Sorry if this isnt the correct section but I am assuming this would be applicable to Development...I wanted Dev's to take a look at it and clarify on it if indeed this is know or even applicable to our phones...I recieved this info from a friend with a Sprint Epic 4g...
Please close or move if this is an inappropriate section Mod's...thanks
What Is Carrier IQ? Why Should We Care?
Put simply - and bluntly - Carrier IQ is a software package buried deep within Android by Samsung at the behest of Sprint. It has been in active use since the time of the Moment, if not before. The company that develops it, also known as Carrier IQ, bills it as "Mobile Service Intelligence". In their own words,
[T]he combination of the MSIP and IQ Insight lets you move seamlessly from broad trend data across many users, through comparative groups down to diagnostic data from individual devices. Now, not only can you identify trends, you have the power to drill down to specific instances, giving you the insight your specialists need to make a difference.
On its own, that description can vary from harmless, to worrying, depending on how you look at it. It's not until one drills deep down into the system and ferrets out every piece of the software that one truly knows what it contains. As some of you might remember, ACS took the first steps toward disabling the Carrier IQ software with the release of SyndicateROM and Xtreme Kernel 1.0. That, however, didn't even scratch the surface.
Carrier IQ's native libraries are plainly visible - libiq_client.so and libiq_service.so in /system/lib. During every boot, this service is launched - you can see it in Settings > Applications > Running Services as "IQAgent Service". These native libraries are called by non-native (Android application) libraries located in ext.jar (the client) and framework.jar (the service). Removal of these (rather obviously-named) libraries alone, be it the .so files or the libraries in framework or ext, will, obviously, break boot. So I - k0nane - had to dig deeper. To make a long story short, reference to the IQ Service and IQ Client were littered across the deepest portions of the framework, and some of the most basic functions of the Android system as we know it.
Carrier IQ as a platform is designed to collect "metrics" at any scale. What I found it to hook into is far beyond the scope of anything a carrier needs - or should want - to be collecting. Carrier IQ sits in the middle of, and "checks" the data of, SMS and MMS messages. It listens for and receives every battery change notifications. It hooks into every web page you view, and every XML file your device reads. It receives every press of the touch screen. It 'sees' what you type on the physical keyboard. It reads every number you press in the dialer. It can track which applications you use, what 'type' they are, how often, and for how long. It hooks into data sent and received.
I, and the rest of ACS, ask Samsung and Sprint - why do you want this information? Why do you need it? Why is the capability in place?
The only saving grace - if there is one - to this nasty, ten-legged mutant spider is that its logs are off by default. During the investigation process, I was able to enter its UI.
That being said, the question still must be asked - why is the service even running? Why does Sprint and Samsung feel the need to leave a dormant monster in every one of its most loyal customers' phones?
Here's the most important part (tl;dr): the Carrier IQ service is a drain on battery life and performance. ACS noticed a significant rise in Smartbench scores and overall system 'snappiness' after Carrier IQ's removal. In addition, with it removed, ACS team lead rjmjr69 saw 30 hours of battery life, with heavy use, on the stock battery.
Below are two screenshots of it.
interesting read, I wonder if verizon uses something similar.
Bawb3 said:
interesting read, I wonder if verizon uses something similar.
Click to expand...
Click to collapse
Wow. Very interesting indeed. Makes me curious. Thank you for sharing.
Sent from my SCH-I500 using XDA App
If they are using it, it's not in the same location as Sprint's phones:
Code:
# cd /system/lib
cd /system/lib
# ls | grep iq
ls | grep iq
# ls *iq*
ls *iq*
ls: *iq*: No such file or directory
#
Yea I couldn't locate it there either, or anywhere for that matter so I figured someone here may have at least heard of it or could confirm its not applicable to us....
I had people in IRC check this out yesterday. they found no trace of it. Sounds like a Sprint only thing. thanks for posting though! I forgot to lol.
imneveral0ne said:
I had people in IRC check this out yesterday. they found no trace of it. Sounds like a Sprint only thing. thanks for posting though! I forgot to lol.
Click to expand...
Click to collapse
Well thats def good to know...thanks for the info....
Most phones have similar programs. Trust me. I can't wait till you stumble over what else 4g phones can do.
tapout27 said:
Carrier IQ's native libraries are plainly visible - libiq_client.so and libiq_service.so in /system/lib. During every boot, this service is launched - you can see it in Settings > Applications > Running Services as "IQAgent Service".
