Android Rooting and Rooted Apps

http://global.samsungtomorrow.com/?p=29411">

Rooting may finally come up to an end when device manufacturers beef up security mechanisms.

Samsung is shipping Secure Boot to prevent from loading operating systems which do not have a Samsung-issued cyryptographic signature (X.509 certificate).

QUESTION: Does this mean a network connection is needed to check revocation?

To detect tampering, Samsung has TIMA (TrustZone-based Integrity Measurement Architecture), where TrustZone is an ARM-based hardware.

Samsung trademarked the acronym KNOX (as in Fort Knox, where the US government is supposed to keep its gold) for its container holding secure apps, with a separate home page of secure apps.

SE for Android (Security Enhancements for Android) enforces Mandatory Access Control (MAC) policies to isolate applications and data within the platform.

Rooting Mechanims

Two of the most common exploits to root Android is [18.] Odin and [17.] SuperOneClick. These somehow manage to install a
[2.] su binary in the /system/bin or /system/xbin directory.

The su executable program was written by brit Adam Shanks, aka ChainsDD. To confirm whether a phone has been rooted, look for Superuser's app icon on the desktop/home screen and in Settings > Options > Applications. Text in the cross-bones are hex for "codetolive livetocode".

[3.] the Superuser.apk app in the /system/app directory provides a GUI to approve or deny the use of root access to whitelist other apps and thus enable them to run with impunity. A different version of Superuser is needed for each version of Android (cupcake/donut, eclair/froyo, etc.) so the icon can change.

[4.] Custom Java Android app programs such as APP: Root Checker (by joeykrim), which does not require a rooted phone, but can determine whether the phone has been rooted. It may use this code to see if an exec command returns without error:

Runtime runtime = Runtime.getRuntime();
try {
	runtime.exec("su");
}  catch (Exception e) {
	// Error occurred while executing command, does not have root.
}

Why Root? Capabilities After Rooting

YOUTUBE: Here's Why You Should Root Your Android Phone by pocketnowvideo

YOUTUBE: Android Guy Weekly: To Root, or Not To Root by pocketnowvideo mentions CyanogenMod which replaces firmware on devices. [ Wikipedia]

ARTICLE: The Power of Rooting

ARTICLE: Why Root?

WIKIPEDIA: Rooting_(Android_OS)

Make complete backups of a device, including files which only the root user can read. This is aka Nandroid backup. This should be done before other actions after rooting as it provides a restore point. Backups can be done from an option by entering Recovery Mode.
Conduct Automated Testing
Make GPS work better and faster
Remove carrier-imposed CarrierIQ which spys on users
Remove carrier-imposed bloatware apps consumers cannot delete on their own. These apps continue to consume limited storage space and memory
Download apps larger than 5 MB by relocating downloads to the sdcard
Enable tethering to turn phone networks into a wi-fi router for Windows/Mac clients
Make use of ADB (Android Device Bridge) from the ADT (Android Development Toolkit) as a GUI using QtADB which makes use of Busybox. See this description.
Manage Root certificates using CACertMan by the Guardian Project.
Make wifi faster and block ads
Change home screen, use custom fonts, and other aspects of a theme.
Improve battery life
Access protected hardware features like the camera strobe (to use as a flashlight)
Use the device across various carriers, since root access is required to modify carrier settings.
Use custom fonts. This one is the poster child for what bad can happen with apps that haven't been vetted. One app which is supposed to provide alternate fonts also silently installs another app (from the Amazon store) which can take all data from your phone without notice.

The Trouble with Rooting - an Analogy

The current situation is like buying a car with the hood welded shut. You can't get under the hood to fix an annoying noise. The only mechanic are in blind alleys. You go there and see teenagers wearing hoodies so you can't see their eyes. They talk among themselves in a language you can barely understand.

They ask you questions about your phone you don't know the answer to. They say "each combination of device x modem version x carrier x country requires a different technique such that using an exploit meant to be used for another combo may "brick" a device (render it usable like a mud brick)."

They each contradict one another, so you don't know which one to believe. Each of them holds out a different bottle.

So you pick one -- the bottle with a skull and crossbones on it. As they hand it to you that say that it may blow up your car.

