How I Freed My Android Tablet: A Journey in Reverse Engineering

Slashdot reader ttsiod is an embedded software engineer at the European Space Agency, and shares this story about his quest to "dominate" his new tablet: Just like it's predecessor, I wanted to run a Debian chroot inside it -- that would allow me to apt-get install and run things like Privoxy, SSH SOCKS/VPN tunnels, Flask mini-servers, etc; and in general allow me to stay in control. But there was no open-source way to do this... and I could never trust "one-click roots" that communicate with servers in China... It took me weeks to reverse engineer my tablet -- and finally succeed in becoming root. The journey was quite interesting, and included both hardware and software tinkering. I learned a lot while doing it -- and wanted to share the experience with my fellow Slashdotters...
He writes that "I trust Debian. Far more than I trust the Android ecosystem," and describes everything from how he probed the boot process and created his own boot image to hunting for a way "to tell SELinux to get off my lawn".

you think it won't get worse?

At one point in time every kind of personal computer you could buy would be yours.

Then people started buying locked down devices, which became a bigger and bigger part of the market. Because why not? People buy them, and it's better for the selling company to maintain control of the device so they can exfiltrate your data, lock you into their software store to reap a cut off the top, or disable the device remotely.

But, generally, you could still get past against-the-owner security in various ways. But companies are learning from the holes, and each generation is more difficult to bypass. Even whitebox PCs are moving in this direction.

The ownership-era for general purpose computing devices is drawing to a close. Step back to 1970's someone playing with their Apple II or C= Pet and try to explain to them that someday, their computer will take orders from someone else in preference to theirs. They might not even understand how such a thing would be possible, but a million tiny steps have led us to our cages. The next million tiny steps will throw away the key. At each step, people get to argue, "THAT step didn't cause the problem. Why are you complaining so much??"

Thus ends the potential freedom brought about by the computing revolution.

Re:you think it won't get worse?

[spire3661]

You do realize Stallman has been saying this stuff since the 70s right? Its been a known problem for a VERY long time and we fought the good fight for as long as we could, but pocket computers killed it.

Re:you think it won't get worse?

we fought the good fight for as long as we could, but rampant technical illiteracy killed it.

FTFY.

Re:you think it won't get worse?

I agree to a point; with more technology existing every day, there are also more options to build slow, but still quite fast computers. There already is a market of some kind for open devices and the people having money (for example, you and I) will be able to afford open systems. A billionaire could fund the development of his own free and usable computer, if he/she so desired; something which wasn't possible in the beginning of computing.

Having said all that, it is a sad state of affairs that the mere existence of other monkeys also helps put intelligent people in cages due to economics of scale.

Re:you think it won't get worse?

[Kjella]

You do realize Stallman has been saying this stuff since the 70s right? Its been a known problem for a VERY long time and we fought the good fight for as long as we could, but pocket computers killed it.

Well I think it swings both ways, it's more and more obvious that you don't really control any closed source operating system, you pretty much must have security patches and everything else comes along for the ride and increasingly it can't be configured or disabled. That's the way of iOS, Android, Win10, they're trying to push that model on Win7/8, I'm not sure about OS X but they're probably not far behind. If you want control, you want Linux (or some other open source OS). That said, most people don't felt they were in control at all. By making Apple/Google/Microsoft the gatekeeper, they trust just one source instead of any random exe from the Internet. Same way most people want the CA system instead of messing with peer-to-peer trust. Because when they don't understand - and they won't understand, no matter how much you try to teach them - they end up trusting something or someone.

That said, what I'm mostly disappointed with is how the world has ended up revolving around a few, huge centralized services. Newsgroups, IRC, Email, blogs and really any kind of service that runs on a network or you could run from your own server is toiling in obscurity, you need to be on Facebook and Twitter and YouTube playing by their rules and if they want to wield the ban hammer there's very little you can do. Personally I'm far more concerned about how we've lost control of the human interaction rather than control over the local machine. And for the most part we don't own things in the digital world anymore we license or stream them, it's all permissions that can be revoked or services that can be shut down. That said, it works surprisingly well until one day it doesn't.