Click to expand...
Click to collapse
Ya, this part jumped out at me as being the quickest thing to check. None of that is true on the fascinate, even for the stock vzw ROM. I'm sure there is a lot of information tracking going on, but it's not called Carrier IQ on the fascinate.
They already know you better than you know yourself, even if you don't use their phone OS, so one question remains: Do you welcome your Google overlords?
GizmoDroid said:
Google overlords?
Click to expand...
Click to collapse
Often it's not provided in the actual os (people were spotting it)...its actually buried in hardware. It started a long time ago. Similar to key loggers. Then as technology improved they found other methods. You didn't think your girl was the only one you were sexting did you? ****, when you video chat it's even saved and they let you know lol.
Edit: And so you know a little about me, I was employed at Applied Materials. 80% of your phones electronics are co-built from our wafer and chip technologies that are rebranded as soley Intel, nvidia ect. I worked on duos the same year P3S HIT THE MARKET.
Related
Hello! to anyone who might read this
First off, let me tell you a tiny bit about myself (Bare with me here).
My name is Christian, I'm 19 and I'm an intern at an IT-section. I've been working here for a year already - Each year interns are to write two individual papers about different subjects. My last paper was a virtual Windows Server 2003 Server Park Environment for another company. This year my first paper is on Android.
My place of work supports other workplaces, such as schools, the hospital, social workers, basically everything. With next-gen phones and new OS' out - Naturally, we're upgrading. The question is what OS to go with. That's why I was asked to create a paper on Android, showing how a work-phone could be. Not all of the details have been planned out yet, but it goes something like this:
- Create a ROM with the necessary applications
- Strip the ROM of anything ..unnecessary (Could be anything, Gapps even).
- Choose/Develope a Launcher that can work pretty much out-of-the-box without having to customize too much.
That's pretty much all the information I've been given for now. I've been given a HTC Desire to 'play around with'. I've been told we're going to have a meeting about it soon. The reason I'm creating this thread is to give myself sort of a roadmap, I guess. And I'd love your opinions on how I can best do this, what I should base my ROM on and anything else you might think I need to know.
Peace.
It's a great idea for a workplace to go with android for employees given the ability to create more secure levels of access since it's based on linux. Also the ability to tailor the OS and UI to suite the needs of the business are something that's desired more and more these days. The downfalls you'll have to overcome are battery power (stripped down OS could nix that) and the fact that most companies will lean more towards Blackberry for two main reasons.
First is security, lets face it, Google is the internet for the most part and a lot of people fear the unknown such as where does their data go and what's done with it. Is it erased (securely)? Is it shared and what about data leaks?
Also, even though I love Android, for a business setting Blackberry has everything right. Android lacks in the 'push' area by a longshot and (from what I've seen) Blackberry supports more email protocals. Let's not forget when you're emailing all day or writing a paper a physical keyboard is more desired, a lot of Android phones lack that.
If the correct phones were chosen and (with a custom ROM and apps) the right measures were taken to address the push issue, plus maybe some sort of native encryption to ease security concerns - I think you could make a very valid argument to use Android phones for their employees. Android beats the othe OS types by a longshot, you just have to address those small but major issues.
Using Android as platform for devices inside an organization makes a lot of sense.
I disagree with KCRic about the superiority of BlackBerry on push and mail systems compatibility. Remember that BB requires you to use a secondary server to "translate" your Exchange, Notes, GroupWise or whatever you have to the devices.
Agree 100% in terms of the keyboard issue.
Something Android has on its side is that Google is the internet. Android was designed from the bottom up to be a "connected" platform. This means mobile devices with ample access to databases and hosted applications. If a business is still wondering if the data on the cloud is the solution, they may not be here on the next decade.
Believe me, you don't find many devices with VPN support, something that is already supported on most Android ROMs. Secure connections and a secure local storage can be easily achieved, the tools are already there.
Think also not only on phones but many other devices (tablets, kiosks, etc) that can benefit from this idea.
I think the major obstacle will be to convince the service provider to let your organization put customized ROMs on the devices. They will panic. Maybe if your agreement says that you provide the support. I already have to go through some of this (on a different initiative) and it is not easy.
KCRic was right about blackberry .... was. The Droid Pro puts that puppy to bed for good, I think. To the OP, your company needs to take back that desire and get ahold of a Droid pro for you. That'll be the (as of right now) best device for workplace use and give you the best launch-off point.
