Flashing Principles: A First Look

Source: Internet  Editor: 程序博客网  Date: 2024/04/29 20:43
package test;

import java.awt.Color;
import java.awt.Font;
import java.awt.Graphics;
import java.awt.image.BufferedImage;
import java.io.OutputStream;
import java.security.SecureRandom;
import java.util.Random;

import javax.imageio.ImageIO;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ImageGenerator extends HttpServlet {

    private static final long serialVersionUID = -3938318741402322164L;

    // The generated code is stored as "Login_Image_Code", so it is drawn from
    // a CSPRNG rather than a plain java.util.Random.
    private static final Random RANDOM = new SecureRandom();

    // Returns a random colour with every channel in [fc, bc), inputs clamped to 255.
    private static Color getRandColor(int fc, int bc) {
        Random random = RANDOM;
        if (fc > 255)
            fc = 255;
        if (bc > 255)
            bc = 255;
        int r = fc + random.nextInt(bc - fc);
        int g = fc + random.nextInt(bc - fc);
        int b = fc + random.nextInt(bc - fc);
        return new Color(r, g, b);
    }

    // Alphabet without the look-alike characters 0/o/O and 1/i.
    private static String charsLong = "23456789abcdefghjklmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ";

    private static String charsShort = "0123456789";

    private static String chars = charsLong;

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        try {
            int charsLength = chars.length();

            // The image must never be served from a cache.
            response.setHeader("Pragma", "No-cache");
            response.setHeader("Cache-Control", "no-cache");
            response.setDateHeader("Expires", 0);

            int width = 70, height = 20;
            BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);

            Graphics g = image.getGraphics();

            Random random = RANDOM;

            // Light background.
            g.setColor(getRandColor(200, 250));
            g.fillRect(0, 0, width, height);

            g.setFont(new Font("Times New Roman", Font.ITALIC, height));

            // Short noise lines drawn behind the characters.
            g.setColor(getRandColor(160, 200));
            for (int i = 0; i < 35; i++) {
                int x = random.nextInt(width);
                int y = random.nextInt(height);
                int xl = random.nextInt(12);
                int yl = random.nextInt(12);
                g.drawLine(x, y, x + xl, y + yl);
            }

            StringBuilder sRand = new StringBuilder();
            String[] fontNames = { "Times New Roman", "Arial", "Book antiqua", "" };

            // Four characters, each with its own font, colour and small offset.
            for (int i = 0; i < 4; i++) {
                g.setFont(new Font(fontNames[random.nextInt(3)], Font.ITALIC, height));
                char rand = chars.charAt(random.nextInt(charsLength));
                sRand.append(rand);

                g.setColor(new Color(20 + random.nextInt(110), 20 + random.nextInt(110), 20 + random.nextInt(110)));
                g.drawString(String.valueOf(rand), 16 * i + random.nextInt(6) + 3, height - random.nextInt(4));
            }

            // Longer noise lines drawn over the characters.
            g.setColor(getRandColor(160, 200));
            for (int i = 0; i < 30; i++) {
                int x = random.nextInt(width);
                int y = random.nextInt(height);
                int xl = random.nextInt(width);
                int yl = random.nextInt(width);
                g.drawLine(x, y, x + xl, y + yl);
            }

            // The expected answer stays on the server, in the session.
            request.getSession().setAttribute("Login_Image_Code", sRand.toString());

            g.dispose();

            try {
                Thread.sleep(100);
            } catch (Exception ex) {
                // Ignored: the delay is best effort.
            }

            OutputStream os = response.getOutputStream();
            ImageIO.write(image, "JPEG", os);
            os.flush();
            os.close();
        } catch (Exception ex) {
            // Rendering or I/O failed; no image is sent to the client.
        }
    }

}

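Background: In February I bought an Onyx Boox M92S e-reader, 2030. It runs Linux and supports flashing, but when I looked at the zip file used for flashing I found that it was encrypted. I tried brute-forcing it, found that it would take far too long, and gave up. I had thought about looking through its development source code to see whether the password was in there, but other things got in the way and that plan has been shelved ever since. I had also thought about working out how flashing works on a Linux system...

In March my sister-in-law asked me to recommend a phone. Since there are so many Android devices now, I looked among those. The unexpected gain was learning about card writers, flashing, root, all kinds of ROMs, the China Telecom carrier-side "5 codes", and so on. Android is also a Linux system, and I had studied Android programming before, so I decided to work out thoroughly how flashing works on Android and Linux systems.

Recently I have been reading Yan Weimin's "Data Structures". When I reached the chapter on dynamic memory allocation I felt the urge to understand Linux's memory management thoroughly. I plan to start on "Linux Kernel Analysis" once I have finished reviewing "Advanced Mathematics", "Discrete Mathematics", "Data Structures" and "Introduction to Algorithms".

The following material comes from the internet: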

__________________________________________________________________________________________________

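Learn Flashing Fast: ROM Flashing Principles and ROM-Making Tutorial


If you want to flash a phone, you first need to know what flashing is and how it works, and only then flash. In this article I start from the principles of ROM flashing so that you can learn to flash quickly and easily.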

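1. How flashing works

I remember how nervous I was the first time I flashed a phone. But why the nerves? Precisely because I did not understand the principles: all I had was a pile of tutorials to copy step by step, terrified that one wrong step would turn the phone into a brick.

Put simply, there are two ways to flash:

The first is the recovery method: the one where we put update.zip on the SD card and then press alt-s. This method calls recovery's routines to copy the various img files or other files, among other operations. Want to understand how recovery works? I could not find good material either, so I just read through some of recovery's source code.

The second is the fastboot method, which is actually the cooler of the two. Put plainly, fastboot takes existing partition image files (img files, similar in meaning to the image files we make of optical discs) and writes them directly over the specified partitions. It is a little brute-force, and a little like restoring an operating system with Ghost.

Which of the two is better is hard to rank. In general:

The recovery method is simpler: you just drop update.zip into the root directory of the SD card, enter recovery mode and press alt-s. But like anything foolproof, it offers very little flexibility, and when something goes wrong you have no idea how to fix it. To ensure a ROM's reliability, ROM experts usually make the installer check certain aspects of the installation environment, but everyone's phone environment varies endlessly and even the experts can hardly cover every case. In addition, the recovery program itself performs some environment checks.

The fastboot method is more flexible and more powerful. It does not depend on recovery: even when the low-level Linux system has been flashed so badly that recovery mode cannot be entered, you can still flash your way back with fastboot. Fastboot mode actually calls the SPL to do the flashing, so if the SPL itself has been broken by a bad flash, fastboot mode should be unreachable as well, which means a brick. The fastboot method requires the fastboot program on your computer, and the phone must be in fastboot mode before you can operate on it. For more on these topics, see Google.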

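2. Back to the partitions of an Android system ("partition" may not be quite the right term)

The partitions of an Android system that I know of are:

hboot (this is the SPL we flash): the most basic boot partition (similar to the BIOS in a PC). If this partition is damaged the phone is more or less a brick, which is why we have to be so careful when flashing the SPL.

boot: this should be the boot partition of the Linux operating system.

radio: this partition presumably holds drivers or functional programs tied to the phone's low-level hardware, such as making calls and sending SMS. Different system versions come with different matching radio versions; if we flash a newer ROM without also flashing the newer radio, calls and the like may stop working properly.

recovery: this partition holds the recovery program mentioned earlier. Flashing different recovery versions brings different features, and interested readers can compile their own recovery from the recovery source code. In general, though, the main reason for flashing recovery is to gain root privileges.

system: the main functional program partition of a typical released ROM. The customisation of ROM features and bundled apps that we talk about should be based on modifying and building this partition.

userdata: user data; enough said.

cache: the cache, generally used as a cache during OTA upgrades. When we say that flashing the SPL can enlarge the app storage space, that mainly means shrinking this partition and enlarging the app partition.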

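3. Anatomy of a typical ROM

The ROMs we usually upgrade with are packaged for flashing through recovery. A package that the recovery program can recognise and process should have a fixed format; the important constraints, as I understand them, are:

1) It must be a standard zip archive;

2) The recovery script must be stored at META-INF\com\google\android\update-script;

3) Other certificate and signature information should all go under \META-INF\.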
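An added example (not from the quoted tutorial): a Python check of the three constraints above, plus the encrypted-entry flag that the background section ran into with the Boox firmware zip. The signature entry names are the standard JAR-signing ones and are an assumption about what the signing tool writes; the sample package is constructed.

```python
import io
import zipfile

# Zip entries use '/', so the page's META-INF\com\google\android\update-script is:
SCRIPT = "META-INF/com/google/android/update-script"
# Assumption: standard JAR-signing entry names, not listed on this page.
SIGNATURE_FILES = ("META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA")


def inspect_update_zip(data: bytes) -> dict:
    """Check a flashing package against the structural constraints."""
    report = {"is_zip": False, "has_script": False, "encrypted": [],
              "missing_signature_files": list(SIGNATURE_FILES)}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report                      # constraint 1 fails: not a zip at all
    with zf:
        report["is_zip"] = True
        names = set()
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")   # tolerate '\' from some tools
            names.add(name)
            if info.flag_bits & 0x1:       # general-purpose bit 0: entry is encrypted
                report["encrypted"].append(name)
    report["has_script"] = SCRIPT in names                       # constraint 2
    report["missing_signature_files"] = [                        # constraint 3
        s for s in SIGNATURE_FILES if s not in names]
    return report


def build_sample(signed: bool) -> bytes:
    """Constructed package for the demo; every file body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SCRIPT, "# constructed placeholder script\n")
        zf.writestr("boot.img", b"\x00" * 16)
        zf.writestr("system/etc/hosts", "127.0.0.1 localhost\n")
        if signed:
            for name in SIGNATURE_FILES:
                zf.writestr(name, b"placeholder, not a real signature")
    return buf.getvalue()


if __name__ == "__main__":
    for signed in (False, True):
        print("signed" if signed else "unsigned", inspect_update_zip(build_sample(signed)))
```

The check is structural only: it reports whether signature entries exist, not whether they verify.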

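4. Can we customise a ROM ourselves?

In theory we can.

The simplest customisation is to take an existing base ROM that you consider good, replace some resources, add some bundled system apps, then package and release it;

One level up, you modify some of the bundled system programs yourself, for example translating some stock system apps into Chinese;

One level higher still, you download the Android source code from the official Android site, build it yourself, and do system-level customisation and porting, such as the currently popular Android 2.0 source builds and system ports.

For a simpler home-made ROM, the main problems to solve are these:

1) Choose a good, stable kernel and base, that is, the boot.img in the update.zip package. Most of the system directory is also directly usable, so it can serve as the base of the custom ROM.

2) Modify the system. Examples of things you can customise this way: system\etc\apns-conf.xml, which sets the APN access points; system\etc\hosts, which is the hosts file. Many people are now using packages that cannot bind GMail, and for that you can add an entry to this hosts file: 74.125.93.113 android.clients.google.com (of course, how long this address will keep working is hard to say)... For anything else you want to customise, browse around and see for yourself.

3) Repackaging and signing the ROM. The basic structure of a ROM package was described above, but a package built exactly to that structure still cannot be installed by recovery, because it has no signature! To sign a ROM you can download an automatic signing tool, Auto-sign; for where to get it, ask Google. (Note: the ROM signing tool requires Java 1.6, so the system also needs a JRE 1.6 environment.)

Beyond this things get rather deep. For now I am only paying attention to these basics; mistakes are inevitable, and corrections are welcome.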

——————————————————————————————————————————————————————————————————————————————————————————————

Fastboot

Fastboot is a protocol used to update the flash filesystem in Android devices from a host over USB. It allows flashing of unsigned partition images. It is disabled in the production G1 devices since USB support is disabled in the bootloader [1]. This can be changed if you get root on the device. See also [2].

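My own analysis: from this passage we can get several pieces of information:

  1. fastboot runs only after the bootloader.
  2. fastboot can be modified, but that requires root privileges.
  3. Although the earlier material says fastboot is similar to a BIOS, in reality it is a long way from a BIOS. It is just a program equivalent to Ghost.

From [2] we can get the following information: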

So, in digging through the dump (just by strings, haven't broken out anything more awesome yet), I noticed the following block:

    reboot-bootloader
    reboot
    powerdown
    getvar:
    CMD:getvar: %s
    download:
    CMD:download: %s
    FAILdata too large
    recv data addr=%x size=%x
    DATA
    status: %s
    erase:
    flash:
    security=0x%x
    verified by test key
    verified by engineering key
    FAILsignature did not verify
    boot
    signature
    FAILsignature not 256 bytes long
    SetFlag:
    ClearFlag:
    oem

These are the commands from the Android part of the bootloader, specifically the USB part. The source code for that is here:
http://android.git.kernel.org/?p=platform/bootloader/legacy.git;a=blob_plain;f=usbloader/usbloader.c

Unfortunately, supposedly this is off inside of the production G1 shipments:
http://groups.google.com/group/android-porting/browse_thread/thread/4990ffe551844860

However, as I hear that some people have engineering builds of the bootloader, this still might be useful to look at.

The code is a little out of date, but weirdly enough the strings we have better match the documentation from here:
http://android.git.kernel.org/?p=platform/bootloader/legacy.git;a=blob_plain;f=fastboot_protocol.txt

The documentation mentions two commands that are not present in the dump: "verify:", and "continue". Meanwhile, the dump has the following commands not in our copy of the code: "reboot-bootloader", "powerdown", and maybe "SetFlag:", "ClearFlag:" (capital letters indicate device-specific extensions).

What I'm most interested in, though, is flash:. It has a security= string near it, and mentions a "test key".

Here's the code we have:

    #if REQUIRE_SIGNATURE
            {
                unsigned char digest[DIGEST_SIZE];
                compute_digest((void*) kernel_addr, kernel_size, digest);
                if (is_signature_okay(digest, signature, key_engineering)) {
                    dprintf("verified by engineering key\n");
                } else {
                    tx_status("FAILsignature did not verify");
                    rx_cmd();
                    return;
                }
            }
    #endif

Note that it only mentions engineering key. Maybe the bootloader was changed to make it easier to install test files on it? (I still haven't had a chance to really read any code, just look at strings output.)
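The FAIL and DATA strings in the dump above are fastboot responses: in the fastboot protocol a device reply is at most 64 bytes and starts with OKAY, FAIL, DATA or INFO. The following Python is an added example (not from the post or the bootloader source) that parses such replies on the host side; the transcripts are constructed, with the FAIL texts taken from the dump.

```python
import re

MAX_PACKET = 64                        # protocol limit for commands and responses
TERMINAL = ("OKAY", "FAIL", "DATA")    # INFO is the only non-terminal kind
_SIZE = re.compile(rb"[0-9a-fA-F]{8}")


def parse_response(packet: bytes):
    """Split one device response into (kind, payload)."""
    if not 4 <= len(packet) <= MAX_PACKET:
        raise ValueError("response must be 4 to 64 bytes, got %d" % len(packet))
    kind = packet[:4].decode("ascii", "replace")
    rest = packet[4:]
    if kind not in TERMINAL + ("INFO",):
        raise ValueError("unknown response prefix %r" % kind)
    if kind == "DATA":
        # The device echoes the accepted transfer size as exactly 8 hex digits.
        if not _SIZE.fullmatch(rest):
            raise ValueError("DATA must carry 8 hex digits")
        return kind, int(rest.decode("ascii"), 16)
    return kind, rest.decode("ascii", "replace")


def run_command(packets):
    """Collect INFO lines until the terminating OKAY, FAIL or DATA response."""
    info = []
    for packet in packets:
        kind, payload = parse_response(packet)
        if kind == "INFO":
            info.append(payload)
            continue
        return {"status": kind, "detail": payload, "info": info}
    raise ValueError("transcript ended without OKAY, FAIL or DATA")


# Constructed transcripts: host command -> device replies.
SAMPLES = {
    "download:00000100": [b"DATA00000100"],
    "signature": [b"FAILsignature not 256 bytes long"],
    "flash:boot": [b"INFOconstructed progress line",
                   b"FAILsignature did not verify"],
}

if __name__ == "__main__":
    for cmd, packets in SAMPLES.items():
        print(cmd, "->", run_command(packets))
```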


Fastboot prerequisites

To be able to use fastboot, you need to be running either an ADP1 or the Engineering Bootloader on your G1.

If you are developing on a linux host, you may need to tweak UDEV to recognize the phone in fastboot mode. You may already have done this to get the phone recognized in Eclipse, but you need to do it again for fastboot, since fastboot uses a different device ID: 0bb4:0c01. The warning sign is that fastboot says "< waiting for device >" forever, even when you have the "FASTBOOT" message on the phone; if this happens, try adding the device ID 0bb4:0c01 to your UDEV configuration for Android.

For Opensuse 11.1 or Fedora 16, the following config file, saved to '/etc/udev/rules.d/11-android.rules' works:

    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0bb4", ATTRS{idProduct}=="0c01", MODE="0666", OWNER="mylogname"
    SUBSYSTEMS=="usb", ATTRS{idVendor}=="0bb4", ATTRS{idProduct}=="0c02", MODE="0666", OWNER="mylogname"

NOTE: change "mylogname" to your Linux login ID. Also note that the product ID bit is optional (probably easier to leave it out), and you need to change "0bb4" to the vendor ID for your phone if it isn't made by HTC (whose vendor ID is 0bb4). You can find the vendor id using 'lsusb'. An alternative to this is just to run fastboot as root, using sudo.

Starting Fastboot

On the G1: To start fastboot, first get to the bootloader: turn off your phone and hold down the "camera" button while powering it back on. You will see a white screen with skateboarding bugdroids. If you just see the normal multicolored bootloader screen, you need to get the device side of fastboot working as noted above. Plug your phone into the usb and if you see "serial0" hit the "back" key. You should now see "fastboot" on the screen.

On the Samsung Galaxy: power down the phone, then long-press the two Call buttons. Beware that fastboot mode will continue to reboot the phone after ~30 seconds of inactivity.

Fastboot Binary

To make use of fastboot, you also need the fastboot program compiled for your host computer. If you have already built Android, you will have this file already. Its location should be:

<android source location>/out/host/{os}_{arch}/bin/fastboot

If you do not have fastboot built, you can either compile the Android source or try DarkriftX's precompiled fastboot (compiled on kubuntu x86)

Fastboot Commands

Here are the commands you can run on your host after fastboot has been started on a device connected via USB. This is a paste directly from the fastboot binary's "--help" command:

    usage: fastboot [ <option> ] <command>

    commands:
      update <filename>                        reflash device from update.zip
      flashall                                 'flash boot' + 'flash system'
      flash <partition> [ <filename> ]         write a file to a flash partition
      erase <partition>                        erase a flash partition
      getvar <variable>                        display a bootloader variable
      boot <kernel> [ <ramdisk> ]              download and boot kernel
      flash:raw boot <kernel> [ <ramdisk> ]    create bootimage and flash it
      devices                                  list all connected devices
      reboot                                   reboot device normally
      reboot-bootloader                        reboot device into bootloader

    options:
      -w                                       erase userdata and cache
      -s <serial number>                       specify device serial number
      -p <product>                             specify product name
      -c <cmdline>                             override kernel commandline

Forcing fastboot to load on every boot

Developers who are creating new images to try out very often can remove their boot and recovery images which will force the phone to enter bootloader mode every time you boot. To fix this, you would reflash the boot and recovery images back allowing the phone to boot normally.

    $ fastboot erase boot
    $ fastboot erase recovery