You cross your fingers as you pour it in your gas tank. Poof. Your car hood pops open.

As you drive away you realize that now anyone can open your hood and take the battery and alternator from your car.

This is the situation with mobile phones in the US. Most enterprises, especially feduciary banks and health care organizations, are concerned that rooting would expose them to vulnerabilties.

Since the devices operate "in the wild" on the public internet, one feared scenario is for a malware IP scanner to discover a mobile device under test, and somehow cause a virus to infect it. Or if the tester visits a rogue website. See: this.

But are these vulnerabilities there even when devices are not rooted?

Wireless Carrier Anti-Rooting

Capabilities available after rooting, such as tethering to turn phone networks into a wi-fi router for Windows/Mac clients, means less money for wireless carriers. So carriers:

Void warrenties on rooted phones
Not update device to new version OTA (Over The Air)
Add blocks to make rooting more difficult
Patch device firmware to detect rooting

On July 26, 2010, the U.S. Copyright office announced a new exemption making it officially legal to root a device and run unauthorized third-party applications, as well as the ability to unlock any cell phone for use on multiple carriers. In China and some other countries, users need no such ruling.

Recent Motorola phones (Devour, Droid X, Droid 2, Droid Pro, Atrix, etc.) have signed boot partitions, which render them unfriendly for rooting. Motorola's purchase by Google may not change this, as it's an enterprise requirement. A similar secure boot mechanism is being introduced into Windows 8.

Barnes & Noble’s NOOK Tablet has a locked bootloader.

Early roots of Amazon's Kindle Fire for Ice Cream Sandwich had difficulty with sound drivers.

WEBSITE: This HTC portal website lists HTC devices since 2011, and provides (for registered users) a "Begin Unlock Bootloader" button. As this diagram illustrates, a fastbook command requests the device identifier token for submission to HTDdev.com, which after validation emails back an Unlock key for use by the Unlock command on the device. But the Droid DNA from Verizon is not listed.

Ironically, the "cat and mouse" game of ever increasing sophistication in anti-rooting requires ever more invasive rooting techniques. Since Sep 21 2012, Verizon offered a $600 "Developer Edition" S III when it began selling regular Samsung Galaxy S3 with a locked bootloader. This prevents flashing (via Odin) of a custom recovery kernel. So Rootzwiki responded by offering an older bootchain to flash the custom recovery kernel, then continue on by flashed custom recovery by flashing the fully unlocked bootloader. Just another speed bump.

The Google Nexus 4 smartphone running stock Android 4.2 for $299, without a contract, on Amazon. A 16GB Samsung Galaxy S4 with stock Android 4.2 with unlocked bootloader and without bloatware can be purchased on the Google Play store for $649. It has LTE for use on AT&T and T-Mobile.

Is There a Better Way?

It is confusing to read websites and videos on rooting because procedures to obtain root access is different for each model of phone from each manufacturer. US and international versions may also require different methods. Thus, rooting methods change over time. But obsolete methods still clutter the internet, confusing people who have better things to do than keep up with such matters.

The fear with rooting is that it introduces something which has not been adequately vetted for security by corporations such as Symantec or HP Fortify who provide enterprise security services.

But I don't think any legitimate large company is likely to step forward and stand behind any rooting mechanism because the cost of possible lawsuits and hassles with carriers likely won't offset the revenue from selling rooting services.

CAUTION: So rooting is likely to remain in hobbyist hands. This is the most troubling issue to me. On the one hand, since hobbyists are not professionals working with "adult supervision" in corporations, it's less obvious if one of them goes rogue and implants malware. On the other hand, wide variation in device manufacturers, models, and operating systems means the small community of hobbyists cannot produce all root kits for every phone soon after public release.

Thus I call on the professional software developer and testing technical community to help out here, and apply their expertise. What is needed is some group to define a rigorous approach to evaluating root mechanisms ROMs. More open, objective evaluations are needed.

For Windows, Odin Multi Downloader works with USB drivers for Samsung phones.

Odin3 v1.85_intratech.zip (192.32 KB)

ODIN3 v.1.82.exe (415.5 KB)

Adam Outler, an XDA Elite Recognized Developer, came up with a CLOUD approach downloadable
here.

