Hi,
I would like to extract 2 dll from GERMAN Rom.
I am intersted to msimda.dll and msimde.192.dll and i ma interested to learn how to work with universal rom.
But it drive me crazy...
I have read all the day this forum but i can't go on.
This is my last experiment
nkge.nba is qtek german rom (decoded)
mkdir files1 files2
dump nkge.nba -o 00000400 -e 001d2100 xip1.nb <-Offset From Universal Wiki
dump nkge.nba -o 00310000 -e 002d0000 xip2.nb <-Offset From Universal Wiki
dumprom -5 -d files1 xip1.nb <-Give me an error (after 27Files) :
error decompressing 90702000L0001f68d
fwrite: Invalid argument
error writing uncompressed data
dumprom -5 -d files2 xip2.nb <-OK
I have 59 files but there are no msimge.dll and msimge.192.dll probably they are in first xip block that give me an error.
Can you help me please?
Wat i am doing wrong?
byte.
plese somebody could help me?
Just a litle information or a link to read and study. i have searched all over the forum... but i am still blocked.
Hi,
try to read this and then search on the forum for imgfs tools.
I've extracted files sucessfully with those tools but not directly from the device instead from a nbf file.
Hope this will be useful.
Sergio.
tripledes said:
Hi,
try to read this and then search on the forum for imgfs tools.
I've extracted files sucessfully with those tools but not directly from the device instead from a nbf file.
Hope this will be useful.
Sergio.
Click to expand...
Click to collapse
Yes...thankyou very much for your reply.
I have just readed these posts but i can't go on.
I have nk.nba that is my Rom image decoded with HTC64 "Extended ROM Tool.exe" .
So i am trying with dumprom.exe and with viewimgfs.exe with the procedure described by mamaich in http://forum.xda-developers.com/showthread.php?t=249836
I can't extract file.
ViewImgFs (after a lot of " Unknown header type, FS_DATA_TABLE??") stop with message:
"C:\Documents and Settings\stefano\Desktop\HTC\imgfstools>Error! ProcessFixups: cannot map dump\dhcp.dll\s15627"
And i have a "dump" directory with this structure
dhcp.dll <DIR>
eapchap.dll <DIR>
iexplore.exe <DIR>
jscript.dll <DIR>
urlmon.dll <DIR>
ws2instl.dll <DIR>
Only file with same name of directory listed before.
Can you help me with step by step indication please?
1) To extract from rom upgrade (nk.nbf):
Code:
alpinenbfdecode.pl -r nk.nbf nk.nb
mkdir files ; rdmsflsh.pl -d files nk.nb
2) To extract from device, follow instructions here, but replace "FLASHDR" for "TrueFFS" in Universal (instructions are for Hermes).
Then you get "File02.raw" which contains dumped imgfs, files can be extracted either with mamaich viewimgfs.exe or itsme rdmsflsh.pl.
3) If none of the above works, try to dump the files from the device using mamaich TestWM5.exe or Buzz's grab_it!.
Good luck
pof said:
1) To extract from rom upgrade (nk.nbf):
Code:
alpinenbfdecode.pl -r nk.nbf nk.nb
mkdir files ; rdmsflsh.pl -d files nk.nb
2) To extract from device, follow instructions here, but replace "FLASHDR" for "TrueFFS" in Universal (instructions are for Hermes).
Then you get "File02.raw" which contains dumped imgfs, files can be extracted either with mamaich viewimgfs.exe or itsme rdmsflsh.pl.
3) If none of the above works, try to dump the files from the device using mamaich TestWM5.exe or Buzz's grab_it!.
Good luck
Click to expand...
Click to collapse
Thankyou... just another info..please.
I would like to extract file fro a complete German rom.
I am trying with nk.nbf extracted from UNI_QTEK_13096_185_10900_GER_Ship.exe .
Why did you suggest to me to use "alpinenbfdecode" i have an Universal.
I decode my nbf files with
http://buzzdev.net/index.php?option=com_content&task=view&id=65&Itemid=1
is this wrong?
Sorry for my questions but i have not Perl on my pc and i would like to know if is realy necessary to install it.
So just for learning... can you tell me why is wrong the operations that i am doing?
Thankyou very much!
Bye
slevin said:
Why did you suggest to me to use "alpinenbfdecode" i have an Universal.
Click to expand...
Click to collapse
alpine, magican, universal... they use the same NBF format version, so the script is also valid to decode universal NBF files.
slevin said:
I decode my nbf files with
http://buzzdev.net/index.php?option=com_content&task=view&id=65&Itemid=1
is this wrong?
Click to expand...
