Howto: create an Android update.zip package
Last weekend, I built an update.zip package with a patched CA certificate store, and it took me quite some time to figure out the format of the zip file.
It turned out that most documentation still refers to the format that uses the update-script written in the "Amend" dialect. Since Donut (1.6), Android uses an alternative layout consisting of an updater-script and an update-binary. The binary parses the new script and is included in the zip file. For backward compatibility reasons, it's still possible to also add an
The update scripts and binary should be placed in the folder "META-INF/com/google/android/", while the content of your package resides in the root of the zip file. This yields the following layout for the update.zip that I created:
Note that the structure of META-INF is always the same, while the /system folder can be anything you need for your update (I think you can even mount and write to the sdcard).
After you have created your file hierarchy and put your own files in the root, you can populate the META-INF/com/google/android folder. The ARM update-binary can be found in a zip-file attached to this article. The updater-script should be written in Edify, a little scripting language from the Android project. The official README gives some background, but a quite complete description of all the commands is found on Synfulgeek.com.
My little script mounts the /system partition, copies the files and sets the permissions. In Edify:
ui_print("Android Security Enhancements");
ui_print("By: Michiel Fokke - fokke.org/android");
ui_print(" Mounting /system");
mount("MTD", "system", "/system");
ui_print(" Deleting /etc/sysctl.conf");
ui_print(" Deleting /etc/security/cacerts.bks");
ui_print(" Extracting files to /system");
ui_print(" Setting permissions to 0644...");
ui_print(" Unmounting /system");
ui_print("Update complete. Have a safe Android!");
If your code is compatible with Cupcake (1.5) or lower, you might want to also include the legacy update-script that was written in Amend:
show_progress 0.5 0
copy_dir PACKAGE:system SYSTEM:
set_perm 0 0 00644 SYSTEM:etc/sysctl.conf
set_perm 0 0 00644 SYSTEM:etc/security/cacerts.bks
show_progress 0.1 10
An overview of the Amend command syntax is found on Lorenz's Blog.
At this point the package is complete and you can create the zip-file. On Linux this can be done (while in the root of the package) with:
zip -r ../update.zip *
Android requires you to sign your packages with a digital signature. I included a jar file that can take care of this. It contains an unencrypted sample key that you could optionally exchange for your own key. Download the jar file and put it in the same folder as the newly created update.zip. The zip-file is signed with the following command:
java -classpath testsign.jar testsign update.zip update-signed.zip
The signed zip-file contains three additional files: the first two contain hashes of all files in the zip-file, and the last one (CERT.RSA) contains a digital signature:
At this stage, the file update-signed.zip can be put on the SD-card of an Android phone and applied to the system from a recovery ROM.
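As an added example (not code from this article or from the signing tool), the following Python script checks a signed package before it goes onto the SD-card: the script, binary and signature files described above are present, and every other entry matches its hash in the manifest. It assumes the standard JAR signing names META-INF/MANIFEST.MF and META-INF/CERT.SF and SHA1-Digest attributes; the sample package is constructed, and the signature in CERT.RSA itself is not validated.

```python
import base64, hashlib, io, zipfile

SIG_FILES = ("META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA")  # assumed names
SCRIPT_DIR = "META-INF/com/google/android/"
REQUIRED = SIG_FILES + (SCRIPT_DIR + "updater-script", SCRIPT_DIR + "update-binary")

def b64sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def parse_manifest(text):
    """Map entry name -> base64 SHA-1; sections end at blank lines, long lines wrap."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo continuation lines
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests

def check_update_zip(data):
    """List the problems in a signed update.zip; an empty list means consistent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
        problems = ["missing " + r for r in REQUIRED if r not in names]
        manifest = zf.read(SIG_FILES[0]).decode("utf-8") if SIG_FILES[0] in names else ""
        digests = parse_manifest(manifest)
        for name in sorted(names - set(SIG_FILES)):
            if name not in digests:
                problems.append("not in manifest: " + name)
            elif digests[name] != b64sha1(zf.read(name)):
                problems.append("digest mismatch: " + name)
    return problems

def build_sample(tamper=False):
    """Constructed sample package; all file contents are placeholders."""
    files = {SCRIPT_DIR + "updater-script": b'ui_print("sample");\n',
             SCRIPT_DIR + "update-binary": b"placeholder binary",
             "system/etc/security/cacerts.bks": b"placeholder keystore"}
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (n, b64sha1(b)) for n, b in files.items())
    if tamper:  # change a payload file after the digests were recorded
        files["system/etc/security/cacerts.bks"] = b"swapped keystore"
    files.update({SIG_FILES[0]: manifest.encode(), SIG_FILES[1]: b"placeholder",
                  SIG_FILES[2]: b"placeholder"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A clean result only shows that the archive is internally consistent; because the bundled sample key is unencrypted and shared, it says nothing about who produced the package.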