Step 0: Intro
Earlier this year I bought a Nokia 8110 4G phone. Hoping this was a return to glory for the brand, I quickly realized that the new KaiOS (a fork of Mozilla's Firefox OS) is laggy, slow and kind of shitty. Being a developer, I started digging into the docs and source code of KaiOS. I found out that it is loosely based on Android, but runs a Gecko browser where the entire UI is HTML5 and JavaScript. That sounds hackable indeed. After some web searching I found a guide to get into the recovery and enable developer mode using an update zip called smith.zip. First you need an SD card with 1-4 GB capacity, depending on what you want to dump. You will also need a Linux of some sort to open the dumps.
If you just want to dump your firmware and skip the technical details, download dumper-signed.zip, copy it to the SD card (or use ADB sideload), reboot into recovery and apply the update.
Step 1: Running code from recovery
First of all you need to boot into recovery. Start by powering off the phone completely. Press and hold the DPAD UP button and power it on. Keep DPAD UP pressed. After a few seconds you should see the glorious Android recovery in the eye-blistering resolution of 320x400.
An update.zip file for Android is basically just a signed script. The folder structure inside the zip is as follows:
[your files go in the root here]
META-INF/CERT.RSA # this is generated
META-INF/CERT.SF # so is this
META-INF/com/google/android/update-binary # this is the same for all
META-INF/com/google/android/updater-script # <-- this script copies your files and starts them
You can find much more detailed descriptions of the format over on the XDA Developers forum.
Step 1.1: Locating the stuff we want to dump
We need to print the partition structure of the phone. Let's start with a small script that prints the directory structure. First we create the updater-script:
ui_print("Running script...");
package_extract_file("recon.sh", "/tmp/recon.sh");
package_extract_file("busybox", "/tmp/busybox");
set_perm(0, 0, 0777, "/tmp/busybox");
run_program("/tmp/busybox", "sh", "/tmp/recon.sh");
wipe_cache();
ui_print("Done.");
The above script assumes two files, busybox and recon.sh. We need busybox to execute sh scripts, and we write our dump script in recon.sh.
The contents of recon.sh are the following:
#!/tmp/busybox sh
/tmp/busybox mount -t vfat -o rw /dev/block/mmcblk1p1 /sdcard
/tmp/busybox ls -R /dev/block > /sdcard/dirlist.txt
/tmp/busybox umount /sdcard
The above mounts the SD card, lists everything under /dev/block recursively and writes the listing to a file on the SD card called dirlist.txt. We need to sign the zip before using it. Generate a certificate (just search for Android signing). I used the signjar tool from the Ubuntu repositories with some random cert and it worked great. After it's been signed, copy the zip to the SD card and boot the Nokia into recovery. Use the DPAD to navigate and the POWER button to select. If everything works as intended, your SD card will have a file called dirlist.txt on it.
Notice that under /dev/block/platform/soc.0/7824900.sdhci/by-name there are a bunch of devices (uninteresting ones omitted for brevity):
boot
config
recovery
...
splash
...
system
...
userdata
As you can see it resembles the layout of a basic Android phone. We want to poke around in the OS, so let's take a look at what's under system.
Step 1.2: Dumping /system
We use the same procedure as above, but alter the shell script a little. We make a new script, dump.sh, and alter our updater-script:
ui_print("Running script...");
package_extract_file("dump.sh", "/tmp/dump.sh");
package_extract_file("busybox", "/tmp/busybox");
set_perm(0, 0, 0777, "/tmp/busybox");
run_program("/tmp/busybox", "sh", "/tmp/dump.sh");
wipe_cache();
ui_print("Done.");
The contents of dump.sh:
#!/tmp/busybox sh
/tmp/busybox mount -t vfat -o rw /dev/block/mmcblk1p1 /sdcard
# partition names as they appear under the by-name directory found in step 1.1
partitions="boot config recovery splash ssd system userdata"
for part in $partitions
do
echo "Dumping $part" >> /sdcard/run.log
echo $part >> /sdcard/run.log
/tmp/busybox sync
/tmp/busybox dd if=/dev/block/platform/soc.0/7824900.sdhci/by-name/$part of=/sdcard/$part.bin
/tmp/busybox sync
done
/tmp/busybox umount /sdcard
echo "Done"
Same procedure as before: sign, copy to the SD card and run from recovery.
If everything is working you now have a bunch of .bin files on your SD card.
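The dump.sh above runs dd blindly: a misspelled partition name silently produces a missing or empty .bin, and nothing tells you afterwards whether an image copied cleanly. The following is an added example (not code from the original post) of a dump routine that checks each by-name device exists before copying it, writes a SHA-256 manifest next to the images so the dump can be verified later, and logs what it skipped. The BB variable is the busybox prefix (/tmp/busybox on the phone); it is assumed to be empty on a desktop, where the function runs against ordinary files.

```shell
#!/bin/sh
# Added example, not from the original post. BB is the busybox prefix used in
# recovery ("/tmp/busybox"); leave it empty to run against plain files on a PC.
BB="${BB:-}"

# dump_partitions BYNAME_DIR OUT_DIR "name1 name2 ..."
# Copies each existing BYNAME_DIR/name to OUT_DIR/name.bin and records its
# SHA-256 in OUT_DIR/sha256sums.txt. Returns 0 if every requested partition was
# dumped, 1 if any device was missing or a copy failed (details in run.log).
dump_partitions() {
    byname="$1"; out="$2"; parts="$3"
    failed=0
    : > "$out/run.log"
    : > "$out/sha256sums.txt"
    for part in $parts; do
        dev="$byname/$part"
        if [ ! -e "$dev" ]; then
            # a typo in the partition list (e.g. "recoverysplash") ends up here
            echo "SKIP $part: $dev not found" >> "$out/run.log"
            failed=1
            continue
        fi
        echo "Dumping $part" >> "$out/run.log"
        $BB sync
        if $BB dd if="$dev" of="$out/$part.bin" 2>> "$out/run.log"; then
            $BB sync
            # manifest entry is relative to OUT_DIR so "sha256sum -c" works there
            (cd "$out" && $BB sha256sum "$part.bin") >> "$out/sha256sums.txt"
        else
            echo "FAIL $part: dd returned an error" >> "$out/run.log"
            failed=1
        fi
    done
    return $failed
}

# verify_dump OUT_DIR: re-hash the images and compare against the manifest.
# Run this on the PC after copying the SD card over to catch a damaged copy.
verify_dump() {
    (cd "$1" && $BB sha256sum -c sha256sums.txt > /dev/null 2>&1)
}

# On the phone (from recovery, SD card mounted on /sdcard as in dump.sh):
#   BB=/tmp/busybox dump_partitions \
#       /dev/block/platform/soc.0/7824900.sdhci/by-name /sdcard \
#       "boot config recovery splash ssd system userdata"
```

The manifest is the useful part: once the images are on the PC, `sha256sum -c sha256sums.txt` (or `verify_dump`) confirms they survived the SD card and the copy unchanged before you start mounting or modifying them.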
Step 1.3: Mounting the system image
The system image is a plain ext4 filesystem. Just mount it as rw:
mount -t ext4 -o rw,loop system.bin /mnt
Voila! You have your Nokia firmware mounted. If you want to play a game of Snake, navigate to /mnt/b2g/webapps/snake.gaiamobile.org and extract application.zip. Open the index.html file in Firefox and enjoy Snake at an actual 60 fps.
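If the wrong .bin ends up in that mount command (a boot or splash image instead of system), mount just fails with an unhelpful error, and mounting a dump read-write means a stray edit alters the only copy you have. As an added example (not from the original post), the helper below reads the superblock magic before mounting: the ext2/3/4 family stores 0xEF53 at byte offset 1080 (0x438) of the filesystem, little-endian, so the two bytes on disk are 53 ef. The mount mode defaults to ro, which is an assumption made here; the original mounts rw.

```shell
#!/bin/sh
# Added example, not from the original post.

# is_ext_image IMAGE: true if IMAGE carries the ext2/3/4 superblock magic
# (0xEF53 at offset 1080, stored little-endian as bytes 53 ef).
is_ext_image() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2> /dev/null | od -A n -t x1 | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# mount_image IMAGE MOUNTPOINT [MODE]: refuse anything that fails the magic
# check; mount read-only unless MODE is given, so the dump itself stays intact
# (work on a copy if you want to edit the filesystem in place).
mount_image() {
    mode="${3:-ro}"
    if ! is_ext_image "$1"; then
        echo "$1: no ext superblock magic at offset 1080, not mounting" >&2
        return 1
    fi
    mount -t ext4 -o "$mode,loop" "$1" "$2"
}

# Example usage (needs root for the loop mount):
#   mount_image system.bin /mnt         # read-only
#   mount_image system.bin /mnt rw      # read-write, as in the original post
```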
Step 2: Changing the SMS app
Apps are, as the Snake app demonstrates, just zip files with HTML in them. Let's take our dump of the SMS app and try changing something.
The SMS app is fairly generic. Let's try changing a color in it. First locate the app; it's in the b2g/webapps/sms.gaiamobile.org folder. Extract application.zip and locate style/message.css. Find the selector .outgoing .bubble .message-content-body and change the background color.
To package it as a KaiOS app you need to zip it back into an application.zip and replace the SMS app on the phone. For this you need to create an update.zip with a script that overwrites the app in question.
The updater-script:
ui_print("Running script...");
package_extract_file("application.zip", "/tmp/smsapp.zip");
package_extract_file("swap.sh", "/tmp/swap.sh");
package_extract_file("busybox", "/tmp/busybox");
set_perm(0, 0, 0777, "/tmp/busybox");
run_program("/tmp/busybox", "sh", "/tmp/swap.sh");
wipe_cache();
ui_print("Done.");
This is the swap.sh script:
/tmp/busybox mount -t ext4 -o rw /dev/block/platform/soc.0/7824900.sdhci/by-name/system /system
SOURCE="/tmp/smsapp.zip"
DESTINATION="/system/b2g/webapps/sms.gaiamobile.org/application.zip"
/tmp/busybox cp $SOURCE $DESTINATION
/tmp/busybox umount /system
Now package it, zip it and sign it. Congratulations, you now have a modified SMS app.
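The swap.sh above overwrites the only copy of the app on the phone and never checks that cp succeeded, so a truncated or missing application.zip leaves you with no SMS app and no way back short of reflashing the dump. As an added example (not from the original post), here is a variant of the swap step that keeps a one-time backup of the original next to it, confirms the copy byte-for-byte, and restores the original if anything went wrong. BB is the busybox prefix as in swap.sh; the function is assumed to run after /system has been mounted rw, and runs on a PC against ordinary files with BB empty.

```shell
#!/bin/sh
# Added example, not from the original post. BB="/tmp/busybox" in recovery,
# empty when exercising the functions on a PC.
BB="${BB:-}"

# swap_app SOURCE DESTINATION
# Replaces DESTINATION with SOURCE, keeping DESTINATION.orig as a backup.
# Returns 0 on a verified copy; on any failure the original is put back.
swap_app() {
    src="$1"; dst="$2"; bak="$dst.orig"
    if [ ! -s "$src" ]; then
        echo "refusing: $src is missing or empty" >&2
        return 1
    fi
    if [ ! -e "$dst" ]; then
        echo "refusing: $dst not found (wrong app folder?)" >&2
        return 1
    fi
    # make the backup once and never overwrite it, so repeated swaps still
    # leave the pristine app recoverable
    if [ ! -e "$bak" ]; then
        $BB cp "$dst" "$bak" || return 1
    fi
    if $BB cp "$src" "$dst" && $BB cmp -s "$src" "$dst"; then
        $BB sync
        return 0
    fi
    echo "copy failed, restoring $dst from $bak" >&2
    $BB cp "$bak" "$dst"
    $BB sync
    return 1
}

# restore_app DESTINATION: undo swap_app using the backup it made.
restore_app() {
    bak="$1.orig"
    [ -e "$bak" ] || { echo "no backup at $bak" >&2; return 1; }
    $BB cp "$bak" "$1" && $BB cmp -s "$bak" "$1" && $BB sync
}

# In recovery, after the mount line from swap.sh:
#   BB=/tmp/busybox swap_app /tmp/smsapp.zip \
#       /system/b2g/webapps/sms.gaiamobile.org/application.zip
```

Keeping the .orig file on /system means a second update.zip that just calls restore_app is enough to get the stock SMS app back without touching the dump on your PC.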
What now?
KaiOS is a nice little platform and the Android base gives it a lot of potential. The built-in apps are nowhere near optimized for the crappy CPU in the Nokia 8110, but one can imagine a more optimized set of apps. Let's see how far we can push this little piece of hardware. Go download the firmware dumper and start poking around.
Until next time, happy hacking.