| Selection | Install | Features | Apps | Hacking | Top |
suBinary and Superuser App
The first step for everything is to gain root access. There is a script (for Windows) to root this class of phones in one click. Link #1 for root exploit (by Dan Rosenberg, 2011-08-25) (this exploit is confirmed to also work on the Droid X, Droid X2, Droid Cliq, Droid Cliq 2, Droid 2, and Droid Bionic.) Link #2 for a howto and script (by Kellex, 2011-08-25). The latter runs on Windows and uses Visual Basic to send the commands making up the exploit.
I'm going to copy and paste the commands in the exploit. Preliminary:
(Credit for this reminder to Kellex's howto.)
Settings -> Applications -> Development -> USB Debugging, which
enables you to use ADB, although you can also type the commands into the
terminal emulator. Jimc thinks it will also be helpful to select
Stay Awake
, at least while doing the exploit.
Stay with Charge Only
when connecting USB; you want
the SD cards to stay mounted.
Note: The root privilege only lasts a limited time, probably just through one reboot. Evidently /data/local.prop is rebuilt at boot time.
OK, my pocket computer is now rooted. Thanks to Dan Rosenberg. I actually modified the procedure slightly: brought /data/local.prop back to my laptop, modified it there, copied it back as /data/local.prop.new, and renamed it (after saving the original). The umask is 0, and the deposited file ends up owned by shell:shell mode 666. After the final reboot, though, the boot scripts apparently fix the owner and mode to system:system 644.
suBinary and Superuser App
To install the Superuser app you first need the Superuser app to be
installed, or at least the su
binary that comes with it. If you tried
and failed to install Superuser already, first uninstall what you have.
Look on ChainsDD's site; he's the developer. Links and MD5 sums are on this page. Download Superuser-3.0.7-efgh-signed.zip (for Android-2.x) or whatever the current version is. This is a zip file which is to be installed by Recovery. However, it is not signed with Motorola keys (yeah, sure) and so the stock Recovery refuses to read it. We need to use the root exploit to do by hand what Recovery would have done.
Installation howto by xeronuro dated 2010-12-31. Unpack your zip file; you'll find system/app/Superuser.apk and system/bin/su inside. Jimc has modified the procedure somewhat below to work on the stock image of the Droid 3. I'm running Linux on my laptop; for Windows, the commands in the first section are similar. First do the root exploit from the previous section. After you reboot, connect the Droid to the laptop by the USB cable and make sure that ADB is executing as root. Then do the following:
--executing on your laptop--
mkdir subin
cd subin
unzip ../Superuser-3.0.7-efgh-signed.zip
adb shell # needs to run as root, needs root exploit.
--executing on Droid--
cat /proc/mounts # find out which device is mounted on /system
mount -o rw,remount -t ext3 /dev/block/system /system
--in another window on the laptop--
adb push ./system/bin/su /system/bin/su
adb push ./system/app/Superuser.apk /system/app/Superuser.apk
--back to command window executing on Droid--
chmod 6755 /system/bin/su
ls -l /system/bin/su # Verify -rwsr-sr-x root root
ln -s ../bin/su /system/xbin/su # Installer script wants this to be done
sync
reboot
Your root exploit is now gone -- the prompt for adb shell
says
shell@cdma_solana
. But you can do su root
and you actually
become root. You have now rooted your phone, permanently (until something
gets messed up). In the step where you did adb push Superuser.apk
you also installed the Superuser app.
If you start the Superuser app, hit menu -> preferences ->
su
version, and it says vnull, you don't have /system/bin/su
installed, probably because you installed Superuser from the market
without having it installed already. Uninstall it and follow the instructions
in this section.
The stock image lacks most UNIX utilities, and the Safestrap installation
procedure depends on them. The normal
way to provide them is through
Busybox. This
forum post about a missing Busybox by crpeck on RootzWiki dated
2011-12-02 revealed what I had done wrong, namely assuming that I didn't
really need Busybox.
According to xeronuro's howto (see above), there is an app, BusyBox by
Stephen (Stericson), available in the Market.
