Hello everyone,
If you're just reading this, skip to page 2 to save me some embarrassment... Been a learning curve.
Go here .... http://forum.xda-developers.com/showpost.php?p=47607547&postcount=17
First post here and well I hope it's in the right place. I am definitely a novice programmer, am a little comfortable writing small python scripts which leads to this...
I got my phone rooted, I have sl4a ( It Nice! I like it. You like dogs?), and I just got my CM 10 source on Ubuntu 10 like Google recommends. I got adb working and Terminal IDE so I originally wanted to get python to be able to be called by the bash shell it provides ( I think it's bash). I sorta got it working for a single session but what a drag, and I would get an error along the lines that the title suggests, so I'm not happy about that.
I also managed to get a copy of python from com.googlecode.pythonforandroid into /system/bin/ and now when I type "python" into an ADB shell I get the python interpreter!!! Whoo hooo, but I still got that same error. An "import sys", "import ephem", and maybe a few more worked but still something is wrong, it said something like this stuff here..
"""[email protected]:/data/data # python
Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
'import site' failed; use -v for traceback
Python 2.6.2 (r262:71600, Mar 20 2011, 16:54:21)
[GCC 4.4.3] on linux-armv7l
Type "help", "copyright", "credits" or "license" for more information.
>>>
"""
update/bump
Ok so looking at the error message again it seems that it wants two prefixes for the $PYTHONHOME variable, I assume two paths and the second one is to the executable that I put in /system/bin/ which is already in my path hence why python is callable. I had also fumbled around haphazardly with my $PATH variables the other day and may have added the path to some of the libs python was asking for such as libpython2.6.so, I think I added the directory that lib is found in to my path (it's found in "/data/data/com.googlecode.pythonforandroid/files/python/lib/" I think, need to double check that one), so that's what I've done that made this 'click' so to speak into popping out the python interpreter.
Also I found this file...MSM8960_lpm.rc but I forgot from where it came. It looks as if it contains some global variables that get set during boot, am I right?
This is the top part of it...
"""
on early-init
start ueventd
on init
sysclktz 0
loglevel 3
# setup the global environment
export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
export LD_LIBRARY_PATH /vendor/lib:/system/lib
export ANDROID_BOOTLOGO 1
export ANDROID_ROOT /system
export ANDROID_ASSETS /system/app
export ANDROID_DATA /data
export EXTERNAL_STORAGE /mnt/sdcard
export EXTERNAL_STORAGE2 /mnt/sdcard/external_sd
export USBHOST_STORAGE /mnt/sdcard/usbStorage
export ASEC_MOUNTPOINT /mnt/asec
export LOOP_MOUNTPOINT /mnt/obb
export BOOTCLASSPATH /system/framework/core.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/core-junit.jar
"""
So I am thinking that if I set the paths to my Python exec and libs here, as well as Paths for Lua, Perl, JRuby, Python 2.7, Etc, etc then I would have an assortment of scripting languages to launch into from ADB, am I right? This would help me and others write scripts for ADB in many languages to do repetitive grunt work from scripts.
Any advice would be great as it works but it's like python is injured, "import os" didn't work ;( but "import sys" did
It would also be nice if these same variables could be set for Terminal Emulator, Terminal IDE, and the like, I know SSH is in the works with T. IDE and that one has telnet though I haven't figured that out yet.
What should I do? This seems like an OS related issue but if the interpreter is there and compiled for arm and the libs as well why would this not work?
python -v output
this is the "python -v" output to show what's happening, maybe it'll help....
"""
[email protected]:/ # python -v
Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
# installing zipimport hook
import zipimport # builtin
# installed zipimport hook
'import site' failed; traceback:
ImportError: No module named site
Python 2.6.2 (r262:71600, Mar 20 2011, 16:54:21)
[GCC 4.4.3] on linux-armv7l
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> import os
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ImportError: No module named os
>>>
# clear __builtin__._
# clear sys.path
# clear sys.argv
# clear sys.ps1
# clear sys.ps2
# clear sys.exitfunc
# clear sys.exc_type
# clear sys.exc_value
# clear sys.exc_traceback
# clear sys.last_type
# clear sys.last_value
# clear sys.last_traceback
# clear sys.path_hooks
# clear sys.path_importer_cache
# clear sys.meta_path
# clear sys.flags
# clear sys.float_info
# restore sys.stdin
# restore sys.stdout
# restore sys.stderr
# cleanup __main__
# cleanup[1] zipimport
# cleanup[1] signal
# cleanup[1] exceptions
# cleanup[1] _warnings
# cleanup sys
# cleanup __builtin__
# cleanup ints: 3 unfreed ints
# cleanup floats
[email protected]:/ #
"""
That snippet you posted is from the init.rc inside the boot.img...so yes, it has all sorts of initialization code
CNexus said:
That snippet you posted is from the init.rc inside the boot.img...so yes, it has all sorts of initialization code
Ok, so I'll do some reading on setting $PYTHONHOME variable and others, I need to learn how that all works anyways. Most if not all of what I find documents how to set the variables for Windows, Mac, or Linux and not for Android. I will do my best to use that knowledge to fit this situation. I also need to dive around the file system a bit more and find all those libs and try to get the paths set for those to work with ADB and not just SL4A.
If I can do that maybe some more Linux programs/commands can be moved into Android's system, I know a lot of the GUI apps for Linux have dependencies for python and gtk and qt, those modules might be portable to Android if they haven't already done so. Not to mention the other interpreters like Perl. To be perfectly honest what I want to do is port over Kali's toolset (at least the cmd line tools) over to android so they can be run from a terminal emulator or adb itself. That's what I want to do with it, then wrap it all up into a ROM and build it. I know they have already compiled most of Kali's and BackTrack's programs on ARM so I was thinking of pulling those apps from there after an upgrade and then moving them into Android's system e.g /system/bin : /system/lib : /etc/* and so on, if the file systems are too different I suppose I can add directories and make a PATH for them or add them to $PATH once I learn how all that works.
Any good documentation on related issues anyone might be able to link to would be great, I'll be droppin by every so often while I'm grinding through google, thanks in advance for any help and thank you for your time, a bit of a read I suppose.
Environment variables like that would need to be set inside the boot.img, so if you want to unpack it and see exactly how things are defined and what other files are there (good exercise all around IMO), grab my tools from over here and unpack it for yourself and take a look:
cool tools
CNexus said:
Environment variables like that would need to be set inside the boot.img, so if you want to unpack it and see exactly how things are defined and what other files are there (good exercise all around IMO), grab my tools from over here and unpack it for yourself and take a look:
Well I downloaded twrp 2.3.1.0-d2spr and I used the split_boot tool in the package and got a little tree of files including the init.rc and the other msm one, they seem very similar if not identical (?), weird.
I just have a quick question, do I need to repack all this at a certain size? In other words, if I make any changes in the ramdisk image will it refuse to boot? I browsed over some sites and read somewhere that if I changed the kernel image it would fail a hash check and that the type of hashing ( I use bubble bags, but that's for another forum). How much attention do I need to pay to the size of these files I may alter before I repack and flash to the device?
Edge-Case said:
Well I downloaded twrp 2.3.1.0-d2spr and I used the split_boot tool in the package and got a little tree of files including the init.rc and the other msm one, they seem very similar if not identical (?), weird.
I just have a quick question, do I need to repack all this at a certain size? In other words, if I make any changes in the ramdisk image will it refuse to boot? I browsed over some sites and read somewhere that if I changed the kernel image it would fail a hash check and that the type of hashing ( I use bubble bags, but that's for another forum). How much attention do I need to pay to the size of these files I may alter before I repack and flash to the device?
Yes, actually. You need to repack at certain offsets/addresses or the device will be unable to read it properly
Run the boot_info script on your .img file and it will give you everything you need to know to repack the boot.img correctly
First you gotta repack the ramdisk (repack_ramdisk [optional out file])
Then after you do that, you can use the mkbootimg binary along with the info from my boot_info script to make a new boot.img with the right offsets
I've done a ton of boot.img splitting, so here's what it should look like (I forget the cmdline parameter)
Code:
mkbootimg --kernel KERNEL --ramdisk RAMDISK --base 0x80200000 --pagesize 2048 --cmdline "android.I.don't.remember.this.one" --ramdiskaddr 0x81500000 -o new_boot.img
Sent from my S3 on Sense 5 (you jelly?)
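The offsets and page size mentioned in the post above live in the boot image header itself. The following is an added example, not CNexus's boot_info script and not part of the original post: it reads a header-version-0 image (layout assumed from AOSP's bootimg.h) and prints the values a repack has to reproduce. The function names and the constructed sample header are illustrative.

```shell
#!/bin/sh
# Added example: read the version-0 Android boot image header and print the
# values that a repack must reproduce. All fields are little-endian u32:
#   0 magic "ANDROID!"   8 kernel_size   12 kernel_addr
#  16 ramdisk_size      20 ramdisk_addr  36 page_size

# Print the little-endian u32 stored at byte offset $2 of file $1.
# Bytes are read one at a time so host byte order does not matter.
u32_at() {
    set -- $(od -A n -t u1 -j "$2" -N 4 "$1")
    [ $# -eq 4 ] || return 1
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Print key=value lines describing the header of the image in file $1.
boot_header_info() {
    img=$1
    magic=$(dd if="$img" bs=1 count=8 2>/dev/null | tr -d '\000')
    if [ "$magic" != 'ANDROID!' ]; then
        echo "not an Android boot image: $img" >&2
        return 1
    fi
    kernel_size=$(u32_at "$img" 8) || return 1
    kernel_addr=$(u32_at "$img" 12) || return 1
    ramdisk_size=$(u32_at "$img" 16) || return 1
    ramdisk_addr=$(u32_at "$img" 20) || return 1
    page_size=$(u32_at "$img" 36) || return 1
    [ "$page_size" -gt 0 ] || return 1
    # mkbootimg loads the kernel at base + 0x8000, so base can be recovered.
    base=$(( kernel_addr - 0x8000 ))
    # The header occupies one page; the kernel is padded to whole pages,
    # and the ramdisk starts on the next page boundary after it.
    kernel_pages=$(( (kernel_size + page_size - 1) / page_size ))
    ramdisk_offset=$(( page_size * (1 + kernel_pages) ))
    printf 'pagesize=%d\n' "$page_size"
    printf 'base=0x%08x\n' "$base"
    printf 'ramdiskaddr=0x%08x\n' "$ramdisk_addr"
    printf 'kernel_size=%d\n' "$kernel_size"
    printf 'ramdisk_size=%d\n' "$ramdisk_size"
    printf 'ramdisk_file_offset=%d\n' "$ramdisk_offset"
}

# Emit $1 as four little-endian bytes (helper for the constructed sample).
le32() {
    n=$1
    for i in 1 2 3 4; do
        printf '%b' "\\0$(printf '%03o' $(( n & 255 )))"
        n=$(( n >> 8 ))
    done
}

# Constructed sample: header only, using the addresses quoted in the post.
make_sample_header() {
    {
        printf 'ANDROID!'
        le32 5000                 # kernel_size (made up)
        le32 $(( 0x80208000 ))    # kernel_addr = base 0x80200000 + 0x8000
        le32 300                  # ramdisk_size (made up)
        le32 $(( 0x81500000 ))    # ramdisk_addr
        le32 0; le32 0            # second_size, second_addr
        le32 $(( 0x80200100 ))    # tags_addr (made up)
        le32 2048                 # page_size
    } > "$1"
}

sample=$(mktemp)
make_sample_header "$sample"
boot_header_info "$sample"
rm -f "$sample"
```

Run `boot_header_info` against the stock boot.img before unpacking and against the repacked image afterwards; the two sets of values should match apart from the sizes.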
CNexus said:
Yes, actually. You need to repack at certain offsets/addresses or the device will be unable to read it properly
Run the boot_info script on your .img file and it will give you everything you need to know to repack the boot.img correctly
First you gotta repack the ramdisk (repack_ramdisk [optional out file])
Then after you do that, you can use the mkbootimg binary along with the info from my boot_info script to make a new boot.img with the right offsets
I've done a ton of boot.img splitting, so here's what it should look like (I forget the cmdline parameter)
Code:
mkbootimg --kernel KERNEL --ramdisk RAMDISK --base 0x80200000 --pagesize 2048 --cmdline "android.I.don't.remember.this.one" --ramdiskaddr 0x81500000 -o new_boot.img
Sent from my S3 on Sense 5 (you jelly?)
Thanks,
I actually just got the CWM ROM manager, I updated my CWM and am backing up my rom now, it's pretty much stock lacking updates cuz of root I think, I eventually wanna get over to CM or some other rom but CM seems to be supported pretty well.
1) So the backup just finished a second ago, can I pull a boot image out of that? :EDIT: Check. I saw it in the recovered folder.
2) I'll use the boot info on that img when I get it.
3) I guess this is all for testing the variables and getting interpreters to run from adb and T.E. after that I need to install CM 10 to get some blobs, that's all that's hanging me up from modifying the source to build my own version, this is great exercise as it will need to be done when building this "Cyano-Kali" or whatever, I was also thinking "Kali0id" as in Kalioid and Kali zero i.d.
ok well I did some messing around and I got this lill chroot setup working from adb which is kool, I just took a no gui kali.img and a script I found to chroot into it ( Maybe Google "Weaponizing Android"), it needs a lil investigating though I get a couple errors, it looks like it was modified from a chroot into ubuntu (arm).
I put the script into /system/xbin/ and then made it executable (that seems to be the only place I could chmod), I looked at the script and it points to a coded directory for the kali.img which is something like "/storage/sdcard0/kali/kail.img". This puts the script in a location that is already in the environ variable and you can call it from any cwd by typing "kali".
Note: Interesting tip (may be trivial to the pros), typing "bash" gives me a colorful interface and the bash interpreter, this is good for a first command when entering the terminal or adb because then you can modify the bash rc file found in "/system/etc/bash/" (I think, I'll double check later.*FIXED*).
So, I think I might be able to mod those variables there to include PYTHONPATH, PYTHONHOME, etc...
Then when I launch bash I should be able to launch python and whatever else. (*Check*, it works but you must first "bash" and then "python" to allow the bashrc file to get run and add PYTHONHOME and PYTHONPATH to the environment)
I think the first shell that you get put into is shell and not bash but maybe I'm wrong.
*side note, If you want to su into bash it's best ime to do that first, then bash, otherwise when you su while in bash you lose the color, idk why.
here's my results so far...
Code:
[email protected]:~$ adb devices
List of devices attached
xxxxxxxxxx device
[email protected]:~$ adb shell
[email protected]:/ $ su
[email protected]:/ # bash
void endpwent()(3) is not implemented on Android
localhost / # kali
ioctl LOOP_SET_FD failed: Device or resource busy
mount: Device or resource busy
net.ipv4.ip_forward = 1
[[email protected] ~$ cd .. && ls
bin dev home lost+found mnt proc run selinux sys usr
boot etc lib media opt root sbin srv tmp var
[[email protected] /$ which macchanger
/usr/bin/macchanger
[[email protected] /$ which ophcrack
/usr/bin/ophcrack
[[email protected] /$ which reaver
/usr/bin/reaver
[[email protected] /$ which aircrack-ng
/usr/bin/aircrack-ng
[[email protected] /$ python --version
Python 2.7.3
[[email protected] /$ perl --version
This is perl 5, version 14, subversion 2 (v5.14.2) built for arm-linux-gnueabi-thread-multi-64int
(with 80 registered patches, see perl -V for more detail)
Copyright 1987-2011, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.
[[email protected] /$ bash --version
GNU bash, version 4.2.37(1)-release (arm-unknown-linux-gnueabi)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[[email protected] /$ python
Python 2.7.3 (default, Jan 2 2013, 22:35:13)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> import sys
>>>
[[email protected] /$ exit
Shutting down Kali ARM
failed: Device or resource busy
losetup: /dev/block/loop255: Device or resource busy
localhost / # exit
1|[email protected]:/ # ^D
1|[email protected]:/ $ ^D
[email protected]:~$
Does anybody know how to mount an external sdcard from the command line on the Debian version of Linux on Android?
Is that even possible, like driver wise and what not?
Nice!
To mount it, first you would need its device name or UUID..
Sent from my S3 on Sense 5 (you jelly?)
Success!
Alright! I got Python working from the terminal emulator!
I ended up copying the files that got installed by the original installer into my system/ lib, xbin, and, bin directories I just kinda put stuff here or there and then I just got one error about platform independent libraries instead of both dependent and independent. I'm alil add about things sometimes. Then about ten minutes ago while chilling on the patio the syntax for the PythonHome and path variables became clear to me. So I changed it to export and wrapped the paths in quotes and figured out the prefix : exec_prefix thing.
Now python works!!!!!!! I'll run it on adb tomorrow and show the results as well as exactly how to get it working after I figure out exactly what I did right. It was probably the last thing.
Edge-Case said:
Alright! I got Python working from the terminal emulator!
I ended up copying the files that got installed by the original installer into my system/ lib, xbin, and, bin directories I just kinda put stuff here or there and then I just got one error about platform independent libraries instead of both dependent and independent. I'm alil add about things sometimes. Then about ten minutes ago while chilling on the patio the syntax for the PythonHome and path variables became clear to me. So I changed it to export and wrapped the paths in quotes and figured out the prefix : exec_prefix thing.
Now python works!!!!!!! I'll run it on adb tomorrow and show the results as well as exactly how to get it working after I figure out exactly what I did right. It was probably the last thing.
Nice
Sent from my S3 on Sense 5 (you jelly?)
Solution !
Ok I got everything cleaned up a bit, let's see what's going on here...
So hopefully bash is preinstalled for everyone, I just found it, the only changes I made in the past week are installing...
1) CyanogenMod, I believe you will need to already be rooted, have busybox, and a custom recovery to get this far. If you can get CyanogenMod working then you'll probably be able to replicate this, maybe even with just root and busybox on a stock sprint rom, idk.
2) SL4A along with Python 2.6, Perl, and JRuby. (I hope normal ruby programs can be run with JRuby, if not I'll either mod the programs or port ruby to android or look for another port.)
3) Terminal IDE. This could have been a source of bash if it wasn't native to android or the Terminal Emulator/busybox.
Once you have The above, at least python 2.6 with SL4A, Terminal Emulator, Busybox, and root.
You can (the file system maybe different for different phones but since we are in a specific place of this forum I'll stick with what I found on my phone specifically)
Use a root browser and find a way to remount your file system to read/write or r/w or rw mode so you can write to /system directory. It is located in the / directory of the entire system, not just the sdcard0 partition.
You can open a terminal and type "set" to get a closer look at what's happening here on Android. We are mainly interested in the Environment Variables.
What I did was copy
"/storage/sdcard0/com.googlecode.pythonforandroid/extras/python" ----> "/system/etc/python" ##THIS IS A DIRECTORY
"/data/data/com.googlecode.pythonforandroid/files/python/lib/python2.6" ----> "/system/lib/python2.6" ##THIS IS A DIRECTORY
"/data/data/com.googlecode.pythonforandroid/files/python/bin/python" ----> "/system/xbin/python" ##THIS IS A FILE, IT IS AN EXECUTABLE!
"/data/data/com.googlecode.pythonforandroid/files/python/lib/" ----> "/system/lib/python2.6/" ##WE WANT ALL THE "*.so" FILES NEXT TO THE ORIGINAL "*/PYTHON2.6/" DIR IN THE "DATA/DATA/" SIDE OF THE TREE TO BE COPIED TO THE SYSTEM SIDE AND INTO THE "/system/lib/python2.6/" DIR NEXT TO THE "/system/lib/python2.6/lib-dynload/" DIR
We want our "/system/lib/python2.6" directory to contain the following :
"/lib-dynload" is a dir; and all the .so files from earlier there are about 8 with a fresh install of python and no modules, some of you may already know how to incorporate modules from this point, but I still need to do some experimenting.
---------------------------------------------------------
OK
if you're still following then you're gonna wanna do the following
go to "/system/etc/bash" and open the bashrc file, we need to add PYTHONPATH and PYTHONHOME to it, this is how I set it up....
About half way down it will read
Code:
"""
# set some environment variables
HOME=/sdcard
TERM=linux # (maybe change this to "Administrator" but that may break something)
"""
# Our additions follow:
export PYTHONHOME="/system/etc/python:/system/xbin/python"
export PYTHONPATH="/system/etc/python:/system/lib/python2.6/lib-dynload:/system/lib/python2.6"
Ok, now if you go to your terminal emulator or ADB shell you can type:
bash [press enter]
python [press enter]
and check out the results
or
su [enter]
bash [enter]
python [enter]
and see what happens
What's happening is that your PYTHONHOME and PYTHONPATH variables are being set when you enter bash, and since they are exported from the bashrc file they get carried over to any child activities that may spawn, such as "python". Correct me if I am wrong.
I may have forgotten some little file I put somewhere a few days ago or something so let me know if it doesn't work for you, I'll do my best to help you get it working on your phone too.
Other than finding a rc file for the shell that you start with when you launch the terminal or any other process maybe even, I may need to do what CNex suggested and complete the change in a boot.img to flash to my phone. That should result in the variables being passed to all activities.
Peace yo
Any questions I'll drop around if this dies off from here, well live and let die I suppose.
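A check for the two startup messages seen earlier in this thread, as an added example that is not part of the original post. CPython 2.x splits PYTHONHOME as `<prefix>[:<exec_prefix>]` and looks for `lib/pythonX.Y/os.py` under the prefix and `lib/pythonX.Y/lib-dynload` under the exec_prefix; `import os` then succeeds only if some search path entry actually holds the module. The function names and the temporary directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's code: diagnose PYTHONHOME / PYTHONPATH.
#   <prefix>/lib/pythonX.Y/os.py             -> platform independent libraries
#   <exec_prefix>/lib/pythonX.Y/lib-dynload  -> platform dependent libraries

# check_pythonhome VALUE VERSION
# Returns 0 if both landmarks exist, 1 if one is missing, 2 if VALUE is empty.
check_pythonhome() {
    ph_value=$1
    ph_ver=$2
    ph_status=0
    [ -n "$ph_value" ] || { echo "PYTHONHOME is empty"; return 2; }
    case $ph_value in
        *:*) ph_prefix=${ph_value%%:*}; ph_exec=${ph_value#*:} ;;
        *)   ph_prefix=$ph_value; ph_exec=$ph_value ;;
    esac
    ph_lib="$ph_prefix/lib/python$ph_ver"
    if [ -f "$ph_lib/os.py" ] || [ -f "$ph_lib/os.pyc" ]; then
        echo "ok: platform independent libraries under $ph_prefix"
    else
        echo "missing: $ph_lib/os.py"
        ph_status=1
    fi
    if [ -d "$ph_exec/lib/python$ph_ver/lib-dynload" ]; then
        echo "ok: platform dependent libraries under $ph_exec"
    else
        echo "missing: $ph_exec/lib/python$ph_ver/lib-dynload"
        ph_status=1
    fi
    return $ph_status
}

# find_module NAME SEARCHPATH
# Prints the first file on a colon-separated path that would satisfy
# "import NAME"; returns 1 if nothing matches (the "No module named" case).
find_module() {
    fm_mod=$1
    fm_old_ifs=$IFS
    IFS=:
    for fm_dir in $2; do
        for fm_cand in "$fm_dir/$fm_mod.py" "$fm_dir/$fm_mod.pyc" \
                       "$fm_dir/$fm_mod/__init__.py"; do
            if [ -f "$fm_cand" ]; then
                IFS=$fm_old_ifs
                echo "$fm_cand"
                return 0
            fi
        done
    done
    IFS=$fm_old_ifs
    return 1
}

demo() {
    # Constructed tree, simplified; not a copy of a real Py4A install.
    root=$(mktemp -d)
    mkdir -p "$root/files/python/lib/python2.6/lib-dynload" "$root/extras/python"
    : > "$root/files/python/lib/python2.6/os.py"
    echo "== PYTHONHOME set to the install root"
    check_pythonhome "$root/files/python" 2.6
    echo "== PYTHONHOME set to an extras dir plus the executable path"
    check_pythonhome "$root/extras/python:$root/files/python/bin/python" 2.6 || true
    echo "== where would 'import os' come from?"
    find_module os "$root/extras/python" || echo "os: not on this search path"
    find_module os "$root/extras/python:$root/files/python/lib/python2.6"
    rm -rf "$root"
}
demo
```

When PYTHONHOME fails the landmark check, the interpreter can still work if PYTHONPATH lists the library directories directly, which `find_module` makes visible.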
Just a screen shot
I found the "mkshrc" file in "/system/etc" today so I added the PATHs to that file and now when terminal emulator starts it has access to python's libs. ("/system/etc/mkshrc" should be the location)
I've run into two problems, the first I can live with, the second is only more reason to port Kali's toolset into android.
1) I can't yet access the pydocs for interactive help, for example...
Code:
[email protected]:~$ adb shell
[email protected]:/ $ python
dlopen libpython2.6.so
Python 2.6.2 (r262:71600, Mar 20 2011, 16:54:21)
[GCC 4.4.3] on linux-armv7l
Type "help", "copyright", "credits" or "license" for more information.
>>> import android
>>> help (android)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/manuel/AptanaStudio3Workspace/python-for-android/python-build/output/usr/lib/python2.6/site.py", line 431, in __call__
File "/home/manuel/AptanaStudio3Workspace/python-for-android/python-build/output/usr/lib/python2.6/pydoc.py", line 1720, in __call__
File "/home/manuel/AptanaStudio3Workspace/python-for-android/python-build/output/usr/lib/python2.6/pydoc.py", line 1766, in help
File "/home/manuel/AptanaStudio3Workspace/python-for-android/python-build/output/usr/lib/python2.6/pydoc.py", line 1508, in doc
File "/home/manuel/AptanaStudio3Workspace/python-for-android/python-build/output/usr/lib/python2.6/pydoc.py", line 1314, in pager
File "/home/manuel/AptanaStudio3Workspace/python-for-android/python-build/output/usr/lib/python2.6/pydoc.py", line 1338, in getpager
File "/home/manuel/AptanaStudio3Workspace/python-for-android/python-build/output/usr/lib/python2.6/tempfile.py", line 286, in mkstemp
File "/home/manuel/AptanaStudio3Workspace/python-for-android/python-build/output/usr/lib/python2.6/tempfile.py", line 254, in gettempdir
File "/home/manuel/AptanaStudio3Workspace/python-for-android/python-build/output/usr/lib/python2.6/tempfile.py", line 201, in _get_default_tempdir
IOError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']
>>>
And
2) When I chroot into Kali.img the PYTHONPATH and PYTHONHOME variables get carried over and interfere with python within Kali. ????
Work around: is just modifying "bashrc" then when you want python or other interpreters launch bash first and call kali from shell.
Solution: is porting Kali's Toolkit and more Linux programs and commands into Android. Then release as rom or give instructions on how to set up.
No Really, I think I got it figured out this time.
If you're running python 2.6 via Py4a then you'll use the first script to access python from the command line or over adb, you'll need su to put it in /system/bin or /system/xbin and to use this command to write to the system partition "mount -wo remount systemfs /system" when you're done use "mount -ro remount systemfs /system" (without the quotes of course).
Note: adbd can only be run as root, so this method will only work as root. Also I had some trouble disconnecting from adb as "exit", it hung till I unplugged the phone from usb. But, still I got to run python scripts that utilize Android's api without having to directly open sl4a and then the python interpreter from there.
Note2: Maybe one who was slick enough could get the source for sl4a and pick out the server and facade code, then make a little dex to be ran from the command-line instead of starting the server via "am" and instead of using sockets, maybe ashmem to share the JSON results that get sent back to python.
This is the script for 2.6 :
Code:
#!/system/bin/sh
am start -a com.googlecode.android_scripting.action.LAUNCH_SERVER \
-n com.googlecode.android_scripting/.activity.ScriptingLayerServiceLauncher \
--ei com.googlecode.android_scripting.extra.USE_SERVICE_PORT 54326
export AP_PORT=54326
export AP_HOST=127.0.0.1
adbd &
export EXTERNAL_STORAGE=/mnt/sdcard/com.googlecode.pythonforandroid
export PY4A=/data/data/com.googlecode.pythonforandroid/files/python
export PY4A_EXTRAS=$EXTERNAL_STORAGE/extras
PYTHONPATH=$EXTERNAL_STORAGE/extras/python
PYTHONPATH=${PYTHONPATH}:$PY4A/lib/python2.6/lib-dynload
export PYTHONPATH
export TEMP=$EXTERNAL_STORAGE/extras/python/tmp
export HOME=/sdcard
export PYTHON_EGG_CACHE=$TEMP
export PYTHONHOME=$PY4A
export LD_LIBRARY_PATH=$PY4A/lib
$PYTHONHOME/bin/python "$@"
This one is for 3.2 :
Code:
#!/system/bin/sh
am start -a com.googlecode.android_scripting.action.LAUNCH_SERVER \
-n com.googlecode.android_scripting/.activity.ScriptingLayerServiceLauncher \
--ei com.googlecode.android_scripting.extra.USE_SERVICE_PORT 54332
export AP_PORT=54332
export AP_HOST=127.0.0.1
adbd &
export EXTERNAL_STORAGE=/mnt/sdcard/com.googlecode.python3forandroid
export PY34A=/data/data/com.googlecode.python3forandroid/files/python3
export PY4A_EXTRAS=$EXTERNAL_STORAGE/extras
PYTHONPATH=$EXTERNAL_STORAGE/extras/python3
PYTHONPATH=${PYTHONPATH}:$PY34A/lib/python3.2/lib-dynload
export PYTHONPATH
export TEMP=$EXTERNAL_STORAGE/extras/python3/tmp
export HOME=/sdcard
export PYTHON_EGG_CACHE=$TEMP
export PYTHONHOME=$PY34A
export LD_LIBRARY_PATH=$PY34A/lib
$PYTHONHOME/bin/python3 "$@"
Explanation:
-First, the server which handles calls to Android's APIs gets started by its activity with am and port is set.
-Second, AP_PORT and AP_HOST get exported so that android.py will have its parameters set to interact with the "facade"
-Third, adbd gets started in the background (I can't give a full explanation, but I found the RPC mechanism between the python interpreter and the sl4a server when android.py is imported and droid.* is attempted)
-Fourth, Python's environment variables get set, doing it this way helps to avoid copying the whole python installation to /system (as I did in the past ), just put one of these scripts in /system/bin or /system/xbin and name it "python" then chmod the script "chmod 755 python" you will be able to call the interpreter and put the shebang in your python scripts (ie "#!/system/bin/python").
-Fifth, launch the interpreter.
Here is a short session over adb:
Code:
[email protected]:/ # python
dlopen libpython2.6.so
Python 2.6.2 (r262:71600, Mar 20 2011, 16:54:21)
[GCC 4.4.3] on linux-armv7l
Type "help", "copyright", "credits" or "license" for more information.
>>> import android
>>> droid = android.Android()
>>> droid.makeToast("Hello!")
Result(id=0, result=None, error=None)
>>> droid.getLastKnownLocation()
Result(id=1, result={u'passive': {u'bearing': 0, u'altitude': 0, u'time': 1384816643565L, u'longitude': -67.551754299999999,
u'provider': u'network', u'latitude': 96.0520909, u'speed': 0, u'accuracy': 3533}, u'network': {u'bearing': 0, u'altitude': 0, u'time':
1384816643565L, u'longitude': -67.551754299999999, u'provider': u'network', u'latitude': 96.0520909, u'speed': 0, u'accuracy':
3533}, u'gps': None}, error=None)
>>> exit()
And some credit to others:
http://code.google.com/p/python-for...sh?r=997929b1bbaa53cdf76acfff419ec13c13f869b7
http://stackoverflow.com/questions/10839879/python-sl4a-development
Those are links to where I got some info from to help put this together. The adbd thing was just trying "adb forward tcp:xxxx tcp:xxxx" but that didn't work, so I tried adbd forward tcp:xxxx tcp:xxxx and it looked like it hung there, so I ctl^ c and then just adbd and it hung there again, but when I used the "&" to background it and then went to python to try android.py, it worked
And for a lot of fun, go here:
http://code.google.com/p/android-scripting/wiki/ApiReference
-or here-
http://www.mithril.com.au/android/doc/index.html
Note: Found out there is one small problem with this mode - "adb logcat" is not working. As a workaround run "adb shell su -c logcat"
The Problem:
I am a heavy ADB user (QtADB) and was having problems getting it to mount /system rw and pushing/editing files in real time. Had no problems doing all this by mounting /system in recovery but rebooting the phone just to make some system files changes is kind of inconvenient. So I did some research and found this:
HEXcube said:
The real reason behind adb root or insecure adb is the adb daemon in the device running at root permissions. In pre-Android 4.1 versions, this is usually decided by some initialisation script(like init.rc) at boot time. The script checks for value in default.prop,local.propand other environment variables.
If it finds build.prop,default.prop or local.prop property file with ro.secure=0 adbd is allowed to run as root. You'll get adb root and hence will be able to do commands like adb remount,adb root and adb shell's prompt'll be # by default. The user may be displayed as [email protected] or [email protected] adb GUIs like Android Commander and QtADB will get to work in Root mode.
But,if it's ro.secure=1, adb daemon is made to work in secure mode, and adb won't change to root mode on issuing adb root command. However, if su binary is present in $PATH, u can still call su command from adb shell. But, it's not enough for Android Commander to get Root Access. It is possible to attain adb root through any one of the following methods:
1.For CyanoGenMod based ROMs there is an option in Settings->Developer Settings->Root access to control root access. Choose ADB only or Apps and ADB in options to get adb root.
2.Else use adbd Insecure app by chainfire if you have a rooted device. This is useful, especially for Android 4.1+ devices.
3.Or, you may manually edit default.prop to set it's value to 0, but original default.prop will be restored from boot partition everytime you reboot(this is the reason why adb Insecure cannot permanently do adb root, though there is an option to repeat the rooting procedure everytime the device boots). This method is called temporary adb root. On pre-Android 4.0 ROMs default.prop file was located in / directory. I read that from Android 4.x this file is in ramdisk and so more difficult to edit. But Android 4.0 has local.prop which is easier to modify than default.prop( See method 5)
4.For permanent adb root, you'll have to extract boot.img, change default.prop, repack and then flash it back to device.
5. In Android 4.0 there's local.prop file in /data partition. Setting ro.secure=0 in this file will do adb root permanently. Else you can set another property ro.kernel.qemu=1 in the same file. But, this value makes the system think that it is running in an android emulator. Many exploits and root methods set this property temporarily to gain root. But, it may cause side effects if used permanently. Setting ro.secure=0 is recommended. Do this command in terminal app or adb shell:
echo ro.secure=0 >/data/local.prop
or you can manually copy a local.prop file with ro.secure=0 as its content to /data.
6. Note that methods 3, 4 and 5 won't work in Android 4.0 Jelly Bean onwards. According to Dan Rosenberg (drjbliss in XDA), the researcher who discovered the adb root emulator exploit and many other exploits, Jelly Bean doesn't parse any property files to set the ownership of the adb daemon. The stock adbd will have to be replaced with an insecure one to gain adb root. But still, as adbd is located in /sbin, whose contents are reloaded every time on reboot from boot.img, it won't be permanent.
7. For permanent adb root, you may flash an insecure boot.img (one that contains an insecure adbd).
8. If you're really desperate and can't get adb root to work with any of the above methods, use an exploit. Most of the adb based rooting methods utilise some exploit to make the adb daemon run as root. By studying the exploit and implementing it you could gain adb root at least temporarily. I'm not recommending this method but as a last resort you could try them.
Acknowledgements: Thanks to Dan Rosenberg for explaining the reasons behind adb root, especially the one in Jelly Bean.
Original thread: Can't get ADB Root Access in certain ROMs?
So I decided to modify my favorite kernel img and give it a try. I used Imoseyon's leanKernel but it should work with any kernel.
How To:
1. Get Android Image Kitchen and extract it to your PC;
2. Open your_favorite_kernel.zip with 7zip and extract boot.img file to Android Image Kitchen folder;
3. Drag and Drop boot.img over unpackimg.bat. Kernel is unpacked and you will see 2 new folders - ramdisk and split_img;
4. Go to ramdisk folder and open default.prop file with text editor. This probably is not necessary but just in case change ro.secure and ro.adb.secure to 0 (zero):
Code:
ro.secure=0
ro.adb.secure=0
5. Get Chainfire's adbd Insecure v1.30, open it with 7zip, in assets folder you will see 3 .png files. Extract adbd.17.png to ramdisk\sbin folder;
6. Delete original kernel adbd file and rename adbd.17.png to adbd;
7. Go back to Android Image Kitchen folder and run repackimg.bat by just clicking on it. This will repack the modified kernel to image-new.img file ready for flashing;
8. Rename image-new.img to boot.img and replace the original one in your_favorite_kernel.zip by Drag and Drop in 7zip window;
9. Close 7zip, copy modified your_favorite_kernel.zip to /sdcard and flash it in recovery.
10. Enjoy ADB full root access for /system;
Warnings:
I can't guarantee 100% success with this mod. I did this only with leanKernel and it works great, haven't tried any other kernels so I am not sure how all this will end up. IT CAN SOFT BRICK YOUR PHONE!!! Keep a copy of the original kernel on your /sdcard!!!
Doing this while trying to find the correct tools for proper repack of the modified kernel sometime I was ending up with the phone not booting to Android, goes straight to download mode. Don't panic... Just remove battery, place it back, hold Volume Up + Home + Power buttons booting to recovery. Flash the original kernel and you are back all good.
The usual stuff:
I AM NOT RESPONSIBLE FOR ANYTHING ... bla-bla-bla...
All the credits go to the developers who created the great tools used for this mod.
If you think it's useful feel free to say THEM and me thanks.
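For checking whether a kernel zip's boot.img carries the two ramdisk changes described in the how-to above (relaxed properties in default.prop and a replaced sbin/adbd) before it gets flashed, here is an added example that is not part of the original post. It assumes the ramdisk has already been unpacked into a directory and that a copy of the stock adbd is available to compare against; the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an unpacked boot.img ramdisk for
# the two changes the how-to makes, relaxed adbd properties and a swapped adbd.

# risky_props FILE
# Print every active key=value line that relaxes adbd security. Only the three
# properties named in the thread are checked.
risky_props() {
    awk '
        { sub(/\r$/, "") }        # tolerate CRLF left by Windows text editors
        /^[ \t]*#/ { next }       # commented-out assignments do not count
        /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if ((key == "ro.secure"      && val == "0") ||
                (key == "ro.adb.secure"  && val == "0") ||
                (key == "ro.kernel.qemu" && val == "1"))
                print key "=" val
        }
    ' "$1"
}

# audit_ramdisk RAMDISK_DIR STOCK_ADBD
# Print one line per finding plus a total; return 0 only when nothing was found.
audit_ramdisk() {
    ar_dir=$1; ar_stock=$2; ar_findings=0
    for ar_line in $(risky_props "$ar_dir/default.prop"); do
        echo "PROP  $ar_line"
        ar_findings=$((ar_findings + 1))
    done
    # A byte-for-byte comparison is enough to notice a replaced daemon.
    if ! cmp -s "$ar_dir/sbin/adbd" "$ar_stock"; then
        echo "ADBD  sbin/adbd is missing or differs from the stock binary"
        ar_findings=$((ar_findings + 1))
    fi
    echo "findings: $ar_findings"
    [ "$ar_findings" -eq 0 ]
}

# make_sample_ramdisk DIR
# Constructed sample: a ramdisk as it would look after steps 4 to 6, with one
# CRLF line and one commented-out property. The adbd files are placeholders.
make_sample_ramdisk() {
    mkdir -p "$1/ramdisk/sbin" || return 1
    {
        printf '%s\n' '# constructed default.prop' 'ro.secure=0'
        printf 'ro.adb.secure=0\r\n'
        printf '%s\n' '# ro.kernel.qemu=1' 'ro.zygote=zygote32'
    } > "$1/ramdisk/default.prop"
    printf 'constructed stock adbd bytes' > "$1/stock_adbd"
    printf 'constructed replacement bytes' > "$1/ramdisk/sbin/adbd"
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d) && make_sample_ramdisk "$demo_dir" && {
    audit_ramdisk "$demo_dir/ramdisk" "$demo_dir/stock_adbd" ||
        echo "result: this ramdisk lets adbd run as root"
    rm -rf "$demo_dir"
}
```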
@nijel8
Thanks for sharing this. I will test this out on my device. If successful I would like to share this over in the One SV forums.
I never even considered this idea smh lol.
Edit: confirmed working
Thanks so much for sharing this. I too use adb a lot and need an insecure kernel.
Success. Nexus 5 and I changed Franco kernel to insecure.
Franco kernels used to be insecure but none thus far have been on the N5. Any reason behind this?
My guess is devs play it safe so average Joe don't mess with /system... ha-ha
btw is "adb logcat" working for you?
Only problem with the adbd from Chainfire's ADB Insecure is that it breaks adb wireless. Any solution?
nijel8 said:
Note: Found out there is one small problem with this mode - "adb logcat" is not working. As a workaround run "adb shell su -c logcat"
The Problem:
I am a heavy ADB user (QtADB) and was having problems getting it to mount /system rw and pushing/editing files in real time. Had no problems doing all this by mounting /system in recovery but rebooting the phone just to make some system files changes is kind of inconvenient. So I did some research and found this:
Some time ago I've tried to do this for a Nexus 6, running Marshmallow.
Android has tightened up security, so I got bootloops.
Has anyone managed to do this?
Thank you!
Can this work with Note 3 N900 (exynos kernel) sir? Or just only for snapdragon chipset kernel? Thanks sir!
does this work on locked bootloader devices?
a custom kernel exists for my devices (G928A) with ADB Insecure, but it's got a few quirks that need worked out (that require fully rooting the device)
all I'm looking for is insecure ADB (which I have tried to change ro.secure=0 and adb.secure=0 both with echo commands in shell) for temporary adb root on the device
how did ManIT make his custom kernel undetectable/passable by the bootloader but with modifications?
if this will work ... then I will just edit an image pulled from the devices current boot.img and do the same adb insecure edit to the ramdisk.. to update the root flash kernel... shes a bit dated.... and there isn't one for marshmallow specific one yet.
I was also reading about a filler file due to block sizing when repacking the image ... so I created a copy file and edited the contents till it zipped back to within 1kb of data... will this be detected and flagged at boot?
help please
Great tutorial.
I did it by following the steps in your post.
Thank you for clear and precise explanation.
Anybody have a pre-patched / adb root enabled adbd at hand (10.0.36 or higher - current is 10.0.41 I think)?
Did anyone successfully install debian kit on the galaxy note 10.1 (2014) ?
I tried,
sh /storage/emulated/0/debian-kit-1-6.shar
unpacks properly, but then nothing happens. A wizard is supposed to start.
I tried both 1-6.shar from Doviak, and 1-5.shar from sven-ola
I did the following. Start with unrooted device. Accept KK OTA upgrade. Now
I have SM-P600 with Android 4.4.2. Root with CF. This fails.
Flash openrecovery-twrp-2.6.3.3-lt03wifiue.img.tar with Odin. Then boot into TWRP and
install UPDATE-SuperSU-v1.94.zip. Now some apps ask for root access and it seems to be
granted; installed sdfix, and at least one app (aplinequest) that could not write after
the KK upgrade can now write to extsdcard.
Installed Debian Kit app. All green checks, except red Xs for "Kernel modules supported"
and "Valid 'su' command found". But I know su is working. (I think there was a red X by Debian
Kit already unpacked)
Transfer debian-kit-1-6.shar to device. I follow instructions, Install connectbot. Give 'su'.
Run sh /storage/emulated/0/debian-kit-1-6.shar
Get error messages (I didn't record them), such as md5sum not found, and
a couple of other binaries not found. I give echo $PATH and then look for these binaries
in my path. They are not there. So I install BusyBox Free. Run the shar file again. I
get a list of files extracted, but then nothing happens. Now I see that debian kit wants
to use its own busybox and I didn't need to install busybox, but debian kit did not work
in any case.
I try to run /data/local/deb/autorun with sh autorun. Exits with "Unsupported CPU or architecture"
Investigate and find shell var CPU is set correctly to "armel" on first pass, but when the script
runs again with exec, CPU is ''. So I hardcode CPU=armel. Then I can get a little further.
And so on and so on, hardcoding CPU in all the scripts. Trying to get the scripts to see the
correct binaries, etc. Now I have a diskimage installed, can't go forward and can't uninstall.
If anyone can shed some light....
update
Deleted everything and started over. Using adb shell. I notice
that the installer says
Included busybox failed.
and tries to use system tar, sed, etc, which it cannot find.
However, If I put #!/system/bin/sh at the top of debian-kit-1-5.shar
And run ./debian-kit-1-5.shar rather than sh ./debian-kit-1-5.shar,
then the script runs for quite a while and extracts a lot of files.
It fails eventually with
ash: id: Permission denied
In fact, from the adb shell I get
126|[email protected]:/data/local # id
uid=0(root) gid=0(root) context=u:r:init:s0
[email protected]:/data/local # ./deb/armel/busybox ash -c "id"
ash: id: Permission denied
126|[email protected]:/data/local # ./deb/armel/busybox ash -c "/system/bin/id"
ash: /system/bin/id: Permission denied
More Update
It seems that in some cases the user 'shell' has permission to do something, but 'root' does not.
One thing stopping the debian kit install process is that root running a shell located under /data cannot run any executables via
passing a string on the command line. They can run commands interactively (maybe because the command
line uses exec ?). But the user 'shell' can run executables this way. E.g. I copied /system/bin/mksh to the /data partition.
[email protected]:/ $ su
[email protected]:/ # /data/local/bin/mksh -c "id"
/data/local/bin/mksh: id: Permission denied
1|[email protected]:/ # /system/bin/mksh -c "id"
uid=0(root) gid=0(root) context=u:r:init_shell:s0
[email protected]:/ # su shell
[email protected]:/ $ /data/local/bin/mksh -c "id"
uid=2000(shell) gid=2000(shell) context=u:r:init:s0
There are a few posts scattered around other forums mentioning the same problem when trying to
install debian kit, but no responses even recognized that there was a problem.
The solution was to install an selinux permissive kernel. Then installation
went normally.
I think I can help.
I have the same tablet and I tried to answer you several times but when I give exact instructions they don't let my reply get to the thread for some reason. So I'll have to be less specific, sorry. Anyway. I rooted with an omnirom based setup. 412. Homemade. Once you get the debian-kit-1-6-testing.jpeg and you've unloaded it to your root directory try:
#sh /data/local/deb/mk-debian -i
Follow the usage correctly and until you're done testing leave:
-h
At the end of the script. But be sure to set it to armel and 2047 and wheezy and set the mirror to:
deb. .org/dists/wheezy/ main contrib non-free
Kali
catch all the protools and for the gpg licence use google search my username KeizerPaPa and I'll give you the gpg on my + account. Good luck.
---------- Post added at 06:40 PM ---------- Previous post was at 06:28 PM ----------
KeizerPaPa said:
I have the same tablet and I tried to answer you several times but when I give exact instructions they don't let my reply get to the thread for some reason. So I'll have to be less specific, sorry. Anyway. I rooted with an omnirom based setup. 412. Homemade. Once you get the debian-kit-1-6-testing.jpeg and you've unloaded it to your root directory try:
#sh /data/local/deb/mk-debian -i
Follow the usage correctly and until you're done testing leave:
-h
At the end of the script. But be sure to set it to armel and 2047 and wheezy and set the mirror to:
deb http .org/dists/wheezy/ main contrib non-free
Kali
catch all the protools and for the gpg licence use google search my username KeizerPaPa and I'll give you the gpg on my + account. Good luck.
Make sure you piece the above together correctly, they wouldn't let me type it all together. That's deb http: //http
Then .kali then .org/dists....... have fun. If ya get stuck on the gpg search me and ask. KeizerPaPa
A reason why mine failed at first was because "Debian kit" is set to resolve ip addresses using "only" your Primary DNS Server (DNS 1). When I finally pinged my Primary DNS server, I found it was not functional. My Secondary DNS server (DNS 2) was functional (this also explains why my internet was slower than it should have been while browsing the internet)
I changed my Primary DNS server by
1) going into the WIFI settings
2) long-pressing on the WIFI I was connected to
3) choosing "Modify..."
4) checking the "Show advanced..." option
5) changing from "DHCP" to "Static"
6) entering a functional DNS server (such as 8.8.4.4) for "DNS 1"
- Hyp
https://redd.it/59n5r9
If it's possible to do on other phones that run the un-patched kernel I suppose it can be done on the Spring G5. If so that would be the luckiest break ever lol.
Not sure if its really going to be a root method and let super user work because the owner of the repo said "I put 'root' in quotes, because technically, it isn't rooting. However, it creates a binary called 'run-as' that can execute packages as root.".
He also mentioned it hasn't been tested on 64-bit.
I'm working on trying to understand how exactly the bug works, and to see if it can be replicated. In theory, it should work because even 64-bit desktop kernels are affected. Additionally, the bug still exists in the kernel upstream, so all Android devices should be affected.
Update on this. The exploit does work on the LG Stylo 2, which is running very similar software to the LG G5, but I am having issues installing su, but I do have root...temp root at least.
this will not root your phone to let you run titanium backup or Xposed APIs. If you're lucky you can maybe make changes to build.prop and only if the system partition is not signed like the kernel is. So I would not bet on this.
with temp root can you mount system as rw and make changes? if not it's completely pointless
can you provide binary, so we do not have to compile. I would try it as well
lg phone ever not get root?
I have the exploit running on my Stylo 2, but I can't do anything. SELinux is set to enforcing, but I do have a root shell.
Code:
λ adb -d shell
[email protected]:/ $ run-as exec whoami
Warning: setcon transition to 'u:r:init:s0' failed (is SELinux Enforcing?)
root
[email protected]:/ $ run-as exec dd if=/dev/block/bootdevice/by-name/boot of=/sdcard/boot.img
Warning: setcon transition to 'u:r:init:s0' failed (is SELinux Enforcing?)
dd: /dev/block/bootdevice/by-name/boot: Permission denied
1|[email protected]:/ $
can you mount system partition as r/w to modify system files?
We can use the Dirtycow exploit to replace any file in the system memory with a file of the same size, but All files will revert once rebooted thanks to SELinux as mentioned, it enforces whatever file you replaced with same security. Escalated privileges doesn't seem possible while SELinux is enforcing. There is a thread dedicated for more discussion from others with more knowledge below:
http://forum.xda-developers.com/general/security/dirty-cow-t3484879
Believe me many people are working for this to be our Savior.
Couldn't we use this method, modify the update file to be rooted, then let the 7.0 install itself?
Hi all -
I have made updated scripts before, but something isn't working out for me. I started with this guy's script here:
https://forum.xda-developers.com/showpost.php?p=19093919&postcount=20
Purpose is to add lines to build.prop from the script (also does a backup).
First time through I was getting an error which I resolved by updating to a different updater-binary.
I know that the .sh script that I am copying over is running (using some simple touch statements), however it never seems to touch my build.prop.
I think the issue is that somehow it can't access the build.prop file, possibly because it isn't mounting /system properly.
It seems to use busybox commands which I don't have on my device (and I'd rather not install, as I don't want to have to depend on it after clean flash).
Can someone help me out or point me to another script/method of updating build.prop via updater-script?
thanks
Yeah, I don't know what's going on.
I've also tried these scripts meant to modify build.prop:
https://forum.xda-developers.com/android/apps-games/pie-pixel-stuff-t3846138 (the prop patch script)
and
https://forum.xda-developers.com/showthread.php?t=2664332
Scripts appear to run fine, but build.prop is never edited.
None of these scripts states they are for the 3, but they do indicate they at least worked with the original Pixel.
Is something different in the 3 that would be preventing any of these from working?
Try changing the updater-script code from busybox to toybox.
Edit: I took the script and made one that seems to work on Pixel 3's. Like the one you posted, put the lines you want added in the tmp/misc text file.
Thanks...is the one you sent meant to be a Magisk flashable module or a TWRP one? It looks like a Magisk one.
The problem I was having with most of the other scripts was two-fold:
1) There did seem to be some mount issues. Not all the scripts I was using used busybox, they just specified "mount". Additionally, some scripts appeared to do mount commands in the updater-script (with its special syntax) while others attempted to do them in the script that was called via the run_program() calls. I think the mounts were working in most cases, though some seemed to fail on remounts if the /system was already mounted. It seems the correct way to do this (at least on Pixel 3) is to use toybox mount commands in updater-script. I couldn't find a lot of info about this, but is toybox built into the Pixel 3? I assume so, unless Magisk was putting it in the /sbin directory (which I doubt).
2) Most of the scripts I was working with are twrp flashable files, and none of those were working (no errors though). Definitely the issue I found was that build.prop is not located in /system when twrp has mounted the filesystem. It is in /system/system/build.prop. I was able to get scripts working to modify this by ensuring the mount commands worked and pointing to /system/system/build.prop. I don't understand the change in the extra subdirectory, and not many people have mentioned it.
I haven't been really up on recent developments. It seems that people have become averse to installing TWRP permanently in the recovery and maybe people aren't really using TWRP modules anymore instead of going to Magisk ones? I don't really understand why not to install TWRP because I can still pass all the safety checks, use google pay, etc with TWRP installed. But if this is the way the community is going, I guess I need to stop assuming I can do these things via TWRP flashes.
This is TWRP flashable to system. Not a module and cannot be installed via magisk manager.
Edit. The script was hard coded on that one. If you want to do custom scripting and not just add lines, use this one. In this one, bptweaks.sh and misc text are tweakable. In the first one, just misc.
This is not my work other than a few tweaks. This is an altered magisk installer. Used to be able to mount and run scripts.
Thanks. I have not run this yet. It's not that I don't trust you, but I like to audit the script and since this appears to be a modified template the script is rather large and appears to be doing a bunch of things. Therefore I don't want to run it on my phone until I know exactly what it is modifying.
However, I can't see how this will work because it seems to have the same issue as the other scripts. In updater-script it has the following relevant section:
Code:
bp="/system/build.prop"
toybox mount /system
toybox mount /data
if [ -f /system/build.prop.bak ];
then
rm -rf $bp
cp $bp.bak $bp
else
cp $bp $bp.bak
fi
echo " " >> $bp
echo "# Enable pixel theme" >> $bp
echo " " >> $bp
for mod in misc;
do
for prop in `cat /data/tmp/tmp/$mod`;do
export newprop=$(echo ${prop} | cut -d '=' -f1)
sed -i "/${newprop}/d" /system/build.prop
echo $prop >> /system/build.prop
done
done
So it uses toybox to mount /system and then attempts to modify /system/build.prop by iterating through the misc file and editing inline the changes found therein. The problem here is that build.prop isn't in that location on my phone. Look at this adb output from my phone with TWRP running (slightly edited because I get linker errors on every command once /system is mounted..due to some endless recursion in the file system I think?):
Code:
crosshatch:/ # ls -l /system
total 0
drwx------ 3 root root 0 1970-08-29 20:11 etc
crosshatch:/ # toybox mount /system
crosshatch:/ # ls /system
acct d firmware init.recovery.crosshatch.rc lost+found postinstall storage
bin data init init.recovery.sdm845.rc metadata proc sys
bugreports default.prop init.crosshatch.rc init.usb.configfs.rc mnt product system
cache dev init.environ.rc init.usb.rc odm res ueventd.rc
charger dsp init.rc init.zygote32.rc oem sbin vendor
config etc init.recovery.blueline.rc init.zygote64_32.rc persist sdcard
crosshatch:/ # cd /system/system
crosshatch:/system/system # ls
app build.prop etc fake-libs64 framework lib64 product vendor
bin compatibility_matrix.xml fake-libs fonts lib priv-app usr
So I simply don't see how it is possible that the script you sent would modify /system/system/build.prop.
You have a Pixel 3 and ran this and it worked? If so, I'm curious does your build.prop show in the same location as mine within your adb session?
The only way I could see this working is if there is something magic in the code I haven't reviewed yet or somehow the filesystem from *within* twrp (the context of where this runs) looks different than if I do this over adb. I don't think that is likely, but I'm not an expert.
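The path question raised in this post, as an added example that is not the script under discussion and not code from either poster: it looks for build.prop in both layouts shown in the thread (directly under the mount point, or under a nested system directory), matches property keys exactly instead of as a sed pattern, and reads the additions file line by line so values containing spaces survive. The property names and files in the demo are constructed.

```shell
#!/bin/sh
# Added example (not the script from the thread): add or replace build.prop
# entries without assuming where build.prop sits under the mount point.

# find_build_prop MOUNTPOINT
# Print the path of build.prop, trying the nested layout first.
find_build_prop() {
    for candidate in "$1/system/build.prop" "$1/build.prop"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# set_prop FILE KEY VALUE
# Drop every existing line whose key equals KEY exactly, then append KEY=VALUE.
# The key is compared as a string, so "ro.a" never touches "ro.a.b".
set_prop() {
    sp_file=$1; sp_key=$2; sp_value=$3
    sp_tmp="$sp_file.new.$$"
    PROP_KEY="$sp_key" awk '
        {
            line = $0
            sub(/\r$/, "", line)
            eq = index(line, "=")
            k = (eq > 0) ? substr(line, 1, eq - 1) : line
            sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k != ENVIRON["PROP_KEY"]) print $0
        }
    ' "$sp_file" > "$sp_tmp" || { rm -f "$sp_tmp"; return 1; }
    printf '%s=%s\n' "$sp_key" "$sp_value" >> "$sp_tmp"
    # Overwrite in place so the owner, mode and label of build.prop are kept.
    cat "$sp_tmp" > "$sp_file" && rm -f "$sp_tmp"
}

# apply_props MOUNTPOINT LISTFILE
# Back up build.prop once, then apply each key=value line from LISTFILE.
apply_props() {
    ap_file=$(find_build_prop "$1") || {
        echo "build.prop not found under $1" >&2
        return 1
    }
    [ -f "$ap_file.bak" ] || cp -p "$ap_file" "$ap_file.bak" || return 1
    while IFS= read -r ap_line || [ -n "$ap_line" ]; do
        ap_line=$(printf '%s' "$ap_line" | tr -d '\r')
        case $ap_line in
            ''|'#'*) continue ;;    # blank line or comment
            *=*) ;;                 # key=value, applied below
            *) echo "skipping malformed line: $ap_line" >&2; continue ;;
        esac
        set_prop "$ap_file" "${ap_line%%=*}" "${ap_line#*=}" || return 1
    done < "$2"
    return 0
}

# make_sample_tree DIR
# Constructed sample: a mount point with the nested layout and an additions file.
make_sample_tree() {
    mkdir -p "$1/mnt/system" || return 1
    printf '%s\n' 'ro.build.id=CONSTRUCTED' 'ro.demo.theme=0' \
        'ro.demo.theme.accent=blue' > "$1/mnt/system/build.prop"
    printf '%s\n' '# constructed additions' 'ro.demo.theme=1' \
        'ro.demo.label=Pixel theme' > "$1/misc"
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d) && make_sample_tree "$demo_dir" && {
    apply_props "$demo_dir/mnt" "$demo_dir/misc" &&
        cat "$demo_dir/mnt/system/build.prop"
    rm -rf "$demo_dir"
}
```

Running apply_props twice leaves the same four lines, because each key is removed before it is appended again.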
TraderJack said:
Thanks. I have not run this yet. It's not that I don't trust you, but I like to audit the script and since this appears to be a modified template the script is rather large and appears to be doing a bunch of things. Therefore I don't want to run it on my phone until I know exactly what it is modifying.
However, I can't see how this will work because it seems to have the same issue as the other scripts. In updater-script it has the following relevant section:
Code:
bp="/system/build.prop"
toybox mount /system
toybox mount /data
if [ -f /system/build.prop.bak ];
then
rm -rf $bp
cp $bp.bak $bp
else
cp $bp $bp.bak
fi
echo " " >> $bp
echo "# Enable pixel theme" >> $bp
echo " " >> $bp
for mod in misc;
do
for prop in `cat /data/tmp/tmp/$mod`;do
export newprop=$(echo ${prop} | cut -d '=' -f1)
sed -i "/${newprop}/d" /system/build.prop
echo $prop >> /system/build.prop
done
done
So it uses toybox to mount /system and then attempts to modify /system/build.prop by iterating through the misc file and editing inline the changes found therein. The problem here is that build.prop isn't in that location on my phone. Look at this adb output from my phone with TWRP running (slightly edited because I get linker errors on every command once /system is mounted..due to some endless recursion in the file system I think?):
Code:
crosshatch:/ # ls -l /system
total 0
drwx------ 3 root root 0 1970-08-29 20:11 etc
crosshatch:/ # toybox mount /system
crosshatch:/ # ls /system
acct d firmware init.recovery.crosshatch.rc lost+found postinstall storage
bin data init init.recovery.sdm845.rc metadata proc sys
bugreports default.prop init.crosshatch.rc init.usb.configfs.rc mnt product system
cache dev init.environ.rc init.usb.rc odm res ueventd.rc
charger dsp init.rc init.zygote32.rc oem sbin vendor
config etc init.recovery.blueline.rc init.zygote64_32.rc persist sdcard
crosshatch:/ # cd /system/system
crosshatch:/system/system # ls
app build.prop etc fake-libs64 framework lib64 product vendor
bin compatibility_matrix.xml fake-libs fonts lib priv-app usr
So I simply don't see how it is possible that the script you sent would modify /system/system/build.prop.
You have a Pixel 3 and ran this and it worked? If so, I'm curious does your build.prop show in the same location as mine within your adb session?
The only way I could see this working is if there is something magic in the code I haven't reviewed yet or somehow the filesystem from *within* twrp (the context of where this runs) looks different than if I do this over adb. I don't think that is likely, but I'm not an expert.
Most of the code has to do with mounting and unmounting magisk.img and not applicable. I ran this on my pixel 3XL and did indeed put the code in my build.prop. I'm not saying the code itself works, just that this edits the build.prop. Here is a version that has a bit more of the code stripped out.
Edit: That code in bptweaks.sh and that you posted is not mine either. It came from one of the links in your original post. I thought you were indicating that you could not get a script to install. All I did was try and make a vehicle for a script that could modify the build.prop.
Tulsadiver said:
Most of the code has to do with mounting and unmounting magisk.img and not applicable. I ran this on my pixel 3XL and did indeed put the code in my build.prop. I'm not saying the code itself works, just that this edits the build.prop. Here is a version that has a bit more of the code stripped out.
That's really interesting/strange. Would you do me a favor when you have a few minutes and adb in with twrp booted and see if your file system mirrors mine? Specifically, when you mount /system does build.prop show inside /system or in /system/system/build.prop.
If I adb into my phone with the OS booted it is in /system/build.prop, but from within twrp it is one more /system directory deep.
I'll try to review the latest one you sent and run it on my phone to see if it indeed works. I have a bit more confusion because the way this zip is built is that the updater-script looks to be a normal shell script. In most of these flashables I have seen the update-script is a special script that only uses a special syntax of commands, such as:
Code:
package_extract_file();
set_perm();
mount();
run_program("/tmp/backuptool.sh", "backup");
etc...
The code I see in this update-script is what you would normally find in an external shell script like that referenced in the run_program() above.
I don't know how Magisk actually builds theirs, though I can say that the updater-binary is significantly larger than the one used in other flashable zip files I have seen. Can you speak to that at all?
TraderJack said:
That's really interesting/strange. Would you do me a favor when you have a few minutes and adb in with twrp booted and see if your file system mirrors mine? Specifically, when you mount /system does build.prop show inside /system or in /system/system/build.prop.
If I adb into my phone with the OS booted it is in /system/build.prop, but from within twrp it is one more /system directory deep.
I'll try to review the latest one you sent and run it on my phone to see if it indeed works. I have a bit more confusion because the way this zip is built is that the updater-script looks to be a normal shell script. In most of these flashables I have seen the update-script is a special script that only uses a special syntax of commands, such as:
Code:
package_extract_file();
set_perm();
mount();
run_program("/tmp/backuptool.sh", "backup");
etc...
The code I see in this update-script is what you would normally find in an external shell script like that referenced in the run_program() above.
I don't know how Magisk actually builds theirs, though I can say that the updater-binary is significantly larger than the one used in other flashable zip files I have seen. Can you speak to that at all?
The update-binary is the BusyBox installer script and zip extraction. It runs first, then the updater-script runs. Open the update-binary with a text editor. Above the ELF files is script.
Tulsadiver said:
The update-binary is the BusyBox installer script and zip extraction. It runs first, then the updater-script runs. Open the update-binary with a text editor. Above the ELF files is script.
Ok...so that appears to be completely different to how most "normal" flashable zip files work where the update-binary is a smaller full binary script that then launches the update-script which uses the syntax I mentioned above. Clearly the Magisk devs know what they are doing but all the other flashables I have downloaded (and created) have not used this method. Unfortunately, it makes it impossible for me to compare apples to apples in why nothing else works and really doesn't answer any of the questions. While this script may work, it gives me no answers as to why it does, and why the others fail :/
TraderJack said:
Ok...so that appears to be completely different to how most "normal" flashable zip files work where the update-binary is a smaller full binary script that then launches the update-script which uses the syntax I mentioned above. Clearly the Magisk devs know what they are doing but all the other flashables I have downloaded (and created) have not used this method. Unfortunately, it makes it impossible for me to compare apples to apples in why nothing else works and really doesn't answer any of the questions. While this script may work, it gives me no answers as to why it does, and why the others fail :/
Yes, it's in the mounting. Pixel 3s don't seem to use BusyBox. It looks like they've gone to toybox. What this dumbed down version of magisk util_function.sh appears to be doing is installing BusyBox and setting it to be used instead. This one is more like you are used to seeing. The only way I could get it to work is still by using magisk util_function.sh for mounting purposes. I would not be able to write a script like that myself.
I haven't read all of the replies in this thread so forgive me if I'm saying something that someone else has already said.
I had the same issue as you've had when I first started flashing custom files onto my 1st Gen Pixel and what I've found that's worked for me is to do this:
1.) Boot into TWRP & flash Magisk
2.) Reboot into bootloader
3.) Boot into TWRP again & flash your custom files
4.) Boot up the phone as you normally would
Not 100% sure this will work since you have a Pixel 3 and this worked for me on a Pixel 1 but I'd think it would be worth trying.
HesThatGuy said:
I haven't read all of the replies in this thread so forgive me if I'm saying something that someone else has already said.
I had the same issue as you've had when I first started flashing custom files onto my 1st Gen Pixel and what I've found that's worked for me is to do this:
1.) Boot into TWRP & flash Magisk
2.) Reboot into bootloader
3.) Boot into TWRP again & flash your custom files
4.) Boot up the phone as you normally would
Not 100% sure this will work since you have a Pixel 3 and this worked for me on a Pixel 1 but I'd think it would be worth trying.
Thanks, but 100% not relevant - not only to the replies, but also to the OP.
TraderJack said:
Thanks, but 100% not relevant - not only to the replies, but also to the OP.
Sounds like you need to disable dm-verity to edit build.prop without using Magisk. Magisk is one big overlay; seems to be the way of the future, though. I personally have been disabling verity, then adding an xbin folder to root, then linking to system, then installing BusyBox to xbin. I don't like using Magisk to install the BusyBox module or any module that alters the system, because you will have to use Magisk to modify system from there on out instead of just manually doing it yourself with a root explorer.
Also, if you were to flash an Open GApps zip, it would add an addon.d folder to system. Open GApps and Magisk will install their backup scripts to the addon.d folder. It would be a good place for you to add your own backup script as well.
Yeah, you need to disable verity to properly mount /system, /vendor, and /product partitions. It is not hard. In magisk manager just go to advanced options, untick verity, then install magisk from the app. After changes you can put verity back if that bugs you.