Nexus 7 Hacking

Subtitle: Things I don't do enough to remember exactly how they work... (inspired by the original instructions I followed with great difficulty and much googling for missing info in this xda thread).


SDK

You can download the SDK (Software Development Kit) tools you will need from the Google Android SDK web site and then read about Installing the SDK.

If you just want to do the sort of hacking described in here, you definitely do not need to install eclipse. You also don't need any of the different android version APIs or sample programs, etc. What you do need is the platform-tools package in addition to the basic SDK.

The Using Hardware Devices page describes some things you might need to do with udev rules on a linux system to get adb to talk to your Nexus 7 over USB when you don't want to run adb as root (which is probably the safest way to go :-). On my Fedora 17 system, it turned out I didn't need to do this (perhaps Google already has the right permissions built into the installed udev), but if I had needed to fix the permissions, I think this is the /etc/udev/rules.d/51-android.rules file I'd need:

SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0666", GROUP="plugdev"
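An added check, not part of the original page: MODE="0666" makes the USB device node readable and writable by every local user, while MODE="0660" together with GROUP="plugdev" limits it to members of that group. The function below (its name is hypothetical) reads rules on stdin and flags world-writable ones for the vendor id used in the rule above; the sample rules are constructed.

```shell
#!/bin/sh
# Added example: flag udev rules for USB vendor id 18d1 whose MODE grants
# write access to "other" users. The function name is hypothetical.

# Reads rules on stdin, prints each offending rule.
# Returns 1 if any world-writable rule is found, 0 otherwise.
audit_android_udev_rules() {
    found=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;                 # skip blanks and comments
        esac
        case $line in
            *'ATTR{idVendor}=="18d1"'*) ;;       # only the vendor id from the page
            *) continue ;;
        esac
        # Extract the octal mode, e.g. MODE="0666" -> 0666
        mode=$(printf '%s\n' "$line" | sed -n 's/.*MODE="\([0-7]*\)".*/\1/p')
        [ -n "$mode" ] || continue
        other=${mode#"${mode%?}"}                # last octal digit = "other" bits
        case $other in
            2|3|6|7)                             # write bit set for "other"
                printf 'world-writable: %s\n' "$line"
                found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample: the rule from the page and a tightened variant.
audit_android_udev_rules <<'EOF' || echo '=> use MODE="0660" so only plugdev members get access'
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0666", GROUP="plugdev"
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", MODE="0660", GROUP="plugdev"
EOF
```

To audit an installed file, run audit_android_udev_rules < /etc/udev/rules.d/51-android.rules.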

Aside from possible udev rules, you also need to enable USB debugging:


USB Debugging

Pretty much nothing will work when it comes to android hacking unless you first enable USB debugging. Do that from the Settings screen:

Dive into the Developer options and enable USB Debugging:

ABSURD NOTE: If you have gotten the android 4.2 update, you won't see the developer options choice in the settings screen until you first go to the About Tablet item and tap on the build number item seven times in a row. (This is not a rumor copied from The Onion, it is really true.)

What is USB debugging?

Basically, this enables a special service on the Nexus 7 which can communicate with the adb tool from the SDK to do debugging operations. Most of the hacking you'll do involves things classified as debugging operations, so you gotta have this turned on.


adb

Adb is the Android Debug Bridge and is handy for many things, but for the purposes of this web page, it is mainly useful to simply verify that the USB connection is working. If you plug in the Nexus 7 and type adb devices you should see it spit out a line with the serial number of your Nexus 7. If that works, it means you have all the nonsense above set up and installed correctly.

Don't forget that you need the SDK tools and platform-tools both in your PATH. For instance, I have the SDK installed on my Fedora 17 system in /zooty/andy/android-sdk-linux/, and I have /zooty/andy/android-sdk-linux/tools:/zooty/andy/android-sdk-linux/platform-tools: in my PATH environment to get access to all the tools.

One of the more obscure adb commands you might want to use is:

adb reboot bootloader

That will get you out of the android system on the Nexus 7 and into the Nexus 7 bootloader which you can talk to with the fastboot command:


fastboot

The fastboot command is similar to adb, but it talks to the bootloader, and it is the tool you need to use for hacky stuff like installing a different recovery.

Warning: I have to run this command as root. All I get is a waiting for device message if I run it as an ordinary user (though perhaps those udev rules I didn't think I needed could help?).

Once, and only once (unless you reverse the process), you'll need to do this:

fastboot oem unlock

That unlocks the Nexus 7. I have no idea what locking actually is as far as the innards of the Nexus 7 goes, but you can only do most of this hacking if you are unlocked, so you really need to unlock it.

The side effects of unlocking are kind of drastic: Anything you added to the sdcard will disappear. Any apps you installed will be gone. Any settings you configured will revert to default. You will have to run setup again and tell it who you are. Basically it will be reset to the state it came out of the factory. The sooner you unlock it, the less work you lose. (Of course, anything stored in the cloud like the free Transformers movie reappears once you set up the device and identify yourself once more).

Fortunately, once unlocked, you stay unlocked. No updates or anything will lock it again.

The other major use for the fastboot command is installing a recovery image. These come as files typically named with a .img suffix. You'll want to download the .img file for the recovery system you want to use (and for gosh sakes make sure you get a recovery built specifically for the Nexus 7 — the recovery images are highly device specific). Then you type:

fastboot flash recovery path-to-recovery.img

For the TWRP recovery I installed, I clicked on the Get TWRP for your device button on the TWRP home page and typed in Nexus 7 in the search dialog, which led to the download of the file openrecovery-twrp-2.3.1.0-grouper.img

Having loaded the recovery image, you can now use the bootloader you are sitting in to boot it:


Bootloader

How to get here:

There are at least a couple of ways:

  • Power off your Nexus 7 (hold down power key, select power off from menu, wait till screen goes black). Then hold down both the power button and the volume down button simultaneously till the screen comes on. The Nexus 7 will say “Google” for a bit then the screen above will appear.
  • With the USB cable plugged into your computer and the SDK tools installed so you can run adb, type: adb reboot bootloader

What is the bootloader?

The bootloader is the first step in getting android loaded and running, but it can load and run other things as well (such as the recovery image).

It is analogous to grub on a linux desktop system.

What can you do here?

The fastboot tool from the SDK can talk to the bootloader. So to run a fastboot command (to do things like unlock or flash a recovery image), you need to have the Nexus 7 in this bootloader screen.

It was certainly not obvious to me when first encountering this screen that the random squiggles and boxes meant anything, but in fact, the arrow-like squiggles displayed next to the volume buttons are not random. They are supposed to convey the idea that you can press volume up and down to change the currently selected action, like so:

The words in the box (which is located next to the power button) change when you fiddle with the volume buttons and (you guessed it), you make the bootloader actually perform the current specified action by pressing the power button.


Recovery

I have no idea what the stock recovery looks like (because I've never been there), but this is the TWRP recovery screen:

How to get here:

As you might expect from above, one way is to press the power button when the selected bootloader action is recovery mode.

Once you are fully rooted, if you install an app like GooManager, you can tell it to boot your Nexus 7 directly into recovery mode.

What is recovery mode?

Basically recovery mode is a special operating system you can boot instead of the normal android system in order to get access to bits of android which are normally protected. You can do anything from installing an app such as SuperSU in order to root your Nexus 7 to replacing the entire android system with a different version (i.e. a new ROM).

The key point here is that the recovery mode image on the Nexus 7 is entirely separate from the normal android image (and from the bootloader), so if you screw one up, you can usually get into the other one (screwing them both up, or worse yet, screwing up the bootloader is the dreaded bricked state).

This is similar to booting your desktop system with a Live CD so you can get into the system on the hard disk and repair things that are dangerous to touch when the system is running from the hard disk.

Just as many different Live CD images are available, different recovery images are available. The recovery shown here is TWRP. One of the other popular ones is ClockworkMod Recovery (but you can't use the touchscreen with it like you can with TWRP :-).

What can you do here?

A popular button to press here is Install. That will bring up a file browser and let you select a .zip file from the sdcard to be installed. Note that these need to be specially formatted zip archives with the proper structure containing scripts that guide the install process, etc. This is how you typically get the device rooted, by installing a package that adds the su binary and gives it setuid root access.

I also just used it to install the Jelly Bean 4.1.2 update (which arrives as one of these .zip files) since for some unknown reason the over the air install failed.

Typically, once you are running recovery, adb will work again, and you can use adb shell to poke around on the system (possibly after mounting various filesystems using the recovery mount feature).

One thing you might need to do on the very first run of recovery is make recovery permanent by renaming a file which, if left in place, apparently has the effect of disabling recovery. (There are conflicting reports about the necessity of this, but if you don't do it and recovery disappears on you, you can go through the recovery install process again and do this the next time :-). You need to mount the system partition, then run adb shell and execute these commands:

cd /system
mv recovery-from-boot.p recovery-from-boot.bak

Re-Root

All these hacks are primarily useful for re-rooting my Nexus 7 after a new android update has removed root access. So this is a good place to summarize the procedure to remind me of things that have bit me previously:

You will need a .zip file of Super SU to install below once you get recovery running. You should search on google for something like "Super Su .zip" to find the xda-developer forum announcement of the latest release of Super SU with the link to the .zip archive suitable for installing from recovery. Go ahead and put this on the so-called sdcard on the Nexus 7 (not that it has a real sdcard, but that's what it calls the storage that is pretending to be an sdcard).

Note that this sequence only works for re-rooting. Rooting for the very first time will require the unlock step which will erase the sdcard storage. Wait till after the unlock to copy the .zip archive if you are doing a first time root.

For some reason the fastboot commands I'm going to use below only work if I'm running as root. So you need to first make sure the adb server is definitely not running by typing:

adb kill-server

In the Jelly Bean 4.2.2 update, they added some weird new security features to adb, so before trying to re-root, it is a good idea to run the SDK android tool and download any updates to make sure the adb on the host is compatible with the (possibly) new adb support on the Nexus 7. (Killing the server before doing updates is also a good idea).

Now you can either power off and power back on holding the volume down button to get into the bootloader, or (if adb is actually working) you can plug in the USB cable and type:

adb reboot bootloader

I find that sometimes the recovery I previously installed is no longer working after an android update (or maybe something killed it even before that). This is a good time to go ahead and install the latest TWRP by searching for Nexus 7 on their web page. Once you download the latest .img file, you can install it by making sure the USB cable is connected, and you are sitting in the bootloader and typing (as root):

fastboot flash recovery path-to-recovery.img

Now you can hit the volume down button a few times to bring up the boot recovery option and boot into your newly installed recovery image. Once in recovery, you can select the install option and search for and install the Super SU .zip file (which may be a little hard to find because of the weird storage renaming they did in the 4.2 update - you may have to search in a directory with a weird name like "0" to find the sdcard contents).

Now you can reboot and you have root access. One last thing you might want to do is run Super SU and go through the settings to pick the option to cleanup so you can reinstall from the play store so you'll get updates when they are released. (This seems to work better if you reboot after the cleanup and before the play store install).
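A preflight check for the fastboot flash recovery step used here and in the fastboot section, added as an example and not part of the original page: it checks the image file name against the device codename (grouper, as in the TWRP file name above) and its SHA-256 against a published digest before flashing. The function names are hypothetical; it assumes a digest is published with the download and that fastboot getvar product reports the codename.

```shell
#!/bin/sh
# Added example: refuse to flash a recovery image unless it matches the
# expected device codename and a published SHA-256 digest.
# Function names and the digest source are assumptions, not from the page.
# Needs sha256sum (coreutils) and, for flash_recovery, fastboot in PATH.

# check_recovery_image IMG EXPECTED_SHA256 CODENAME
# Returns 0 if safe to flash, 1 missing file, 2 wrong name, 3 digest mismatch.
check_recovery_image() {
    img=$1 want=$2 codename=$3
    [ -s "$img" ] || { echo "missing or empty: $img" >&2; return 1; }
    case ${img##*/} in
        *"$codename"*.img) ;;
        *) echo "image name lacks codename '$codename'" >&2; return 2 ;;
    esac
    got=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$got" = "$want" ] || { echo "sha256 mismatch: got $got" >&2; return 3; }
}

# product_matches CODENAME
# Reads the output of `fastboot getvar product 2>&1` on stdin and succeeds
# only if it contains a line ending in "product: CODENAME" (assumed format).
product_matches() {
    grep -q "product: $1\$"
}

# flash_recovery IMG EXPECTED_SHA256 CODENAME
# Runs both checks, then flashes. Device must be sitting in the bootloader.
flash_recovery() {
    check_recovery_image "$1" "$2" "$3" || return
    fastboot getvar product 2>&1 | product_matches "$3" ||
        { echo "connected device is not '$3'" >&2; return 4; }
    fastboot flash recovery "$1"
}

# Usage (the digest is a placeholder for the value from the download page):
#   flash_recovery openrecovery-twrp-2.3.1.0-grouper.img <sha256> grouper
```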


Useful Links

I don't think there is anything original in here. Great gobs of information was extracted (sometimes painfully :-) from the Nexus 7 forums, particularly the All Things Root sub-forum.

Hard core hacking info (that can be hard core confusing :-) can be found in the xda developers forums.

I might as well toss in a link to my home page.

Well, that's it for now. Keep in mind that everything in here may very well be wrong :-). This is just my attempt to record this stuff in enough detail that I'll be able to remember what to do the next time I need to hack my Nexus 7.

Page last modified Sat Feb 16 11:51:35 2013