Assuming you have a working su
, just execute the app and it will do
all the work.
no thanks).
Problem with Core Utilities;
There seems to be a problem with some of the utilities needed to install Busybox. Sadly, I cannot fix this problem and the installer probably will not work . . .
I tried BusyBox Installer by jrummy16 in the Market. This is v2.0 and has versions of BusyBox up to 1.19.3.
forgetthe app in Superuser. I did so (click on item, hit garbage can icon at bottom). Perhaps it got confused because the other
BusyBox Installerhas a similar name but is not the identical app.
lsis a symlink (/system/xbin/ls) to busybox, and this command will only work if busybox is functional.
Safestrap by Hashcode includes a Recovery image which will read and install zip files signed with hackers' keys, like CyanogenMod, or other hacked images. This is based on Koush's Clockwork Recovery but with a very cool twist: it installs the hacked system image in the /preinstall partition, not overwriting your main system image, and it can interchange the main and preinstall partitions (i.e. exchange which one is mounted where). The containing package is an app to install this Recovery image. The benefit is, if you mess up your CyanogenMod installation you can revert to stock, and clean up the mess at your leisure. Here's how to install Safestrap:
Before installing Safestrap you need the Superuser.apk package and /system/bin/su that is setUID. And Busybox. See the previous sections for how to install them.
Hashcode's instructions for installing Safestrap followed by installation of CyanogenMod. [Updated to the new howto dated about 2012-03-09.]
Hashcode's
Safestrap Downloads link, from which you should download
Safestrap 1.08 (or latest version) for installation.
Get the one for the Droid 3, not
the Droid Bionic or RAZR (unless that's the hardware you have).
I'm going to download it using the
web browser on the Droid, rather than adb install
.
Size 4Mb, but it takes about 30 secs to download. Open your notification list
and click on the item. It asks if you want to install Safestrap.
Select Install. It installs. Select Open. Grrr, gets a forced close.
Because my Superuser installation was defective. Reinstall Superuser
per instructions in the previous section. Try again, start
Safestrap app from the main menu.
Install Recovery. It shows a progress bar and no error messages. Grrr, the headline
Recovery Statestill says
Not Installed. Reason: Busybox was not installed. Follow instructions in the previous section to install it. Execute Safestrap again.
Recovery State: Installed.
Test your work: do a normal reboot (not rebooting into
recovery). The Motorola logo appears for about 8 seconds, then it will
show the Safestrap splash screen, titled Android Boot Loader
.
Within 10 seconds hit Menu, and it will drop you into the Safestrap
action menu, which is basically ClockworkMod Recovery augmented with
the Safe Boot Menu
near the end of the list.
Note on Safe System
: this is really the unsafe
system, i.e. CyanogenMod. When the Safe System
is not
active, you are using the stock image.
Note on disc space: Safestrap makes a backup of /data when it switches from the unsafe to the safe system, and another one when it switches back. Eventually you could end up with more than just these two backups. Most of the content is APK files of your applications; on the stock image I have 470Mb in /data. Make sure you have disc space. This will be on ...
To investigate: SBF debrick ; backup strategies.
Follow this link for the not exactly original copy of the SBF Debrick Procedure, originally by ikithme. According to the post, this is what people at a Verizon store use to debrick phones; they don't have JTAG, and so if you mess it up, nobody knows any recourse short of soldering a JTAG connector onto your phone (assuming the connections are even known for Droid 3, which I doubt).
This will put a pristine Motorola image onto the phone, replacing all
user hacks, packages and data.
The user area of the SD card(s) is not wiped.
You will need to reactivate the phone afterward.
How to reactivate on Verizon (other mobile operators have their own procedure):
dial *228 and select option 1.
They mention while the phone is booting, hold up on the DPAD.
Subsequent comments suggest that this is for a Droid model with a physical
directional pad with 4 arrow keys and possibly a central OK
button.
It is possible (I hope never to have to test this) that up-arrow on the
physical keyboard of the Droid 3 is equivalent.