Sent from my DROIDX using XDA App
Thank you gentlemen, I appreciate your input!
My company will most likely be standardizing on the Desire Z as the 'top notch' phone - And some sort of first level entry phone for employees that don't need aweesomesauce features. I've begun dissecting my own ROM using dsiXDA's kitchen. If my company is going to settle on Android as a platform I will have to build the ROM from source, though. Seeing as when I'm finished with my internship someone else will have to continue development on the ROM.
Right now I'm going to dissect a couple of ROMS. My place of work wants to see which of the two fits best for us: AOSP or Sense. I'm an AOSP man myself but Sense is easier to use for 'newbies' and it's also easier to configure too look-and-work-just-like-this, if that makes sense. THANKFULLY dxiXDA's kitchen exists so the workload isn't .. ****ty just yet.
Again, thank you for your input!
zHk3R said:
Thank you gentlemen, I appreciate your input!
My company will most likely be standardizing on the Desire Z as the 'top notch' phone - And some sort of first level entry phone for employees that don't need aweesomesauce features. I've begun dissecting my own ROM using dsiXDA's kitchen. If my company is going to settle on Android as a platform I will have to build the ROM from source, though. Seeing as when I'm finished with my internship someone else will have to continue development on the ROM.
Right now I'm going to dissect a couple of ROMS. My place of work wants to see which of the two fits best for us: AOSP or Sense. I'm an AOSP man myself but Sense is easier to use for 'newbies' and it's also easier to configure too look-and-work-just-like-this, if that makes sense. THANKFULLY dxiXDA's kitchen exists so the workload isn't .. ****ty just yet.
Again, thank you for your input!
Click to expand...
Click to collapse
If you don't want the employees messing around with their phones, I'd definately exclude the Market app (Vending.apk) and include the apps of which you believe they are necessary. There's just to much crap in the market and even if it isn't meant to damage your phone, it still can do some damage if you put too much apps with the same functions on it. Experience? Yes, with my X10. The thing was damn slow until I removed a whole bunch of apps.
Hello has anyone used the money toolkit app to access your account?. On my iphone I have an official natwest app, which am sure is safe however a bit worried about this one cause it clearly states not affiliated with any bank.
Hi marvi0
I am Dan - founder of Money Toolkit, so obviously my opinion is not impartial
You are absolutely right to question apps like ours, and I wish more people were more diligent in this resect.
The biggest barrier to using any third party financial app is trust. For a small start up like ours, theres a bit of a catch 22 thing. The best way for people to trust our app is to see others using it, which means having enough early trail blazers use it.
I hope you do read some of the pages on our site regarding security - we have gone to very great lengths to keep you in charge of your credentials.
But this is still only our word. Probably the best thing to help increase your confidence is to look on our get satisfaction pages - (we cant delete messages, so it is an open conversation). Also check the comments on the Android market, again we can't even respond as the developer (which can be frustrating).
I hope others do respond on here, though we only have 500+ active users, so I would be a bit surprised.
There will always be some nervousness committing to our app, ultimately you have to go with your instincts - most people who see our app don't go on to enter their details, which is a shame in my opinion (obviously), because those who do find our app really useful.
Any questions, just ask.
Cheers.
Dan.
I have installed it and it looks pretty good
I have my fingers crossed regarding the security
Thanks for your reply so does this app actually allow me to view my natwest account information?
marvi0 said:
Thanks for your reply so does this app actually allow me to view my natwest account information?
Click to expand...
Click to collapse
it does yeah
you get an overview and then when you click on the account it drills down into the transactions
you cant see direct debits etc
also i wish you could change the theme, the wooden effect is a bit yukky, lol
but it does the job fine
also you have to manually log out or the app will run in the background, and if someone picks up your phone they can see the bank funds etc
winwiz - thanks for that.
You are not alone a few people don't like the wooden theme, so we are thinking of changing that.
The idea was that it continues the web site theme of being a work bench - continuing to follow the tool kit idea! We also didn't want to look like another boring bank, but probably it doesn't work that well on the phones.
Regarding logging out - we keep you logged in on purpose, (it will time out after 5 minutes) it is really annoying when you accidentally go back too far or want to swap to another app and have to log back in. Perhaps we should make that another setting?
some people even choose to keep their password remembered, and rely on the phones own security.
