You are on page 1of 6

The easiest way to think of a kernel - is that its the piece of software that allows Android to

communicate with the hardware/phone itself. It controls the charging and the power flow
to the phone.

Stock kernels are pretty boring/safe, they provide a constant steady flow of power to the
device whether its being used or not - this is why most rooted phones running a custom
kernel get much higher battery lives, they are customized to control the flow of power when

The kernel also controls the voltage/clocking of the CPU. With a custom kernel you can
overclock/undervolt your CPU. You can use CPU Profiles that are built into the custom
kernel which allow things like a min/max CPU to be set. For instance, when my phone isn't in
use I have it set to drop to 350MHz and when I touch it the CPU jumps to 1400MHz. This
allows me to greatly improve battery life as well.

The Kernel 1.
This low-level code contains the instructions that tell a device how to start up and find the
system kernel. The bootloader usually lives on the system board in non-volatile memory.
Every time your phone starts up, that bootloader code is telling your device what to do in
order to get you to the home screen.

Most of them also have their own debugging or modification environment.

Since it is the first code to run on your device, extremely processor specific and every
motherboard has its own bootloader.

This is one reason that all Android phones have different custom ROMS developed due to
high variance of processing hardware present on the device.

Bootloaders are locked by manufacturers to make it virtually impossible to flash a Custom

ROM ( and let the user stick to the Android version they have prepared for that particular
device. This is simply to avoid providing support to the hacked phones. ).

On most Android devices, the primary bootloader cannot be replaced. This is because the
primary bootloader is hardcoded into an application-specific integrated circuit (ASIC) in the
device. These hardcoded instructions load the secondary bootloader into memory and tell it
where the memory, CPU and operating system are located and how they can be accessed.

Step 1 - Special code in the boot read-only memory (ROM) locates the first-stage
bootloader and loads it into memory. The boot ROM is an ASIC that has its code
permanently programmed.

Step 2 - The first-stage bootloader loads the second-stage bootloader after initializing
some memory and getting the hardware ready.

The bootloader checks to see if the security flag is on (S - ON). If it is on, then the
bootloader will load only signed (official) kernels. If the security flag is off (S-OFF),
then the bootloader no longer checks for signatures. Setting S-OFF also releases other
security lock downs, making the entire file system writable and enabling other
goodies, such as allowing you to install a custom recovery process on the device.

This is the step in which you want your custom bootloader to be loaded. The holy grail
of hacking a manufacturer's handset is to load a custom bootloader so that a custom
Bootloader 2.
Thursday, March 7, 2013 11:07 AM
Android Page 1
of hacking a manufacturer's handset is to load a custom bootloader so that a custom
kernel can be loaded.
Fastboot :
Is a protocol that allows low-level commands to be sent to a device
to do such things as write files (such as custom bootloaders, recoveries and ROMs) to
the operating system. Most manufacturers, therefore, disable the Fastboot protocol
at the factory. Because the second-stage bootloader is the step in the boot process
where the Fastboot protocol is enabled or disabled, this part of the code is frequently
encrypted or otherwise locked down by OEMs.
The bootloader loads a Linux kernel and customizations into memory and hands off
control of the hardware to the Linux kernel.

The Linux kernel and any software or firmware customizations are usually all
packaged together. On some devices, they are called a ROM. The name ROM is a
slight misnomer because NAND storage is not truly read-only. Other devices require
custom images (in IMG format) to be written to memory; still others have the kernel
package written from an RUU file. However the kernel package is placed on the
device, the bootloader must know where it is located and how to hand over the reins
to it.
The last step is the initialization (INIT) process. The INIT process is the mother of all
other processes that run on your device. It initializes all of the processes necessary for
basic hardware access and device functionality. It also starts up the Dalvik virtual
machine processes where most applications are executed.

The process for doing this will vary by phone, and even by the version of the software you
are running.

Many root tools will let you unlock the bootloader at the same time, but you may need to
downgrade your software version to get a vulnerable bootloader. Manufacturers will push
updates that block bootloader modification just like root exploits get patched.

HTC also uses NAND lock which prevents root, and in turn bootloader access. Although, this
is usually defeated on a per-handset basis.

Some devices that are intended as a development unit have a leg up on the competition,
though. The Nexus One, Nexus S, and possibly the Motorola Xoom have user unlockable
bootloaders by design. In these cases, all you need to do is install the Android SDK, plug in
the phone, and boot into the bootloader. Issuing the 'fastboot oem unlock' command will
unlock your bootloader. Even these sanctioned methods take the security aspect into
account. Unlocking the bootloader will cause the device to be factory reset to protect user

Over time, the community has developed workarounds to get some lower-level control of
these phones. With a recovery bootstrap, users can jump into a custom recovery, but the
process comes with additional risks. Bricking a phone is easier to do when dealing with
encrypted bootloaders.