Make any user-level backups that you're going to. I'm going to make a separate copy of all the Verizon apps because I may want to reinstall one or two and try them out, like the office app or the games. I very carefully avoided investing any time in customizing the Verizon image, importing contacts and bookmarks, etc. because I knew I would be wiping user data. Actually I'm going to pack up the entire /data even though Safestrap will also make a backup of it. Backup procedure (requires Busybox):
adb shell #Executing on Droid3
su root #Shell account lacks permission to read /data
cd /data
tar cf /sdcard-ext/data-20111210-jimc.tar . #Took 100 secs
--In separate window on laptop--
adb pull /sdcard-ext/data-20111210-jimc.tar ./data-20111210-jimc.tar #Took 85 secs
--Back to command window--
rm /sdcard-ext/data-20111210-jimc.tar
exit #Backup is finished
A problem with backups is, in a major upgrade like CM7 to CM9, apps tend to change the database table schemas. Some can recognize an old-style database and convert it, but not all. It's best to go through all apps where you have significant content, specifically contacts, calendar, bookmarks, and X.509 certificates, and either sync them into the cloud (if your security rules allow) or induce the app to write a semantic backup, e.g. vCard (RFC 2425/2445) format for contacts.
Then-current version numbers, from Settings -> About Phone:
I'm pretty sure that the PRL (Preferred Roaming List) is what locks the phone to Verizon; this is going to have to be replaced.
In reality I attempted to install CyanogenMod over the phone as described in the previous section, and got a bootloop. In response to my query, both eww245 and Hashcode recommend updating to system version 5.6.890.XT862.Verizon.en.US, since CyanogenMod and (most) other hacked system images include kernel modules compiled with and for its kernel. Android turns on module version magic (vermagic) including the eentsy version, so an exactly exact match between modules and the kernel is required.
I obtained the 5.6.890 update from
a posting by sic4672 dated 3 months ago
which would be 2011-09-xx,
when this update was newly coming out OTA. I usually don't install software,
particularly exceedingly critical software, from sources I'm not familiar with,
but this was the only one that my search terms turned up, and I'll be using
the locked Motorola Recovery to install it, so any damage will be detected
and the image will be rejected if so. The sha1sum of my instance of the
file is e5681532bcd74d70d507f3463d6dcecb7f0a49b5; with Busybox you can run
the command on the phone.
All relevant data and backups have been copied off the phone, so I have maximum flexibility for screwup recovery.
A vital first step is to de-install Safestrap.
Procedure:
Copy the update file to /sdcard-ext/update.zip using adb push
.
(60.5Mb / 57.5Mib in 16 secs.) The stock recovery will mount the
external SD card as /sdcard and expects to find the update
file there. It actually can handle any name, unlike older versions
which could only recognize update.zip.
In Safestrap, you should be running on the unsafe
(stock)
system already (Safe System Not Active). Hit the button to un-install
Recovery. (Top line: Recovery State Not Installed.) Exit, and
un-install the app entirely.
Unplug the phone from USB. On the HTC Dream, doing updates on USB power is bad mojo, and I'm going to continue that rule whether or not actually needed for the Droid 3. Make sure the battery is nearly fully charged because losing power in the middle of an update can really mess you up.
Power off (and wait 10 secs). Hold down X on the keyboard while pressing the power button. Within 2 secs the Motorola logo should appear, and in about 10 secs you should see the stock Recovery logo, a triangle, exclamation point, and android. Hit volume-up and volume-down at the same time, which should elicit its action menu.
Use volume-down to scroll down 1 step
to Apply Update from SDcard
. (Volume-up to scroll upward.)
Use the keyboard enter key to select this item.
It shows a list of files in the root directory of the SD card.
Scroll down to update.zip (or whatever name you used). Use keyboard
enter to select this file. The update starts. (It trashes /preinstall
so your safe system
is gone, if you had one.)
GLONASS NMEA 6790
, I wonder what that is, that was updated.
Refers to a standard for communicating between a GPS unit and other
electronics in a marine context.
The update took 345 secs (almost 6 minutes).
It drops you back in the main menu. Use keyboard enter to select
Reboot System Now
.
