Guide: use adb & fastboot on Fedora for installing custom Android OS

I had problems but got adb and fastboot to work, including a successful GrapheneOS install.

adb and fastboot are needed for installing custom operating systems and bootloaders on Android phones.

On Linux, you need to have the executables, but also udev rules, which allow you to connect to a phone without root.

NOTE: This increases your attack surface! So I will add a guide on how to disable it at the end.

To use the rules, your user needs to be in the plugdev group:

# add group when needed
sudo groupadd plugdev

# add user to group
sudo usermod -aG plugdev $USER

Install to system

The easy way, assuming fastboot is not broken (which it was for me), you can get adb, fastboot and the needed udev rules like this

# on traditional Fedora
sudo dnf install -y android-tools

# or on Atomic Desktops
rpm-ostree install android-tools

For whatever reason the udev rules are not active, even after installing the package. You need to link them to the correct location:

sudo ln -s /usr/share/doc/android-tools/51-android.rules /etc/udev/rules.d

Without installing to system

If

  • A: the fedora packages are broken for you, like it at least was the case with fastboot, or
  • B: you want to avoid installing stuff to your system

you can get the binaries from Google and the android udev rules from this external Github repo.

cd ~/.local/bin

# download the Google binary archive, enforce TLSv1.2

curl -O --proto '=https' --tlsv1.2 https://dl.google.com/android/repository/platform-tools_r35.0.0-linux.zip

# verify the checksum
echo '62fc977c1b7622ef8dbd6fe1312987d9b139aa8a0b06e88573c1b60129399d49  platform-tools_r35.0.0-linux.zip' | sha256sum -c
unzip platform-tools_r35.0.0-linux.zip

# move the binaries one dir up and remove the directory
mv platform-tools_r35.0.0-linux/* . && rm platform-tools_r35.0.0-linux

# remove the archive
rm platform-tools_r35.0.0-linux.zip

uBlue has a fork of the “android udev rules” Github project, which I would use for additional trust. But please make sure it is safe anyways.

# install the udev rules to the system
curl -fsSL https://raw.githubusercontent.com/ublue-os/android-udev-rules/main/51-android.rules | sudo tee /etc/udev/rules.d/51-android.rules

# reload the udev rules
sudo udevadm control --reload

Now you should be able to use the binaries from Google directly, make sure ~/.local/bin is in your $PATH!

cat ~/.bashrc | grep .local/bin

#or when using fish shell
cat ~/.config/fish/config.fish | grep .local/bin

#or when using zsh shell
cat ~/.zshrc | grep .local/bin

If this is empty, add it to your path

echo "PATH=$PATH:$HOME/.local/bin" >> ~/.bashrc

#or when using fish shell
fish_add_path -m ~/.local/bin

#or when using zsh
echo "PATH=$PATH:$HOME/.local/bin" >> ~/.zshrc

If this is not set, or if you dont want to change the PATH, you can run the binaries directly.

# instead of 
adb dosomething

# you use
~/.local/bin/adb dosomething

Disabling the rules again

An easier way of having usev rules ready, but not active, is simply to rename them.

# rename rule to disabled
sudo mv /etc/udev/rules.d/51-android.rules /etc/udev/rules.d/51-android.rules.disabled

sudo udevadm control --reload

To activate them again

sudo mv /etc/udev/rules.d/51-android.rules.disabled /etc/udev/rules.d/51-android.rules

sudo udevadm control --reload

sudo usermod -aG plugdev $USER

harden the adb service

The adb service can be ran as a dedicated user for improved security, thanks @vgaetera

sudo rm -f /etc/udev/rules.d/51-android.rules
sudo sed -r -e '/^(#|$)/d
s/\sTAG\+=\S+,\sENV\S+=\S+$/ GROUP="plugdev"/' \
/usr/share/doc/android-tools/51-android.rules \
| sudo tee /etc/udev/rules.d/51-android.rules > /dev/null
sudo groupadd -r plugdev
sudo useradd -r -g plugdev -d /var/lib/adb -s $(type -P nologin) adb
sudo chown -R adb:plugdev /var/lib/adb
sudo mkdir -p /etc/systemd/system/adb.service.d
sudo tee /etc/systemd/system/adb.service.d/override.conf << EOF > /dev/null
[Service]
User=adb
Environment=
EOF
sudo systemctl daemon-reload
sudo systemctl --now enable adb.service

this belongs to the set of “wheel-less” things that need manual config

1 Like

I can confirm this. I usually worked around this by chowning the USB device file manually.