BusyBox by Stericson (Stephen Erickson) enable scripting operation.

$2 Samsung OdinMaker

ClockworkMod Recovery (CWM):

from ClockworkMod Recovery (CWM)

clockworkmod.com

Koushik Dutta

ROM Manager

Cyanomod by developer Cyanogen (Steve Kondik) ( WIKIPEDIA) ironically requires a hack to establish a more secure VPN client connection, as well as purported higher reliability than official firmware.

Using Windows, download from MultiUpload I777UCKH7 OCD Root No BL.exe the Return/Unbrick to Stock, Kernel + Rooted System Package plus stock modem (Contains stock zImage, factoryfs.img with root, and modem.bin.) by Entropy512 (Andrew Dodd). Double-click on it to start the Odin3 One-Click Downloader program.

From Apple Mac or Linux, download Heimdall rooting files (by clicking "CLICK HERE to Download", not the big Download button).

SAMMobile.com/firmwares/ provides firmware of devices. For the Verizon Galaxay S3 SCH-I535, http://www.sammobile.com/firmwares/3/?download=14741

chainfire.eu
phonerebel.com

Rooting Just for Testing?

How about rooting devices only during testing, not during productive (production) use?

fastboot oem unlock

[34.] Root-friendly devices such as the Google-branded Nexus line of devices, HTC, and some other manufacturers allow rooting without the need for an exploit by running the fastboot program within Google Android SDK for Windows.

Make the Windows PATH environment variable should include two folders: tools and platform-tools. So if you installed it to the C: root folder, your PATH should have "C:\android-sdk\tools;C:\android-sdk\platform-tools".

Open a Windows Run command window. cd to the Android-SDK tools folder.

Plug in the USB cable between the phone and Windows.

Prove that your PC has a good channel to the phone. The phone's serial number should appear after typing this on the command prompt:

Enter boot-loader mode.

Unlock the boot-loader from a computer connected to the device while it is in boot-loader mode by command:

Enter Recovery Mode

Once in recovery mode, on Nexus phones, with a command prompt connection:

z4mode

Rooting HTC Phones

FreeyourAndroid.com

Sprint EVO 4G (HTC Supersonic)
Droid Incredible (HTC Incredible)
Droid Eris (HTC DesireC)
HTC Desire GSM
HTC Desire CDMA (HTC BravoC)
HTC Aria
HTC Wildfire (HTC Buzz)

[5.] On Windows clients, first make the phone install its USB HBOOT driver on your Windows machine by using an alternate power-up mode:

Power off the phone
Keep holding down the volume down button and power button at the same time until the menu appears.
- FASTBOOT
- RECOVERY
- CLEAR STORAGE
- SIMLOCK
- HBOOT USB

On EVO 4G phones, at the menu press volume down to option "HBOOT USB" and then presss the power button to select it.
TEST: "S-ON" at the top of the screen indicates that the phone lock is active.
Connect the USB cable between the Windows PC and phone. This causes default USB drivers from the phone to be installed on Windows.
In Windows Start > Control Panel > Device Manager > Other devices > Android 1.0 should now appear.

[7.] Update USB drivers:

Using [6.] an internet browser, download and unzip android-usb-driver.zip to a temp folder so it contains android_winusb.inf.
Right-click on "Android 1.0" to Update Driver Software. Choose Browse my computer, the location where you unzipped folder Android USB Driver. Check Include subfolders. Windows Device Manager should now have an Android Phone category containing Android Bootloader Interface

Obtain and run rooting programs:

On the device, uninstall apps which might interfere with reflash, such as DoubleTwist, anti-virus, HTC Sync.

WEBSITE: Unrevoked.com offers an approach that bypasses "NAND locks" (whatever that is) with:
TOOL: Unrevoked3 to root Android 2.2 wireless smartphones from HTC:

Download and run the [9.] rooting program reflash.package.exe. Don't touch anything until it says done.
Some rooting programs changes what [10.] manufacturers "flashed" onto [11.] an area of the stock ROM to a [12.] Custom ROM which the [13.] Boot Loader now loads into device RAM upon [14.] normal power-up.
TEST: After the phone reboots on its own, a [3.] "Superuser Permissions" app should display in the app tray.

