Learn to root Android using emulator

Introduction

What is rooting, actually? How does it work? I have been trying to figure this out recently. Now I know how to at least root an Android emulator, including creating a ROM image. Since I am using the emulator only, the following explanation applies only to the emulator. I have not tested it on a real mobile phone.

Before I begin, the following is my working environment:

OS: Arch Linux
Packages:
android-2.2 r03-2 – required for the Android platform
android-sdk r16-1 – required for emulator
android-sdk-platform-tools r10-2 – required for adb command

I tried this on Android Froyo (2.2) only.

Superuser (root)

To root Android, we first need to obtain the “su” binary for Android. We can get it easily from the internet. A busybox binary for Android is also very useful; it can be obtained from the internet as well.

Then we need to start the emulator with extra partition size for /system. This can only be done from the command line, e.g.

emulator -avd MyAndroid -partition-size 128 -no-snapshot-load

Make sure the AVD “MyAndroid” has already been created. The “-no-snapshot-load” option is used if snapshots are enabled. As a result, the emulator starts with extra disk space for /system, so we can add extra files to /system later.

Then we need to use “adb shell” to remount /system so that we have write access to it.

adb shell mount -o rw,remount -t yaffs2 /dev/block/mtdblock0 /system

Then we can push su and busybox to /system/xbin.

adb push su /system/xbin/
adb push busybox /system/xbin/

Now, to make su actually work properly, we need to chmod it:

adb shell chmod 06755 /system/xbin/su
adb shell chmod 06755 /system/xbin/busybox

Now we need to install Superuser.apk (which you can get together with “su”). We can install it with the “adb install” command. It is required when other apps request “su”.

We can test our “su” with Root Checker Basic or Stericson Busybox. We should see the following image.
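A host-side check that the chmod step took effect, as an added example that is not part of the original post: it expands an octal mode such as 06755 into the string `ls -l` prints and lists setuid/setgid files owned by root in a listing. The listing is constructed, and its column layout (mode, owner, group, size, date, time, name) is an assumption about what `adb shell ls -l /system/xbin` prints.

```shell
#!/bin/sh
# Added example (not from the original post): relate `chmod 06755` to the
# permission string in a listing and list setuid/setgid files owned by root.

# mode_to_symbolic OCTAL: e.g. 06755 -> rwsr-sr-x
mode_to_symbolic() {
    awk -v m="$1" 'BEGIN {
        m = "0000" m; m = substr(m, length(m) - 3)   # keep last four octal digits
        sp = substr(m, 1, 1)                         # 4=setuid 2=setgid 1=sticky
        split("4 2 1", bit, " "); split("s s t", hi, " "); split("S S T", lo, " ")
        for (i = 1; i <= 3; i++) {                   # user, group, other
            d = substr(m, i + 1, 1)
            x = d % 2                                # execute bit of this triplet
            out = out (int(d / 4) % 2 ? "r" : "-") (int(d / 2) % 2 ? "w" : "-")
            out = out (int(sp / bit[i]) % 2 ? (x ? hi[i] : lo[i]) : (x ? "x" : "-"))
        }
        print out
    }'
}

# find_setid_root: read `ls -l` style lines on stdin and print "NAME FLAGS"
# for regular files owned by root that carry setuid and/or setgid.
find_setid_root() {
    awk '$1 ~ /^-/ && $2 == "root" {
        u = substr($1, 4, 1); g = substr($1, 7, 1); f = ""
        if (u ~ /[sS]/) f = "setuid"
        if (g ~ /[sS]/) f = (f == "" ? "setgid" : f "+setgid")
        if (f != "") print $NF, f
    }'
}

# Constructed listing in the shape of `adb shell ls -l /system/xbin`
# (assumed columns: mode owner group size date time name).
sample_listing() {
    cat <<'EOF'
-rwsr-sr-x root     root        26264 2012-03-10 12:00 su
-rwsr-sr-x root     root      1745016 2012-03-10 12:00 busybox
-rwxr-xr-x root     shell       60276 2010-06-30 15:06 tcpdump
-rwxr-xr-x shell    shell        5600 2010-06-30 15:06 example-tool
EOF
}

sample_listing | find_setid_root
```

Against a running emulator, pipe the real listing into `find_setid_root` instead of `sample_listing`.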

Android emulator with superuser

Now, that is rooting. You might feel happy with it. However, if we restart the emulator without a snapshot, “su” does not work any more. So, we are going to customise the ROM image. But before that, I want to go through Android Market first.

Android Market

To make the emulator work with Android Market, we need two APKs: Google Services Framework and Market. They are available on the internet. The Market package name is com.android.vending and Google Services Framework is com.google.process.gapps.

After obtaining the files, we can push them into /system/app.

adb push GoogleServicesFramework.apk /system/app/
adb push Market.apk /system/app/

Wait a while, then you can see the Market app in the emulator.

Besides that, according to this page, we need to remove /system/app/SdkSetup.apk.

adb shell rm /system/app/SdkSetup.apk

Then the emulator can run Android Market, and we can sign in with a Google Account.

Customise ROM image for emulator

Failures

Now, if we restart the emulator, everything returns to default. No more “su” and Android Market. Why? Because whatever we have done to /system is not saved to the ROM image.

/system actually comes from system.img, installed with android-2.2 in my case. This file is mounted in the emulator as a yaffs2 file system. In order to customise this ROM image, I have tried several ways.

Using unyaffs, I could only extract the image, but I could not continue. I can simply pull /system using the adb command without it.

Using yaffs2utils, unyaffs2 produced nothing, and the image built by mkyaffs2 did not allow the emulator to boot.

Using mkyaffsimage did not work either, as above.

Some resources mention that we can get the mkyaffs2image utility when building the Android source. But the problem is that getting the source requires a lot of disk space and a long time to download.

So, what is the best way to modify system.img? I even tried the low-level way, using dd to extract /dev/block/mtdblock0, but failed.

Solution

Finally, I tried to solve it with userdata-qemu.img. This is the /data folder, which is always modified when we install apps in the emulator. Restarting the emulator does not reset /data. Therefore, we can create the ROM image from /data. We can do it by first cleaning out all of /data.

adb shell busybox rm -R /data/*

This will remove everything in /data, except the “lost+found” folder.

adb shell busybox ls /data

Check with the ls command to make sure only “lost+found” is left.

Now, since /system contains the “su”, “busybox”, Market and Google Services Framework we added earlier, we need to copy the whole of /system to /data.

adb shell busybox cp -a /system/* /data/
adb shell busybox ls /data

As a result, /data is identical to /system.

Now the userdata-qemu.img file in the AVD folder has been modified. Close the emulator. Then we can use the userdata-qemu.img file as the system image. We can rename it to system.img, or pass it as the system image with the “-system” option on the emulator command line.

Start the emulator with this customised system.img; now we have busybox by default, and also Android Market.

Missing Market apps problem (added 2012-03-14)

But if we look into Android Market, we will discover that only a few apps are available. To show most of the apps (not all of them), we need to customise the boot image, namely ramdisk.img. We can get this file from the android-2.2 package; it sits together with the default system.img.

Unlike system.img, ramdisk.img is actually a gzip-compressed cpio archive. So, we can extract it with:

mkdir temp #make a folder
cd temp #change to the folder "temp"
gunzip -c ../ramdisk.img | cpio -i #extract the ramdisk.img, 
# where it is located at the parent directory of temp

This will extract all the files to the temp/ folder.

Now, edit default.prop and modify the lines as follows:

ro.secure=1
ro.allow.mock.location=0

Optionally, we can also modify the ro.build.fingerprint key in /system/build.prop to bypass the regional restriction. But I am not sure what value should be used.

After customisation, we need to repack ramdisk.img. In temp/,

find . | cpio -o -H newc | gzip > ../new-ramdisk.img

This will make a new-ramdisk.img. We can rename it to “ramdisk.img” and put it in the AVD folder, so that the emulator will use it by default.

Now, if the apps are still missing after customisation, we need to stop Google Services Framework and Market and clear both cache and data for them. Then restart the emulator (several times), and it can work.

45 thoughts on “Learn to root Android using emulator”
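The default.prop edit from the steps above, scripted so it can be repeated and read back before repacking. This is an added example, not part of the original post; the function names and the sample default.prop contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two default.prop
# settings from the text to an extracted ramdisk and confirm the result.

# get_prop FILE KEY: print the value of the first KEY=... line, if any.
get_prop() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# set_prop FILE KEY VALUE: rewrite KEY in place, or append it when missing.
# Duplicate KEY lines collapse to one; comments and other keys are kept.
set_prop() {
    sp_tmp=$(mktemp) || return 1
    awk -F= -v k="$2" -v v="$3" '
        $1 == k { if (!seen++) print k "=" v; next }
        { print }
        END { if (!seen) print k "=" v }
    ' "$1" > "$sp_tmp" || { rm -f "$sp_tmp"; return 1; }
    cat "$sp_tmp" > "$1"        # overwrite contents, keeping the file's mode
    sp_rc=$?
    rm -f "$sp_tmp"
    return "$sp_rc"
}

# apply_page_settings FILE: set the values given in the text, then read back.
apply_page_settings() {
    set_prop "$1" ro.secure 1 || return 1
    set_prop "$1" ro.allow.mock.location 0 || return 1
    [ "$(get_prop "$1" ro.secure)" = 1 ] &&
        [ "$(get_prop "$1" ro.allow.mock.location)" = 0 ]
}

# Demo on a constructed default.prop (contents are illustrative only).
demo() {
    d_file=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'ro.secure=0' \
        'ro.allow.mock.location=1' 'ro.debuggable=1' > "$d_file"
    apply_page_settings "$d_file" && cat "$d_file"
    d_rc=$?
    rm -f "$d_file"
    return "$d_rc"
}
demo
```

Run `apply_page_settings temp/default.prop` after extracting the ramdisk and before the `find . | cpio` repack step.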

  1. what do you get for rooting? that’s the thing that i just don’t understand…
    same as iphone/ipod, have jailbreak before, but don’t see the point leh!

    1. Full usage of the phone. We can hack into apps. For example, installing some apps which are not allowed from Android Market. That is why this will void the warranty, because we can damage the OS also.

      1. though troublesome, still have people going to root the phone so that can enjoy the full functionality of the phone’s hardware, not limited to OS

  2. For mkyaffs2 of yaffs2utils, would you try to modify the default OOB layout in the source!?

    The OOB layout is different between the native Linux and Android system.

  3. Hi, thanks for your info. I tried your steps and got the market to run and show apps, but I cannot download any apps. It always says Download Unsuccessful.

    Were you able to download and install any apps from Market?

    1. The apps such as File Expert and ASTRO File Manager can install without any problem. But all the games show the message “Your device isn’t compatible with this item”.

      1. Thanks. My market download problem was because I didn’t get rid of SdkSetup.apk. Afterwards, I need to rm userdata-qemu.img to “wipe data”.

        Small problem now is that the Home button (and others) don’t work in the emulator anymore. It is acceptable, but I want to make sure you have the same problem.

      2. use -skin (your preferred resolution) e.g 480×740 in emulator command and use keyboard button shortcut as it as the developer.android.com about emulator.

        regards

  4. i have not function boot-able images with gzip, but i did all root and make new system.img with mkfs.yaffs2 tools.

    Problem i have right now they’re still boot to first state of system.img. there is no way, i think, to make em more dynamic (/system mount were more customizable ). cos when the Android OS booted, the partition of system is at full erase, not like locked partition as we could remount em. check at emulator -verbose command when boot em.

    Other problem was the market keep saying “your device isn’t compatible with this item” that preventing us to download app from Google play (v 3.4.7) or Market (v3.4.4).

    # I’m kinda desperate with emulator.

    In Eclipse i’ve tried it with some projects but resulting same output. always looping from the start.
    Android OS i’ve Tried was Donut, Froyo, GBX, HCB, and ICS. same output all the way. gonna trying the vm version of Android : AndroBox tomorrow 😀

    Hope, we find it another way to get inside of it.

    Regards, lmnmst

    1. I have no problem with the custom system.img. But I have the problem with mkfs.yaffs2 tools.

      Yes, I also have the market apps incompatible problem. But I think that they are mostly games. Even when I tried to install the APK file from adb, the games are still not playable. I think they are really incompatible with the emulator.

  5. this is just a thought.. build.prop in ro.sf.lcd_density must be default : 240 dpi..
    i forgot to say, “Your Device blablabla” shows when i boot ICS platform. before i trying the GBX it should work.. tested on ‘HTC Touch Diamond (Diam100) and 2.3.3 emulator platform..

    about the games.. logically, we just need the game min requirements to run in the emulator. as the OpenGLes should be work..

  6. Hi there.,
    I have done all the above stuffs, Despite, My android emulator is not rooting. How could i determine whether my emulator is rooted or not..? I installed some apk files in the emulator, It says need rooting..?
    How could i solve this issue.
    There was no error while rooting..!

    1. Normally the Android emulator does not need to root, unless you mean to install the superuser.apk into it.
      To make sure whether your Android emulator is rooted or not, when you “adb shell”, you will see # instead of $. If it is not “#”, then you are not root. But in my experience, it is always “#” for the emulator.
      Then the application mentioned that need rooting, I think because you haven’t installed the superuser.apk. Install it, then should solve your problem.

      1. i was trying to find “Maps” app, but couldn’t find it
        found “phone” though, and deleted it successfully.
        any ideas?

  7. HI, Thanks for the post.
    I installed the market app. It is shown on the app menu, but upon clicking it ask to login with an account. On clicking yes the application closes. However I can log in to gmail with a user account. Any ideas?

    1. Is the application close with any error? If you already installed GoogleServicesFramework and also the Market, then I have no idea how to solve it. I don’t know whether it is related to the Android version or not.

      1. No, the application doesn’t close with an error. It just quits! As I said before I can login to gmail, however dev tools -> google login service crashes. Is there any relation between the market app and gls crashing? I tried this with a 2.3 emulator as well, but the results are the same..

      2. The DDMS error I got is this,

        05-03 14:42:32.026: D/AccountManagerService(61): bind attempt failed for Session: expectLaunch true, connected false, stats (0/0/0), lifetime 0.001, addAccount, accountType com.google, requiredFeatures null

      3. i was able to root the emulator, installed the default application using “titanium” app, but when i come to the part when i have to save the rooted file, cmd is showing error, not accepting the command
        am i writing the commands wrong?

      4. “Rooted file”, do you mean the modified image, after installing default application?
        What is the command you are using, and in what environment? And what is the error message?

      5. by “rooted file” i do mean the modified system image

        and i meant “uninstalling the default (maps) application”, not installing (typo).

        anyways, when i type this command
        ” adb shell busybox rm -R /data/*”
        it says busybox not found

        do i have to install busybox app?
        or download some other file?
        i tried 4 types of busybox files, still shows same error.
        can you give me a link to your busybox file?

        using xp, on api level 10 (2.3.3)

      6. Okay. The busybox I installed is from http://benno.id.au/blog/2007/11/14/android-busybox

        You need to
        adb push busybox /system/xbin/
        adb shell chmod 06755 /system/xbin/busybox
        to make busybox work.
        (Please refer to the Superuser part for detail)

        Actually it is not necessary, if you know how to use other basic commands from “adb shell”. But it will be very helpful if you install it.

        To uninstall the default apps from the system, you need to remove the file in the /system/app/
        (Please refer to the Android Market part for detail).

  8. hey…nice post.
    Have you or anyone here tried rooting an Android API 4.0.3 on emulator?

    I need it urgently and even with this post I was not able to jailbreak it.

    Or if you guys have little clue on this, does anyone of you know how to redirect all (or a specific) app traffic (on an android phone ) through a proxy?
    Does just providing the proxy address in the android browser settings suffice? is there any way to make sure that my app traffic is going through that proxy only?
    I’ll appreciate your help on this.

    I don’t want any post with exact links specifically (don’t want to bother you all for that), but just your ideas/comments on this.(Though any useful link will help)

  9. hi….
    i have desire hd with android 2.3.5 i just bought it…..
    when i bought it the man told me not to root it nor to install a rom because it might burn the Processor….
    so just tell me how safe is it to install ICS. caus i really like it…..

    please help…
    thanks…..

    1. Hi ALI, I personally don’t have any experience of upgrading the OS or installing a rom.
      Because I am afraid that the hardware cannot support the advancement of the OS.
      So, I would not recommend upgrading the OS.
      However, if you really like, you can try to learn about installing a rom by rooting them.
      For upgrading to ICS, you may ask for advice from other advanced android users.

    1. Please in the command-line, enter “emulator -help-disk-images”. This will tell you why it is “system.img” and what is the option “-system”. In summary, using the system.img or -system allows you to use a custom system.img, not the default system.img installed by Platform for Google Android SDK package.
