A tool to automate the process of preparing an Android OTA image for analysis.
- Unpack kernel images (boot.img, recovery.img).
- Convert system image from sparse/sdat to ext4.
- Extract the ext4 system image.
- Calculate checksums for all the unpacked/extracted files.
- Differentiate checksum files between OTA versions.
- Decompile applications. (android < 8)
- Linux host.
- Python >= 3.7
./install.sh
You can either use the prep
command to use the entire pipeline or use each functionality separately when needed.
usage: candy [-h] {prep,unpack,extract,decompile,checksum} ...
Candy CLI Tools
positional arguments:
{prep,unpack,extract,decompile,checksum}
prep Prepare an OTA update for analysis
unpack Unpack kernel image
extract Convert and extract system images
decompile Decompile applications recursively
checksum Compute and differentiate checksum files
optional arguments:
-h, --help show this help message and exit
python3 candy.py prep -i unzipped_ota_directory -o output_directory
In this case the input directory should look like this
unzipped_ota_directory/
├── boot.img
├── recovery.img
├── system.img (if sparse)
├── system.new.dat (if sdat)
└── system.transfer.list (if sdat)
And the output directory should look like this.
output_directory/
├── apps/ (decompi)
├── boot/
├── recovery/
├── system/
├── checksums.txt
└── system.img
docker build -t "candytools" .
cd unzipped_ota_directory/
docker run -it -v ${PWD}:/ota --rm "candytools" prep -i /ota -o /ota/output -d
- Add comments to the code.
- Add tests.
- Automate the identification of files inside the OTA directory.
- Support split sparse images conversion.
- Support VDEX for decompilation (android >= 8).
- Deodexing by LIEF.
- Kernel image unpacking by AIK.
- Algorithm for converting sdat to ext4 from sdat2img.
- Converting sparse to ext4 by simg2img.
- Decompiling by JADX.
This project is under the GNU GPLv3 licence.
Saif Aziz (@wr3nchsr)