Related
[2012/06/03] IMPORTANT UPDATE HERE
Hi hackers,
This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, me or someone else will have an idea on how to get this working.
The goal is to run native homebrew executables on WP7
This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.
The angle is to create a certificate that allows to sign a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.
First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
- CA
- Root
- My
- Code Integrity
After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:
Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
Entended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)
So I used OpenSSL to create such an certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.
I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.
I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).
I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.
So why is this not working?
Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On fist boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:
Code:
Microsoft Mobile Device Privileged PCA - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
Microsoft Mobile Device TCB PCA - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
Microsoft Mobile Device Unprivileged PCA - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
Microsoft Mobile Device VSD PCA - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group
I should find a way to add a policy with my certificate in it. Any ideas?
Ciao,
Heathcliff74
If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome.
regards
Flow WP7 said:
If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome.
regards
Click to expand...
Click to collapse
That's a good idea. I must say that I don't have much faith in the current RecMod tools for WP7 right now. I am able to get the binaries recmodded so that I can disassemble them correctly. But I don't think they can be easily launched. But there are executables that are on the rom as complete binaries, instead of rom-modules. To begin with, I have to select one that does not need much privileges to run and try to sign that one and then run it.
I'm really busy with work right now, so I think I won't be able to try it until the day after tomorrow. But I will try it and will let know how that went.
Thanks!
Decompiled taskhost.exe, so it gets more easy for us to see if its able to make taskhost to start another exe for us. Lots of code tho (C code).
taskhost.c (276 KB) in attachments.
edit: Oh, WOW, this really shows how to call those anonymous methods without call signature "Hello" (signature: "??z_Hello_?mze")
Hmm, pretty much about the pause part?
Code:
if ( v10 )
{
a7 = sub_178E7(v10);
if ( a7 >= 0 )
{
a7 = sub_180A5(v7, v7 + 64);
if ( a7 >= 0 )
{
a7 = ThemeInitialize(v7 + 136);
if ( a7 >= 0 )
{
v11 = sub_1862B(v13, v7);
EnableHostAutoDehydration(v11 == 3);
v16 = 0;
a7 = InitializeEmClientEx(&a2, 0, &v16);
if ( a7 >= 0 )
{
a7 = RegisterPausedHostCallback(sub_19D0D, 0);
if ( a7 >= 0 )
{
a7 = RegisterResumingHostCallback(sub_19D31, 0);
if ( a7 >= 0 )
{
if ( v11 != 3
|| (a7 = RegisterDehydrateHostCallback(sub_19D76, 0), a7 >= 0)
&& (a7 = RegisterFreezeHostCallback(sub_19D97, 0), a7 >= 0) )
{
a7 = RegisterExitHostCallback(sub_19D55, 0);
if ( a7 >= 0 )
a7 = sub_17C0A(*(_DWORD *)(v7 + 128), 0);
}
}
}
}
}
}
}
}
UIX framework entry-point (exe)
Code:
int __cdecl sub_11114(int a1, int a2, int a3)
{
int v4; // [sp+0h] [bp-38h]@1
char Dst; // [sp+4h] [bp-34h]@1
int v6; // [sp+8h] [bp-30h]@1
int v7; // [sp+Ch] [bp-2Ch]@1
int v8; // [sp+18h] [bp-20h]@1
int v9; // [sp+28h] [bp-10h]@1
v4 = 0;
memset(&Dst, 0, 0x34u);
v8 = a3;
v6 = (int)L"res://FlightModeUXDLL!FlightMode.uix";
v7 = (int)L"FMMain";
v9 = 2;
RunApplication(&v4);
return dword_12034;
}
C++ converted
Code:
UIXApplicationInfo app;
app { ... }
RunApplication(&app);
struct UIXApplicationInfo
{
int UNK_v4 = 0;
char Dst = {0};
char* uixFile;
char* uixEntryPoint;
int UNK_v8;
int UNK_v9 = 2;
}
Then just figure out the UIX part (or test the existing "res://FlightModeUXDLL!FlightMode.uix" if it launches, if so, we made it).
___
Found this in mango dump:
> Uninstall provxml
Code:
<!-- Uninstall Xbox LIVE Extras App -->
<characteristic type="AppInstall">
<nocharacteristic type="{0c17d153-b5d5-df11-a844-00237de2db9e}"/>
</characteristic>
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
athompson said:
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
Click to expand...
Click to collapse
Hello "co-founder of native code on WP7"
I'm fully aware of the possibility of native code through COM. I use it for example in the WP7 Root Tools. But I just wanted to take it a step further. Running native executables give a lot more freedom. Not being bound to the watchdog, getting higher privileges and running in the background for instance. But there's a whole lot more. So that's why I started research on it. Thanks anyway. You helped making native code possible on WP7.
Ciao,
Heathcliff74
The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
fiinix said:
The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
Click to expand...
Click to collapse
Hmmm. 10 Points for inventiveness But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
Heathcliff74 said:
Hmmm. 10 Points for inventiveness But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
Click to expand...
Click to collapse
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value ";
Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
fiinix said:
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value ";
Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
Click to expand...
Click to collapse
I really hate to break it for you. But the [SecuritySafeCritical] is indeed trusted code, but it will still check your privileges. All the API functions that do system modifications like that, do the security checks. Read the note under SecuritySafeCriticalAttribute here. Also read this; same problem. You are in process TaskHost.exe and it is launched in LPC (Least Privilege Chamber), so every CeImpersonateToken() to do the important stuff will fail and return an error code. I also wouldn't know how you would modify the stack-frame of a function that you call. Seems impossible to me, because at the moment you call the function, that stack-frame has not been allocated yet.
Anyway, although I don't think that is going to work in any way, I absolutely don't want to discourage you, because my experience is that when you try enough, sooner or later you will find an exploit
Ciao,
Heathcliff74
Currently installing "Windows Embeded Compact 7", because this lousy ARMv4 compiler (from WM5-6) maybe generates wrong ARM op-codes (WP7 runs ARMv7), therefore it says "Invalid program signature" (or what error it was).
Maybe ARMv7 is'nt even backwards compatibility with ARMv4.
By compiling with the ARMv7 compiler from WEM7, it will probably (hope) generate a valid exe.
Thats it..
edit:
*Research
"Armv7 is the processor instruction set used starting with the S5L8920 in the iPhone 3GS and in all subsequent devices. Processors that support Armv7 instructions are backward compatible with Armv6 instructions, but attempting to run binaries compiled for Arm7 on older, Armv6 processors will result in the error: "Bad CPU type in executable"."
Source: http://theiphonewiki.com/wiki/index.php?title=Armv7
___
"As I said in the past, the ARMv6 CTR was kept backwards compatible with
> > > earlier versions of the ARM architecture (and ARM tried to keep it like
> > > this as much as possible). With ARMv7, you have multiple levels of cache
> > > and different types (e.g. ASID-tagged VIVT I-cache). There is no way you
> > > could encode the useful information while keeping the same (and only)
> > > register, hence the the need for a new register."
Source: http://www.spinics.net/lists/arm-kernel/msg58813.html
As i see this (^), all ARMv > 6 == no backwards
ARMv6 had backwards to 4
ARMv7 >> ARMv6 compatibility, not more.
_
Problem officer even running ARMv4???
>On a non ARMv4 backwards compatibility CPU.
Profit!!
__
[ExeX.exe] (the one that i recompiled to a state: "this has to work")(ARMv4)
Decompilation:
Code:
; Attributes: bp-based frame
EXPORT start
start
var_20= -0x20
oldR4= -0x1C
oldR5= -0x18
oldR6= -0x14
oldR7= -0x10
oldR11= -0xC
oldSP= -8
oldLR= -4
MOV R12, SP
STMFD SP!, {R4-R7,R11,R12,LR}
ADD R11, SP, #0x1C
SUB SP, SP, #4
MOV R4, R3
MOV R5, R2
MOV R6, R1
MOV R7, R0
.
Next up, decompile a ARMv7 from a raw device. (how, someone has one)
fiinix said:
Next up, decompile a ARMv7 from a raw device. (how, someone has one)
Click to expand...
Click to collapse
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
athompson said:
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
Click to expand...
Click to collapse
IDA Pro, yes. Ill see if i can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
fiinix said:
IDA Pro, yes. Ill see if i can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
Click to expand...
Click to collapse
First use Andim's WP7 Rom Tools to extract the rommodules. Remember to always dump a folder, not a single file.
Then use Denomitor's version of Recmod and follow the instructions in the post. That works most of the time.
Going forward
Currently building the WP7 ARMv7 commandline, getting closer.
Current cmd (not working, no need to help):
Code:
"C:\WINCE700\sdk\bin\i386\arm\cl.exe" /Od /D "_DEBUG" /D "_WIN32_WCE=0x700" /D "UNDER_CE" /D "ZUNE_HD" /D "WINCE" /D "DEBUG" /D "_WINDOWS" /D "ARM" /D "_ARM_" /D "_UNICODE" /D "UNICODE" /D "_CRT_SECURE_NO_WARNINGS" /Gm /EHsc /MTd /Gy /fp:fast /GR- /Fo"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/" /Fd"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/vc80.pdb" /W3 /c /Zi /TP /QRfpe- /QRarch7 "C:\Users\Steven VM\Desktop\ARMv7\main.cpp"
/QRarch7 is the ARMv7.
edit:
HOORRY SHEEAT
generated:
> main.obj
> vc80.idb
> vc80.pdb
, feels soo good:
main.exe is there.
IDA Pro says "ARM AND THUMB MODE SWITCH INSTRUCTIONS", just like others.
Code:
; Input MD5 : B50E8D8395DE7CA2419464DC3CE0BC74
; File Name : C:\Users\Steven\Desktop\burn\main.exe
; Format : Portable executable for ARMI (PE)
; Imagebase : 10000
; Section 1. (virtual address 00001000)
; Virtual size : 00000018 ( 24.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
; Processor : ARM
; Target assembler: Generic assembler for ARM
; Byte sex : Little endian
; Segment type: Pure code
AREA .text, CODE, READWRITE, ALIGN=4
; ORG 0x11000
CODE32
EXPORT start
start
var_4= -4
SUB SP, SP, #4
MOV R3, #1
STR R3, [SP,#4+var_4]
LDR R0, [SP,#4+var_4]
ADD SP, SP, #4
BX LR
; End of function start
Made an empty entry point as from above ^:
Code:
int wWinMainCRTStartup()
{
return 1;
}
PE Explorer (main.exe):
Machine: THUMB
Operating System Version: 7.0
Image Version: 7.0
Subsystem Version: 7.0
Subsystem: WinCE GUI
**** so CLOSE!
Successful copied "main.exe" and "ExeX.exe" to "\Windows", where i have the right to launch them remotely.
Method:
WP7Process p = device.LaunchEXE(@"main.exe", "");
main.exe (no signing, ARMv7):
System.UnauthorizedAccessException: Access is denied.
WP7Process p = device.LaunchEXE(@"ExeX.exe", "");
ExeX.exe (signed with CA/ROOT custom, ARMv4):
System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.
There IS different things going on! Something is missing, but what
edit:
Signed main.exe with custom XDA ROOT certificate (ARMv7):
signtool.exe sign /sha1 "[CertChomp]" "main.exe"
> Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
Ill see if i can add it to startup list , if it boot from there.
edit 2:
Nope gonna hijack "fieldtestapp.exe" with my app because policy says:
Risky-mode.Activate();
Backup(fieldtestapp.exe, backupPath);
Copy(main.exe, > fieldtestapp.exe);
"LOADERVERIFIER_ROUTE_BY_NAME"
"LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"
<Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
</Authorize>
</Rule>
<Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
</Authorize>
</Rule>
edit 3:
Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.
edit 4:
Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
Successful copy == no ROM lock.
edit 5:
There exists two types of talking to the LoadVerifier (the: This program is blocked by group policy.):
Direct exe name OR special certificate
How we do:
> Direct exe (hijack exe)
How we cant do (SHA1) (Nope, ain't gonna happen):
> We certainly dont have Microsofts certificate so this way is a nodo, haha lol, no do way.
(1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
(2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574
edit 6:
Yep, loads of edits, just for you.
