Android Developer

With over five hundred smartphones in my collection, I have completed hundreds of projects centered around Android, Windows Mobile and iOS. Before smartphones became widespread, I worked on numerous projects involving flip phones, PDAs, etc.

Each phone in my collection is part of a unique project ranging from anything like acting as a bluetooth File server or acting as a remote IP camera, to serving as a full PHP/SQL/FTP/DHCP server or being the platform for the development of a custom ROM. At very least each phone is rooted and has a ROM I modified for that model specifically flashed to it. In the case a phone can’t be rooted (ZTE has a couple that come to mind), I usually find these phones make great security studies. The ZTE phones, for instance, have a security measure similar to Deep Freeze by storing system critical files in a mounted and temporary RAM drive, leaving the real files always encrypted and hidden.

A bunch of Smartphones in my collection of hacks and projects


Collection of Smartphone Waiting In Line To Be Opened

Some of the major projects include:

Custom ROM builds 

These examples involves major system alterations to the Android build that require rooting, partition resizing and flashing, init.d and kernel modifications, service modifications, apk decompile and recompile events, etc.

  • Motorola Nexus 6 MRA58K Marshmallow
  • LG Nexus 4 MY48M Lollipop
  • Amazon Kindle Fire HD (converted to Google Play Device)
  • Samsung Galaxy S2 GT-I9100 SprintROM
  • Samsung Galaxy S3 JZO54K Jelly Bean
  • Samsung Galaxy Ace s765c Build
  • LG Volt LS720 KOT491 KitKat
  • LG Optimus Zone 3 VS425PP Lollipop
  • LG Optimus Zone 2 VS415PP
  • LG Optimus Zone 1 VS410PP
  • LG Tribute LS660 KVT49I
  • LG Tribute 2 LS665 LMY47V
  • LG Lucky LGL16CB Build
  • LG Sunrise LGL15C Build (Same as Lucky, but GSM)
  • LG Sunset LGL33L Build
  • Pantech Breakout S8995VWCA55F.BB
  • ZTE Paragon Z753G Build
  • ZTE Speed ZTE9130ABB

For example, here is the structure for a custom ROM built for the LG Esteem. In this example, this is deployed in CWM Recovery once the phone is rooted as shown further below.

.android_secure.vfat.tar -- Move2SD Platform 100% Custom
boot.img -- Stock LG Boot Partition
cache.yaffs2.img -- Cache With Modifications for /SDCard Mounting
data.yaffs2.img -- Data Partition 100% Custom
nandroid.md5 -- Md5 Checksum
recovery.img -- CWM Recovery by ClockworkMod
system.yaffs2.img -- LG Stock System Partition with Heavy Modifications (40% Custom)

Rooting Techniques

Rooting can be challenging for some, but as rooting methods have become easier to implement using ADB Debug tools, I always try to look for more challenging root methods. In my collection I have:

  • Successfully rooted over 250 Android smartphones
  • Jailbroken over 50 iOS smartphones
  • Developed new rooting methods based on prior developers work
  • Temp rooted three ZTE models that have never been rooted before
LG VS720 Flash Recovery Tool by David Maiolo

Here I modify an LG Esteem Root script by Dan Rosenberg (@djrbliss) to allow for automatic root flashing…

echo Waiting for device...
adb kill-server
adb wait-for-device

echo Push Zergrush...
adb push zergrush /data/local/tmp/zergrush
adb shell "chmod 755 /data/local/tmp/zergrush"
adb shell "echo exit | /data/local/tmp/zergrush"

echo Install Root Tools...
adb shell /data/local/tmp/sh -c "mount -orw,remount /dev/block/system /system"
adb shell /data/local/tmp/sh -c "mkdir /system/tmp"
adb shell /data/local/tmp/sh -c "chmod 777 /system/tmp"
adb push su /system/tmp/su
adb push busybox /system/tmp/busybox
adb push Superuser.apk /system/tmp/Superuser.apk

echo Installing flash_image... 
adb push flash_image system/tmp/flash_image
adb shell /data/local/tmp/sh -c "mv /system/tmp/flash_image /system/xbin/flash_image"
adb shell /data/local/tmp/sh -c "chmod 777 /system/xbin/flash_image"

echo Installing recovery.img...
adb push recovery.img system/tmp/recovery.img
adb shell /data/local/tmp/sh -c "mv /system/tmp/recovery.img /system/xbin/recovery.img"

echo Installing super user... 
adb shell /data/local/tmp/sh -c "mv /system/tmp/su /system/xbin/su"
adb shell /data/local/tmp/sh -c "mv /system/tmp/Superuser.apk /system/app/Superuser.apk"
adb shell /data/local/tmp/sh -c "mv /system/tmp/busybox /system/xbin/busybox"
adb shell /data/local/tmp/sh -c "chown root /system/xbin/su"
adb shell /data/local/tmp/sh -c "chmod 4755 /system/xbin/su"
adb shell /data/local/tmp/sh -c "ln -s /system/xbin/su /system/bin/su"

echo Installing busybox... 
adb shell /data/local/tmp/sh -c "chmod 755 /system/xbin/busybox"
adb shell /data/local/tmp/sh -c "/system/xbin/busybox --install /system/xbin/"

echo Flashing Recovery to CWM...
adb shell /data/local/tmp/sh -c "/system/xbin/flash_image recovery /system/xbin/recovery.img"

echo Cleaning up...
adb shell /data/local/tmp/sh -c "rmdir /system/tmp"
adb shell /data/local/tmp/sh -c "rm /system/xbin/recovery.img"
adb shell "rm /data/local/tmp/* 2>/dev/null"

echo Rebooting into CWM recovery...
adb reboot recovery

Faraday Cages: Antenna and Chipset Shielding

Communication with vendors and manufactures is a key security requirement on many handsets. By utilizing shielding techniques, I have been able to bypass security measures including:

  • Block Verizon application expiration checking on Samsung Gusto 2 and 3 flip phones
  • Bypass Verizon service checks to allow data and voice on unactivated phones
  • Downgrade LG and ZTE  mandatory security patches

* I have always worked with my collection as a personal challenge, and do not sell or distribute any techniques that comprise the security of a manufacturer or cellular provider, so please don’t ask

Shielding Used to Block Certain Verizon Packets

Client / Server Projects

The tiny chips carried inside our smartphones carry a wealth of untapped power. Throughout the years I have turned these little devices into all sorts of servers, including:

DHCP, UPnP, DNS, Email (POP3 / SMTP), FTP Proxy, FTP, FTPS, FTPES, Load Balancer, MySQL, NFS, PHP, PXE, Port Forwarder, RTMP, Remote Control, SMB/CIFS,  SFTP, SSHTFTP, Telnet, Time, Torrent Client, Torrent TrackerVNC, VPN, Wake On Lan, Web,  X11!

FTP/PHP/SQL/JavaScript Web Hosting On Android

For a time, this very portfolio website was hosted on a single smartphone! Here are some instances of different projects involving servers hosted on Android devices.

PHP Being Served on Android
PHP Being Served on Android


SQL Server Hosted on Android
SQL Server Hosted on Android


MyCollegeExchange Hosted on Android
MyCollegeExchange Hosted on Android


FTP Server Hosted on Nexus 6
FTP Server Hosted on Nexus 6

Here are some random IC shots from various projects:

DSC_3553 DSC00026A


Leave a Comment