Develop Bugs

OPENVPN under android 2.2

HOW TO MAKE A OPENVPN CONNECTION
(you must use latest kernel - since 2010-08-18 it is integrated (tun module must be integrated in kernel mdules)
-> system/lib/modules/tun.ko)
kernel: htc-msm-linux-20100818_135751-package.tar or newer needed (because there the tun module is included)
1.) install of "openvpn" binary.
we do this manually
a) download openvpn.zip and copy the file: "openvpn" to directory "/sdcard/openvpn"
b) then set the execute writes via:
chmod +x /system/bin/openvpn
2.) some special settings - i do it via a start script -> /sdcard/conf/froyo.user.conf
(see there for the custom_shells part ...)
Code:
# custom shell commands, these commands run last
custom_shells{
#openvpn (ifconfig and route is needed)
mkdir /system/xbin/bb
ln -s /bin/busybox /system/xbin/ifconfig
ln -s /bin/busybox /system/xbin/bb/ifconfig
ln -s /system/bin/route /system/xbin/route
ln -s /system/bin/route /system/xbin/bb/route
#modprobe
modprobe tun
}
3.) copy your openvpn config files to directory /sdcard/openvpn
( my config file looks like: (for the client))
Code:
dev tap
dev-node /dev/tun
proto tcp-client
tls-client
#your server ip + port
remote 123.123.123.123 443
tls-auth /sdcard/openvpn/srv3.xxx.com_ta.key 1
ca /sdcard/openvpn/srv3.xxx.com_ca.crt
cert /sdcard/openvpn/srv3.xxx.com_rlt3.crt
key /sdcard/openvpn/srv3.xxx.com_rlt3.key
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
redirect-gateway
comp-lzo
verb 3
status /sdcard/openvpn/srv3.xxx.com_rlt3_status.log
log-append /sdcard/openvpn/srv3.xxx.com_rlt3.log
only for your info (my server config)
Code:
port 443
dev tap0
proto tcp-server
mode server
tls-server
tls-auth /etc/openvpn/srv3.xxx.com_ta.key 0
ca /etc/openvpn/srv3.xxx.com_ca.crt
cert /etc/openvpn/srv3.xxx.com.crt
key /etc/openvpn/srv3.xxx.com.key
dh /etc/openvpn/srv3.xxx.com_dh1024.pem
crl-verify /etc/openvpn/srv3.xxx.com_crl.pem
client-config-dir client-config
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
keepalive 10 60
ping-timer-rem
persist-key
persist-tun
push "ping 10"
push "ping-restart 60"
push "ping-timer-rem"
mute 50
comp-lzo
status-version 2
status /var/log/openvpn/srv3.xxx.com_openvpn-status.log
log /var/log/openvpn/srv3.xxx.com_openvpn.log
verb 3
ifconfig 192.168.23.1 255.255.255.0
ifconfig-pool 192.168.23.2 192.168.23.9
push "route 192.168.23.0 255.255.255.0"
push "dhcp-option DNS 192.168.23.1"
push "dhcp-option DOMAIN vpn.xxx.com"
#Turn this on, if you want that all traffic goes over VPN
#push "route-gateway 192.168.23.1"
#push "redirect-gateway"
client-to-client
#using multiple cn's (no limited to single access via one cert files)
duplicate-cn
4.) install of "openvpn settings" from market place
then start app: "openvpn settings"
then configure there:
-> Load tun kernel adapter -> OFF
-> TUN modules settings: (not needed)
-> load module using -> modprobe (not needed)
-> path to tun module -> tun (not needed)
-> Path to configuration -> /sdcard/openvpn
-> Path to openvpn binary -> /sdcard/openvpn/openvpn
5.) Then you should see your config file and you can click it to start.
That's it
EDIT on 23.08.2010 + 30.08.2010

good article!

pride2 said:
good article!
Click to expand...
Click to collapse
maybe it should not iunder HTC HD, but anyhow ... if someone need it, he will find it -> search function is your friend

pride2 said:
good article!
Click to expand...
Click to collapse
Yeah it is a quite good article...
But there is one thing I don't understand... Or two...
Firstly... Why we have to link "route" and "ifconfig" twice?
Secondly... Why we have to link "/system/xbin/route" to "/system/xbin/route"?
In my opinion this will cause something like a loop which makes the command not executable... Could that be right?
Many regards

Crusoe86 said:
Yeah it is a quite good article...
But there is one thing I don't understand... Or two...
Firstly... Why we have to link "route" and "ifconfig" twice?
Secondly... Why we have to link "/system/xbin/route" to "/system/xbin/route"?
In my opinion this will cause something like a loop which makes the command not executable... Could that be right?
Many regards
Click to expand...
Click to collapse
the route is used by hardcoded path "/system/xbin/bb" from static "openvpn"
so, i was not sure if it is system/xbin or /system/xbin/bb, so i prefer to make both lnk's.
but addtional - i madea mistake, it is changed on first posting.
the mistakes are:
1.) openvpn-installer doesn't install conrrectly -> so, i did it manually
now.work
2.) ln was wrong: now the correct lnk's are:
ln -s /bin/busybox /system/xbin/ifconfig
ln -s /bin/busybox /system/xbin/bb/ifconfig
ln -s /system/bin/route /system/xbin/route
ln -s /system/bin/route /system/xbin/bb/route
cu camel

I have the leaked 2.2 stock Froyo on my Incredible.
I get this after it authenticates:
FATAL: Cannot allocate TUN/TAP dev dynamically
Any ideas? I'm guessing it doesn't have the tun driver.

PokerMunkee said:
I have the leaked 2.2 stock Froyo on my Incredible.
I get this after it authenticates:
FATAL: Cannot allocate TUN/TAP dev dynamically
Any ideas? I'm guessing it doesn't have the tun driver.
Click to expand...
Click to collapse
EDIT:
please check my first posting (updated ...)

also as i can see - often the problem is to install the openvpn as executable, and also to "modprobe tun".
therefoore you can also add to your /sdcard/conf/froyo.user.conf like me:
(see there for the custom_shells part ...)
# custom shell commands, these commands run last
custom_shells{
#openvpn (ifconfig and route is needed)
mkdir /system/xbin/bb
ln -s /bin/busybox /system/xbin/ifconfig
ln -s /bin/busybox /system/xbin/bb/ifconfig
ln -s /system/bin/route /system/xbin/route
ln -s /system/bin/route /system/xbin/bb/route
#modprobe
modprobe tun
#map the executable openvpn file to /system/xbin or bin
mount --bind /sdcard/openvpn/openvpn /system/xbin/openvpn
}
############
sure maybe some links are not needed - not sure what you have set ..
and of course - you can make it more cleaner as me ... but it is working fine enough for me.
cu camel

[INFO] OpenVPN (tun.ko) for LG Tmobile Gslate

I just compiled a tun.ko and got OpenVPN working on the Tmobile Gslate! so I thought I would share:
1- Rooted (thanks to Chandon)
http://forum.xda-developers.com/showthread.php?t=1065882
2- Install tun.ko (Attached below)
download and unzip
Code:
adb remount
adb push tun.ko /system/lib/modules
adb shell
chmod 755 /system/lib/modules/tun.ko
Note: This tun module was built for kernel 2.6.36.3+
3- Install BusyBox using BusyBox Installer (from Market)
Install to /system/xbin
4- Install OpenVPN using OpenVPN Installer (from Market)
Install binary to /system/xbin
Install route to /system/xbin/bb
5- Install OpenVPN Settings (from Market)
6- Install OpenVPN static binary:
Download Static openvpn
Un-bz2 the file (7-Zip on Windows | bunzip2 on linux)
Code:
adb remount
adb push openvpn-static /system/xbin/openvpn
adb shell
chmod 555 /system/xbin/openvpn
7- Link Busybox ifconfig and route to /system/xbin/bb
Code:
adb shell
su
mkdir /system/xbin/bb
ln -s /system/xbin/ifconfig /system/xbin/bb/ifconfig
ln -s /system/xbin/route /system/xbin/bb/route
8- Setup OpenVPN Settings (from Market)
OpenVPN settings > Advanced > Load tun kernel module <- turn ON
OpenVPN settings > Advanced > TUN module settings
Load module using - insmod
Path to tun module - /system/lib/modules/tun.ko
9- copy your .conf files to /sdcard/openvpn
REBOOT
CONNECT!~
Extra for SMB mounters : Cifs.ko ! - Attached!
Edit: June 5 '11 - Extra for Asian users : nls_utf8.ko - Attached!