Allowed exe's to run (sorted a-z) (direct exe) (pre cert removed):
Code:
ACCESSIBILITYCPL.EXE
ACCOUNTSMANAGER.EXE
ALARMS.EXE
APPCHECKERSHIM.EXE
APPPREINSTALLER.EXE
AUTODATACONFIG.EXE
AUTOSIM.EXE
AUTOTIMEUPDATE.EXE
BRIGHTNESSCPL.EXE
BTUXCPL.EXE
CALENDARAPP.EXE
CALLSETTINGSHOST.EXE
CALNOT.EXE
CALUPD.EXE
CAM_FW_UPDATE_UI.EXE
CELLUXCPL.EXE
CERTINSTALLER.EXE
CFGHOST.EXE
CFLAUNCHER.EXE
CHDIALERHOST.EXE
CIPHASE2.EXE
CLIENTSHUTDOWN3.EXE
CLOCKNOT.EXE
CMACCEPT3.EXE
COLDINIT.EXE
COMMSVC.EXE
COMPOSITOR.EXE
CONFIGDM.EXE
CONFIGXML.EXE
CONMANCLIENT3.EXE
CONTACTS.EXE
CPROG.EXE
DATETIMECPL.EXE
DCVSSWITCH.EXE
DEPOTCOPY.EXE
DEVICEFEEDBACKCPL.EXE
DEVICEREG.EXE
DIAGPORTCHANGETEST.EXE
DLLHOST.EXE
DMSCHEDULERCALLBACK.EXE
DMSRV.EXE
DMSTOOLS.EXE
DUACLIENT.EXE
DW.EXE
EDM3.EXE
EMAIL.EXE
EMAILSETUP.EXE
ENDPOINT.EXE
FCROUTERCMDTEST.EXE
FIELDTESTAPP.EXE
FLIGHTMODE.EXE
GAMESUX.EXE
IEXPLORE.EXE
INITIATEDMSESSION.EXE
INVALIDLICENSEUXLAUNCHER.EXE
KEYBOARDCPL.EXE
LASSCREDENTIALEXPIRATIONCHECK.EXE
LASSRESTARTER.EXE
LIVETOKEN.EXE
LOCKCPL.EXE
LOOPBACKTEST.EXE
MEDIAGROVEL.EXE
MEUX.EXE
MITSMAN.EXE
MMSPRPROXY.EXE
MMSTRANSHOST.EXE
MULTIMEDIALAUNCHER.EXE
MYPHONECPL.EXE
MYPHONETASKSRUNTIME.EXE
NATIVEINSTALLERHOST.EXE
OFFICEURL.EXE
OMADMCLIENT.EXE
OMADMPRC.EXE
OMHUB.EXE
ONBOOTSQM.EXE
ONENOTEMOBILE.EXE
OOBE.EXE
PACMANINSTALLER.EXE
PHOTOENT.EXE
PHOTOENTCAPTURE.EXE
PHOTOUPLOADER.EXE
PPT.EXE
PWORD.EXE
PWRLOGCTRL.EXE
PXL.EXE
RAPICONFIG.EXE
REGIONCPL.EXE
RMACTIVATE.EXE
SAPISVR.EXE
SECSIMTKIT.EXE
SERVICESD.EXE
SERVICESSTART.EXE
SETTELEPORTMODE.EXE
SETTINGS3.EXE
SHORTMSG.EXE
SICLNT.EXE
SIGNALEVENT.EXE
SIREPSERVERAPPDEV.EXE
SMSETTINGS.EXE
SMSTRANSPORT.EXE
SOUNDCPL.EXE
SPEECHCPL.EXE
SPMC.EXE
SQMEVENT.EXE
SSUPDATE.EXE
TASKHOST.EXE
TELSHELL.EXE
TESTSHOW.EXE
THEMECPL.EXE
TOGGLEBROWSERHIBERNATION.EXE
TOGGLEDOG.EXE
UDEVICE.EXE
UIF.EXE
UNIFIEDPAIR.EXE
USBMGR.EXE
WEBSEARCH.EXE
WIFIUXSPLASH.EXE
WLANEXT.EXE
WLIDSETUP.EXE
WWANDATAMGR.EXE
XDRMREMOTESERV.EXE
ZIPVIEW.EXE
ZMFTASKLAUNCH.EXE
How code (yes i know its super un-optimized, fast put together):
Code:
var doc = XDocument.Load(File.OpenRead("SamsungOmnia7_BasePolicy_webserver.xml"));
var ea = doc.Elements().ToArray()[0].Elements()
.Where(x => x.Name.LocalName == "Rule")
.Where(x => x.Attributes("ResourceIri").Count() > 0)
.Where(x =>
{
var r = x.Attribute("ResourceIri").Value;
return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
})
.Select(x =>
{
var v = x.Attribute("ResourceIri").Value;
var l = v.LastIndexOf('/');
return v.Substring(l + 1);
})
.Distinct()
.OrderBy(x => x)
.ToArray();
edit 7:
yeah, lol i say too.
Unprotected exe (FCRouterCmdTest.exe)
> c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"
Wow, this truly was a big step today
Done hacking today.
"After a day, there comes another day"
@fiinix,
You did a lot of testing. Good job, man.
A few comments:
0x800704ec "blocked by group policy" is THE error of the new WP7 security model. It is basically telling you to go f*ck yourself. Everything you do without enough privileges or capabilities results in this error.
The two ways of policies, exe-path and cert-hash, is result of difference between rom-modules and executables that are signed and added as a file. Rom-modules are not even normal files. You can't open and read them. They are executable sections that are mapped in rom-address-space. You can only call loadlibrary() and createprocess() on them. Since they are only executable sections, they don't have a signature, like a normal executable file would have. Therefore they are referred to with an exe-path. You may safely assume that every path to an executable in the policy files is referring to a rom-module and can't be overwritten in any way (except by cooking your own rom - who is going to unlock our bootloaders?!?) Other than that, there are a few signing certs that Microsoft has. Signing the different executables with different privileges and accordingly a different cert. Their hashes are in the policies.
Using ARMv7 isn't going to add much I'm afraid. Although it may make a difference in the exe-header. But you've seen tools that were really old, remember And they were signed to have TCB access. And they were compiled for ARMv4. So it should not make much difference.
I did some testing with certificates myself yesterday. Up until Zune totally went bezerk on it. I don't know what happened, but after removing my own cooked certs it all seems normal again. Zune started using 100% cpu on verifying certs and dropping my connection all the time. Help! So I haven't made much progress. I will try again later. Hope it will go better. And I will try to resign an existing executable, as Flow WP7 suggested.
According to policy on my omnia (webserver dumped) there seems to exist two typed of HDD, one ROM hard coded and one that points to internal sd card. It seems that all exe and dll on the sd are not "protected" and therefore can be hijacked.
Seems like ARMv4 will be enough, but to be on the safe side i compile with both, to have more chance getting it work.
Zune, hmm, did not seem to like you, maybe Microsoft DDOS'ed you lol
"Sent from my fingers on my phone", don't expect way too long text
XxXPachaXxX said:
Excuse my ignorance...I'm a noob...This hack may also work on LG devices?
Click to expand...
Click to collapse
At the moment fiinix and I are both working on Samsungs and we use a couple of Samsung-specific exploit to get deeper in the system and getting a better understanding of the system. The ultimate goal is to find exploits that will work for all devices. But we're not at that stage yet. Hacking is research, a lot of trying and being lucky sometimes. Just bear with us
Ciao,
Heathcliff74
Various aspects of the Nook system are signed with a signature from Barnes & Noble.
There are a few places where signatures are compared.
Various system apps used a single "shared id" and they must all have the same signature.
/system/framework/framework-res.apk must have a correct signature with respect to AndroidManifest.xml.
In any case, it's your Nook, what are you going to do?
Re-signing the system
make a full backup and make sure that it is good
create your own signature http://developer.android.com/tools/publishing/app-signing.html
make a directory for your patch
create the subdirectory META-INF\com\google\android\
put a copy of update-binary in there
write a updater-script and put it in there
create the subdirectory system\app
create the subdirectory system\framework
For each of your APKs in /system/app and also /system/framework/framework-res.apk:
unzip them somewhere
delete the whole directory META-INF from them
zip the directory
jarsigner them with your own personal signature
zipalign the APK (optional if you are lazy and don't see the point)
put it in the appropriate patch directory
Then:
zip the patch directory
copy it to your SD card
make sure that your WiFi is turned on if you are using ADB over WiFi!
recovery boot using ClockworkMod
install the patch from SD card
reboot
updater-script
Code:
# Replace signed components
mount("ext2", "/dev/block/mmcblk0p5", "/system");
package_extract_dir("system/app", "/system/app");
package_extract_dir("system/framework", "/system/framework");
unmount("/system");
# Delete packages.xml
mount("ext3", "/dev/block/mmcblk0p8", "/data");
delete("/data/system/packages.xml");
unmount("/data");
Flies in the ointment, caveats, etc...
The packages.xml contains some form of certs that have all changed.
Right now, the simplest way I know to deal with this is just to delete packages.xml.
The problem is, this will break most user applications since the user IDs will no longer agree.
The easiest thing to do is just to reinstall them.
For applications with a lot of data, it would be best to back up the configs or data.
When you first boot up, you may think that you are in a "boot loop".
The boot animation will run continuously.
If you have ADB connect still (and you had better!) you can fix this.
Your launcher application is probably causing lots of error on startup.
There are two ways to fix the problem with the launcher (or any other app)
uninstall and reinstall it
go into /data/data/com.myapp.whatever and chown everything to the user id of the application.
Code:
busybox chown -R 10011: databases
Don't chown the lib directory if there is one.
Then you should have a device that boots up normally.
Good luck, Mr. Phelps.
Renate NST said:
create your own signature http://developer.android.com/tools/publishing/app-signing.html
Click to expand...
Click to collapse
Renate,
Won’t it be easier to use Andriod media key?
If we do, we can patch packages.xml, instead of deleting it, right?
Renate NST said:
For each of your APKs in /system/app and also /system/framework/framework-res.apk:
unzip them somewhere
delete the whole directory META-INF from them
zip the directory
jarsigner them with your own personal signature
zipalign the APK (optional if you are lazy and don't see the point)
put it in the appropriate patch directory
Click to expand...
Click to collapse
I wrote a script to do just that, can be adapted easily...
Code:
@set keystore=..\keys\media.jks
@set storepass=android
@set alias=media
@set resigned_dir=.\new
@for %%i in ( .\*.apk ) do @(
echo %%i
copy %%i %resigned_dir%\%%~ni_%%~xi
zip -d %resigned_dir%\%%~ni_%%~xi META-INF\*
jarsigner -keystore %keystore% -storepass %storepass% %resigned_dir%\%%~ni_%%~xi %alias%
zipalign -f 4 %resigned_dir%\%%~ni_%%~xi %resigned_dir%\%%~ni%%~xi
del %resigned_dir%\%%~ni_%%~xi
)
@goto :eof
Just my 2 cents…
---------- Post added at 04:31 PM ---------- Previous post was at 04:22 PM ----------
Renate NST said:
...
Then you should have a device that boots up normally.
Good luck, Mr. Phelps.
Click to expand...
Click to collapse
Guys,
If you run into a problem following Renate steps, it’ll be practically impossible to troubleshot without logcat log.
It might be a bit safer to use ADB over USB then over Wireless.
Even if you run into boot loop, ADB should work still.
I’m not 100% sure, if you need framework operational to establish wireless connection (for ADB to use).
ADB over USB definitely doesn't need framework running.
Yes, of course I used a script to resign the individual APKs.
Yours is nice though.
I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?
Did you re-sign framework-res.apk too?
Well, one advantage of deleting packages.xml is that it gets rid of the cruft.
I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.
P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.
It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.
That's also a warning to not presume that your Nook is dead just because the display loops.
Renate NST said:
Yes, of course I used a script to resign the individual APKs.
Yours is nice though.
Click to expand...
Click to collapse
Thank you!
Renate NST said:
I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?
Click to expand...
Click to collapse
I don’t remember now, it was long time ago.
AFAIR, it was 4 keys
testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.
You can download them still from Google repository
http://mirror.yongbok.net/pub/pub/linux/android/repository/build/target/product/security/
Most ppl call media key androiddebug key, don’t ask me why.
Renate NST said:
Did you re-sign framework-res.apk too?
Click to expand...
Click to collapse
Not as of now. Waiting for your Reader.apk...
Renate NST said:
Well, one advantage of deleting packages.xml is that it gets rid of the cruft.
I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.
Click to expand...
Click to collapse
I dunno if it recreates UserID properly.
I.e. you have apps A, B, C installed they got UserIDs 10001, 10002 & 10003 respectively.
Then you uninstall A & B and delete delete packages.xml, would C get 10003 still?
Need to test it.
Renate NST said:
P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.
Click to expand...
Click to collapse
Yep. Thanks for confirming this!
Renate NST said:
It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.
That's also a warning to not presume that your Nook is dead just because the display loops.
Click to expand...
Click to collapse
When I see Nook booting image "with running dots", ADB is up already.
I was under impressing that’s the image ppl see while in boot loop.
ps shows it as bootanimation process
I guess, we are NOT on the same page again…
The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.
Renate NST said:
The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.
Click to expand...
Click to collapse
Renate,
I neither completely agree with you on bootanimation app nor want to pollute this thread with useless (IMO) discussion about it. If you want discuss it further – could you open another thread?
Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.
There are a number of problems with that, starting out that the opening screen is white on white.
Also, my Nook seems to think it's a phone now and the hack that I did for the "n" button is broken.
I switched back to the stock version.
On the plus side, my Nook now opens with just a button press and no swiping.
I remember some people were interested in that.
It's probably something in settings.db
Renate NST said:
Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.
Click to expand...
Click to collapse
AFAIR, everything on emulator is signed with keys I posted and nothing with B&N key - you don't need to resign.
Renate NST said:
Various aspects of the Nook system are signed with a signature from Barnes & Noble.
Click to expand...
Click to collapse
Renate,
I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Pull (backup) them to PC
Resign
Stop framework
Push resigned APKs to NST
Replace B&N cert reference in packages.xml to the one we used
Start framework
It might be some manual steps...
Do you think it might be useful?
And another script to restore...
First thing, I think that doing a system update to replace (as recommended in my first post) is overkill.
I wasn't sure whether simply starting and stopping the framework from the shell would be sufficient.
Apparently it is.
My only excuse is that I've bricked my Nook about 20 times and was being conservative.
What you want to sign your Nook with is your choice.
I hadn't looked into using any common signatures.
Android only mentions the single debug key in their documentation.
The emulator apks are signed with an Android signature, but not the same as the debug key.
ApokrifX said:
I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Click to expand...
Click to collapse
Ok, but there is also all the other sharedUserId="1000"
I'm not sure how the cert references work in packages.xml
Does it work for framework-res.apk too?
Looks like I cannot answer your question.
I guess, we can create a table [sharedUserId] – [App], [sharedUserId] – [Cert] and [Cert] - [App]
It can shed some light on how it works.
I can see same sharedUserId used with different certs, so apps should use different android users...
See below:
Don’t know how to map sharedUserId to android user yet.
My [current] understanding is:
userId "10000" and above are apps generated.
Below – for system use.
I have now:
<package name="com.bn.nook.quickstart" codePath="/system/app/QuickStartActivity.apk" system="true" ts="1217592000000" version="7" sharedUserId="1000">
<cert index="4" />
<package name="com.google.android.server.checkin" codePath="/system/app/GoogleCheckin.apk" system="true" ts="1292347460000" version="7" sharedUserId="1000">
<sigs count="1">
<cert index="13" />
Obviously, due to cert mismatch, "com.bn.nook.quickstart" & "com.google.android.server.checkin" should use different users.