Click to collapse
This produces a decoded file (.nb), same as if you would run "alpinenbfdecode.pl" with -d parameter (decode), but I suggested you to use it with -r which outputs a RAW file, because rdmsflsh.pl expects a raw file and not a decoded file.
AFAIK the decoded file contains a header while the raw file doesn't, in the German Qtek ROM you said, the header looks like this:
Code:
00000010 51 54 45 4b 5f 31 30 32 20 20 20 20 20 20 20 20 |QTEK_102 |
00000020 47 45 52 20 20 20 20 20 31 2e 33 30 2e 39 36 20 |GER 1.30.96 |
00000030 20 20 20 20 20 20 20 20 55 6e 69 76 65 72 73 61 | Universa|
00000040 6c 20 20 20 20 20 20 20 30 20 20 20 20 20 20 20 |l 0 |
00000050 37 30 30 30 30 30 30 30 31 30 30 30 30 30 20 20 |70000000100000 |
00000060 30 20 20 20 20 20 20 20 31 36 31 31 31 31 31 30 |0 16111110|
00000070 30 30 30 30 30 30 20 20 61 39 62 33 61 64 39 35 |000000 a9b3ad95|
Probably someone more experienced with the formats can tell you the exact differences, otherwise if you know a bit of programming you can look at the program's source and try to figure out yourself
slevin said:
Sorry for my questions but i have not Perl on my pc and i would like to know if is realy necessary to install it.
Click to expand...
Click to collapse
Try the other methods which do not involve using perl, if you don't success doing what you want then install perl, it's just 5 minutes to do it and you'll benefit from many .pl applications from itsme... the process to install it and all the needed modules is explained on the wiki page I pointed you before
slevin said:
So just for learning... can you tell me why is wrong the operations that i am doing?
Click to expand...
Click to collapse
Sorry I don't know for sure, probably you are using an encoded file and the program you use to extract the files from it expects a raw file, I guess you can use prepare_imgfs.exe to fix this, but I'm not sure... you should better experiment with the tools until you accomplish your goal
ThankYou
Sorry for my delay ad thankyou very much for your help.
It works fine!
Now i am going to try to replace the two dll files and then i would like to build a custom cab to put in the extended rom.
Thankyou.
Hi, all! Please, help me to solve my problem
Yesterday i tried to build custom ROM image for my PDA and failed .
I made following steps:
1. I made a backup of the existing ROM using mtty and SD card. The result was the 29mb raw file
2. i downloaded the last ROM update from the HP site, extracted it and obtained the ceos.nbf file.
3. Next, i tried to use prepare_imgfs and viewimgfs utilities whith both files.
4. After using prepare_imgfs i got, as expected, the imgfs_raw_data.bin file
5. But when i used viewimgfs, it couldn`t find any data in that file! Here is it's output:
Code:
guidBootSignature: F8 AC 2C 9D E3 D4 2B 4D BD 30 91 6E D8 4F 31 DC
dwFSVersion: 00000001
dwSectorsPerHeaderBlock: 00000001
dwRunsPerFileHeader: 00000001
dwBytesPerHeader: 00000034
dwChunksPerSector: 00000008
dwFirstHeaderBlockOffset: 00000200
dwDataBlockSize: 00001000
szCompressionType: LZX
dwFreeSectorCount: 00013620
dwHiddenSectorCount: 00000100
dwUpdateModeFlag: 00000000
Address: 00000200, dwBlockSignature: 00001D20
dwNextHeaderBlock: FFFBFFFF (size: FFFBFDFF)
Header type: 2F5314CE, Addr: 00000208
Unknown header type, FS_DATA_TABLE??
and more messages like that.
Can anyone tell me, where is the problem?
PS sorry for terrible English
stanru1 said:
Hi, all! Please, help me to solve my problem
Yesterday i tried to build custom ROM image for my PDA and failed .
I made following steps:
1. I made a backup of the existing ROM using mtty and SD card. The result was the 29mb raw file
2. i downloaded the last ROM update from the HP site, extracted it and obtained the ceos.nbf file.
3. Next, i tried to use prepare_imgfs and viewimgfs utilities whith both files.
4. After using prepare_imgfs i got, as expected, the imgfs_raw_data.bin file
5. But when i used viewimgfs, it couldn`t find any data in that file! Here is it's output:
Code:
guidBootSignature: F8 AC 2C 9D E3 D4 2B 4D BD 30 91 6E D8 4F 31 DC
dwFSVersion: 00000001
dwSectorsPerHeaderBlock: 00000001
dwRunsPerFileHeader: 00000001
dwBytesPerHeader: 00000034
dwChunksPerSector: 00000008
dwFirstHeaderBlockOffset: 00000200
dwDataBlockSize: 00001000
szCompressionType: LZX
dwFreeSectorCount: 00013620
dwHiddenSectorCount: 00000100
dwUpdateModeFlag: 00000000
Address: 00000200, dwBlockSignature: 00001D20
dwNextHeaderBlock: FFFBFFFF (size: FFFBFDFF)
Header type: 2F5314CE, Addr: 00000208
Unknown header type, FS_DATA_TABLE??
and more messages like that.
