Chapter 4: Rooting and Installing a Custom Recovery

In this chapter:

• Exploits and how to use them

• Hacking utilities

• Recovery mode

• Using the ClockworkMod recovery application

• Backup and disaster recovery

An exploit takes advantage of a known vulnerability to allow the Android user the ability to increase his or her level of privilege and access root. Most exploits are found during the bootstrap process covered in Chapter 1. They are discovered by experienced Android or Linux developers and programmers who dream in binary and live on energy drinks alone. When they find a crack in the lockdown that original equipment manufacturers (OEMs) and carriers place on devices, they release the knowledge of the vulnerability and, possibly, an exploit that enables less experienced or less skilled hackers and developers to utilize the vulnerability.

How to Use Exploits

Many of these benevolent hackers release their aids on the XDA forums or other Android community sites. This enables the next level of Android hacker to play with the process for freeing devices from OEM and carrier tyranny. An exploit might be packaged and released by a developer.

One of my arguments for low-touch or one-click rooting methods is that they are just a continuation of this thought process. Most of the people who disdain the one-click root method would be totally lost if asked to exploit the ASHMEM vulnerability that enables many of the root processes that are available today. Luckily for the scoffers, Scott Walker created the psneuter utility that enables us to take advantage of that vulnerability. Just because something is outside your skill set doesn’t mean you shouldn’t have access to the benefits and freedoms it brings.

Exploits can be released to the Android community as scripts, utilities, applications or image files depending on the type of vulnerability being exploited. I consider each of these types of release in this section.

Exploit Scripts

A script is a set of commands that can be run with a single command. A script can be composed of commands and parameters or native code.

An Android developer or hacker who finds a vulnerability or loophole in a device configuration can package up the commands and procedures necessary to exploit it in a script. Using scripts from other Android hackers and developers makes the process of hacking into an Android system much easier. Most OEM-locked devices are eventually hacked with some sort of script or application to exploit a known vulnerability.

Scripts are useful far beyond just hacking. You can create scripts and run them from the ADB shell or an Android terminal application.

A terminal application allows you access to the Android command shell from the phone itself. Terminal applications can be difficult to use because of soft keyboard idiosyncrasies.

Creating a Script

The script shown here is a simple example for demonstration purposes. It may work only if you are already rooted and have superuser permissions.

1. Enter the commands in Listing 4-1 into a simple text editor, such as Notepad. (Note that these commands are explained in Chapter 3.)

2. Save the file as backup.script on your local computer.

3. From a command prompt, enter the following command to move the script to your device:

adb push backup.script /data/local/tmp/backup.script

4. Enter the following command to make the script executable:

adb shell chmod 0775 /data/local/tmp/backup.script

Listing 4-1 A simple script

mkdir /sdcard/mybackups

cp /data/* /sdcard/mybackups

cat /system > /sdcard/mybackups/system.img

echo Data and System partitions are backed up

Running a Script

1. Open the ADB shell and navigate to the /data/local/tmp folder.

2. Run the script by entering the following command:

./backup.script

The commands in the backup.script file run sequentially and carry out the following actions:

a. Creates a backup folder on the SD card.

b. Copies everything from the data folder to the mybackups folder.

c. Concatenates the system folder to an image file in the mybackups folder.

d. Tells the user that it has finished running its commands.

Exploit Applications

An application is a program created from native code and compiled to run on the Android platform. Creating clean, effective and safe exploits that run as native applications is significantly more difficult than creating scripts. The developer must clearly understand the vulnerability being exploited, and must also be sure that the exploit does not have undesired results. Because users cannot read the code to see what it does, a good deal of faith must be placed in the developer’s abilities. The Android community of hackers are a close-knit and friendly group but nobody likes having their toaster explode from running a rogue exploit on their phone.

You can see by looking at Listing 4-2 that exploit applications are significantly more complex than scripts. The code in Listing 4-2 is from the psneuter utility by Scott Walker, which has been used to gain temporary root access to the Droid Pro and many other devices. There are more than a hundred such lines of code in the utility. It is written in native C code and thus it is more of a full, although very small, application than a script. The temporary root access provided by this script is all the toehold needed to run BusyBox commands and write to privileged areas of the Android file system.

