My employer graced me with an awesome new flagship Android handset, the AT&T variant (SGH-i747 / d2att) of Samsung’s Galaxy S III. The hardware is powerful and sleek, but I find Samsung’s Touchwiz UI skin less usable and much less attractive than Google’s AOSP UI. Luckily, there are many AOSP-derived versions of Android available. Let’s switch to one!

In celebration of the stable release of Cyanogenmod 10.0, a popular AOSP-based third-party version of Android, here’s a complete guide to take an unmodified i747 to CM10 without tripping the device’s internal flash counter.

Preparation

Install the Android SDK on your computer. This guide assumes you have the platform-tools directory in your PATH environment variable, such as PATH=$PATH:/Applications/android-sdk-macosx/platform-tools. You will use adb, the Android Debug Bridge, to control and communicate with your handset from your computer over USB.

Enable USB debugging on your handset in System Settings under the Developer Options section. Connect the device to your computer, and you should be able to see your device listed in the output of adb devices.

adb devices
List of devices attached
28108e4e device

NVRAM backup

Before continuing, trigger your device’s built-in method to back up the IMEI and carrier identification data stored in NVRAM. This will copy the contents of the modemst1 (mmcblk0p12) partition to fsg (mmcblk0p21) and the contents of modemst2 (mmcblk0p13) to backup (mmcblk0p20). The data in these partitions identifies your device to its mobile network for data service and can be lost as one result of a bad flash.

adb reboot nvbackup

Your device will reboot and display two lines of small blue text momentarily as the backup commences. The process takes no more than a few seconds. Should you ever need to restore, run adb reboot nvrestore. Do not attempt an nvrestore if you haven’t performed your own nvbackup or you will find your IMEI overwritten with the all-zeros factory backup.

Obtain root

Most other SGS3 root guides involve flashing a modified OS image with Samsung’s ODIN flasher. Running ODIN was a fantastic frustration on my Macbook, so I prefer this debugfs method originally covered on XDA-Developers. This exploit works by symbolically linking the /system partition’s block device to a temporary location and editing the filesystem with the debugfs ext filesystem debugger to inject the su binary into that otherwise-protected partition.

Download the archive, extract it, then use adb to move the debugfs and su binaries to the /data/local/ directory on your device.

adb push /Users/nicolereid/Downloads/debugfs_su/debugfs /data/local/
adb push /Users/nicolereid/Downloads/debugfs_su/su /data/local/

Open a shell on your device. Commands executed inside the adb shell run on your handset.

adb shell

Inspect the available block devices to make sure we’re operating on the correct partitions. system should mount from mmcblk0p14 and recovery from mmcblk0p18.

shell@android:/ $ ls -al /dev/block/platform/msm_sdcc.1/by-name
lrwxrwxrwx root root 1970-02-07 01:11 aboot -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 1970-02-07 01:11 backup -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 1970-02-07 01:11 boot -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 1970-02-07 01:11 cache -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 1970-02-07 01:11 efs -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 1970-02-07 01:11 fota -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 1970-02-07 01:11 fsg -> /dev/block/mmcblk0p21
lrwxrwxrwx root root 1970-02-07 01:11 grow -> /dev/block/mmcblk0p23
lrwxrwxrwx root root 1970-02-07 01:11 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 1970-02-07 01:11 modemst1 -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 1970-02-07 01:11 modemst2 -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 1970-02-07 01:11 pad -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 1970-02-07 01:11 param -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 1970-02-07 01:11 persist -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 1970-02-07 01:11 recovery -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 1970-02-07 01:11 rpm -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 1970-02-07 01:11 sbl1 -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 1970-02-07 01:11 sbl2 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 1970-02-07 01:11 sbl3 -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 1970-02-07 01:11 ssd -> /dev/block/mmcblk0p22
lrwxrwxrwx root root 1970-02-07 01:11 system -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 1970-02-07 01:11 tz -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 1970-02-07 01:11 userdata -> /dev/block/mmcblk0p15
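
One way to automate this check before writing to any block device, as an added example that is not part of the original guide. The function names and the EXPECTED list are assumptions of this sketch; the two device paths are the ones this guide states. It runs on the computer, takes the by-name listing as text, and tolerates the carriage returns some adb versions append to shell output.

```sh
#!/bin/sh
# Added example: refuse to continue unless the by-name symlinks match
# the layout this guide expects for the SGH-i747 (d2att).

# Expected name=device pairs, taken from the guide's text.
EXPECTED="system=/dev/block/mmcblk0p14 recovery=/dev/block/mmcblk0p18"

# resolve_partition NAME: reads an `ls -al` listing on stdin and prints the
# symlink target for NAME. Fails if NAME is missing or listed more than once.
resolve_partition() {
    awk -v name="$1" '
        { sub(/\r$/, "") }   # strip CR from CRLF line endings
        NF >= 3 && $(NF-1) == "->" && $(NF-2) == name { print $NF; found++ }
        END { exit (found == 1 ? 0 : 1) }
    '
}

# check_partitions LISTING: returns 0 only if every expected name resolves
# to exactly the expected device; prints one line per name checked.
check_partitions() {
    listing=$1
    status=0
    for pair in $EXPECTED; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$listing" | resolve_partition "$name") \
            || got="missing or duplicated"
        if [ "$got" = "$want" ]; then
            echo "OK       $name -> $got"
        else
            echo "MISMATCH $name: expected $want, got $got"
            status=1
        fi
    done
    return $status
}

# Sample input: three lines copied from the listing above.
SAMPLE_LISTING='lrwxrwxrwx root root 1970-02-07 01:11 recovery -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 1970-02-07 01:11 system -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 1970-02-07 01:11 userdata -> /dev/block/mmcblk0p15'

check_partitions "$SAMPLE_LISTING"

# Live use (assumes the handset is attached and adb is on PATH):
#   check_partitions "$(adb shell ls -al /dev/block/platform/msm_sdcc.1/by-name)"
```

A non-zero return means the device’s layout differs from the one this guide was written for, and the mmcblk0p14 and mmcblk0p18 paths used in later steps should not be trusted.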

Rename the original tmp directory, then link /system’s block device there and exit your adb shell.

shell@android:/ $ cd /data/local
mv tmp tmp.back
ln -s /dev/block/mmcblk0p14 tmp
exit

Reboot the device.

adb reboot

Grab another shell on the freshly-booted device. Make the debugfs binary executable, then use it to edit the block device you just linked to tmp.

adb shell

shell@android:/ $ toolbox chmod 755 /data/local/debugfs
/data/local/debugfs -w /data/local/tmp

At the debugfs: prompt, enter the xbin directory, remove the dummy su binary, inject the new su, make it executable, and set its ownership to 0:0.

Note: expect a “File not found by ext2_lookup while trying to resolve filename” error when removing the dummy su. Just continue.

debugfs: cd xbin
rm su
write /data/local/su su
set_inode_field su mode 0106755
set_inode_field su uid 0
set_inode_field su gid 0
quit

With that done, remove the block device symlink, restore the original tmp , and reboot the device.

shell@android: $ cd /data/local
rm tmp
mv tmp.back tmp
exit

adb reboot

Grab a shell on the rebooted device and run the su binary we injected.

adb shell

shell@android:/ $ /system/xbin/su

You should get a root user shell. Run id to check.

root@android:/ # id

Are you uid=0 / gid=0 ? Success!

Install Superuser from the Play Store and use it to update the copy of su we just injected.

Custom Recovery

“Recovery” in the Android world refers to a bootable partition separate from the main OS providing functionality such as backups and backup restoration, installing system updates, and wiping user data. Replacing Samsung’s recovery with a third-party version allows you to install update archives not signed by the manufacturer, including Cyanogenmod.

Download the latest d2att version of TWRP and push it to your device with adb.

adb push /Users/nicolereid/Downloads/openrecovery-twrp-2.3.1.0-d2att.img /sdcard/

Copy the custom recovery image over the recovery partition’s block device with dd, then reboot to your new recovery. Exercise caution with dd, and double-check your command so you don’t accidentally overwrite the wrong partition.

shell@android:/ $ su
dd if=/sdcard/recoveryfilename.img of=/dev/block/mmcblk0p18

Reboot to your newly-installed recovery.

shell@android:/ $ reboot recovery

Create a complete (OS, apps, user data) backup of your stock Samsung firmware in recovery by tapping “Backup”, and swiping to start. This backup contains the entire Android operating system, all installed applications, and all user data. You can restore this backup at any time if you find yourself dissatisfied with CM10.

Return to the main menu of TWRP and touch “Reboot” then “System” to exit recovery and boot Android.

Note: You may see ClockworkMod Recovery (CWM) mentioned elsewhere around the web. CWM is another extremely popular third-party recovery for Android devices and is functionally equivalent to TWRP.

User data backup

With superuser access you can now install TitaniumBackup and use it to back up your applications and settings individually for later restoration in CM.

Back up (“App+Data”) any application you want to save along with “Accounts” (your Google account information), saved Wi-Fi passwords, SMS/call history, and anything else that catches your eye. The paid version of the application supports batch backup.

Files

Fetch the newest stable release of Cyanogenmod for d2att. That’s 10.0 at the time of this writing, cm-10.0.0-d2att.zip. This is the base Android operating system.

Grab the newest Google Apps (“gapps”) package matching your Android version. CM10 is based on Android 4.1, “Jelly Bean”, so download the latest jb gapps package compatible with that version. At the time of this writing it’s gapps-jb-20121011-signed.zip. This contains the Play Store, Google accounts support, and other proprietary Google applications not included in Cyanogenmod.

Note: Check the release notes for the gapps package you’re downloading. Versions built for Android 4.2.x or newer will break the Android 4.1.2-based CM10 in catastrophic ways.

Download TitaniumBackup_latest.apk from the Titanium Backup site. You’ll side-load this to restore your Google account information in CM, since you can’t install TB from the Play Store without a logged-in Google account.

Optionally, download any additional flashable zips you want to include. I use the KT747 kernel and the flashable version of the excellent Cerberus mobile device management package.

Push these files to your device in an accessible location.

adb push /Users/nicolereid/Downloads/cm-10.0.0-d2att.zip /sdcard/
adb push /Users/nicolereid/Downloads/gapps-jb-20121011-signed.zip /sdcard/
adb push /Users/nicolereid/Downloads/KT747-Kernel-AOSP-JB-ATT-11-13-2012.zip /sdcard/
adb push /Users/nicolereid/Downloads/cerberus-ICS.zip /sdcard/
adb push /Users/nicolereid/Downloads/TitaniumBackup_latest.apk /sdcard/

Erase and Flash

Reboot to recovery using the SDK.

adb reboot recovery

Clear out the remnants of the stock OS by tapping Wipe -> Factory Reset. This will erase the /data and cache partitions containing your user data and installed applications. Be sure not to erase your internal faux-SD storage or your external SD card if you have one.

Once erased, tap “Install” at the main menu and browse to the update archives you pushed in the previous step. Flash CM itself first, then gapps, then any extras.

Restore

Reboot to your freshly-flashed CM. The Android first-run wizard will prompt for your Google account credentials. Hit “Skip” if you wish to restore your accounts through Titanium Backup.

Enable side-loading of APKs in System Settings under Security, then open CM’s included File Manager and browse to your TitaniumBackup APK. Install it, then open the application and use it to restore Accounts, applications, and anything else you backed up from the stock OS.

Miscellany

The only bit of functionality I missed from Touchwiz is Smart Stay, a feature that keeps the screen on if it detects a face with the front-facing camera. You can duplicate this functionality on AOSP by installing ISeeYou or SmartStay EX.

Conclusion

That’s it! You’re done! You may now enjoy the best of the excellent Samsung hardware, the beautiful AOSP Android interface, and the enhancements of Cyanogenmod 10.