Can anyone tell me, where is the problem?
PS sorry for terrible English
Click to expand...
Click to collapse
i would like to know an answer for this too. thanks
I found solution to extract files, but i couldn't find out how to pack it back...
To unpack files, you need:
1. the Perl interpreter
2. script, which can be found on http://forum.wce.by/viewtopic.php?p=78923#78923
3. You must replace $A and $S variables with your values:
$A is the address of the beginning of the imgfs block. It can be found using WinHex and F8AC2C9DE3D42B4DBD30916ED84F31DC signature. $S is size of imgfs block. It can be found with signature E9FDFF. You must find the table of partitions, and take 4 bytes as it's shown on the screenshot, in the reverse order. (00 C0 BD 00 -> 00BDC000)
For example, for iPaq1950 rom, taken from HP update, values are:
$I = "CEOS.nbf";
$O = "bigbrother.bin";
$A = 0x003BB55A;
$S = 0x0000BDC0;
After Perl script ends it's work you can use imgfsToDump or viewimgfs tools.
For this solution HUGE thanks to Gvr.
stanru1 said:
I found solution to extract files, but i couldn't find out how to pack it back...
To unpack files, you need:
1. the Perl interpreter
2. script, which can be found on http://forum.wce.by/viewtopic.php?p=78923#78923
3. You must replace $A and $S variables with your values:
$A is the address of the beginning of the imgfs block. It can be found using WinHex and F8AC2C9DE3D42B4DBD30916ED84F31DC signature. $S is size of imgfs block. It can be found with signature E9FDFF. You must find the table of partitions, and take 4 bytes as it's shown on the screenshot, in the reverse order. (00 C0 BD 00 -> 00BDC000)
For example, for iPaq1950 rom, taken from HP update, values are:
$I = "CEOS.nbf";
$O = "bigbrother.bin";
$A = 0x003BB55A;
$S = 0x0000BDC0;
After Perl script ends it's work you can use imgfsToDump or viewimgfs tools.
For this solution HUGE thanks to Gvr.
Click to expand...
Click to collapse
Very nice thanks.
If you find a way to repack it, it would be even better. I actually want to use this method for the hp1930. My problem is that there are no official updates for this model, so I have no shipped roms. Only a sd image dump.
What type of image is the sd dump? dnf or .bin (raw) ?
I think, it`s a raw dump. In any case, imgfs is the same on both images.
stanru1 said:
I think, it`s a raw dump. In any case, imgfs is the same on both images.
Click to expand...
Click to collapse
thanks again
any idea on how to get start address and size from a sd image? I can't find those signatures in the dump
thanks
The signatures may differ in case of the specific image. If you whant, i could look at your file, if you upload your rom into the Rapidshare or the same file-uploading service and give me the link
stanru1 said:
The signatures may differ in case of the specific image. If you whant, i could look at your file, if you upload your rom into the Rapidshare or the same file-uploading service and give me the link
Click to expand...
Click to collapse
thanks man,
I'm uploading to rapidshare right now.
the image was created using a 64mb sd so the image size might be a bit longer
edit :
this is the link: http://rapidshare.com/files/25438977/1930.rar.html
any updates on how to modify a sd image?
Various aspects of the Nook system are signed with a signature from Barnes & Noble.
There are a few places where signatures are compared.
Various system apps used a single "shared id" and they must all have the same signature.
/system/framework/framework-res.apk must have a correct signature with respect to AndroidManifest.xml.
In any case, it's your Nook, what are you going to do?
Re-signing the system
make a full backup and make sure that it is good
create your own signature http://developer.android.com/tools/publishing/app-signing.html
make a directory for your patch
create the subdirectory META-INF\com\google\android\
put a copy of update-binary in there
write a updater-script and put it in there
create the subdirectory system\app
create the subdirectory system\framework
For each of your APKs in /system/app and also /system/framework/framework-res.apk:
unzip them somewhere
delete the whole directory META-INF from them
zip the directory
jarsigner them with your own personal signature
zipalign the APK (optional if you are lazy and don't see the point)
put it in the appropriate patch directory
Then:
zip the patch directory
copy it to your SD card
make sure that your WiFi is turned on if you are using ADB over WiFi!
recovery boot using ClockworkMod
install the patch from SD card
reboot
updater-script
Code:
# Replace signed components
mount("ext2", "/dev/block/mmcblk0p5", "/system");
package_extract_dir("system/app", "/system/app");
package_extract_dir("system/framework", "/system/framework");
unmount("/system");
# Delete packages.xml
mount("ext3", "/dev/block/mmcblk0p8", "/data");
delete("/data/system/packages.xml");
unmount("/data");
Flies in the ointment, caveats, etc...