Even in the best of circumstances, a locked bootloader will prevent the wholesale alteration
of the system kernel. Full-scale ROMs are not really possible. Still, users have managed a lot
of impressive things even with locked bootloaders on phones like the Droid X.

Unlocking boot loader - general process 3.

A popular custom recovery for Android phones and tablets developed by Koushik Dutta
(Koush) ( , a well-known name in the Android dev

It allows you to perform several advanced recovery, restoration, installation and

ClockworkMOD aka CWG 4.
Android Page 2
It allows you to perform several advanced recovery, restoration, installation and
maintenance operations on your Android device that arent possible with the stock
recovery, and is one of the most common ways used to gain root access, back up device
data, install a custom ROMs, kernels, themes, mods and more.

All Android devices ship with a recovery console that is basically a partition on the devices
internal memory and d.

The stock recovery of almost all Android devices provides a few basic yet handy options that
allow you to factory reset your device and also to recover its operating system using an
official ROM in zip format, but thats all you can do with it. Thats where a custom recovery
comes handy.

A custom Android recovery basically replaces the stock recovery with one that lets you do all
you can do with the stock recovery, plus a plethora of more options to give you a lot more
control on your device. With a custom recovery, you can install official and unofficial ROMs
as well as other updates including apps, themes, kernels etc. using zip files, wipe not just
user data but pretty much every partition on your device, mount the storage card for USB
mass storage access without leaving recovery, partition your SD card, wipe Dalvik cache and
battery stats, fix permissions, perform, manage and restore backups and so on.

Android Recovery 5.
Combination of persistent memory and program code and data stored in it. So it is a
permanent software programmed into a read-only memory.

Firmware is held in non-volatile memory devices such as ROM, EPROM, or flash memory.
Changing the firmware of a device may rarely or never be done during its economic lifetime;
some firmware memory devices are permanently installed and cannot be changed after
manufacture. Common reasons for updating firmware include fixing bugs or adding features
to the device. This may require physically changing ROM integrated circuits[citation
needed], or reprogramming flash memory with a special procedure.

The logic written in firmware may vary in function and scope from device to device. For
example on PCs, the de facto firmware is BIOS whose function is to initialize, test, configure
the PC.

For Android devices it is the whole Android OS (Froyo,Gingerbread, ICS, Jelly Bean etc.)
installed on ROMs.

Firmware 6.
Means installing new firmware, i.e. overwriting of existing data on ROM modules present in
an electronic device with new data.

ROM - kernel matching

This may be done to change from one mobile phone service provider to another or installing
a new operating system.

While flashing, use kernels designed for the same main release version of Android. For
instance, you can use an Android 4.0.4 kernel on Android 4.1 - it just wont be optimized for

However, you cannot use an Android 2.3.6 kernel on an Android 4+ ROM. All ROMs come
with their own kernel, or use the stock one. However you can flash a new kernel after you
flash the ROM - which is highly recommended.

For the same reason, as long as the kernel is made for the type of ROM you have installed,
you can flash new kernels anytime you want.

Flashing 7.
Is the user name or account that by default has access to all commands and files on a Linux
or other Unix-like operating system.

Aka the root account, root user and the superuser.

Root 8.
Android Page 3
Aka the root account, root user and the superuser.
The Root directory (/) - the top level directory in a Linux system
primary repository of a user's files, including that user's configuration files, and
it is usually the directory in which a user finds itself when it logs into a system.

/root means root user's home directory (/root) is nested in root directory (/).
The root user's home directory (/root) -
Do not mis-interprete with:
The term root comes from the hierarchical nature of the file system and permissions in UNIX
and Linux operating systems. The branches of the file system and users resemble an
inverted tree. The root of a file system is the beginning of all the files and directories. The
root of the permissions system is the beginning of all permissions and, thereby, the most
powerful and privileged. Thus, the highest goal for any hacker is to obtain the ability to log
into a Linux device as root.

A process that allows users of smartphones, tablets or other devices running on

Android to gain superuser access to the software. This will allow the user to perform
administrative tasks such as writing to locations normally restricted by the system which in
turn will allow for deeper customization.
The process of rooting varies widely by device, but usually includes exploiting a security
weakness in the firmware of the device, and then copying the su binary to a location in the
current process's PATH (e.g. /system/xbin/su) and granting it executable permissions with
the chmod command.

A supervisor application like SuperUser or SuperSU can regulate and log elevated permission
requests from other applications.

Often, rooting a phone or Android device sets the phone back to factory defaults, resulting
in data (including contact information) being wiped from the phone.