Re:you think it won't get worse?

[nnull]

What I find amazing is to what extent these manufacturers go to stop people from doing anything useful with these locked down devices. Seems to much time and effort is being put into obfuscation (Using even opensource software to do it) than actually making a useful product. My question is, why? Just seems silly and creates a lot more waste. There's so many of these devices out there right now, that doing this is completely pointless and doesn't even guarantee the customer is going to buy your product again.

Re: you think it won't get worse?

Goggle makes it super simple to enable lock down. You think the phone makers have time to spend on security??

Re:you think it won't get worse?

The same was about the smelly NSA laced NIST approved elliptic curve since day -1 and you see what it took to start to get rid of them. https://xkcd.com/743/

Re: you think it won't get worse?

Don't confuse illiteracy with complacency. Thereeven are plenty of capable people out there.
NOBODY CARES.
Why should they?

Re:you think it won't get worse?

[guacamole]

Because 99% of consumers do not even know the difference between locked and unlocked device, and most won't even care, sadly.

Re:you think it won't get worse?

[thygate]

+1000

Re:you think it won't get worse?

[kurkosdr]

To be 100% accurate, Nexus devices are yours. You can load a ROM that is pre-rooted and then do everything you want. Bootloader locks are a side-effect of the way Americans buy their smartphones, which is basically that they do not own them for the first one or two years but instead borrow them from the carrier 'till they pay them off during the course of the contract. So, the device is not yours to tinker with. Even before Android, there were all kinds of locks in the software for the carrier's behest.

Re:you think it won't get worse?

Considering the shit you are spewing out, you should be more conserned about your own hygiene.

Re:you think it won't get worse?

[rtb61]

Cough, cough, they only win, when we stop fighting. Really how much effort does it take to fight. Attack it on forums, every now and again, complain to the government every now and again, join in with consumer rights organisations, join in with personal rights organisation, refuse to buy products that do not serve you, well, do that always, seriously should you allow control over your own life to be treated as an inconvenience.

New actions, fuck up all their surveys, corporations treat me well and I will treat them well, attempt to make use of me and I will not serve you in any way and that includes lying on all surveys, purposefully create misinformation to poison their data bases (http://www.cs.nyu.edu/trackmenot/), it takes little effort. Don't be a fanatic though, just join in, have fun and basically strive to fuck up their schemes and scams. It's not winning or losing that counts, it's how much you make them lose trying to do things to you that you do not appreciate and if they lose more than they gain, then they will stop, one way or another.

Re:you think it won't get worse?

Ah, I see, personal attack. Very clever. That makes you a winner. Well done.

Re:you think it won't get worse?

[tentenone]

To be 100% accurate, Nexus devices are yours.

It's a shame they've taken that away with their new Pixel line.

Re:you think it won't get worse?

[Trogre]

Interesting. Do you judge every philosophy by the personal habits of its founder?

Re:you think it won't get worse?

[ShakaUVM]

>Well I think it swings both ways, it's more and more obvious that you don't really control any closed source operating system, you pretty much must have security patches and everything else comes along for the ride and increasingly it can't be configured or disabled. That's the way of iOS, Android, Win10, they're trying to push that model on Win7/8, I'm not sure about OS X but they're probably not far behind. If you want control, you want Linux (or some other open source OS). That said, most people don't felt they were in control at all. By making Apple/Google/Microsoft the gatekeeper, they trust just one source instead of any random exe from the Internet. Same way most people want the CA system instead of messing with peer-to-peer trust. Because when they don't understand - and they won't understand, no matter how much you try to teach them - they end up trusting something or someone.

True. But there's no connection between getting signed patches from Apple/Microsoft/Google and it being FOSS. You can have both. The only reason to lock down a platform so that users can't mess with it *if they want to* is control and money. Taking control away from users and putting it in the hands of A/M/G instead. On cell phones this was justified by the subsidies that cell phone carriers would pay - a carrier wouldn't want someone to buy a subsidized cell phone from them and then switch carriers (notwithstanding that this could just be enforced by ETFs and the like), so cell phones were locked down to remove root access to them. And because cell phones were, tablets have followed along, since tablets are just cell phones with larger screens.