The packages.xml contains some form of certs that have all changed.
Right now, the simplest way I know to deal with this is just to delete packages.xml.
The problem is, this will break most user applications since the user IDs will no longer agree.
The easiest thing to do is just to reinstall them.
For applications with a lot of data, it would be best to back up the configs or data.
When you first boot up, you may think that you are in a "boot loop".
The boot animation will run continuously.
If you have ADB connect still (and you had better!) you can fix this.
Your launcher application is probably causing lots of error on startup.
There are two ways to fix the problem with the launcher (or any other app)
uninstall and reinstall it
go into /data/data/com.myapp.whatever and chown everything to the user id of the application.
Code:
busybox chown -R 10011: databases
Don't chown the lib directory if there is one.
Then you should have a device that boots up normally.
Good luck, Mr. Phelps.
Renate NST said:
create your own signature http://developer.android.com/tools/publishing/app-signing.html
Click to expand...
Click to collapse
Renate,
Won’t it be easier to use Andriod media key?
If we do, we can patch packages.xml, instead of deleting it, right?
Renate NST said:
For each of your APKs in /system/app and also /system/framework/framework-res.apk:
unzip them somewhere
delete the whole directory META-INF from them
zip the directory
jarsigner them with your own personal signature
zipalign the APK (optional if you are lazy and don't see the point)
put it in the appropriate patch directory
Click to expand...
Click to collapse
I wrote a script to do just that, can be adapted easily...
Code:
@set keystore=..\keys\media.jks
@set storepass=android
@set alias=media
@set resigned_dir=.\new
@for %%i in ( .\*.apk ) do @(
echo %%i
copy %%i %resigned_dir%\%%~ni_%%~xi
zip -d %resigned_dir%\%%~ni_%%~xi META-INF\*
jarsigner -keystore %keystore% -storepass %storepass% %resigned_dir%\%%~ni_%%~xi %alias%
zipalign -f 4 %resigned_dir%\%%~ni_%%~xi %resigned_dir%\%%~ni%%~xi
del %resigned_dir%\%%~ni_%%~xi
)
@goto :eof
Just my 2 cents…
---------- Post added at 04:31 PM ---------- Previous post was at 04:22 PM ----------
Renate NST said:
...
Then you should have a device that boots up normally.
Good luck, Mr. Phelps.
Click to expand...
Click to collapse
Guys,
If you run into a problem following Renate steps, it’ll be practically impossible to troubleshot without logcat log.
It might be a bit safer to use ADB over USB then over Wireless.
Even if you run into boot loop, ADB should work still.
I’m not 100% sure, if you need framework operational to establish wireless connection (for ADB to use).
ADB over USB definitely doesn't need framework running.
Yes, of course I used a script to resign the individual APKs.
Yours is nice though.
I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?
Did you re-sign framework-res.apk too?
Well, one advantage of deleting packages.xml is that it gets rid of the cruft.
I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.
P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.
It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.
That's also a warning to not presume that your Nook is dead just because the display loops.
Renate NST said:
Yes, of course I used a script to resign the individual APKs.
Yours is nice though.
Click to expand...
Click to collapse
Thank you!
Renate NST said:
I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?
Click to expand...
Click to collapse
I don’t remember now, it was long time ago.
AFAIR, it was 4 keys
testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.
You can download them still from Google repository
http://mirror.yongbok.net/pub/pub/linux/android/repository/build/target/product/security/
Most ppl call media key androiddebug key, don’t ask me why.
Renate NST said:
Did you re-sign framework-res.apk too?
Click to expand...
Click to collapse
Not as of now. Waiting for your Reader.apk...
Renate NST said:
Well, one advantage of deleting packages.xml is that it gets rid of the cruft.
I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.
Click to expand...
Click to collapse
I dunno if it recreates UserID properly.
I.e. you have apps A, B, C installed they got UserIDs 10001, 10002 & 10003 respectively.
Then you uninstall A & B and delete delete packages.xml, would C get 10003 still?
Need to test it.
Renate NST said:
P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.
Click to expand...
Click to collapse
Yep. Thanks for confirming this!
Renate NST said:
It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.
That's also a warning to not presume that your Nook is dead just because the display loops.