Listing 4-2 Part of the psneuter Utility

fdStr = workspace;

if(strstr(workspace, “,”))

    *(strstr(workspace, “,”)) = 0;

else

{

    fprintf(stderr, “Incorrect format of

      ANDROID_PROPERTY_WORKSPACE environment

      variable? ”);

    exit(1);

}

szStr = fdStr + strlen(fdStr) + 1;

fd = atoi(fdStr);

sz = atol(szStr);

if((ppage = mmap(0, sz, PROT_READ, MAP_SHARED,

fd, 0)) == MAP_FAILED)

Custom scripts and code can also apply themes and interface customizations that developers put together for the community of Android users.

Using a Script or Application on a Device

Any time you see someone refer to a file as a script or say that a file should be executed from the device, you will follow these steps:

1. Push the file to an area of the file system, such as /data/local/, that can run privileged scripts.

2. Change the permissions on the file to make it executable, using the following command:

chmod 0775 <file name>

3. Run the executable from the ADB shell or a terminal window with the following command:

./<path>/<file name>

These steps will almost always remain the same, though the location that the file should be pushed to and run from may change.

Z4Root, shown in Figure 4-1, is an example of an application that actually roots while being installed on the device it is rooting. It is a clever and useful piece of programming that does all of the hard work in rooting a device. After installing the Z4root application on your Android device, you run it, click the Root button and all the rooting happens automatically.

Figure 4-1: The Z4Root application

As with any hacking activity, you take a great deal of responsibility on your own head when you run scripts or applications. Make sure that you either know and trust the developer or that you are willing to accept the consequences of doing damage to your device. You can also lose privacy if the application or script is rogue and harvests passwords from your device.

Hacking Utilities

Developers in the Android community frequently compile or create applications that can run on your local computer. They either make hacking your Android device easier or are central to a particular exploit. Sometimes the utility is coded up and created by a skilled developer and sometimes it is “scrounged up” from “leaked” sources at the OEM.

OEM Tools

OEM tools are developed by the manufacturer or by a third party for the manufacturer. These tools are used in service centers. For example, RSD Lite is used worldwide at Motorola service centers to install Motorola-signed images on specific Motorola devices.

OEM tools are usually software utilities that can take a complete system image or disk image and write it to the boot loader or file system across the USB cable connection. Examples of such utilities are the NVFlash utility for most devices using NVIDIA’s Tegra system on a chip and the RSD Lite utility for some Motorola devices. Using an OEM tool usually requires looking up the instructions on the XDA forums or another Android community site and following them to the letter. Most of the time, the tools have fairly crude interfaces and little or no documentation.

Developer Utilities

Custom utilities from the Android developer community are of mixed quality and ease of use. Some of them are veritable one-click solutions while others perform a single function, such as replacing the user interface or adding other customizations.

Image Files

An image file is a bit-by-bit copy of a partition (the operating system with kernel, bootloader, recovery, and so on). An image file allows the state, files, permissions and structure to be written to a piece of memory or file system and perfectly replicate the system from which it was taken. One of the uses of image files is to restore a device to the state it was in when it left the factory. In the case of a bricked device, flashing with a known compatible image file is usually the only way back to a fully functional device (see the “Backup and Disaster Recovery” section).

Sometimes the only way to root a locked device is to grab an image of a rooted developer device (one released to an OEM partner for early development) and write it to the locked device’s file system. On some devices, the developer does the difficult work in the Android system, changing permissions and installing a different Linux kernel. The developer then wraps this creation in an image file that can be flashed to a non-developer device using an OEM utility or an Android SDK tool, such as Fastboot. In one fell swoop, the device is rooted and prepared for customization.

The Xoom is an example of an (unlocked) device that requires this method. The Xoom was quickly rooted by Koushik Dutta and the boot image file that he released to the community quickly became the basis of much customization and other Xoom root tools and methods. Because the Xoom was unlocked, its bootloader was easily overwritten with the custom image file using the Android SDK Fastboot tool.

Much of the really difficult work in hacking and rooting a device is done by developers and released to the community in the form of scripts, utilities, applications and image files. All the average user needs then is the skill set to apply those tools.

Recovery Mode

When your Android device starts its boot-up process, it pulls the bootloader from its storage area and starts the process of loading the Android operating system. By pressing a combination of buttons during the boot process, you can divert the boot into recovery mode. The buttons used to boot into recovery mode vary among devices but the combination of the power button and one of the volume buttons usually forces the device into recovery mode.

What Is Recovery Mode?

