Android Blogging Network

1.2.4 is out, with a number of bugfixes

Get it here

Changelist:

• Fixed an issue when using baksmali on a case insensitive file system, and there are classes with names that only vary by case (thanks phd.dre and Brut.all!)
• Fixed an issue where baksmali still printed out .line and .local directives even when the -d/–no-debug-info option is specified (thanks stari4ek!)
• Fixed an issue in smali when in encountered a field or method that was named “null” (thanks dislam!)
• Fixed an issue in smali when encountering a file that has blank annotation sets (thanks flipz and jjiovani!)
• Fixed an issue when there is a <clinit> method with no corresponding code item

• Comments Off

smali/baksmali v1.2.3 is out, and now includes the ability to deodex odex files from froyo.

You can download the new versions on the downloads page of the googlecode project

In addition to the changes related to supporting froyo, the new version has a new lexer that uses much less static memory. (The old lexer had around 30mb of static data. ugh!). The new lexer is written with jflex instead of ANTLR, but it still hooks in with the ANTLR parser.

There was also a significant change in how “undeodexable” instructions are handled. If you want to read up on the details, go take a look at the comments in issue 29 and issue 33. Thanks to Paul from modaco.com, brut.all, master.homer, flipz and JrEE2kX for the reporting/discussion/testing around this issue.

As usual, there are a number of little performance tweaks here and there, and a few new bug spots on the bottom of my shoes.

• Comments Off

Yet Another Baksmali Bugfix Release. v1.2.2 is out for your disassembling pleasure.

As the title suggests, this is mostly a bugfix release, fixing issues 20, 21 and 22.

I’ve also made some significant performance enhancements to baksmali. You can expect deodexing a full firmware to be roughly 50% faster, while performing certain operations on single files can be over 100% faster (dumping the full register info of a large dex file, for example).

Finally, I’ve added the ability to read the base BOOTCLASSPATH dependencies from odex files directly, so you shouldn’t have to specify the full BOOTCLASSPATH (-c) for roms that use a non-standand BOOTCLASSPATH (like HTC Sense roms). Note however, that you will still need to add the  “extra” dependencies for specific applications that need it, because those dependencies aren’t stored in the odex file.

Get it here.

• Comments Off

Yet Another Baksmali Bugfix Release. v1.2.2 is out for your disassembling pleasure.

As the title suggests, this is mostly a bugfix release, fixing issues 20, 21 and 22.

I’ve also made some significant performance enhancements to baksmali. You can expect deodexing a full firmware to be roughly 50% faster, while performing certain operations on single files can be over 100% faster (dumping the full register info of a large dex file, for example).

Finally, I’ve added the ability to read the base BOOTCLASSPATH dependencies from odex files directly, so you shouldn’t have to specify the full BOOTCLASSPATH (-c) for roms that use a non-standand BOOTCLASSPATH (like HTC Sense roms). Note however, that you will still need to add the  “extra” dependencies for specific applications that need it, because those dependencies aren’t stored in the odex file.

Get it here.

• Comments Off

Everyone has heard about Google’s Device Seeding Program. (Yes, it’s real.) So in the next few weeks (days? months?) lots and lots of people will be getting a nice 2nd-gen Android device. Except… nobody gets to choose their device. Google will send either a Nexus One or a Motorola Droid, at random. That is somewhat bad news – if you have T-mobile and bought a G1 on a 2 year contract, it will cost a hundred bucks to get out. VZW is (reportedly) even higher.
So what is a hardworking dev to do?
Here is Android Device Exchange to the rescue – hook up with other owners, device-seed recipients, etc and buy, sell or trade your devices!

• Leave a comment... (1)

I’ve released v1.2.1, which is mostly a bugfix release to v1.2. There are a few performance improvements and enhancements in there as well.

As usual, you can grab a copy on the googlecode download page

• Comments Off

After lots of hard work over the last month or two, smali/baksmali 1.2 is out!