Well, I'm able to connect to my OpenVPN server now, but there must be something different in the binary..."client.conf: Connected" keeps spamming the notification area. Are you having this problem?
On a related note - I've got a couple other options, if I can get my cross-compiling tools set up correctly...I could use SonicWALL's NetExtender app, but that needs ppp_async and ppp_synctty built. I also wanted to be able to talk to a Windows-friendly PoPToP VPN server, but I suspect I'd need the ppp_mppe.ko built for that.
I tried compiling the whole kernel with the options I've mentioned, but I don't think I did it right...the make went all the way through, but I was using the gcc 4.4.3 eabi set in the SDK/NDK toolset. Since then, I've been trying to set things up according notes I found at K's Cluttered loft ( at triple-w dot (noob html limitation workaround) ailis.de/~k/archives/19-ARM-cross-compiling-howto dot HyperText Markup Language ) but start encountering problems when I try to build glibc...do you know of any instructions/tutorials which might help to educate this n00b (aye, that be me) in the fine art of ARM cross compiling?

bealesbane said:
Well, I'm able to connect to my OpenVPN server now, but there must be something different in the binary..."client.conf: Connected" keeps spamming the notification area. Are you having this problem?
On a related note - I've got a couple other options, if I can get my cross-compiling tools set up correctly...I could use SonicWALL's NetExtender app, but that needs ppp_async and ppp_synctty built. I also wanted to be able to talk to a Windows-friendly PoPToP VPN server, but I suspect I'd need the ppp_mppe.ko built for that.
I tried compiling the whole kernel with the options I've mentioned, but I don't think I did it right...the make went all the way through, but I was using the gcc 4.4.3 eabi set in the SDK/NDK toolset. Since then, I've been trying to set things up according notes I found at K's Cluttered loft ( at triple-w dot (noob html limitation workaround) ailis.de/~k/archives/19-ARM-cross-compiling-howto dot HyperText Markup Language ) but start encountering problems when I try to build glibc...do you know of any instructions/tutorials which might help to educate this n00b (aye, that be me) in the fine art of ARM cross compiling?
Click to expand...
Click to collapse
Yeah I have that spamming problem too .. always have with the honeycomb tablets.
I used 4.4.0 eabi, and had to hard code the localversion in the setlocalversion file and absolute path to the eabi modules in the makefile to get it to cross compile
I built and attached the ppp_async.ko , ppp_synctty.ko , ppp_mppe.ko for you (I did not test a insmod as I built and tested the cifs and tun on a friends tablet - do let me know if these work!)

That's great! Thanks for putting those together. All of the modules you created insert fine with insmod (this version of busybox still has an issue with modprobe running on this tablet, suspect may be related to self-referring parameter, but hope to experiment more later) with the exception of mppe. That one comes back with "insmod: init_module '/system/lib/modules/ppp_mppe.ko' failed (File exists)".
This, however, may not be due to the module itself, strictly speaking. The other two, which are presented by SonicWALL as a workaround to their proprietary VPN app, inserted fine, but still produce an I/O error when a connection is attempted...closer inspection of the app's log reveals a similar complaint under the hood:
06-01 08:01:36.848 I/NetExtender.ppp( 8207): Nxhelper: start pppd main routine
06-01 08:01:36.858 D/NetExtender.ppp( 8207): using channel 1
06-01 08:01:36.858 E/NetExtender.ppp( 8207): Couldn't create new ppp unit: File exists
06-01 08:01:36.858 I/NetExtender.ppp( 8207): Nxhelper: pppd hung up, notify the service
My off the wall guess, pending further investigation, is that inserting mppe, or trying to initialize the other two, results in an attempt to create a device handle which is not being properly enumerated? ( i.e., attempting to create an instance of /dev/ppp, which already exists, instead of a new handle, say, /dev/ppp0, ppp1, etc.) Again, just theorizing blindly at this point - but you've certainly given me a great deal to work with, and I say thank ya big big.
I'll update you with any progress I make here, but at least for the time being I still have basic connectivity to one of my networks, and I can do much with that. And the cifs module works a treat as well!

In the meantime, a simple script allows me to toggle the VPN on and off without being annoyed by the spamming...then I add a widget to the script using ScriptManager (from the market) and viola! Look ma, no hands!
Code:
#!/system/bin/sh
BB="/system/xbin/busybox"
VPN="/system/xbin/openvpn"
TUNDTL=`$BB ifconfig tun0 2>&1`
RESULT=$?
if [ $((RESULT)) -eq 1 ]; then
$VPN --config /mnt/sdcard/openvpn/client.conf --daemon MYVPN
else
VPNPID=`ps openvpn | grep "^root"`
VPNPID=`echo $VPNPID | cut -d" " -f2`
if [ $((VPNPID)) -gt 99 ]; then
$BB kill -KILL $VPNPID
fi
fi
exit
(Just for anyone who doesn't want to wait until OpenVPN Settings gets a bugfix for Honeycomb. Obviously, adjust locations as needed. Oh, and don't give the script a name that starts with "openvpn"...unless you WANT a kamikaze script. This simple script obviously wouldn't work for multiple tunnels, (if they're even supported), but it does ya fine for the basic config.)

awesome idea for the spamming .. sadly I have 8 openVPN servers I switch between so i have to put up with the spamming.. any idea what the reason of the spamming is? maybe contact the dev?

The source for the app is available at 'code.google.com/p/android-openvpn-settings'. The issue has been reported already by a few people (issue 70), but it looks like there are quite a few other issues reported, so no telling if or when Mr. Schäuffelhut will have a chance to review it. It seems like it would be a good starter project for a would-be contributor...I haven't done any java developing, but it seems like it would be easier to isolate our issue and tweak it than bloat my simple script to allow multiple PIDs to be tracked and toggled...though the latter is certainly possible, and after I get my second OpenVPN server online (Audiogalaxy offline for better part of day yesterday, need to make myself independent of that), if the Java is too daunting I just may do so. So many tempting projects, so little time.

