Flashing an OS image to your Android device
Introduction
I've recently started learning about the Android ecosystem from an architecture and security perspective. One of the first steps I took was to buy an old, used phone that I could root easily. I chose the OnePlus 7T, which came with Android 12 installed. Interestingly, the last official software release for this model was on August 12, 2022, with Android 11. I’m not sure why mine has Android 12, but since I plan to experiment with the system extensively (and will likely break it multiple times), it’s important to set up a baseline that I can reliably restore. Given that the Android 11 image is the latest official release available on the OnePlus website, it will serve as my baseline.
Initially, I wasn’t sure how to set up this baseline. Although the process is relatively straightforward, being new to this and finding most of the information aimed at more experienced users, I struggled at first.
The goal of this blog post is to provide a step-by-step guide on installing Android on the OnePlus 7T, in case you need to recover your device during your own exploration of Android architecture and security. While I’ll use the OnePlus 7T, I’ll try to present the instructions in a way that can be adapted for other devices. The focus will be on understanding the steps and their purpose, rather than just following a checklist.
Here’s what I’ll cover in this article:
- Downloading the software image
- Enabling OEM unlock
- Rebooting to the bootloader
- Unlocking the bootloader
- Flashing the software image
Get the right software
Depending on your phone model, there’s a good chance the build will be available on the vendor's website. For OnePlus devices, you can find the builds here.
After downloading the build, we’ll need to extract the boot.img file. To do this, you’ll first need a tool called payload-dumper-go, which you can download from this link.
payload-dumper-go payload.bin
This will extract all files into a new folder in the current directory, including the boot.img. The extracted boot.img is the image we’ll be flashing.
This step may vary depending on your phone model. For example, with the Samsung S9, you can use an application called Frija instead. Once started, we need to provide information about the model, CSC, and IMEI. This will then allow us to download the correct firmware for a specific Samsung phone.
The downloaded zip will contain a set of files that we'll then use to flash our Samsung S9 phone.
Avoid running any of these tools (except for Android Platform Tools) on your main OS. Instead, run them in a virtual machine (VM), as I can’t guarantee their safety. As with any application downloaded from the internet, exercise caution.
Unlock OEM
Warning: This will erase all data on your phone.
To flash a new OS image onto a device, we first need to unlock the bootloader. Historically, this has been challenging, as OEM vendors use it as a security measure to prevent modifications like the ones we’re attempting. However, this has changed over time, and many vendors now provide an option to unlock the bootloader.
The first step is to go to Settings > About Phone and tap the Build Number field several times. This enables Developer options, which is where the OEM Unlocking toggle lives. Note that this process may vary depending on your phone model or Android version. Below are some example screenshots from the OnePlus 7T.
In my case, OEM Unlocking was already enabled, and the bootloader was unlocked, so the option appears grayed out.
While we’re here, let’s also enable USB debugging:
This may look slightly different on other Android phones, but the process should be quite similar.
Reboot to bootloader
Before flashing the image, we need to reboot into the bootloader. On OnePlus devices, this is called Fastboot Mode. We can do this using adb:
adb reboot bootloader
The command should look as follows:
On the phone, you should see something like this:
Note that not all Android phones have Fastboot mode. For example, my Samsung S9 has something called Download Mode, where you can simply drag and drop files. The Download mode on Samsung should look like this:
Unlock the bootloader
Warning: This will erase all data on your phone.
Once in Fastboot mode, we can proceed to unlock the bootloader:
fastboot oem unlock
You should see a prompt on the phone screen with the option to lock or unlock the bootloader.
Once you confirm your choice, the bootloader unlock will proceed. The command should look as follows:
On the Samsung S9, to get past the equivalent lock (the RMM state), you’ll first need to flash TWRP and then use RMM State Bypass Mesa.
When downloading TWRP, make sure you select the version that is compatible with your device. You can find relevant references at the end of this article.
Flash the software image
To flash the image, run the following command:
fastboot flash boot boot.img
The command should look like this:
For the Samsung S9, instead of using Fastboot, you'll need to use a tool called Odin to flash both TWRP (as described above) and the stock firmware. Below you can see how this looks with Odin for the Samsung S9. As already mentioned, you can find relevant references for the Samsung S9/S9+ at the end of this article.
And that’s it! We’ve successfully flashed an Android OS onto our phone.
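As an added example (not code from the original post), here is a small POSIX shell script that strings the OnePlus steps above together with the checks a practitioner would want before touching the device: the download's SHA-256 against the value published on the vendor page, and the extracted boot.img's "ANDROID!" magic and header version. The payload-dumper-go -p/-o flags, the script name and the hash argument are assumptions.

```shell
#!/bin/sh
# Pre-flash checks for the OnePlus flow above (added example, not the post's own code).
# Assumed: payload-dumper-go accepts -p <partition> and -o <dir>; the expected
# SHA-256 is copied from the vendor's download page.

# Compare the download's SHA-256 with the vendor-published value.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Every Android boot image begins with the 8-byte magic "ANDROID!".
check_boot_magic() {
    [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "ANDROID!" ]
}

# header_version is a little-endian u32 at byte offset 40 in boot header v0-v4
# (od uses the host's byte order, so this assumes a little-endian host).
boot_header_version() {
    od -An -tu4 -j40 -N4 "$1" | tr -d ' '
}

# Extract, verify, then flash; refuses to touch the device if any check fails.
flash_boot() {
    zip="$1"; expected="$2"; out="${3:-extracted}"
    verify_sha256 "$zip" "$expected" || { echo "hash mismatch, refusing to flash" >&2; return 1; }
    mkdir -p "$out"
    unzip -o "$zip" payload.bin -d "$out" || return 1
    payload-dumper-go -p boot -o "$out" "$out/payload.bin" || return 1
    img="$out/boot.img"
    check_boot_magic "$img" || { echo "$img is not an Android boot image" >&2; return 1; }
    echo "boot.img header version: $(boot_header_version "$img")"
    adb reboot bootloader || return 1
    sleep 5
    fastboot devices | grep -q . || { echo "no device in fastboot mode" >&2; return 1; }
    fastboot flash boot "$img"
}

# Usage: sh preflash.sh <ota.zip> <sha256 from the vendor page> [outdir]
if [ "$#" -ge 2 ]; then
    flash_boot "$@"
fi
```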
Conclusions
As we've seen throughout this article, installing an Android system on your device can vary depending on the phone model. However, the process generally follows these universal steps:
- Get the software image
- Unlock the OEM
- Reboot to the bootloader
- Unlock the bootloader
- Flash the software image
Now that we have a way to recover our system to its original state, let's go ahead and try to break it.