Remember this is a READ ONLY app, there is absolutely no way anyone could transfer funds, or make any changes to your bank.
We've got some nice things planned, like categorising your sending and graphs etc.
So any feedback or ideas really welcome - especially on the get satisfaction pages
Cheers.
MTK-Dan said:
winwiz - thanks for that.
You are not alone a few people don't like the wooden theme, so we are thinking of changing that.
The idea was that it continues the web site theme of being a work bench - continuing to follow the tool kit idea! We also didn't want to look like another boring bank, but probably it doesn't work that well on the phones.
Regarding logging out - we keep you logged in on purpose, (it will time out after 5 minutes) it is really annoying when you accidentally go back too far or want to swap to another app and have to log back in. Perhaps we should make that another setting?
some people even choose to keep their password remembered, and rely on the phones own security.
Remember this is a READ ONLY app, there is absolutely no way anyone could transfer funds, or make any changes to your bank.
We've got some nice things planned, like categorising your sending and graphs etc.
So any feedback or ideas really welcome - especially on the get satisfaction pages
Cheers.
Click to expand...
Click to collapse
Hi Dan,
Thanks for the great feedback. I'd like the option to customise the background, or if this is not possible, a solid black background. The timeout option should be configurable so the user can set the timeout period!
I look forward to the updates
MTK-Dan said:
I am Dan - founder of Money Toolkit, so obviously my opinion is not impartial
...
Any questions, just ask.
Click to expand...
Click to collapse
Hi Dan,
Was just deliberating about using Money Toolkit and I had a couple questions. I've no knowledge in this area so please bare with me.
On the blog post here: hxxp://moneytoolkit.com/2010/09/secure-mobile-banking/
You said that:
"Yodlee then sells your bank data to the web site that you signed up".
Which I agree doesn't sound ideal - but they have to make money to be a sustainable business. How does money toolkit intend to make money? Which part of users financial details will be utilised to do this?
Secondly - regarding the security - the same blog post says:
"Not only would someone have to get access to your phone they would have to go to the same lengths as they would if they wanted to ‘hack’ into a bank, but they would have to do it three times!"
I presume that each location storing data can't login to the bank account in part. Instead a single server instance would have to login - requiring all 3 parts of the information to do so as banks usually randomise the questions asked. That presumption may be wrong however - but if it's correct does that mean a hacker could just hack that single server instance and intercept the traffic being sent to the bank?
You said that:
"Yodlee then sells your bank data to the web site that you signed up".
"but they have to make money to be a sustainable business. How does money toolkit intend to make money? Which part of users financial details will be utilised to do this?""
Click to expand...
Click to collapse
We point out the normal relationship with Yodlee because Yodlee is an independant third party, they are the entity that you end up having the biggest contractual relationship with, in fact you sign over power of attourney to them when you use a web site that uses their aggregation (read the small print).
Regarding Money Toolkit making money, so far we don't! Of course, as you point out, we need to, so we have two options - we will ask for 50p per month (for example), or we will offer good deals with companies we trust (generally not main stream banking companies), where we will make a commission, if we do that we will make the commission obvious and share it with the person taking the offer.
"Secondly - regarding the security...
...does that mean a hacker could just hack that single server instance and intercept the traffic being sent to the bank?"
Click to expand...
Click to collapse
Well your main assumptions is correct, but the reasoning not quite right. Firstly it is not just because of the random nature of the security questions that the three way split is valuable, but literally each part is utterly useless without the other parts, they are three parts of an encrypted file, which MUST come together before it is possible to decrypt.
The decrypted file (now only in volatile memory) then returns values to your phone and it is your phone which sends (over SSL) the right request to the bank, so they would have to breach our own SSL traffic (and custom encryption). Our IP's and the bank's are hard coded so a traditional man in the midle attack is ruled out. They would in effect, have to dupe you into downloading a dodgy Money Toolkit apk for this to be possible.
As you may know, the huge majority of security problems come from static data being discoverable (cd's and memory sticks left on trains for example). In our case the three seperate locations, including your phone make this kind of static data recovery, all but impossible.
However... you are right tht if someone managed to compromise the individual server that, at that moment (we have many), did that specific decryption: then if they were very smart, they might have the ability to detect your secure bank details. Though it would be almost imposible for that to happen and us not know about it. To alter our code and not have our systems detect the intrusion would be phenomenal.