Simple VPN handler script to tide us over until 0.4.8 or more in OpenVPN-Settings
Ok, since you were so kind as to compile those extra modules for me, I figure the least I can do is give you something in return. Here's a simple VPN handler to manage multiple tunnels. Filenames for config files are entered relative to the CFGS folder, and module load/remove is manual rather than auto...and I put in connection sharing, as I'm using it this way...but it'll certainly let you use as many tunnels as the kernel will let you work with.
As always, the standard, 'you take your life into your own hands if you use this code, not responsible for problems up to and including user death' disclaimer applies. It seems to be working for me, though I'm only using 2 VPN's ATM.
Good luck! (Will still let you know if I make any progress in Java Dev)
Code:
[email protected]: /data/local/bin > cat ./vpnhandler
#!/system/bin/sh
export BB="/system/xbin/busybox"
export VPN="/system/xbin/openvpn"
export MODS="/system/lib/modules"
export CFGS="/mnt/sdcard/openvpn"
export SPACES=" "
LOOPBACK=0
while [ $((LOOPBACK)) -eq 0 ]; do
LOOPBACK=1
CIFMOD=`$BB lsmod | grep -c "^cifs"`
if [ $((CIFMOD)) -eq 0 ]; then CIFMOD="Load"; else CIFMOD="Remove"; fi
TUNMOD=`$BB lsmod | grep -c "^tun"`
if [ $((TUNMOD)) -eq 0 ]; then TUNMOD="Load"; else TUNMOD="Remove"; fi
clear
echo "Simple VPN Handler"
echo "=================="
echo
echo "ACT # Tunnel Name Configuration File "
echo "--- --- -------------------- ------------------------------"
while read vpndefs; do
TUNNO=`echo "${vpndefs}" | cut -d"~" -f1`
TUNNAME=`echo "${vpndefs}" | cut -d"~" -f2`
TUNCFG=`echo "${vpndefs}" | cut -d"~" -f3`
TUNSTAT=`$BB ps w | grep openvpn | grep -c "\-\-daemon ${TUNNAME}\$"`
if [ $((TUNSTAT)) -eq 1 ]; then TUNSTAT="*"; else TUNSTAT=" "; fi
DISPLINE=" ${TUNSTAT} ${SPACES:0:$((3-${#TUNNO}))}${TUNNO} ${TUNNAME}${SPACES:0:$((22-${#TUNNAME}))}${TUNCFG}"
echo "${DISPLINE}"
done < "${CFGS}/cfglist"
echo
echo "_______________________________________________________________"
echo
echo " A - Add a new tunnel definition"
echo " D - Delete an existing tunnel "
echo " C - ${CIFMOD} CIFS Module "
echo " T - ${TUNMOD} TUN Module "
echo " S - Share tap0 to eth0 traffic "
echo " X - Break traffic forwarding "
echo " Q - Quit "
echo
echo -n " Select action, or a tunnel number to toggle on or off : "
read actkey
if [ "$actkey" = "C" -o "$actkey" = "c" ]; then
LOOPBACK=0
if [ "$CIFMOD" = "Load" ]; then
LOADMOD=`$BB insmod ${MODS}/cifs.ko 2>&1`
else LOADMOD=`/system/bin/toolbox rmmod cifs.ko 2>&1`
fi
fi
if [ "$actkey" = "T" -o "$actkey" = "t" ]; then
LOOPBACK=0
if [ "$TUNMOD" = "Load" ]; then
LOADMOD=`$BB insmod ${MODS}/tun.ko 2>&1`
else LOADMOD=`/system/bin/toolbox rmmod tun.ko 2>&1`
fi
fi
if [ "$actkey" = "S" -o "$actkey" = "s" ]; then
LOOPBACK=0
iptables -F; iptables -t nat -F; iptables -X; iptables -t nat -X
echo 1 | tee /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT
fi
if [ "$actkey" = "X" -o "$actkey" = "x" ]; then
LOOPBACK=0
iptables -F; iptables -t nat -F; iptables -X; iptables -t nat -X
echo 0 | tee /proc/sys/net/ipv4/ip_forward
fi
if [ "$actkey" = "A" -o "$actkey" = "a" ]; then
LOOPBACK=0
echo; echo -n " Enter tunnel number to assign : "; read TUNNO
TUNCHK=`cat "${CFGS}/cfglist" | grep -c "^${TUNNO}~"`
if [ $((TUNCHK)) -eq 0 ]; then
echo; echo -n " Enter a name for the tunnel : "; read TUNNAME
echo; echo -n " Enter filepath/name for config file (relative to ${CFGS}) : "; read TUNCFG
echo "${TUNNO}~${TUNNAME}~${TUNCFG}" >> "${CFGS}/cfglist"
else echo -n " That number is already in use. "; read TUNNO
fi
fi
if [ "$actkey" = "D" -o "$actkey" = "d" ]; then
LOOPBACK=0
echo; echo -n " Enter tunnel number to delete : "; read TUNNO
TUNCHK=`cat "${CFGS}/cfglist" | grep -c "^${TUNNO}~"`
if [ $((TUNCHK)) -eq 0 ]; then
echo -n " That number is not currently in use. "; read TUNNO
else vpndefs=`cat "${CFGS}/cfglist" | grep "^${TUNNO}~"`
TUNNAME=`echo "${vpndefs}" | cut -d"~" -f2`
TUNSTAT=`$BB ps w | grep openvpn | grep -c "\-\-daemon ${TUNNAME}\$"`
if [ $((TUNSTAT)) -gt 0 ]; then
echo; echo -n " Tunnel is active. Turn off before deleting."; read TUNNO
else RESULT=`cat "${CFGS}/cfglist" | egrep -v "^${TUNNO}~" > "${CFGS}/cfglist.tmp"`
$BB mv -f "${CFGS}/cfglist.tmp" "${CFGS}/cfglist"
fi
fi
fi
if [ "$actkey" = "Q" -o "$actkey" = "q" ]; then LOOPBACK=0; fi
if [ $((LOOPBACK)) -eq 1 ]; then
TUNCHK=`cat "${CFGS}/cfglist" | grep -c "^${actkey}~"`
LOOPBACK=0
if [ $((TUNCHK)) -eq 0 ]; then
echo -n " That number is not currently in use. "; read TUNNO
else TUNNO="${actkey}"
vpndefs=`cat "${CFGS}/cfglist" | grep "^${TUNNO}~"`
TUNNAME=`echo "${vpndefs}" | cut -d"~" -f2`
TUNCFG=`echo "${vpndefs}" | cut -d"~" -f3`
TUNSTAT=`$BB ps w | grep openvpn | grep -c "\-\-daemon ${TUNNAME}\$"`
if [ $((TUNSTAT)) -gt 0 ]; then
VPNPID=`$BB ps w | grep openvpn | grep "\-\-daemon ${TUNNAME}"`
VPNPID=`echo $VPNPID | cut -d" " -f1`
if [ $((VPNPID)) -gt 99 ]; then
RESULT=`$BB kill -KILL $VPNPID`
fi
else RESULT=`$VPN --config "${CFGS}/${TUNCFG}" --daemon "${TUNNAME}"`
fi
fi
fi
if [ "$actkey" = "Q" -o "$actkey" = "q" ]; then LOOPBACK=1; fi
done
exit
Note: It'll throw out some screen errors if you don't have a zero length file in $CFGS/cfglist, but it'll let you add your first tunnel anyway. (Didn't bother to trap for that.)
Oh, and ScriptManager doesn't seem to like digging for scripts in /data/local/bin, but doesn't appear to have a problem executing things in /mnt/sdcard, even though I don't seem to be able to set the execute bit on any file in that fs. There's reference in Google of known glitch in some kernels that cause fs' mounted with the 'default_permissions,allow_other' flags to behave strangely. If they ever fix that, you may need to relocate, that's all.
Note also that the "ACT" column which denotes 'active' tunnels with an '*' only verifies that there is a process running with the designated label name. At this time, actual connectivity is left to you to determine.