Click to expand...
Click to collapse
When I see Nook booting image "with running dots", ADB is up already.
I was under impressing that’s the image ppl see while in boot loop.
ps shows it as bootanimation process
I guess, we are NOT on the same page again…
The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.
Renate NST said:
The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.
Click to expand...
Click to collapse
Renate,
I neither completely agree with you on bootanimation app nor want to pollute this thread with useless (IMO) discussion about it. If you want discuss it further – could you open another thread?
Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.
There are a number of problems with that, starting out that the opening screen is white on white.
Also, my Nook seems to think it's a phone now and the hack that I did for the "n" button is broken.
I switched back to the stock version.
On the plus side, my Nook now opens with just a button press and no swiping.
I remember some people were interested in that.
It's probably something in settings.db
Renate NST said:
Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.
Click to expand...
Click to collapse
AFAIR, everything on emulator is signed with keys I posted and nothing with B&N key - you don't need to resign.
Renate NST said:
Various aspects of the Nook system are signed with a signature from Barnes & Noble.
Click to expand...
Click to collapse
Renate,
I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Pull (backup) them to PC
Resign
Stop framework
Push resigned APKs to NST
Replace B&N cert reference in packages.xml to the one we used
Start framework
It might be some manual steps...
Do you think it might be useful?
And another script to restore...
First thing, I think that doing a system update to replace (as recommended in my first post) is overkill.
I wasn't sure whether simply starting and stopping the framework from the shell would be sufficient.
Apparently it is.
My only excuse is that I've bricked my Nook about 20 times and was being conservative.
What you want to sign your Nook with is your choice.
I hadn't looked into using any common signatures.
Android only mentions the single debug key in their documentation.
The emulator apks are signed with an Android signature, but not the same as the debug key.
ApokrifX said:
I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Click to expand...
Click to collapse
Ok, but there is also all the other sharedUserId="1000"
I'm not sure how the cert references work in packages.xml
Does it work for framework-res.apk too?
Looks like I cannot answer your question.
I guess, we can create a table [sharedUserId] – [App], [sharedUserId] – [Cert] and [Cert] - [App]
It can shed some light on how it works.
I can see same sharedUserId used with different certs, so apps should use different android users...
See below:
Don’t know how to map sharedUserId to android user yet.
My [current] understanding is:
userId "10000" and above are apps generated.
Below – for system use.
I have now:
<package name="com.bn.nook.quickstart" codePath="/system/app/QuickStartActivity.apk" system="true" ts="1217592000000" version="7" sharedUserId="1000">
<cert index="4" />
<package name="com.google.android.server.checkin" codePath="/system/app/GoogleCheckin.apk" system="true" ts="1292347460000" version="7" sharedUserId="1000">
<sigs count="1">
<cert index="13" />
Obviously, due to cert mismatch, "com.bn.nook.quickstart" & "com.google.android.server.checkin" should use different users.
---------- Post added at 09:29 PM ---------- Previous post was at 09:04 PM ----------
ApokrifX said:
Looks like I cannot answer your question.
I guess, we can create a table [sharedUserId] – [App], [sharedUserId] – [Cert] and [Cert] - [App]
It can shed some light on how it works.
Click to expand...
Click to collapse
Here we go:
Code:
0 10019 com.google.android.apps.gtalkservice /system/app/gtalkservice.apk
0 10019 com.google.android.googleapps /system/app/GoogleApps.apk
0 10019 com.google.android.providers.gmail /system/app/GmailProvider.apk
0 10019 com.google.android.providers.talk /system/app/TalkProvider.apk
0 10021 com.google.android.gm /system/app/Gmail.apk
0 10022 com.android.vending /system/app/Vending.apk
1 10002 com.android.globalsearch /system/app/GlobalSearch.apk
1 10002 com.android.googlesearch /system/app/GoogleSearch.apk
1 10002 com.android.inputmethod.latin /system/app/LatinIME.apk
1 10002 com.android.launcher /system/app/Launcher.apk
1 10002 com.android.providers.applications /system/app/ApplicationsProvider.apk
