Step 0: Intro
smith.zip. First you need an SD card with 1-4GB capacity depending on what you want to dump. You will need to run a Linux of some sort to open the dumps.
If you just want to dump your firmware and skip the technicals, download the dumper-signed.zip, copy it to the SD card (or use ADB sideload), reboot to recovery and apply the update.
Step 1: Running code from recovery
First of all you need to boot the recovery. Start by powering off the phone completely. Press and hold the DPAD UP button and power it on. Keep DPAD UP pressed. After some seconds you should see the glorious Android recovery in the eyeblistering resolution of 320x400.
An update.zip file for Android is basically just a signed script. The folder structure inside the zip is as follows:

    [your files go in the root here]
    META-INF/CERT.RSA                             # this is generated
    META-INF/CERT.SF                              # so is this
    META-INF/com/google/android/update-binary     # this is the same for all
    META-INF/com/google/android/updater-script    # <-- this script copies your files and starts them
You can find a lot more detailed descriptions of the format over on XDA Developers forum.
Step 1.1: Locating the stuff we want to dump
We need to print the partition structure on the phone. Let’s start with a small script that prints the directory structure. First we need to create the
    ui_print("Running script...");
    package_extract_file("recon.sh", "/tmp/recon.sh");
    package_extract_file("busybox", "/tmp/busybox");
    set_perm(0, 0, 0777, "/tmp/busybox");
    run_program("/tmp/busybox", "sh", "/tmp/recon.sh");
    wipe_cache();
    ui_print("Done.");
The above script assumes two files,
recon.sh. We need busybox to execute
sh scripts and we write our dump script in
The contents of recon.sh are the following:

    #!/tmp/busybox sh
    /tmp/busybox mount -t vfat -o rw /dev/block/mmcblk1p1 /sdcard
    /tmp/busybox ls -R /dev/block > /sdcard/dirlist.txt
    /tmp/busybox umount /sdcard
The above mounts the SD card, lists everything under /dev/block recursively and dumps it to a file on the SD card called dirlist.txt. We need to sign the file before uploading. Generate a certificate (just search for Android signing). I used the signjar tool from the Ubuntu repositories with some random cert and it worked great. After it’s been signed, copy the zip to the SD card and boot the Nokia in recovery. Use the DPAD to navigate and the POWER button to select. If everything works as intended your SD card will have a file called dirlist.txt on it.
Under /dev/block/platform/soc.0/7824900.sdhci/by-name there are a bunch of devices (uninteresting ones omitted for brevity):

    boot
    config
    recovery
    ...
    splash
    ...
    system
    ...
    userdata

As you can see, it resembles the layout of your basic Android phone. We want to poke around the OS, so let’s take a look at what’s under system.
Step 1.2: Dumping
We utilize the same procedure as above, albeit we alter the shell script a little. We make a new script dump.sh and alter our updater script:

    ui_print("Running script...");
    package_extract_file("dump.sh", "/tmp/dump.sh");
    package_extract_file("busybox", "/tmp/busybox");
    set_perm(0, 0, 0777, "/tmp/busybox");
    run_program("/tmp/busybox", "sh", "/tmp/dump.sh");
    wipe_cache();
    ui_print("Done.");
The contents of
    # Mount the SD card (FAT) so the dumps have somewhere to go
    /tmp/busybox mount -t vfat -o rw /dev/block/mmcblk1p1 /sdcard
    partitions="boot config recovery splash ssd system userdata"
    for part in $partitions
    do
        echo "Dumping $part" >> /sdcard/run.log
        echo $part >> /sdcard/run.log
        /tmp/busybox sync
        # Copy the raw partition to <name>.bin on the SD card
        /tmp/busybox dd if=/dev/block/platform/soc.0/7824900.sdhci/by-name/$part of=/sdcard/$part.bin
        /tmp/busybox sync
    done
    /tmp/busybox umount /sdcard
    echo "Done"
Same procedure as before: sign, copy to SD and run from recovery.
If everything is working you now have a bunch of .bin files on your SD card.
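A quick integrity check for the dumps before they are mounted, as an added example that is not part of the original post: it hashes each file, recognises the ext superblock and the Android boot image magic, and flags an ext image that is shorter than the filesystem it declares (which a full SD card or the FAT file-size limit would cause). The function names and sample images are constructed, and it assumes boot.bin and recovery.bin use the standard Android boot image header.

```python
import hashlib
import os
import struct
import tempfile

def inspect_dump(path):
    """Classify a partition dump; for ext filesystems, detect a short dump."""
    info = {"size": os.path.getsize(path)}
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        head = fh.read(2048)          # boot magic and the ext superblock live here
        sha.update(head)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
    info["sha256"] = sha.hexdigest()
    if head[:8] == b"ANDROID!":       # Android boot/recovery image header (assumed format)
        info["type"] = "android-boot"
    elif len(head) == 2048 and struct.unpack_from("<H", head, 1024 + 0x38)[0] == 0xEF53:
        sb = head[1024:]              # ext2/3/4 superblock starts at byte 1024
        blocks = struct.unpack_from("<I", sb, 0x04)[0]              # s_blocks_count_lo
        block_size = 1024 << struct.unpack_from("<I", sb, 0x18)[0]  # s_log_block_size
        if struct.unpack_from("<I", sb, 0x60)[0] & 0x80:            # INCOMPAT_64BIT set
            blocks |= struct.unpack_from("<I", sb, 0x150)[0] << 32  # s_blocks_count_hi
        info.update(type="ext", fs_bytes=blocks * block_size,
                    truncated=info["size"] < blocks * block_size)
    else:
        info["type"] = "unknown"
    return info

def constructed_ext_image(blocks, log_block_size, total_len):
    """Constructed sample: zero-filled image carrying only the fields read above."""
    img = bytearray(max(total_len, 2048))
    struct.pack_into("<I", img, 1024 + 0x04, blocks)
    struct.pack_into("<I", img, 1024 + 0x18, log_block_size)
    struct.pack_into("<H", img, 1024 + 0x38, 0xEF53)
    return bytes(img)

def inspect_bytes(data):
    """Demo helper: write constructed bytes to a temp file and inspect it."""
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as tmp:
        tmp.write(data)
    try:
        return inspect_dump(tmp.name)
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    print(inspect_bytes(constructed_ext_image(8, 2, 16 * 1024)))  # declares 32 KiB, has 16 KiB
    print(inspect_bytes(b"ANDROID!" + bytes(64)))
```

On real dumps, call inspect_dump("system.bin") and so on; a partition dump that is larger than its filesystem is normal, only a smaller one indicates a cut-off copy.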
Step 1.3: Mounting the system image
The system image is a simple ext4 partition. Just mount it as:

    mount -t ext4 -o rw,loop system.bin /mnt

Voila! You have your Nokia firmware mounted. If you want to play a game of Snake, navigate to /mnt/b2g/webapps/snake.gaiamobile.org and extract the application.zip. Run the index.html file in Firefox and enjoy Snake in actual 60fps.
Step 2: Changing the SMS app
Apps are, as the Snake app demonstrates, just zip files with HTML in them. Let’s take our dump of the SMS app and try changing something.
The SMS app is fairly generic. Let’s try changing a color in it. First locate the app, it’s in the b2g/webapps/sms.gaiamobile.org folder. Extract application.zip. Locate style/message.css. Locate the selector .outgoing .bubble .message-content-body and change the background color.
To package it as a KaiOS app you need to zip it into an application.zip and replace the SMS app on the phone. For this you need to create an update.zip with a script that overwrites the app in question.

    ui_print("Running script...");
    package_extract_file("application.zip", "/tmp/smsapp.zip");
    package_extract_file("swap.sh", "/tmp/swap.sh");
    package_extract_file("busybox", "/tmp/busybox");
    set_perm(0, 0, 0777, "/tmp/busybox");
    run_program("/tmp/busybox", "sh", "/tmp/swap.sh");
    wipe_cache();
    ui_print("Done.");
This is the
    # Mount the system partition read-write
    /tmp/busybox mount -t ext4 -o rw /dev/block/platform/soc.0/7824900.sdhci/by-name/system /system
    SOURCE="/tmp/smsapp.zip"
    DESTINATION="/system/b2g/webapps/sms.gaiamobile.org/application.zip"
    # Overwrite the stock SMS app package with the modified one
    /tmp/busybox cp "$SOURCE" "$DESTINATION"
    /tmp/busybox umount /system
Now package it, zip it and sign it. Congratulations, you now have a modified SMS app.
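Before the repacked application.zip goes onto the phone, it helps to confirm that the CSS file is the only thing that differs from the dumped original. The following is an added example, not part of the original post: it compares two app packages entry by entry using content hashes. The function names and the two-file sample package are constructed for illustration.

```python
import hashlib
import io
import zipfile

def entry_digests(zip_bytes):
    """Map each file name in a zip archive to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def diff_app_zips(original, modified):
    """Return (added, removed, changed) entry names between two application.zip files."""
    old, new = entry_digests(original), entry_digests(modified)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return added, removed, changed

def constructed_app(css, extra=None):
    """Constructed stand-in for the SMS app package; a real one holds many more files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("index.html", "<html><body>constructed sample</body></html>")
        zf.writestr("style/message.css", css)
        for name, body in (extra or {}).items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed CSS rule using the selector named in the text above.
RULE = ".outgoing .bubble .message-content-body { background-color: %s; }"

if __name__ == "__main__":
    before = constructed_app(RULE % "#ffffff")
    after = constructed_app(RULE % "#ff00aa")
    # Expect no added or removed entries and exactly one changed file.
    print(diff_app_zips(before, after))
```

For real packages, read both files with open(path, "rb").read() and pass the bytes to diff_app_zips.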
KaiOS is a nice little platform and the Android base gives it a lot of potential. The built-in apps are nowhere near optimized for the crappy CPU that is in the Nokia 8110, but one can imagine a more optimized set of apps. Let’s see how far we can push this little piece of hardware. Go download the firmware dumper and start poking around.
Until next time, happy hacking.