it's very helpful, thanks very much!!
but could you compile nls_utf8.ko too? please

You should try and come up with a working recovery!
Sent from my LG-V909 using XDA Premium App

bealesbane said:
Ok, since you were so kind as to compile those extra modules for me, I figure the least I can do is give you something in return. Here's a simple VPN handler to manage multiple tunnels. Filenames for config files are entered relative to the CFGS folder, and module load/remove is manual rather than auto...and I put in connection sharing, as I'm using it this way...but it'll certainly let you use as many tunnels as the kernel will let you work with.
As always, the standard, 'you take your life into your own hands if you use this code, not responsible for problems up to and including user death' disclaimer applies. It seems to be working for me, though I'm only using 2 VPN's ATM.
Good luck! (Will still let you know if I make any progress in Java Dev....
Click to expand...
Click to collapse
Bealsbane way to go man, that is far more code than I could figure out! now i feel like i owe you a beer! haha .. I tried the code but it helps to have a gui currently .. i although do have alot of Java experience and possibly you and I could get a new OpenVPN Settings/Installer for gingerbread/honeycomb based devices!
once again thanks!

aureole999 said:
it's very helpful, thanks very much!!
but could you compile nls_utf8.ko too? please
Click to expand...
Click to collapse
Added to the first Post .. please test it and let me know if it works! good luck!
edit: tested by aureole999 and confirmed working

Excellent work ru1dev. I just added this thread to the G-Slate XDA bit.ly bundle. Would you mind if I posted a link to it over on G-SlateFans?

Bling_Diggity said:
Excellent work ru1dev. I just added this thread to the G-Slate XDA bit.ly bundle. Would you mind if I posted a link to it over on G-SlateFans?
Click to expand...
Click to collapse
Go ahead as long as it is a link back to the OP. Thanks for spreading the knowledge

please dont bash me as i know im a little off topic but hi everyone i have a major issue with my rooted gslate.if anyone can help it would be greatly appreciated. i downloaded cw from the market and when it askes you for compatibility i accedently chose the option (lg optimus 3d) thinking it was for my gslate and now after i turned off the gslate and go to turn it back on its stuck on LG blackscreen and says
[HasValidKernelImage] Magic value mismatch:
[DetectOperatingSystems]kernel image is invalid !!!
Starting Fastboot USB download protocol
Ive looked all over the internet and cant find anything to help me out so please can someone help me.
maybe a way to nvflash the proper kernel back.

tun.ko checksum
Hi guys, can anybody please post the md5sum output of the tun.ko? even though im using the same kernel, i cannot load the module on my g-slate. thanks

jomnoc said:
Hi guys, can anybody please post the md5sum output of the tun.ko? even though im using the same kernel, i cannot load the module on my g-slate. thanks
Click to expand...
Click to collapse
md5 - 3daf2d134dc2ae6c4a40fe3d8ac49344

Thanks! I have 6707fd6a79cc849d13e8dd4016f96028 .... ideas? can you upload your file? Thanks again

jomnoc said:
Thanks! I have 6707fd6a79cc849d13e8dd4016f96028 .... ideas? can you upload your file? Thanks again
Click to expand...
Click to collapse
yes that is the md5 for the tun.ko .. in a rush i gave you the md5 for the zip of the tun.ko previously. are you sure you are running kernel 2.6.36.3+
it has to be exactly that kernel..with the '+' on the end

yes i am. or i was haha.. it was a friend's tablet. but it certainly had that kernel version. thanks for the help. if i get it again i may ask for help

[HOWTO] USB/RNDIS Tethering (root required)

First, let me apologize if solutions to this problem have already been posted on this forum and elsewhere. I developed this solution completely independently, and I am sharing it here in hopes that it may prove useful to someone else.
This pair of scripts will allow you to share your phone's Internet connection with a computer via a USB cable. It definitely works when the computer is running Linux (assuming you have RNDIS support in your kernel), and it should work as well when the computer is running Windows. However, it will not work with Mac, as OS X does not have an RNDIS driver.
First, upload these two scripts to your /sdcard:
/sdcard/usb_tether_start.sh:
Code:
#!/system/bin/sh
prevconfig=$(getprop sys.usb.config)
if [ "${prevconfig}" != "${prevconfig#rndis}" ] ; then
echo 'Is tethering already active?' >&2
exit 1
fi
echo "${prevconfig}" > /cache/usb_tether_prevconfig
setprop sys.usb.config 'rndis,adb'
until [ "$(getprop sys.usb.state)" = 'rndis,adb' ] ; do sleep 1 ; done
ip rule add from all lookup main
ip addr flush dev rndis0
ip addr add 192.168.2.1/24 dev rndis0
ip link set rndis0 up
iptables -t nat -I POSTROUTING 1 -o rmnet0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
dnsmasq --pid-file=/cache/usb_tether_dnsmasq.pid --interface=rndis0 --bind-interfaces --bogus-priv --filterwin2k --no-resolv --domain-needed --server=8.8.8.8 --server=8.8.4.4 --cache-size=1000 --dhcp-range=192.168.2.2,192.168.2.254,255.255.255.0,192.168.2.255 --dhcp-lease-max=253 --dhcp-authoritative --dhcp-leasefile=/cache/usb_tether_dnsmasq.leases < /dev/null
/sdcard/usb_tether_stop.sh:
Code:
#!/system/bin/sh
if [ ! -f /cache/usb_tether_prevconfig ] ; then
echo '/cache/usb_tether_prevconfig not found. Is tethering really active?' >&2
exit 1
fi
if [ -f /cache/usb_tether_dnsmasq.pid ] ; then
kill "$(cat /cache/usb_tether_dnsmasq.pid)"
rm /cache/usb_tether_dnsmasq.pid
fi
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -D POSTROUTING 1
ip link set rndis0 down
ip addr flush dev rndis0
ip rule del from all lookup main
setprop sys.usb.config "$(cat /cache/usb_tether_prevconfig)"
rm /cache/usb_tether_prevconfig
while [ "$(getprop sys.usb.state)" = 'rndis,adb' ] ; do sleep 1 ; done
To start USB tethering:
Code:
adb shell "su -c 'sh /sdcard/usb_tether_start.sh'"
Grant the superuser request on the phone if one appears.
If you're on Linux, you'll see a new network interface appear (probably called "usb0"). Bring the link up on that interface (ip link set usb0 up), run a DHCP client, and you're all set!
If you're on Windows, it will probably Just Work™.
To stop USB tethering:
Code:
adb shell "su -c 'sh /sdcard/usb_tether_stop.sh'"
Again, grant the superuser request on the phone if one appears.
That's it!

OMG !!!!
You rock ! This solution is the FIRST one which works on my international i9300 device (not a 'Sprint' version) with cm10.1.
I can't understand why ... but i'll keep your script on my ext SDCard.
I'll prupose this script to french cm10.1 users.
Thank you!