MTK-Dan said:
so we have two options - we will ask for 50p per month (for example), or we will offer good deals with companies we trust (generally not main stream banking companies), where we will make a commission, if we do that we will make the commission obvious and share it with the person taking the offer.
Click to expand...
Click to collapse
Great, both options sound reasonable
MTK-Dan said:
they are three parts of an encrypted file, which MUST come together before it is possible to decrypt.
Click to expand...
Click to collapse
Neat, didn't realise.
MTK-Dan said:
The decrypted file (now only in volatile memory) then returns values to your phone and it is your phone which sends (over SSL) the right request to the bank, so they would have to breach our own SSL traffic (and custom encryption).
They would in effect, have to dupe you into downloading a dodgy Money Toolkit apk for this to be possible.
Click to expand...
Click to collapse
That at least does sound secure (without understanding it more) I suppose there may also be security issues beyond a dodgy .apk file if the Android device has been rooted - because I think that allows apps to work outside of their sandbox. Again, I don't know enough about that.
Thanks for the detailed answers, it gives me more confidence in the service.
aph5 said:
Great, both options sound reasonable
Neat, didn't realise.
That at least does sound secure (without understanding it more) I suppose there may also be security issues beyond a dodgy .apk file if the Android device has been rooted - because I think that allows apps to work outside of their sandbox. Again, I don't know enough about that.
Thanks for the detailed answers, it gives me more confidence in the service.
Click to expand...
Click to collapse
Is it possible to transfer money to whomever you want with this app?
First off, I want to apologize if this information is either or both regurgitated and irrelevant.
I was looking for information on eMMC, and there really isn't much, and I found an old article that describes how data reliance works with eMMC. At least a cursory look.
One of the features of Reliance (and Reliance Nitro) file system is that it never overwrites live data. It will always use free space on disk or in case there is no space, it will give “disk full” error back to the application. Reliance also has a special transaction mode called “Application-controlled”. In this case, Reliance only conducts a transaction point when asked by the application.
Click to expand...
Click to collapse
Full article here. Information about integration with embedded linux, here.
What struck me was the "Application-controlled" part. It would explain the technology that is undoing changes to /system when the system kills the temp root. I wonder if its possible for temp root to trigger the "commit" function of reliance once some small changes have been made...
Hope this is of some use.
CyWhitfield said:
First off, I want to apologize if this information is either or both regurgitated and irrelevant.
I was looking for information on eMMC, and there really isn't much, and I found an old article that describes how data reliance works with eMMC. At least a cursory look.
Full article here. Information about integration with embedded linux, here.
What struck me was the "Application-controlled" part. It would explain the technology that is undoing changes to /system when the system kills the temp root. I wonder if its possible for temp root to trigger the "commit" function of reliance once some small changes have been made...
Hope this is of some use.
Click to expand...
Click to collapse
Just an FYI, system is an EXT4 FS. This would require not only a custom kernel, but a lot of one offs in the way it's dealing with data. From what I've seen, this isn't what they are using.
But that's a very good find, I am looking into some of the information. Never heard of this before.
Thanks for the info. I would love to find out more about how this memory technology works. More articles are welcome!
Isn't that basically just wear leveling?
Is your name Ben? Or are you perhaps searching on this because of a post that Ben made on HTC? His claim was that even with an unlocked bootloader, that the eMMC could still be locked and prevent us from getting root. This seems far fetched to me.
edufur said:
Is your name Ben? Or are you perhaps searching on this because of a post that Ben made on HTC? His claim was that even with an unlocked bootloader, that the eMMC could still be locked and prevent us from getting root. This seems far fetched to me.
Click to expand...
Click to collapse
In all reality, I'm thinking this is the eventuality. Sprint knows that with root access we can circumvent the WiFi tether that they want to charge you for. They would never be OK with that.
Sent from my PG86100 using Tapatalk
Just an FYI, system is an EXT4 FS. This would require not only a custom kernel, but a lot of one offs in the way it's dealing with data. From what I've seen, this isn't what they are using.
But that's a very good find, I am looking into some of the information. Never heard of this before.
Click to expand...
Click to collapse
Given that you have taken a much closer look at the inner workings than I have, I will defer to your observation with a caveat
According to wiki eMMC supports something called Reliable Write. This suggests that the reversion capability is a part of the eMMC standard. Reliance sounds more and more like a commercial implementation of this function decoupled from a specific media type. After looking it over again, nowhere in the article about Reliance is eMMC mentioned.
