Extract Android ROM for reverse-engineering


Hi mates :)

I will list the manufacturers from which I've managed to extract ROMs so far, and the method for each. Then, in the last part, if you don't have readable sources, I'll tell you how to get .java files (it's not always the same code as the original sources; it can be altered sometimes).

Disclaimer: I do not take any responsibility and am not liable for any actions done with the sources obtained. I only provide a way to read sources from official ROMs for a few brands; use it at your own risk.

That said, I'm not the only one providing this kind of information, but I've run across some issues that can be blocking, so this is mainly a reminder. If any link becomes dead, leave me a comment and I'll try to fix it as fast as possible.

Huawei

Huawei stock ROMs are often packaged as a .app file. It's a custom archive containing image files (.img) wrapped in several layers. The format is not readable by 7zip or WinRAR, so before you can read sources from this manufacturer there is a bit of pain:

  1. Download ActivePerl or PERL for your OS: http://www.activestate.com/activeperl OR https://www.perl.org/get.html
  2. Then download the script split_updata.pl here: https://github.com/JoeyJiao/split_updata.pl (thanks to McSpoon, ZeBadger and JoeyJiao for their work)
  3. Execute the script from the PERL command line:
    perl <path to split_updata.pl> <path to update.app>


  4. Fix step (optional): for Windows users like me, be careful to execute the 64-bit version of PERL; with the 32-bit version you'll have issues with ROMs over 2 GB. (I thought by default I was using the 64-bit version in the CLI, but that was not the case.)
  5. It will create an output folder containing unknown.x files.
  6. Then download a batch file named HuaweiFinder.bat, here: https://docs.google.com/file/d/0B5LJgOGBjYOBd19ldGRsUF9meUU/edit
  7. Place the script into the output folder created, and run it.
  8. It should take a while, and then it transforms the unknown files into .img files!
  9. Now the ROM is contained in system.img, but the format is still not extractable!
  10. So you have to download the ext4_unpacker tool; it will let you smoothly extract the files from the image. Download it here: https://sourceforge.net/projects/androidicsjbext/
  11. Launch ext4_unpacker.exe, then choose « Open » and browse to your system.img. You will see the contained files.
  12. Select all the files and folders, then right-click and choose « Extract ». Choose your output folder and click OK!
  13. You should be done and have your files in the chosen folder!

Now you have .odex and .jar or .apk files. At the moment they are unreadable, but we will baksmali and smali all of this and then we should be able to view sources! Go to the second part of my article to make the magic happen!
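If you want to see what split_updata.pl is actually doing to the .app container rather than treating it as a black box, here is an added example (my own code, not the Perl script and not any Huawei documentation) that walks a constructed UPDATE.APP-style container and carves out each embedded image. The record layout it assumes is the one the Perl script expects as I recall it: a 0x55AA5AA5 magic, a 98-byte fixed header carrying the header length, sequence number, file size and a 16-byte type string, a per-block checksum table after it, and records padded to 4 bytes. The sample container is built in memory and the checksum table is never verified, so treat the layout as an assumption and compare it with the script before relying on it for a real firmware.

```python
"""Carve the embedded images out of a Huawei UPDATE.APP-style container.

Assumed record layout (what split_updata.pl expects, from memory; verify
against the script): each file is introduced by a 98-byte fixed header
followed by a per-block checksum table, and records are padded to 4 bytes.
"""
import struct

MAGIC = b"\x55\xAA\x5A\xA5"
# magic, header length, unknown, hardware id, sequence, file size,
# date, time, type, blank, header checksum, block size, blank
HEADER_FMT = "<4sII8sII16s16s16s16sHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 98


def _align4(n):
    """Round n up to the next multiple of 4 (record boundaries are 4-aligned)."""
    return (n + 3) & ~3


def build_record(seq, file_type, payload, hardware_id=b"HW_ID_00", block_size=4096):
    """Wrap `payload` in a record (constructed sample data, not a real firmware).

    The per-block checksum table is left zeroed: iter_records() skips it,
    as the Perl script does, so its real algorithm is not needed here.
    """
    n_blocks = (len(payload) + block_size - 1) // block_size
    table = b"\x00\x00" * n_blocks
    header = struct.pack(
        HEADER_FMT, MAGIC, HEADER_LEN + len(table), 1,
        hardware_id.ljust(8, b"\x00"), seq, len(payload),
        b"2016.11.23".ljust(16, b"\x00"), b"06.11.00".ljust(16, b"\x00"),
        file_type.ljust(16, b"\x00"), b"\x00" * 16, 0, block_size, 0)
    record = header + table + payload
    return record + b"\x00" * (_align4(len(record)) - len(record))


def iter_records(blob):
    """Yield (type, sequence, payload) for each record, raising on corruption."""
    pos = blob.find(MAGIC)  # the container starts with a padding area
    if pos < 0:
        raise ValueError("no record magic found")
    while pos + HEADER_LEN <= len(blob):
        fields = struct.unpack_from(HEADER_FMT, blob, pos)
        magic, header_len, _unknown, _hw_id, seq, size, _date, _time, ftype = fields[:9]
        if magic != MAGIC:
            raise ValueError(f"bad record magic at offset {pos:#x}")
        if header_len < HEADER_LEN or pos + header_len + size > len(blob):
            raise ValueError(f"truncated record at offset {pos:#x}")
        payload = blob[pos + header_len:pos + header_len + size]
        yield ftype.rstrip(b"\x00").decode("ascii", "replace"), seq, payload
        pos = _align4(pos + header_len + size)
        if blob[pos:pos + 4] == b"\x00\x00\x00\x00":  # trailing padding: done
            break


def carve(blob):
    """Map each record type (e.g. 'SYSTEM', 'BOOT') to its image bytes."""
    return {ftype: payload for ftype, _seq, payload in iter_records(blob)}


def is_well_formed(blob):
    """True if every record parses cleanly; run this before extracting."""
    try:
        for _ in iter_records(blob):
            pass
        return True
    except ValueError:
        return False


def sample_container():
    """A constructed two-record container with a 92-byte leading pad."""
    return (b"\x00" * 92
            + build_record(1, b"BOOT", b"ANDROID!" + b"k" * 1001)
            + build_record(2, b"SYSTEM", b"s" * 1029))


if __name__ == "__main__":
    for ftype, seq, payload in iter_records(sample_container()):
        print(f"#{seq} {ftype:8s} {len(payload)} bytes")
```

The payload lengths in the sample are deliberately not multiples of 4, so the walker has to honour the alignment padding between records; a truncated container or a damaged magic makes `is_well_formed()` return False instead of silently producing a short system.img.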


Sony

Sony stock ROMs are much easier to unpack. Normally you should have a .ftf archive. Do the following:

  1. Unzip the archive with 7zip or WinRAR.
  2. You should get a bunch of .sin files. These .sin files can be extracted with a tool named Flashtool; you can download it here: http://www.flashtool.net
  3. Once the tool is installed, just run it, click « Tools » in the top menu, then click « Sin editor ».
  4. Select the « system.sin » file among your previously extracted files and click « Extract ». You should get, in the same directory, a file named « system.ext4 ».
  5. This file is a Linux filesystem image, and if the ROM is recent it will have a larger header than older ext4 files (32 bits rather than 28, if my memory serves me well), so you will not be able to unpack it with ext4_unpacker. No luck. Try the ext2explore tool instead: https://sourceforge.net/projects/ext2read/files/Ext2Read%20ver%202.0/ext2explore%202.0%20beta/ (this version is a bit old; if it doesn't work, search for a newer one. I'll post mine later on my site for download if needed.)
  6. You can then open the ext4 file normally with this software, and once it's done, save it. You will get your complete ROM files extracted.

As I said for Huawei, your files are still unreadable, but I'll cover that part, which is the same for all manufacturers, in the second part of this article.


Samsung

Samsung is harsh! (And they have some native apps that are really badly coded, lol; I won't say which because I want to live long.) The common format for Samsung stock ROMs is .tar.md5 files. Here are the steps to follow to extract them:

  1. Use WinRAR or 7zip to open the archive (it will prompt an error modal saying there is no correct record at the end of the file; ignore it and continue).
  2. Once the archive is open, just select the 3 important files: system.img.ext4, cache.img.ext4 and hidden.img.ext4 (or all *.img.ext4 files that you have).
  3. Extract only these files.
  4. Once you have them, create a folder named « system » and put the files in it.
  5. Now you will have to download the sgs2toext4 tool: http://forum.xda-developers.com/attachment.php?attachmentid=645320 ; it's an easy-to-use JAR.
  6. Open the JAR (you'll need Java on your machine, of course), then drag and drop, one by one, the 3 files you've put in the « system » folder. (Be sure the task is finished for a file before dropping another one into the application window.)
  7. Once you've done this, you should have *.img.ext4.img files. « WOW », you'll say, « are you serious? ». Maybe. But if you don't do this, you will not be able to browse or extract your files. TOO BAD!
  8. So just download https://sourceforge.net/projects/ext2read/files/Ext2Read%20ver%202.0/ext2explore%202.0%20beta/ (this version is a bit old; if it doesn't work, search for a newer one. I'll post mine later on my site for download if needed.) and open the Linux file explorer app.
  9. You can then open the img.ext4.img file normally with this software, and once it's done, save it. You will get your complete ROM files extracted.

Finally, you should have *.odex.xz files along with the apk and jar files. The source files are obtained a bit differently here. I'll give you a little secret to save a lot of your precious time: use the JoelDroidLollipopBatchDeodexer tool; it will process a directory and convert the odex.xz files and their respective apk and jar files to class sources.
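Why the Sony and Samsung steps differ: the *.img.ext4 files in Samsung firmware are usually Android sparse images, and expanding them into the raw *.img.ext4.img filesystem image is, as far as I know, exactly what the sgs2toext4 step does; Sony's system.ext4 is already a raw filesystem image, whose superblock sits 1024 bytes into the file. The added example below (my code, not part of the original post nor of sgs2toext4 or ext2explore) tells the two apart by their magic values and expands a sparse image in pure Python, handling the RAW, FILL, DONT_CARE and CRC32 chunk types of the AOSP sparse format. The sample image is constructed in memory with a 1024-byte block size rather than the usual 4096.

```python
"""Tell an Android sparse image from a raw ext4 image, and expand the sparse one.

Added example, not part of the original post or of sgs2toext4/ext2explore.
Format constants are those of the AOSP sparse image format and of the ext4
superblock; the sample image is constructed in memory.
"""
import struct
import zlib

SPARSE_MAGIC = 0xED26FF3A
SPARSE_HDR_FMT = "<IHHHHIIII"   # magic, major, minor, file_hdr_sz, chunk_hdr_sz,
                                 # blk_sz, total_blks, total_chunks, image_checksum
CHUNK_HDR_FMT = "<HHII"          # chunk_type, reserved, chunk_sz (blocks), total_sz (bytes)
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4

EXT4_SUPERBLOCK_OFFSET = 1024    # the superblock always starts 1 KiB into the image
EXT4_MAGIC_OFFSET = 0x38         # s_magic within the superblock
EXT4_MAGIC = 0xEF53


def image_kind(data):
    """Return 'sparse', 'ext4' or 'unknown' for an image blob."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == SPARSE_MAGIC:
        return "sparse"
    off = EXT4_SUPERBLOCK_OFFSET + EXT4_MAGIC_OFFSET
    if len(data) >= off + 2 and struct.unpack_from("<H", data, off)[0] == EXT4_MAGIC:
        return "ext4"
    return "unknown"


def unsparse(data):
    """Expand a sparse image into the raw image it describes."""
    (magic, major, _minor, file_hdr_sz, chunk_hdr_sz,
     blk_sz, total_blks, total_chunks, _image_checksum) = struct.unpack_from(SPARSE_HDR_FMT, data)
    if magic != SPARSE_MAGIC or major != 1:
        raise ValueError("not an Android sparse image")
    out = bytearray()
    pos = file_hdr_sz
    for _ in range(total_chunks):
        ctype, _reserved, chunk_blocks, total_sz = struct.unpack_from(CHUNK_HDR_FMT, data, pos)
        body = data[pos + chunk_hdr_sz:pos + total_sz]
        nbytes = chunk_blocks * blk_sz
        if ctype == CHUNK_RAW:              # literal block data
            if len(body) != nbytes:
                raise ValueError("RAW chunk size mismatch")
            out += body
        elif ctype == CHUNK_FILL:           # one 4-byte pattern repeated over the chunk
            out += body[:4] * (nbytes // 4)
        elif ctype == CHUNK_DONT_CARE:      # unwritten blocks: materialise as zeros
            out += b"\x00" * nbytes
        elif ctype == CHUNK_CRC32:          # running CRC over everything expanded so far
            expected = struct.unpack("<I", body[:4])[0]
            if zlib.crc32(bytes(out)) & 0xFFFFFFFF != expected:
                raise ValueError("CRC32 chunk does not match expanded data")
        else:
            raise ValueError(f"unknown chunk type {ctype:#x}")
        pos += total_sz
    if len(out) != total_blks * blk_sz:
        raise ValueError("expanded size differs from header total_blks")
    return bytes(out)


def sample_sparse_image(blk_sz=1024):
    """Constructed sparse image, returned with the raw image it should expand to.

    Block 0 is DONT_CARE, block 1 is RAW and carries an ext4 superblock magic,
    blocks 2-3 are one FILL chunk, and a trailing CRC32 chunk closes the image.
    """
    block1 = bytearray(blk_sz)
    struct.pack_into("<H", block1, EXT4_MAGIC_OFFSET, EXT4_MAGIC)
    fill = struct.pack("<I", 0xDEADBEEF)
    raw = b"\x00" * blk_sz + bytes(block1) + fill * (2 * blk_sz // 4)
    chunks = [
        struct.pack(CHUNK_HDR_FMT, CHUNK_DONT_CARE, 0, 1, 12),
        struct.pack(CHUNK_HDR_FMT, CHUNK_RAW, 0, 1, 12 + blk_sz) + bytes(block1),
        struct.pack(CHUNK_HDR_FMT, CHUNK_FILL, 0, 2, 16) + fill,
        struct.pack(CHUNK_HDR_FMT, CHUNK_CRC32, 0, 0, 16)
        + struct.pack("<I", zlib.crc32(raw) & 0xFFFFFFFF),
    ]
    header = struct.pack(SPARSE_HDR_FMT, SPARSE_MAGIC, 1, 0, 28, 12, blk_sz, 4, len(chunks), 0)
    return header + b"".join(chunks), raw


if __name__ == "__main__":
    sparse, raw = sample_sparse_image()
    print(image_kind(sparse), "->", image_kind(unsparse(sparse)), len(unsparse(sparse)), "bytes")
```

Running `image_kind()` on a file first tells you which of the two manual routes above applies; if it reports "sparse", `unsparse()` gives you the raw image that ext2explore can open. For a real system image the output is the full partition size, so write it to disk rather than holding it in memory.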


When you get odex files

Now it's pretty simple: you will have to use 2 tools, called baksmali and smali, part of the smali tool set. The project is here: https://github.com/JesusFreke/smali. I downloaded the JARs here: https://bitbucket.org/JesusFreke/smali/downloads. (It sounds like he only stores his releases on Bitbucket.)

Now that you have both the smali and baksmali tools, choose the sources you want to deodex and run the following command:

java -jar path_to\baksmali.jar -d path_to\rom\system\frameworks -x path_to\file.odex

Of course you have to replace the paths with the ones to your own files. -d just defines a class path directory that baksmali uses to resolve the classes it needs. This class path is (for all the ROMs I have disassembled, at least) the framework directory in system. -x refers to an .odex file. You must have, in the same directory, a file with the same name but with a .jar or .apk extension! (example: weather_forecast.odex and weather_forecast.apk).

Once you've done that, you should have an « out » folder created, containing smali files. Now we will use smali to transform these files into a dex file! You will name this file classes.dex. Let's do it:

java -jar path_to\smali.jar path_to\out -o classes.dex

You now have a classes.dex file! The last steps are the following. Open the .apk with an archive explorer like 7zip or WinRAR, then copy your freshly generated classes.dex file into the archive. The apk contains everything else it needs; it just needs this final touch to reveal its sources!

This final touch is called jadx! Download jadx here: https://github.com/skylot/jadx. In the download section of skylot's jadx project main page, he lists different download sites. Just grab the latest stable version (I didn't use the GUI one; I took the CLI version).

If you have the Android SDK, you should have a zipalign tool in the SDK directory. As an optional step, if you have issues with the apk archive containing your classes.dex file, you can use zipalign to « clean » your .apk (the first argument is the alignment in bytes, which zipalign requires):

zipalign 4 weather_forecast.apk zip_weather_forecast.apk

The very last thing to do is to call the tool from a command line interface like this:

jadx path_to\your_apk_with_dex.apk

The only argument is the location of the apk containing its classes.dex file. If you understood the process and followed my steps, you should now have the sources of the apk!
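Before dropping the generated classes.dex into the apk and running jadx, it is worth checking that the file smali produced is a well-formed DEX: jadx's complaints about a truncated or mis-assembled file are far less clear than a header check. The added example below (my code, not from the post, smali or jadx) validates the DEX header as laid out in the Dalvik executable format (magic, header size, endian tag, file size, Adler-32 checksum and SHA-1 signature) and then does the "copy classes.dex into the archive" step with Python's zipfile instead of 7zip. The sample apk and the header-only sample dex are constructed and are not loadable apps.

```python
"""Validate a classes.dex header and place the file into an apk.

Added example, not from the post, smali or jadx. The DEX header layout is
the one documented for the Dalvik executable format; the sample dex is a
header-only blob and the sample apk holds placeholder entries, so neither
is a loadable app.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_FMT = "<8sI20s" + "I" * 20   # magic, checksum, signature, then 20 uint32 fields
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
KNOWN_MAGICS = {b"dex\n035\x00", b"dex\n037\x00", b"dex\n038\x00", b"dex\n039\x00"}


def dex_problems(data):
    """Return the list of header problems found; an empty list means it checks out."""
    if len(data) < DEX_HEADER_SIZE:
        return ["shorter than a DEX header"]
    fields = struct.unpack_from(DEX_HEADER_FMT, data)
    magic, checksum, signature, file_size, header_size, endian_tag = fields[:6]
    problems = []
    if magic not in KNOWN_MAGICS:
        problems.append(f"unexpected magic {magic!r}")
    if header_size != DEX_HEADER_SIZE:
        problems.append(f"header_size {header_size:#x} != 0x70")
    if endian_tag != ENDIAN_CONSTANT:
        problems.append("endian_tag is not the little-endian constant")
    if file_size != len(data):
        problems.append(f"file_size {file_size} != actual {len(data)}")
    # The checksum covers everything after itself; the signature covers everything after itself.
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        problems.append("adler32 checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        problems.append("SHA-1 signature mismatch")
    return problems


def inject_classes_dex(apk_bytes, dex_bytes):
    """Return a copy of the apk with classes.dex replaced by dex_bytes; other entries are kept."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != "classes.dex":
                dst.writestr(info, src.read(info))
        dst.writestr("classes.dex", dex_bytes, compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue()


def apk_entries(apk_bytes):
    """Entry names inside the apk (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return z.namelist()


def check_apk(apk_bytes):
    """Problems with the classes.dex inside an apk (empty list if none)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        if "classes.dex" not in z.namelist():
            return ["apk has no classes.dex"]
        return dex_problems(z.read("classes.dex"))


def sample_dex():
    """Constructed header-only DEX with a consistent checksum and signature."""
    tail = struct.pack("<" + "I" * 20, DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT, *([0] * 17))
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + tail


def sample_apk():
    """Constructed apk skeleton with placeholder entries (not installable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder, not a real binary manifest")
        z.writestr("res/layout/main.xml", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    patched = inject_classes_dex(sample_apk(), sample_dex())
    print(apk_entries(patched), check_apk(patched) or "classes.dex header OK")
```

On a real file, replace `sample_dex()` with the bytes of the classes.dex that smali wrote and `sample_apk()` with the apk read from disk; a single flipped byte anywhere after the header's checksum field shows up as both a checksum and a signature mismatch, which is the kind of corruption that otherwise surfaces only as a confusing decompiler error.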

Then again, don't forget it's forbidden to modify something, recompile the whole app, put it back into the framework, recompile the stock ROM and distribute it. Illegal, bad! No! There is enough spyware, keyloggers and trackers around already without you adding one to official ROMs ;)


3 thoughts on “Extract Android ROM for reverse-engineering”

  1. Ivan Bellard, Nov 23, 2016, 06:11

    Ok. Very nice article. On the Samsung part, you explained how to obtain the source file and modify it as you like. And after you have made any change, how to put it back and flash it back? Waiting for your prompt reply.
    Tks.

    • Alexandre, Nov 25, 2016, 09:38

      Hi Ivan, I didn't flash the extracted ROM, I only had to do research on things to see if they were implemented.
      But if you want to do so, I guess you can easily install a custom recovery (like TWRP) and use this tool to flash the ROM.
      To install one of these, you must select a compatible custom recovery for your phone, unlock your phone, enable USB debugging, install the custom recovery on the phone,
      then access the bootloader, flash TWRP via the bootloader menu, and then restart in recovery mode. You now have a lot of options; one of them lets you install another ROM.
      Hope it helps :) Regards

  2. Braulio, Apr 30, 2017, 22:02

    Hi. Hope you're fine. Do you know where to find ROMs for AOC devices (like TVs)?