OS X does not have an RNDIS driver? really?
...OS X does not have an RNDIS driver...
Click to expand...
Click to collapse
Please have a look at HoRNDIS: USB tethering driver for Mac OSX (it even supports modern/recent OSX versions!) @ hxxp://joshuawise.com/horndis (unable to embed inline URL link due to new user restriction)
whitslack said:
First, let me apologize if solutions to this problem have already been posted on this forum and elsewhere. I developed this solution completely independently, and I am sharing it here in hopes that it may prove useful to someone else.
This pair of scripts will allow you to share your phone's Internet connection with a computer via a USB cable. It definitely works when the computer is running Linux (assuming you have RNDIS support in your kernel), and it should work as well when the computer is running Windows. However, it will not work with Mac, as OS X does not have an RNDIS driver.
First, upload these two scripts to your /sdcard:
/sdcard/usb_tether_start.sh:
Code:
#!/system/bin/sh
prevconfig=$(getprop sys.usb.config)
if [ "${prevconfig}" != "${prevconfig#rndis}" ] ; then
echo 'Is tethering already active?' >&2
exit 1
fi
echo "${prevconfig}" > /cache/usb_tether_prevconfig
setprop sys.usb.config 'rndis,adb'
until [ "$(getprop sys.usb.state)" = 'rndis,adb' ] ; do sleep 1 ; done
ip rule add from all lookup main
ip addr flush dev rndis0
ip addr add 192.168.2.1/24 dev rndis0
ip link set rndis0 up
iptables -t nat -I POSTROUTING 1 -o rmnet0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
dnsmasq --pid-file=/cache/usb_tether_dnsmasq.pid --interface=rndis0 --bind-interfaces --bogus-priv --filterwin2k --no-resolv --domain-needed --server=8.8.8.8 --server=8.8.4.4 --cache-size=1000 --dhcp-range=192.168.2.2,192.168.2.254,255.255.255.0,192.168.2.255 --dhcp-lease-max=253 --dhcp-authoritative --dhcp-leasefile=/cache/usb_tether_dnsmasq.leases < /dev/null
/sdcard/usb_tether_stop.sh:
Code:
#!/system/bin/sh
if [ ! -f /cache/usb_tether_prevconfig ] ; then
echo '/cache/usb_tether_prevconfig not found. Is tethering really active?' >&2
exit 1
fi
if [ -f /cache/usb_tether_dnsmasq.pid ] ; then
kill "$(cat /cache/usb_tether_dnsmasq.pid)"
rm /cache/usb_tether_dnsmasq.pid
fi
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -D POSTROUTING 1
ip link set rndis0 down
ip addr flush dev rndis0
ip rule del from all lookup main
setprop sys.usb.config "$(cat /cache/usb_tether_prevconfig)"
rm /cache/usb_tether_prevconfig
while [ "$(getprop sys.usb.state)" = 'rndis,adb' ] ; do sleep 1 ; done
To start USB tethering:
Code:
adb shell "su -c 'sh /sdcard/usb_tether_start.sh'"
Grant the superuser request on the phone if one appears.
If you're on Linux, you'll see a new network interface appear (probably called "usb0"). Bring the link up on that interface (ip link set usb0 up), run a DHCP client, and you're all set!
If you're on Windows, it will probably Just Work™.
To stop USB tethering:
Code:
adb shell "su -c 'sh /sdcard/usb_tether_stop.sh'"
Again, grant the superuser request on the phone if one appears.
That's it!
Click to expand...
Click to collapse

what is the difference between this and native tethering?

for rooted stock roms
http://forum.xda-developers.com/showthread.php?t=2224083
this is the by far the easiest..

Netflix Workaround for 4.4.2 KitKat ROMs

If your like me, you use the Netflix profiles and you don't want to use and old version. Nor do you want to disable auto app updates.
I call this a workaround because you have to do it before you run Netflix... Every time. But maybe someone with more experience can make it permanent. Also I think it disables HD Video in Netflix.
Simply open /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml as a text document and place "nflx_player_type" value="8" on the next line under <map>
If you want, you can place the following in a *.sh file and run it with script manager with super user selected.
if [ -f /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml ]; then
grep -q nflx_player_type /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml && exit 0
cp /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml.orig && sed -e 's|</map>|<int name="nflx_player_type" value="8" />\n</map>|g' /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml.orig > /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml && rm /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml.orig
fi
I found this workaround here: forum.odroid.com/viewtopic.php?f=14&t=63
Sent from my Optimus G Pro using Tapatalk

Netflix Black
ackliph said:
If your like me, you use the Netflix profiles and you don't want to use and old version. Nor do you want to disable auto app updates.
I call this a workaround because you have to do it before you run Netflix... Every time. But maybe someone with more experience can make it permanent. Also I think it disables HD Video in Netflix.
Simply open /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml as a text document and place "nflx_player_type" value="8" on the next line under <map>
If you want, you can place the following in a *.sh file and run it with script manager with super user selected.
if [ -f /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml ]; then
grep -q nflx_player_type /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml && exit 0
cp /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml.orig && sed -e 's|</map>|<int name="nflx_player_type" value="8" />\n</map>|g' /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml.orig > /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml && rm /data/data/com.netflix.mediaclient/shared_prefs/nfxpref.xml.orig
fi
I found this workaround here: forum.odroid.com/viewtopic.php?f=14&t=63
Sent from my Optimus G Pro using Tapatalk
Click to expand...
Click to collapse
I have an issue of a gray screen but audio on the netflix app using CM 11.
The above seems to be too much work. I found Netflix Black instead which works fine, but no chromecast support.
Download here: (I'll post a link to the dev when I can find it)
https://www.dropbox.com/s/qjza3ic2fyiea14/Netflix-Black-Rotation-V2.1.2.apk
Original Thread Here: http://forum.xda-developers.com/showthread.php?t=1178425

I can confirm that Netflix Black does work fine with CM11.