---------- Post added at 09:29 PM ---------- Previous post was at 09:04 PM ----------
ApokrifX said:
Looks like I cannot answer your question.
I guess, we can create a table [sharedUserId] – [App], [sharedUserId] – [Cert] and [Cert] - [App]
It can shed some light on how it works.
Click to expand...
Click to collapse
Here we go:
Code:
0 10019 com.google.android.apps.gtalkservice /system/app/gtalkservice.apk
0 10019 com.google.android.googleapps /system/app/GoogleApps.apk
0 10019 com.google.android.providers.gmail /system/app/GmailProvider.apk
0 10019 com.google.android.providers.talk /system/app/TalkProvider.apk
0 10021 com.google.android.gm /system/app/Gmail.apk
0 10022 com.android.vending /system/app/Vending.apk
1 10002 com.android.globalsearch /system/app/GlobalSearch.apk
1 10002 com.android.googlesearch /system/app/GoogleSearch.apk
1 10002 com.android.inputmethod.latin /system/app/LatinIME.apk
1 10002 com.android.launcher /system/app/Launcher.apk
1 10002 com.android.providers.applications /system/app/ApplicationsProvider.apk
1 10002 com.android.providers.contacts /system/app/ContactsProvider.apk
1 10002 com.android.providers.userdictionary /system/app/UserDictionaryProvider.apk
10 10001 com.adobe.air /system/app/AirRuntime.apk
10 10017 de.devmil.minimaltext /data/app/mt262.apk
10 10023 com.google.android.talk /system/app/Talk.apk
11 10013 com.ngc.fora /data/app/com.ngc.fora.apk
12 10015 siir.es.adbWireless /data/app/siir.es.adbWireless-1.apk
13 1000 com.google.android.providers.subscribedfeeds /system/app/GoogleSubscribedFeedsProvider.apk
13 1000 com.google.android.server.checkin /system/app/GoogleCheckin.apk
14 10018 com.david1171.minimalistblack /data/app/com.david1171.minimalistblack-1.apk
15 10014 com.smart.swkey /data/app/SWKey21.apk
16 10030 com.asksven.betterbatterystats /data/app/com.asksven.betterbatterystats.apk
17 10027 jackpal.androidterm /data/app/jackpal.androidterm.apk
18 10029 com.googlecode.droidwall.free /data/app/com.googlecode.droidwall.free.apk
19 10016 org.adw.launcher /data/app/org.adw.launcher-1.apk
2 10026 org.coolreader /data/app/org.coolreader.apk
20 10012 com.noshufou.android.su /data/app/Superuser.apk
3 10024 berserker.android.apps.sshdroid /data/app/berserker.android.apps.sshdroid.apk
4 1000 android /system/framework/framework-res.apk
4 1000 com.android.providers.settings /system/app/SettingsProvider.apk
4 1000 com.android.providers.subscribedfeeds /system/app/AccountAndSyncSettings.apk
4 1000 com.android.settings /system/app/Settings.apk
4 1000 com.bn.app.crypto.server /system/app/CryptoServer.apk
4 1000 com.bn.authentication.svc /system/app/BnAuthenticationService.apk
4 1000 com.bn.demomode /system/app/DemoMode.apk
4 1000 com.bn.devicemanager /system/app/DeviceManager.apk
4 1000 com.bn.nook.quickstart /system/app/QuickStartActivity.apk
4 1000 com.bn.syschecksum /system/app/SysChecksum.apk
4 1000 com.bn.waveformdownloader.svc /system/app/WaveformDownloader.apk
4 10005 com.android.certinstaller /system/app/CertInstaller.apk
4 10009 com.android.packageinstaller /system/app/PackageInstaller.apk
4 1001 com.android.phone /system/app/Phone.apk
4 1001 com.android.providers.telephony /system/app/TelephonyProvider.apk
4 10011 android.tts /system/app/TtsService.apk
5 10000 com.android.gallery /system/app/Gallery.apk
5 10000 com.android.providers.downloads /system/app/DownloadProvider.apk
5 10000 com.android.providers.drm /system/app/DrmProvider.apk
5 10000 com.android.providers.media /system/app/MediaProvider.apk
5 10000 com.bn.nook.accessories /system/app/Accessories.apk
5 10000 com.bn.nook.affiledownloadservice /system/app/AFfileDownloadService.apk
5 10000 com.bn.nook.cloud.service /system/app/CloudService.apk
5 10000 com.bn.nook.community /system/app/NookCommunity.apk
5 10000 com.bn.nook.dadmin /system/app/DownloadAdmin.apk
5 10000 com.bn.nook.home /system/app/Home.apk
5 10000 com.bn.nook.library /system/app/Library.apk
5 10000 com.bn.nook.reader.activities /system/app/Reader.apk
5 10000 com.bn.nook.shop /system/app/Shop.apk
5 10000 com.bn.nook.social /system/app/Social.apk
6 10025 com.andoku.two.free /data/app/com.andoku.two.free.apk
7 10028 org.connectbot /data/app/org.connectbot.apk
8 10003 com.bn.cloud.svc /system/app/BnCloudRequestSvc.apk
8 10004 com.android.browser /system/app/Browser.apk
8 10006 com.bn.deviceregistrator /system/app/DeviceRegistrator.apk
8 10007 com.android.htmlviewer /system/app/HTMLViewer.apk
8 10008 com.android.music /system/app/Music.apk
8 10010 com.svox.pico /system/app/PicoTts.apk
9 10020 com.benhirashima.nookcolorsettings /system/app/NookColorTools.apk
ApokrifX said:
Don’t know how to map sharedUserId to android user yet.
Click to expand...
Click to collapse
Need help with this one... :crying:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
All of the other cert indexes go from 2 to 8.
The problem is, these are indexes into something and I don't know what/where that is.
When you change a signature, you have to change the something.
When you change signatures in most cases, the system shrugs and rebuilds packages,xml
It's mostly changing the signature on framework-res.apk (name="android") that causes the biggest problems.
For another perspective on the whole package management, try this:
Code:
dumpsys package > /sdcard/package.txt
(This generates a lot of text, hence the redirect.)
Renate NST said:
Android only mentions the single debug key in their documentation.
Click to expand...
Click to collapse
URL?
Renate NST said:
The emulator apks are signed with an Android signature, but not the same as the debug key.
Click to expand...
Click to collapse
Compared few keys (Subject Key Identifiers) out of curiosity:
Android keys
Code:
testkey 48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
shared CB:4C:7E:2C:DB:B3:F0:AD:A9:8D:AB:79:96:8D:17:2E:9D:BB:1E:D1
platform 4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
media CA:29:3C:AA:8B:C0:ED:3E:54:2E:EF:42:05:A2:BF:F2:B5:7E:4D:75
NC2.1 EMU
Code:
Browser 48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
LatinIME CB:4C:7E:2C:DB:B3:F0:AD:A9:8D:AB:79:96:8D:17:2E:9D:BB:1E:D1
framework-res 4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
MediaProvider CA:29:3C:AA:8B:C0:ED:3E:54:2E:EF:42:05:A2:BF:F2:B5:7E:4D:75
---------- Post added at 10:13 PM ---------- Previous post was at 10:07 PM ----------
Renate NST said:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
All of the other cert indexes go from 2 to 8.
The problem is, these are indexes into something and I don't know what/where that is.
Click to expand...
Click to collapse
Ok. Just to make sure, we are on same page again:
When cert mentioned 1st time, it got encoded right into packages.xml key="3082...9308a"
Next time it used, it's referenced by index.
Code:
<package name="com.google.android.providers.talk" codePath="/system/app/TalkProvider.apk" system="true" ts="1292347460000" version="7" sharedUserId="10019">
<sigs count="1">
<cert index="0" key="3082...9308a" />
...
<package name="com.google.android.googleapps" codePath="/system/app/GoogleApps.apk" system="true" ts="1292347460000" version="130" sharedUserId="10019">
<sigs count="1">
<cert index="0" />
Do you mean something else?
---------- Post added at 10:16 PM ---------- Previous post was at 10:13 PM ----------
Renate NST said:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
Click to expand...
Click to collapse
Interesting...
Could you extract CERT.RSA from "the app" and "the system app" and compare, please?
---------- Post added at 10:22 PM ---------- Previous post was at 10:16 PM ----------
[/COLOR]
Renate NST said:
For another perspective on the whole package management, try this:
Code:
dumpsys package > /sdcard/package.txt
Click to expand...
Click to collapse
How do we map:
Code:
Package [com.asksven.betterbatterystats] (49ea9250):
userId=10030 gids=[1015, 3003]
to names we see with ls -l
ApokrifX said:
URL?
When cert mentioned 1st time, it got encoded right into packages.xml key="3082...9308a"
Next time it used, it's referenced by index.
Click to expand...
Click to collapse
Yup, it looks like you are 100% correct.
FWR signed signed with my key is different than an app signed with my key.
They are the same, except for the last 256 bytes which are different.
As you can see, the keys in package.xml are of different lengths
and at least in the cases that I checked are shorter than length(cert)-256 even.
Moreover the end of the keys in packages.xml don't agree with the same position.
http://developer.android.com/tools/publishing/app-signing.html
The SDK tools create the debug keystore/key with predetermined names/passwords:
Keystore name: "debug.keystore"
Keystore password: "android"
Key alias: "androiddebugkey"
Key password: "android"
CN: "CN=Android Debug,O=Android,C=US"
Click to expand...
Click to collapse
The point is not that this single key is documented, the point is that the others are not.
Renate NST said:
FWR signed signed with my key is different than an app signed with my key.
They are the same, except for the last 256 bytes which are different.
As you can see, the keys in package.xml are of different lengths
and at least in the cases that I checked are shorter than length(cert)-256 even.
Click to expand...
Click to collapse
Right.
Could you compare certs "X509v3 Subject Key Identifier", please?
Renate NST said:
Moreover the end of the keys in packages.xml don't agree with the same position.
Click to expand...
Click to collapse
I’m not sure, I get this...
Renate NST said:
The point is not that this single key is documented, the point is that the others are not.
Click to expand...
Click to collapse
---------- Post added at 11:15 PM ---------- Previous post was at 11:01 PM ----------
Looks like in certs in packages.xml are stored in pkcs8 hex format:
shared.pk8
Code:
0000000000: 30 82 04 BE 02 01 00 30 │ 0D 06 09 2A 86 48 86 F7
0000000010: 0D 01 01 01 05 00 04 82 │ 04 A8 30 82 04 A4 02 01
0000000020: 00 02 82 01 01 00 C8 C2 │ DB FD 09 4A 2D F4 5C 3F
0000000030: F1 A3 2E D2 18 05 EC 72 │ FC 58 D0 17 97 1B D0 F6
packages.xml
Code:
<cert index="2" key="3082...b2db" />
They can be easily dumped from packages.xml right into pkcs8 format, no need to get them from packages.
I know practically nothing about signing and certs specifically.
Taking this as a black box question:
Given a signed package, extract the cert with a zip tool,
how do you convert that data into something to write into packages.xml?
Yes, all the ASCII text is in both of these but the cert in the apk and the cert in packages are wildly different.
Yes, you could make a project of this and delve into the Android code to see where it all comes from but the effort seems excessive.
We know that if you delete packages.xml entirely it will get rebuilt (although not with the same non-shared ids as before).
Why not try just deleting all the certs and leaving the rest of it alone?
Renate NST said:
I know practically nothing about signing and certs specifically.
Taking this as a black box question:
Given a signed package, extract the cert with a zip tool,
how do you convert that data into something to write into packages.xml?
Click to expand...
Click to collapse
I didn’t do this part yet.
I guess, a bit fiddling with openssl or keytool will do just fine.
Renate NST said:
Yes, all the ASCII text is in both of these but the cert in the apk and the cert in packages are wildly different.
Click to expand...
Click to collapse
If you post both (from packages.xml), I’ll decrypt them.
I’m pretty sure, they are different.
Renate NST said:
Yes, you could make a project of this and delve into the Android code to see where it all comes from but the effort seems excessive.
Click to expand...
Click to collapse
Yep. There is no point.
Renate NST said:
We know that if you delete packages.xml entirely it will get rebuilt (although not with the same non-shared ids as before).
Why not try just deleting all the certs and leaving the rest of it alone?
Click to expand...
Click to collapse
I wrote already, what might be different if you do it.
IMO, just patching it might be safer...
BTW: I decoded certs from packages.xml - there 4 different ones from B&N there.
ApokrifX said:
I decoded certs from packages.xml - there 4 different ones from B&N there.
Click to expand...
Click to collapse
I still don't know what the tool is or how it operates.
I'm not saying that what is packed in an APK is different in substance from the cert in packages.xml,
I'm just saying that they are not trivially binary convertible from one to another.
If you just delete packages.xml you can either fix the non-shared user ids in packages
or fix the owners for /data/data directories.
I already have an auditing tool for resolving such user id discrepancies
and finding orphaned /data/data directories for apps that were deleted and not uninstalled.
It doesn't do anything, but it reports it so that you can.
Renate NST said:
I still don't know what the tool is or how it operates.
I'm not saying that what is packed in an APK is different in substance from the cert in packages.xml,
I'm just saying that they are not trivially binary convertible from one to another.
Click to expand...
Click to collapse
I dunno, they are trivially convertible, try for yourself:
Unzip CERT.RSA from stock Reader.apk
Obviously (or not), CERT.RSA is pkcs7 and certs in packages.xml are hex strings x509
Let’s convert pkcs7 -> x509
Code:
openssl pkcs7 -inform DER -in CERT.RSA -out CERT.PEM -print_certs
openssl x509 -inform PEM -in CERT.PEM -outform DER -out CERT.x509.DER
Now open CERT.x509.DER is any hex editor:
Code:
0000000000: 30 82 04 96 30 82 03 7E │ A0 03 02 01 02 02 09 00
0000000010: CF 3F 93 2A 95 18 91 A5 │ 30 0D 06 09 2A 86 48 86
...