1 10002 com.android.providers.contacts /system/app/ContactsProvider.apk
1 10002 com.android.providers.userdictionary /system/app/UserDictionaryProvider.apk
10 10001 com.adobe.air /system/app/AirRuntime.apk
10 10017 de.devmil.minimaltext /data/app/mt262.apk
10 10023 com.google.android.talk /system/app/Talk.apk
11 10013 com.ngc.fora /data/app/com.ngc.fora.apk
12 10015 siir.es.adbWireless /data/app/siir.es.adbWireless-1.apk
13 1000 com.google.android.providers.subscribedfeeds /system/app/GoogleSubscribedFeedsProvider.apk
13 1000 com.google.android.server.checkin /system/app/GoogleCheckin.apk
14 10018 com.david1171.minimalistblack /data/app/com.david1171.minimalistblack-1.apk
15 10014 com.smart.swkey /data/app/SWKey21.apk
16 10030 com.asksven.betterbatterystats /data/app/com.asksven.betterbatterystats.apk
17 10027 jackpal.androidterm /data/app/jackpal.androidterm.apk
18 10029 com.googlecode.droidwall.free /data/app/com.googlecode.droidwall.free.apk
19 10016 org.adw.launcher /data/app/org.adw.launcher-1.apk
2 10026 org.coolreader /data/app/org.coolreader.apk
20 10012 com.noshufou.android.su /data/app/Superuser.apk
3 10024 berserker.android.apps.sshdroid /data/app/berserker.android.apps.sshdroid.apk
4 1000 android /system/framework/framework-res.apk
4 1000 com.android.providers.settings /system/app/SettingsProvider.apk
4 1000 com.android.providers.subscribedfeeds /system/app/AccountAndSyncSettings.apk
4 1000 com.android.settings /system/app/Settings.apk
4 1000 com.bn.app.crypto.server /system/app/CryptoServer.apk
4 1000 com.bn.authentication.svc /system/app/BnAuthenticationService.apk
4 1000 com.bn.demomode /system/app/DemoMode.apk
4 1000 com.bn.devicemanager /system/app/DeviceManager.apk
4 1000 com.bn.nook.quickstart /system/app/QuickStartActivity.apk
4 1000 com.bn.syschecksum /system/app/SysChecksum.apk
4 1000 com.bn.waveformdownloader.svc /system/app/WaveformDownloader.apk
4 10005 com.android.certinstaller /system/app/CertInstaller.apk
4 10009 com.android.packageinstaller /system/app/PackageInstaller.apk
4 1001 com.android.phone /system/app/Phone.apk
4 1001 com.android.providers.telephony /system/app/TelephonyProvider.apk
4 10011 android.tts /system/app/TtsService.apk
5 10000 com.android.gallery /system/app/Gallery.apk
5 10000 com.android.providers.downloads /system/app/DownloadProvider.apk
5 10000 com.android.providers.drm /system/app/DrmProvider.apk
5 10000 com.android.providers.media /system/app/MediaProvider.apk
5 10000 com.bn.nook.accessories /system/app/Accessories.apk
5 10000 com.bn.nook.affiledownloadservice /system/app/AFfileDownloadService.apk
5 10000 com.bn.nook.cloud.service /system/app/CloudService.apk
5 10000 com.bn.nook.community /system/app/NookCommunity.apk
5 10000 com.bn.nook.dadmin /system/app/DownloadAdmin.apk
5 10000 com.bn.nook.home /system/app/Home.apk
5 10000 com.bn.nook.library /system/app/Library.apk
5 10000 com.bn.nook.reader.activities /system/app/Reader.apk
5 10000 com.bn.nook.shop /system/app/Shop.apk
5 10000 com.bn.nook.social /system/app/Social.apk
6 10025 com.andoku.two.free /data/app/com.andoku.two.free.apk
7 10028 org.connectbot /data/app/org.connectbot.apk
8 10003 com.bn.cloud.svc /system/app/BnCloudRequestSvc.apk
8 10004 com.android.browser /system/app/Browser.apk
8 10006 com.bn.deviceregistrator /system/app/DeviceRegistrator.apk
8 10007 com.android.htmlviewer /system/app/HTMLViewer.apk
8 10008 com.android.music /system/app/Music.apk
8 10010 com.svox.pico /system/app/PicoTts.apk
9 10020 com.benhirashima.nookcolorsettings /system/app/NookColorTools.apk
ApokrifX said:
Don’t know how to map sharedUserId to android user yet.
Click to expand...
Click to collapse
Need help with this one... :crying:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
All of the other cert indexes go from 2 to 8.
The problem is, these are indexes into something and I don't know what/where that is.
When you change a signature, you have to change the something.
When you change signatures in most cases, the system shrugs and rebuilds packages,xml
It's mostly changing the signature on framework-res.apk (name="android") that causes the biggest problems.
For another perspective on the whole package management, try this:
Code:
dumpsys package > /sdcard/package.txt
(This generates a lot of text, hence the redirect.)
Renate NST said:
Android only mentions the single debug key in their documentation.
Click to expand...
Click to collapse
URL?
Renate NST said:
The emulator apks are signed with an Android signature, but not the same as the debug key.
Click to expand...