Netflix black working fine with latest PAC
2SHAYNEZ

[LG V50] temp root exploit via CVE-2020-0041 including magisk setup

temp root exploit for LG V50 ThinQ with android 10 firmware
including temporal magisk setup from the exploit​
The exploit uses CVE-2020-0041 originally designed for Pixel 3 running kernel 4.9.
I have adapted the Pixel 3 specific exploit for kernel 4.14 that is used with LG phones running Android 10 with March security patch level.
This work has been done upon request of @Inerent who contributed not only with very fine donations, but also did all the testing on his LG phone, as I do not own any LG phone myself.
As an addon I have implemented setup of magisk v20.4 from temp root exploit included su permission asking notification support, that has been also a hell of work to get working.
SUPPORTED TARGETS
You can find currently running fw version with 'getprop ro.vendor.lge.factoryversion' command run in an adb shell.
LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0 - LG V50 ThinQ with V500N20m fw, 2020-03-01 security patch level
LMV500NAT-00-V20f-LAO-COM-JAN-31-2020+0 - LG V50 ThinQ with V500N20f fw, 2020-01-01 security patch level
LMV500NAT-00-V20b-LAO-COM-DEC-23-2019+0 - LG V50 ThinQ with V500N20b fw, 2019-12-01 security patch level
LMV500AT-00-V20g-LAO-COM-MAR-10-2020+0
LMV500AT-00-V20a-LAO-COM-JAN-24-2020+0
LMV500AT-00-V20e-LAO-COM-JAN-23-2020+0
LMV450AT-00-V20a-LAO-COM-JAN-15-2020-ARB00+2 - LG V50 ThinQ Sprint fw, 2020-01-01 security patch level
Please note, it is unlikely that any other fw version than those listed above would work.
The only (unlikely) case when the exploit could work with different fw version (or different phone model) would be that they would use binary identical kernel image in the firmware.
USAGE HOWTO
be sure to run supported firmware version on your phone (you may need to downgrade, involving factory reset)
enable developer mode options and in there adb debugging (eventually install adb drivers)
download the v50g8-mroot3.zip with the exploit attached in this post and unzip it
use 'adb push v50g8-mroot3 /data/local/tmp' and get temp root with following commands in 'adb shell':
Code:
cd /data/local/tmp
chmod 755 ./v50g8-mroot3
./v50g8-mroot3
If it worked, you should see something like this:
Code:
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
...
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root) context=kernel
root_by_cve-2020-0041:/data/local/tmp #
In case you get 'target is not supported', you may list supported targets with
Code:
./v50g8-mroot3 -T
and try to force one close to yours using '-t num' option.
Please see the 2nd post for magisk setup from temp root details.
Please be careful what you use the temp root for.
Changing something in partitions protected by dm-verity (or Android Verified Boot 2.0), like for example /system, /vendor or kernel boot partition, can result with a not anymore booting phone.
In such case you would need a way to emergency flash stock firmware to recover.
This is why it is called 'temp root' - you get a root shell only temporarily, it is lost with reboot and it does not allow to make permanent changes in crucial partitions until bootloader unlock is achieved.
Some partitions might still be possible to modify - for example in case of sony xperia phones it was possible to do permanent debloat via changes in /oem partition and such debloat would survive even factory reset. Similarly some modem configs have been present in /oem allowing to setup IMS for different operators/regions or tune other modem related stuff.
SOURCES
Exploit sources for all releases are available at my github here.
CREDITS
Big thanks to Blue Frost Security for the excellent writeup and the exploit itself.
DONATIONS
If you like my work, you can donate using the Donate to Me button with several methods there.
Already donated:
@Catalin Oprea ($710)
Luis Rosado ($30)
Kirn Gill ($6) LG V60 user
Android Maisters ($30)
Matthew Hinkle ($40)
Daniel Novo ($22)
Tony Romeo ($56)
Yurii Boiko ($20)
VL48 ($33)
Savcho Savchev ($30)
Josue W ($15)
Reyna Cruz ($15)
Tyler Thompson ($3)
Tam Van Phan ($8,4)
MR D CRANSON ($25)
Gilberto Lozada ($15)
Keith Young ($45)
Zee Bee ($11)
Kevin Borges ($50) root bounty at gofundme.com
Catalin Oprea (+$50) root bounty at gofundme.com
Luke Miller ($50) root bounty at gofundme.com
@AngryManMLS ($20)
@Shtiff1 ($20)
Thank you very much to all who donated or are about to donate.
DOWNLOAD

MAGISK SETUP FROM TEMP ROOT WITH LOCKED BOOTLOADER
To enjoy the temporal root with apps asking for root permission, you can now start magisk v20.4 from the root shell provided by the exploit.
download the v50g8-mroot3.zip with the exploit attached in the first post
download Magisk-v20.4.zip from magisk releases page on github here
use 'adb push v50g8-mroot3.zip Magisk-v20.4.zip /data/local/tmp' to copy the zips to the phone
unzip and prepare magisk setup with following commands in 'adb shell'
Code:
cd /data/local/tmp
unzip v50g8-mroot3.zip
chmod 755 v50g8-mroot3 magisk-setup.sh magisk-start.sh
./magisk-setup.sh
get temp root and start magisk up with following commands in 'adb shell':
Code:
cd /data/local/tmp
./v50g8-mroot3
./magisk-start.sh -1
./magisk-start.sh -2
./magisk-start.sh -3
just this point should be done after each reboot to get magisk running again.
NOTE: please be sure to enter each command separately, line after line - do not paste all in a single block and do not put them in a script.
There are reasons this is divided in 3 stages. With this approach I got the best stability, while putting ./v50g8-mroot3 together with -1 and/or -2 stuff in a single script run resulted with a reboot most of the time.
Phases 2 and 3 need to be split for functional reasons to start magisk with working su permission asking notification.
If it worked, you should see something like this:
Code:
flashlmdd:/ $ cd /data/local/tmp
flashlmdd:/data/local/tmp $ ./v50g8-mroot3
[+] factoryversion = LMV500NAT-00-V20m-LAO-COM-MAR-10-2020+0
[+] Mapped 200000
[+] selinux_enforcing before exploit: 1
[+] pipe file: 0xffffffd07822fa00
[+] file epitem at ffffffd102da6d00
[+] Reallocating content of 'write8_inode' with controlled data...............[DONE]
[+] Overwriting 0xffffffd07822fa20 with 0xffffffd102da6d50...[DONE]
[+] Write done, should have arbitrary read now.
[+] file operations: ffffff9dee01ebf8
[+] kernel base: ffffff9dece80000
[+] Reallocating content of 'write8_selinux' with controlled data..[DONE]
[+] Overwriting 0xffffff9def290000 with 0x0...[DONE]
[+] init_cred: ffffff9def02fcd0
[+] memstart_addr: 0xfffffff040000000
[+] First level entry: ae7f6003 -> next table at ffffffd06e7f6000
[+] Second level entry: ae419003 -> next table at ffffffd06e419000
[+] sysctl_table_root = ffffff9def05c710
[+] Reallocating content of 'write8_sysctl' with controlled data.......[DONE]
[+] Overwriting 0xffffffd1316fc268 with 0xffffffd0ba748000...[DONE]
[+] Injected sysctl node!
[+] Node write8_inode, pid 7109, kaddr ffffffd0c1193700
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_selinux, pid 6726, kaddr ffffffd08bfeb400
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Node write8_sysctl, pid 6772, kaddr ffffffd0afc0d000
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Replaced sendmmsg dangling reference
[+] Cleaned up sendmsg threads
[+] epitem.next = ffffffd07822fa20
[+] epitem.prev = ffffffd07822fad8
[+] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -1
+ FRESH=false
+ '[' -1 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ ./magiskpolicy --live --magisk 'allow dumpstate * * *'
Load policy from: /sys/fs/selinux/policy
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -2
+ FRESH=false
+ '[' -2 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=2
+ '[' 2 '=' 2 ']'
+ mount -t tmpfs -o 'mode=755' none /sbin
+ chcon u:object_r:rootfs:s0 /sbin
+ chmod 755 /sbin
+ cp -a magisk/boot_patch.sh /sbin
+ cp -a magisk/magiskboot /sbin
+ cp -a magisk/magiskinit64 /sbin
+ cp -a magisk/busybox /sbin
+ cp -a magisk/util_functions.sh /sbin
+ cd /sbin
+ chmod 755 boot_patch.sh busybox magiskboot magiskinit64 util_functions.sh
+ mkdir r
+ mount -o bind / r
+ cp -a r/sbin/. /sbin
+ umount r
+ rmdir r
+ mv magiskinit64 magiskinit
+ ./magiskinit -x magisk magisk
+ ln -s /sbin/magiskinit /sbin/magiskpolicy
+ ln -s /sbin/magiskinit /sbin/supolicy
+ false
+ chcon -R u:object_r:magisk_file:s0 /data/adb/magisk
+ rm -f magiskboot util_functions.sh boot_patch.sh
+ ln -s /sbin/magisk /sbin/su
+ ln -s /sbin/magisk /sbin/resetprop
+ ln -s /sbin/magisk /sbin/magiskhide
+ mkdir /sbin/.magisk
+ chmod 755 /sbin/.magisk
+ >/sbin/.magisk/config
+ echo 'KEEPVERITY=true'
+ >>/sbin/.magisk/config
+ echo 'KEEPFORCEENCRYPT=true'
+ chmod 000 /sbin/.magisk/config
+ mkdir -p /sbin/.magisk/busybox
+ chmod 755 /sbin/.magisk/busybox
+ mv busybox /sbin/.magisk/busybox
+ mkdir -p /sbin/.magisk/mirror
+ chmod 000 /sbin/.magisk/mirror
+ mkdir -p /sbin/.magisk/block
+ chmod 000 /sbin/.magisk/block
+ mkdir -p /sbin/.magisk/modules
+ chmod 755 /sbin/.magisk/modules
+ mkdir -p /data/adb/modules
+ chmod 755 /data/adb/modules
+ mkdir -p /data/adb/post-fs-data.d
+ chmod 755 /data/adb/post-fs-data.d
+ mkdir -p /data/adb/service.d
+ chmod 755 /data/adb/service.d
+ chcon -R -h u:object_r:rootfs:s0 /sbin/.magisk
+ chcon u:object_r:magisk_file:s0 /sbin/.magisk/busybox/busybox
+ /sbin/magisk --daemon
client: launching new main daemon process
+ pidof magiskd
+ MP=14148
+ '[' -z 14148 ']'
+ >/sbin/.magisk/escalate
+ echo 14148
+ '[' -e /sbin/.magisk/escalate ']'
+ sleep 1
+ '[' -e /sbin/.magisk/escalate ']'
root_by_cve-2020-0041:/data/local/tmp # ./magisk-start.sh -3
+ FRESH=false
+ '[' -3 '=' --fresh ']'
+ '[' ! -e /data/adb/magisk/busybox ']'
+ STAGE=3
+ '[' 3 '=' 2 ']'
+ >/sbin/.magisk/magiskd
+ echo -e '#!/system/bin/sh\n/sbin/magisk --daemon'
+ chmod 755 /sbin/.magisk/magiskd
+ chcon u:object_r:dumpstate_exec:s0 /sbin/.magisk/magiskd
+ getprop init.svc.dumpstate
+ SVC=''
+ timeout=10
+ '[' 10 -gt 0 ']'
+ stop dumpstate
+ killall -9 magiskd
+ stop dumpstate
+ mount -o bind /sbin/.magisk/magiskd /system/bin/dumpstate
+ start dumpstate
+ timeout=10
+ '[' 10 -le 0 ']'
+ pidof magiskd
+ MP=14165
+ '[' -n 14165 ']'
+ break
+ stop dumpstate
+ sleep 1
+ umount /system/bin/dumpstate
+ rm -f /sbin/.magisk/magiskd
+ '[' '' '=' running ']'
+ rm -f /dev/.magisk_unblock
+ /sbin/magisk --post-fs-data
+ timeout=10
+ '[' -e /dev/.magisk_unblock -o 10 -le 0 ']'
+ sleep 1
+ timeout=9
+ '[' -e /dev/.magisk_unblock -o 9 -le 0 ']'
+ /sbin/magisk --service
+ sleep 1
+ /sbin/magisk --boot-complete
+ chmod 751 /sbin
root_by_cve-2020-0041:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:magisk:s0
root_by_cve-2020-0041:/data/local/tmp # uname -a
Linux localhost 4.14.117-perf #1 SMP PREEMPT Tue Mar 10 18:44:38 KST 2020 aarch64
root_by_cve-2020-0041:/data/local/tmp # getenforce
Permissive
Now you can exit the temp root shell and use 'su' to get a root shell controlled by magisk manager or allow other apps that need root as asking for root permission now works.
You can even re-enable selinux like this from 'adb shell':
Code:
su -c 'setenforce 1'
The magisk setup from exploit including working permission asking has been fully developed by me, it uses some novel techniques to overcome the limitations caused by magisk run from a temp root instead of being integrated in boot process as a service.
TIPS FOR BETTER STABILITY OF THE EXPLOIT
The exploit works based on use after free, that means it depends on state of memory heap and how it changes during exploit time.
That means there is some portion of unpredictability and a chance that something else is overwritten than hoped for by shaping the heap.
So to get best results, one should stop anything that could run in background, like:
set airplain mode, turn off wifi and bluetooth so there is no data connection at all
set "Stay awake" to ON while charging (i.e. using adb shell) in developer options
disable auto updates of system and apps
debloat your system so useless apps do not run in background
reboot your phone having all the above
wait two minutes after boot up with phone unlocked, screen on connected to PC via usb cable having 'adb shell' already active (checking with 'uptime' command)
start the exploit
after getting root shell and succesfuly starting magisk, do not forget to properly exit the temp root shell by use of 'exit' command two times, so the 'adb shell' with the exploit is ended with the rest of clean up
CHANGELOG
2020-05-11 : Initial release (V500N20m-testJ) supporting V500N20m all Korean variants
2020-05-16 : multiple targets supported (v50g8-root)
2020-05-20 : v50g8-dump tool to dump kernel space memory available in G8 thread
2020-05-24 : implemented support for magisk start from the exploit (v50g8-mroot), added support for V50 Sprint with 2020-01-01 security patch level
2020-06-10 : fixed problem when V50 rebooted/crashed soon after obtaining temp root shell, released as v50g8-mroot2
2020-06-23 : hopefully stability improved even more with V50 allowing stable magisk start from temp root, released as v50g8-mroot3

