Does anyone know how to modify the kernel command line on the Tab S 8.4? I have compiled a kernel from Samsung sources to allow SELinux behaviour to be changed at runtime (and also switched into permissive mode at boot time with androidboot.selinux=permissive on the kernel command line).
However, the boot image tools all claim the command line is empty despite /proc/cmdline displaying a long kernel command line. Specifying a new one when repacking the boot image has no effect on the actual kernel command line at all.
Happy to share the kernel if anyone wants it. I've been running it for a few days now and it seems fine (which it should be given the minor changes from stock).
I extracted the boot.img from my Desire and ran this script on it,
but it returns:
Code:
./unpack-bootimg.pl boot.img
Found a secondary file after the ramdisk image. According to the spec (mkbootimg.h) this file can exist, but this script is not designed to deal with this scenario.
I've been searching the internet for two days now and I can't find any other script that does that, only a tutorial for doing it manually with a hex editor, but that still doesn't cover the last file the script is complaining about.
Any ideas?
P.S.: I need to modify boot.img because I'm trying to set up dual boot (Android + Android) for testing purposes; I will post if successful.
Update:
I managed to extract the kernel and ramdisk.
First I tried booting the kernel from fastboot: worked like a charm.
Then I tried booting kernel+ramdisk from fastboot: hangs on the HTC logo.
I also tried compiling kernel+ramdisk into a boot.img following the instructions: again hangs on the HTC boot screen.
adb says no devices; fastboot detects it, but shows no ID, just ??????????
So apparently the last file in boot.img is important.
Any ideas?
I'm using CyanogenMod 7 btw.
I have a phone which is a Wolfgang AT-AS43d. I'm trying to flash a new kernel on the device but it won't boot with the new kernel. The phone is a rebrand of the Techfaith Tracker.
I have pulled the config.gz from my phone and made several kernels (3.0.8, 3.4) using the aurora code for Qualcomm devices. With all of these kernels, the phone ends up in a bootloop (shows a logo -> black screen -> reboots -> shows a logo -> etc.). My stock kernel is a 2.6.35.11 version, so at last I made a kernel with the same version. But this one won't boot either.
I unpacked the stock kernel, made a change to an Android system property (ramdisk file), repacked it and flashed it to the phone. The phone will boot, so the way I'm flashing is correct (or correct me if I'm wrong).
In the config I pulled from the phone there are 2 config parameters that I cannot find anywhere in a Linux configuration, and I suspect that I need these (the drivers) to successfully flash a new kernel. The 2 parameters are:
CONFIG_ANDROID_TF_CODE_BASE=y
CONFIG_MINIDRIVER_BASE_H900=y
Maybe TF stands for TechFaith?
Can anybody confirm that this is the reason why I'm unable to flash a new kernel?
Does anybody know where to get these drivers?
Or is there another solution to flash a new kernel on the phone?
Shouldn't these drivers be made public, since they are part of a kernel?
Hi,
I've been trying to find a way to specify the kernel command line on the Xperia Play without having to recompile the kernel. I have tried the fastboot -c option (with a boot.img flash of course) and also mkbootimg with the --cmdline option, but nothing seems to work. However, it does work for HTC and Samsung devices.
I have discovered that the kernel source file /arch/arm/kernel/setup.c is responsible for parsing the kernel flags from the atags/bootloader and also from the compiled kernel, and I figure something in here could be made to read the extra cmdline from the boot.img header and append it. But upon comparing this file to HTC and Samsung kernel sources and trying some changes, I could still not get it to work.
So my question is: is this possible to fix in the kernel? Or is it a bootloader limitation/difference of the Xperia line and simply not possible without recompiling the kernel every time?
TIA.
I've seen a lot of people asking about this in various threads, so I decided to release a version modded to run under Android. First things first:
1. This is not a support thread. I'm not even providing compiled binaries. I am providing code that will compile under CyanogenMod and should work once compiled.
2. I will answer legitimate questions about compiling or use, but not generic "will this work on xyz phone". I expect posts to state what attempts you have already made and where you got stuck. All other requests will be mocked mercilessly.
MODS TAKE NOTE: I already have two suspensions for mocking n00bs.
What is CVE-2016-0728? It is an overflow bug in the Sysv IPC interface. You can read the technical write-up here http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
What does it do for you? It allows a userspace program to grab a root token, and execute an arbitrary command. In the example code provided, it opens a root shell. This will provide temporary root on your phone.
Why a special version for Android? Two reasons: 1st, Android's Bionic lacks Keyutils needed to compile this successfully. You can cross-compile it using regular tools, but the provided code will compile under Android (using the NDK or CyanogenMod). 2nd, my makefile uses static linking to avoid problems with missing symbols. On my test device, a dynamically linked compiled version failed to find some libc symbols.
How do I patch my device to avoid the same problem: Here is the upstream fix: https://github.com/torvalds/linux/commit/23567fd052a9abb6d67fe8e7a9ccdd9800a540f2
How do I use it?
1. This exploit only works under kernel version 3.8 or higher on kernels with Sysv enabled. The execution may also be blocked by selinux. Google recently removed Sysv from the recommended Android kernel configs, and Linux has a patch for this problem, so expect devices to begin patching against this. Note this excludes the vast majority of older Android devices on kernel versions 3.4 and earlier.
2. I will assume you already know how to set up your build environment and sync CyanogenMod. Breakfast a device with a similar or the same processor and sync it. For example, my test device is arm64, so I breakfasted h815, LG G4, and then modified this line in the make file to say "generic" instead of cortex-a53. The resulting binary should work on any arm64 device.
3. Grab the exploit code (download zip) and place in your device folder (G4-common in our example).
4. "mka rootz"
5. The resulting binary is quite large (300 kb) due to static linking. You can pare it down by using dynamic linking if you think your device has compatible libc.
6. The exploit takes some time to run (6 hours plus on a phone). Due to its nature it is reported to only have a 1 in 3 chance of success (you have to intentionally overflow the keyring while other processes are also using the keyring, so there is another chance a different process could cause it to overflow before you do).
7. Most modern Android devices do not let you execute arbitrary code from user accessible locations anymore. If you are attempting to root a device with this, you have to place the binary in a location that will let you execute it. This location or availability of it may vary by device. "/data/local/tmp" may be available. There are various programs that install command line tools in a location a non-root user can access them as well. You can use Better Terminal Emulator Pro for instance. It lets you open up a shell on your device, and it has a bin directory at "/data/data/com.magicandroidapps.bettertermpro/bin" you can copy the executable to. Make sure you chmod 777 the executable after copying it. Better Term Pro also comes with busybox, so you can potentially remount your system r/w after getting temporary root for more permanent root
8. Usage is something like "./rootz PP1" where PP1 is the name of the key you want to use. That name should work for you.
9. Wait 6 hours and enjoy
Phones known to not be affected (I am only listing phones that meet the basic criteria, i.e. kernel version 3.8 and up. Also only stock firmwares. So your crappy Galaxy S III is not going on this list. And neither is your already rooted phone):
1. BlackBerry Priv (/proc/keys node missing)
2. LG G4 (/proc/keys node missing)
Phones known to be affected
1. NONE. (It appears very few devices ship with CONFIG_KEYS on Android OEM builds, although CyanogenMod has it turned on.)
If the /proc/keys is missing this exploit will fail, yes?
[email protected]:/data/local/tmp $ ./rootz PP1
uid=2000, euid=2000
msgget: Function not implemented
I do have /proc/keys, kernel version 3.18, 6.0.1 Marshmallow.
Guess I lack SysV.... I have /proc/keys in the filesystem, but the actual file is empty when I cat it.
I have /proc/sysvipc present on this device.
I don't think this exploit can actually work for Android. It requires the addresses of symbols (like commit_creds). These addresses can only be taken from /proc/kallsyms, but if you are not a root user the output will be 0's.
Also many devices lack SysV IPC. Though we can still replace msgget with sendmmsg or something equivalent and then bypass ASLR. I saw you have written a function get_symbols but it actually returns something like: 000000000.
First sorry for my bad writing!
I also see only 0x000... in /proc/kallsyms.
Could we extract the addresses of symbols directly from a kernel image and then use that list instead of /proc/kallsyms?
Cynob
Hello to all!
I'm a heavy OnePlus user, currently with the Nord, but I'm trying to use my old but gold OnePlus 3 to run Klipper+Moonraker+Fluidd.
On the Klipper side everything is perfect; one big issue remains: there is no kernel compiled for the OP3 which has the USB_SERIAL_CH341 driver enabled.
I'm trying to build it but without success. Here is what I've done under the latest version of Linux Mint.
First of all I installed a lot of packages; I can't remember them all because I used various guides, since initially I was not even able to finish the compilation.
Then I downloaded:
kernel source: https://github.com/lin16-microg/android_kernel_oneplus_msm8996/tree/lin-16.0-mse2
from this ROM thread, which is the ROM I'm still using: https://forum.xda-developers.com/t/...ened-lineageos-16-0-for-oneplus-3-3t.4034869/
Initially I tried to use the EVAgcc toolchain, but it was impossible to finish the build. Then I switched to the AOSP toolchains:
32bit: https://android.googlesource.com/pl...inux-androideabi-4.9/+/refs/heads/pie-release
64bit: https://android.googlesource.com/pl...64-linux-android-4.9/+/refs/heads/pie-release
With them I was able to compile from source, but before doing so I modified the file called "lineageos_oneplus3_defconfig" by adding "USB_SERIAL_CH341=y" just under "USB_SERIAL=y" in order to have the serial driver compiled and loaded (if I have understood right?).
To build, I used the following from inside the cloned kernel source directory:
>make clean
>make mrproper
>ARCH=arm64 SUBARCH=arm64 CROSS_COMPILE=googletoolpath/bin/aarch64-stuffs- CROSS_COMPILE_ARM32=googletoolpath/bin/arm-stuffs- make O=out lineageos_oneplus3_defconfig
>ARCH=arm64 SUBARCH=arm64 CROSS_COMPILE=googletoolpath/bin/aarch64-stuffs- CROSS_COMPILE_ARM32=googletoolpath/bin/arm-stuffs- make O=out Image -j2
In this way I obtained an Image (not a zImage, since zImage returned an error).
Then I unpacked the stock boot.img with Android Image Kitchen and substituted the boot.img-kernel file (which is an archive..?) with the compiled image, renamed.
Finally I repacked everything.
I tried to flash the repacked boot.img but it does not boot; the phone returns to the fastboot screen.
I've noticed that my new boot.img is around 25 MB instead of around 12 MB like the stock one present in the ROM zip.
Probably the error resides in how I've managed to unpack and repack the kernel image..
Does someone see some heavy error which can cause the problem? What can I try?
On one side, as an automation engineer, I want to learn and try to do it by myself, but on the other side, if someone is able to compile it for me with the serial CH341 driver enabled, a beer is assured.
Thanks all for having read up to now and for any advice.
Not sure that's important, but you forgot to gzip the kernel before repacking. I recommend compiling with the configuration of the running kernel from the device (/proc/config.gz) first.
alecxs said:
Not sure that's important, but you forgot to gzip the kernel before repacking. I recommend compiling with the configuration of the running kernel from the device (/proc/config.gz) first.
I'll have to try, because it is not gzipped by default; the problem is that I didn't find all-in-one scripts or the config file you mentioned. I would never have thought that rebuilding a kernel was so tricky.
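Several of the posts above trip over the same boot.img layout: the "secondary file after the ramdisk" that unpack-bootimg.pl refuses, unpack tools reporting an empty header cmdline, and a repacked kernel that was never gzipped. The following is an added example, not code from any of the posters or from Android Image Kitchen: a parser and packer for the v0 boot image header as laid out in AOSP mkbootimg.h (magic, ten u32 fields, name, cmdline, id, extra_cmdline). The sample image, ramdisk bytes and load addresses are constructed.

```python
import gzip
import struct

# Android boot image header v0 from AOSP mkbootimg.h: magic, ten u32 fields,
# 16-byte name, 512-byte cmdline, eight u32 id words, 1024-byte extra_cmdline.
BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8s10I16s512s8I1024s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 1632 bytes

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")

def parse_boot_image(data):
    """Return header fields and the three page-aligned payloads of a v0 boot.img."""
    if len(data) < HEADER_SIZE or data[:8] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic: not a boot image")
    (_, kernel_size, _, ramdisk_size, _, second_size, _, _, page_size, _, _,
     name, cmdline, *_ids, extra_cmdline) = struct.unpack_from(HEADER_FMT, data)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("bogus page_size %d" % page_size)
    pages = lambda n: (n + page_size - 1) // page_size * page_size
    off = page_size                        # the header occupies the first page
    kernel = data[off:off + kernel_size]; off += pages(kernel_size)
    ramdisk = data[off:off + ramdisk_size]; off += pages(ramdisk_size)
    second = data[off:off + second_size]   # the "secondary file" unpack-bootimg.pl rejects
    return {
        "name": _cstr(name),
        # the kernel is offered cmdline + extra_cmdline, but only if the bootloader
        # passes the header string on; many use their own ATAG/device-tree string
        "cmdline": _cstr(cmdline) + _cstr(extra_cmdline),
        "page_size": page_size, "second_size": second_size,
        "kernel_is_gzip": kernel[:2] == b"\x1f\x8b",  # a raw Image fails this
        "kernel": kernel, "ramdisk": ramdisk, "second": second,
    }

def build_boot_image(kernel, ramdisk, second=b"", cmdline=b"", page_size=2048):
    # Pack a minimal v0 image from constructed data; load addresses are dummies.
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x10008000,
                      len(ramdisk), 0x11000000, len(second), 0x10f00000,
                      0x10000100, page_size, 0, 0, b"constructed",
                      cmdline[:512], *([0] * 8), cmdline[512:1536])
    pad = lambda b: b + b"\0" * (-len(b) % page_size)
    return pad(hdr) + pad(kernel) + pad(ramdisk) + pad(second)

if __name__ == "__main__":
    img = build_boot_image(gzip.compress(b"KERNEL" * 64), b"cpio-ramdisk",
                           second=b"second-stage",
                           cmdline=b"console=ttyHSL0 androidboot.selinux=permissive")
    info = parse_boot_image(img)
    print({k: info[k] for k in ("cmdline", "second_size", "kernel_is_gzip")})
```

Run it against a real boot.img by replacing the constructed image with `open("boot.img", "rb").read()`; a non-zero second_size is the file the Perl script stops at, and an empty cmdline means the bootloader's own string (what /proc/cmdline shows) is not coming from this header.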