0000000480: BF 46 EB 99 2F F8 A8 9A │ 1F 66 2D 91 4F 0C 93 FE
0000000490: 44 7D 2F D0 C2 CC DC F7 │ 5E 84
And compare with packages.xml
Code:
<cert index="5" key="308204963082037ea003020102020900cf3f932a951891a5300d06092a864886
…
bf46eb992ff8a89a1f662d914f0c93fe447d2fd0c2ccdcf75e84" />
Renate NST said:
If you just delete packages.xml you can either fix the non-shared user ids in packages or fix the owners for /data/data directories.
I already have an auditing tool for resolving such user id discrepancies
and finding orphaned /data/data directories for apps that were deleted and not uninstalled.
It doesn't do anything, but it reports it so that you can.
Click to expand...
Click to collapse
What about this case:
ApokrifX said:
I dunno if it recreates UserID properly.
I.e. you have apps A, B, C installed they got UserIDs 10001, 10002 & 10003 respectively.
Then you uninstall A & B and delete delete packages.xml, would C get 10003 still?
Need to test it.
Click to expand...
Click to collapse
Do we need to do anything manually or deleting packages.xml will recreates everything properly?
Well, you seem to have a handle on all this.
I've never heard of pkcs7 or any of its friends.
Deleting packages.xml will result in the non-shared user ids to be assigned in order as the APKs are discovered by the PackageManager.
User ids are only used for file permissions on /data/data as far as I know.
Hello XDA users, deciding to post this here because i figured it could get some use/i could get some feedback
(Placing it in general because i honestly dont think it could work anywhere else)
Basicly over the past few months ive been taking my multiple script for android, & rewriting/compressing into 1 library
& adding features/functionality that i consider useful. This script has never touched a PC, & only been written on android
(BTEP & DroidEdit Pro), & is designed to:
A.) Extend the basic terminals functionality.
B.) Extend customized scripts, & making scripting semi-easier.
C.) Offer multi-device compatibility while keeping origional functionality.
The script is capable of determining all critical variables on initialization, from
partitions (both mount name, & partition number can be easily obtained), OS/ANDROID version/type
Execution mode (source/exec), Autodetect instigator (Eg: boot, script, shell, etc.) If present, Execution level,
Etc, seamlessly before scripts execution, & modify its own execution accordingly.
The script can be used in a similar method to busybox (Eg, can be called directly, or through symlink
(Symbolic link) using functions name, & allows adding multiple switches at runtime which can totaly
Customize execution without touching a configuration (yes, it does support configurations).
Or for script/shell, can be sourced for max performance & increased functionality.
This script is designed to be as native as possible, & only requires busybox/toolbox, & bash (4.1+)
(Systems default/sh) is not sufficient.
Readme (1/2, Read 2nd post):
Code:
----------------------------------------------------------------------------------------------------
Table of contents:
1.) Basic information
2.) Installation
3.) Usage
3a.) Basic commandline switches
4.) Included functions & definitions (Execution)
4a.) Included functions & definitions (Source only)
##########################################################################################################
Basic Information 1.
SuperBox is a multi-call, multi-execution function library (think busybox with bash & sourcing),
built on ANDROID, For ANDROID, Designed to increase script efficiency, & offer "unstandard"
multi-device functionality, & some functionality considered "missing" from ANDROID/Linux by default.
##########################################################################################################
Installation 2.
Superbox is designed to be easy to install/use, and requires very few steps/dependancies to install.
Before installing, please check this small list of prerequisites & insure you have the required
dependancies to ensure correct installation, the following are required:
a.) BASH 4.x (4.0+) installed & linked to '/system/bin' & '/system/xbin', Systems default is not
sufficient & cannot support SuperBox in all needed areas.
b.) BusyBox 1.18+ (tested on v1.19.4), Please ensure toolbox is also fully installed.
c.) Device must be rooted & running S-off (insecure kernel, read kernel documentation)
This part can be bypassed if installing through recovery. Some features will be limited.
d.) SuperBox is a terminal/script expansion toolkit, as such, a terminal emulator (Such as BTEP aka:
Better Terminal Emulator Pro, or similar) is recommended for optimal usage.
if your device can meet the above requirements, you are ready to install.
To install, simply move the downloaded script (superbox, or superbox.txt) to either '/system/bin', or
'/system/xbin', if the downloaded file has an extension, remove it.
Set permissions to 755 (rwxr-xr-x), Once complete, open your preferred terminal, & type 'su -c bash'
once in bash, type 'superbox' (or whatever you named the script), or 'superbox --info', if the operation
succeeded without error, you can begin full installation, Simply type either:
'superbox --install', or 'superbox --install <FUNCTION> to fully install, or install specific function.
See section 3a (Basic commandline switches) for full list of available switches, or section 4
(Included functions) for list of executable functions.
##########################################################################################################
Usage: 3.
SuperBox allows multiple methods of execution, & preferred method is left completely up to the user.
Sourcing:
SuperBox can be sourced either in terminal, or script, using something similar to
'. superbox', or '. ./superbox' if kept in unstandard path. if sourcing in terminal & script appears
to continue to execute, Try adding '--noboot' switch (see section 3a).
Script allows extra functionality not typically available in execution mode.
Execution:
this is the most typical use for superbox, & as easy as typing 'superbox <function>' or '<function>'
when fully installed. For list of all available functions, use 'superbox --list' to generate full list
of available applets, Please note that when using '--list' or even app count when using '--info' is
only listing execution type applets, Source functions are NOT included in this list.
----------------------------------------------------------------------------------------------------------
Basic commandline switches 3a.
SuperBox allows adding additional variables through commandline to modify per-execution variables,
Without editing a configuration, or worrying about recurrent changes. These variables effect a wide
range of scripts functions, & are available in 2 levels,
1.) SuperBox switches:
These switches effect the script as a whole, & are listed/added by the double-hyphon prefix ('--')
These are the only switches listed in this readme, for individual functions switches, please use
'superbox <function> --help' or '<function> --help' if fully installed.
1.) Function switches:
These switches only effect the function being processed, & are listed by a single-hyphon ("-"),
These are not available in all functions. Function switches should be used after superbox switches.
SuperBox switches:
The following MUST be passed as MODE & must be called directly from SuperBox, Eg:
'superbox --<MODE>', Not capable of being passed as variable.
install | Usage: '--install <FUNCTION> --installto={PATH}', Generates symbolic link for FUNCTION in
| PATH, if no FUNCTION specified, installs all, if no path, Default is used.
remove | Usage: '--remove <FUNCTION>', Opposite of above, Removes link for specified function.
| Scans system to find symbolic link, use '--full' switch to scan full recursive.
chkbb | Checks install status of busybox, & capable of generating missing links, use '--fix' to
| auto repair any/all missing links.
version | Displays installed SuperBox's version.
list | Lists all included execution-capable functions included in current version.
The following are to be used after mode (function listing), Eg: 'superbox <MODE> --<SWITCH>' or
'<MODE> --<SWITCH> when fully installed.
debug | Forces debugging on script (uses 'set -x' command), applies to script as a whole.
bb/tb | Pre-determines which busybox/toolbox versions to use, Must be used as '--bb=/path/to/file'
| or '--bb/path/to/file', Specifying invalid input will restore defaults when executing.
color | Default Colors for modes allowing color. sets color based on position in strings, Eg:
| '012345678' (upto 9 characters) where: 0=Error, 1=Note/Highlight, 2=Note2, 3=Normal,
| 4=File, 5=Path, 6=Link, 7=Background, 8=border, use pound (#) in place of unused spacing.
| for full listing of colors, Please see 'manfunc Col'
nocolor | Overrides above switch, & disables color in all segments.
installto | Modify install location for current component. (Used as '--installto={PATH}')
| MUST be used after install mode (Effects most file-based sections).
file | Usage: '--file="{/FULL/PATH/TO/FILE}"', used to set file path/name for specific segments
| Only effects segments where single-file processing is key.
local | Usage: '--local=\"{PATH\"', Assign path to use as local directory.
home | Usage: '--home=\"{PATH\"', Assign path to use as home directory, Use above over this.
time | Usage: "--time='{FORMAT}'", Specify time format (see '--timef'), (used for Lecho, etc.).
timefull | Usage: "--timef='{FORMAT}'", Specify full time/date format for script. %Y=4-digit year,
| %m=2-digit month, %d=2-digit day, %H=2-digit hr (24hr), %l=hour (12hr), %M=2-digit min,
| %S=2-digit seconds, %h=print month, %l=hour (12hr), %a=3-char day, %c=full (default).
log | Usage: '--log=<LEVEL>', set logging level/mode for script. *BROKEN, DONT USE*
logfile | Can only be used with '--log' greater then 1. Usage '--logfile=\"{PATH/FILE}\"'
tmpfile | specify temporary file to use for processing some segments.
tmppath | specify temporary path to use when needed for processing some segments.
list | Lists all included execution-level functions in current build.
help | Use immediately after <APPLET> to display information & usage on selected applet, Some
| applets will only display partial information by default, Use '--full' after help to
| display full information on specified function.
fix | Multipurpose switch, Allows bypassing non-critical errors, allows repairing any/all
| fixable errors, & serves to aid some functions.
silent/q | silences most (non-critical) output from STDOUT.
##########################################################################################################
*NOTE
some functions might not be considered 'main stream' or correct, but through trial & error, seem to work
Best with the chosen method.
Some functions are a WiP, might not be functioning correctly.
If you experience an issue, or have a suggestion, Please let me know.
**EDIT**
Updated, most functions should work correctly now.
Readme (2/2):
Code:
Included Functions (Execution) 4.
alignapk <file>
> Automaticly align <file> if specified, or all installed apks otherwise. can specify specific apk, or
simply apk name if apk is installed. Ex: 'alignapk systemui' is equivalent to
'alignapk /system/app/SystemUI.apk", extension (apk) is not needed, if path is specified, must be case
specific, otherwise alignapk will attempt to process case insensitive. Script will generate a SQL
database by default, but can specify text-based database with customized settings (See default config)
bam <Process1> <Process2>...
> kill any running processes matching specified input. Partial matches are supported, Eg:
'bam media' can kill 'android.process.media', aswell as any/all packagenames including 'media'
baseext <FILE> <MODE>
> echos the base extension of <FILE> if no MODE specified, or filename without extension if <MODE> is 1.
Anything else will display File with 'MODE' as extension, Eg: 'baseext ex ample' will return ex.ample
bar <var1> <var2> <var3>..
> displays accurate progress bar on screen, with the default terminal width as overall length.
Supports multiple customizable parameters. Only supports duration & strict percentage in current
build, More uses will be added in future builds (Eg: watch process, count, etc). Supported switches:
-t | Specify total time to run the bar, Usage: '-t=' where '' is scripts duration.
-p | Specify strict percentage to display (dont count) Eg: '-p60' will display 60% progress & quit.
-e | Specify displayed text when running the bar, multiline supported, can use script variables.
-d | Specify ASCII character to use for generating progress bar. default is '='.
-w | Override default width to use when processing bar, default is terminals width.
-n | Show progress Percentage (%) rather then progress bar (-b works as the oppisite)
-s | Display incrementing progress bar (jumps by ~1%) rather then the per-increment jump.
-k | same as '-s', but shows percentage at end of bar. (will increase exec time)
basepath <PATH>
> echos the base path or mount point (closest to rootfs) of <PATH>
byte <BYTES>
> Automagicly calculates Bytes(B)/kilobytes (Kb)/Megabytes (Mb)/Gigabytes (Gb) based on
on given Number in 'BYTES' on the *1024 principle, Eg: 'byte 1024 = 1Kb', Supports decimal places,
& maximum decimal points can be modified by 'MaxDec=' variable. Uses rounding to strip access.
Using '0' as 2nd variable will remove non-numaric characters from return (Eg: 'Kb/Mb/Gb/etc.).
Using '1' as 2nd variable will seperate non-numaric & numaric characters (Eg: '1Kb' would b '1 Kb').
calc <VAL EXPR VAL> or echo "VAL EXPR VAL"|calc
> similar basic functionality to 'bc', mini calculator script using 'awk' & 'printf', Supports Piping,
(function|function), float integers (decimals) & multiple types of arithmatic.
chrg_type <MODE>
> Quickly determines where the device is currently getting power from. Following modes are supported:
0 = Quiet output, returns 0-2 for Battery/AC/USB respectively.
1 = similar to '0', but displays code Aswell as return code.
2 = displays source (Eg: Battery/AC/USB), all other modes will simply display string.
chkdir <PATH> <PERM> <OWNER.GROUP>
> Checks existance of <PATH>, calls 'mkdir -p' if not exist, & sets permissions <PERM>
(numaric) when creating, & sets owner/group if spedified.
chksize <MOUNT> <CHECK> <ECHO>
> Checks if <MOUNT> has <CHECK> mb free (good for checking before extracting/installing). Returns 1/0
accordingly. set <ECHO> to 0 to use errorcode & disable echoing to STDOUT (if statment, (echo $?))
chkstate <INPUT> <EXEC_CMD>
> Determines if <INPUT> is available for script use, able to detect functions, aliases, links, binaries,
files, Variables, etc. specify <EXEC_CMD> to exwcute <INPUT> if detected. (binaries/functions/etc.)
Col <STRING> <MODE> or Col <STRING>
> Used for colored text Replace 'Col' with either: Bla(ck), Blu(e), Red, Gre(en), Whi(te), Mag(enta),
Cya(n), Yel(low). Ex: 'Bla "sample text" 1', Available modes are: 1=Bold, 2=Underline, 3=colorfill
(switches background/text), 4=no newline, 5=bold (no newline), 6=underline (no newline).
columns <MODE>"
> prints available columns, Set <MODE> to 1 to print number of lines (height of prompt).
conv <celsius|fahrenheit> <TEMP>, or conv <F> <T> "<STRING>"
> a rather bloated conversion script capable of converting tempuratures, or string to various formats.