Google does the minimum to be compliant to the GPL, and Apple and Microsoft barely even pretend. Windows 10 is a disaster for many reasons, but the biggest one to me is that it has finally removed the notion that the owner of a computer is, you know, the owner. Who can modify it to fit his needs as he wishes. Now you're just a user, and even with administrative privileges there are things you will not be allowed to do inside the OS. It's the biggest piece of shit move from the FOSS perspective that the world has ever seen.

The saddest thing that can ever be said is that Stallman was right again.

Re: you think it won't get worse?

[nnull]

Nope, but someone is.

Re:you think it won't get worse?

Been saying it since Trusted Computing was first announced.

If you buy a computer with a TPM in it, it's game over - you hopped compliantly into the cage.

Everything after that is software updates.

Re:you think it won't get worse?

Here's your answer: Incompetence, not malice.

Re:you think it won't get worse?

Nobody owes you hardware that you can do what you like - if that is what you want then it is up to you to buy the appropriate hardware.

Just like the masses, who don't want to be bothered with the hassles of deciding what is safe or not, have elected to buy "safe" locked down hardware.

If there are insufficient people who want open hardware, that isn't the market's fault.

Re:you think it won't get worse?

It's not market demand, it's government mandate and profit motive.

Re:you think it won't get worse?

[MrKaos]

My question is, why?

Sales. Anything that allows users to re-purpose devices is a sale lost. PC's were re-purposed often, so they learned how to fix that mistake.

Even better for them is they avoided costs by using the open source operating system designed to make it open, to close it instead.

Re:you think it won't get worse?

On cell phones this was justified by the subsidies that cell phone carriers would pay - a carrier wouldn't want someone to buy a subsidized cell phone from them and then switch carriers (notwithstanding that this could just be enforced by ETFs and the like), so cell phones were locked down to remove root access to them.

So what about countries with some actual freedom, who aren't stuck on a carriers dick? We don't usually get subsidized phones but they're still not "open" either (though you can switch carriers all you want, but that's far from the same). How is it still "justified" in those cases? It isn't. It never was justified. It is just a dirty game to squeeze more money out of you. After all, if you can't get updates anymore and you're too novice or simply don't trust or care to install custom roms, you will need to upgrade your phone, for many even long before they would have if they would still be able to get (official) updates.
Greed, that's all it is. For consumers there is absolutely no benefit that you could not have with it being (more) open.

Re:you think it won't get worse?

Meanwhile you keep buying locked down hardware because the open stuff has no apps or support. How much good does your slacktivism do then? Companies don't give a shit when the majority of customers keeps buying the locked down stuff. The only way they might even consider opening it up is if they see a significant portion of their customers move to a competitor that is open. Or if they get sued for it being locked down and not owned by the customers, but that will never happen because sadly those things are very legal. Or, well, if the government tells them to open it up, but as long as they have their usual backdoors they will never do that either.
So yea, buy consciously, get others to do it too, make them feel it in their profits, and then, MAYBE, we might see a little bit of change...

(atm there are no or barely no competitors even worth considering switching to for the vast majority of people, even tech enthousiasts (see firefox phone, jolla))

boot security

the problem is rooting more and more today. creating a non gui debian or other linux distro base is not that hard with a console and chroot.

Re:boot security

[93+Escort+Wagon]

... Which is exactly why the author shared this very interesting article - to demonstrate the great lengths he had to go just to root his tablet.

Incidentally, I had no idea Nexus tablets offered a serial console via the headphone jack! Useless for almost everyone; but very cool in an old-school sort of way... and crucial in this case! I wonder how long it'll be before that is removed as well.

Re:boot security

[nnull]

Which is why I'm still hopeful for that Ubuntu phone. Seems they haven't given up on it yet, hopefully the new release will be a lot better than before and not using an older phone model. Supposed to be out this year. I hope they resolve the manufacturing issues keeping people from purchasing it (It seems they've underestimated how many people would buy it).

