Autostart Android devices – it's easy! We reverse engineer and patch the bootloader and force the smartphone to turn itself on

image

This is an Android smartphone, don't be surprised 🙂

Android devices are usually written off as "useless" 5-10 years after their release. This is especially true for budget models that cannot cope with modern services, and for devices that were physically damaged at some point in their life. But while some people throw smartphones and tablets away as electronic trash, littering the planet, others try to find a use for everything, and it turns out that such devices can still be useful. Sometimes, however, the device needs to turn on by itself when a charger is connected, and this is where many people get stuck: shorting the power button contacts is often not enough! In today's article I will describe my experience powering such devices from power supplies, as well as implementing auto-start on different chipsets. Interested? Then read on!

❯ How and why?

The reader will probably ask: "What could 10-year-old Android devices possibly be needed for?" If you think about it a little, you will conclude that yesterday's gadgets can indeed be useful in many areas, and not only tablets but Android smartphones too. Besides "standard" uses like a nice Android clock with an alarm or, say, a multimedia station a la iPod, there are many more interesting applications for such devices. I have collected a few for myself:

  • HMI panel: these are smart programmable display modules that show information from microcontrollers or other devices on screen. With a 10-inch tablet you can make it very convenient to switch the operating modes of some equipment, or display readings from various sensors in a room in real time. Nothing stops you from putting such a tablet in your car to collect information about the engine.

    Android devices have a huge advantage over classic HMI displays: a 3D accelerator and the ability to show attractive visualizations, graphics and animation. In an upcoming project with my car, a VAZ 2110, I will show how to use a tablet for this purpose in practice.

  • Data collection: microcontrollers have too little built-in flash memory to store any large datasets and build statistics from them. You can, of course, attach a MicroSD card, but you cannot attach a separate flash drive to every device at once, and MicroSD is far from durable under constant rewriting. This is where such a tablet comes to the rescue: eMMC is usually far more durable than MicroSD, the data can be pulled off it (if there is no encryption), and the tablet's powerful processor can also process the incoming data and send it somewhere. Quite useful!

  • Use as a single-board computer: I wrote an article about this recently. Many budget tablets have a UART on the board that can be accessed from userspace and even from Java applications! So you can talk to microcontrollers over a wired interface, or drive the microcontroller's pins directly by implementing a firmware layer on the MCU.

  • Non-standard applications: here I just wanted to show off my project of turning a tablet into a game console using an external microcontroller 🙂

So, as we can see, yesterday's devices are far from useless, and with some ingenuity we can give them a second life and adapt them to work at some site. Obviously nobody will entrust anything serious to them, but a panel for ordering food at a snack bar, or something like a car head unit, why not?

However, sometimes the task is to make the device start automatically when the smartphone is connected to a charger, or even to run it from a stand-alone power supply circuit. The stand-alone power supply is relatively easy to implement: sometimes you can feed 5V from the power supply straight to VBat (the positive and negative battery contacts). MediaTek CPUs tolerate battery voltages up to 5.5-5.6V and do not burn out. But this is risky: if the power supply is poor and a surge occurs, there is a chance of killing the surrounding circuitry, the power controller or the switching transistors (the input from the USB side is usually protected against this). It is best to use a ~4.2V DC-DC converter rated for 1.5-2A.

image

A cobbled-together cable

Auto-start is the more interesting question. It all depends on how the power button is implemented and on the chipset: on Sony smartphones with Qualcomm chips, for example, it is sometimes enough to desolder the power button and bridge its contacts with a jumper, and everything works without any problems. But on some smartphones a permanently pressed power button forces the device into a reboot loop every 10 seconds, which may be unacceptable.

image

A few months ago a reader under the nickname @A1f gave me a Chinese iPhone 7 Plus running Android, just the way I like it 🙂 The device was working, but after the reader had taken it to a service center it somehow lost a couple of screws, the power button on the flex cable turned out to be broken, and the smartphone was not charging…

image

Beach packages and iPhones

I resolved the charging issue quickly: Chinese iPhones sometimes use their own "Lightning" connectors, which are incompatible with the original and cannot charge a real iPhone. Fortunately, the kit included a worn-out original cable, which I disassembled and soldered everything back together. Now both USB and charging work fine!

image
image
image

The button was the more interesting question: although finding it on the flex cable and attaching jumpers to it took 5 minutes, I did not look for the easy way and decided to implement auto-start on charger connection, just like on a real iPhone 🙂

image

And as you have already understood, simply putting a jumper on the Power contact will not get you far: the smartphone will constantly reboot. So I dumped the bootloader with SP Flash Tool and started tinkering with it in IDA Pro, since the device does not require unlocking the bootloader. The method works for many MediaTek devices, including some 67xx (you may have to unlock the bootloader), and on other chipsets the algorithm may be roughly similar; if it is not possible to modify the bootloader directly, you can implement auto-boot by patching boot.img.

❯ Reversing and patching

To implement auto-boot you need to patch the bootloader. Devices based on MediaTek chipsets have two of them: the first, Preloader, handles the initial initialization of peripherals and RAM, and the second, lk, initializes the display, loads the Linux kernel and hands control to it. The leaked source code of both Preloader and lk has been around on the net for a long time, so studying them is not a problem, and the idea is common to all devices.

So what happens when you turn on the smartphone? lk determines the so-called boot mode, which decides the partition the kernel is loaded from (boot or recovery) and the parameters passed to the kernel (atags). While lk is running, before loading the kernel and before showing the charging animation, the bootloader checks whether the power button is pressed, and if so, it immediately reboots the device into normal mode.

image

Yes, it's that simple! So all we have to do is patch the condition that checks the power button, so that the smartphone thinks the button is pressed when in fact it is not. In IDA Pro, lk is loaded at a memory offset of 0x0, and a debug string gives us the clue for finding the right instruction. IDA Pro builds all xrefs and string accesses automatically, so finding the required data is not difficult. We search for "[%s] PowerKey Pressed in Kernel Charging Mode Before Jumping to Kernel, Reboot Os" and look at all references to the memory address where the string begins.

image

image

Just above the printf call you can find our condition, which begins with the instruction CMP R0, #0. Immediately after it comes a BNE instruction, which skips the reboot and continues booting the system in "charging" mode. All we have to do is replace it with NOP in the hex editor built into IDA Pro, and the system, right after trying to start in charging mode, will reboot into normal mode, as if we had just turned on the smartphone with the button!
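The NOP patch above is a two- or four-byte edit, and a wrong offset silently produces a bootloader that will not boot. The following script is an added example, not the author's tool and not part of lk: given an lk dump and the file offset of the BNE located in IDA Pro, it checks that the bytes there really are a BNE preceded by CMP R0, #0 (in either Thumb or ARM encoding), writes a NOP of the matching width, and keeps a backup for re-flashing. The marker string is the one quoted in the article; the sample bytes, offsets and file names are constructed.

```python
"""Guarded patcher for the 'CMP R0, #0 ; BNE' check in an lk dump (added example)."""
import shutil
import sys
from typing import Optional

THUMB_NOP = b"\x00\xbf"             # 16-bit Thumb NOP (0xBF00), little-endian
ARM_NOP = b"\x00\x00\xa0\xe1"       # ARM-mode NOP: MOV R0, R0 (0xE1A00000)
THUMB_CMP_R0_0 = b"\x00\x28"        # CMP R0, #0 in Thumb (0x2800)
ARM_CMP_R0_0 = b"\x00\x00\x50\xe3"  # CMP R0, #0 in ARM (0xE3500000)

# Debug string quoted in the article; it is the anchor for finding the check in IDA.
MARKER = b"PowerKey Pressed in Kernel Charging Mode Before Jumping to Kernel"


def find_marker(blob: bytes, marker: bytes = MARKER) -> int:
    """File offset of the debug string, or -1 if this dump does not contain it."""
    return blob.find(marker)


def classify_branch(blob: bytes, offset: int) -> Optional[str]:
    """'thumb' for a 16-bit Thumb BNE at offset, 'arm' for a 32-bit ARM BNE, else None."""
    # Thumb B<cond>: 1101 cond imm8; cond NE = 0001, so the high byte is 0xD1.
    if offset + 2 <= len(blob) and blob[offset + 1] == 0xD1:
        return "thumb"
    # ARM B<cond>: cond 101 L imm24; cond NE = 0001 and L = 0 give a top byte of 0x1A.
    if offset + 4 <= len(blob) and blob[offset + 3] == 0x1A:
        return "arm"
    return None


def patch_bne_to_nop(blob: bytes, offset: int) -> bytes:
    """Return a copy of blob with the BNE at offset replaced by a same-width NOP.

    Refuses to touch anything that is not 'CMP R0, #0 ; BNE', so a wrong
    offset raises instead of corrupting the bootloader.
    """
    kind = classify_branch(blob, offset)
    if kind is None:
        raise ValueError(f"no BNE at 0x{offset:x}")
    if kind == "thumb":
        if offset < 2 or blob[offset - 2:offset] != THUMB_CMP_R0_0:
            raise ValueError("preceding Thumb instruction is not CMP R0, #0")
        nop = THUMB_NOP
    else:
        if offset < 4 or blob[offset - 4:offset] != ARM_CMP_R0_0:
            raise ValueError("preceding ARM instruction is not CMP R0, #0")
        nop = ARM_NOP
    return blob[:offset] + nop + blob[offset + len(nop):]


# Constructed stand-in for the relevant lk fragment (Thumb encoding); not a real dump.
SAMPLE_LK = (
    b"\x00\x28"            # CMP R0, #0
    + b"\x03\xd1"          # BNE +6: skips the reboot, stays in charging mode
    + b"\xff\xf7\xfe\xff"  # BL placeholder standing in for the printf call
    + b"\x00" * 4          # padding
    + MARKER + b", Reboot Os\x00"
)
SAMPLE_BNE_OFFSET = 2      # file offset of the BNE in SAMPLE_LK


def main(argv) -> int:
    """Usage: patch_lk.py lk.bin 0x<bne_offset>  (offset taken from IDA Pro)."""
    if len(argv) != 3:
        print(f"usage: {argv[0]} lk.bin 0x<bne_offset>")
        return 2
    path, offset = argv[1], int(argv[2], 0)
    with open(path, "rb") as f:
        blob = f.read()
    print(f"marker string at offset 0x{find_marker(blob):x}")
    shutil.copyfile(path, path + ".bak")  # keep the original for re-flashing
    with open(path, "wb") as f:
        f.write(patch_bne_to_nop(blob, offset))
    print(f"patched BNE at 0x{offset:x} -> NOP, backup in {path}.bak")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The offset still comes from IDA Pro, as in the article; the script only refuses to write when the instruction pair at that offset is not the one described, and it never touches the file header or anything else in the image.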

image

image

Flashing our new lk:

And we see that everything works! 🙂

❯ Second method

If there is no way to patch the bootloader, the second method comes into play: patching boot.img, the partition containing the device kernel and the ramdisk, which holds the device initialization scripts (*.rc). The point is that even in charging mode the smartphone loads the Linux kernel and the initial ramdisk and, depending on the boot mode, launches either app_process (the main Android process), which starts the system boot, or a special program, often called charger, located in /system/bin/ (sometimes in boot.img itself).

On smartphones with other chipsets this method may vary greatly, but I will give an example with Sony Ericsson smartphones from 2011 (I have an Xperia Play with a broken power button). There the device starts by executing the init.rc script, which in turn runs init.semc.rc and at the initialization stage launches the program chargemon, which shows the charging animation, turns the smartphone off if the cable is unplugged, and listens for the power button, continuing the boot process if the user holds it down. So the whole fix is to comment out this line 🙂


#exec /system/bin/chargemon

In the case of MTK you can also try patching init.rc so that it continues booting the system even when the cable is connected in charging mode. There are many ways; the main thing is to be resourceful and not be afraid to dig into something unfamiliar 🙂
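Editing an rc script inside a repacked ramdisk by hand is easy to get wrong (a stray change elsewhere in the file means a phone that stops at the bootloader). As an added example, not the author's script, here is a small helper that comments out exactly the `exec` line for the charging program, leaves every other line untouched, and is safe to run twice. The sample init.semc.rc fragment is constructed; only the `exec /system/bin/chargemon` line comes from the article, and `service` blocks (which would need the `disabled` option rather than a comment) are deliberately not handled.

```python
"""Comment out the charging program's `exec` line in an Android init *.rc file (added example)."""
import re
import shutil
import sys
from typing import Tuple


def disable_rc_exec(rc_text: str, program: str) -> Tuple[str, int]:
    """Return (new_text, lines_changed) with every `exec <program> ...` line commented out.

    Already-commented lines and unrelated lines are left alone, so running the
    function on its own output changes nothing.  Indentation is preserved so the
    line still reads as part of its `on <trigger>` section.
    """
    pat = re.compile(r"^(\s*)exec\s+" + re.escape(program) + r"(\s|$)")
    out, changed = [], 0
    for line in rc_text.splitlines(keepends=True):
        m = pat.match(line)
        if m:
            indent = m.group(1)
            out.append(indent + "#" + line[len(indent):])
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


# Constructed fragment in the style of init.semc.rc; not copied from a real device.
SAMPLE_INIT_SEMC_RC = (
    "on init\n"
    "    export PATH /sbin:/system/bin\n"
    "    exec /system/bin/chargemon\n"
    "    exec /system/bin/sh /system/etc/run_once.sh\n"
    "\n"
    "on boot\n"
    "    class_start default\n"
)


def main(argv) -> int:
    """Usage: disable_chargemon.py <path/to/init.semc.rc> [program]."""
    if len(argv) not in (2, 3):
        print(f"usage: {argv[0]} init.semc.rc [/system/bin/chargemon]")
        return 2
    path = argv[1]
    program = argv[2] if len(argv) == 3 else "/system/bin/chargemon"
    with open(path, "r", encoding="utf-8") as f:
        text = f.read()
    new_text, changed = disable_rc_exec(text, program)
    if changed == 0:
        print("nothing to do: no active exec line for", program)
        return 1
    shutil.copyfile(path, path + ".bak")  # keep the original ramdisk script
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    print(f"commented out {changed} line(s); backup in {path}.bak")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the extracted ramdisk before repacking boot.img; the non-zero exit when nothing matched is a cheap way to notice that the script you are patching is not the one that launches the charging program on this particular device.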

❯ Conclusion

As you can see, there is nothing complicated about implementing automatic start-up. Sometimes a jumper on the power button is enough, sometimes a boot.img patch, and sometimes a bootloader patch. In any case it is quite feasible in practice and lets you do fun things like what I did with my Chinese iPhone 🙂

I hope you found this material interesting and useful! Write in the comments if you have had to implement something similar and how you did it!

image

Friends, if you have similar Chinese devices and do not feel like trying to breathe life into them, but it is a pity to throw them away, you can donate them to me 🙂 As you can see, the devices end up in good hands. Just recently I took a non-working, water-damaged Chinese copy of the 14 Pro Max from a service center as my main smartphone. I also have a Telegram channel where I post behind-the-scenes material, notes about repairs, modding, programming and reverse engineering, my thoughts, and links to my new articles and videos. If anyone is interested, come and have a look!