Ok guys, OK!!!!
Here is a guide made for noobs for Root (download, extract and copy root file inside platform tools folder) and Backup in it, using Adb Platform Tools
Root and Backup V50 Korea
1. Download LG V50 Root (extract it and copy inside platform tools folder), Platform Tools ADB and LG USB Drivers 4.4.2 and install it
https://forum.xda-developers.com/v5...g-v50-temp-root-exploit-via-cve-2020-t4098077
https://www.mediafire.com/file/mu78ydkoalgfzyd/platform_tools_adb.zip/file
http://tool.lime.gdms.lge.com/dn/downloader.dev?fileKey=UW00120120425
2. Connect USB then Enable Developer Options and USB Debugging and enable Stay Awake Screen
3. Turn off wifi, data, bluetooth restart phone, unlock screen and let it 1 minute to load all processes
4. Run Power shell command from inside platform tools folder (SHIFT+right mouse and open power shell here) and type cmd and hit enter
5. Run command - adb devices - a pupup should appear on your phone - tap Allow and Remember it on your phone!
6. Run one by one the following commands
adb push V500N20m-testJ /data/local/tmp
adb shell
cd /data/local/tmp
chmod 755 ./V500N20m-testJ
./V500N20m-testJ
7. When rooted you will have this lines in terminal
[*] Launching privileged shell
root_by_cve-2020-0041:/data/local/tmp #
If root is not achieved or phone restarts by itself repeat from step 3
Backup Important non KDZ Stuff like IMEI
1. Download this file backupselected.sh and move it inside your adb program This is already pushed to Platform Tools folder so ignore it
https://www.mediafire.com/file/gh00t76n4ctc061/backupselected.sh/file
2. Run this command from cmd
adb push backupselected.sh /data/local/tmp
3. Obtain Temp Root and from root shell run these
chmod -R 777 /data/local/tmp
./backupselected.sh
4. Backup will be saved in Download folder on your phone
Usefull Commands - Maybe @j4nn can help us with more usefull commands
rm *.* - delete all files
rm -rf (folder name) - delete that folder
adb push (folder or file name) /data/local/tmp - copy that folder or file name to that /data/local/tmp address
cd /data/local/tmp - then - pm install (appname) - installs it

Thank you. Can't wait for the G8 root guide!

Excellent someday we will have the Bootloader unlocked and for being to install the R
ags
j4nn said:
temp root exploit for LG V50 ThinQ with android 10 firmware​
...................................................................Mod Edit: Removed bulk of unnecessarily quoted OP.........................................................
Thank you very much to all who donated or are about to donate.
DOWNLOAD
Click to expand...
Click to collapse
Mod Edit: Please DO NOT quote the entire OP. Either use HIDE tags or trim the quote as I did. Thank you.