Rooting Samsung Phones Option 1 with SuperOneClick

For the most popular devices:
TOOL: Samsung Galaxy S2 4G
TOOL: Samsung Infuse 4G
TOOL: Samsung Tablet

On Samsung phones, establish USB connection so [16.] adb can interact with the device.

[18.] Odin conflicts with [15.] Samsung Kies, so right-click on the PC Windows time in the task bar and open Task Manager. Select Processes tab, click on Image Name to sort, right-click on KiesTrayAgent.exe and select End Process Tree. Confirm.

Samsung Kies software uses MTP (Media Transfer Protocol) mode via USB cable to talk to Android devices. This is why a "MTP connected" notification appears.

Enabling USB Debugging changes the android device to use USB transfer mode. This causes Kies to issue error "Reconnect the device in Samsung Kies (PC Studio) mode. Current connection Mode not supported by Kies".

Install on your PC .NET Framework 3.5 SP1 or later from Microsoft if it is not already installed.
Using IE, DOWNLOAD: [17.] SuperOneClick.exe in a zip from
WEBSITE: ShortFuse.org. version 2.3.3 was 10.14 MB from http://depositfiles.com/files/n0dcxce3t.
Invoke the exe to install to a temp folder (C:\Installers) and close the unzip program. Early versions publish .7z rather than .zip files. If so, download and invoke the 7-zip installer from
TOOL: 7-zip

Unplug the USB cable between the device and Windows.
To enable SuperOneClick to use adb, on phone Menu > Settings > Applications > USB Settings > Development > check USB Debugging (on).
On phone Menu > Settings > SD card & phone storage > Unmount/eject SD card.
Press the Home button to return to the home screen.
Plug the USB cable between the device and Windows.
Select Mass Storage.

In Windows Task Manager > Processes, end any adb.exe processes running.
Invoke SuperOneClick.exe.
Click Update Check. This will auto open a browser window. v2.3.1.0 has a bug. Change https to http.
Click Root.
In Windows Task Manager, two adb.exe entries will show.This is part of the exploit.
At "Automatic version check failed" click Yes for Is your version 2.0 or higher?
At "Device properties cannot be read!", restart.

Android OS

Android uses a fork of Linux for its security and drivers for many common devices.

Rooting Android devices involves use of Linux conventions.

Rather than use the standard copyleft Linux LibC, Android created its own BSD closed-source faster, smaller GLibC, called Bionic C (which uses 4-byte rather than 12-byte mutexes). Whereas POSIX SHM cannot, Android's reference-counted Ashmem (Anonymous SHared MEMory) can be freed automatically by a mmap() call after a ashmem_create_region() call. To allocate process memory shared between userspace and kernel drivers (for DSP, GPU, etc.), a pmem() call is made after ashmem_create_region().

NOTE: Unlike other Linux OS (such as Centos and Unbutu running in PCs), the Android installer does not include X11 windowing and related utilities.

Making Use of Exploits

(such as "rage against the cage")

Linux ROM, PIT, Backups

TIP: Look for these features in rooting offerings:

Provide a temporary unlock option
Ways for both Windows and Mac/Linux environments, such as a root.bat for Windows and root.sh for Mac/Linux.
Current versions of components such as Odin, Superuser, etc.

[13] When users hold down just the power button, a connection is made from the battery to the Boot Loader which loads binary executable resources (the operating system kernel) from firmware into dynamic RAM memory where programs are executed.

The Boot Loader senses what keys were pressed to determine what to boot (normal boot, recovery mode, download mode).

Firmware is also (incorrectly) call "ROM". By definition, ROM (Read-only memory) cannot be written to or modified. So in the context of Android devices, "ROM" is a contraction of EEPROM -- NAND type of WIKIPEDIA: Flash Memory, in which "flash" is an analogy of a camera flash imprinting new patterns on memory logic (as if it actually can).

