Anyone have or know where I can download the telnetd binary for Android? I think I might have a way to get root privileges on the Samsung Moment...and if it works, I see no reason why it wouldn't work on the Hero.
Just need that darn telnetd binary and any of the support files so I can install it into my phone (as long as the root exploit works.) It's running Android 1.5 btw if that makes a difference.
Why not ssh?
Download dropbear
telnet is an open invitation to get hacked, since the connection is not encrypted.
I know telnet is not encrypted...that's why I'll turn off the radio and enable wifi when I do this.
I was on the IRC (#android-root on freenode) and was pointed in the direction of JesusFreke's build environment, in which (s)he has built a veritable ****-ton of ARM binaries that are *extremely* useful.
http://jf.andblogs.net/2009/05/24/jfv151-images-are-out/
I found JFV1.51 CRB43 US BuildEnvironment (1324) to be particularly useful. Once extracted, I found binaries for a very full busybox, and a few dozen other useful goodies, including telnetd.
From the extracted tar, the binaries are under 'Build/System/ModifiedFiles/xbin'. adb push them to /data/local on the device, then call them via adb shell.
Example:
With device connected, and with the Android SDK installed and in your PATH:
Code:
# tar xvf JFv1.51_CRB43-US_BuildEnvironment.tar.gz
# cd Build/System/ModifiedFiles/xbin
# adb push <program of your choice> /data/local
# adb shell
# /data/local/<program of your choice>
Just out of curiosity...what is your hunch for getting root on the Moment?
@gargarxp - Thanks for the info!
gargarxp said:
Just out of curiosity...what is your hunch for getting root on the Moment?
I was looking through all of the recent kernel privilege level escalation reports, and ran across this one:
http://seclists.org/fulldisclosure/2009/Nov/105
It works on kernels up to 2.6.31...and the Moment runs 2.6.27. My plan is to use an Android app to execute this exploit contained in a native executable (I have confirmed I can execute native code), which will then trigger a shell script I will write to copy the telnetd files into the proper places and start the service as root. From there, I'll telnet in...see if the root user has a password...and go from there.
Actually, if you get this to execute as root, the procedure from there is fairly simple.
From my understanding, the other root exploits have a singular goal: to gain a root shell for the purpose of creating a suid su for the system to use to gain root in the future. From the CDMA Hero process, once a root shell is gained:
Code:
# mount -o remount,rw -t rfs /dev/stl5 /system
# cd /system/bin
# cat sh > su
# chmod 4775 su
They:
Remount the /system fs as read-write
Go to the /system/bin directory
Copy sh to (a new) su
Set the permissions on that to 4 (SetUID) 775 (User-Group: RWX, Other: RX)
* /dev/stl5 is what I observed the device mounted to /system to be on my Moment. I obtained this information by running adb shell mount and seeing what /dev device was next to /system. Should be the same for every Moment, but the procedure is useful for any Android (or Linux for that matter) device.
Once this is done, any user executing this su will do so as the user/group that owns the executable, which in this case is root:shell.
So, via this method, if you can manage to get a root shell on *any* Android device, bada bing bada boom: rooted.
...At least that is my understanding of it all.
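An added example, not from the post above or from any device's own tooling: the persistence artefact gargarxp describes is a setuid-root copy of the shell sitting in /system/bin, so the natural check, whether you are auditing a handset or confirming that your own root job stuck, is to enumerate setuid files and compare them against what the firmware is expected to ship. The allowlist (ping, run-as) and the script name are assumptions to be adjusted per firmware; the script runs in plain POSIX sh on a workstation or, pushed to /data/local/tmp, under adb shell.

```shell
#!/bin/sh
# setuid_audit.sh (added example; not part of the thread or of any firmware)
# Enumerates setuid regular files under the given directories and flags any
# whose name is not on an allowlist. A setuid-root "su" in /system/bin or
# /system/xbin is exactly the persistence artefact described above: stock
# firmware of this era shipped no su at all.

# Constructed allowlist of setuid names a stock image is assumed to carry;
# adjust per firmware (this is an assumption, not taken from the thread).
SETUID_ALLOWLIST="${SETUID_ALLOWLIST:-ping run-as}"

# is_allowed NAME -> exit 0 if NAME appears in SETUID_ALLOWLIST
is_allowed() {
    for allowed in $SETUID_ALLOWLIST; do
        [ "$allowed" = "$1" ] && return 0
    done
    return 1
}

# list_setuid DIR... -> one "MODE OWNER PATH" line per setuid regular file
list_setuid() {
    find "$@" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        # ls -ld rather than stat(1): stat's flags differ between GNU, BSD and
        # toybox. Field 1 is the mode string, field 3 the owner (the Android
        # 2.x toolbox ls omits the link count, so owner is field 2 there).
        printf '%s %s\n' "$(ls -ld "$f" | awk '{print $1, $3}')" "$f"
    done
}

# audit_setuid DIR... -> prints "ok" / "UNEXPECTED" per setuid file and exits
# non-zero when at least one unexpected setuid file was found, so it can be
# chained into a larger check.
audit_setuid() {
    report=$(
        list_setuid "$@" | while read -r mode owner path; do
            if is_allowed "${path##*/}"; then
                printf 'ok         %s %s %s\n' "$mode" "$owner" "$path"
            else
                printf 'UNEXPECTED %s %s %s\n' "$mode" "$owner" "$path"
            fi
        done
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^UNEXPECTED'
}

# Usage on a device:
#   adb push setuid_audit.sh /data/local/tmp/
#   adb shell sh /data/local/tmp/setuid_audit.sh /system/bin /system/xbin
[ "$#" -gt 0 ] && audit_setuid "$@"
```

The owner column matters as much as the bit: a setuid file owned by root:shell is a full root shell for every uid on the device, which is the whole point of the procedure above and also why a file like that is the first thing to look for when you suspect a phone has been rooted without its owner's knowledge.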
Well...the problem is I can't get my Moment connected to my computer to run adb. I'm on Windows 7 64-bit...and the drivers won't load...and Samsung's PC Studio won't install properly. So, I found source code online for executing native code via an Android app...which should work to execute the native exploit.
And you'll have to excuse me...I've been using Linux for the past 10 years...programmed some projects on the platform...but this is pretty much my first time developing on Android.
Oh no problem at all. Frankly, I'm being overtly descriptive so as to make this post useful to the community in general and not be Moment-specific. I don't wish to encounter the ire of the XDA mods. Just trying to do a public service.
So, do you have an ARM binary of the exploit built already (ImpelDown.c)? And if so, could you post a link to download it? I've never cross-compiled before and am currently going 10 rounds with gcc and the android-2.6.27 source tree.
Thank you! I know...it's kinda risky for me posting stuff about the Moment in an XDA forum...but I figure this could help the Hero efforts as well...and XDA was so good to me back when I was using my DIAM500...I wanted to contribute something back.
I'm still trying to get my cross-compiler built. I initially started out with Cygwin and a tool for building a cross-compiler...but that went horribly wrong...tons of compiler errors. I attempted to use Scratchbox on OpenSuse 11.2...but Scratchbox wants to run on a Debian system...ugh...haha.
And as I was typing my response to you...I decided to Google for "arm compiler windows" and found http://www.gnuarm.com/
But rest assured...once there's a working binary...I'll upload it here.
From the Gnash project's dev wiki....
http://wiki.gnashdev.org/Building_for_Android
They raise some issues with using a standard cross-compiler (GNUARM uses Newlib, which isn't the Android libc implementation Bionic...which is apparently a problem)
I grabbed the toolchain they link to on the page and am trying that.
Yeah...I found that out as well after I installed gnuarm...
I also just loaded the native toolkit.
Well gargarxp...I compiled it...ran it...didn't work. I'm going to try another one tomorrow.
This is a thread that will allow you to ask specific questions and get some help with any dev work you may be attempting.
This will be a community effort between enewman17, loserskater, stratatak7, and myself. It would be great if other devs want to join in.
Acceptable questions
"I am trying to recompile X using APK Tool and I get this error. What am I doing wrong?".
"I am trying to flash the ROM I just built and I keep getting a status 0 error. Any thoughts?".
Unacceptable questions
"How do I compile/decompile apks?"
"How do I mod a kernel"
Theming questions go here.
Thread Rules
Do not post unless you have searched the thread.
Only post specific questions.
Only post long sections of code using the code or hide tags.
Your question may not be answered immediately. Be patient.
Use the thanks button (even if you don't get the answer you want).
Many thanks to kennyglass123 for the sticky!
Re: So you want to be a dev?
Just wanted to comment about questions.
The more info the better!
Bad comment: "I can't get X mod to work."
Better: "I'm trying to get X mod to work, and settings keeps FCing. Here's my modified files and a logcat."
Sent from my SAMSUNG-SGH-I747
Anyone feel free to PM me and I'll help you get the ball rolling if you feel your question does not meet thread criteria and you're looking to start development. I realize everyone has to start somewhere. Just be prepared for work.
mine
Now that we have thoroughly thanked each other, maybe someone will stop by with some questions. :silly:
upndwn4par said:
Now that we have thoroughly thanked each other, maybe someone will stop by with some questions. :silly:
LOL. I sure hope so.
For those of you reading this, feel free to ask any questions you have about Android development-related modification. I'm sure between the four of us and anyone else who wants to help out that knows what they are doing will know. I'm happy to help out with anything I can.
How do you double the hours in a day so you have enough time to actually do this stuff
Seriously though, this is a great thread and nice to see 4 of the top devs working together and willing to help.
If I ever do find the time I'm sure I'll be back.
Sent from my SGH-I747 using xda premium
jde984 said:
How do you double the hours in a day so you have enough time to actually do this stuff
A (somewhat) valid question: For me, it requires a very understanding wife and sleep deprivation.
______________
OK, now let's keep this thread clean and on topic. Thanks!
See in my sig a guide how to decompile apks, edit, and recompile apks! link: http://forum.xda-developers.com/showthread.php?t=2147425
My question: I'm attempting to edit smali for the first time. However, it's pretty foreign. Any guides or tutorials out there? I've searched, but nothing substantive (just some pages on the nomenclature for the dalvik bytecode). My issue is that the instructions for the mod have different registers than me and I can't figure out how to adjust the changes.
It's difficult to answer generic questions like that.
Post up what you are trying to do and maybe we can all work it out together.
headset control for AOSP
Ok... Team LiquidSmooth is stumped as am I, and I've spent about 8-10 hours searching all in all, through Google, CM threads, Android General/q&a and githubs... I'm still looking but wondering if I could get some help before their team or I pull any more hair out. Basically just what my title says, need the code for controlling music and phone calls from headset controls. The capacitive keys light up when the buttons are pressed but no actions are performed. It's as if the rom is just missing the path for them or something. Any help on where to search or anything, I'm game. Thanks guys.
SOLVED, thanks anyways guys :good:
upndwn4par said:
It's difficult to answer generic questions like that.
Post up what you are trying to do and maybe we can all work it out together.
Got it. I'll write up my issues...but, I've been having some trouble with adb and think that might be a bigger issue, haha:
I'm trying to allow adb to run as root. I decompiled boot.img, changed ro.secure to 0, recompiled boot.img, and pushed. Default.prop now shows ro.secure=0. But, I tried running adb remount and I still get permission denied? Someone said there may be other edits required, but I can't seem to find any.
Here's what I changed it to:
Here's what ADB is telling me:
Code:
shell@android:/ $ getprop ro.secure
getprop ro.secure
0
shell@android:/ $ exit
exit
adb remount
remount failed: Operation not permitted
ikjadoon said:
Got it. I'll write up my issues...but, I've been having some trouble with adb and think that might be a bigger issue, haha:
[...]
Try this in terminal...
adb root
Then
adb remount
That should do it for ya.
task650 said:
Try this in terminal...
adb root
Then
adb remount
That should do it for ya.
Thanks for the reply! Right: I should probably be root before I try that command. Unfortunately, I tried "adb root" and it said: "adbd cannot run as root in production builds." I did some Google'ing and a few threads said that I should have changed ro.debuggable to 1 as well in default.prop.
So, I changed ro.debuggable=1 and, right, ro.secure=0 still. Then the oddest thing happened: I typed "adb root" into terminal and it went to a new line, no message. And then it disconnected my phone from ADB (I heard the little "ding ding" noise of disconnection). Unfettered, I typed in "adb remount," but of course then it complained that no devices were attached! I thought it was a fluke, so I tried it a few more times. It happened again and again.
In an ostensibly unrelated problem, I couldn't get SecSettings.apk to push back (even though android.policy.jar pushed fine), so I tried a Nandroid. TWRP seemingly did not like my changes to default.prop, as it went crazy (froze a few times) saying "cannot unmount /system" every time I tried a restore and then "Restore failed." Hmm...I pushed back my backed up boot.img and it restored fine.
I'm messing up somehow. So, I'm using VTS to unpack and repack the image. I saw that the output boot.img's are about 6MB, while the default ones I pulled are 10.1MB. Dev said it was probably just compression? Also, I'm pulling the boot.img via adb dd if=/dev/mnt/mmcblk0p7 of=/sdcard/boot.img. Are either of these too weird/wrong?
ikjadoon said:
Thanks for the reply! Right: I should probably be root before I try that command. Unfortunately, I tried "adb root" and it said: "adbd cannot run as root in production builds." I did some Google'ing and a few threads said that I should have changed ro.debuggable to 1 as well in default.prop.
[...]
Are you running adb shell as superuser?
Try:
adb shell
su
adb remount
After typing su you will need to grant superuser permission on your device.
Things to check when pushing with adb:
System, app, and framework folders are mounted r/w in root explorer.
USB debugging is enabled.
I am lazy so I use Eclipse for pushing and pulling files.
Repacked boot images are almost always smaller than the original (sometimes a lot smaller).
upndwn4par said:
Are you running adb shell as superuser?
[...]
EDIT: I gave up, haha. Thank you guys, though. I just copied and pasted both files onto /sdcard and then used the good 'ole adb shell mount -o remount,rw /system and then busybox cp of the files over. Copy worked. And the mod worked. And, honestly, I don't flash enough to make adb root worth it. It's a few extra seconds of my life to type the extra commands instead of taking 2 days to figure out this boot.img....
----
I re-did the ro.secure=0 edit in the boot.img through dsixda's kitchen, just to be sure it wasn't VTS. I also "flashed" it via adb dd in recovery this time instead of in Android. I also left ro.debuggable=0 as that does not seem pertinent to allowing adb to run as root, but simply to debug system apps, etc. Does anyone know any actual information on whether ro.debuggable=0 is required to allow adbd to run as root?
1) ADB shell as superuser: um, I didn't think about that! I thought adb root and adb remount were ADB commands, not shell commands? But, I tried it anyways, but it simply said "error: device not found". See http://prntscr.com/wvjmq
2) Right, ADB shell has SU rights as "always grant" per the SuperSU app.
3) Pushing with ADB: oh, huh! So, adb remount or mount -o remount,rw /system are not recursive? Meaning they only apply to the top-level directory? I think that's what you're saying, but that has never been a problem in the past...I think. And, technically, that doesn't explain why when I didn't mount /system/framework specifically android.policy.jar pushed fine. Pushing SecSettings.apk to /system/app causes a "Permission denied" error. Can Android reject apks? I did a few minor edits to SecSettings.apk, from this mod: http://forum.xda-developers.com/showthread.php?t=2002620
4) Thanks for the boot.img size clarification; got a little worried after having "lost" 40% of the image, haha!
tl;dr:
1) Using either VTS or dsixda's kitchen to modify boot.img to ro.secure=0 and running "adb root" = "adbd cannot run as root in production builds." Pulled and flashed boot.img via adb dd.
2) Unrelated to issue 1 (I think): after mounting system via adb shell (mount -o remount,rw /system), I cannot push SecSettings.apk into /system/app ("Permission denied"), while android.policy.jar pushes just fine /system/framework.
I appreciate everyone's help here. I think it's something really little that I've missed and I just can't figure it out.
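As an added example (not from the thread, and not AOSP's or Samsung's own code), here is a small shell model of the decision ikjadoon is asking about, reconstructed from the Jelly Bean era AOSP adbd sources (should_drop_privileges in adb.c and the "root:" service handler in services.c) as I remember them; a vendor adbd may deviate from it. The two reply strings are the ones quoted in the thread, plus the third one AOSP prints on success. The script name and the sample default.prop in the usage note are my own.

```shell
#!/bin/sh
# adbd_root_model.sh (added example; a model of AOSP behaviour, not AOSP code)
# Reproduces, as shell functions, the two decisions a Jelly Bean era adbd makes
# from ro.secure / ro.debuggable / service.adb.root: whether it drops to the
# "shell" uid at start-up, and what the "root:" service (the device side of
# "adb root") answers. Vendor adbd builds may deviate from this.

# adbd_uid RO_SECURE RO_DEBUGGABLE SERVICE_ADB_ROOT -> "root" or "shell"
adbd_uid() {
    secure=$1 debuggable=$2 svc_root=$3
    # ro.secure is read with a default of "1": an absent property is secure.
    if [ "${secure:-1}" = "1" ]; then
        # A secure adbd may still stay root, but only on a debuggable build and
        # only after "adb root" has set service.adb.root=1 and restarted it.
        if [ "$debuggable" = "1" ] && [ "$svc_root" = "1" ]; then
            echo root
        else
            echo shell
        fi
    else
        # ro.secure=0: privileges are never dropped, whatever ro.debuggable is.
        echo root
    fi
}

# adb_root_reply RO_SECURE RO_DEBUGGABLE SERVICE_ADB_ROOT -> the line "adb root" prints
adb_root_reply() {
    if [ "$(adbd_uid "$1" "$2" "$3")" = "root" ]; then
        echo "adbd is already running as root"
    elif [ "$2" != "1" ]; then
        # The reply quoted in the thread. It is gated on ro.debuggable alone;
        # ro.secure plays no part in it.
        echo "adbd cannot run as root in production builds"
    else
        echo "restarting adbd as root"
    fi
}

# prop FILE NAME -> value of NAME in a default.prop-style file ("" if absent);
# the last definition wins, as with the property service.
prop() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# explain_default_prop FILE -> one-line verdict for a ramdisk default.prop
explain_default_prop() {
    s=$(prop "$1" ro.secure)
    d=$(prop "$1" ro.debuggable)
    printf 'ro.secure=%s ro.debuggable=%s -> adbd starts as %s; "adb root" replies: %s\n' \
        "${s:-unset}" "${d:-unset}" "$(adbd_uid "$s" "$d" "")" "$(adb_root_reply "$s" "$d" "")"
}

# Usage against a default.prop taken from an unpacked boot.img ramdisk:
#   sh adbd_root_model.sh /path/to/ramdisk/default.prop
[ "$#" -eq 1 ] && explain_default_prop "$1"
```

Under this model ro.debuggable gates only the on-demand "adb root" path: with ro.secure=0 adbd never drops privileges in the first place, and "adb root" simply answers that it is already root. A device whose getprop shows ro.secure=0 but which still presents a shell@ prompt and the "production builds" message is therefore running an adbd that does not follow this logic, so the next thing to inspect is the vendor's adbd binary (and whether the flashed ramdisk is really the one that booted), rather than further default.prop edits.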
ikjadoon said:
EDIT: I gave up, haha. Thank you guys, though. I just copied and pasted both files onto /sdcard and then used the good 'ole adb shell mount -o remount,rw /system and then busybox cp of the files over. Copy worked. And the mod worked. And, honestly, I don't flash enough to make adb root worth it. It's a few extra seconds of my life to type the extra commands instead of taking 2 days to figure out this boot.img....
[...]
If you post the kernel (untouched) for me, I will go through the process myself. That way, when/if it works, I can tell you my exact steps so that you can try it out for yourself. Let me know exactly what you are trying to accomplish also.
task650 said:
If you post the kernel (untouched) for me, I will go through the process myself. That way, when/if it works, I can tell you my exact steps so that you can try it out for yourself. Let me know exactly what you are trying to accomplish also.
You guys are too kind. I feel like you have more important things to do than help a sucker like me. If you're very bored, go ahead.
Attached is my stock, unadulterated boot.img inside a zip. What I am trying to accomplish: push system files from ADB (without going into the shell). I think you need adbd to run as root to do that, right? So, an "insecure" kernel. Thus, I should be able to type "adb root" and then "adb remount" to make /system rw instead of ro and then type "adb push SystemUI.apk /system/app/SystemUI.apk" and it work. I thought I just needed to make ro.secure=0 in the boot.img's default.prop, but it looks like that is not enough.
But, honestly, if it looks like it takes too much time (I'm serious; I honestly think Samsung sent me a borked phone), it's all good. ADB shell and Busybox cp will suffice. I'm just more curious of what I am doing wrong here.
~Ibrahim~
Interesting. I am getting the same error (yes, ro.secure=0 and ro.debuggable=1).
As soon as I am finished with the update I am working on I will look in to this - unless Task figures it out first. If for no other reason, just because I want to know.
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Me>cd c:\android
c:\Android>adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
041b9c2b device
c:\Android>adb shell
shell@android:/ $ adb root
adb root
* daemon not running. starting it now on port 5038 *
* daemon started successfully *
error: device not found
1|shell@android:/ $ su
su
root@android:/ # adb remount
adb remount
error: device not found
1|root@android:/ # adb root
adb root
error: device not found
1|root@android:/ # WTF?
upndwn4par said:
Interesting. I am getting the same error (yes, ro.secure=0 and ro.debuggable=1).
[...]
You shouldn't be running adb root inside of a shell. You're running two instances of adb and only need the first connection. The reason you're getting device not found is because you're running an instance of adb on the device and it's looking for other devices. Try it again without running adb shell.
Sent from my SAMSUNG-SGH-I747