mehmedbasic.dk

Nokia 8110 4G firmware dumping

Step 0: Intro

Earlier this year I bought a Nokia 8110 4G phone. Hoping this was a return to glory for the brand, I quickly realized that the new KaiOS (fork of Mozilla’s Firefox OS) is laggy, slow and kind of shitty. Being a developer I started digging in the docs and source code of KaiOS. I found out that it is loosely based on Android, but running a gecko browser where the entire UI is HTML5 and JavaScript. That sounds hackable indeed. After some websearching I found a guide to get to the recovery and enable developer mode using an update zip called smith.zip. First you need an SD card with 1-4GB capacity depending on what you want to dump. You will need to run a Linux of some sort to open the dumps.

If you just want to dump your firmware and skip the technicals, download the dumper-signed.zip, copy it to SD card (or use ADB sideload), reboot to recovery and apply the update.

Step 1: Running code from recovery

First of all you need to boot the recovery. Start by powering off the phone completely. Press and hold the DPAD UP button and power it on. Keep DPAD UP pressed. After some seconds you should see the glorious Android recovery in the eyeblistering resolution of 320x400.

Nokia 8110 bootloader

An update.zip file for Android is basically just a signed script. The folder structure inside the zip is as follows:

[your files go in the root here]

META-INF/CERT.RSA  # this is generated
META-INF/CERT.SF   # so is this
META-INF/com/google/android/update-binary  # this is the same for all
META-INF/com/google/android/updater-script # <-- this script copies your files and starts them

You can find a lot more detailed descriptions of the format over on XDA Developers forum.

Step 1.1: Locating the stuff we want to dump

We need to print the partition structure on the phone. Let’s start with a small script that prints the directory structure. First we need to create the updater-script:

ui_print("Running script...");

package_extract_file("recon.sh", "/tmp/recon.sh");
package_extract_file("busybox", "/tmp/busybox");

set_perm(0, 0, 0777, "/tmp/busybox");
run_program("/tmp/busybox", "sh", "/tmp/recon.sh");

wipe_cache();
ui_print("Done.");

The above script assumes two files, busybox and recon.sh. We need busybox to execute sh scripts and we write our dump script in recon.sh. The contents of recon.sh are the following:

#!/tmp/busybox sh

/tmp/busybox mount -t vfat -o rw /dev/block/mmcblk1p1 /sdcard
/tmp/busybox ls -R /dev/block > /sdcard/dirlist.txt
/tmp/busybox umount /sdcard

The above mounts the SD card, lists everything under /dev/block recursively and dumps it to a file on the SD card called dirlist.txt. We need to sign the file before uploading. Generate a certificate (just search for Android signing). I used the signjar tool from the Ubuntu repositories with some random cert and it worked great. After it’s been signed, copy the zip to the SD card and boot the Nokia in recovery. Use the DPAD to navigate and the POWER button to select. If everything works as intended your SD card will have a file called dirlist.txt on it.
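Recovery runs whatever the updater-script names, so it is worth checking a package on the Linux side before signing and applying it. The following is an added example, not code from the original post: it lists what the script extracts and runs, and flags files the script refers to that are missing from the zip. The function names and the in-memory sample package are constructed for illustration.

```python
import io
import re
import zipfile

SCRIPT = "META-INF/com/google/android/updater-script"
REQUIRED = ("META-INF/CERT.RSA", "META-INF/CERT.SF",
            "META-INF/com/google/android/update-binary", SCRIPT)
EXTRACT_RE = re.compile(r'package_extract_file\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)')
RUN_RE = re.compile(r'run_program\(([^)]*)\)')


def audit_update_zip(zf):
    """Report what the updater-script extracts and runs, plus inconsistencies."""
    names = set(zf.namelist())
    problems = [f"missing {p}" for p in REQUIRED if p not in names]
    if SCRIPT not in names:
        return {"extracts": [], "runs": [], "problems": problems}
    script = zf.read(SCRIPT).decode("utf-8", "replace")
    extracts = EXTRACT_RE.findall(script)            # [(name in zip, path on phone)]
    runs = [re.findall(r'"([^"]*)"', a) for a in RUN_RE.findall(script)]
    for src, _dst in extracts:
        if src not in names:
            problems.append(f"script extracts {src!r} but it is not in the zip")
    dests = {dst for _src, dst in extracts}
    for argv in runs:
        for arg in argv:                             # every /tmp path must come from the zip
            if arg.startswith("/tmp/") and arg not in dests:
                problems.append(f"run_program uses {arg!r}, which was never extracted")
    return {"extracts": extracts, "runs": runs, "problems": problems}


def build_sample(with_recon=True):
    """Constructed package with placeholder contents, laid out as described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in REQUIRED[:3] + ("busybox",):
            zf.writestr(name, b"placeholder")
        zf.writestr(SCRIPT,
                    'package_extract_file("recon.sh", "/tmp/recon.sh");\n'
                    'package_extract_file("busybox", "/tmp/busybox");\n'
                    'set_perm(0, 0, 0777, "/tmp/busybox");\n'
                    'run_program("/tmp/busybox", "sh", "/tmp/recon.sh");\n')
        if with_recon:
            zf.writestr("recon.sh", "#!/tmp/busybox sh\n")
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))


if __name__ == "__main__":
    print(audit_update_zip(build_sample(with_recon=False))["problems"])
```

For a real package, pass `zipfile.ZipFile("update.zip")` to `audit_update_zip`.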

Notice under /dev/block/platform/soc.0/7824900.sdhci/by-name there are a bunch of devices (uninteresting ones omitted for brevity):

boot
config
recovery
...
splash
...
system
...
userdata

As you can see it resembles the layout of your basic android phone. We want to poke around the OS so let’s take a look at what’s under system.

Step 1.2: Dumping /system

We utilize the same procedure as above, albeit we alter the shell script a little. We make a new script dump.sh and alter our updater script:

ui_print("Running script...");

package_extract_file("dump.sh", "/tmp/dump.sh");
package_extract_file("busybox", "/tmp/busybox");

set_perm(0, 0, 0777, "/tmp/busybox");
run_program("/tmp/busybox", "sh", "/tmp/dump.sh");

wipe_cache();
ui_print("Done.");

The contents of dump.sh:

/tmp/busybox mount -t vfat -o rw /dev/block/mmcblk1p1 /sdcard

# Partition names as they appear under by-name (see dirlist.txt from step 1.1)
partitions="boot config recovery splash ssd system userdata"

for part in $partitions
do
    # Log progress to the SD card so a failed run can be diagnosed afterwards
    echo "Dumping $part" >> /sdcard/run.log
    echo $part >> /sdcard/run.log
    /tmp/busybox sync
    /tmp/busybox dd if=/dev/block/platform/soc.0/7824900.sdhci/by-name/$part of=/sdcard/$part.bin
    /tmp/busybox sync
done

/tmp/busybox umount /sdcard

echo "Done"

Same procedure as before, sign, copy to SD and run from recovery. If everything is working you now have a bunch of .bin files on your SD card.

Step 1.3: Mounting the system image

The system image is a simple ext4 partition. Just mount it as rw:

mount -t ext4 -o rw,loop system.bin /mnt

Voila! You have your Nokia firmware mounted. If you want to play a game of Snake, navigate to: /mnt/b2g/webapps/snake.gaiamobile.org and extract the application.zip. Run the index.html file in Firefox and enjoy Snake in actual 60fps.
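A dd onto a vfat SD card stops early if the card fills up or the file reaches FAT's 4 GiB file-size limit, so it is worth confirming that a dump is complete before trusting what it contains. The following is an added example, not code from the original post: it reads the ext4 superblock from a dump and compares the size the filesystem claims with the size of the .bin file. It assumes the 32-bit block count is enough (the high word is ignored), and the sample header is constructed.

```python
import os
import struct

SB_OFFSET = 1024      # the ext2/3/4 superblock starts 1024 bytes into the partition
EXT_MAGIC = 0xEF53    # s_magic, little-endian u16 at superblock offset 0x38


def check_ext4_dump(head, file_size):
    """head: first bytes of the dump (>= 2048); file_size: size of the .bin file."""
    if len(head) < SB_OFFSET + 1024:
        return {"ext4": False, "reason": "too short to hold a superblock"}
    blocks, = struct.unpack_from("<I", head, SB_OFFSET + 0x04)   # s_blocks_count_lo
    log_bs, = struct.unpack_from("<I", head, SB_OFFSET + 0x18)   # s_log_block_size
    magic, = struct.unpack_from("<H", head, SB_OFFSET + 0x38)
    if magic != EXT_MAGIC:
        return {"ext4": False, "reason": f"magic is {magic:#06x}, not 0xef53"}
    fs_bytes = blocks * (1024 << log_bs)              # size the filesystem claims
    return {"ext4": True, "fs_bytes": fs_bytes, "file_bytes": file_size,
            "truncated": file_size < fs_bytes}


def check_file(path):
    """Run the check on a dump such as system.bin copied off the SD card."""
    with open(path, "rb") as f:
        return check_ext4_dump(f.read(4096), os.path.getsize(path))


def make_sample(blocks, log_bs=2):
    """Constructed 2 KiB header: zeros plus the three superblock fields used above."""
    img = bytearray(2048)
    struct.pack_into("<I", img, SB_OFFSET + 0x04, blocks)
    struct.pack_into("<I", img, SB_OFFSET + 0x18, log_bs)
    struct.pack_into("<H", img, SB_OFFSET + 0x38, EXT_MAGIC)
    return bytes(img)


if __name__ == "__main__":
    print(check_ext4_dump(make_sample(1000), 1000 * 4096))
    print(check_ext4_dump(make_sample(1000), 1000 * 4096 - 512))
```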

Step 2: Changing the SMS app

Apps are, as the Snake app demonstrates, just zip files with HTML in them. Let’s take our dump of the SMS app and try changing something. The SMS app is fairly generic. Let’s try changing a color in it. First locate the app, it’s in the b2g/webapps/sms.gaiamobile.org folder. Extract application.zip. Locate style/message.css. Locate the selector .outgoing .bubble .message-content-body and change the background color.

To package it as a KaiOS app you need to zip it into an application.zip and replace the SMS app on the phone. For this you need to create an update.zip with a script that overwrites the app in question.

The updater-script:

ui_print("Running script...");
package_extract_file("application.zip", "/tmp/smsapp.zip");
package_extract_file("swap.sh", "/tmp/swap.sh");

package_extract_file("busybox", "/tmp/busybox");
set_perm(0, 0, 0777, "/tmp/busybox");
run_program("/tmp/busybox", "sh", "/tmp/swap.sh");
wipe_cache();

ui_print("Done.");

This is the swap.sh script:

/tmp/busybox mount -t ext4 -o rw /dev/block/platform/soc.0/7824900.sdhci/by-name/system /system

SOURCE="/tmp/smsapp.zip"
DESTINATION="/system/b2g/webapps/sms.gaiamobile.org/application.zip"

/tmp/busybox cp $SOURCE $DESTINATION
/tmp/busybox umount /system

Now package it, zip it and sign it. Congratulations, you now have a modified SMS app.

What now?

KaiOS is a nice little platform and the Android base gives it a lot of potential. The built-in apps are nowhere near optimized for the crappy CPU that is in the Nokia 8110, but one can imagine a more optimized set of apps. Let’s see how far we can push this little piece of hardware. Go download the firmware dumper and start poking around.

Until next time, happy hacking.

© 2020 Jesenko Mehmedbasic - this is a footer.