In this post we will go through a full cycle of building a custom AOSP image, flashing it on a Pixel phone, and then restoring to original stock image. We will use Pixel 4 (codenamed as “flame”) as the device example. We will walk through in a succinct manner without detailed explanations.
Prepare the Device
- Note the Android build number
- Click “Settings”/”About Phone”.
- In my case it is “QQ3A.200805.001”
- Enable developer options
- click on “Build Number” row 7 times to enable developer options
- Enable “OEM unlocking”
- Toggle “Settings”/”System”/”Advanced”/”Developer Options”/”OEM unlocking”
Build AOSP Image
Prepare the host
My host is Ubuntu 20.04. Generally we are following this guide from Google. Below is a quick gist.
sudo apt-get install git-core gnupg flex bison build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z1-dev libgl1-mesa-dev libxml2-utils xsltproc unzip fontconfig sudo apt install python2 #repo needs python sudo usermod -aG plugdev $LOGNAME apt-get install android-sdk-platform-tools-common # install udev rules and adb
Download AOSP source
Generally we are following this guide from Google. Below are some specific steps.
- Find exact branch/tag that matches device current build.
- Go to the Android build tag page
- Search for the build number noted at the previous step
- Find corresponding AOSP tag. In my case, it is “android-10.0.0_r41”
- Check out this branch
mkdir android-10.0.0_r41-shallow cd android-10.0.0_r41-shallow repo init --depth=1 -u https://android.googlesource.com/platform/manifest -b android-10.0.0_r41 repo sync --force-sync --no-clone-bundle --no-tags -j$(nproc)
Fetch Proprietary Binaries
- Go to Google proprietary binary page
- Find the section corresponding to your device (Pixel 4 in my case) and the build number (“QQ3A.200805.001”)
- Download tarballs from Google and Qualcomm
- Untar them under the root directory of AOSP source tree
cd ~/work/android/android-10.0.0_r41-shallow tar xzf ~/Downloads/google_devices-flame-qq3a.200805.001-a7a5499d.tgz tar xzf ~/Downloads/qcom-flame-rp1a.200720.009-1157dde5.tgz ./extract-google_devices-flame.sh ./extract-qcom-flame.sh
source build/envsetup.sh lunch aosp_flame-userdebug m
Note “flame” is the codename for Pixel 4. If you have a different device, you should use a different target. See Pixel factory image page for device codenames.
Command ‘m’ starts the build process, which can take very long. My laptop has AMD Ryzen™ 7 Pro 4750U Processor (1.70 GHz, up to 4.10 GHz Max Boost, 8 Cores, 16 Threads, 8 MB Cache) and has a fast NVME SSD disk. It takes about 2.5 hours to finish the build.
Flash AOSP Built Image
- On the phone, enable OEM unlocking and USB debugging
- Toggle “Settings”/”System”/”Advanced”/”Developer options”/”USB debugging”
- Toggle “Settings”/”System”/”Advanced”/”Developer options”/”OEM unlocking”
- On the PC in the same terminal where you just build the AOSP image
adb devices # it should show the phone device attached over ADB adb reboot bootloader # reboot to fastboot fastboot devices # it should show the phone device attached over ADB fastboot flashing unlock fastboot flashall -w
During “fastboot flashing unlock” step, you need to following instruction on the screen, press up/down volume button to select “unlock bootloader”, and press power button to commit.
If things go smoothly, phone will reboot a couple of times and eventually boots into the freshly built AOSP image with root access.
Restore to Stock ROM Image
After you played enough with the AOSP image, you may want to return to the original retail state. Google has made it easy recently.
- Open Chrome browser and go to “https://flash.android.com”
- Allow browser to connect to the device
- Go to Pixel 4 factory image page and find the desired build number to flash
- Just for fun, I’m selecting Android 11, build number RQ1A.210205.004.
- Select “Wipe device” and “Lock bootloader”
- Click “Confirm” to start the process.
What If Things Go Wrong?
Things can go wrong when phone does not boot up anymore. It can be due to build AOSP build, or something due to mismatch between AOSP image and baseban/firmware version (BTW, this is the reason why this guide asks you to download the same version of AOSP that matches existing build).
- Go to Pixel 4 factory image page and download a version of your choice
- Power up phone and go to fastboot or bootloader mode
- Your phone may automatically go to this mode if AOSP image fails to boot up
- Untar the the image and flash from terminal
- Make using recent or latest fastboot program
- Go to the downloaded factory image directory, “./flash-all.sh”
unzip flame-qq3a.200805.001-factory-d93c74e6.zip cd flame-qq3a.200805.001/ fastboot devices # make sure phone is connected ./flash-all.sh
(Bonus) How to Add a System Privileged App
Before Android 10, you simply re-mount /system as rw and push apk into /system/priv-app/
adb root adb shell remount -orw,remount /system adb push my-app.apk /system/priv-app adb reboot # to complete the app installation
Since Android 10, /system is mounted as root and cannot be re-mounted as rw. Instead you will need to use “adb remount” to enable overlay FS for any modification.
adb root adb remount # if this is first time, "adb reboot" to disable verity first adb push my-app.apk /system/priv-app adb reboot # to complete the app installation
Often times you need to assign PivilegedOrSystem level permissions to system apps (which is why you want to install system app at the first place). Starting from Android 8.1, you will need to explicitly whitelist these permissions in system xml files.
For example, to give READ_PRIVILEGED_PHONE_STATE permission to a testing app,
net.junsun.idattestation, you need to create the following file on phone, /etc/permissions/priv-app/privapp-permissions-idattestation.xml
<?xml version="1.0" encoding="utf-8"?> <!-- This XML file declares which signature|privileged permissions should be granted to privileged applications that come with the platform --> <permissions> <privapp-permissions package="net.junsun.idattestation"> <permission name="android.permission.READ_PRIVILEGED_PHONE_STATE"/> </privapp-permissions> </permissions>