Be patient during the first reboot. The Droid
boot
animation starts playing after about 40 secs (normally 22 secs).
The UI is ready 117 secs (2 minutes) after you pressed reboot.
Version numbers after updating, from Settings -> About Phone:
Now you have to go back to the beginning and re-do all the steps to root your phone, install Busybox, etc.
Continuing in Hashcode's instructions for installing Safestrap and CM7 dated 2011-10-04; it's the last post on this page: (
Follow the download link on the
main blog page. Follow through Choose Device: Droid 3
,
CM9
, then pick the image you will use, generally the most
recent one.
The old blog's download page (now retired) had links for CyanogenMod-7 with Droid3
hacks (103Mb) and GApps (Google's separately packaged apps, 6.5Mb),
and CyanogenMod-9. It's recommended to go with CM9 rather than CM7,
because that's where the development attention is going.
Note, CyanogenMod-9 (2011-12-24) has a safe
subset of GApps
included, until missing support is worked out; keep an eye on the
instructions for which GApps (if any) you should install.
You need to obtain the zip files
and deposit them on /sdcard-ext (which is referred to as /sdcard in
Recovery). Machines with only one SD card mount it on /sdcard, but the
Droid 3 (and likely other recent Droid models) use NOR flash for the
main system storage but mount it on /mnt/sdcard, and the removeable
card goes on /mnt/sdcard-ext (with symlinks from /sdcard and
/sdcard-ext to these mount points).
On the HTC Dream it's bad mojo to be connected to USB (even just charging) when flashing, and I've followed that policy whether or not necessary on Droid 3. Make sure your battery is fully charged, or at least won't run out in the middle of intensive use, which is even worse mojo, and disconnect the USB cable.
Make backups and then switch to the safe system
(the future
CyanogenMod) like this: Reboot the phone in the
normal way. Within 8 secs it shows the Safestrap splash screen, titled
Android Boot Menu
. Hit Menu (the screen button with 4 squares)
within 10 seconds. It takes about 10 secs to start up, then shows
the Safestrap Recovery action menu.
Back up the data partition of the unsafe
image (Verizon).
Scroll down (volume down button, or Menu) to backup and restore
.
Press Search (magnifying glass) to select it. The menu is labelled
Nandroid
. Select Backup
. Select Internal vs. External
SD card; I'm short of space on the external card so I picked Internal.
The backup begins, and takes about 4.5 minutes to finish. It backs up
/systemorig /system /data /.android_secure /cache (why?) and makes a
checksum of all of this. It deposits you back in the main menu.
The file appears in a subdirectory of /sdcard/safestrap/backup .
Example dirname with date and time appended: nonsafe-2011-12-10.21.32.22 .
The files are owned by system:sdcard_rw, and adb pull
can read
them off the card. Total about 1Gb in 5 files (in my case); a well-used
pocket computer will be bigger. The partitions dumped are:
systemorig system data cache.
In the main menu, scroll to and select safe boot
menu
. You're currently DISABLED
. Select Toggle Safe
System
(not Quick . . .
) Confirm the action,
scroll down to Toggle Safe System
and select it. It makes another
backup of /data and then swaps image partitions (takes 70 secs).
Navigate back to the main menu.
The backup files are in /sdcard/safestrap/orig/data.ext3.tar (418Mb for me) and /sdcard/safestrap/safe/data.ext3.tar (0.1Mb since I have not yet successfully booted the safe system or installed any apps). The same files are overwritten when you switch between the safe and original systems.
In the main menu, scroll to and
select the mounts and storage
item. Scroll to and select
Format /system
. Confirm as before, scroll to and select Yes,
Format
. (Takes 20 secs.) Get back to the main menu.
Wipe data and cache. In the main menu select wipe data/factory
reset
. Confirm. It takes 40 secs and says it's formatting /data,
/cache, /sd-ext, /sdcard/.android_secure. (It is not wiping your external
SD card; I'm not sure what /sd-ext is.) It drops you back in the main
menu.
