Take control over Android recovery mode with a file insertion
Sideloading an OTA (over-the-air) update and performing a factory data reset are only a few of the many functions of Recovery mode, a minimal system that runs outside Android OS and allows the device to be ‘recovered’ in case of emergency. All software updates go through Recovery and, as it turns out, although it is a separate sub-system, there is an easy way for Android OS to communicate with it.
After rebooting into Recovery, the first thing it looks for is ‘commands’. We can easily exploit this by planting a file in the expected location.
First, let’s create a file called ‘command’. In this file we can use the following arguments:
--wipe_data -> erases userdata (and cache), then reboots into Android OS (no argument)
--wipe_cache -> erases cache (but not userdata), then reboots into Android OS (no argument)
--update_package=<path>/ota_file.zip -> performs an OTA update, then reboots into Android OS (argument required)
--set_encrypted_filesystem=on|off -> turns the encrypted filesystem on or off (argument required)
--show_text -> displays text information in recovery (no argument)
--locale=en_GB -> displays text in the given language (argument required)
--just_exit -> does nothing and reboots into Android OS
There is another command specific to RockChip devices:
--update_rkimage=<path>/update.img -> performs firmware update to image specified in path (argument required)
Once we have decided what we expect recovery to do, the ‘command’ file can be pushed to /cache/recovery/command via ADB:
adb push ./command /cache/recovery/command
Then we can reboot into recovery:
adb reboot recovery
Once in recovery, the device checks the content of the command file and executes the ‘commands’ accordingly.
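Because anything written to /cache/recovery/command is acted on at the next recovery boot, it is worth checking what a command file would do before the device reboots. The following is an added example, not code from the original post: it audits the text of a command file against the argument list above. It assumes one argument per line; the function name, the "modifies device state" label and the sample input are constructed for illustration.

```python
# Added example: audit the text of a recovery 'command' file.
# The option table comes from the argument list in this post; the risk
# flag and all names below are assumptions made for this illustration.

# option -> (takes_argument, changes_device_state)
OPTIONS = {
    "--wipe_data": (False, True),
    "--wipe_cache": (False, True),
    "--update_package": (True, True),
    "--update_rkimage": (True, True),  # RockChip-specific
    "--set_encrypted_filesystem": (True, True),
    "--show_text": (False, False),
    "--locale": (True, False),
    "--just_exit": (False, False),
}


def audit_command_file(text):
    """Return a list of (line_no, option, value, findings) tuples."""
    report = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        option, sep, value = line.partition("=")
        findings = []
        if option not in OPTIONS:
            findings.append("unknown option")
        else:
            takes_arg, risky = OPTIONS[option]
            if takes_arg and not value:
                findings.append("missing required argument")
            if not takes_arg and sep:
                findings.append("unexpected argument")
            if risky:
                findings.append("modifies device state")
            if option == "--set_encrypted_filesystem" and value not in ("on", "off"):
                findings.append("value must be on or off")
        report.append((line_no, option, value, findings))
    return report


# Constructed sample input, not taken from a real device.
SAMPLE = "--update_package=/cache/ota_file.zip\n--wipe_data\n--locale\n--not_a_real_option=1\n"

if __name__ == "__main__":
    for line_no, option, value, findings in audit_command_file(SAMPLE):
        print(f"line {line_no}: {option} {value!r}: {', '.join(findings) or 'ok'}")
```

Run against a file pulled from the device, any line reported as "modifies device state" is one that will wipe data or flash an image on the next boot into recovery.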