Offensive Thinking

Internet Thoughtcrime

How to Add a chrooted Debian to Your ASUS Transformer

Posted: 2011-07-14

Update 30 November 2013

I got a friendly email from someone who found the article on archive.org. I was pretty sure I searched there, but apparently not thoroughly enough. Anyway, I’ve added it back to this post. The information in the next paragraphs is still valid though.


Today is 9 February 2013. This was once an article about how I installed Debian in a chroot environment on my ASUS Transformer back in 2011. Unfortunately, I seem to have accidentally removed this post at some point, so it got lost. I can’t even find it in my git repository, so I guess I must have written the article, forgotten to commit it to git, and then later, when at some point I removed the whole directory on the webserver to upload a clean version of the website, it got lost.

From today’s perspective, the old blog post is outdated anyway. I’m just putting this placeholder here because sometimes, a helpful soul follows an old link (the post was surprisingly popular) and cannot find the article, so they drop me an email.

In the process I also lost the scripts I wrote for running Debian on the Transformer, but luckily, somebody used the scripts as a basis for a more automatic installation and put it on github. I therefore recommend looking at his scripts instead of this blog post; I haven’t checked them myself, though. I’m not running Debian on my Transformer any longer, but if I want to know how things like this are done, normally the XDA Developers forum is a great resource, so go and see if you can find some more information there.

Oh, and sorry for the inconvenience.


Ye Olde Article

I bought an Asus Eee Pad Transformer these days. It has a keyboard dock, so I could finally convince myself why I’d need a tablet and that this one could also be used for creating stuff (like e.g. developing), not only consuming.

Of course, having Android (Honeycomb 3.1) running on the tablet is nice for couch surfing, but not for creating anything useful. So before buying the tablet, I at least made sure that it is possible to run Linux in any form on it.

Debian chroot

Fortunately, it is possible to run Linux (e.g. Debian) in a chroot environment. There are also people working on (and succeeding at) running Linux natively over at xda-developers, but that’s for another post if I ever go for the dual boot option (and those guys get all the kinks worked out).

This blog post will therefore describe how I run Debian in a chroot on my Transformer. I do own the keyboard dock, so if you want to follow this using only the tablet, I recommend installing Hacker’s Keyboard. Also, this is written for people with a modicum of Linux knowledge, so don’t expect me to explain what a chroot is.

Root your device

For the chroot to work, you first have to root your Transformer. I’m not going to describe this, as others have already done so; have a look at the xda-developers pages. I did it by first downgrading to a vulnerable Android 3.0 version and then using gingerbreak. After that, I upgraded to 3.1 and later flashed Prime! 1.5. YMMV.

Install a Terminal Emulator

This is easy. I’m using Terminal Emulator, but you may also try e.g. ConnectBot.

Optional: Map the dock’s “Back” key to Escape

This is not a requirement, but for me as a vi(m) user it’s an absolute must: The Transformer’s keyboard dock is not a full keyboard as on your normal netbook, but specifically designed for Android. Fortunately, this post describes how to remap the keys on the dock, so you can have the “back” key on the dock remapped to good ol’ “Escape”:

  1. Open the Terminal Emulator
  2. Become root by typing “su”
  3. Remount the read-only filesystem to be writable:

mount -o rw,remount -t yaffs2 \
      /dev/block/mtdblock /system

  4. Edit the file with the dock’s keymappings:

vi /system/usr/keylayout/asusec.kl

  5. Search for “BACK” and change it to “ESCAPE” (should be key 158)

Add a script to start your chroot environment

This is where all the neat stuff happens. I’ve based my script on the one that comes with Debdroid, as I originally tinkered with it. No need for all the additional stuff that comes with Debdroid though, and on the Transformer, their scripts do not work out of the box, so I had to rewrite them quite a bit to suit me.

Long story short, you can download the full script here.

  1. Put it under /system/bin/ to have it in your path. See the optional section about mapping Escape above on how to make the system partition writable.
  2. Set the permissions:

chmod 700 /system/bin/debdroid

You also need the Debian image to mount. I just took one from the Debdroid website, but you can of course use any other image prepared for being used in a chroot, or you can even prepare your own. In its default state, the script mounts it from /sdcard/debian/debian.img. Edit the config variables at the beginning to whatever you need.

First run of the chroot

Now it’s time to run the script for the first time. It will complain about the script “mnt_home” which it can’t find, but that’s ok for now. If everything went well, you’ll now have a root bash prompt before you. Welcome to your new Debian chroot :).

Next, we want to add a new user, as it is dangerous to always work as root, don’t we all know it:


adduser username
addgroup --gid 003 inet
usermod -G inet -a username

Why the new group? Well, Android seems to allow socket access only to users in the inet (gid 003) group. As we don’t have that group in our chroot yet, we have to add it manually. Then we need to add our user to it. ICMP (e.g., ping) will still not work, as you need raw sockets for that. But normal TCP connections should work now. I found out about this by reading this blog post. Root will of course still be able to do everything.

Optional but recommended: Encrypted home for your user

Honeycomb allows you to encrypt your tablet (see Settings → Location and security → Encrypt tablet). That functionality is currently broken, but as it uses dm-crypt, the kernel modules are there and fortunately functional. As I did not want my GPG and SSH keys I’m using in my chroot to lie around on an unencrypted hard drive, I worked around it by mounting an encrypted file as my home directory. Not very good performance-wise, but I gladly accept that for the added security.

Creating the encrypted file

First, we need a file that will hold the home dir. We start by creating a new file with dd. I recommend creating the file on another system, as it seems awfully slow on the Transformer, especially if you want to create a file not only containing zeroes, but with arbitrary content from /dev/urandom (for the really paranoid):


dd if=/dev/zero of=/home/home.img bs=1M count=500

The command above will create a 500MB file containing only zeroes under /home. Put the file where you want to, I think /home is fitting. Next, we mount this file to a loopback device:


mknod /dev/loop21 b 7 21
losetup /dev/loop21 /home/home.img

We need to create the loopback device first with “mknod”. Choose whatever number you want to, it doesn’t have to be 21. Just don’t try to recreate 255, that’s what we already use for the Debian image. Now we want to create a new crypted device with cryptsetup. First, install cryptsetup:


aptitude install cryptsetup

Let’s format our new device:


cryptsetup luksFormat /dev/loop21
cryptsetup luksOpen /dev/loop21 home-crypto
mkfs.ext4 /dev/mapper/home-crypto

Now you should have a new crypted device that you can mount on /home/username. My script mnt_home can do that for you automatically. Put it under /usr/local/bin to work out of the box with the debdroid-script from earlier (this is what caused the error message in the beginning, as we didn’t have that script yet). It’ll also unmount your home directory when you exit the chroot. Please edit the variables at the top of the script to suit your needs.
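
The mount and unmount steps from this section, collected into one script as an added example. It is not the mnt_home script this post refers to, nor anyone's project code; the function names and the DRY_RUN switch are assumptions, and with the default DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: a stand-in for the lost mnt_home script, not the author's code.
# Paths and names follow the article; DRY_RUN and function names are assumptions.
IMG=${IMG:-/home/home.img}          # file created with dd
LOOP=${LOOP:-/dev/loop21}           # loop node created with mknod
LOOP_MINOR=${LOOP_MINOR:-21}
MAPPER=${MAPPER:-home-crypto}       # name passed to luksOpen
MNT=${MNT:-/home/username}
DRY_RUN=${DRY_RUN:-1}               # 1 = print commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Attach the loop device, open the LUKS mapping, mount it. If a later step
# fails, undo the earlier ones so no half-open mapping is left behind.
home_mount() {
    [ -b "$LOOP" ] || run mknod "$LOOP" b 7 "$LOOP_MINOR" || return 1
    run losetup "$LOOP" "$IMG" || return 1
    if ! run cryptsetup luksOpen "$LOOP" "$MAPPER"; then
        run losetup -d "$LOOP"
        return 1
    fi
    if ! run mount "/dev/mapper/$MAPPER" "$MNT"; then
        run cryptsetup luksClose "$MAPPER"
        run losetup -d "$LOOP"
        return 1
    fi
}

# Tear down in reverse order. A non-zero status means the decrypted
# mapping may still be open (e.g. a process keeps $MNT busy).
home_umount() {
    run umount "$MNT" &&
    run cryptsetup luksClose "$MAPPER" &&
    run losetup -d "$LOOP"
}

case "${1:-}" in
    mount)  home_mount ;;
    umount) home_umount ;;
esac
```

Check the exit status of the unmount step before assuming the keys in your home directory are locked away again: if umount fails, the mapping under /dev/mapper stays readable.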

You should now be able to exit the chroot with everything being cleanly unmounted, and to enter it again by opening your terminal emulator and running “debdroid”. To use your new user, just do a “su username”.

Optional: Install tmux and tweak its config to allow usage of normal user

I’m a huge tmux fan, so I use it in my chroot. The only problem is, once I su to my new user, tmux won’t start in the su environment. There may be a better solution to this, but my current workaround is to start tmux as root and use the following extra directive in my .tmux.conf:


set -g default-command "su username"

This’ll automatically su to my user in every new window I create. Please contact me if you have a better way and I’ll add it to this blog post.

Optional: Add inputrc

I also had the very odd bug that after su’ing to my user, I couldn’t type the numbers “2” and “0” anymore. What fixed the problem was to add my favourite .inputrc (see the dotfiles section). Don’t ask me why, but it helped.

Conclusion

I hope the instructions I gave helped you to set up your own chroot environment. If you find any mistakes, please contact me so I can fix them.