-When converting tempuratures, both 'conv c 100', & 'conv 100c' are correct & will output sum
-When converting string, 'F' (From) & 'T' (To) must be specified to begin calculation.
'F' & 'T' can be one of the following: 'a' (ascii) (normal text), 'b' (binary, outputs 8-digit binary
code for each character specified), or 'h' (hexadecimal), when processing from hex, 4th variable
specifies preceeding character(s) to add to each return (default is '\x'), if set to 0, no characters
are added to string, only 2-digit hex is returned, For example: 'conv a h hello' (no 4th variable)
returns '\x68\x65\x6C\x6C\x6F', while 'conv a h hello 0' returns '68656C6C6F'.
divider <LENGTH> or divider -d<CHAR> <LENGTH>
> generates a bar (String of character(s) or CHAR if set), <LENGTH> characters long, if no LENGTH set,
total width of terminal window is used. Use '-d<CHAR> to customize character, Default is pound ('')
Eco <ABCDE> "TEXT"
> Echos <TEXT> with specific atributes, based on <ABCDE>, where: A=Line only [0|1], B=no newline[0|1],
C=(Bold[1], Underline[2], None[0]), D=Text color, E=Background color. Valid colors include:
0 - black, 1 - Red, 2 - Green, 3 - Yellow, 4 - Blue, 5 - Magenta, 6 - Cyan, 7 - White
ex <path/to/file>
> Extract archive to designated path, & even allows recompiling. use '--help' for more information.
exist <INPUT>
> Attempts to detect input & gives return code depending on findings Eg: 3=Dir, 2=Link, 1=File, 0=none.
fdate <INPUT>
> Same usability as 'busybox date -r', Returns modified date of <INPUT> Output can be adjusted
using '--timef' switch.
FixCl
> Returns color to normal, regardless of user-preset defaults.
getblock <MOUNT_NAME>
> Simply echos the block ID of requested point, saves a lot on scripting & allows true multi-device
compatibility. Usage as: 'getblock system'
gnasty <OPTIONS> <PATH>, Or 'gnasty <PATH>'
> Searches for files/paths with names containing invalid characters such as
[+ { ; " \ = ? ~ ( ) < > & * | $], Prints any/all links, includes full path by default. Modes include:
-d - specify directory, used as '-d={PATH}', not needed in most cases.
-m - Max search depth from directory, cannot be less then 1 (default). Usage: '-m' or '-m='.
-i - Display files inode (index number), useful for looping output to irm.
ipath <path>
> Will auto-correct <path> to case-sensitive (if exist) when input does not match case
(case-insensitive path correction through function)
irm [-irRfna] FILE, or 'irm FILE'
> remove (unlink) FILE using inode (index number). used for files/paths with illegal
characters in the name, (Eg: '+ { ; \" \\ = ? ~ ( ) < > & * | $'). The following modes are supported:
-i - Always prompt before removal | -f - Never prompt before removal
-r|-R - Remove file(s)/path recursively | -a - Only use name (no inode, replicating busybox rm)
-n - Ignored, used solely for script use.
is_num <STRING>
> Checks if 'STRING' is numaric (Contains only numbers), Returns 0 if true, 1 otherwise.
Can use '1' as second variable to echo result aswell as return code, eg 'is_num <STR> 1'.
lc "<INPUT>"
> Switches input to all lowercase, supports whitespace/newline, no limitations.
Lecho <MODE> <TEXT> <FILE1> <FILE2>
> Used to pipe text to log (while removing color/string data) & terminal.
If no file specified, Simply replicates echo with log header. Supports the following headers:
1=' : ' (default), 2='[!]' (error), 3=' > ' (note), 4=' ' (continuation).
lperm <PATH|FILE> <MODE>
> Execute user pre-generated configurations (mperm) based on input, can choose to either restore whole
path to configured state, or simply process 1 file from said config.
set <MODE> to 0 to disable recursive loading (dont descend into subdirectories).
manfunc <function>
> Displays available information for selected function, Operates identical to: '<function> --help'.
many <TEST> <STRING>
> Determine how many times <TEST> appears in <STRING>
md5 <string>
> Generates md5 hash from string (or filename).
mk <path/to/directory_or_file_to_archive>
> Use 7-Zip to build specified archive efficiently through script. While keeping full functionality
(and even adding), Supports 7z, zip, xz, bzip2, gzip, tar, & wim archive types. use '--help' for info
mod <OPTION> <var1> <var2>
> Modifies particular segments of device: Following options are supported:
b | brightness Modifies LCD (Display) brightness NOT supported on some devices.
display | Modify current pixal density, Eccepts numarical value (like lcd.density in build.prop),
Changes are made on the fly, & will reset all open applications, use with caution, can use
'reset' to reload default density from build.prop, Usage: 'mod density <value>'.
mperm <PATH|FILE> <MODE>
> Generate configuration for specified input, recording type, Permissions, Owner & Group, These configs
can then be loaded at any point specified, or ondemand using lperm, Supports the following modes:
0=non-recursive, 1=ignore errors,
myip
Display devices current IP, using nothing but wget, making it the trimmest ip oneliner around :)
ofcourse, internet connection is required.
nocl <STRING>
> Removes color variables from <STRING> to allow recording dato to log.
pinfo <NAME> <MODE>
> Neatly Prints process information for specified <NAME>, Supports the following modes:
1=Display PID (replicating pgrep), 2=Displays processes full Name, 3=Displays Parent Ppid,
4=display all options, 5=Display processes adj lvl, 6=Displays current State, S=sleeping, R=running,
7=Displays Owner, 8=Displays the Group (if set).
pos <VAL> <STRING>
> Displays start point(s) of 'VAL' in string, If multiple instances are detected, prints all starting
points seperated by customizable delimiter (Default is " " (whitespace)). If using custom delimiter,
('-d' switch), switch MUST be passed as first variable & specified as '-d%' where '%' is the new
character to use, Eg: instead of: 'pos hi hellohiwatup', Use: 'pos -d% hi hellohiwatup'.
Only effects multiple occurences of 'VAR'.
printl <FILE> <START> <END>
> Prints specific line(s) from FILE, If END is unspecified, prints 1 line, Otherwise prints from 'START'
to 'END', Using 'EOF' for 'END' will print to end of 'FILE', Using 'C' for 'START' will count lines.
pwr <mode>
> Advanced power control, with additional modes, which should work on multiple devices, Available modes:
reboot | reboot device, can use 'reset' aswell with same effect. can use 'hot' as 3rd variable to
perform hot reboot (still performs sync), simply reboots OS without rebooting kernel.
off | shutdown device, does exactly as stated.
download| Reboot into download mode. Might not be supported on some devices.
recovery| Reboot into recovery mode. Might not be supported on some devices.
wipe | Wipes cache/dalvik, then performs full reboot.
fc | Set fast-charge mode (needs kernel support), Eg: 'pwr fc 1' to enable, 'pwr fc 0' to disable
Using 'pwr fc' will display status, or support if unsupported.
rand <LENGTH> <MODE>
> Output random string 'LENGTH' characters long (Default is 32), if 'Mode' is unspecified, or is
Invalid, Output will consist of all printable characters. The following modes are available:
0 - Only print Letters (Upper & lower case) & digits
1 - Only print Letters (Upper & lower case)
2 - Only print digits
3 - Only print letters (Upper case)
4 - Only print letters (Lower case)
readperm <STRING>
> Opposite of 'showperm', displays permissions level from readable string. Easier to use switch
(& even switch again). Sticky/"special" fully supported. Again, 'switch' is easier/cleaner to manage.
remount <MODE> <0|1>
> remounts system & rootfs in specified mode, Second variable in string is unneeded But determines
check state, 1 will use rootfs as check, 0 will use '$System' (default), Use '--help' for more info
rootrw/rootro
> Mounts 'rootfs' as R/W (Read/Write) & R/O (Read/Only) respectively, similar to miniscripts included
in most Roms, With the exception that it utilizes the autodetection available in script, & should
work on any device/rom.
setlength "<STRING>" <POSITION> <LENGTH>
> displays the adjusted value of <STRING>, & should be under <LENGTH>,
autocorrects/centers based on given input, If no length is specified, 'Cw' (Common width) is used,
or scripts cefault. for position, -1 is right, 0 is left, 1 is center.
setown <FILE|PATH> <OWNER.GROUP>
> Glorified chown, With logging support.
setperm <FILE|PATH> <PERM>
> Glorified chmod, With logging support.
setprops
> Similar functionality to 'sysctl' Set system properties from configuration.
Can use '--file' to Specify reference file.
setval <VARNAME> <POINT> <FORCE> <POINT2> <FALLBACK_VALUE>
> Set values on system files, up to 2 points can be set for a variable, Can also specify fallback
If no value set in VARNAME. and no default, VARNAME, is used to reference the variable in error
sha256/sha512 <string>
> Generates sha512/sha256 encoded hash from string, similar to 'md5' function.
showperm <PERM_STRING>
> Displays permissions string in readable form from input, sticky/"special" notes are fully supported.
Switch is easier to use & capable of doing both.
size <MODE> <POINT> <[1,MB|2,AUTO|*,KB]>
> Echos the value of specified mode on specified <POINT> (modes 1-4 are for mount points).
If incorrect mount specified, Returns errorcode. Automaticly fixes missing '/' on specified mount if
not present. Third variable specifys out format. 1 is Mb, 2 is auto (kb/mb/gb with tags), * is kb
only (default), Following Modes are supported: 1=Full size, 2=Used space, 3=Used %, 4=Free space,
5=Size (use for files/paths, will not work on mounts, added '5' on request).
stype <INPUT>
> Defines file type & offers return code based on existance. Returns the following:
0=no input, 1=File, 2=Function, 3=Keyword, 4=Builtin, 5=Directory, 6=Variable, 7=Unknown/not exist.
switch <STRING>
> Switch permissions string from either human readable (rwxrwxrwx) or Numaric (777), or vice versa.
sysrw/sysro
> Mounts '/system' as R/W (Read/Write) & R/O (Read/Only) respectively, similar to miniscripts included
in most Roms, With the exception that it utilizes the autodetection available in script, & should
work on any device/rom.
sput <mode> <option1> <option2>
> large function resembling 'tput', rebuilt for 'light' or dumb terminals, should work for most scripts
requiring tput, use 'sput --help' for more information on available options.
toggle <string>
> Checks if <string> can be considered a "true or false" statement, eg: 'toggle 1' would be '0',
'toggle yes' is 'no', 'toggle on' is off, etc. Uses 'togglevars' string. case inspecific.
tree <path>, or tree --arguments -triggers <path>
> Displays directory information based on user input, if no input specified, Current path is used.
Allows using 'tree.cfg' in '$LocalPath' directory. Use '--help --full' for more information.
truncp [-f] <path> <length> <symbol>
> Truncate <path> to <length>, & prepend <symbol> to beginning when truncated. Default <symbol> is ".."
If '-f' switch is used, Path is truncated to <length> specificly, no exceptions, otherwise splits at
closest base to <length> (default length is 20), Eg: 'truncp /system/etc/SuperBox 12' will return:
'../SuperBox', & 'truncp -f /system/etc/SuperBox 12' will return '..c/SuperBox' (12chars precisely)
Output must never exceed <value>, Truncation does not occur unless <path> is over <length>.
uc "<INPUT>"
> Switches input to all uppercase, supports whitespace/newline, no limitations.
Included Functions (Source Only) 4a.
Please note that the functions listed here might not be a complete list of available applets for use in
source mode, & the applets listed here are unavailable in execution mode due to limitations of bash
script handling (Only available when sourced or sourced through script).
cd <path>, or cd <var> <path>
> works as a replacement/extension to shell's builtin. can auto-cd to files path if file is specified
& supports additional (unstandard) functionality, while keeping origional functionality fully intact.
Supports the following variables:
> -l | follow links to home path. (eg: 'cd /etc' would cd to '/system/etc'), defaults as on.
> -p | dont follow links to home path (oppisite of above, cds to given input).
> -c | process case insensitive (Eg: 'cd /SYSTEM/ETC' would cd to '/system/etc') Default is off.
> -m | make path if path doesnt exist, then cd to created path (nofail cd).
Variables can be passed either united, or seperate, & in any order, Eg: '-l -p -m -c' or '-lpmc'
error <id> <string1> <string2>..
> prints error message to stderr based on error 'id'. available ids can vary with build & it is not
recommended to call this function, for compatibility reasons, only ids that are garunteed to remain
unchanged are, '-1' (self-defined, no error notice), & '3' (self-defined with error notice).
Error ID & definitions start at line ~157, & continue to 'END_ERR' & can be previewed with 'printl'.
getsizes <base-size>
> used for generating spacing when generating menus in a uniform fashion, if 'base-size' is unspecified,
Script will use terminal width instead. Exports the following variables:
Cw - Custom width, overall width of panel (base-size, or columns)
Ws - Workspace, Width of 'Cw' Minus borders (Side1/Side2 & Edge) (if set).
Side - Width of sides ('Ws'/3), Use for left/right on 3-column menu.
Middle - Width of middle ('Ws'/3 & adjusted for uneven width), Use for left/right on 3-column menu.
Left - Width of left ('Ws'/2'), use for 2-column menu.
Right - Width of right ('Ws'/2 & adjusted for uneven width), Use for 2-column menu.
getvals $*
> used for functions eccepting runtime variables, & offers extended customizations when compared to
using 'shift' & 'if/case' statements. Only requires a nested 'ctrigs' function determining all
applicable switches, & a note to 'ctrigerr $1' on undefined. all additional variables passed to this
function are exported to V{1..20}. (script allows up to 20 variable/switch combinations by default).