Install the CyanogenMod zip file. Scroll to and select install
zip from sdcard
. In that menu, select choose zip from sdcard
.
Pick the card where it's found (for me, external). Scroll to and select
the right zip file: with my version, CM4D3-nightly-20111116-1445.zip .
Confirm installation. Takes only 55 secs. You can stay in the
apply update
menu.
Install Google Apps. (Skip this step for early versions of
CyanogenMod-9; eventually Hashcode will tell us to go back to installing
the complete GApps.) Starting from install zip from
sdcard
/apply update
, select choose zip from sdcard
.
Pick the card where it's found (for me, external). Scroll to and select
the Google Apps file: with my version it's gapps-gb-20110828-signed.zip .
Confirm installation. Takes 5 secs. Return to the main menu.
Installation is complete. Select reboot
(the first item)
from the main menu and let CyanogenMod boot up, which takes longer than
usual on the first boot. It took 50 secs to the boot animation and 45 secs
until Setup started, total 95 secs.
Since I didn't have working cellular data I needed to skip most of Setup.
You now have a working CyanogenMod installation.
[Move this section elsewhere.] How to get into fastboot, Droidforums post by Scott240 (2011-10-11). Power off the machine. Now hold M and Power for 1 to 2 seconds. Fastboot will appear within 2 seconds, with an action menu. This from svicstc (2011-10-11, same thread): Hold down both volume buttons and power; this will take you direct to recovery; the Motorola logo will appear first.
Fastboot won't wait forever for you to make a selection; you have 25 to 30 seconds. It says, volume up selects, volume down scrolls. The first menu choice is a normal reboot; second is recovery. Scroll to it and select it with the volume up button. The Motorola logo will appear, then after about 15 secs Recovery will start.
The logo of stock recovery is a triangle, exclamation point and android.
Press up and down volume at the same time, which will elicit another menu.
Use volume down to scroll to Apply Update from SD Card
.
Hit Return on the keyboard to select an item.
Now you can flash a zip file on the external SD card: scroll down to it, hit return.
But it has to be signed with Motorola keys; CyanogenMod isn't, of course,
which is why you use Safestrap (or another Recovery image) instead.
The first time around I was using system 5.5.959, and the installed CyanogenMod image had kernel modules (and likely other important stuff) for 5.6.890, so when I rebooted it bootlooped, i.e. got to where it should have shown the boot animation, but rebooted, again and again. Cure: update to 5.6.890, using the instructions given previously. For historical interest, here is documentation of the struggle.
Of course it's boot looping.
Select Power Off. Power on again. Still boot loops. Battery pull.
Still boot loops. I used the safe boot menu
to switch back to the
unsafe system
, which then booted. Yay!
From the mounts and storage
submenu I formatted /cache
/system /data, then from advanced
I wiped the Dalvik cache (which
produced a message E:unknown volume for path [/sd-ext]
(which does
not exist on the stock image). Then I re-did wipe data/factory
reset
. Then flash CM4D3 and gapps (in that order). Then
wipe data/factory reset
again. Then power off. Then power on
with volume down (supposed to have the same effect as a battery pull).
When you release the power button it shows the AP Flash Menu (from
Fastboot main menu). Hit the power button to turn it off. Then power
button with no modifiers. Still boot loops. Reverted to unsafe system
(successfully).
Using Safestrap app, I uninstalled then installed the Recovery image. Timeline for unsafe system: power button, 0 sec, Motorola logo, 8 sec, Safestrap, 10 sec, (screen gray), 8 (?) sec, "Droid" animation, (?) secs, UI ready. Unsafe system: Power button, 1 , Motorola logo, 8 , Safestrap, 10 , (screen gray), 21 , "Droid" animation, 23 , UI ready. Takes 8 secs after you press Menu to get the Safestrap main menu. Safe system: Power button, 1 , Motorola logo, 8 , Safestrap, 10 , (screen gray), 22, (screen black), 5 , Motorola logo (bootloop).
Now I'm going to install Motoblur as my safe system, and see if it boots. Still bootloops.
| Selection | Install | Features | Apps | Hacking | Top |