The major new functionality in this release is that baksmali now supports deodexing without the help of deodexerant! It also has a new “register info” feature, to show the register types in the disassembly, and numerous minor fixes/changes/enhancements/tweaks/(and probably bugs)

Deodexing

In order to deodex files now, you need to have the boot class path files available for baksmali to use. By default, it looks for the 5 main framework jars in the current directory. You can of course specify additional directories to search in, add additional boot class path files, or change which boot class path files are used altogether.

The DeodexInstructions page has more info on how to deodex with this version. But for a quick primer, you just need to have the 5 main framework files in the current directory (core.jar, ext.jar, framework.jar, android.policy.jar and services.jar), and then specify the -x option for baksmali. For example:

baksmali -x Calculator.odex -o Calculator

Register Info

Another bit of new functionality that can be very helpful is the new “register info” output for baksmali, which can be turned on with the -r parameter. It will analyze the registers and print some register type info before and after each instruction. There are several levels of register info output available, depending on exactly what you want to see. The default is to print the register type for any register that is used by the instruction.

Note that this functionality also requires that baksmali load the boot class path files – so they must be available. Here is an example of what the default register info looks like:

#v0=(Integer);v2=(Integer);
new-array v2, v0, [C
#v2=(Reference,[C);

The register types that are printed just before the instruction are the incoming register types, while the register types that are printed after the instruction show any changes to the registers caused by the instruction.

If you want to see all the register info, you can use -r ALL,FULLMERGE which looks something like this:

#v0=(Integer):merge{0x18:(Null),0x2c:(Integer)}
#v1=(Conflicted):merge{0x18:(Uninit),0x2c:(Integer)}
#v3=(Conflicted):merge{0x18:(Uninit),0x2c:(Char)}
#v2=(Reference,[C);p0=(Reference,Ljava/lang/String;);p1=(Reference,[B);p2=(Integer);p3=(Integer);p4=(Integer);
iget v2, p0, Ljava/lang/String;->count:I
#v0=(Integer);v1=(Conflicted);v2=(Integer);v3=(Conflicted);p0=(Reference,Ljava/lang/String;);p1=(Reference,[B);p2=(Integer);p3=(Integer);p4=(Integer);

Other changes

There are a few other miscellaneous changes as well. Make sure you take a look at the usage info for smali and baksmali. The short parameters for some of the options have changed. In particular some of the options that are mostly for debugging purposes were changed to an uppercase letter, and are now hidden by default. You can use -?? for both smali and baksmali to see the debug options.

baksmali also has a new -f parameter, which adds a comment with the code address before each instruction. This is useful when looking at the FULLMERGE register info, which shows the register info and code addresses for all “incoming” execution paths.

Things to come

With this release, I have added a robust code analyzer/verifier that can infer the register types and validate the instructions. I plan using this to add verification functionality in smali, so that it will optionally verify the code after assembling it. This will let you know there’s a problem with the assembled code without having to push the code to a device and have dalvik complain to you about the invalid code.

I also want to add some way to dump/serialize the results of loading the boot class path files for baksmali, so that it can load the information it needs from the dump file, instead of reading in all 5 boot class path files every time, which should help speed it up.

In the longer term, I would love to be able to debug code on a device at an assembly level. This is just something that is banging around in the back of my head for now.

• Comments Off

As my Christmas present to everyone, I present smali/baksmali v1.1

This version has significant new functionality, and is much better able to handle the larger framework files that are floating around. There are a number of bug fixes as well.

As usual, you can grab the new versions from the googlecode download page

The changes for this version include:

• Added support for a new .locals directive, which can be used instead of the .registers directive, to specify the number of non-parameter registers in the method
• Added support for the --use-locals/-l option in baksmali, to use the .locals directive instead of the .registers directive
• Added support for the --sequential-labels/-q option in baksmali, which causes baksmali to create label names using a sequential numbering scheme, instead of basin it on the bytecode address
• Added support for automatically upgrading const-string to const-string/jumbo when needed and upgrading goto or goto/16 to goto/16 or goto/32 when needed
• Added support for the --no-fix-string-const/-c option in smali, to prevent automatically upgrading const-string instructions to const-string/jumbo
• Added support for the --no-fix-goto/-g option in smali, to prevent automatically upgrading goto and goto/16 instructions
• Added support for the --no-debug-info/-b option in baksmali, to prevent the output of any type of debugging info (.local, .line, .parameter, etc.)
• misc. bugfixes

• Comments Off

Now that the nook softroot is out, I’d like to take a moment to explain the structure of the updates, the nook bootup process in general, and how the softroot came about.