Isn't that basically just wear leveling?
Click to expand...
Click to collapse
Wear leveling is a byproduct of what reliable write is doing. The difference is the ability to defer commitment of file system changes, so that a failed system update wont brick the device.
I do not know if changes made to the device are immediate and revertable (i.e., if eMMC is not told to commit a write, the changes just "go away" when its remounted). Nor do I know if reversions can be made on the fly, as we are experiencing when temp root gets deactivation.
There really isn't much information out there about this that is easy to find.
Is your name Ben? Or are you perhaps searching on this because of a post that Ben made on HTC? His claim was that even with an unlocked bootloader, that the eMMC could still be locked and prevent us from getting root. This seems far fetched to me.
Click to expand...
Click to collapse
Neither. eMMC isn't "locked" per se. HTC is using some mechanism that will revert the contents of /system to a prior state when some unknown condition is met. I do not mean to suggest that this is being done through "reliable write" or "Reliance", since it has already been pointed out by someone much more knowledgable on the subject than I that a standard EXT4 file system is being used. I honestly have no idea. I found this information somewhat by accident, and thought that if it could prove useful I should share it here.
Something is dynamically protecting the contents of /system. Once the phone is rooted, I have no doubt that this "something" will be rendered quite impotent. If it were not possible to do so in the first place, OTAs wouldn't work
Sprint knows that with root access we can circumvent the WiFi tether that they want to charge you for. They would never be OK with that.
Click to expand...
Click to collapse
The first part of your statement is true, Sprint knows full well that we can circumvent their attempts to charge us for WiFi tethering with root access. They have known this for years. They also know that in reality there is no way they can completely prevent someone from tethering their phone in one way or another. Even without root access. Ref: PDANet.
In my opinion, this protection of the eMMC contents was designed to reduce support costs from failed OTA updates bricking phones, and perhaps as protection against malware that can attain root, not unlike what Temp Root does.
I am not as paranoid as some here and refuse to accept that this was done specifically to thwart efforts to root the phone. The vast (and i mean VAST) majority of people who buy this phone will never even consider rooting the devices. This same majority has a subset of people that are easily stupid enough to screw up an OTA update or download and install malware.
I will take it a step further and opine that the only reason HTC is unlocking the bootloader is because we are such a minority AND that by tinkering with an unlocked device, we are actually helping HTC improve their product. They would rather have a more appealing facebook page than worry about losing a minuscule fraction of wifi tethering income.m Moreover, take a good look at where Sprint stands in the market, and what they have done recently to improve their position. They are doing a lot of really cool things, and have taken impressive steps to improve customer service and corporate image. That they would allow this bashing of HTC to continue unabated over a handful of tethering dollars is unlikely.
I appreciate your canter, very informative. A thanks will come your way.
Sent from my PG86100 using Tapatalk
Does pdanet allow wireless tether? I didn't think it did.
Sent from my PG86100 using Tapatalk
Nutzy said:
Does pdanet allow wireless tether? I didn't think it did.
Sent from my PG86100 using Tapatalk
Click to expand...
Click to collapse
It doesn't act as a hotspot, no.
Sent from my PG86100 using XDA App
Nutzy said:
I appreciate your canter, very informative. A thanks will come your way.
Sent from my PG86100 using Tapatalk
Click to expand...
Click to collapse
Much appreciated!
Sent from my PG86100 using XDA App
So, I would be interested in hearing more thoughts on this. Is the eMMC independent of the OS? In other words, would a custom ROM have to obey and work with the eMMC? Or could a custom ROM be made to either disable the eMMC or make it do what we want?
edufur said:
So, I would be interested in hearing more thoughts on this. Is the eMMC independent of the OS? In other words, would a custom ROM have to obey and work with the eMMC? Or could a custom ROM be made to either disable the eMMC or make it do what we want?
Click to expand...
Click to collapse
I think you're misunderstanding this. The eMMC is the memory inside the device that everything is stored on. It replaced the old NAND chips in older devices.
The OS is stored & runs off of eMMC memory, it's not independent. If you were to 'turn off' the eMMC the device would do nothing. A lot of the security features available on the chip itself probably aren't in use. HTC has been using their own form of write protection since early last year, even on the NAND based Evo 4G. I'd stake a bet they're using the same system here, and we just need to find a way to flash the ENG bootloader like we did last year to get around it.
