let's look at further solutions.

The Jetty Webserver

This is a port of the Jetty webserver (written in Java) for Android. It would appear that *.apk is a known mime-type for an Android java-esque package file. Here is how to install one -- much of this would be taken care of automatically by the Market app.

Jetty itself: you get an app called Manage Jetty. Launch it, configure (I changed the lameass console password), then hit Start. It starts the server, and puts up a notification, which is a link to the Manage Jetty app. It's OK to clear notifications. Here's what I found out when trying out Jetty:

Custom Content Provider

A URL of the form data:text/html,(the content) (URL-encoded, limited to 8Kb) will be shown by the web engine. The Linda File Manager actually does this when opening an HTML file, but in the one case I tried it didn't work too well; the browser claimed that the page did not exist.

If an application has been written to open a local file and send out its contents, it can be invoked by the browser through a URL of the form content://$path/android_asset/$file.html, where $path is the D-bus path of the content provider application. This blog posting shows how to open and send back the local content. It looks fairly simple, but I'll need to learn how to use my copy of Eclipse and the SDK to build an application that can actually be installed and invoked by the browser.

Gears: What Is It and Why Do I Care?

This blog posting describes Gears and why it is important (by David Berlind dated 2008-09-12). To summarize: Gears is a plug-in to a web browser, factory-installed in Google's Chrome and in the Android browser, but also available for Firefox, Safari and MSIE and possibly others. The purpose of Gears is to make a local cache of active content so that the user can interact with it even when there is no network connection. For example, if you edit a document using Google's cloud-based office suite, the content will be cached locally, you can continue to edit minus the net, and it will be synced when feasible. (And I'll bet this saves a lot of load on the server, and also improves the user experience when the net is running but slow.) The author's main point is that things like document editors become platform independent, to the detriment of vendors of platform-specific locally installed software.

It sounds like this may be what I'm looking for, at least for the issue of reading journal articles.

Google Gears sample application page: their ResourceStore Demo looks relevant. I performed the demo, and it works. The cache is located in /data/data/, i.e. in the main flash memory, so only a few megabytes of content can be accommodated -- unless it will not balk at a symbolic link into the SD card.

There are two additional major classes (each with a demo): ManagedResourceStore expects to find a list of URLs (relative to the list file, per the same origin rule); all the content will be cached, and the infrastructure can recognize and download new versions. The Database class creates a local database file and can execute SQL queries on it; the demo lets you type arbitrary queries on the web form. Both of these look like they could solve different problems of mine.

Testing Gears on the SD card: I tried but failed to copy /data/data/ to my laptop using adb pull, because the adb daemon does not have read permission for this file. My plan was to then copy it to the SD card using adb push. As a fallback I renamed the directory and newly created an empty one on the card, with a symlink. The original gears directory has mode 700 owned by app17:app17, but the VFAT filesystem on the SD card is not capable of setting either the mode or the owner of individual files. Nonetheless, the local infrastructure created the same directories on the card as it did in main flash memory. Unfortunately both the ResourceStore and ManagedResourceStore demos did not capture and store the data, but the Database demo did create its database, which persisted through clearing the browser cache and rebooting.

Whatever the issue was with the demo apps, the underlying plugin library works. I wrote a script that installs the needed infrastructure in an arbitrary web directory, and with that I am able to make and use a local cache of my Science Magazine issues, e-books and reference material, independent of the network connection.

See Android bug 2454 for my report on the file:/// URL issue.

Developing on Android

The start point for developers is the Developing on a Device page. That page has a list of steps for configuring your application (software being developed) and the phone for debugging, including installing Windows drivers, or a udev rule to make the USB device writable.

However, the provided udev rule did not work for me; I had to do something different. On OpenSuSE 11.1 I have a group sbox, of which I am a member, for the Maemo SDK, which I'm re-using for Android. I created /etc/udev/rules.d/51-android.rules saying:

ENV{DEVTYPE}=="usb_device", SYSFS{idVendor}=="0bb4", MODE="0660", GROUP="sbox"

When the G1 is connected to the laptop by USB, the relevant USB devices are created: in my case, /dev/bus/usb/005/(whatever). The above rule will cause them to be writable by my group. In my distro there are default rules in 50-udev-default.rules, so I needed my rule to be later in lexical order. I was unable to get SUBSYSTEM=="usb" to work.

The next step is to download and install the SDK (link to download page). (269Mb installed.) They recommend that you also use the Eclipse IDE versions 3.3 or 3.4, Sun Java JDK version 5 or 6 (not 4), and the Android Development Tools plugin. It doesn't work with Gnu Compiler for Java (gcj).

Jimc needed to install:

Here is a link to the Android Development Guide. Under Tools (in the left panel) you can find specific instructions about adb, the Android Debug Bridge.

Now, assuming you have taken the writeup's advice and added the SDK's tools directory to your path, you can do adb shell and get a shell on the G1. The resources are very limited, for example you can do ls or ls -l, but not ls -ld. This is not a root shell; the user appears to be shell. However, you can do su root and you become root, without a password.

Additional useful adb commands (see the writeup for a complete list):

File Structure: /data/data/ is a directory (read-write) belonging to that package. All (or almost all) packages have such a directory, named after the package in the style of a dbus path. In the browser's case (and likely for all of them), there is a loginID and group assigned; in this case it's app_17:app17. I don't know, but suspect, that the suffix number is created when the package is installed. Most data files are owned by this loginID and group (except, for the browser, an empty directory called lib, owned by system:system). Permissions vary but 775 is the most common, followed by 700 (all are directories in this case).
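Why the adb pull in the Gears test failed, and what the symlink onto the SD card gives up, as an added Python sketch that is not part of the original page: it runs the Unix permission check against the mode 700 directory described here and in that test. The second app, the placeholder path and the VFAT mount options are constructed for the illustration.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "name uid gids")
Node = namedtuple("Node", "path uid gid mode")
READ, WRITE, EXEC = 4, 2, 1

def allowed(proc, node, want):
    """Unix discretionary access check: exactly one permission class applies."""
    if proc.uid == 0:
        return True                      # root bypasses the mode bits
    if proc.uid == node.uid:
        bits = node.mode >> 6            # owner class
    elif node.gid in proc.gids:
        bits = node.mode >> 3            # group class
    else:
        bits = node.mode                 # other class
    return ((bits & 7) & want) == want

def on_vfat(node, mount_uid, mount_gid, dmask):
    """VFAT stores no owner or mode, so directories take the mount-wide values."""
    return node._replace(uid=mount_uid, gid=mount_gid, mode=0o777 & ~dmask)

# Android maps app_17 to uid 10017 and the adb shell user to uid 2000.
# The second app and the VFAT mount options below are constructed.
PROCS = [
    Proc("browser (app_17)", 10017, {10017}),
    Proc("adb shell", 2000, {2000}),
    Proc("another app (app_18)", 10018, {10018}),
    Proc("root", 0, {0}),
]
# Mode 700 directory owned by the browser's login, as described on the page;
# PACKAGE is a placeholder for the package name.
GEARS = Node("/data/data/PACKAGE/gears", 10017, 10017, 0o700)
GEARS_ON_SD = on_vfat(GEARS, mount_uid=1000, mount_gid=1000, dmask=0o000)

def readers(node):
    """Names of the processes that can list and enter the directory."""
    return [p.name for p in PROCS if allowed(p, node, READ | EXEC)]

if __name__ == "__main__":
    print("internal flash:", readers(GEARS))
    print("SD card (VFAT):", readers(GEARS_ON_SD))
```

On internal flash only the owning app and root get in. On the card the per-directory owner and mode are gone, so the isolation between apps depends entirely on the mount options.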

I'm going to have to look at /system/app/Browser.apk which is probably the biggest app on the device: 1Mb. No, it's second biggest; Launcher.apk is bigger (1.4Mb).

An apk file is a zip archive. To unpack:

mkdir /tmp/dir
cd /tmp/dir


Here are some games I came across in my research:

This is a list of files on (someone's) Android installation. Amazing: /system/media/audio/alarms/Alarm_Rooster_02.ogg: all the alarms, notification beeps and ringtones are compressed as Ogg. There is also /system/sounds/test.mid, if one has a Midi app. It would appear that the CPU chip includes a DSP even though not mentioned on the specs page.

Howto move /data/app and /data/app-private to the SD card. You would want to do this if you run out of space in main flash and want to install more apps or expand application storage, i.e. databases. The valuable item here is a link to an ARM version of Busybox, and instructions how to populate your system with symlinks from command names to busybox.

Lameass! /system/lib/modules/wlan.ko exists. That's all. Until we get a module for ext2/ext3, there won't be any reformatting of SD cards.

Here are Pavel Machek's instructions to install Debian on your SD card.

Wallpaper: In this forum post about wallpaper (2008-10-24), mikef1182 asks what is the correct size for a wallpaper image, and PunkZanyj and Emjei respond that 640x480 works for them.

Copy your wallpaper image onto the memory card. With the home screen visible, hit Menu and pick Wallpaper, then Pictures. The picture viewer should find your image; select it. The wallpaper app will show a crop rectangle. You can resize the rectangle by putting your finger on the edge, or move it using your finger in the middle, but if you have specially created a 640x480 image your goal will be to cover the whole thing with the rectangle. Hit save, and the wallpaper will be applied (after scaling to 640x480 if needed).

With the display closed you see the left, central or right 320x480 portion of the image, i.e. half of it horizontally. With the display open you get a horizontal band 320px high minus 80px top and bottom, while from side to side you see the central 480px minus 80px on the sides, shifting left or right according to the icon pane being used.

Home screen and icons: I have 34 apps with icons on my machine, and the main icon page can be intimidating. Compare to my laptop which has 114 items in the two-level menu, i.e. the main menu has a few key apps and a bunch of category sub-menus. While I like the two-level menu, I have also found out how to use the features of the Android menu generator to make a nice icon collection. A flick gesture (motion with the finger) in any of the four directions has a different effect: up produces the all icons page (which can be scrolled, but a down flick on the control tab dismisses it). Left or right brings into view a separate page of icons. Down shows the current notifications (if any); you need to start your flick gesture touching the status bar.

You can populate the left, main or right icon page with up to 16 icons each. You could also put up a round clock (the time is shown in the status bar too), a Google search box, a picture viewer, or a shortcut that launches an app with a particular argument: URL, folder, hostname, etc. To do this, do a long touch on the background, and open the appropriate dropdown list. To move an icon do a long touch on it and it will swell up. Then drag it where you want; icons are aligned on a grid. To remove an icon drag it onto the bottom tab, which has morphed into a garbage can. You cannot drag an icon from one page to another. The icon is still present in the all icons page.