The “softroot” that was released is simply an unsigned update file that copies a custom init.rc to the device that enables adb (only over wifi, for now). Unsigned update, you ask? Yes. The nook accepts unsigned updates. The structure of an update is fairly simple. Basically, it’s a .tar.gz file that contains at least 3 files: Firmware_Update/update.script, Firmware_Update/md5sums and Firmware_Update/sha1sums.

The update.script file is a script that is run by turboboot – a proprietary bootloader/recovery environment that is used in the nook. Documentation for turboboot can be found easily with $favorite_search_engine. The turboboot environment is a minimal linux+busybox environment. It allows you to run arbitrary system commands from the update.script, so you can really do just about anything you want in an update.

For the md5sums and sha1sums file, the only requirement is that running md5sum -c md5sums and sha1sum -c sha1sums from the Firmware_Update  directory will succeed. So you need to have at least 1 valid checksum in each file.

That’s basically it for the update. You can add whatever else the update needs of course. To run the update, place the .tar.gz file on the root of the external sdcard, named bravo_update.dat, power off the nook, and then after powering it back on, immediately press the page up/page down buttons. It should then check for the update file, unpack it, validate the md5sums and sha1sums files, and then run the update.

If you’ve already taken a look at the 1.1.0 or 1.1.1 update files that have been released recently, you’ve probably noticed that they aren’t just a plain .tar.gz, but they have what appears to be a signature header at the beginning of the file. As far as I can tell, when a new update is available, the nook system software will download the signed update to the 3rd partition of the internal sdcard, verify it and then strip off the signature header and place the plain .tar.gz in the root of the 2rd partition of the internal sdcard. It then sets a value in a specific place on the sdcard that tells turboboot to check the internal sdcard instead of the external sdcard for the update. And then when the nook reboots, turboboot finds the unsigned update file and applies it.

If you want to poke around in the 1.1.1 update, the file is available for download from Barnes and Noble’s Nook FAQ page. Once you download the update, you’ll need to strip off the signature header before extracting it:

tail -c +174 signed_bravo_update.dat > signed_bravo_update.tar.gz

Finally, a bit more about the nook’s start-up in general. The nook appears to boot directly from the sdcard. There is around 200mb of space at the end of the sdcard, past the end of the last partition, where various things are stored: bootloader, kernel, etc. These all appear to be stored at specific locations relative to the end of the sdcard.

The primary bootloader is stored at an offset relative to the end of the sdcard. For non-sdhc cards, this is at endofsd-9k. And there is additional bootloader code stored at endofsd-281k.

The kernel is stored at endofsd-4377k, and interestingly, the last full firmware update that was applied on the nook is stored at endofsd-135449k. And finally the kernel and ramdisk for the turboboot environment is stored at endofsd-139545k.

The ramdisk for the turboboot environment contains an interesting script named initboot.script that handles the update process. One of it’s features is that if the nook fails to successfully boot 3 times in a row, then it will perform a “fallback”, and will wipe out the OS partition and re-apply the full update that is stored in the ending area of the sdcard.

It was when I was first looking at the initboot.script file that I realized that the nook accepted unsigned updates. Once I realized that, I pinged fellow nookdev robbiet480 (because he has a nook, and I don’t yet :/) and after a few tries, was able to build an initial proof-of-concept update that he ran on his nook and proved that we could in fact get an unsigned update to run.

From there, the other nookdev members took it from the proof-of-concept that I did to the actual softroot that is available now. Great job guys!

• Comments Off