Partition	Image ID	Description	Size	/dev/block
PBL	boot.bin	Primary Boot Loader	0.256MB	-
EFS	efs.rfs	contains the IMEI	5.9MB	-
SBL	Sbl.bin	Secondary Boot Loader	1.25MB	-
SBL2	Sbl.bin	Backup Secondary Boot Loader	1.25MB	-
KERNEL	zImage	Primary (Linux) Kernel	7.5MB	bml8
RECOVERY	zImage	Backup Kernel	7.5MB	bml6
FACTORYFS	factoryfs.rfs	Android /system partition Size depends on pit file specified/used.	276.3MB 297.5MB 287.5MB	-
DBDATAFS	dbdata.rfs	where app data gets stored app choices, passwords, email, web history, etc Size depends on pit file specified/used.	126.7MB 107.2MB 117.2MB	stl14
CACHE	cache.rfs	Dalvik VM cache	30.1MB	-
MODEM	modem.bin	wireless modem	12MB	-
PIT	.pit	Partition Information Table (size inferred)	*256KB	-
PARAM	param.lfs	The images shown when something is wrong Size inferred.	*640KB	-

PIT (Partition Information Table)

TIP: Backup the EFS partition which holds the device's IMEI, MAC address, etc.

adb shell
su
dd if=/dev/block/stl4 of=/sdcard/efs.rfs

TIP: Backup the user data partition which holds passwords, emails, etc.

adb shell
su
# dd if=/dev/block/stl14 of=/sdcard/userdata bs=4096

Verify the /dev/block ???

CAUTION: The concern is that people are blindly installing software from those they don't really know. So far, hobbyists creating ROMs have not created malware. But who knows what the future holds.

TIP: Rather than executables which are difficult to examine, prefer rooting tools using open mechanisms such as shell scripts (.bat files for Windows and .sh for Mac/Linux). This provides a way to see what exactly is being changed and how it is being done, even if it's not examined unless there is a problem.

CSC (Customer Software Customization) area which stores the packages, APN settings, and branding specific to each geographical region and carrier/service provider.

There are several rules which custom ROMs need to follow (and cause problems if not), such as PIT files being in little-endian format (where hex numbers are read backward); and each image needs to fit within the partition size defined for it in the PIT (Partition Information Table) used.

Odin needs the tar files to be in the USTAR format. I haven't seen a free program that can write these other than the gnu linux tools - hence why I use Cygwin.

TIP: Prefer Odin for Windows and Heimdall for Mac. It does not specify which PIT because they just send the files along with an ID that tells the device WHAT will be flashed. The device decides according to its PIT WHERE it will be flashed.

Rooting Samsung Phones Option 2 with Odin

Before starting this, do a full backup.

Because large files are loaded, begin with a fully charged device.

Enter Samsung Download Mode

At the Home screen, press the Options key to enter Settings.
Tap Storage (on older devices "SD card" and "Phone settings"), then Unmount SD Card.
In Developer options, switch to ON (on older versions, Applications > Development) and check USB Debugging (on).

How to Root AT&T Galaxy S2
shows to press all 3 buttons
(Vol Up/ Vol Down / Power)
without first powering down.

Download

Power off the phone by holding down the power button and selecting "Power off", then OK.
Unplug the usb cable if it is connected to a Windows/Mac client machine.
Take out the battery. Wait for a minute, and put it back in.
While holding both vol up and vol down buttons at the same time (but not the power button),
plug the connected usb cable into the phone.

Either way, The warning screen should appear to say:

Press the Volume up button to continue into download mode.

If you are NOT flashing, remove the usb cable, and hold down the power button until the phone begins to reboot. Otherwise...

WARNING: Samsung and AT&T added to their Galaxy S II phones a way to detect whether rooting has occured. When a device is returned for service or other reason, AT&T technicans check for If "CUSTOM BINARY DOWNLOAD: YES" shown with a yellow warning triangle.

Hackers found that a micro-usb jig plug with 301,000 ohms of resistance connected across pins 4 and 5 forces the phone into Download Mode used to reset the flash counter. Make one.

The flag is triggered by a counter which is set to YES when a non-stock binary (kernel/ROM) is flashed. But hackers noticed that the flag is not triggered if Download Mode was entered by another method (by using adb or the power menu).