Re: boot security

totally agree. i was not arguing the points just another aknowledgement of what is.

Re:boot security

[guacamole]

Interestingly, based on the tutorial, it appears that this device is bootloader unlockable, which means that in theory, if someone built a TWRP recovery for this device, then rooting it would be a matter of flashing SuperSU from TWRP. The problem with this specific device appears not that it is locked down (it's not) but the lack of developer support for TWRP. Hence the need to root device via a "hard way".

Re:boot security

[MrKaos]

I wonder how long it'll be before that is removed as well.

Well Apple...

Well done

[kanweg]

Very very impressive. But of course, now we know you can do this, landing some more expensive stuff than a tablet on Mars without breaking it should be on your To Do list...

Bert
(You probably saw that one coming, didn't you?)

Excellent

[Virtucon]

Great read.

OMG

Good job achieving what millions did already. Just buy a noname tablet from China, they don't care if you root it, and there are probably dozens of ROMs to choose from.

Re:OMG

"Good job achieving what millions did already. Just buy a noname tablet from China, they don't care if you root it, and there are probably dozens of ROMs to choose from."

Could you list some names/provide some links?

This guy wasted his time, although it a good read

Dirty COW can be used in every Android kernel except the very latest versions, and can root the device easily.

https://en.wikipedia.org/wiki/Dirty_COW

Re:Hillary for jail 2016

It was Flavor-Aid, not Kool-Aid!

http://www.theatlantic.com/hea...

Reading comprehension is not really your thing, is it? I didn't write Kool-Aid.

Thanks for playing though. We have some lovely parting gifts for you.

Impressive

[JustAnotherOldGuy]

Gotta give this guy credit for doing some serious detective and reverse-engineering work. Good job.

Re:Impressive

Gotta give this guy credit for doing some serious detective and reverse-engineering work. Good job.

Agreed. +1

android makes me sad too

From the articles conclusion:

There were many points during this journey that I felt really sad.

Congrats on getting past it all to sort of gain some control back of the thing you nominally own.

Less than a year ago, I replaced my trusty n900 with an android device. A co-worker asked how I liked my new phone, and I answered, "Android makes me sad."

I tried the same thing as you (same ultimate goal, to have a working Debian chroot), but I failed.

Thanks for writing this up. SElinux (assumed this, but didn't figure out how to kill it) and caps must have been my issues, since I did get root. Maybe will re-visit this with some insights from your writeup.

Wow...

[XSportSeeker]

This is pretty awesome, and something I wish I could do.... just far too complex and involved for me.

I just kinda gave up, have plans to use an offline Android tablet, but for online stuff falling back to laptops with something like Qubes, Tails and whatnot.

I know there are some alternatives out there, but they are usually either very expensive or hard to get, and you end up in the same situation where you have to trust the guys who did it (stuff like Aquaris M10 Ubuntu tablet, Copperhead OS, BlackPhone 2).

In any case, kudos to ttsiodras(?).

Re:Wow...

[ttsiod]

> In any case, kudos to ttsiodras(?)

Thanks - that is indeed my handle nowadays. Though when I opened my Slashdot account back in my Uni days I went with 'ttsiod' - our mainframe (I believe it was called "Cyber"?) could only accommodate a maximum of 6 or 7 letter login names :-)

Re:Wow...

[MrKaos]

Thank you ttsoid! Suddenly all my old knowledge about serial became relevant again. Seeing you blog about serial ports, stty, was really nostalgic, I didn't realize it would be useful in the android domain. I'd say the tablet has a lot more computing power than those old machines had.

Coincidentally this article came when I am upgrading phone and tablet, which is also an asus, so I am set up to try some of the hacks you have described. I'm keen to see if the serial ports are on the headphone ports of the phone also. Perhaps they're used as a diagnostic port in the factory? I think that behind the battery of the smartphone the pads you can sometimes see are serial ports. I only ever considered them to be used as a way to access the AT command set to use features of the phone like a modem. But a serial console, of course, it's been mocking me the whole time.