'getvals' will auto-clean all previous user-variables before start, & clean all unused when done.
inpth <VARIABLENAME> <DEFAULTPATH>
> Checks if 'VARIABLENAME' has a directory, if not, sets 'VARIABLENAME' to 'DEFAULTPATH/VARIABLE'
used for defaulting files to correct locations, 'VARIABLENAME' must be variables name, & must be set,
setclock <mode>
> can pass variable as mode, allows '0/1' as values, exports either 12hr (0), or 24hr (1) formatted
variable (variable name 'Time') for use with 'date' Eg: 'date +$Time'
up <path> <count>
> replicates 'cd ..', if no variable passed, cd's up one level from current directory, if 'path' is
specified, cd's up 1 level from 'path', or 'count' levels up from either.
Use as either 'up', 'up <count>', 'up <path>', or 'up <path> <count>'.
Configurations:
Configurations are unneeded for execution, but can be used to set default values
To use during execution
By default, configurations are read from:
'/system/etc/SuperBox' > main (system) configurations.
'/data/local/SuperBox' > user (writable) configurations.
User configurations will override system configurations if exist.
Main configuration (SuperBox.cfg):
Code:
#======================================================================#
# __ #
# Main configuration for: /\ \ #
# ____ __ __ _____ __ _ __\ \ \____ ___ __ _ #
# / ,__\/\ \/\ \/\ __`\ /'__`\/\`'__\ \ '__`\ / __`\/\ \/ \ #
# /\__, `\ \ \_\ \ \ \_\ \/\ __/\ \ \/ \ \ \_\ \/\ \_\ \/> </ #
# \/\____/\ \____/\ \ ,__/\ \____\\ \_\ \ \_,__/\ \____//\_/\_\ #
# \/___/ \/___/ \ \ \/ \/____/ \/_/ \/___/ \/___/ \//\/_/ #
# \ \_\ By: YupitsMine420 #
# \/_/ #
#======================================================================#
# File definitions: #
# can use full path, or script variable to define. not read by default.#
# #
# Used for 'setprops', Similar functionality to sysctl, sets system #
# properties from configuration file. #
# Prop_File: $LocalPath/SystemProps.cfg #
# #
# Used for chkbb, when generating missing links, all links generated #
# are written to this file for easy uninstall #
# BusyBox_File: $LocalPath/BusyBox_Add.cfg #
# #
# Specify custom BusyBox/ToolBox binaries for script to use #
# #
##Use_BusyBox: $System/etc/SuperBox/bin/busybox1210 #
# Use_ToolBox: $System/stest/Data/bin/toolbox #
# #
#======================================================================#
#
# Permissions configurations
#
# Paths:
Perm_Src_Dir=755 # Source paths.
Perm_Cfg_Dir=644 # Configuration paths.
Perm_Bin_Dir=775 # Binary (executable) paths.
#
# Files:
Perm_Src_File=644 # Sourcable files.
Perm_Cfg_File=644 # Configuration files.
Perm_Bin_File=755 # Binary (executable) files.
#
DefOwner=root # Default owner.
DefGroup=root # Default group
#
#======================================================================#
#
# Basic configurations:
#
# User configuration path, should be R/W by default (usually '/data').
# Configurations in this path will override base configurations.
LocalPath='$Data/local/SuperBox'
#
# Set scripts clock format, 0=12hr, 1=24hr.
use_24hr=1
#
# Enable/Disable colors in all segments. 1=enable, 0=disable
ColorMode=1
#
# Specify default Colours for modes allowing colour. Format is:
# '0 1 2 3 4 5 6 7 8', where: 0=Error, 1=Note/Highlight, 2=Note2,
# 3=Normal, 4=File, 5=Path, 6=Link, 7=Background, 8=Borders.
DefaultColors=(1 3 6 2 6 4 5 0 5)
#
# Set how many decimal points to allow in arithmatic calculations,
# used in (most) filesize segments. Default value is "2"
# Set to '0' to disable float integers (round to closest full number)
MaxDec=2
#
# Sets path used to store/load permissions configurations for 'm/lperm'
# these configurations are device specific & should not be ported or
# re-used outside of this ROM. Path set below should be constantly R/W.
PermDir="$LocalPath/Perms"
#
#======================================================================#
#
# SuperBox specific Configurations:
#
# Scripts default log method, 0=disabled, 1=critical, 2=full.
sbox_log_level=0
#
# sloggers default log method, '%' fits to width,'-' quiets output.
# (only outputs to log) only effects terminal.
sbox_log_mode=
#
# Specify if date should be appended to log name when generating.
# string is manipulated with 'sbox_log_tag' variable
# With the default value of '%a-%h-%d_%H-%M'
sbox_log_usedate=0
#
# if old log exists, append new data to the end when enabled.
sbox_log_append=1
#
# Allow superbox to be called by cron (startup), 1=Enable, 0=Disable.
sbox_allow_boot=1
#
# specify if SuperBox requires administrator on launch.
sbox_need_admin=1
#
# Link names that will be treated as direct call to SuperBox, Eg:
# Wont be treated as execution mode (links must be manually generated).
sbox_null_links="sbox2 superbox sbox.old sbox.new"
#
#======================================================================#
#
# cd (icd) Configurations:
#
# Specify if 'cd' should check match path/name case-sensitively
# Default is '1' (true), should use '-c' instead of changing this.
icd_usecase=1
#
#======================================================================#
#
# alignapk (zipalign) configurations:
#
# Zip alignment configurations:
# Zip default alignment level, 0 = disabled, 1 = auto, 2 = forced.
align_level=2
#
# Use MD5 sum for each file when processing align. 1=true, 0=false
align_usemd5=0
#
# Use SQL table for storing data, 1 = true, 0 = text database
align_usesql=1
#
# SQL table name to store configurations
align_table=zipalign
#
#======================================================================#
#
# Other (Misc.) Configurations:
#
Tree configration (tree.cfg) (can be appended to main configuration):
Code:
#======================================================================#
# __ #
# Tree configuration for: /\ \ #
# ____ __ __ _____ __ _ __\ \ \____ ___ __ _ #
# / ,__\/\ \/\ \/\ __`\ /'__`\/\`'__\ \ '__`\ / __`\/\ \/ \ #
# /\__, `\ \ \_\ \ \ \_\ \/\ __/\ \ \/ \ \ \_\ \/\ \_\ \/> </ #
# \/\____/\ \____/\ \ ,__/\ \____\\ \_\ \ \_,__/\ \____//\_/\_\ #
# \/___/ \/___/ \ \ \/ \/____/ \/_/ \/___/ \/___/ \//\/_/ #
# \ \_\ By: YupitsMine420 #
# \/_/ #
#======================================================================#
#
# Directories script will avoid, script supports partial matches when
# processing these paths. individual entries should be seperated by (":").
# 'bad_files' & 'bad_links' variables can also be defined to ignore said entry
tree_bad_dirs=":/proc:/dev:/sys:/:"
#
# Force processing any input, even if entry exists in 'tree_bad_*' variable(s)
tree_skip_check=0
#
#
# Used to connect same-depth paths when processing sub-directories &
# files, Default is "|", should be quoted.
tree_ui_con="|"
#
# Used as padding for filenames/etc. to match depth.
tree_ui_dep="+=>"
#
# Seperates file/link/date/size information when displaying tree.
tree_ui_sep="-->"
#
# Specify how tree will process links when detected.
# 0 = Normal, 1 = Ignore link, 2 = ignore all (dont display).
tree_link_mode=0
#
# Enable to Display directory info/size & file/link/dir count, etc.
tree_show_info=True
#
# Show size information when procesing files/links.
tree_show_size=1
#
# Show last modified date when procesing all files/dirs/links.
tree_show_date=1
#
# Enabling will stop script from processing more then 1 directory
# deep into base path.
tree_no_recurs=0
#
# Default Colormode for tree, Mode is '0 1 2 3 4 5 6 7 8 9' where:
# 0 = file, 1 = link, 2=directory, 3=note, 4=background, 5=connector,
# 6=depth, 7=seperator, 8=time, 9=size.
tree_color_mode=(1 3 6 2 0 6 3 8 4)
#
To see what variables are exported when script is sourced, you can create a small script such as:
Code:
export > /cache/1
. sbox
export > /cache/2
cat /cache/2|while IFS= read -r i;do
[[ "$(grep "$i" /cache/1)" ]] || echo "$i"
done
$bb rm -f /cache/{1,2}
save & run, will display all re-usable variables generated by superbox.
*NOTE
Change '. sbox' to '. <name_of_script>' depending on what you named it
adding switches after '. sbox' will enable the variable associated with said switches
My phone does neat stuff!
Sent from my SAMSUNG-SGH-T989 using xda app-developers app
kj2112 said:
My phone does neat stuff!
Sent from my SAMSUNG-SGH-T989 using xda app-developers app
Click to expand...
Click to collapse
Yep, playing with terminal is fun xD
Not quite a full terminal, but close
Ive managed to replicate some missing binaries in script, & modify some standards to suite my needs xD
Uploading a bash 4.1.0 binary for those who want it, the 1 thing this script relies on thats not standard
Just rename to 'bash', move to '/system/bin' & chmod 755 (rwxr-xr-x), then create symlink in xbin for compatability
(some scripts will use /system/xbin/bash, while others will use /system/bin/bash, easy to resolve with symlink)
Default bashrc (/etc/bash/bashrc)
Code:
# /etc/bash/bashrc
#
# This file is sourced by all *interactive* bash shells on startup,
# including some apparently interactive shells such as scp and rcp
# that can't tolerate any output. So make sure this doesn't display
# anything or bad things will happen !
#
# Test for an interactive shell. There is no need to set anything
# past this point for scp and rcp, and it's important to refrain from
# outputting anything in those cases.
[[ $- == *i* ]] || return
#
# Bash won't get SIGWINCH if another process is in the foreground.
# Enable checkwinsize so that bash will check the terminal size when
# it regains control. http://cnswww.cns.cwru.edu/~chet/bash/FAQ (E11)
shopt -s checkwinsize
#
# Enable history appending instead of overwriting.
shopt -s histappend
#
# set some environment variables
TERMINFO=/system/etc/terminfo
MANPATH=/system/etc/man:/system/man:/data/local/man
INFOPATH="$MANPATH"
HOME=/sdcard
TERM=xterm
#
# Enable color
CLICOLOR=1
#
# Control history location/format/etc.
HISTFILE="/system/etc/bash/bash_history"
HISTFILESIZE=3000
HISTCONTROL=ignoreboth
HISTSIZE=10000
#
# Prompt color codes
txtblk='\e[0;30m' # Black - Regular
txtred='\e[0;31m' # Red
txtgrn='\e[0;32m' # Green
txtylw='\e[0;33m' # Yellow
txtblu='\e[0;34m' # Blue
txtpur='\e[0;35m' # Purple
txtcyn='\e[0;36m' # Cyan
txtwht='\e[0;37m' # White
bldblk='\e[1;30m' # Black - Bold
bldred='\e[1;31m' # Red
bldgrn='\e[1;32m' # Green
bldylw='\e[1;33m' # Yellow
bldblu='\e[1;34m' # Blue
bldpur='\e[1;35m' # Purple
bldcyn='\e[1;36m' # Cyan
bldwht='\e[1;37m' # White
unkblk='\e[4;30m' # Black - Underline
undred='\e[4;31m' # Red
undgrn='\e[4;32m' # Green
undylw='\e[4;33m' # Yellow
undblu='\e[4;34m' # Blue
undpur='\e[4;35m' # Purple
undcyn='\e[4;36m' # Cyan
undwht='\e[4;37m' # White
bakblk='\e[40m' # Black - Background
bakred='\e[41m' # Red
badgrn='\e[42m' # Green
bakylw='\e[43m' # Yellow
bakblu='\e[44m' # Blue
bakpur='\e[45m' # Purple
bakcyn='\e[46m' # Cyan
bakwht='\e[47m' # White
txtrst='\e[0m' # Text Reset
#
# specify name of prompt
PROMPT_COMMAND='echo -ne ""'
#
# layout for coloring prompt command, if using color use this method only
# or get used to the blank prompt after executing command
if [ ${EUID} -eq 0 ];then
PS1="bash-4.1\[$txtred\]# \[\e[m\]"
else
PS1="bash-4.1\[$txtgrn\]$ \[\e[m\]"
fi
PS2='> '
PS4='+ '
#
# Set up a a few aliases to make commandline processing
# slightly easier.
for i in cat chmod chown df insmod ln lsmod mkdir more mount mv rm rmdir rmmod umount vi;do
eval alias ${i}=\"busybox ${i}\"
done
alias ls='busybox ls --color=auto'
alias sysro='mount -o remount,ro /system'
alias sysrw='mount -o remount,rw /system'
#
# Fix some 'change directory' aliases.
alias cd..='cd ..'
alias cdl='cd -L'
alias ..='cd ..'
alias ...='cd ../..'
#
# Annoyed by 'su' sending you to shell (sh)?
# Uncomment the following.
# alias su='su -c bash'
#
# Enable cmd style clear
alias cls='clear'
#
# Sudo semi-fix
alias sudo='su -c'
#
# Allow pulling command from history easily
alias hist='history|grep '
#
Updated for those few who download, fixed most broken functions & changed most default configuration names
If using configurations, you must use the new templates, original defaults still apply
If you have any issues using this build, please let me know, also, few new functions, & partially updated readme for
better definitions on new/existing options. included makeshift changelog for those who want it.
BTW. found a few binaries that work on our device, with all dependancies,
Such as:
7z (including 7za)
bc
GNU dc
GNU nano
GNU tput (with all dependancies such as terminfo db)
& various others (totaling about 30 GNU applications), just pm me if you want em. shouldnt upload as they aint my builds
Hi
I love my firestick, it does so much more than what my previous raspberry pi (running kodi) could do. However one thing the pi could do was offer perfect CEC control via my TV's remote and one goal I have is to use a single (harmony) remote to control my entire AV setup.
The firestick does offer some level of CEC support but seems to vary hugely between different TVs, in my case on my Panasonic plasma tx-p42g30 I can only get the play/pause button to work (edit: the rewind, fast forward and stop buttons also work). So something is working but maybe not mapped properly?
Surely there must be somekind of file which can be edited to help map the CEC controls correctly? can anyone shed any light?