I agree with you. reliance is setup to ward against "unauthorized" changes to the /system partitions. i believe the developer community takes way too deep a look at each action made by a corporation (htc) and view them as "big brother", when infact most changes are actually approved, reviewed, and committed by someone in accounting with no technical skills whatsoever. these people are forced to look at the bigger scheme of things and make a decision about it (after working for sprint for almost 2 years now...i can tell you how many decisions are literally made by someone who has no idea what the heck he is making decisions on).
instead of looking at them "trying to stop the development community from unlocking wireless tether" look at them as a CEO (who most of the time has no technical knowledge) and a PR rep (who really only cares about how their company is viewed) and using this kind of encryption is only there to "safeguard" their devices against attacks.
one would think the secret to perm rooting the device is triggering the reliance write function so it commits the changes instead of reloading them. if /system doesnt get changed unless theres an OTA of some sorts....theres more than likely a hash table that reliance would check against to verify...so an OTA would need to write to that table first, then make the changes....
more than likely some other noob has already said something along those lines and been flamed for it as well...just throwing it out there....
newkidd said:
.........
one would think the secret to perm rooting the device is triggering the reliance write function so it commits the changes instead of reloading them. if /system doesnt get changed unless theres an OTA of some sorts....theres more than likely a hash table that reliance would check against to verify...so an OTA would need to write to that table first, then make the changes....
........
Click to expand...
Click to collapse
that stuck out in bold to me..... hmmmmmm
I probably was overlooking what eMMC was, however based on the links the user gave, I later learned a little more about its potential. It would appear that HTC is doing something along the lines of the operations expressed in the link. And if they are not fully replicating efforts, it would be a shame. I like the concept of wear leveling and efficient read/writes. It would be my hope that we could integrate all those functions within a custom rom.
I found a page on the Micron site on eMMC. In the tech notes section there are informational downloads for just one chip. Specifically, the Qualcomm QSC6695
You have to register to download them. A process I have already started. Their site claims it takes a half hour to register a new account.
Once I have the PDFs, I will attach them to the OP.
I don't know if this is the chip the evo 3d is using, but if it is these may prove beneficial to have.
EDIT: Nevermind. i'd have to sign an NDA first.
EDIT: Although, this looks interesting.
Geniusdog254 said:
A lot of the security features available on the chip itself probably aren't in use. HTC has been using their own form of write protection since early last year, even on the NAND based Evo 4G. I'd stake a bet they're using the same system here, and we just need to find a way to flash the ENG bootloader like we did last year to get around it.
Click to expand...
Click to collapse
Perhaps, but a hint at the design really tells me that it would only make sense to offload this protection to the eMMC. Posted a link just a minute ago with the eMMC "enablement" model in PDF form. Interesting read...
CyWhitfield said:
I found a page on the Micron site on eMMC. In the tech notes section there are informational downloads for just one chip. Specifically, the Qualcomm QSC6695
You have to register to download them. A process I have already started. Their site claims it takes a half hour to register a new account.
Once I have the PDFs, I will attach them to the OP.
I don't know if this is the chip the evo 3d is using, but if it is these may prove beneficial to have.
EDIT: Nevermind. i'd have to sign an NDA first.
EDIT: Although, this looks interesting.
Click to expand...
Click to collapse
VERY interesting link & read for sure
CyWhitfield said:
The first part of your statement is true, Sprint knows full well that we can circumvent their attempts to charge us for WiFi tethering with root access. They have known this for years. They also know that in reality there is no way they can completely prevent someone from tethering their phone in one way or another. Even without root access. Ref: PDANet.
In my opinion, this protection of the eMMC contents was designed to reduce support costs from failed OTA updates bricking phones, and perhaps as protection against malware that can attain root, not unlike what Temp Root does.
I am not as paranoid as some here and refuse to accept that this was done specifically to thwart efforts to root the phone. The vast (and i mean VAST) majority of people who buy this phone will never even consider rooting the devices. This same majority has a subset of people that are easily stupid enough to screw up an OTA update or download and install malware.
I will take it a step further and opine that the only reason HTC is unlocking the bootloader is because we are such a minority AND that by tinkering with an unlocked device, we are actually helping HTC improve their product. They would rather have a more appealing facebook page than worry about losing a minuscule fraction of wifi tethering income.m Moreover, take a good look at where Sprint stands in the market, and what they have done recently to improve their position. They are doing a lot of really cool things, and have taken impressive steps to improve customer service and corporate image. That they would allow this bashing of HTC to continue unabated over a handful of tethering dollars is unlikely.
