Checking the checksum on a Nexus factory image (and why you should)

Take a few easy steps to verify that the file you downloaded is the file you wanted

Having a Nexus means you're provided with factory restore images should you want to revert anything you might have done to the system software. It's a failsafe, and the easiest way to return everything to the way it's "supposed" to be. More than a few people with Nexus phones use them — both for their intended purpose and as a way to get an update without waiting.

What we need to remember is that this means one more thing that can (and eventually will) go wrong. You're downloading a large and intricate set of bits and bytes. You should take a few minutes and verify the bits and bytes you downloaded are an exact copy of the bits and bytes that were uploaded.

The easiest way to do this is to verify the file checksum.

What is a file checksum?

Simply put, it's a digital fingerprint for the file. If the copy you have (the one you downloaded) has the same fingerprint as the one provided by the people hosting the file (in this case, Google), you have an exact copy of the file.

Google provides both the MD5 checksum and the SHA-1 checksum for Nexus factory images. It's worth noting that neither of these checksums is 100 percent "secure" — they can be manipulated after the fact by people with plenty of time and dedication. If you're in need of a way to verify something important that more than one person had access to before it landed in your hands, use a stronger algorithm. But to verify a download that you downloaded directly, either MD5 or SHA-1 is more than sufficient.

Why use a checksum at all?

In our case, we're using the checksum to verify that the file we downloaded is a bit-for-bit copy of the file provided by Google. Downloads can become corrupt for various reasons, and it only takes a second or two to verify that your download is good.

Chances are that a corrupt file simply wouldn't flash, and no harm will come to your phone or tablet. But — there's always a but — when dealing with bootloader files and device radio firmware, you always want the file to be good before you try to flash it. A Nexus phone or tablet is very hard to brick, but flashing a bad radio or bootloader is the best way to brick one.

An unlocked bootloader that will flash anything means that you can flash anything — even files that will ruin your device. Take the time to verify the checksum of the file you've downloaded using the instructions below. If the values match, you know your download is good. If the values do not match, try downloading the file again.

How to check the file integrity using a checksum

It's actually pretty easy to check that the file you downloaded is "good." Folks using Linux (most modern versions) or OS X have a tool built in to check either the MD5 or the SHA-1 sum. Windows users can download a great free tool that checks both via an easy-to-use interface.

Download the archive file containing the factory image for your device. Place it in a folder that's easy to get to, but don't uncompress it.

To check the file on OS X

  • Open the terminal app and navigate to the folder where you stored the downloaded file.
  • To check the MD5 type: md5 "name-of-file"
  • To check the SHA-1 type: openssl sha1 "name-of-file"
  • Compare the output to the values provided.

To check the file on Linux

  • Open the terminal app and navigate to the folder where you stored the downloaded file.
  • To check the MD5 type: md5sum "name-of-file"
  • To check the SHA-1 type: sha1sum "name-of-file"
  • Compare the output to the values provided.
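
Comparing 32 or 40 hex characters by eye is the step where mistakes creep in, so here is the same check wrapped in a small script that does the comparison for you on either OS X or Linux. This is an added example, not part of the original article; the function names and the exit codes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the article): verify a download against the
# MD5 or SHA-1 value published next to it. Function names are hypothetical.

# Print the lowercase hex digest of a file with whichever tool is installed.
file_digest() {
    case "$1" in
        md5)
            if command -v md5sum >/dev/null 2>&1; then
                md5sum < "$2" | awk '{print $1}'          # Linux
            else
                md5 -q "$2"                               # OS X
            fi ;;
        sha1)
            if command -v sha1sum >/dev/null 2>&1; then
                sha1sum < "$2" | awk '{print $1}'         # Linux
            else
                openssl sha1 < "$2" | awk '{print $NF}'   # OS X
            fi ;;
        *) return 2 ;;
    esac
}

# Returns 0 on match, 1 on mismatch, 2 on a usage or input error.
verify_checksum() {
    algo=$1 file=$2
    # Normalise the pasted value: drop whitespace, fold to lowercase.
    expected=$(printf '%s' "$3" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$algo" in
        md5) len=32 ;;
        sha1) len=40 ;;
        *) echo "use md5 or sha1" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # A truncated or mistyped value must not be mistaken for a bad download.
    case "$expected" in *[!0-9a-f]*) len=-1 ;; esac
    if [ "${#expected}" -ne "$len" ]; then
        echo "expected value is not a valid $algo digest" >&2; return 2
    fi
    actual=$(file_digest "$algo" "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published $algo"; return 0
    fi
    echo "MISMATCH: got $actual, expected $expected; download again" >&2
    return 1
}

# Script use: sh verify.sh sha1 "name-of-file" <published-value>
if [ "$#" -eq 3 ]; then verify_checksum "$@"; fi
```

Exit status 2 means the value you pasted was the problem (wrong length or stray characters), so you can tell a copy-and-paste slip apart from a download that really is bad.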

To check the file on Windows

These methods will work for any file you've downloaded from the Internet, not just Nexus factory restore images. Hopefully, this little bit of knowledge and a few easy tools will help make sure you don't go from a fancy Nexus phone or tablet to a fancy brick.

Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

20 Comments
  • I remember back in the C=64 days, we'd copy code from magazines for hours. At the end of each line, we would check the checksum provided. At 300 or 1200 baud rates, that wasn't unreasonable at all!
  • Yeah, and you'd often spend more time typing the code than playing the actual game :p fun times. Wubba lubba dub dub!
  • Ha! I remember that. I spent weeks typing in some game in the back of some magazine. Issue after issue, the game became better and better... in my mind. Never did get it running. Bee-Line... that's what it was called. I can't believe I still remember the name! As for checking checksums, I'm afraid I almost never do it if the files are archived in some way. I used to play around with hex editors, and even a 1 character change will make a zip file fail to open, so as long as the archive opens, I figure it's a safe bet the file downloaded without issue. Unlikely that the integrity of a file within an archive could be compromised without compromising the integrity of the archive itself.
  • I try to always check them. I hate to say it but I probably forget more often than not. Wubba lubba dub dub!
  • I remember the same... Pages upon pages of machine language. Only to play the game for an afternoon! .
  • How often do corrupted ROM downloads actually cause a problem? Is it the kind of thing where people get scared about needles in Halloween candy, even though that kind of thing pretty much never actually happens in reality?
  • Pfffh if you get images from Google site you don't need to do this Posted via the Android Central App
  • ^^Ummm....lemme think. Get Nexus flash from Google direct, save time and hassle...orrrrrrrr other sites... Posted via the Android Central App
  • Thats what I'm saying Posted via the Android Central App
  • One thing I'd change on Googles flash. Concerning the lock screen, I'd put the phone icon in the center and put the unlock icon in the left corner, I'm so tired of unlocking my phone in to the phone app. My thumb just naturally wants to slide from the left up and over. Ya I know, eventually I'll get used to it. 1st worlprollems. Posted via "enter" on a keyboard.
  • Wrong. You are assuming you have a perfect net connection (and all the networks in between) and a perfect computer with a perfect OS and a perfect storage system. None of those assumptions are true. Many factors can cause one or more bits in the downloaded data to change and that results in a damaged image. Even just a stray energetic particle flying through the air has the potential to change data. It is not just a matter of worrying about the security of the data. Now, would that damage actually cause issues? Who knows- but it COULD. So it is always a good idea to check your md5sum on anything important..... especially when it only takes a short time to do so. This is standard procedure when downloading Linux distros, before burning to DVD or copying to a USB key for installation.
  • OK if download a image off of Googles site and the bits of data are messed up I'll post a video of me eating my moto 360 Posted via the Android Central App
  • Wrong account Posted via the Android Central App
  • "You are assuming you have a perfect......" While that is true, at some point, you have to just take it on faith that it'll work. You could have a perfect download, saved perfectly to your disk, and have a file become corrupted as you're extracting it from the archive, or during the transfer to your phone... or on the phone itself as it's being written to the internal storage. I just checked with a hex editor - changing a single 0 to a 1 will result in an archive that won't successfully uncompress. Since virtually all images are compressed into an archive of some sort (zip, gzip, tar/gzip), it's pretty safe to say that if you can extract all the files, they're all ok. Is it beyond all possibility that the files could be corrupted? No, surely not, but the odds are probably about the same as an image being corrupted as it's being flashed, so it borders on pointless to worry about.
  • Good point. However, I have *never* seen a compressed Linux ISO image. The image already contains compressed files. So you wouldn't know something was wrong until after you have started the installation and then hit a problem and possibly have no working computer anymore. As for becoming corrupt while flashing... I don't think it is the same odds at all. There are many more steps of far less reliable transfer involved with getting and storing the image. But yes, it is possible it can be corrupt while flashing it... or even using it afterwards. Again, it is a quick thing to do so it is probably always a good idea to check the MD5sum... but especially so on something not compressed. I have had downloads fail a checksum before... and more than once, too.
  • Captain EXTREME CIRCUMSTANCES to the RESCUE! ..RESCUE... ESCue... cue.. Q..q...(that was an echo folks) Posted via "enter" on a keyboard.
  • Good article, more people need to understand the importance of this. I had mismatch md5 for the OTA lollipop that was driving me nuts but figured out how to work around it. Posted via the Android Central App
  • I used to always check but it always checked out fine so I stopped
  • I use hashtab on windows.
  • Misspelling conatining instead of containing.