Run Hooker on Real Devices

January 6, 2015 ยท View on GitHub

This is the README file if you want to run Hooker experiments on a physical Android device. You can refer to the general README file to get a big picture of the Hooker project

Disclaimer: Use Hooker on real device AT YOUR OWN RISK.

Install TWRP recovery

In order to backup and restore your filesystem and applications of your Android device, Hooker uses the TWRP recovery (official site is here: http://teamw.in/project/twrp2). Once you have downloaded the version corresponding to your device, you can flash the new recovery this way:

  • boot into fastboot mode: $adb reboot bootloader

  • flash the TWRP recovery: $fastboot flash recovery openrecovery-twrp.img

Your custom recovery is now ready to go.

Backup a clean&ready state of the device

The next step is to backup a "clean and ready" state of your device, from which you will start from scratch after every experiments. To get this clean state, you need to install everything you need for an experiment. This means:

  • the Substrate application,
  • the APK-instrumenter application,
  • SuperSU,
  • busybox,
  • and any personnal stuff you need (additionnal contacts, SMS, etc.).

Please refer to main README to install the first two. Browse the web to install the rest.

Before continuing further, be sure you can execute commands like: su and busybox cp /sdcard/Alarms /sdcard/Alarms-test. If these commands don't run now, Hooker won't work.

Next mandatory step is to create a backup of your SD card:

$adb pull /sdcard ~/twrp-backup/sdcard/

You can then make a backup using TWRP recovery:

  • reboot into recovery mode : $adb reboot recovery

  • select Backup option, and chose every partition you want to backup (keep the default if you don't know what to chose). At minimal, chose System, Data and Boot.

  • launch the backup.

Once the backup process is finish, reboot and save the builded backup to your local system:

$adb pull /sdcard/TWRP/BACKUPS/ ~/twrp-backup/.

If you want Hooker to use this backup, you need to store the files generated by TWRP in a specific directory. This directory must be specified to hooker_xp through the configuration file (see next step). In order to keep a safe backup, it is recommanded to backup your ~/twrp-backup folder to another one which will be used by Hooker:

$ mkdir /tmp/backup && mkdir /tmp/backup/partitions && mkdir /tmp/backup/sdcard
$ cp -r ~/twrp-backup/$DEVICE-ID/DATE/* /tmp/backup/partitions
$ cp -r ~/twrp-backup/sdcard/* /tmp/backup/sdcard

Run Hooker

Launch experiments

To properly run Hooker on a physical Android device, you need to set the following specific parameters (sample file is available in hooker_xp/sampleAutomaticAnalysisOnRealDevice.conf):

  • in the [main] section: device=real,
  • in the [main] section: deviceid=your_device_id,
  • in the [analysis] section: type=automatic,
  • in the [analysis] section: backupLocation=directory/where/you/put/your/TWRP/backup,

And your done! You should be ready to play with hooker_xp script.

Remarks: when running Hooker on a real device:

  • you won't be able to simulate any external interactions (SMS, phone calls receiving, etc.), which means you cannot specify the scenario order "externalStimulation". This is because we (yet) cannot simulate this kind of actions with a real device (sadly)...
  • obviously, you won't be able to execute several experiments in parallel.