Sunday, February 08, 2009

How To: Hack Android For Multitouch Web Browsing on the T-Mobile G1 [How-to]

Source: http://feeds.gawker.com/~r/gizmodo/full/~3/NrXsHaU6Fqc/how-to-hack-android-for-multitouch-web-browsing-on-the-t+mobile-g1

Android's new 1.1 update doesn't include multitouch because Google is scared of Apple. We are not, however, and nor should you be: follow our guide to get iPhone-like multitouch browsing on your G1 right now.

As teased yesterday, this update will also give you all the new Android 1.1 firmware features, so if you haven't received your over-the-air update from T-Mobile yet, wait no more and follow our guide. And on top of the added multitouch features, the hacked ROM you're going to install will also include handy root access to your G1 for further hacking.

Many thanks in particular to the folks at the xda-developers forum, the #1 hangout for HTC phone tweakers on the web.

What You'll Need:
• Your G1
• USB cord
• JFv1.41_RC33.zip, an Android RC33 ROM with multitouch assembled by a nice chap that goes by the name of JesusFreke.
• An old RC29 ROM (with root access bug)
• An Android recovery image
• A micro-SD card reader (maybe, if you mess things up)
• The Android SDK (for installing more multitouch demos)

Let's get started:

Downgrade Your Android Software to Gain Root Access
Even though Android is open source, access to the root user is disabled by default, so you still have to work to get root access. To do that you have to exploit a well-publicized bug in an earlier Android build that lets you slip into root access easily.

Note: In doing this, you will lose everything you have saved to your phone. Your synced Google Account info will of course stay put, but you'll lose your installed apps, text messages, and anything you have on your SD card. Searching "backup" in the Android Market will lead you to apps that can back up your SMS messages and other files.

1. Your phone is likely running either the RC30 (1.0) or the new RC33 (1.1) version of the Android software (you can check under Settings -> About phone -> Build number). RC29 is the one with the bug, so you'll need to download that file here (grab this one if you're in the UK, and perhaps seek out a UK-specific guide, as we're talking North American language here and I don't want you to hurt your phone).

2. Reformat your phone's SD card to the FAT32 format.

3. Rename the downloaded file to exactly this: DREAIMG.NBH in all caps for the extension and the filename. It matters. It will still show up with a lowercase extension in the bootloader, but that's OK, as long as the file you dropped on your SD card was named properly, you won't get a FAIL.

4. Drop the downloaded and renamed RC29 file onto your SD card via USB, power your phone off, and then power it back on while holding down the camera button. This will bring you into the bootloader. Press the power button to start the update, which will wipe your phone and install the old software.

5. When it's done you should get a declaration of success. After that, hit the trackball button (known as the "action button" in the darker recesses of the G1's bootloader) and then press Call, Menu and End simultaneously to reboot into your downgraded G1. You'll see that you're starting from scratch.

6. Sign in to your Google account and then grab the "Telnet" app from the Market. You'll need this to exploit your newly gained root access.

Update Your G1 With a Multitouch-Enabled ROM
Now that you have not only the permission but the impetus to do naughty things with root access, it's time to install the updated Android files.

These are assembled by a nice chap that goes by the name of JesusFreke on various phone-hacking forums. He's the one, primarily, who made all this multi-touching on the G1 possible.

1. Grab Le Freke's RC33 v1.41 ROM (the one with multitouch goodness baked in), rename it from "JFv1.41_RC33.zip" to "update.zip" (all lowercase), and copy it to your SD card.

2. Also grab this tweaked "recovery.img" file and also copy it to your SD card. Eject your SD card from your desktop and unplug the USB cable when you're done.

3. Now that you're in the exploit-y RC29 version, your phone will start responding to various Linux commands you type on the keyboard no matter what you happen to be doing in Android at the time. Fun! What you need to type to get root access is:

telnetd

You may find yourself in some odd place in the OS, but it doesn't matter. If done correctly, a telnet server should be running in the background on your phone.

4. Open up the Telnet app you downloaded from the Market, type in "localhost" in the box if it's not there already, and tap "Connect to server." You'll see some weird ASCII characters, but all should be well. To test, type this in at the prompt (make sure you've ejected your SD card from your computer and detached the USB cable):

ls /sdcard

You should see the names of the files you copied (if you don't, try steps 3 and 4 again).

5. Now it's time for some more command line magic. You'll need to type four more commands to mount the file system in a writeable state, change to the system directory, copy the recovery.img file from your SD card to your phone's /system directory, and flash the recovery image, in that order:

mount -o remount,rw /dev/block/mtdblock3 /system

cd /system

cat /sdcard/recovery.img > recovery.img

flash_image recovery recovery.img

You won't get any response from any of these commands other than a slight pause before the next prompt appears, and that means you've done everything correctly. If you get any error messages, check for typos and try again.

6. Power down your phone, then power it back on again. One power cycle is required to complete the magic.

7. Power down your phone AGAIN. And now, while off, start it up by holding the Home button along with Power; your phone will enter into recovery mode, which normally shows a caution icon with a phone, but will in this case stream a bunch of Linux code on the screen. Wait for that to calm down, and you will reach the ROM flashing screen of Mr. Freke's design. If all looks good, press Alt+S to flash your ROM, then press Home+Back when prompted to restart into your multitouch-enabled G1.

8. Open up the browser, and try the ol' pinch-to-zoom gesture. Hey, what's that? Zooming! It's not lightning fast at the moment, but I'd say it still beats pressing plus and minus buttons to zoom.

While Mr. JesusFreke is responsible for packaging this up for consumption, we can thank Mr. Luke Hutchison for the actual multitouch coding. His blog sheds more insight on the state of the multitouch implementation you're now playing with, and illustrates how it will soon improve. But let's play some more.
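
Steps 3 and 4 above leave a telnet server with root access running on the phone, so it is worth confirming that nothing is still listening once you're done. The script below is an added example, not part of the original guide or of JesusFreke's ROM: it reads a copy of the phone's /proc/net/tcp and reports any listener on the telnet port. It assumes telnetd uses the standard port 23, and the sample table inside it is constructed, not captured from a G1.

```shell
#!/bin/sh
# Added example: find telnet listeners in /proc/net/tcp output read from stdin.

TELNET_PORT=23   # assumption: telnetd listens on the standard telnet port

# hex_ip 0100007F -> 127.0.0.1. /proc/net/tcp stores IPv4 addresses
# byte-swapped on little-endian CPUs such as the G1's ARM.
hex_ip() {
    b1=$(printf %s "$1" | cut -c7-8); b2=$(printf %s "$1" | cut -c5-6)
    b3=$(printf %s "$1" | cut -c3-4); b4=$(printf %s "$1" | cut -c1-2)
    echo "$((0x$b1)).$((0x$b2)).$((0x$b3)).$((0x$b4))"
}

# Prints "<ip>:<port> uid=<owner> <scope>" for every LISTEN socket on the
# telnet port. Columns: sl local_address rem_address st ... uid ...
telnet_listeners() {
    while read -r _sl local _rem st _q _t _r uid _rest; do
        [ "$st" = "0A" ] || continue          # 0A = LISTEN (also skips header)
        [ "$((0x${local#*:}))" -eq "$TELNET_PORT" ] || continue
        ip=$(hex_ip "${local%%:*}")
        case $ip in
            127.*) scope=loopback-only ;;     # only apps on the phone can connect
            *)     scope=network-reachable ;; # 0.0.0.0 means every interface
        esac
        echo "$ip:$TELNET_PORT uid=$uid $scope"   # uid=0 is root
    done
}

# Constructed sample: a root listener on port 23, an unrelated listener on
# port 5037, and an established (state 01) telnet session that must be ignored.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 412 1
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 977 1
   2: 0100007F:0017 0100007F:8C21 01 00000000:00000000 00:00000000 00000000     0        0 1033 1
EOF
}

sample_proc_net_tcp | telnet_listeners
```

To check a real phone, pipe the output of `cat /proc/net/tcp` (typed at the telnet prompt, or fetched with `adb shell`) into telnet_listeners. No output means nothing is listening on that port.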

Download More Multitouch-Enabled Apps
In the flashed ROM you just installed, only the WebKit browser has been tweaked to accept multitouch input. But your fun shan't stop there. Hutchison has provided a few more demo apps, including a simple Google Maps app, photo browser and fun Multitouch visualizer. You can download them all in .apk package format from his site.

To install an APK package via the Android SDK, make sure you've enabled "Unknown sources" under Settings -> Applications, then follow these instructions for Windows or, for Mac:

1. Open the Terminal and navigate to the directory where you unzipped the Android SDK (you can auto-fill the Unix path to any file or directory in Finder by dragging it to the cursor point in Terminal):

cd

2. Then, with your phone plugged in via USB, type:

./tools/adb install

3. After the "Success" message, voila, the app is now on your phone.

And that's about it! Enjoy multitouch browsing, and for more Android hacking on the G1, check out these sites:

References
AndroidWiki
XDA Developers Wiki
XDA Developers Forum