Recovery mode is an external micro operating system that is used to apply official updates. The default recovery mode looks on the SD card for a file called update.zip. When the file is found, it is (usually) checked for a signature to see if it is an update that can be safely applied to the Android operating system. If the signature matches that of the manufacturer, then the file system changes contained in update.zip are applied and the phone is rebooted.

Some default recovery modes also provide the added option of booting into a maintenance mode for clearing the data cache or resetting the device to factory condition.

The recovery system is sometimes contained in its own NAND file system; on other devices, it is just a partitioned location in the overall NAND memory that stores the Android file system. The difference is negligible as writing to the recovery system requires root level access and sometimes it can only be replaced with an external flash process. For most recent devices however, a custom recovery can be installed from the Android operating system once root status is attained.

Make It All So Easy: Get A Custom Recovery!

Custom recovery processes go far, far beyond the capability of the default recovery mode. They remove the need for signed or verified updates, so you can install unofficial updates that are released long before OEMs and carriers release updates. Custom recovery processes also provide the ability to completely overwrite the existing Android operating system and firmware. This allows for a custom Android installation and updating or upgrading radio firmware to eliminate OEM bugs or increase capability.

One of the single greatest capabilities provided by a custom recovery process is the ability to do a complete or partial system backup. Backing up the applications, application data and Android file system gives a huge insurance policy to the Android hacker.

External complete backups are often called NANDroid backups because NAND memory is used to store the files that contain the Android file system.

The two most popular custom recovery applications are ClockworkMod and Amon Ra, but they are by no means the only recovery applications available.

There are several ways that a recovery application can be installed. Most devices will accept installation by RomManager or by an update file. You should look up your particular device on the XDA forum to see what others have determined as the best way to install a custom recovery application.

Installation via RomManager

ClockworkMod recovery is installed most easily using the RomManager application by Koushik Dutta. The RomManager application detects the device on which it is installed and decides where and how the recovery can be written. The ease of installing ClockworkMod has made it one of the most widely used recovery applications.

You can also use RomManager to install Amon Ra recovery by selecting the “alternate recoveries” option. You can use any downloaded recovery as an update and use ClockworkMod to select the downloaded zip file as an update.

Installation via update file

Some devices recognize a specially named zip file placed in the root of the SD card. When they are rebooted, they automatically install the update contained in that file. After downloading the desired recovery application, you can rename its zip file and place it on the SD card to be recognized as an update.

Using ClockworkMod Recovery

This section discusses the functions available in the ClockworkMod recovery. Familiarity with these functions will allow you to manage your device with greater peace of mind.

The initial screen of ClockworkMod is shown in Figure 4-2. You can highlight the functions by navigating up and down using the volume up and down keys. On most devices, the power button is used to select a highlighted item (on the Nexus One, you click the control ball). To navigate back from a submenu, the back arrow button or softkey is usual. A few seconds’ experimentation usually reveals the navigation buttons.

The following sections discuss each option shown in Figure 4-2. Those with a submenu are discussed in more detail.

On certain devices, ClockworkMod has a +++Go Back+++ option at the bottom of each submenu.

Figure 4-2: Initial screen of the ClockworkMod custom recovery

Rebooting the Device

When the “reboot system now” function is selected, the system performs a normal reboot.

Updating a Device from the SD Card

When an official update is released for an Android device, it usually comes as an update.zip file that is automatically applied when the device is rebooted. Some devices can only apply updates in this way.

The “apply update from sdcard” function looks on the SD card for a file called update.zip and applies it. You can apply any update to the file system by renaming the file to update.zip and selecting this option. Instructions for using this method are often specified with updates from the XDA forum.

When you select this function, you are presented with ClockworkMod’s safety selection feature (see Figure 4-3). You have to scroll down through a series of “No” options before you get to the “Yes” option. This makes sure that you do not do something dangerous or potentially destructive to your device without being aware of what you are doing. There is little possibility of accidentally selecting a destructive option.

Figure 4-3: The ClockworkMod safety screen

To complete the action, you navigate to the “Yes” option and then press the selector key.

Resetting a Device to Factory Condition

The “wipe data/factory reset” function (Figure 4-2) completely wipes the /data and /cache partitions of the device. This is destructive: it removes all user applications and data and changes the options back to factory settings. All customizations and data are removed from the device. This is the last resort for use in cases where a device is exhibiting consistent failures, force closes or is stuck in some kind of error loop. However, contrary to what the name implies, resetting a device does not restore the /system partition to its original state. This can only be accomplished by flashing an update.zip or executing a NANDroid restore.