Awesome patiently waiting for spring g8 to be compatable.

Received 150 USD to my paypal from Kevin Borges with following comment:
KanBorges said:
Thank you so much for your work. This is all the money in the bounty I set up on Gofundme. com. My username in XDA is @KanBorges . Again, thank you! Hopefully you can get twrp/magisk soon.
Click to expand...
Click to collapse
Thank you and all other contributors for the donations.
I've updated the first post (not only the donations list but added some more clarifications too).
Please note, as discussed since beginning with @Inerent, only the temp root exploit has been supposed to be implemented by me.
There is however available an engineering booloader, that may eventually allow to unlock bootloader after flashing from temp root.
This needs to be tested first and can involve some risks to brick the phone.
I do not own any LG phone (and do not even want one), so I am not doing that, sorry.
But I've already checked few things regarding the engineering bootloader and I can conclude, that it could be compatible in the sense that it most likely would not brick the device.
The reason I see that comparing stock firmware ABL image and the eng bootloader (aka ABL) seems that both use the same signing root certificate and they both have identical OU info in the signature certificate:
Code:
OU=07 0001 SHA256,
OU=06 0000 MODEL_ID,
OU=05 00000000 SW_SIZE,
OU=04 0031 OEM_ID,
OU=03 0000000000000001 DEBUG,
OU=02 000A50E100310000 HW_ID,
OU=01 000000000000001C SW_ID
If it would work with android 10 is another question though.
Please find attached source for split utility, to get some parts of the image likely to start with a signature certificate.
Those parts then can be converted to text form representation of the certificate via following command for example:
Code:
openssl x509 -in LUN4_abl_a_COM3.img-001238 -inform der -text -noout > LUN4_abl_a_COM3.img-001238.txt

Yes, Jann, thats true. But thx for helping us with some advices. I hope we are a big community (also users are coming from LG v30 and V40) and will figure this out, or rise another bounty if not.
Thx for helping us!

$20 donation sent to @j4nn from me. Thanks for the hard work.

@AngryManMLS, thank you for the donation. Updated the first post.

LG G8
Inerent said:
It seems this lg g820UM is the code for all USA carriers and Canada and should work for all like for koreans
If you do March root it will be compatible with February or January? If yes then pick March firmware.
Firmwares here.:
https://lg-firmwares.com/lg-lmg820um-firmwares/
Click to expand...
Click to collapse
Please note, if the exploit works with March firmware, it does not make it compatible with any other older firmwares, even if they are vulnerable.
The kernel build (binary image) is different there, i.e. it would need different offsets in the exploit to succeed.
The reason for selecting March security patch level with LG V50, i.e. the V500N20m firmware version, has been in order to exploit the newest still exploitable firmware.
The bug has been fixed in LG kernel since April security patch level, so using March fw allows you to use the latest still vulnerable and the most up to date fw for the temp root.
For other targets like the G8 might be useful to select other fw version if there are multiple variants that would use identical kernel binary image, possibly even not having a downloadable fw release for a variant, while existing for another variant (this may be a case if phone variants have identical or nearly the same hw).

j4nn said:
For other targets like the G8 might be useful to select other fw version if there are multiple variants that would use identical kernel binary image, possibly even not having a downloadable fw release for a variant, while existing for another variant (this may be a case if phone variants have identical or nearly the same hw).
Click to expand...
Click to collapse
The difficult thing is that the G8 variants are all over the place with which firmware/security patch they are on. My T-Mobile variant (G820TM) is on January 2020 meanwhile say the Verizon variant (G820UM) is on February 2020. So it's a mess which pretty much tells me each variant will need to have it's own exploit made for it.
Edit: Just found out the G820UM just got the April security update. KDZ isn't out yet for that.

j4nn said:
Please note, if the exploit works with March firmware, it does not make it compatible with any other older firmwares, even if they are vulnerable.
The kernel build (binary image) is different there, i.e. it would need different offsets in the exploit to succeed.
The reason for selecting March security patch level with LG V50, i.e. the V500N20m firmware version, has been in order to exploit the newest still exploitable firmware.
The bug has been fixed in LG kernel since April security patch level, so using March fw allows you to use the latest still vulnerable and the most up to date fw for the temp root.
For other targets like the G8 might be useful to select other fw version if there are multiple variants that would use identical kernel binary image, possibly even not having a downloadable fw release for a variant, while existing for another variant (this may be a case if phone variants have identical or nearly the same hw).
Click to expand...
Click to collapse
Hello, I've been talking to inherent on telegram; I think he sent you some of my outputs / logs. I'm sorry I haven't been able to donate as I'm unfortunately not old enough to do so. I've got a Sprint g8 which is stuck on the Android 10 beta on November patch. If you adapt this for other g820um variants, will it likely work with my patch or not?

@AngryManMLS, most likely April security fixed the bug making it not exploitable anymore.
Yes, each kernel build/image would need specific support in the exploit.
@antintin, I need the binary image of kernel used in the firmware that is running the phone we would target with the temp root exploit in order to develop support for it.
Is your Android 10 beta on November patch firmware downloadable anywhere?
Or can you flash any other firmware?
Can you say which G8 model/carrier would have identical hardware to your Sprint G8, while having a downloadable fw?

j4nn said:
@AngryManMLS, most likely April security fixed the bug making it not exploitable anymore.
Yes, each kernel build/image would need specific support in the exploit.
@antintin, I need the binary image of kernel used in the firmware that is running the phone we would target with the temp root exploit in order to develop support for it.
Is your Android 10 beta on November patch firmware downloadable anywhere?
Or can you flash any other firmware?
Can you say which G8 model/carrier would have identical hardware to your Sprint G8, while having a downloadable fw?
Click to expand...
Click to collapse
Well I'm not entirely certain, maybe I can ask vl48. I think any g820um should be fine though. I doubt there is any beta kdz available to download, however. I unfortunately can only go on the final pie version or November patch beta 10 on my Sprint. My updates are broken :

After the temp root, can we flash Magisk patched boot img to /dev/block/bootdevice/by-name/boot_a or something like that? Does it still work after a reboot

@quantan, most likely not, due to dm-verity/AVB 2.0 - it is a temp root...
Magisk (with possibly limited functionality) may be eventually started from the exploit, but it seems not to work yet...

Would be good to at least have android 10 on the Australian V50 but we can't even get that.
Will never buy lg again.

snake65 said:
Would be good to at least have android 10 on the Australian V50 but we can't even get that.
Will never buy lg again.
Click to expand...
Click to collapse
That is not LG fault, is your carrier one. Wait patiently, pretty soon all our problems are resolved.

snake65 said:
Would be good to at least have android 10 on the Australian V50 but we can't even get that.
Will never buy lg again.
Click to expand...
Click to collapse
I have to agree with you on this one. Right now, LG is getting it's lunch eaten by many Chinese OEMs and their bleeding cash in the smartphone business. LG latest "FLAGSHIP", the V60, is a d*** joke when comparing it's 60Hz screen refresh rate to any new smartphone. It's selling for $809.99 new on Tmob and their already selling for less than $700 on Ebay. By end of summer, $390?
I too "Will never buy LG again!".
BTW, I have an Essential PH-1, admittedly old hardware but I'm already running Android 11 DP4 as a daily with very few problems. The V50 won't see 11 for what....... 18 months?