Click to collapse
Compared few keys (Subject Key Identifiers) out of curiosity:
Android keys
Code:
testkey 48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
shared CB:4C:7E:2C:DB:B3:F0:AD:A9:8D:AB:79:96:8D:17:2E:9D:BB:1E:D1
platform 4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
media CA:29:3C:AA:8B:C0:ED:3E:54:2E:EF:42:05:A2:BF:F2:B5:7E:4D:75
NC2.1 EMU
Code:
Browser 48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
LatinIME CB:4C:7E:2C:DB:B3:F0:AD:A9:8D:AB:79:96:8D:17:2E:9D:BB:1E:D1
framework-res 4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
MediaProvider CA:29:3C:AA:8B:C0:ED:3E:54:2E:EF:42:05:A2:BF:F2:B5:7E:4D:75
---------- Post added at 10:13 PM ---------- Previous post was at 10:07 PM ----------
Renate NST said:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
All of the other cert indexes go from 2 to 8.
The problem is, these are indexes into something and I don't know what/where that is.
Click to expand...
Click to collapse
Ok. Just to make sure, we are on same page again:
When cert mentioned 1st time, it got encoded right into packages.xml key="3082...9308a"
Next time it used, it's referenced by index.
Code:
<package name="com.google.android.providers.talk" codePath="/system/app/TalkProvider.apk" system="true" ts="1292347460000" version="7" sharedUserId="10019">
<sigs count="1">
<cert index="0" key="3082...9308a" />
...
<package name="com.google.android.googleapps" codePath="/system/app/GoogleApps.apk" system="true" ts="1292347460000" version="130" sharedUserId="10019">
<sigs count="1">
<cert index="0" />
Do you mean something else?
---------- Post added at 10:16 PM ---------- Previous post was at 10:13 PM ----------
Renate NST said:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
Click to expand...
Click to collapse
Interesting...
Could you extract CERT.RSA from "the app" and "the system app" and compare, please?
---------- Post added at 10:22 PM ---------- Previous post was at 10:16 PM ----------
[/COLOR]
Renate NST said:
For another perspective on the whole package management, try this:
Code:
dumpsys package > /sdcard/package.txt
Click to expand...
Click to collapse
How do we map:
Code:
Package [com.asksven.betterbatterystats] (49ea9250):
userId=10030 gids=[1015, 3003]
to names we see with ls -l
ApokrifX said:
URL?
When cert mentioned 1st time, it got encoded right into packages.xml key="3082...9308a"
Next time it used, it's referenced by index.
Click to expand...
Click to collapse
Yup, it looks like you are 100% correct.
FWR signed signed with my key is different than an app signed with my key.
They are the same, except for the last 256 bytes which are different.
As you can see, the keys in package.xml are of different lengths
and at least in the cases that I checked are shorter than length(cert)-256 even.
Moreover the end of the keys in packages.xml don't agree with the same position.
http://developer.android.com/tools/publishing/app-signing.html
The SDK tools create the debug keystore/key with predetermined names/passwords:
Keystore name: "debug.keystore"
Keystore password: "android"
Key alias: "androiddebugkey"
Key password: "android"
CN: "CN=Android Debug,O=Android,C=US"
Click to expand...
Click to collapse
The point is not that this single key is documented, the point is that the others are not.
Renate NST said:
FWR signed signed with my key is different than an app signed with my key.
They are the same, except for the last 256 bytes which are different.
As you can see, the keys in package.xml are of different lengths
and at least in the cases that I checked are shorter than length(cert)-256 even.
Click to expand...
Click to collapse
Right.
Could you compare certs "X509v3 Subject Key Identifier", please?
Renate NST said:
Moreover the end of the keys in packages.xml don't agree with the same position.
Click to expand...
Click to collapse
I’m not sure, I get this...
Renate NST said:
The point is not that this single key is documented, the point is that the others are not.
Click to expand...
Click to collapse
---------- Post added at 11:15 PM ---------- Previous post was at 11:01 PM ----------
Looks like in certs in packages.xml are stored in pkcs8 hex format:
shared.pk8
Code:
0000000000: 30 82 04 BE 02 01 00 30 │ 0D 06 09 2A 86 48 86 F7
0000000010: 0D 01 01 01 05 00 04 82 │ 04 A8 30 82 04 A4 02 01
0000000020: 00 02 82 01 01 00 C8 C2 │ DB FD 09 4A 2D F4 5C 3F
0000000030: F1 A3 2E D2 18 05 EC 72 │ FC 58 D0 17 97 1B D0 F6
packages.xml
Code:
<cert index="2" key="3082...b2db" />
They can be easily dumped from packages.xml right into pkcs8 format, no need to get them from packages.