I had problems with a Panasonic TX-L37GN13 too.
CEC is called Viera-Cast on Panasonic TV's.
Perhaps we should create an topic in the developer board from amazon.
Where are you from? The US support should be much better then EU support.
Greetings by Idijt
I_did_it_just_tmrrow said:
I had problems with a Panasonic TX-L37GN13 too.
CEC is called Viera-Cast on Panasonic TV's.
Perhaps we should create an topic in the developer board from amazon.
Where are you from? The US support should be much better then EU support.
Greetings by Idijt
Click to expand...
Click to collapse
Whatever you think might get the ball rolling, it's one of those things before rooting was more accessible I'd assumed it'd be locked out feature to mod, but presumably with root it's a possibility now? I recall on the raspberry Pi i copied over a certain config file to enable additional buttons on my TV remote so hoping the same can be done.
I'm from the UK
My Panasonic XXX is currently not here.
Can you try to:
1. enable adb
2. open adb on a pc and type in
Code:
adb shell
or
Code:
adb shell
3. enable Panasonic's CEC and make sure you can use the less commands wich are usable
4a. type in shell
Code:
su
if you had root
4b. type in the shell
Code:
cat /proc/bus/input/devices
and tell us the output
5. There should be a line wich a named input, like input8 or input3.
6. type in the shell
Code:
cat THE_WHOLE_PATH_TO_THAT_INPUT_FILE
and tell us if he react if press on valid (working) buttons and non working buttons.
If there are some hieroglyphics with the non working buttons, we should be able to mention theese buttons in the right keyfiles.
Greetings by Idijt
I_did_it_just_tmrrow said:
I had problems with a Panasonic TX-L37GN13 too.
CEC is called Viera-Cast on Panasonic TV's.
Perhaps we should create an topic in the developer board from amazon.
Where are you from? The US support should be much better then EU support.
Greetings by Idijt
Click to expand...
Click to collapse
I_did_it_just_tmrrow said:
My Panasonic XXX is currently not here.
Can you try to:
1. enable adb
2. open adb on a pc and type in
Code:
adb shell
or
Code:
adb shell
3. enable Panasonic's CEC and make sure you can use the less commands wich are usable
4a. type in shell
Code:
su
if you had root
4b. type in the shell
Code:
cat /proc/bus/input/devices
and tell us the output
5. There should be a line wich a named input, like input8 or input3.
6. type in the shell
Code:
cat THE_WHOLE_PATH_TO_THAT_INPUT_FILE
and tell us if he react if press on valid (working) buttons and non working buttons.
If there are some hieroglyphics with the non working buttons, we should be able to mention theese buttons in the right keyfiles.
Greetings by Idijt
Click to expand...
Click to collapse
I've tried the commands via ADBfire and opening the adb shell - on 'su' I get a not found error (I don't have root)
On the 'cat /proc/bus/input/devices' command I get the following:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
godsakes said:
I've tried the commands via ADBfire and opening the adb shell - on 'su' I get a not found error (I don't have root)
On the 'cat /proc/bus/input/devices' command I get the following:
Click to expand...
Click to collapse
Why did you stop at Step 5?
Like I told you, do step 6,
Code:
cat /devices/virtual/input/input1
and tell us if he react if you press on valid (working) buttons and/or non working buttons.
If there are some hieroglyphics with the non working buttons, we should be able to mention theese buttons in the right keyfiles.
I can not check this before weekend.
Perhaps you dont have the right to "cat" the input1 without su/without root, but I think you should.
Greetings by Idijt
I_did_it_just_tmrrow said:
Why did you stop at Step 5?
Like I told you, do step 6,
Code:
cat /devices/virtual/input/input1
and tell us if he react if you press on valid (working) buttons and/or non working buttons.
If there are some hieroglyphics with the non working buttons, we should be able to mention theese buttons in the right keyfiles.
I can not check this before weekend.
Perhaps you dont have the right to "cat" the input1 without su/without root, but I think you should.
Greetings by Idijt
Click to expand...
Click to collapse
I'm afraid I get "no such file or directory" with that command...
Point me to the safest rooting guide and I'll give it a another try once rooted
godsakes said:
I'm afraid I get "no such file or directory" with that command...
Click to expand...
Click to collapse
Perhaps you need to mount the system partition to rw (read, write) and it is currently ro (read only).
To change this mount you need root but you should be able to read thethe read the input.
Please make again the first cat step and be sure, that you cat in the next step the right input + path from the amazon-cec device.
Perhaps the inputs are connected to devices on device startup.
godsakes said:
Point me to the safest rooting guide and I'll give it a another try once rooted
Click to expand...
Click to collapse
Point youself to the, perhaps availible, right rooting method or guide. Sorry but this is your device, you know your current stock FW and this is not the thread topic.
I own a stick with root, but hardware rooted with emmc adapter. If you life in germany or a neighbour country I can help you.
I hope we can leave this topic by its own topic
It really could be possible to add some keys from the tv remote.
Greetings by Idijt
Ok, I've since used king root to root the stick
Now when i type 'SU' the command line does indicate the user (if that's the right word?) is root
But I still get the same error... could you just double check I've done the right commands
Your commands seems to be right. I am not the 100% Linux pro but I am 80% sure that I do that on this way with a Xiaomi Bluetooth Controller.
Can list the area's?
Code:
su
ls /devices/
ls /devices/virtual/
ls /devices/virtual/input/
Each line after the other.
If that not work, tell us. You can check this too with another Input and device. Did you got always that error?
ByTheWay: you can just Copy the Text out of the shell/adb and put them here into a Code Block. This also very nice for people who are searching for some words.
Any other here who can help us?
Greetings by Idijt
I_did_it_just_tmrrow said:
Your commands seems to be right. I am not the 100% Linux pro but I am 80% sure that I do that on this way with a Xiaomi Bluetooth Controller.
Can list the area's?
Code:
su
ls /devices/
ls /devices/virtual/
ls /devices/virtual/input/
Each line after the other.
If that not work, tell us. You can check this too with another Input and device. Did you got always that error?
ByTheWay: you can just Copy the Text out of the shell/adb and put them here into a Code Block. This also very nice for people who are searching for some words.
Any other here who can help us?
Greetings by Idijt
Click to expand...
Click to collapse
same error with all 3 of those commands, I've tried a couple of variations of the previous step but again same error
Code:
[email protected]:/ $ su
su
[email protected]:/ # ls /devices/
ls /devices/
/devices/: No such file or directory
1|[email protected]:/ # ls /devices/virtual/
ls /devices/virtual/
/devices/virtual/: No such file or directory
1|[email protected]:/ # ls /devices/virtual/input/
ls /devices/virtual/input/
/devices/virtual/input/: No such file or directory
1|[email protected]:/ # cat /proc/bus/input/devices
cat /proc/bus/input/devices
I: Bus=0005 Vendor=0000 Product=0000 Version=0008
N: Name="amazon_touch"
P: Phys=
S: Sysfs=/devices/virtual/input/input0
U: Uniq=
H: Handlers=event0
B: PROP=0
B: EV=b
B: KEY=400 0 0 0 0 0 0 0 0 0 0
B: ABS=2650000 1000000
I: Bus=0003 Vendor=0000 Product=0000 Version=0001
N: Name="amazon-cec"
P: Phys=
S: Sysfs=/devices/virtual/input/input1
U: Uniq=
H: Handlers=kbd event1
B: PROP=0
B: EV=3
B: KEY=3ff 0 0 400000 2fc000 c3060 0 0 0 10004 210000 192 40000c01 9e3781 0 8010
0000 10000002
I: Bus=0005 Vendor=0000 Product=0000 Version=0008
N: Name="kcmouse"
P: Phys=
S: Sysfs=/devices/virtual/input/input2
U: Uniq=
H: Handlers=mouse0 event2
B: PROP=0
B: EV=7
B: KEY=70000 0 0 0 0 0 0 0 0
B: REL=103
[email protected]:/ # cat /devices/virtual/input/input2
cat /devices/virtual/input/input2
tmp-mksh: cat: /devices/virtual/input/input2: No such file or directory
1|[email protected]:/ # cat devices/virtual/input/input1
cat devices/virtual/input/input1
tmp-mksh: cat: devices/virtual/input/input1: No such file or directory
1|[email protected]:/ # cat //devices/virtual/input/input1
cat //devices/virtual/input/input1
tmp-mksh: cat: //devices/virtual/input/input1: No such file or directory
1|[email protected]:/ #
All u have here is
[email protected]:/ # ls -la /sys/devices/virtual/input/input1/
drwxr-xr-x root root 2016-06-23 22:39 capabilities
drwxr-xr-x root root 2016-06-23 22:39 event1
drwxr-xr-x root root 2016-06-23 22:39 id
-r--r--r-- root root 4096 2016-06-23 22:39 modalias
-r--r--r-- root root 4096 2016-06-23 22:39 name
-r--r--r-- root root 4096 2016-06-23 22:39 phys
drwxr-xr-x root root 2016-06-23 22:39 power
-r--r--r-- root root 4096 2016-06-23 22:39 properties
lrwxrwxrwx root root 2016-06-23 22:39 subsystem -> ../../../../class/input
-rw-r--r-- root root 4096 2016-06-23 22:39 uevent
-r--r--r-- root root 4096 2016-06-23 22:39 uniq
BTW.
I've also got hard times with CEC with my sammy 40c650 . Only FF and REW are recogized by AFTS .
There is clear visibility on triggered events but no visibility on direct input (lack of tool)
[email protected]:/ # getevent -li /dev/input/event1
Can't enable monotonic clock reporting: Invalid argument
add device 1: /dev/input/event1
bus: 0003
vendor 0000
product 0000
version 0001
name: "amazon-cec"
location: ""
id: ""
version: 1.0.1
events:
KEY (0001): KEY_ESC KEY_ENTER KEY_DOT KEY_F5
KEY_KPENTER KEY_UP KEY_PAGEUP KEY_LEFT
KEY_RIGHT KEY_DOWN KEY_PAGEDOWN KEY_MUTE
KEY_VOLUMEDOWN KEY_VOLUMEUP KEY_POWER KEY_PAUSE
KEY_STOP KEY_HELP KEY_MENU KEY_BACK
KEY_EJECTCD KEY_PLAYPAUSE KEY_RECORD KEY_REWIND
KEY_FASTFORWARD KEY_SOUND KEY_MEDIA KEY_UNKNOWN
KEY_OPTION* KEY_INFO KEY_FAVORITES KEY_EPG
KEY_SUBTITLE KEY_ANGLE KEY_RED KEY_GREEN
KEY_YELLOW KEY_BLUE KEY_CHANNELUP KEY_CHANNELDOWN
KEY_LAST KEY_CONTEXT_MENU KEY_NUMERIC_0 KEY_NUMERIC_1
KEY_NUMERIC_2 KEY_NUMERIC_3 KEY_NUMERIC_4 KEY_NUMERIC_5
KEY_NUMERIC_6 KEY_NUMERIC_7 KEY_NUMERIC_8 KEY_NUMERIC_9
input props:
<none>
Output on button pressing (only FF and REW give out anything)
[email protected]:/ # getevent -l /dev/input/event1
Can't enable monotonic clock reporting: Invalid argument
EV_KEY KEY_REWIND DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_REWIND UP
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_FASTFORWARD DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_FASTFORWARD UP
EV_SYN SYN_REPORT 00000000
The correct input device for cec on your FireStick is: /dev/input/event1.
If you want to change the behavior of your remote keys you can create a file named amazon-cec.kl under: /system/usr/keylayout.
However, don't know how this is on the FireTV and FireTV2. On the FireTV2 i don't get any responses using getevent and evtest and i dont own a FireTv Gen 1.
Edit:
Haven't seen the last post. Try using evtest on /dev/input/event1. It shows you the keycodes so you can assign them in the layout file.
for my old tv it would look like this:
Code:
# Copyright (C) 2010 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Custom Keylayout for Sony Bravia KDL-*EX72* cec function on FireStick
# NOTE
# This mainly mapps menu to the options button and home to the home button,
# additionaly we assign keys to the special buttons (red, blue, info etc.).
# To make our life easier we just assign F1-F7 to those keys.
# Comments contain original values as per evtest /dev/input/event1
# NOTE: F1-F7 seem to not get passed to Kodi!? As Workaround we use A-F
key 96 DPAD_CENTER #KPEnter (Real Enter)
key 103 DPAD_UP #Up
key 105 DPAD_LEFT #Left
key 106 DPAD_RIGHT #Right
key 108 DPAD_DOWN #Down
key 128 MEDIA_STOP #Stop
key 139 HOME WAKE_DROPPED #Menu
key 158 BACK WAKE_DROPPED #Back
key 164 MEDIA_PLAY_PAUSE #PlayPause
key 168 MEDIA_REWIND #Rewind
key 208 MEDIA_FAST_FORWARD #Fast Forward
key 357 MENU #Option
key 358 F #Info - KEY_INFO
key 365 E #EPG - KEY_EPG
#key 370 SUBTITLE #Subtitle - KEY_SUBTITLE
key 398 A #Red Button - KEY_RED
key 399 B #Green Button - KEY_GREEN
key 400 C #Yellow Button - KEY_YELLOW
key 401 D #Blue Button - KEY_BLUE
key 402 PAGE_UP #Channel Up
key 403 PAGE_DOWN #Channel Down
key 512 0 #Numeric 0
key 513 1 #Numeric 1
key 514 2 #Numeric 2
key 515 3 #Numeric 3
key 516 4 #Numeric 4
key 517 5 #Numeric 5
key 518 6 #Numeric 6
key 519 7 #Numeric 7
key 520 8 #Numeric 8
key 521 9 #Numeric 9
Reading the above 2 posts and using the command 'getevent -1 /dev/input/event1'
I can get some reporting - but only for the buttons already recognised (play, rewind, fastforward, stop), I also have a play/pause button on my remote but it's recognised as the same command as the play button
Code:
[email protected]:/ $ su
su
[email protected]:/ # getevent -l /dev/input/event1
getevent -l /dev/input/event1
Can't enable monotonic clock reporting: Invalid argument
EV_KEY KEY_PLAYPAUSE DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_PLAYPAUSE UP
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_REWIND DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_REWIND UP
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_STOP DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_STOP UP
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_FASTFORWARD DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_FASTFORWARD UP
EV_SYN SYN_REPORT 00000000
Try using evtest and look if the keycodes are indentical or not and remap them how you like.