DOWNLOAD: GalaxyS2ATTRootZedomax.zip
Unzip it to a temp or installers folder so that the Odin3 v1.85.exe can read its ini file and tar file.
Heimdall is Odin's equivalent for Mac/Linux.

In Windows Start > Run > cmd > OK > cd to the folder
Invoke Odin3 v1.85.exe. The "Epic 4G" is specified in odin's ini text file.
There should be a yellow. "0:[COM11]"
Click the PDA icon and specify the full file path to the tar file. It contains a zImage binary file.
Press Start.

If all is good, delete the zip file to return disk space.

CAUTION: Obtain programs directly from those who created them because download utility sites such as wupload.com and filesonic.com may offer obsolete or even malware-infused copies. Such sites obtain revenue from selling subscriptions for faster download speed and clicks on their pop-up windows. Those who make their files available can get a comission from such subscriptions. This is a way authors can monitize their work. So don't click thru, but do reward the author with a donation. It's only fair.

CAUTION: APK files must be converted to a flashable zip format file before being flashed on the device.

TIP: Create flashable zip files from original APK packages on the device so that you can revert back to untouched state.

Un-rooting brings the device back to conditions under warranty.

Telnet Connect

To transfer files, a telnet program is needed on each end.

On the Android:

A successful connection will show # the root prompt.

Stock ROM (Read Only Memory) Packages

It's a good idea to backup original ROM so that one can return to it.

These apps is the operating system that manage 7) custom apps downloaded from Android Market or other store.

[6.] On new devices, resources are flashed onto the "ROM" by device manufacturers. Such versions are nicknamed stock ROMs, versus custom ROMs created by hobbyists.

Who has them?

The Froyo version of Android has its ROM resources at:
* /system/framework/framework-res.apk

The file extension APK (Android Package File) contains a set of files Android can execute.

Gingerbread version phones have two ROMs files:
* /system/framework/framework-res.apk
* /system/app/SystemUI.apk

Additionally, manufacturers add their own resources:

Samsung Froyo has a ROM at:
* /system/framework/twframework-res.apk

TOOL: apktool can be used to pull framework resources needed to build APKs for those phones.

$ apktool if com.htc.resources.apk
I: Framework installed to: /home/brutall/apktool/framework/2.apk

Custom ROM (Read Only Memory) Packages

miuiandroid.com WEBSITE: en.miui.com provides the US translations of ROMs coded in Simplified Chinese for users in the mainland China locale. It sports iOS (iPhone) look and feel.

The original target was Nexus One and HTC Desire, but Cyanomod and others have ports to Droid X, Evo 4G and others.

Adding Back Google Android Apps

Due to licensing, AOSP ROMS not created by Google itself does not contain
APP: Google apps (GApps) such as Gmail, Android Market, Maps, and Voice Search. So they must be downloaded separately. Different version of WEBSITE: CyanogenMod and dpi resolution supported by each device (from High to Medium to Tiny). http://wiki.rootzwiki.com/index.php/Google_Apps

Entering Recovery Mode

APP: Root Booter from well-regarded Speed Software, for $.99, boots rooted devices into recovery mode without the finger gymnastics described below.

To put the older G1 phone into recovery mode, hold down the home button and press power.

To put a Samsung S2 (GT-I9100) phone (as SGH-I777 on ATT and SGH-T989 on T-Mobile) into
Recovery mode:

If present, unplug the usb cable connected to a Windows/Mac client machine.
Keep holding both vol up and vol down buttons at the same time AND the power button
until the Recovery screen appears.

Recovery Menu

The stock Samsung Galaxy S2 phone offers this recovery menu:

Apply update from sdcard

If you are just visiting, when "reboot system now" is selected, press the power button to reboot to the screen normally seen.

Modified phones have more options and keys to navigate. In the CWM (ClockworkMod) Recovery menu, go back with the power button and select using home button. Added menu options include:

install zip from sdcard

Full Backup

Backups should be done before other actions after rooting as it provides a restore point.

Backups can be done from an option of entering Recovery Mode.

Complete backups of all files from a device, including files which only the root user can read, is aka a Nandroid backup.