I know practically nothing about signing and certs specifically.
Taking this as a black box question:
Given a signed package, extract the cert with a zip tool,
how do you convert that data into something to write into packages.xml?
Yes, all the ASCII text is in both of these but the cert in the apk and the cert in packages are wildly different.
Yes, you could make a project of this and delve into the Android code to see where it all comes from but the effort seems excessive.
We know that if you delete packages.xml entirely it will get rebuilt (although not with the same non-shared ids as before).
Why not try just deleting all the certs and leaving the rest of it alone?
Renate NST said:
I know practically nothing about signing and certs specifically.
Taking this as a black box question:
Given a signed package, extract the cert with a zip tool,
how do you convert that data into something to write into packages.xml?
Click to expand...
Click to collapse
I didn’t do this part yet.
I guess, a bit fiddling with openssl or keytool will do just fine.
Renate NST said:
Yes, all the ASCII text is in both of these but the cert in the apk and the cert in packages are wildly different.
Click to expand...
Click to collapse
If you post both (from packages.xml), I’ll decrypt them.
I’m pretty sure, they are different.
Renate NST said:
Yes, you could make a project of this and delve into the Android code to see where it all comes from but the effort seems excessive.
Click to expand...
Click to collapse
Yep. There is no point.
Renate NST said:
We know that if you delete packages.xml entirely it will get rebuilt (although not with the same non-shared ids as before).
Why not try just deleting all the certs and leaving the rest of it alone?
Click to expand...
Click to collapse
I wrote already, what might be different if you do it.
IMO, just patching it might be safer...
BTW: I decoded certs from packages.xml - there 4 different ones from B&N there.
ApokrifX said:
I decoded certs from packages.xml - there 4 different ones from B&N there.
Click to expand...
Click to collapse
I still don't know what the tool is or how it operates.
I'm not saying that what is packed in an APK is different in substance from the cert in packages.xml,
I'm just saying that they are not trivially binary convertible from one to another.
If you just delete packages.xml you can either fix the non-shared user ids in packages
or fix the owners for /data/data directories.
I already have an auditing tool for resolving such user id discrepancies
and finding orphaned /data/data directories for apps that were deleted and not uninstalled.
It doesn't do anything, but it reports it so that you can.
Renate NST said:
I still don't know what the tool is or how it operates.
I'm not saying that what is packed in an APK is different in substance from the cert in packages.xml,
I'm just saying that they are not trivially binary convertible from one to another.
Click to expand...
Click to collapse
I dunno, they are trivially convertible, try for yourself:
Unzip CERT.RSA from stock Reader.apk
Obviously (or not), CERT.RSA is pkcs7 and certs in packages.xml are hex strings x509
Let’s convert pkcs7 -> x509
Code:
openssl pkcs7 -inform DER -in CERT.RSA -out CERT.PEM -print_certs
openssl x509 -inform PEM -in CERT.PEM -outform DER -out CERT.x509.DER
Now open CERT.x509.DER is any hex editor:
Code:
0000000000: 30 82 04 96 30 82 03 7E │ A0 03 02 01 02 02 09 00
0000000010: CF 3F 93 2A 95 18 91 A5 │ 30 0D 06 09 2A 86 48 86
...
0000000480: BF 46 EB 99 2F F8 A8 9A │ 1F 66 2D 91 4F 0C 93 FE
0000000490: 44 7D 2F D0 C2 CC DC F7 │ 5E 84
And compare with packages.xml
Code:
<cert index="5" key="308204963082037ea003020102020900cf3f932a951891a5300d06092a864886
…
bf46eb992ff8a89a1f662d914f0c93fe447d2fd0c2ccdcf75e84" />
Renate NST said:
If you just delete packages.xml you can either fix the non-shared user ids in packages or fix the owners for /data/data directories.
I already have an auditing tool for resolving such user id discrepancies
and finding orphaned /data/data directories for apps that were deleted and not uninstalled.
It doesn't do anything, but it reports it so that you can.
Click to expand...
Click to collapse
What about this case:
ApokrifX said:
I dunno if it recreates UserID properly.
I.e. you have apps A, B, C installed they got UserIDs 10001, 10002 & 10003 respectively.
Then you uninstall A & B and delete delete packages.xml, would C get 10003 still?
Need to test it.
Click to expand...
Click to collapse
Do we need to do anything manually or deleting packages.xml will recreates everything properly?
Well, you seem to have a handle on all this.
I've never heard of pkcs7 or any of its friends.
Deleting packages.xml will result in the non-shared user ids to be assigned in order as the APKs are discovered by the PackageManager.
User ids are only used for file permissions on /data/data as far as I know.