Tag Archives: android

Hacking the initrd in Ubuntu Touch

This week I’ve been hacking some of the initrd scripts in Ubuntu Touch and I thought that I’d share some of the things I learned. All of this work is based on using Image Update images, which are flashable by doing phablet-flash ubuntu-system. First, why would you want to do this? Well, the initrd includes a script called “touch” which sets up all of the partitions and does some first boot migration. I wanted to modify how this process works for some experiments on customizing the images.

Before getting started, you need the following packages installed on your dev box: abootimg, android-tools-adb, android-tools-fastboot

Note: I was told after posting this that it won’t work on some devices, including Samsung devices, because they use a non-standard boot.img format.

Getting the initrd

The initrd is inside the boot.img file. I pulled mine from here, but you can also get it by dding it off of the phone. You can find the boot partition on your device with the following scriptlet, taken from flash-touch-initrd:

for i in $BOOT; do                                                              
path=$(find /dev -name "*$i*"|grep disk| head -1)                           
[ -n "$path" ] && break                                                     
echo $path

Once you have the boot.img file by whatever means you used, you need to unpack it. abootimg is the tool to use here, so simply run abootimg -x [boot.img]. This will unpack the initrd, kernel and boot config file.

Unpacking and Hacking the initrd

Now that you have the initrd, you need to unpack it so you can make changes. You can do this with some cpio magic, but unless you have a UNIX-sized beard, just run abootimg-unpack-initrd . This will dump everything into a folder named ramdisk. (UNIX beard guys: mkdir ramdisk; cp initrd ramdisk; cd ramdisk; cat initrd | gzip -d | cpio -i)

To make changes, simply cd into ramdisk and hack away. For this example, I’m going to add a simple line to ramdisk/scriprts/touch. My line is

echo "mfisch: it worked!" > /dev/kmsg || true

This will log a message to /var/log/kern.log which can assist us to make sure it worked. Your change will probably be less trivial.


Repacking the initrd is simple. To repack, just run abootimg-pack-initrd [initrd.img.NEW] Once you do this you’ll notice that the initrd size is quite different, even if you didn’t make any changes. After discussing this with some people, the best I can figure is that the newly packed cpio file has owners and non-zero datestamps, which make it slightly larger. One clue, when compared to mkinitramfs, abootimg-pack does not use the -R 0:0 argument and there are other differences. If you want to do this the hard way, you can also repack by doing: cd ramdisk; find . | cpio -o -H newc | gzip -9 > ../initrd.img.NEW

Rebuilding the boot image

The size change we discussed above can be an issue that you need to fix. In the file bootimg.cfg, which you extracted with abootimg -x, there is a line called bootsize. This line needs to be >= the size of the boot.img (not initrd). If the initrd file jumped by 4k or so, like mine did, be sure to bump this as well. I bumped mine from 0x837000 to 0x839000 and it worked. If you don’t do this step, you will wind up with a non-booting image. Once you correct this, rebuild the image with abootimg:

abootimg --create saucy-new.img -f bootimg.cfg -k zImage -r initrd.img.NEW

I’ve found that if your size is off, it will sometimes complain during this step, but not always. It’s best to check the size of saucy-new.img with the line you changed in bootimg.cfg at this point.

Flashing and testing

To flash the new boot image, reboot the device and use fastboot.

adb reboot bootloader
fastboot flash boot saucy-new.img

Use the power button to boot the device now.

Once booted you can go check out the kern.log and see if your change worked.

Aug 13 16:11:04 ubuntu-phablet kernel: [    3.798412] mfisch: it worked!

Looks good to me!

Thanks to Stephane Graber and Oliver Grawart for helping me discover this process.

Tagged , , ,

How to Unroot a Samsung Galaxy Nexus (CDMA) Without USB

This weekend the USB port on my Galaxy Nexus died. I could get it to charge, if I plugged it in about 10 times and wiggled it some, but no USB. Before I could take it back to Verizon, I needed to unroot it, reflash the stock ROM, and relock the boot loader. After digging around on various forums, here are the steps I used that worked for me.


  • You can brick your phone by doing this, so if you don’t know much about rooting, I don’t recommend these steps.
  • If USB works fine, follow these steps instead.
  • I’ve only tried this on a Verizon phone. You will certainly need a different tarball if you have a GSM device.
  • This will erase all files, texts, apps, pictures, EVERYTHING, from your phone.

Re-lock the Bootloader

If you skip this step, there is a tell-tale unlocked icon when the phone boots, so I considered this critical. Fortunately in late June 2012 there was an app published called BootUnlocker for the Galaxy Nexus posted in the app store (discussion thread).
So download and install the app, and run it. The options are simple, Lock and Unlock. You want to click Lock. Do NOT reboot at this point. I don’t know if the next steps will work if you reboot with a locked boot loader.

Install Mobile Odin Pro

From the Play Store on your phone, install Mobile Odin Pro. It costs $5, but a denied warranty on your Galaxy Nexus will cost far more.

Download the Tarball

You need to download the Mobile Odin compatible tar file. Use the PDA link for the tar file from this thread. The tar file is about 470 MB and is called VzW-PDA-ODIN-I515EL03_ICL53F_signed.tar. This tarball includes all the files you need to flash back to stock. Note: I could not get it to download directly from my phone, if this happens to you also, skip to “Wirelessly Copying ROM to Phone”

Wirelessly Copying Tarball to Phone

If you were able to download the ODIN ROM directly to your phone, you can skip this step.

Go into Settings->Developer Options and enable Remote ADB. You will need to be on wi-fi. Noting the IP of your phone, run this on your PC:

adb connect [IP of phone]

If it doesn’t connect, try a few more times. You may need to run adb kill-server and try to connect again if you still cannot connect. Once connected, you should be able to use adb push to copy the VzW tar file over. Note: It took over an hour for the copy to work for me.

There are other options for copying the file if this doesn’t work for you, uploading it to Box.net or Dropbox, samba, etc.

Flashing Back to Stock

Open Mobile ODIN Pro. Scroll down to “Open file…” and select the tarball you just copied over. It should then load a bunch of info for different components to be flashed. I also checked the Wipe Data and Wipe Dalvik cache options. You do NOT want everroot enabled! Then, just flick Flash Firmware. Your phone will flash itself back to stock. This takes about 5 minutes.

Note: “Open file…” is not shown on the screen shots

Final Update

Once the phone comes back up, sign-in and do setup as usual. Then go to Settings->About Phone->System Updates and check for an update. There is one system update you will be missing at this point (as of July 2012). I also went to the Play Store, signed-in, and retrieved my apps. While the apps were downloading the system update showed up. This was either due to a delay after checking for the system update or because I had not signed into Play. If the system update doesn’t start within 5 minutes of checking for updates, sign into the Play store, I think that will fix it. This final update takes about 5 more minutes to flash.


You now have an unrooted, stock, locked bootloader phone and are ready for warranty service.

Tagged , ,