@tovask
Last active January 23, 2024 17:38
Get control over a Samsung Galaxy S4 (GT-I9505, totally broken screen, USB debugging NOT enabled) from Linux with the help of CWM and adb

My friend gave me an Android phone (Samsung Galaxy S4 I9505XXUHPK2) because he didn't want to use it any more. It was a perfectly working modern device with only one problem: its screen was broken. It often happens to big touch-screen phones that the screen gets cracked somehow while the other functions keep working fine. So I was happy that I got a fully functioning phone, until he explained that broken screen means it's totally broken: no touch detection and no display! But apart from this small drawback, it seemed to be all right: it automatically connected to a known Wi-Fi network and its alarm clock also went off sometimes. The only responses from it were a status LED in the top-left corner (which helped to detect whether it was currently booting); the backlight of the menu and back buttons (which was the only way to find out whether I had just turned the screen on or off); and the vibration (which also indicated a boot start, or a new message to his Facebook account).

The first try was to access it with ADB over USB. I downloaded the adb binary (it's a stand-alone executable; the other files from the zip are not needed for this), turned on the phone, connected it over USB, and looked at what I could see. Well, USB debugging seemed NOT to be enabled; ADB couldn't see the device:

$ ./adb devices
List of devices attached

$

However, it appeared on the USB bus (not with its real name, but something similar):

$ lsusb
  ...
Bus 001 Device 006: ID 04e8:6860 Samsung Electronics Co., Ltd GT-I9100 Phone [Galaxy S II], GT-I9300 Phone [Galaxy S III], GT-P7500 [Galaxy Tab 10.1]
  ...

And I could see it as an MTP device, and somehow could copy the public files from it (like photos and downloaded documents). (The files didn't appear immediately; I plugged the USB cable in and out a few times, and after ~5 minutes Android changed something in itself and showed me the files. Maybe there was a confirmation message or something similar on the screen that I couldn't see...)

For the next step, I searched for a hack to get access to the phone. I found a Samsung bug which allows sending AT commands (modem commands, usually for GSM) and can turn on USB debugging. But unfortunately I couldn't get it to work on this device. (I think it successfully switched to the secondary USB configuration, but I couldn't get any response to AT commands.)

The next option was to install some custom software which runs at boot time. After some searching, I chose ClockworkMod (CWM) recovery, and planned to install it with Odin. (One additional challenge was that my host OS is Linux and Odin runs under Windows, so I set up VirtualBox and passed the USB bus through. For that, I needed to add the VirtualBox Extension Pack (install it from the command line as root: vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-VERSION.vbox-extpack) and add my user to the vboxusers group: usermod -a -G vboxusers myusername, then log out and log in for it to take effect.)

Downloading Odin and CWM wasn't as straightforward as I expected. There are a lot of versions and recommendations in different blogs, no clear trustworthy source, and most of them are several years old, so I downloaded some of them and started to try different combinations.
Getting the phone into recovery boot or download mode was also exciting, since the screen was totally dark all the time. So I searched for YouTube videos about booting into non-standard modes and tried to do it in sync with the video, hoping my screen would look similar. (My experience: To boot into download mode: hold the volume down and the home button while pressing the power button; after 3 sec it will vibrate; wait 1 more sec, then release all 3 buttons; wait 1 sec; press the volume up button once. To boot into recovery: hold the volume up and the home button while pressing the power button; after 6 sec release the power button; wait 7 more sec, then release all buttons; wait 3 sec (maybe press the power button if nothing happens).)

For the first few times, it got stuck at SetupConnection..., but after restarting the whole procedure, it finally showed the PASS! message. After that I tried to boot the phone into this new recovery and see if ADB could connect to it. It took a while to get a successful install and a boot into a recovery that seemed to work. Some of them were invisible to ADB, some of them didn't even show up in the USB list, so I tried out a lot of combinations (other Odin versions, other CWM builds). (There was one which ADB showed as 'unauthorized'. There was also an issue with the udev rules.)
So finally my working combination was Odin v3.10.6 (from here) and GalaxyS4-CWM-6.0.4.4-GT-i9505.tar (from here) (I selected the .tar as 'AP' in Odin).

$ lsusb
  ...
Bus 001 Device 025: ID 18d1:d001 Google Inc.
  ...
$ ./adb kill-server && ./adb devices
List of devices attached
* daemon not running. starting it now at tcp:5037 *
* daemon started successfully *
8fc67154        recovery

And with adb shell, I got a root shell!

After this, the first thing was to get the contacts off the phone, since they're the most valuable. It was easily done with a few commands:

$ ./adb shell
~ # mount data
~ # ls /data/data/com.android.providers.contacts/databases/
contacts2.db      contacts2.db-wal  profile.db-shm
contacts2.db-shm  profile.db        profile.db-wal
~ # exit
$ ./adb pull /data/data/com.android.providers.contacts/databases/contacts2.db ./
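
The listing above shows contacts2.db-wal and contacts2.db-shm beside the database, so it is in SQLite write-ahead-log mode, where committed rows can sit in the -wal file until a checkpoint. The following added example (not part of the original gist; the table is a constructed stand-in, not the real contacts schema) shows what a pull of only the main file can miss:

```python
import os
import shutil
import sqlite3
import tempfile


def make_live_db(path):
    """Constructed stand-in for contacts2.db (not the real contacts schema)."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL").fetchall()
    con.execute("PRAGMA wal_autocheckpoint=0").fetchall()  # leave later commits in the -wal
    con.execute("CREATE TABLE people (_id INTEGER PRIMARY KEY, display_name TEXT)")
    con.execute("INSERT INTO people (display_name) VALUES ('Alice Example')")
    con.commit()
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()  # Alice moves to the main file
    con.execute("INSERT INTO people (display_name) VALUES ('Bob Example')")
    con.commit()  # Bob is committed, but only the -wal file holds him
    return con    # kept open: a clean close would checkpoint and remove the -wal


def names(db_path):
    """Read the display names from one pulled copy."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT display_name FROM people ORDER BY _id").fetchall()
        return [r[0] for r in rows]
    finally:
        con.close()


def compare_pulls():
    """Copy the live database with and without its -wal file, as two separate pulls would."""
    with tempfile.TemporaryDirectory() as tmp:
        dirs = {n: os.path.join(tmp, n) for n in ("device", "db_only", "db_and_wal")}
        for d in dirs.values():
            os.mkdir(d)
        src = os.path.join(dirs["device"], "contacts2.db")
        live = make_live_db(src)
        try:
            shutil.copy(src, dirs["db_only"])
            shutil.copy(src, dirs["db_and_wal"])
            shutil.copy(src + "-wal", dirs["db_and_wal"])
        finally:
            live.close()
        return (names(os.path.join(dirs["db_only"], "contacts2.db")),
                names(os.path.join(dirs["db_and_wal"], "contacts2.db")))


if __name__ == "__main__":
    db_only, db_and_wal = compare_pulls()
    print("contacts2.db alone:     ", db_only)
    print("contacts2.db + its -wal:", db_and_wal)
```

Opening a pulled copy lets SQLite checkpoint and delete the -wal next to it, so work on a duplicate and keep the pulled files untouched.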

The next step was to turn on USB debugging in the normal running mode. The file /data/property/persist.sys.usb.config didn't exist, so I created it:

$ ./adb shell
~ # mount data
~ # echo 'mtp,adb' > /data/property/persist.sys.usb.config
~ # umount data

I rebooted the phone into standard Android, hoping that I could now connect to it with ADB, but it did not work.
So I added the following lines to /system/build.prop (found here):

persist.service.adb.enable=1
persist.service.debuggable=1
persist.sys.usb.config=mtp,adb

I rebooted to see if this worked. Well, at least I tried to reboot; I think it didn't boot into Android but got stuck somewhere before, as the LED at the top-left corner wasn't showing anything (it is supposed to be blue). I restored the original build.prop (I had made a backup before modifying it), and then it rebooted into Android (still no ADB, but fortunately I didn't destroy the device with that).

Following this solution, I changed some records in /data/data/com.android.providers.settings/databases/settings.db. In the global table: adb_enabled to 1, and I created (because they didn't exist) development_settings_enabled with value 1 and verifier_verify_adb_installs with value 1; in the secure table, adb_notify with value 1 and adb_port with value -1. Then, hopefully, I rebooted the phone. And ADB still saw nothing...

After searching and trying for hours, I found this solution (it tries to change the settings database, which didn't work for me). (I copied the adbkey.pub file to the device, as described; I don't know if it helped.) And it pointed out an important detail: file permissions may matter. When I push a file with adb, it sets its permissions to rw-rw-rw- root:root, but the original permissions of /system/build.prop were rw-r--r--. After I corrected that:

$ ./adb shell
~ # mount system
~ # chmod 644 /system/build.prop
~ # ls -l system/build.prop
-rw-r--r--    1 root     root          7893 Oct  3 18:41 system/build.prop
~ # umount system
~ # reboot system

And it booted up and adb could access it!!!

$ lsusb && ./adb devices
  ...
Bus 002 Device 019: ID 04e8:6860 Samsung Electronics Co., Ltd GT-I9100 Phone [Galaxy S II], GT-I9300 Phone [Galaxy S III], GT-P7500 [Galaxy Tab 10.1]
  ...
List of devices attached
8fc67154        device

Some useful commands:

To continuously capture the screen as an image:

#!/bin/bash
while true
do
    ./adb shell screencap -p | perl -pe 's/\x0D\x0A/\x0A/g' > screen.png.tmp
    mv screen.png.tmp screen.png
    sleep 0.1
done
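
The perl filter in the loop above undoes an LF-to-CRLF translation of the binary stream; applied to a stream that was not translated, the same filter damages a good image, because the PNG signature itself contains the bytes 0D 0A. An added Python sketch (not from the original gist; the sample image is constructed in the code) that converts only when the translated signature is present and then verifies every chunk CRC:

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MANGLED_SIG = PNG_SIG.replace(b"\n", b"\r\n")  # signature after LF -> CRLF translation


def chunk(kind, body):
    """Serialize one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def sample_png():
    """Constructed 1x1 grayscale PNG used as sample input (not device output)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x0a")  # filter byte + one pixel of value 0x0A
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def chunks_ok(png):
    """Walk every chunk and check its CRC; False on truncation or mismatch."""
    if not png.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        kind = png[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(png):
            return False
        body, crc = png[pos + 8:end], png[end:end + 4]
        if struct.pack(">I", zlib.crc32(kind + body) & 0xFFFFFFFF) != crc:
            return False
        if kind == b"IEND":
            return end + 4 == len(png)  # nothing may follow the final chunk
        pos = end + 4
    return False


def normalize_screencap(raw):
    """Return a valid PNG, undoing CRLF translation only when it is present."""
    if raw.startswith(MANGLED_SIG):
        raw = raw.replace(b"\r\n", b"\n")
    if not chunks_ok(raw):
        raise ValueError("not a complete PNG (truncated or corrupted capture)")
    return raw
```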

Screen stream to vlc:

./adb shell screenrecord --size 720x1280 --time-limit 180 --output-format=h264 - | vlc --demux h264 -

Remove screen lock (from recovery):

~ # cd /data/system/
/data/system # mv gesture.key gesture.key.orig
/data/system # mv locksettings.db locksettings.db.orig
/data/system # mv locksettings.db-shm locksettings.db-shm.orig
/data/system # mv locksettings.db-wal locksettings.db-wal.orig
/data/system # cd /
~ # umount data
~ # reboot system

Unlock the screen (a simple swipe on a 1080x1920 screen; get the size with wm size):

$ ./adb shell input swipe 200 1500 800 1500

I wrote a minimal webpage to control the touch screen (but only use it if you fully understand what you are doing): https://gist.github.com/tovask/f487a1dde8bec50d148ba37c3e10f6ff


V6lhost commented Jan 23, 2024

Awesome. I do the same things with the Exynos version, but I can't open adb :(