Wiping the Cache

Wiping the cache is less destructive than wiping the data and can usually be done without any damage to installed applications or user data. However, you should back up your file system before running the “wipe cache partition” function (Figure 4-2). If your phone seems slow and buggy, try this function before resetting the device to factory condition. Sometimes, removing cache data resolves an error state or issues with forcible closing.

This function presents you with the safety selector screen (see Figure 4-3). Select the “Yes” option to wipe the cache.

Installing a Zip File from the SD Card

The “install zip from sdcard” function (Figure 4-2) is similar to the “apply update from sdcard” function. The update function always looks for a file named update.zip in the root of the SD card. The “install zip from sdcard” function enables you to select any zip file and specify how it is applied.

When you select this function, a submenu appears, as shown in Figure 4-4.

Apply <Zip File>

The file named in the apply option depends on the zip file you select using the navigation function. The default file name is /sdcard/update.zip. If you navigate to a file called myupdate.zip, the first item on this menu becomes apply /sdcard/myupdate.zip.

Figure 4-4: The ClockworkMod install from SD card options

Choose Zip

The “choose zip from sdcard” option allows you to navigate through the file and folder structure on your SD card to locate a zip file. Custom themes and device customizations frequently come as zip files. You use this option to select the file and the “apply” option to apply it.

Toggle Signature Verification

The “toggle signature verification” option allows you to specify that the device should check the selected zip file for a “signature”. Most zip files from the OEM or carrier will be signed, as will many ROMs. You should leave signature verification enabled as sometimes this will stop corrupted ROMs from flashing.

Toggle Script Asserts

The “toggle script asserts” option is seldom utilized. It allows or prevents the execution of script commands embedded in a zip file. Most zip files simply update or replace files in the file system. A zip file with embedded scripting can change or alter device settings. Turning off script asserts disables scripting embedded in the zip file.

Backing Up and Restoring a Device

The “backup and restore” function of ClockworkMod (Figure 4-2) is perhaps the most useful and desired item. Backing up data from inside the Android operating system, even on a rooted device, is a complex operation. ClockworkMod can back up all files, applications, settings and data in one operation. The backup file is stored on the SD card where it is mostly safe from any customizations or hacks. This makes for a safety net that is of great value. Periodically backing up using ClockworkMod is a good idea even if you are not an active customizer and hacker. Corruption or data loss from misbehaving applications can be fixed by restoring from a known good backup.

When you select the “backup and restore” option, a submenu appears, as shown at the top of Figure 4-5.

Backup

Selecting the backup option immediately starts backing up your device. While the backup process is running, a progress list is displayed (see Figure 4-6).

The backup file is placed on the SD card in the /sdcard/clockworkmod/backups folder with the date as the file name. This enables you to distinguish among multiple backup files.

Figure 4-5: The ClockworkMod backup and restore options

It is important that you remove older backup files from time to time. Having too many backup files on your SD card can quickly use up available space. Backup files can be deleted using any file explorer utility, such as ES File Explorer or Root Explorer.

When the backup is complete, you are returned to the “backup and restore” submenu.

Figure 4-6: A ClockworkMod backup in progress

Restore

When you select the restore option, you are presented with a list of all the backup files in the /sdcard/clockworkmod/backups folder. Use the selection keys to navigate to the file from the desired date and select it to start the restore process. ClockworkMod shows a progress bar while the process is running and a completed message when it ends.

Advanced Restore

The “advanced restore” option allows you to select a particular backup file, again based on the date, and then restore only certain parts of the backup. When you have selected a backup file, you can choose to restore any of the boot partition, the system partition, the data partition, the cache or the sd-ext partition.

Be careful about restoring just one partition unless you know why you are doing it. Partitions usually have related and dependent data. If you restore a data partition that refers to content in the system partition that doesn’t exist, it can cause flaky behavior or can lock up your device. In that case, you would need to boot to your recovery partition using the hardware key combination and restore a complete backup.

Mounting Partitions and Managing Storage

The “mounts and storage” function (Figure 4-2) allows you to manage the mounting of the partitions for various hacking activities, such as copying files to and from the SD card or data folder via your USB cable. You will not generally mount or unmount partitions but it allows you to access the SD card while in ClockworkMod and can be very useful.