Could you elaborate here? I restored a Nexus 5x to factory OS recently without any issues. The process involved using fastboot, too.

We build them from Google sources. Please open a bug report with steps to reproduce.

Please open a bug report saying that as well and add me to Cc. I might be able to help draft a PR with a fix.

1 Like

The rules are already packaged, you can enable them like this:

sudo ln -s /usr/share/doc/android-tools/51-android.rules /etc/udev/rules.d

See also: Is ADB supported out of the box? - #2 by vgaetera

5 Likes

Thanks, why is this not by default? Afaik it is the correct location for the udev rules?

@rathann I already reported such a bug, but I could not explain how the build process is broken.

Also the version is one too old. Maybe that fixes it?

1 Like

Perhaps the maintainers want to minimize security threat from ADB by forcing the user to explicitly enable only specific rules to reduce the attack surface.

It should be and it works for me.

android-tools (adb & fastboot) from fedora work fine here.

this is what i did:
sudo ln -s /usr/share/doc/android-tools/51-android.rules /etc/udev/rules.d/
sudo udevadm control --reload
sudo systemctl enable adb.service
sudo systemctl start adb.service

notes:
fastboot must use sudo or root (sudo su).
meanwhile adb can work without sudo.

2 Likes

fastboot should not need to use sudo. This has to be a polkit permission problem. I would be happy for help fixing that.

@vgaetera why would adding the Android udev rules be a security problem?

1 Like

The rules trigger the ADB service increasing the attack surface which may result in arbitrary code execution by connecting a compromised USB device.

Either enable the rules or the service, using both is redundant.

2 Likes

okay so symlinking the rules did something, using the GrapheneOS webinstaller (which unfortunately is not verbose at all) I was able to brick the OS until it hangs. Probably Brave Browser using the systems fastboot which is broken, maybe something else.

If you enable the service, the rules are redundant.
If you use the rules, there’s no need to enable and start the service.

ah, you are right

Have you ever tried this method? I can use fastboot commands without sudo.

or you can install android-udev-rules from copr
https://copr.fedorainfracloud.org/coprs/fulltext/?fulltext=android-udev-rules

1 Like

Cool! I will try that.

Also I will use the cli installer to get an idea of what was happening

soo, some update. I linked that udev rule which is pretty big, and tried to install GrapheneOS through Chromium. Added my user to the plugdev group too.

on Web installer | Install | GrapheneOS it doesnt detect my phone.

The Chromium is hardened with policies, which may be a problem.

Added adb, fastboot, udev-rules

Enabling the service will not make fastboot work, right? Otherwise it would be better for usability, as you can just disable or even mask the service

Since I would only have to do this once, instead of disabling the rules, could I just uninstall the android-tools packages and everything will be undone? In other words,

Add to Group
sudo groupadd plugdev
sudo usermod -aG plugdev $USER
Install android-tools
sudo dnf install android-tools
Link udev rules
sudo ln -s /usr/share/doc/android-tools/51-android.rules /etc/udev/rules.d
Flash ROM (Follow ROM instructions)
Uninstall android-tools
sudo dnf remove android-tools (sorry if this is wrong, I’m new to Fedora)

Only thing I don’t understand is, does the sudo groupadd plugdev create a group called plugdev then you add your user to it with sudo usermod -aG plugdev $USER?

Added grapheneos

Added lineageos

Question for the Docs people. Could this be added as a Doc page? I would do that but unsure if the “install Google binaries” is allowed there.

Fastboot is still broken for me so this was needed. I would like to make Fedora a possible OS for installing custom Androids, which it is.

The open issue on fastboot kinda got no results as I also dont know the problem.

I’ve flashed LineageOS fine on an older OnePlus 6 with adb and fastboot through Fedora’s (F39) android-tools and no udev stuff; fastboot needed root/sudo but adb was fine normal user.

I keep a link to Google’s latest platform-tools (linux, windows, macos) on-hand and temporarily extract it, use it, and then delete it when needed.

1 Like