I dont recommend using getevent for other use than getting the correct input device. If you press some button it only shows some kind of default value for the keyevent reported from your input device.
If you use evtest on /dev/input/event1 you can see what i mean by looking at the top of the output.
@WheelchairArtist done & done
[email protected]:/ # evtest /dev/input/event1
Input driver version is 1.0.1
Input device ID: bus 0x3 vendor 0x0 product 0x0 version 0x1
Input device name: "amazon-cec"
Supported events:
Event type 0 (Sync)
Event type 1 (Key)
Event code 1 (Esc)
Event code 28 (Enter)
Event code 52 (Dot)
Event code 63 (F5)
Event code 96 (KPEnter)
Event code 103 (Up)
Event code 104 (PageUp)
Event code 105 (Left)
Event code 106 (Right)
Event code 108 (Down)
Event code 109 (PageDown)
Event code 113 (Mute)
Event code 114 (VolumeDown)
Event code 115 (VolumeUp)
Event code 116 (Power)
Event code 119 (Pause)
Event code 128 (Stop)
Event code 138 (Help)
Event code 139 (Menu)
Event code 158 (Back)
Event code 161 (EjectCD)
Event code 164 (PlayPause)
Event code 167 (Record)
Event code 168 (Rewind)
Event code 208 (Fast Forward)
Event code 213 (Sound)
Event code 226 (Media)
Event code 240 (Unknown)
Event code 357 (Option)
Event code 358 (Info)
Event code 364 (Favorites)
Event code 365 (EPG)
Event code 370 (Subtitle)
Event code 371 (Angle)
Event code 398 (Red)
Event code 399 (Green)
Event code 400 (Yellow)
Event code 401 (Blue)
Event code 402 (ChannelUp)
Event code 403 (ChannelDown)
Event code 405 (Last)
Event code 438 (?)
Event code 512 (?)
Event code 513 (?)
Event code 514 (?)
Event code 515 (?)
Event code 516 (?)
Event code 517 (?)
Event code 518 (?)
Event code 519 (?)
Event code 520 (?)
Event code 521 (?)
Testing ... (interrupt to exit)
Event: time 452.538264, type 1 (Key), code 139 (Menu), value 0
Event: time 452.538274, -------------- Report Sync ------------
Event: time 462.140498, type 1 (Key), code 139 (Menu), value 1
Event: time 462.140507, -------------- Report Sync ------------
Event: time 478.609635, type 1 (Key), code 357 (Option), value 0
Event: time 478.609643, -------------- Report Sync ------------
Event: time 490.073024, type 1 (Key), code 357 (Option), value 1
Event: time 490.073032, -------------- Report Sync ------------
Event: time 503.634929, type 1 (Key), code 357 (Option), value 0
Event: time 503.634937, -------------- Report Sync ------------
Event: time 513.041136, type 1 (Key), code 168 (Rewind), value 1
Event: time 513.041146, -------------- Report Sync ------------
Event: time 513.260947, type 1 (Key), code 168 (Rewind), value 0
Event: time 513.260955, -------------- Report Sync ------------
Event: time 514.352655, type 1 (Key), code 208 (Fast Forward), value 1
Event: time 514.352663, -------------- Report Sync ------------
Event: time 514.576434, type 1 (Key), code 208 (Fast Forward), value 0
Event: time 514.576442, -------------- Report Sync ------------
there is no amazon-cec.kl under /system/usr/keylayout/ (also tested all in https://source.android.com/devices/input/key-layout-files.html) . I've downloaded Sony Bravia amazon-cec ,rebooted and nothing changed . Also creating Vendor_0000_Product_0000_Version_0001.kl keylayout (same as detected device ) give nothing ... no new button recognized ever .
Did u gave the amazon-cec file the right permissions and set the right owner? Also make sure to not forget the .kl at the end.
Also in my file the buttons u pressed (as seen in your post) are mapped the exact same way.
You could try to switch keycodes 139 and 208 to see if the layout file works.
Just for the record, today i updated my amazon-cec.kl file because it didn't work with my new stick on android 5, maybe that was your problem with my file?
If you still need/want to remap the buttons here is the new file (removed depracted WAKE_DROPPED flag and remapped Subtitle to G):
Code:
# Copyright (C) 2010 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Custom Keylayout for Sony Bravia KDL-*EX72* cec function on FireStick
# NOTE
# This mainly mapps menu to the options button and home to the home button,
# additionaly we assign keys to the special buttons (red, blue, info etc.).
# To make our life easier we just assign F1-F8 to those keys.
# Comments contain original values as per evtest /dev/input/event1
# NOTE: F1-F8 seem to not get passed to Kodi!? As Workaround we use A-G
key 96 DPAD_CENTER #KPEnter (Real Enter)
key 103 DPAD_UP #Up
key 105 DPAD_LEFT #Left
key 106 DPAD_RIGHT #Right
key 108 DPAD_DOWN #Down
key 128 MEDIA_STOP #Stop
key 139 HOME #Menu
key 158 BACK #Back
key 164 MEDIA_PLAY_PAUSE #PlayPause
key 208 MEDIA_REWIND #Rewind
key 168 MEDIA_FAST_FORWARD #Fast Forward
key 357 MENU #Option
key 358 F #Info - KEY_INFO
key 365 E #EPG - KEY_EPG
key 370 G #Subtitle - KEY_SUBTITLE
key 398 A #Red Button - KEY_RED
key 399 B #Green Button - KEY_GREEN
key 400 C #Yellow Button - KEY_YELLOW
key 401 D #Blue Button - KEY_BLUE
key 402 PAGE_UP #Channel Up
key 403 PAGE_DOWN #Channel Down
key 512 0 #Numeric 0
key 513 1 #Numeric 1
key 514 2 #Numeric 2
key 515 3 #Numeric 3
key 516 4 #Numeric 4
key 517 5 #Numeric 5
key 518 6 #Numeric 6
key 519 7 #Numeric 7
key 520 8 #Numeric 8
key 521 9 #Numeric 9
I switched the Rewind and FastForward buttons so you can check if it gets accepted.
You could also check logcat for any hints:
Code:
logcat | grep amazon-cec
I am trying to map the recent apps and applications key on samsung bluetooth keyboard to teh recnet apps and apps buttons, just like the app_switch capactive button. The Home button and back button the the physical keyboard already work. Following the below guide, one would modify /system/usr/keylayout/Generic.kl with relevant scan codes
Code:
#http://www.thriveforums.org/forum/toshiba-thrive-development/9626-how-create-customized-keylayout-any-usb-bluetooth-keyboard-rooted.html
#/system/usr/keylayout/Generic.kl
key 704 RECENTAPPS
key 705 APPLICATION
and save the file as /system/usr/keylayout/Vendor_04e8_Product_a006.kl, where the keyboard's vendor and product id are found by
Code:
cat /proc/bus/input/devices
; on my device this gets the following
I: Bus=0005 Vendor=04e8 Product=a006 Version=0001
N: Name="Samsung Bluetooth Keyboard EJ-CT800"
P: Phys=
S: Sysfs=/devices/virtual/misc/uhid/input11
U: Uniq=
H: Handlers=sysrq event11 sec_debug
B: PROP=0
B: EV=12001b
B: KEY=147 0 0 0 0 0 0 0 0 0 0 0 0 0 0 10003 2010007 ff9f317a c14057ff febeffdf ffefffff ffffffff fffffffe
B: ABS=ffffff00 0
B: MSC=10
B: LED=1f
However, this does not work; niether does copying the appropriate keylayout file Vendor_04e8_Product_a006.kl directly from samsung stock rom, which shows the key scancoes above. Instead, it seems some people got it working by changing the source code related to whievever key code you desire and compile android.policy.jar ike this:
evilisto said:
platform/frameworks/base/policy/src/com/android/internal/policy/impl/PhoneWindowManager.java
from :
Code:
} else if (keyCode == KeyEvent.KEYCODE_APP_SWITCH) {
if (down && repeatCount == 0) {
showOrHideRecentAppsDialog(RECENT_APPS_BEHAVIOR_SHOW_OR_DISMISS);
}
return -1;
}
to :
Code:
} else if (keyCode == KeyEvent.KEYCODE_APP_SWITCH) {
if (down && repeatCount == 0 && !keyguardOn) {
try {
mStatusBarService.toggleRecentApps();
} catch (RemoteException e) {
Slog.e(TAG, "RemoteException when showing recent apps", e);
}
}
return -1;
}
Click to expand...
Click to collapse
It seems simple enough, but i am not compilng yet; it would be useful to have this for cm roms, but not sure about compatibility with different rom versions (i.e., cm-11, 12, 13, 14); if someone builds this, perhaps comment on this... thanks
would someone like to compile this and try, as i'm sure a lot of people have this keyboard? :laugh:
err, found my error with the recentapps button; making it app_switch instead of recentapps makes it work, so it only remains to make the application button, which opens the app drawer. i ohpe this interests somebody, but if not whatever
I have the same issue. I guess it's a rom compatibility thing. My Samsung Bluetooth keyboard works fine except for recent apps key (F2) then F3 and F4 don't work as in when you hit those keys, nothing happens at all. I hope we can find a workaround for this.
Same issue here as well.
I am using as well the Original keyboard of tab s (EC-JT800) with aicp ROM 7.1. (preatty good i would say) but there are several issues with the hardware keyboard like:
change between 2-3 languages (no keyboard mapping)
app switching (F2) and app drawer (F3) buttons are not working
caps lock light not turn on
lang does nothing
etc.
I have tried another ROM which is based on the samsung stock firmware: IronRom V3.2 ( https://forum.xda-developers.com/galaxy-tab-s/development/prerooted-stock-touchwiz-rom-t2973107) and i noticed that the keyboard is fully working as expected. Therefore i assume that the keyboard layout is the original from samsung incorporated into the ROM. If we copy this layout it will work on a 7.* ROM version ?
Update: Searching inside the above mentioned ROM i found the file Vendor_04e8_Product_a006.kl which i am planning to copy over. The thing is that the system filesystem is read only.
Any Idea ?
---------- Post added at 15:07 ---------- Previous post was at 14:33 ----------
I research and it seems that ssome of the mapping missings are :
key 368 LANG
# F2 F3 F4
key 704 RECENTAPPS
key 705 APPLICATION
key 706 SIP_ON_OFF
# LEDs
led 0x01 CAPS_LOCK
Will copy the file over from the other ROM and update about the results.
I'm trying to do the same here, with Lineage OS on an SM-T800.
As already said, the stock keylayout, which includes something like this:
Code:
key 704 RECENTAPPS
key 705 APPLICATION
key 706 SIP_ON_OFF
key 707 VOICESEARCH
key 708 QPANEL_ON_OFF
key 710 SFINDER
key 712 MULTI_WINDOW
does not work on non-stock ROMs. I can also verify that setting scancode 704 to keycode APP_SWITCH, does work.
Indeed, these keycodes (RECENTAPPS, etc) are not mentioned in the KeyEvent android developers page, nor can I find a substitute for the missing ones.
For the language switch, I tried running inside an adb shell the command
Code:
input keyevent LANGUAGE_SWITCH
and sure enough, I was able to switch language on my keyboard.
I then checked to see what is emitted when I press the "LANG" key on the keyboard, and it seems that it's just SHIFT+SPACE. So I went ahead and defined a keychar file (/system/user/keychars/Vendor_04e8_Product_a006.kcm) where I asked for Shift+Space to send the LANGUAGE_SWITCH keycode. No luck
As a temporary solution, I've mapped the "keyboard" key (just right of the Function key) to LANGUAGE_SWITCH, and that is working fine.
So my keylayout for now includes:
Code:
key 704 APP_SWITCH
key 706 LANGUAGE_SWITCH
Last (but not least), I have no clue how to drive the led for caps-lock. I tried all led numbers from 0x00 to 0x1f in the keylayout file, nothing seems to be doing the trick. I also cannot find any proper documentation on that, to understand how it works.
I'll keep digging. I really don't get why the key character map file didn't work for setting the language. At least that part should be feasible.
Quite strange.
I have installed the IronRom V3.2 (https://forum.xda-developers.com/galaxy-tab-s/development/prerooted-stock-touchwiz-rom-t297310 ) and the keyboard layout is working fine !!! Functions keys, language key and the caps lock led are all working. Keep in mind that this ROM is based on stock and is running android 6.0.1
I wonder if a copy of the files /system/user/keychars/* to a newer android version might work. I also noticed on other nougat versions (AICP, LIneage) that the keyboard settings are completely different that Marshmallow.
ale_kons said:
Quite strange.
I have installed the IronRom V3.2 (https://forum.xda-developers.com/galaxy-tab-s/development/prerooted-stock-touchwiz-rom-t297310 ) and the keyboard layout is working fine !!! Functions keys, language key and the caps lock led are all working. Keep in mind that this ROM is based on stock and is running android 6.0.1
I wonder if a copy of the files /system/user/keychars/* to a newer android version might work. I also noticed on other nougat versions (AICP, LIneage) that the keyboard settings are completely different that Marshmallow.
Click to expand...
Click to collapse
Your link seems to be wrong.
If this ROM is based on samsung stock, then my guess would be that this is what makes it work with the keyboard, not necessarily the android version. Did you use the ROM with the stock kernel or the "ironstock" kernel?
I guess I have the stock kernel, have to check though
My kernel version is: 3.4.113-IronStock_SM-T800_V3.2
Current ROM: IronRom V3.2_T800
As mentioned above the keyboard is working as it was supposed too.