Sunday, July 21, 2013

Learning about Android - Modify application data without root with Candy Crush

A few weekends ago, I went out to eat with my mom on a Sunday afternoon; while we were waiting to be seated she started to play the famous Candy Crush game on her phone. Within a few minutes I had it on my phone and was soon addicted.


If you have ever played the game, you soon realize that it can be fairly frustrating.  I started wondering whether it would be possible to change the saved game file.

However, I did not want to root my phone.  Every phone I have ever rooted has ended up giving me unrecoverable problems once the phone became unpopular and the developer community quit supporting it.


*** Disclaimer: All the information provided in this blog is for educational purposes only. The blog author is in no way responsible for any misuse of the information. I wanted to share what I have learned over the past few days because it was not as clear as it could have been. ***

The following is an overview of what I did on my Sprint Galaxy III using a Windows 7 machine.  This first post is a general overview; I will fill in the details in other posts to follow.


1) Find save game via SD Card ... fail

Once I arrived home, I plugged my phone into my computer via USB to see whether I could spot a saved game file on my SD card. There was nothing.


2) Find save game via internal memory through USB ... fail

The Galaxy has internal memory, so I tried to gain access to the phone data that way.  This caused some problems: when my phone was plugged into the computer via USB, the phone only asked me whether I wanted to connect as a "Media Device (MTP)" or a "Camera (PTP)".  Neither was what I wanted, and neither gave me access to the internal storage of applications.


3) Use ADB Shell ... fail

Android Debug Bridge (ADB) is the tool developers use to connect to the phone and perform tasks.  ADB Shell allows you to run shell commands on the phone.  My first pitfall was just getting ADB to see my phone.  You cannot simply plug your phone into USB and expect it to work.
  1. Download the Android SDK to get ADB.  Do not bother trying to obtain just the ADB binary; I had a lot of trouble with that approach, and you cannot verify where a stand-alone binary came from or whether someone has tampered with it.  It is cleaner and safer to download the SDK from Google: http://developer.android.com/sdk
  2. Get the USB driver for your phone.  I struggled for a long time getting ADB to use my phone because no one mentioned getting the correct driver for your phone.  In my case, I went to samsung.com, viewed products, found the model number under the phone's battery, and downloaded the driver directly from Samsung.
  3. Put the phone into debug mode.  Yes, if the phone is not in debug mode you will not get anywhere; this took me way too long to figure out.  For my phone, I went to Settings, Developer options, and enabled USB debugging.
  4. Plug the phone into USB.
  5. Launch ADB from a console.  Open a command prompt and type "adb" {enter} to make sure it resolves.  If you get a "file not found" error, set up your PATH environment variable.  If adb was found, type "adb devices" {enter}.  It should return a serial number showing that your device is connected.  If not, retrace your steps: maybe run adb as administrator, check the USB cable, the drivers, etc.
  6. Launch ADB Shell.  Type "adb shell".  This launches a terminal-like interface to your phone.  Now we can navigate around with the "ls" and "cd" commands.
  7. Navigate to data.  Applications on Android store their data under the data directory.  However, when I tried to list the directory using "ls", I received an access denied error.  This looked like a dead end.


4) Use ADB backup/restore ... pass

I ran into a great post about using the backup and restore functionality to get application data off of your phone (see the Links section at the end).  Using those techniques, and after two weeks of fighting with it, I was able to successfully back up the Candy Crush saved game, modify the backup, and restore the new data onto the phone.  I will write future articles explaining this in greater detail; however, the summary is the following steps:

The Backup:
  1. adb shell
  2. Get the app name. "pm list packages king" - searches for all packages whose name contains "king".  King is the developer of the Candy Crush game.  pm is the Android package manager; I am using it to look up the package name.  This returns "com.king.candycrushsaga".
  3. Get the data off the phone. "adb backup -f data.ab -noapk com.king.candycrushsaga" - this backs up just the data for the game to the file data.ab in the directory we launched adb from.  Yes, you can back up and restore a single application; you do not need to do your entire phone.  The -noapk flag tells adb to back up only the data and not the program itself.
  4. Agree to the popup on the phone asking whether to allow the backup.  Do not enable encryption.
  5. Install Cygwin to get the tools used by the next commands: openssl (built with zlib support), dd, tar, pax, etc.
  6. Decompress the backup. "dd if=data.ab bs=24 skip=1 | openssl zlib -d > data.tar" - I hope to do an entire article on these commands; but basically we are stripping the 24-byte backup header from the original data.ab file and running everything after it through openssl's zlib decompressor to produce data.tar.  (Nothing is actually decrypted here, since we did not enable encryption in step 4; openssl is only being used as a zlib tool.)
  7. Extract the backup. "tar -xvf data.tar"
  8. Create an exact list of files so you have a framework to repackage later. "tar -tf data.tar > fileList.txt"
The Restore:
  1. Repackage the tar. "cat fileList.txt | pax -wd > new.tar" - grabs every path listed in fileList.txt and builds a new tar file from them.
  2. Put the old header on the new file. "dd if=data.ab bs=24 count=1 of=new.ab" - takes the header from the original data.ab backup (the first 24 bytes) and writes it to a new file named new.ab.
  3. Recompress for the restore. "openssl zlib -in new.tar >> new.ab" - compresses new.tar and appends the result after the header in new.ab.
  4. Restore back to the phone. "adb restore new.ab" - run this from the Windows command prompt, not from inside adb shell; the header tells the phone what to restore and where.
  5. Check the logs. "adb logcat" - logcat is your friend in adb.  This will give you all the log messages on the phone; it is a lot to take in; however, it is your only tool for finding what could be going wrong.  When I first tried this, I was getting errors about the header; that is when I realized that I needed to copy the first 24 bytes of the original backup file onto the new one.
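To make the dd/openssl/tar steps above concrete, here is a Python script that does the same work on an in-memory backup: it parses the header at the front of the .ab file, decompresses and lists the payload (the tar -tf step), rebuilds the archive with one member's bytes replaced while keeping every member's name, order and metadata (what the fileList.txt/pax step protects), reattaches the original header, and then re-parses the result the way the restore side would, confirming that the header and the file list survived, which is exactly what the header errors in logcat were about.  This is example code added for this article, not code from the original post or from any of the linked tools.  The header layout (the lines "ANDROID BACKUP", format version, compressed flag and encryption algorithm, each newline-terminated, 24 bytes in total when unencrypted) is the format adb backup writes; the apps/<package>/ path layout, the file names and the "lives=3" content are constructed stand-ins, not taken from a real Candy Crush backup.

```python
import io
import tarfile
import zlib

# Header that "adb backup" writes in front of the compressed tar stream: four
# newline-terminated ASCII lines (magic, format version, compressed flag,
# encryption algorithm). With version 1, compression on and encryption "none"
# it is exactly 24 bytes, which is why the post strips it with "dd bs=24 skip=1".
MAGIC = b"ANDROID BACKUP\n"

# Constructed sample paths: real backups put each app under apps/<package>/, but
# the file name and contents used below are made up for this example.
PKG_DIR = "apps/com.king.candycrushsaga/"
SAVE_FILE = PKG_DIR + "f/save.dat"


def parse_header(ab_bytes):
    """Return (header_len, fields) for the four header lines at the start of a .ab file."""
    if not ab_bytes.startswith(MAGIC):
        raise ValueError("not an Android backup: bad magic")
    lines = ab_bytes.split(b"\n", 4)[:4]
    header_len = sum(len(line) + 1 for line in lines)
    fields = {
        "header_len": header_len,
        "version": int(lines[1]),
        "compressed": lines[2] == b"1",
        "encryption": lines[3].decode("ascii"),
    }
    return header_len, fields


def split_ab(ab_bytes):
    """Split a .ab file into (fields, tar_bytes): the "dd ... | openssl zlib -d" step."""
    header_len, fields = parse_header(ab_bytes)
    # The post's pipeline only works for unencrypted backups, so refuse anything else.
    if fields["encryption"] != "none":
        raise ValueError("encrypted backup (%s); back up without a password" % fields["encryption"])
    payload = ab_bytes[header_len:]
    tar_bytes = zlib.decompress(payload) if fields["compressed"] else payload
    return fields, tar_bytes


def list_members(tar_bytes):
    """Equivalent of "tar -tf data.tar > fileList.txt"."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def read_member(tar_bytes, name):
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return tf.extractfile(name).read()


def edit_member(tar_bytes, name, transform):
    """Rebuild the tar with one member's bytes replaced by transform(old_bytes).

    Member order, names and metadata are kept: the restore side expects the same
    layout it backed up, which is what the fileList.txt/pax step in the post protects.
    """
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as src, \
            tarfile.open(fileobj=out, mode="w:") as dst:
        for member in src.getmembers():
            data = src.extractfile(member).read() if member.isfile() else None
            if member.name == name:
                data = transform(data)
                member.size = len(data)  # size must match the new content
            dst.addfile(member, io.BytesIO(data) if data is not None else None)
    return out.getvalue()


def join_ab(original_ab, tar_bytes):
    """Reattach the original header and recompress: the "dd count=1" and "openssl zlib >>" steps."""
    header_len, _ = parse_header(original_ab)
    return original_ab[:header_len] + zlib.compress(tar_bytes)


def make_sample_ab():
    """Constructed .ab file standing in for the real data.ab; not a genuine game backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in [
            (PKG_DIR + "_manifest", b"constructed manifest placeholder\n"),
            (SAVE_FILE, b"lives=3\nlevel=42\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())


def roundtrip_demo():
    """Backup -> edit one file -> restore-ready .ab, reporting what was preserved."""
    original = make_sample_ab()
    fields, tar_bytes = split_ab(original)
    new_tar = edit_member(tar_bytes, SAVE_FILE,
                          lambda old: old.replace(b"lives=3", b"lives=5"))
    new_ab = join_ab(original, new_tar)
    # Re-parse the rebuilt file the way the restore side will see it.
    new_fields, new_tar_bytes = split_ab(new_ab)
    hl = fields["header_len"]
    return {
        "fields": fields,
        "header_unchanged": new_ab[:hl] == original[:hl] and new_fields == fields,
        "members_unchanged": list_members(new_tar_bytes) == list_members(tar_bytes),
        "new_save": read_member(new_tar_bytes, SAVE_FILE),
    }


if __name__ == "__main__":
    for key, value in roundtrip_demo().items():
        print(key, value)
```

Two design points carry over to the real commands: the header is parsed by its newline-terminated lines rather than by a hard-coded 24, so an encrypted backup (longer header, algorithm other than "none") is rejected up front instead of producing garbage after the zlib step, and the archive is rebuilt member by member so the restore receives the same file list it produced.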

Now What?
Once I had the backup on my system, I was able to dig through the extracted files with a hex editor.  I was originally going to post more information about this, but I decided it would be borderline unethical, so I removed the content.  After all, this is meant as an educational post.


Links:
http://blog.shvetsov.com/2013/02/access-android-app-data-without-root.html
http://www.linuxquestions.org/linux/answers/Applications_GUI_Multimedia/How_To_Do_Eveything_With_DD
http://sourceforge.net/projects/adbextractor/files/perl/
http://developer.android.com/tools/help/logcat.html
http://www.angrybirdsnest.com/how-to-back-up-angry-birds-progress-on-android-rooted-and-non-rooted/#backup-new
http://gphonefans.net/forum.php?mod=viewthread&tid=158418
http://www.openssl.org/docs/apps/enc.html

Monday, July 1, 2013

First Post

Wow, you found the first post! I am starting a series of blogs in an attempt to share information I have learned from tedious tasks. I have many hobbies, and posting information about all of them in one blog would confuse many, many people; therefore, I am creating separate "Johnny" blogs to highlight coding, music, housework, video, etc. I have been a professional software developer since 2006. I do not claim to be an expert; that is not what this blog is about. This blog is about overcoming obstacles and sharing my insight where I did not find a clear explanation already published. Many topics are well written about in great detail; I am not competing with those articles. I am mainly concerned with the topics that get little discussion, or topics where everyone just assumes you should know the answer. I am a C# developer at heart; however, I have no fear of diving into any code.