1 of 20

Hacking the Android Emulator from the Command Line, or "what to do when you are too cheap to pay for wi-fi in the airport"

John F. Davis

johndavi@us.ibm.com

davisjf@gmail.com

2 of 20

Overview

The Android Emulator is a virtual device which runs on your PC

Typically used with Eclipse

However, it can also be used from the command line

Here are some things you can try

3 of 20

Set Up Your Environment

  • c:\Users\davis> type andenv.bat

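@echo off
rem Root of the Android SDK install
set ANDHOME=c:\prg\android\android-sdk
echo ANDHOME= %ANDHOME%
rem Add adb (platform-tools) and the android/emulator commands (tools) to the PATH
set PATH=%PATH%;%ANDHOME%\platform-tools
set PATH=%PATH%;%ANDHOME%\tools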

4 of 20

Create an Emulator

  • Creating an emulator from the available preset targets

  • List available targets

c:\users\davis> android list targets

  • Create a VM which is 2.2 API Level 8 (target 7) with a 64MB sdcard.

c:\users\davis> android create avd -n emulator2.2-api-8 -t 7 -c 64M

  • It is possible to create a custom emulator

5 of 20

Listing the emulators

  • List available emulators (as disk images)

c:\users\davis> android list avd

  • The emulators' disk images are kept here:

c:\users\davis\.android\avd

6 of 20

Starting the Emulator

  • Starts the 2.2 API Level 8 emulator

c:\Users\davis> emulator -avd emulator2.2-api-8

  • Shows attached devices and running emulators

c:\users\davis> adb devices

7 of 20

The Shell

  • Using adb to get a shell allows root access with the emulator. It does not provide root access on a real device.

  • Gets a login to the underlying Linux OS. If you have real hardware you can connect by replacing the -e with -d. If you only have one running, you can omit the -e or -d.

c:\users\davis> adb -e shell

8 of 20

Exploring the Filesystem

  • From the shell use the set command to see the path for executables

# set

  • Use the ls command to list the available commands

# ls /system/bin

  • Looks like Linux, doesn't it? Try these commands:

# df

# dmesg

# showslab

9 of 20

Examine the proc filesystem

  • List the files and directories in /proc

# ls /proc

  • Dump some of the proc fs entries

# cat /proc/version

# cat /proc/cpuinfo

# cat /proc/meminfo

# cat /proc/loadavg

10 of 20

Examine the proc filesystem

  • The numbered entries (1, 2, … 110, 158, etc.) correspond to process IDs. Each is a directory with the same set of info.

# cat /proc/36/cmdline

/system/bin/sh /system/etc/init.goldfish.sh

# cat /system/etc/init.goldfish.sh

11 of 20

The Accounts Database

  • So let's use the shell to examine the accounts database
  • Steps

1. Use the VM GUI to enter your account

2. Verify you can read your email

3. Use the shell to examine the accounts.db

4. How does the database store your password?

12 of 20

Set Up a Gmail Account

  • From the emulator GUI add your Gmail account. On this version it says “exchange”
  • Use these settings
  • Username is \davisjf
  • Server is m.google.com
  • Enable the bottom check box which accepts certificates. It is disabled by default.

13 of 20

Verify your Gmail Account

  • If your desktop is connected to the network, it will sync to Gmail automatically.
  • Use the email application to verify you can fetch your email.
  • FWIW, these settings will persist between boots of your virtual machine.

14 of 20

Locate the Account Database

  • Back at the emulator shell
  • # cd /data/system
  • # sqlite3 accounts.db

This opens the sqlite command-line interface for the database

15 of 20

Examine the Account Database

  • Within the sqlite CLI
  • sqlite> .help
  • sqlite> .tables
  • sqlite> select * from accounts;

No leading period since this is a SQL command. This works on 2.2 and 2.3.3. Not sure if it was fixed in 3.x.

  • 1|davisjf@gmail.com|com.android.exchange|<passhere>

*A real phone will not have permission to read this db.

  • sqlite> .exit     (quits)
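A host-side check for the question raised above ("How does the database store your password?"), added here as an example and not part of the original slides. It runs against a constructed in-memory database; the column names (_id, name, type, password) are an assumption inferred from the four-field row shown above, and the digest test is only a heuristic. The stored value itself is never returned.

```python
import sqlite3
from string import hexdigits

def build_sample_db():
    """Constructed stand-in for an accounts.db copied off an emulator."""
    conn = sqlite3.connect(":memory:")
    # Assumed schema: matches the 4 fields printed by "select * from accounts;"
    conn.execute("CREATE TABLE accounts "
                 "(_id INTEGER PRIMARY KEY, name TEXT, type TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts (name, type, password) VALUES (?, ?, ?)",
        [
            ("user@example.com", "com.android.exchange", "constructed-secret"),
            ("user@example.com", "com.example.hashed", "0123456789abcdef" * 2),
            ("user@example.com", "com.example.tokenonly", None),
            ("other@example.com", "com.example.blank", ""),
        ],
    )
    return conn

def classify(value):
    """Heuristic: how does the password column hold this value?"""
    if not value:                      # NULL or empty string
        return "empty"
    if len(value) in (32, 40, 64) and all(c in hexdigits for c in value):
        return "hex-digest-like"       # length of an MD5/SHA-1/SHA-256 hex digest
    return "readable"                  # anything else is treated as recoverable

def audit_accounts(conn):
    """One finding per account row, without echoing the secret."""
    rows = conn.execute("SELECT name, type, password FROM accounts ORDER BY _id")
    return [{"account": name, "type": acct_type, "storage": classify(password)}
            for name, acct_type, password in rows]

def at_risk(findings):
    """Account types whose password column holds a readable value."""
    return sorted({f["type"] for f in findings if f["storage"] == "readable"})

if __name__ == "__main__":
    findings = audit_accounts(build_sample_db())
    for f in findings:
        print(f)
    print("account types storing a readable secret:", at_risk(findings))
```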

16 of 20

Bootanimation

  • /system/bin/bootanimation is the program which runs the second stage splash screen.
  • Since it can be run after the fact, it is good for experimentation.
  • If you run it manually, it will not end.
  • You can connect to the shell with a second cmd window and use ps to find the bootanimation program and then kill it to restore your normal GUI window.

17 of 20

Bootanimation

  • The filesystem is read-only so you cannot simply delete it to see dmesg output during boot. Perhaps building a custom firmware without it will help.
  • Upon booting the VM you can get a shell as soon as you see this logo. With the shell, you can kill it, but it still does not show boot messages. Instead it shows a blank screen and then just the top bar before the final UI appears.

18 of 20

Listing Installed Packages

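  • # cat /data/system/packages.list shows the installed packages.
  • The output is similar to what the Android API returns:

// Ask the PackageManager for every installed package
List<PackageInfo> packs = theContext.getPackageManager().getInstalledPackages(0);
for (int i = 0; i < packs.size(); i++) {
    PackageInfo p = packs.get(i);
    // Skip packages without a version name unless system packages were requested
    if ((!getSysPackages) && (p.versionName == null)) {
        continue;
    }
    PInfo newInfo = new PInfo();
    // Human-readable application label
    newInfo.appname = p.applicationInfo.loadLabel(
            theContext.getPackageManager()).toString();
    // ... the rest of the loop body is not shown
}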

19 of 20

Push/Pull files and SD Card

  • Pull a program from a real device and then put it on the emulator's writable flash filesystem.
  • c:\users\davis> adb -d pull /system/bin/bootanimation
  • c:\users\davis> adb -e push bootanimation /mnt/sdcard

20 of 20

But Can You Run from the SDCARD?

  • C:\Users\davis> adb -e shell
  • # /mnt/sdcard/bootanimation

permission denied

  • # mount

Shows /mnt/sdcard is mounted noexec ;-(
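The noexec result above, as a check over captured mount output (an added example, not part of the original slides). It assumes the one-line-per-mount "device mountpoint fstype options" layout; the sample text is constructed, not copied from an emulator. It also reports mounts that are both writable and executable, which is the combination noexec on /mnt/sdcard is there to prevent.

```python
# Constructed sample of `mount` output (device mountpoint fstype options).
SAMPLE_MOUNT_OUTPUT = """\
rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
/dev/block/mtdblock0 /system yaffs2 ro 0 0
/dev/block/mtdblock1 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/vold/179:0 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000,gid=1015 0 0
"""

def parse_mounts(text):
    """Map each mount point to its device, filesystem type and option set."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:            # skip blank or malformed lines
            continue
        device, mountpoint, fstype, options = fields[:4]
        mounts[mountpoint] = {
            "device": device,
            "fstype": fstype,
            "options": set(options.split(",")),
        }
    return mounts

def mount_for(mounts, path):
    """Longest mount point that contains `path` (None if nothing matches)."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best

def exec_allowed(mounts, path):
    """False when the filesystem holding `path` is mounted noexec."""
    mp = mount_for(mounts, path)
    return mp is not None and "noexec" not in mounts[mp]["options"]

def writable_and_executable(mounts):
    """Mount points that are rw and lack noexec: candidates for review."""
    return sorted(mp for mp, m in mounts.items()
                  if "rw" in m["options"] and "noexec" not in m["options"])

if __name__ == "__main__":
    m = parse_mounts(SAMPLE_MOUNT_OUTPUT)
    for p in ("/mnt/sdcard/bootanimation", "/system/bin/bootanimation"):
        print(p, "->", mount_for(m, p), "exec allowed:", exec_allowed(m, p))
    print("rw without noexec:", writable_and_executable(m))
```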