Those who get the eebee jeebies while doing finger gymnastics prefer the comforts of an app for rooted phones:

Titanium Backup

apps

pro version key

ARTICLE: How to make a Comprehensive Backup of IMEI/EFS recommends that to backup the "fsg" and "backup" block devices of IMEI to use command adb reboot nvbackup.

QPST (Qualcomm Product Support Tool) is a Windows PC program used by service centre personnel to configure phones with Qualcomm chips connected via a data cable. It can be used to change the Carrier Banner, tweak the phone's speaker to make it louder, etc.

Commanding Phone via Terminal Access

To issue commands to an Android device, one first has to connect from a Windows client machine to the phone, using a terminal app. There are several options.

irssi connectbot

Once installed, invoke it for its blue screen terminal view.
Type in su, then press the Enter (crooked arrow) symbol on your keypad.
Confirm the "Root access from the Super user Application".
Tap on “Allow to Proceed”.

Make GPS Work Better

GPS receivers can be slow -- as much as 12.5 minutes to acquire a location fix, even though the GPS system is designed to have several satellites visible from an unobstructed location. Being among large buildings (in Manhattan, New York) can cause GPS to lose their way.

To help in quickly determining a position, GPS devices also have Assisted-GPS (A-GPS), which use satellite acquisition information obtained via mobile data and/or WiFi connections. BTW, A-GPS data is obtained via the Secure User Plane Location (SUPL) protocol, on default port 7276 from host supl.google.com.

A-GPS data can become incorrect or corrupted somehow. This may be the case after large earthquakes which can move whole areas several meters.

To reset (flush) and re-download AGPS data, make sure wi-fi in available, then install:

GPS Status & Toolbox

After installation, launch the app. Hit the Settings button > Tools, and Manage A-GPS state. Tap Reset, then "Download". When done, exit the app and see if Google Maps (or whatever GPS app you use) gets a quicker GPS lock.

If resetting data doesn't do it, try rooting the device to run cm7, which enables access to /system/etc/gps.conf to remove SUPL_HOST and SUPL_PORT specifications.

Redefine Symlink Location to Download Apps Larger Than 5 MB

The symlink "download" used to receive downloads from Android Market can be changed from the default /cache/download folder.

After root access to the phone is establish via a Terminal app:
define a new folder on the SD card:
mkdir /mnt/sdcard/market-cache
Then su to get root access and define the new symlink:
ln -s /mnt/sdcard/market-cache download
Confirm the new symlink value and its access rights:
ls -ahl

Remove Stock (Default) Apps

Settings > Applications > Manage applications
does not list system and stock default apps not installed by the device user.

After root access to the phone is establish via a Terminal app:
Type these commands (subsituting your-app-name for the name of your app):

mount -o remount,rw -t yaffs2 /dev/block/mtdblk3 /system
ls   /system/app
rm /system/app/your-app-name
mount -o remount,ro /dev/mtdblock3 /system

Detecting and Removing CarrierIQ

CarrierIQ is a rootkit. Devices are automatically entered into using Carrier IQ.

Apple iPhone 5 provides a Settings menu to switch off Carrier IQ (under Diagnostics).

HTC android devices have no off switch.

Samsung android devices have an on off switch that is not easily accessible and not made known to users that it’s there.

APP: Logging Checker by TrevE detects logging

APP: $1 Logging TestApp Pro Key - ROOT by TrevE () installs busybox for more automated operation and removal

Tethering

APP: $5 per month ClockworkMod Tether (no root) from ClockworkMod does not require rooting but costs.

Windows: http://download.clockworkmod.com/tether/TetherWindowsSetup.msi
Mac: http://download.clockworkmod.com/tether/tether-mac.zip
Linux: http://download.clockworkmod.com/tether/tether-linux.tgz

Carriers put limitations on this. But once rooted, cellphone wireless signals can pass thru to a PC or Mac workstation.

android-wifi-tether

barnacle app ???

For tethering, the Linux kernel needs to have features CONFIG_NETFILTER, CONFIG_IP_NF_IPTABLES, and CONFIG_NETFILETR_XT_MATCH_MAC).

Networking Tweaks

APP: MasquedCrusader from rooted app specialist Soapbox Apps improves network speed by locally caching nameserver data and forcing the use of Google's fast DNS servers.
APP: MasquedCrusader Pro, for $4.99, also blocks ads and enable use of OpenDNS.