I was also considering your predicament from the SELinux perspective and hierarchy of privileges. Busybox includes getty. Back in the day this was used to spawn a login on serial ports for serial terminals. It was common practice to spawn them from init, using inittab. I noticed you could get logins appearing before the rc process was finished. It also controlled where root could log in from and whilst generally restricted to the console, you could allow it on a serial port.

Obviously, this depends on if the SELinux policy allows init to read an /etc/inittab file - but there is only one way to find out. If it does, you maybe able to get the same privileges in the hierarchy as rc by simply bypassing it. This also leads to considering spawning the telnetd (or even sshd) directly from inittab, however I suspect that the SELinux policy might react in a different way to them than getty spawning the shell.

Frankly, I've only just got interested in android and your submission could not have been more timely. You triggered a cascade of memories and a bunch of stuff I want to try on the gear I have for the same motivation, I want all of the functionality of the device I own. I also see it's time to stop ignoring SELinux and get better at manipulating policies.

Thank you once again.

Found the LUDDITE!

Only LUDDITES would ever think of installing LUDDITE Debian on an app apping device!

Apps!

Re:Found the LUDDITE!

Only LUDDITES would ever think of installing LUDDITE Debian on an app apping device!

Apps!

Your AC post should be marked "-1: TROLL"

Re:Found the LUDDITE!

The hell it should. App apper guy is almost as good as the COWS guy. We need them more than life itself. Get with the program.

Wow. A true hacker. Great job!

[Qbertino]

The tenacity is noteworthy. This guy did a very good job at getting to the bottom of things and enabling total control over his tablet.
Well done!

Why Debian chroot

[guacamole]

I have an Android tablet for which root and TWRP are available as is without any trouble (thanks Samsung). The thing I am wondering about is why I'd need to install Debian chroot on it? Aren't Linux apps mostly optimized for computers with keyboards and all. What is its killer app?

Re:Why Debian chroot

The killer 'app' is getting away from 'apps' and running applications on a general purpose capable device. Rather than being stopped from doing so, for no reason.

  "Linux apps mostly optimized" I don't even know what that means.

Re:Why Debian chroot

I have an Android tablet for which root and TWRP are available as is without any trouble (thanks Samsung). The thing I am wondering about is why I'd need to install Debian chroot on it? Aren't Linux apps mostly optimized for computers with keyboards and all. What is its killer app?

No MOST linux apps are not optimised for keyboards. They are mainly optimised to run as headless services (and the userland that support them).

The top 5 most common apps run on linux (last time I looked about 2009) were apache, samba, mysql, php and squid proxy.

Re:Why Debian chroot

[unixisc]

I have an Android tablet for which root and TWRP are available as is without any trouble (thanks Samsung). The thing I am wondering about is why I'd need to install Debian chroot on it? Aren't Linux apps mostly optimized for computers with keyboards and all. What is its killer app?

You mean there are no libre-linux ways to chroot that tablet?

Re:Why Debian chroot

[guacamole]

And an Android tablet is hardly bought to be a headless server..

Re:Why Debian chroot

The tablet as a whole is not a headless server, but the Linux services you can install in the background happily run without a user interface, because they are designed to run on headless servers.

Re:Why Debian chroot

[guacamole]

And? You see I am trying to understand what's the point of running those unix services on a tablet or smartphone.

Re:Why Debian chroot

[dbIII]

The thing I am wondering about is why I'd need to install Debian chroot on it?

For when you want something that doesn't work with the version of Android that came with the device. The Debian portion can be updated but for a lot of Android devices you are stuck with the version that came with it.
The killer app will be something coming out in a year or two that you can't run without getting a new tablet or running different software on the one you've got. It could even be something like a new ereader file format that you could open in a normal PC web browser but your Android browser stuck at purchase date cannot.

Re:Why Debian chroot

[dbIII]

One amusing application of a tablet as a server is an offline wikipedia implementation.
It's done by dumping the wikipedia files to your tablet and then when you do not have a network connection it runs a lean web server application so that you can browse wikipedia on your tablet via the tablets web browser.