This function also allows you to format the system partition, the data partition, the cache, the boot partition, the sd-ext partition and the SD card. Formatting involves completely wiping the partition or card and should not be done unless you have a specific reason. If you format any of the partitions and do not restore the contents of that partition, your device will not boot.

Advanced Functions

When you select the “advanced” menu item from the main ClockworkMod screen (Figure 4-2), a submenu appears, as shown in Figure 4-7. These functions are generally unused except for specialized activities.

Figure 4-7: The advanced options from the ClockworkMod main menu

Reboot Recovery

This option allows you to reboot the device and return to the recovery process.

Wipe Dalvik Cache

This option allows you to wipe only the virtual machine cache. This can be useful if you have an application that works fine for a while and then suddenly refuses to work at all, closes constantly or exhibits other odd behavior. This is a fairly low-risk option.

Wipe Battery Stats

The “wipe battery stats” option allows you to clear the statistics about battery usage and charge. There is some belief that this can help Android accurately judge recharge and usage control mechanisms. This is generally not true—it only removes historical data from your device. Unless a thread in the XDA forum gives a good reason for removing them from your device, the battery statistics should be left alone.

Report Error

If you get an error while using ClockworkMod, you can use this function to write the error to a log file stored at /sdcard/clockworkmod/recovery.log. You can then send the log to Koushik Dutta’s team for troubleshooting. When ClockworkMod opens and detects that an error has occurred in a previous recovery session, you receive a pop-up notification asking if you want to report the error.

Partition SD Card

This option allows you to divide your SD card into different partitions. This is a destructive activity that erases all of the contents of your SD card. Only use this option as the result of direct instructions from a how-to guide for your device. For example, some devices can experience a performance boost if they have a large swap partition on the SD card.

Fix Permissions

Every Android application runs as its own user ID. In order to make sure that each application cannot modify any other application’s data, the appropriate permissions must be set for each application’s space in the /data partition. The “fix permissions” function reads through /data/system/packages.xml and sets the permissions accordingly.

However, this option does not always yield the intended results and may in fact cause the very application force close problems it is intended to fix. Only run the “fix permissions” option as a result of specific instructions to resolve specific issues. Some how-to guides refer to “running a permissions fix”— this is the option that achieves it.

Backup and Disaster Recovery

In the course of hacking an Android device, it is entirely possible that at some point you will have a moment of panic as a device does not reboot correctly or it appears that you have lost all your data.

Most of the user-created data, such as pictures, documents and downloaded files, are stored on the SD card and are relatively safe from hacking activities that write to and from the system partition. However, you should assume that any hacking or exploration activities could result in the loss of all data.

It’s a good idea to connect your device to your computer and copy all the data on the SD card to your computer before starting hacking or exploration. Most recent devices default to “mass storage mode” when connected to a computer. In other words, the SD card is mounted as an accessible drive from your computer’s file system manager (for example, Windows Explorer). Copying the contents of your SD card to a folder on your computer will make sure that you don’t lose those cute pictures of the kids or the applications you have downloaded from the Web.

To restore such a backup, simply connect your device to your PC and copy all the files and folders back to the SD card.

Precautions for Success and Data Recovery

The best activity to ensure success when hacking is to read more and do less:

• Before starting a process, read the entire thread dedicated to it on the XDA forum.

• Read all of the instructions in a rooting or flashing procedure before plugging in your phone and then read them all again.

• If instructions from a developer mention tools or commands with which you are not familiar, read up on those commands and tools by searching the XDA forums and Google.

• Take special note of people who have messed up before you and what their recovery options or successes were.

Once you have achieved root and installed a custom recovery application, make regular backups using a reliable backup application and the custom recovery application.

The Internet is full of Android geeks willing to assist you if they think you have tried to educate yourself first by reading and searching. It is always better to ask “How do I do X with Y tool on a device that is like Z?” rather than to ask “How do I root my phone?” Having a thick skin is helpful on the Internet as well. Not all geeks have the best social skills and it can show in brusque answers to questions. Maintain your cool, ask your questions intelligently and you will undoubtedly receive the help you need.

Backing Up Applications

Applications that you downloaded from Google Play are automatically restored when you select the “My Apps” button and individually restore the applications. This function is somewhat finicky—most, but not all, purchased apps auto restore, as do certain free ones.