This we need because Comcast hijacks invalid DNS lookups by sending users to the Comcast search site rather than returning an error. This fools Chrome into thinking a valid webpage is being visited, and thus caches it in the browser's history.

Home Screen Changes

APP: GDE home screens which are selectable as a spinning cube. Some say it's more stable than PandaHome and OpenHome.

APP: LMT Launcher illustrated has pie controls invoked by long-pressing the side of the screen as an additional layer above the Android menu.

Theme Files

CAUTION: Due to differences in ROMs, theme files must be associated with a specific ROM.

WEBSITE: Ultimate Online Theme Kitchen provides a cafeteria-like approach to assemblying a custom flashable zip compatible with Clockworkmod 3.

Other Apps for Rooted Phones

ES File Explorer File Manager

APP: File Expert reads as well as list files, even within zip folders.

APP: Root Explorer, for $3.99, provides readers of files as well as listing them.

APP: Android Optimizer has several utilities, including file explorer.

APP: SetCPU

APP: Spare Parts is like PowerTools for Windows, making it easier to tweak hidden settings.

MSL Codes

Unlock GSM phone

This page summarizes Brian's page and
Sprint MSL code list

An Master Subsidy Lock (MSL) code (such as ##868021# entered in the dialer instead of a phone number) accesses carriers' back-end functions in carrier's EPST: (Equipment Performance Support Tools).

To ensure that Voltage: value is at least 3800 (mV), Without plugging in the USB cable, in the phone dialer type *#0228#.

Each carrier uses a different algorithm to create the MSL code based on each phone's ESN. So a different code is assigned to every customer/device. Sprint uses a 8-digit code. BlackBerry uses a 16-digit code.

CDMA phones also have a one-time Service Programming Code (SPC) to activiate new phones.
Verizon uses CDMA.
T-mobile USA uses UMTS 3G data frequencies 1700/2100.
AT+T uses GSM 3G band on 850/1900.

MSL codes are kept from consumers because they want to recoup the subsidy for charging a lower cost for the phone at activation.

Carriers won't release the MSL nor activate a phone if that account has an outstanding balance. So before buying a second-hand phone, get the ESN and make sure it's clear.

ROM Manager

Premium

Device Hard Reset

Mistakes in rooting may require a hard reset of the device.

CAUTION: This wipes out everything on the device, which is why we do it.

Each device model has a different approach:

For the Samsung Galaxy S2, type this in your phone dialer: *2767*3855#

For the Nexus One:
1. Switch the phone off by holding down on the power button.
2. With the phone off, hold the Volume Down button, and while still holding the Volume Down button, firmly press and release the Power button.
3. You'll boot into a menu with a white background, small text and the little skateboarding Android guys.
4. Press the Volume Down button until you reach the Clear Storage option.
5. Press the Power button to select Clear Storage.
6. Press Volume Up to confirm the selection.Sit back while your phone reboots in its virgin state.

Android Rooting and Rooted Apps

Why Root? Access to Root Folders

Device Locks

Rooting Mechanims

Why Root? Capabilities After Rooting

The Trouble with Rooting - an Analogy

Wireless Carrier Anti-Rooting

Is There a Better Way?

Exploit Developers' Sites

Rooting Just for Testing?

fastboot oem unlock

Rooting HTC Phones

Rooting Samsung Phones Option 1 with SuperOneClick

Android OS

Making Use of Exploits

Linux ROM, PIT, Backups

Rooting Samsung Phones Option 2 with Odin

Enter Samsung Download Mode

Telnet Connect

Stock ROM (Read Only Memory) Packages

Custom ROM (Read Only Memory) Packages

Adding Back Google Android Apps

Entering Recovery Mode

Recovery Menu

Full Backup

Commanding Phone via Terminal Access

Make GPS Work Better

Redefine Symlink Location to Download Apps Larger Than 5 MB

Remove Stock (Default) Apps

Detecting and Removing CarrierIQ

Tethering

Networking Tweaks

Home Screen Changes

Theme Files

Other Apps for Rooted Phones

MSL Codes

Device Hard Reset