Re:Why Debian chroot

[Jesus_666]

The ereader format wouldn't be much of a problem. Android allows you to install alternative browsers and those usually support fairly old OS versions. For example, Firefox for Android supports everything down to 4.0, which is five years old now and probably will remain the baseline for what everyone must support for a few more years as some cheap low-end devices are still released with it AFAIK.

Re:Why Debian chroot

[dbIII]

I've got an Android 4 device and a lot of applications will not install.

Re:Why Debian chroot

Which, amusingly, is something that Thanassis did back in 2007 - https://www.thanassis.space/buildWikipediaOffline.html

Case closed :-)

Re:Why Debian chroot

[fard69]

Or use Kiwix without rooting...

Re:Why Debian chroot

[guacamole]

That's an argument with many flaws.

First of all, the Debian Linux applications for the most part are not meant to be convenient replacements for true touch-oriented Android apps. So this is basically about replacing a native touch-GUI optimized by outdated Android app with a relatively clunky Linux equivalent.

Second, a whole lot of Android devices can get updates by the means of third party ROMs. First of all, the big ROM projects like Cyanogenmod or OmniROM, etc, can cover quite a bit of hardware. Another source of more recent ROMs is the XDA developers forums. Basically, when it comes to popular devices there is quite a bit of ROMs out there. For example, Nexus 5 updates ended at 6.x, but there are 7.x community ROMs. I have LG G2 smartphone whose last official ROM was Lollipop 5.0.x, but there are community supported 6.x ROMs for it, and even 7.x ROMs by now. Any of those alternative Android ROM routes is a better way to get access to more recent applications on outdated Android hardware, then running a Linux distribution.

Re:Why Debian chroot

[guacamole]

Sadly, it's going to take a bit more to amuse me. In this age of ubiquitous wifi and smartphone tethering, I am not sure why I'd need to amuse myself with an off-line copy of a web site. Ok, maybe it could work out for a long flight or something.

Re: Hillary for jail 2016

i guess the future readers will never know....

Always connected Internet made securing your machi

Always-connected Internet made securing your machine impossible. This was the innovation that took away permanent control over your machine. After all, you "need" to install security patches so *other* programs or people on the Internet can't take over your machine, right? This means you can never "fix" your machine to a set configuration. You trust someone else to update your machine, and these updates keep control over you.

Hacking an Android tablet

But why? There cant be a need for that.

Apple iPads are the locked down devices. The "walled garden" devices.

Android devices are the open devices.

I'm sure of it. Slashdot told me so.

Repeatedly.

Re: Hillary for jail 2016

I always thought Hillary's pantsuits looked like inmate uniforms. Guess she was trying to tell us something.

Sell me that tablet

Great job. Sell me a tablet with the process done? Then crowd source the next one...?

Re:Hillary for jail 2016

[red+crab]

There ain't any good humor left on Slashdot these days. I guess the biggest casualty of this election is, no matter who wins, is the death of genuine wit in a large section of population - namely Trump supporters.

Can you reverse engineer that apostrophe?

It's means it is.

Ehm...

"It was as if Android creators absolutely HATED people like me, and did their best to make us suffer; because they group us together with malware authors; and add multiple layers of checks that don't distinguish between the owner of the machine and the developers of applications that run in the machine."

Android it's there and supported boards are not so painful to setup.
The point is OEM want to protect their IP and avoid thinkering.
In some case they even don't know themselves how to make some stuff work and put in place awful workarounds (e.g. china tablets roms, Samsung :D ...) because the provided BSP is already a mess.

You dont have to go through all that...

I used the one clivk root that talks to china. I then used the permisions to the file system to rewrite the boot sector and recovery. Then used unlocked boot and recovery to rewrite the device with the rom of my choosing with an open source root. Then booted and scanned to ensure the one click rooter was no longer present, remove any potential reminant and your done.

Re: You dont have to go through all that...

That process. Twrp and supersu. Done.