Last weekend, I built an update.zip package with a patched CA certificate store, and it took me quite some time to figure out the format of the zip file.
It turned out that most documentation still refers to the format that uses the update-script written in the "Amend" dialect. Since Donut (1.6), Android uses an alternative layout consisting of an updater-script and an update-binary. The binary parses the new script and is included in the zip file. For backward compatibility reasons, it's still possible to also add an update-script file.

The update scripts and binary should be placed in the folder "META-INF/com/google/android/", while the content of your package resides in the root of the zip file. This yields the following layout for the update.zip that I created:

META-INF/
+- com/
   +- google/
      +- android/
         +- update-script
         +- update-binary
         +- updater-script
system/
+- etc/
   +- sysctl.conf
   +- security/
      +- cacerts.bks

Note that the structure of META-INF is always the same, while the /system folder can be anything you need for your update (I think you can even mount and write to the sdcard).

After you have created your file hierarchy and put your own files in the root, you can populate the META-INF/com/google/android folder. The ARM update-binary can be found in a zip-file attached to this article. The updater-script should be written in Edify, a little scripting language from the Android project. The official README gives some background, but a quite complete description of all the commands is found on Synfulgeek.com.

My little script mounts the /system partition, copies the files and sets the permissions. In Edify:

ui_print("Android Security Enhancements");
ui_print("By: Michiel Fokke - fokke.org/android");
show_progress(1.000000, 0);
ui_print(" Mounting /system");
mount("MTD", "system", "/system");
set_progress(0.100000);
ui_print(" Deleting /etc/sysctl.conf");
delete("/system/etc/sysctl.conf");
set_progress(0.200000);
ui_print(" Deleting /etc/security/cacerts.bks");
delete("/system/etc/security/cacerts.bks");
set_progress(0.300000);
ui_print(" Extracting files to /system");
package_extract_dir("system", "/system");
set_progress(0.400000);
ui_print(" Setting permissions to 0644...");
set_perm(0,0,0644,"/system/etc/sysctl.conf","/system/etc/security/cacerts.bks");
set_progress(0.500000);
ui_print(" Unmounting /system");
unmount("/system");
set_progress(0.900000);
ui_print("Update complete. Have a safe Android!");
set_progress(1.000000);

If your code is compatible with Cupcake (1.5) or lower, you might want to also include the legacy update-script that was written in Amend:

show_progress 0.5 0
delete SYSTEM:etc/sysctl.conf
delete SYSTEM:etc/security/cacerts.bks
copy_dir PACKAGE:system SYSTEM:
set_perm 0 0 00644 SYSTEM:etc/sysctl.conf
set_perm 0 0 00644 SYSTEM:etc/security/cacerts.bks
show_progress 0.1 10

An overview of the Amend command syntax is found in the documentation on Lorenz's Blog.

At this point the package is complete and you can create the zip-file. In Linux this can be done (while in the root of the package) with:

zip -r ../update.zip *

Android requires you to sign your packages with a digital signature. I included a jar file that can take care of this. It contains an unencrypted sample key, that you could optionally exchange for your own key. Download the jar file and put it in the same folder as the newly created update.zip. The zip-file is signed with the following command:

java -classpath testsign.jar testsign update.zip update-signed.zip

The signed zip-file contains three additional files, the first two contain hashes of all files in the zip-file and the last one (CERT.RSA) a digital signature:

META-INF/
+- MANIFEST.MF
+- CERT.SF
+- CERT.RSA
+- com/
   +- google/
      +- android/
         +- update-script
         +- update-binary
         +- updater-script
system/
+- etc/
   +- sysctl.conf
   +- security/
      +- cacerts.bks

At this stage, the file update-signed.zip can be put on the SD-card of an Android phone and applied to the system from a recovery ROM.

Attachment          Size
update-binary.zip   153.63 KB
testsign.jar        13.16 KB
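The signed layout described above can be checked before a package goes onto a device. The Python below is an added example, not code from the original post or from testsign.jar: it confirms the required files are present and that every file matches its digest in MANIFEST.MF. It assumes the signer writes SHA1-Digest entries in standard JAR manifest syntax, and it checks digests only, so it does not verify CERT.RSA or say who signed the package. All function names are hypothetical and the sample package is constructed in memory.

```python
import base64
import hashlib
import io
import zipfile

UPDATER = "META-INF/com/google/android/"
REQUIRED = [UPDATER + "update-binary", UPDATER + "updater-script"]
SIG_FILES = ["META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"]

def sha1_b64(blob):
    return base64.b64encode(hashlib.sha1(blob).digest()).decode()

def parse_manifest(text):
    """Map entry name -> SHA1-Digest (assumed attribute name) from MANIFEST.MF."""
    # Manifests wrap long lines; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = [dict(l.split(": ", 1) for l in s.split("\n") if ": " in l)
                for s in text.split("\n\n")]
    return {a["Name"]: a["SHA1-Digest"] for a in sections
            if "Name" in a and "SHA1-Digest" in a}

def check_package(data):
    """Return a list of problems in update.zip bytes; empty means consistent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
        problems = ["missing " + p for p in REQUIRED + SIG_FILES if p not in names]
        if SIG_FILES[0] not in names:
            return problems  # unsigned: nothing to compare digests against
        digests = parse_manifest(zf.read(SIG_FILES[0]).decode("utf-8"))
        for name in sorted(names - set(SIG_FILES)):
            if name not in digests:
                problems.append("not in manifest: " + name)
            elif digests[name] != sha1_b64(zf.read(name)):
                problems.append("digest mismatch: " + name)
    return problems

def build_sample(tamper=False):
    """Constructed sample package (placeholder contents, not real files)."""
    files = {p: b"constructed" for p in REQUIRED + ["system/etc/sysctl.conf"]}
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (n, sha1_b64(b)) for n, b in files.items())
    if tamper:  # change a file after its digest was recorded
        files["system/etc/sysctl.conf"] += b"!"
    files.update(zip(SIG_FILES, (manifest.encode(), b"placeholder", b"placeholder")))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in files.items():
            zf.writestr(name, blob)
    return buf.getvalue()
```

To check a real package, pass its bytes: check_package(open("update-signed.zip", "rb").read()).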



Thank you for sharing this info. I've been looking all over and have found a lot on the subject - but it's utterly confusing and you're the first I've come across who has delivered a concise and lucid recitation on the matter; along with all the necessary materials. :-)