e42.uk Circle Device


Oukitel C8 Boot Modification

Although this is for an Oukitel C8, it is fairly generic and will likely work fine on most Android phones.

Get the stock firmware from Oukitel

There is a way to get to it via their site, but it did not work for me; I had to use a search engine to find the correct page.

Direct Link, if you trust me ;-)

Extract the archive (it is just a ZIP file).

Extract the Kernel and Ramdisk Image from the img file

Get the tools from CyanogenMod:

git clone https://github.com/CyanogenMod/android_system_core.git

Use them to extract the files:

android_system_core/mkbootimg/unpackbootimg ../MP_mt6580n_wd393b_s40b-c8_ouqi_cc_128gbitp16d3_n0_wcdma_mul_20180116-215429_songlixin_PC/boot.img

Make a new directory called ramdisk and extract the contents of the cpio archive into it (these commands should be executed from the ramdisk directory):

If you have a boot.img-ramdisk.gz then do this:

gzip -dc ../boot.img-ramdisk.gz | cpio -imd

otherwise:

lz4 -d ../boot.img-ramdisk.lz4 | cpio -imd

You can now create/delete/edit the files as you like.

Create boot.img-ramdisk.gz

Now that you have written your custom executables, you will need to pack them back up into a ramdisk file.

find . ! -name . | LC_ALL=C sort | cpio -o -H newc -R root:root | gzip > ../new-boot.img-ramdisk.gz

Or for an lz4 compressed image:

find . ! -name . | LC_ALL=C sort | cpio -o -H newc -R root:root | lz4 > ../new-boot.img-ramdisk.lz4

These commands must be run from the ramdisk directory.

Create boot.img

mkbootimg --kernel ./boot.img-zImage \
--ramdisk ./new-boot.img-ramdisk.gz \
--second ./boot.img-second \
--cmdline "$(cat ./boot.img-cmdline)" \
--base "0x$(cat ./boot.img-base)" \
--pagesize "$(cat ./boot.img-pagesize)" \
--dt ./boot.img-dt \
--ramdisk_offset "0x$(cat ./boot.img-ramdisk_offset)" \
--second_offset "0x$(cat ./boot.img-second_offset)" \
--tags_offset "0x$(cat ./boot.img-tags_offset)" \
--output ./new-boot.img

Write to the boot partition with fastboot

Put your device into fastboot mode and write the newly created image:

fastboot flash boot new-boot.img
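The unpackbootimg/mkbootimg steps above operate on the fixed boot image header (v0) that this device uses; as an added example, not code from the page or from the CyanogenMod tools, here are both directions in Python: build_boot_img packs sections the way mkbootimg does, and parse_boot_img recovers the values unpackbootimg writes to boot.img-base, boot.img-pagesize, boot.img-*_offset and boot.img-cmdline. It assumes the CyanogenMod header layout (the 9th u32 is dt_size) and uses a constructed dummy kernel and ramdisk in place of the real ones.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# boot_img_hdr v0: magic, 10 x u32, name[16], cmdline[512], id[8 x u32] (608 bytes);
# in the CyanogenMod header used by unpackbootimg the 9th u32 is dt_size (assumption)
HDR = struct.Struct("<8s10I16s512s8I")
KERNEL_OFFSET = 0x00008000  # mkbootimg's fixed kernel load offset from --base

def page_align(n, page_size):
    return (n + page_size - 1) // page_size * page_size

def build_boot_img(kernel, ramdisk, cmdline, base, page_size=2048,
                   ramdisk_offset=0x01000000, second_offset=0x00F00000,
                   tags_offset=0x00000100, second=b"", dt=b""):
    """Pack like mkbootimg: one page of header, then kernel, ramdisk, second
    and dt, each zero-padded to a page boundary; addresses are base + offset."""
    hdr = HDR.pack(BOOT_MAGIC, len(kernel), base + KERNEL_OFFSET,
                   len(ramdisk), base + ramdisk_offset,
                   len(second), base + second_offset, base + tags_offset,
                   page_size, len(dt), 0, b"", cmdline.encode(), *([0] * 8))
    out = hdr.ljust(page_size, b"\0")
    for blob in (kernel, ramdisk, second, dt):
        out += blob.ljust(page_align(len(blob), page_size), b"\0")
    return out

def parse_boot_img(data):
    """Split a boot.img into what unpackbootimg writes out: boot.img-zImage,
    boot.img-ramdisk, boot.img-second, boot.img-dt and the header values."""
    if data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    (_, ksz, kaddr, rsz, raddr, ssz, saddr, taddr, psz, dtsz,
     _osver, _name, cmdline, *_id) = HDR.unpack_from(data, 0)
    base = kaddr - KERNEL_OFFSET      # unpackbootimg derives base from kernel_addr
    fields = {"base": base, "pagesize": psz, "ramdisk_offset": raddr - base,
              "second_offset": saddr - base, "tags_offset": taddr - base,
              "cmdline": cmdline.rstrip(b"\0").decode()}
    off = psz                         # the header always occupies exactly one page
    for key, size in (("zImage", ksz), ("ramdisk", rsz), ("second", ssz), ("dt", dtsz)):
        fields[key] = data[off:off + size]
        off += page_align(size, psz)
    return fields
```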

Extracting and Re-packing system.img

The system.img file is a sparse, compressed ext4 file system image which, once converted to raw format, can be mounted and edited with the normal Linux ext4 filesystem driver. Converting it to raw format requires two tools that are included with the full AOSP distribution; that is very large, so you can download just the one part of it that is needed:

git clone https://android.googlesource.com/platform/system/core

This contains the libsparse source code that we will use to create the two tools of interest, simg2img and img2simg... I wonder if you can tell what each one does?

From core/base:

g++ -c -I include/ strings.cpp file.cpp chrono_utils.cpp \
errors_unix.cpp stringprintf.cpp parsenetaddress.cpp \
test_utils.cpp logging.cpp quick_exit.cpp

From core/libsparse:

gcc -c -I include/ backed_block.c output_file.c sparse.c \
sparse_crc32.c sparse_err.c img2simg.c simg2img.c

to build simg2img:

g++ -I ../base/include/ -I include/ simg2img.c \
backed_block.o output_file.o sparse.o \
sparse_crc32.o sparse_err.o sparse_read.cpp \
../base/stringprintf.o ../base/strings.o \
../base/errors_unix.o -lz -o simg2img

to build img2simg:

g++ -I ../base/include/ -I include/ img2simg.c \
backed_block.o output_file.o sparse.o \
sparse_crc32.o sparse_err.o sparse_read.cpp \
../base/stringprintf.o ../base/strings.o \
../base/errors_unix.o -lz -o img2simg

...and strip them if you like. You will notice that I have used -lz, i.e. libz; it must be present on your system along with its headers and so on.
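As an added example (not the page's code and not AOSP's libsparse), here is the sparse format the two tools convert between, in Python: simg2img expands a sparse image to raw, and img2simg turns a raw image back into a sparse one using libsparse's rule that a block consisting of one repeated 32-bit word is stored as a FILL chunk and anything else as RAW. It assumes the version 1 sparse layout (28-byte file header, 12-byte chunk headers) and a constructed raw image in place of system.img.

```python
import struct

SPARSE_MAGIC = 0xED26FF3A
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
FILE_HDR = struct.Struct("<IHHHHIIII")   # magic, major, minor, file_hdr_sz, chunk_hdr_sz,
                                         # blk_sz, total_blks, total_chunks, image_checksum
CHUNK_HDR = struct.Struct("<HHII")       # type, reserved, chunk_sz (blocks), total_sz (bytes)

def simg2img(simg):
    """Expand a sparse image into the raw ext4 image that simg2img produces."""
    magic, major, _, fhs, chs, blk_sz, total_blks, nchunks, _ = FILE_HDR.unpack_from(simg)
    if magic != SPARSE_MAGIC or major != 1:
        raise ValueError("not a v1 Android sparse image")
    out, pos = bytearray(), fhs
    for _ in range(nchunks):
        ctype, _, nblk, total_sz = CHUNK_HDR.unpack_from(simg, pos)
        body = simg[pos + chs:pos + total_sz]
        if ctype == CHUNK_RAW:
            out += body
        elif ctype == CHUNK_FILL:            # one 32-bit word repeated over nblk blocks
            out += body[:4] * (nblk * blk_sz // 4)
        elif ctype == CHUNK_DONT_CARE:       # unallocated blocks read back as zeros
            out += bytes(nblk * blk_sz)
        elif ctype != CHUNK_CRC32:           # a CRC chunk carries no image data
            raise ValueError("unknown chunk type 0x%x" % ctype)
        pos += total_sz
    if len(out) != total_blks * blk_sz:
        raise ValueError("chunks do not add up to total_blks")
    return bytes(out)

def img2simg(raw, blk_sz=4096):
    """Build a sparse image: repeated-word blocks become FILL chunks, the rest RAW."""
    chunks = []                              # entries are [type, nblk, body]
    for i in range(0, len(raw), blk_sz):
        blk = raw[i:i + blk_sz]
        fill = blk == blk[:4] * (blk_sz // 4)        # block is one repeated 32-bit word
        ctype, piece = (CHUNK_FILL, blk[:4]) if fill else (CHUNK_RAW, blk)
        prev = chunks[-1] if chunks else None
        if prev and prev[0] == ctype and (not fill or prev[2] == piece):
            prev[1] += 1                             # extend the current run of blocks
            if not fill:
                prev[2] += piece
        else:
            chunks.append([ctype, 1, bytearray(piece)])
    out = bytearray(FILE_HDR.pack(SPARSE_MAGIC, 1, 0, 28, 12, blk_sz,
                                  len(raw) // blk_sz, len(chunks), 0))
    for ctype, nblk, body in chunks:
        out += CHUNK_HDR.pack(ctype, 0, nblk, 12 + len(body)) + body
    return bytes(out)
```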

Changing System Files

Simply adding a file to the file system once it is mounted will not be enough to execute it from the debug terminal. Unless the extended attributes are set, SELinux will prevent the file from being listed properly.

Remember, my aim is root access to my device. I wrote a simple programme called sume; it is just like sudo, except simpler, and is available here.

attr (available in sys-apps/attr on Gentoo) should be able to set the extended attributes of a file. For some reason it did not work on my machine, failing with the error Operation not supported. I tried writing a simple programme using setxattr but that did not work either. Finally I tried using an Alpine Linux VM and a stock Gentoo genkernel-based image; both my custom programme and attr worked fine.

attr does not seem to properly support xattr for SELinux, at least not in Alpine. I wrote two little programmes, listxattr.c and setxattr.c, which compile fine in Alpine and Gentoo and allow listing and alteration of the security.selinux extended attribute. Although the two programmes setxattr and listxattr are simple, they are available in the sume repository.

# ~/setxattr bin/sume security.selinux u:object_r:system_file:s0
# ~/listxattr bin/sume
security.selinux: u:object_r:system_file:s0

The executable sume will now be listable and executable from the adb shell. It is completely useless, of course, as SELinux will stop it from elevating its privileges.