Rooting 9.
Some Android devices, such as the Nook Color and WonderMedia tablets, require a custom
SO card for rooting. A special file system and update script is written to an SO card using a
PC. The SD card is then inserted into the device and the device is rebooted. The device boots
from the SO card and flashes custom firmware and bootloaders.
If you find out from the XOA forum that your device needs to boot from an SO card, it is best
to use a separate SO card on which you have not stored data. Most methods of making an
SO card bootable will completely erase the data from it.
Rooting using custom SD card 10.
Gaining root access is sometimes compared to jailbreaking devices running the Apple iOS
perating system. However, these are distinct concepts.
installing or booting into a modified or new operating system (a "locked bootloader"
prevents this),
sideloading unsigned applications onto the device is prevented and user-installed apps
prevented from root permission and run in a secure sandbox. iii.
In secured iOS world, restrictions prevent b.
Bypassing all these restrictions together constitute the expansive term "jailbreaking" of
Apple devices, overcoming several types of iOS security features.
By contrast, while many Android devices have locked bootloaders, the ability to sideload
apps is common and usually permissible without root permissions. Thus, it is primarily the
third aspect of iOS jailbreaking relating to superuser privileges that correlates to Android
Android rooting vs iOS jailbreaking 11.
Android Page 4
Stands for Read Only Memory. It includes the kernel, the OS, and the core apps. The OS
itself(Android) is just a UI for a custom built Java VM called Dalvik.

ROM 12.
The version of the phone's operating system that comes with your phone when you buy it.
Stock ROM 13.
Is a fully standalone version of the OS, including the kernel (which makes everything run),
apps, services, etc - everything you need to operate the device, except it's customized by
someone in some way.

Since Android is open source, developers are free to take stock ROMs, modify them, strip
them of garbage, optimize them, add things, and pretty much do whatever their imagination
and skills allow.

Custom ROM 14.

According to Google "Android Debug Bridge (adb) is a versatile tool lets you manage the
state of an emulator instance or Android-powered device."

It actually is two different applications -- one running on your computer (Windows, Linux or
Mac) and one running on your phone. When your phone is connected, and USB debugging is
enabled, you can issue commands and communicate with the phone using your computer
screen and keyboard.

Android Debug Bridge (ADB) 15.

Is the Radio or Modem version depending upon the Phone Model, Carrier and Android
Software Stack version. The Radio/Modem file is flashed via Recovery tool (other options
are ADB/ODIN).

The mismatched Radio/Modem and ROM will lead to things not working. You need to find
the matching Radio/Modem for the particular ROM you are running.

The radio firmware controls basic low-level functions like network connectivity, Wi-Fi, and

Upgrading Radio firmware will fix connectivity issues, increase range or performance,
decrease battery usage, etc. Incorrect Radio frimware can disable some functions in your
phone such as MMS, 3G Data, VM Notifications, etc.

Baseband 16.
Stands for Android Open Source Project.
When you see an AOSP ROM, it means its as basic as it gets. No Sense, no nothing. It runs
generally faster than a sense based ROM.

AOSP ROMs are not based on any specific release or particular phone programming. Vanilla,
cupcake, eclair, froyo, (AND SOON!!) gingerbread, were all built from coding off the AOSP

Doesn't make any AOSP ROMs lesser (or better) than any other ROM. Just means the dev
built the ROM"from scratch," if you will. It's not a modded existing ROM, it's completely

You just don't get any of the visual flash. So basically, if you use the emulator fromthe SDK,
you see AOSP android.

AOSP 17.
OEM Flash Software 18.
On some devices, the first time you acquire root, you must use the native OEM diagnostic or flash
software. After flashing the firmware and accessing root, you will usually use a custom recovery
for further firmware changes. Root can often only be achieved by flashing a complete signed
Android Page 5
for further firmware changes. Root can often only be achieved by flashing a complete signed
firmware package with OEM tools. If your device requires an external program (other than the
native Android SDK tools-Android Debug Bridge (ADB) and Fastboot) to write the new firmware
the first time, then it will need a complete signed firmware package. For example, the first root
method available for the Droid I involved using Motorola's RSDLite technician tool to flash a
custom bootloader to the boot section of the file system. Similarly, many devices featuring the
Tegra 2 processor require the use ofNVFlash and Samsung devices often make use of ODIN.
Sometimes the only way to recover a bricked device is to use OEM flash software.
It is usually fairly safe and straightforward to attempt.
There are relatively few, uncomplicated steps in the process.
The advantages of using OEM flash software are that:
It is sometimes difficult to use or understand. At best, the interface is sparse; at worse, it
can be in language that you do not understand.

OEMdebugging software can be difficult to find and keep updated.

The disadvantages of using OEM flash software are that:
Android Page 6