In essence, Google Play keeps track of your purchases and restores automatically at least those applications. On some devices, all of my applications, including free applications downloaded from Google Play, have been restored automatically after a factory reset

If you connect your device to a computer and back up the SD card, it does not necessarily copy the application data. Most productivity applications, such as text editors, office applications and art or media applications, store created files on the SD card in a documents folder or in a folder of their own. Copying everything on the SD card including folders will back up the data from these applications.

You lose all of your application data when an application is removed and replaced. In other words, your progress through “Angry Birds” is not restored even if the application is automatically restored after a device wipe. Backing up user data is one of the primary reasons that root access is so desirable.

Backing Up Through a Recovery Process

When you first achieve root and are able to install a custom recovery application (whether ClockworkMod or another recovery application), you should immediately boot into that recovery process and do a complete backup of your device.

A backup created by a recovery process is a point-in-time backup—it captures the state and data of your device at a particular time. All the applications, application data, user data and system files are backed up. This is the best option for backing up to protect against disaster with hacking.

However, there may be items you want to back up or restore without completely reverting your entire device to a particular point in time. Application-level backups and restores are one of the benefits of being rooted.

Backing Up Through an Application

Applications such as Titanium Backup allow you to specify an application to be backed up. The application can be backed up along with any related data. This allows for specific applications to be restored in the case of them being accidentally removed or having an issue.

When a particular application stops working, you may not want to revert all of your applications to the latest system-level backup. Titanium Backup, and other such applications, allow for individual management of applications. They also allow for nifty manipulation, such as moving applications to the SD card, removing applications completely and cleanly, and scheduling backups. Having a scheduled process that regularly backs up applications, application data and system data will save you a headache when you eventually brick your device.

What Happens if It Goes Really Wrong?

In the process of attempting to obtain root, it is possible that at some point you will make a mistake and your phone will not boot correctly. There are two generic categories of “broken” when it comes to Android devices:

• Softbrick means that the device will not boot completely into the Android operating system but will boot to recovery or bootloader and Fastboot. Any condition that keeps the device from booting correctly but leaves it with the possibility of being flashed and recovered with correct image files is a “softbrick” condition. The most common symptom of a softbricked device is known as a bootloop (a condition in which the device partially boots over and over).

• Hardbrick, on the other hand, refers to an incapacitated device that is unrecoverable through normal means. Generally, hardbricked devices require specialized hardware methods available only to the OEM to fix, and are characterized by the device not booting at all or bootlooping in a way that prevents commands being sent via ADB or Fastboot.

How your device behaves in each case is very dependent on the device. The procedure to follow in those blind-panic-stricken moments following something going wrong is as follows:

1. Don’t panic. Seriously, don’t panic. Panic can induce you to attempt the same flawed procedure that bricked your device in the first place. Generally stop and walk away from the device for a minute or two then proceed to the next step.

2. Remove the battery, if possible. Pull the battery out carefully, replace it and see if the device gets any further in the boot process.

On some tablet devices, pulling the battery out is not possible. There is generally a physical key combination (for example, the power button and the volume up and down buttons) that simulates pulling the battery. Press and hold the buttons for a few seconds to see if the device resets and starts booting correctly.

3. Attempt to force the device into recovery or bootloader mode. Look up the key combination for resets and recovery mode.

4. Use the XDA forums and Google to educate yourself on unbricking procedures for your device. If you can find no reference to unbricking your device, post a non-panic-stricken message in the XDA device forum that lets developers know what you were doing when the disaster occurred.

The recovery options available differ depending on what the bricked device will do and to which commands it will respond. If the device can boot into recovery mode, an update.zip file or a complete image file can be used to rewrite all the system partitions. In this case, a backup of the device could also be restored. This is why the first step after installing a custom recovery process should be to do a full backup from the recovery.

If the device can boot into bootloader, it may be possible to use Fastboot commands to reflash the system and boot partitions. Search on the XDA forum for posts that contain the required files and instructions. Generally speaking, if a device can be made to boot into Fastboot, it can be recovered.

Some devices can be recovered using OEM or developer tools (for example, RSD Lite for older Motorola phones and ODIN for Samsung devices) to flash image files to the correct partitions. Instructions for using these tools and the files for flashing will be found in the appropriate XDA forum for the device.