Click to expand...
Click to collapse
I completely agree with all of that. Other carriers have taken many steps to try to prevent wireless tethering. They've asked google to filter certain apps from the market from their customers, they've sent out letters to their customers who they suspect of tethering, they've used ECM's to try to stop it.
But Sprint...they've been remarkably silent on that front. Hell they don't even seem to plan on putting any usage caps in place. In my opinion, I suspect that Sprint wants to be different from the other carriers. They can't outright allow tethering because people would go nuts with it and it would saturate their network. Instead they have this approach of telling you that you can't do it without paying extra, but they look the other way when you do.
I don't know if I fully agree on why HTC locks the phone so tight though. I mean they really went out of their way to make sure nobody touches it. There could have been far more simple countermeasures in place to prevent malware yet still be open to somebody who has physical access to the phone.
It can't be that Sprint insisted on it being that way, otherwise Sprint would have insisted that the Nexus S be fully locked, so I don't believe that this is a carrier issue at all, at least not as far as the Evo 3D is concerned.
One of my suspicions is that HTC may make a profit off of having certain apps installed, much in the way that PC OEM's get paid to preload different apps (e.g. norton.) It could be that they want to make sure that you can't remove them. However that profit they make off of these apps may be significantly offset by having a really negative facebook page, hence the decision to unlock.
Hard to say really.
I need to find a very good DEV who is available to work on a fairly large project.
I am a disabled yet still serving soldier, who has a need for a specific app. This app will help millions of people and I DO plan to market it to both VETS and
NON Vet disabled persons (as well as anyone else who wants it!) Vets will of course have either a free or reduced price option.
You will be required to know every aspect of a project DEV to include the GUI, images, background, visual aid, the Database, it has to "share" and export to several mediums including googleCal and Excel graphs. It may be built with a module style or have a lot of options that can be turned on or off. Some will be protected so it can't be turned off unless a password is entered depending upon the level of disability and functions needed per person.
I will expect a non-disclosure agreement. I have done the paperwork to protect my idea.
I will expect timely completion of phases as well as bug fixes. All of which I am very realistic about. We just need to be in daily or even hourly communication if needed.
This is a long term project that can lead to a permanent type of side job for all the ongoing updates/changes.
I need to get this moving while I am still able to keep track of what I actually need it to do. Your development skills will be instrumental in getting this up and running. You will have full liberty to do the app as you see fit as long as it meets the needs and has the ability to do each task I need. I really don't care how it is done as long as the outcome is correct. I have certain tasks that must be included, you are more than welcome to add your ideas as well.
Payment is of course Negotiable as either upfront or a portion of future income from sales, or possibly both. This will be agreed upon in writing for everyones safety, but this will really be more of a friendly work together type of environment.
Please msg me or reply here for more details.
(Mods, if this is is the wrong category, I apologize. Just move me and I will learn my lesson!)
Must have placed this in the wrong area! I can't seem find a good developer in the entire world that wants to take on a very lucrative (possibly like all good ideas are) project??
Wow Ok anyone know where I should look or post my "Programmer wanted" ad?
You would probably be better posting it in the developer forums rather than Q & A.
Good luck with your project!
All the best,
Ash
In the past, CM has allowed users to opt out of sending their data. It's recently decided to remove the "optout feature" (c'mon, is that really a "feature"), forcing users to eat it.
http://www.androidpolice.com/2013/0...pting-out-of-cm-stats-cyanogen-says-to-chill/
"Cyanogenmod Will No Longer Allow Opting Out of CM Stats-- Cyanogen Says to Chill"
in response, i kindly made this argument:
"A fundamental issue still exists. If the data is collected via a unique identifier, and it has a timestamp, then it isn't as anonymized as people think. Anyone with a basic understanding of data security knows that. I think the uproar has to do with the reputation of the team as the protectors and defenders of our platform...you give us choice. But when we see behavior that doesn't add up, were naturally going to believe you've used that position in the community to do evil. We understand you want the the data.
What doesn't make sense, and the natural road for us all to go down:
1) is this being used to monetize CM?
2) installation data: to include location, language, device, build version, and carrier, are all things that can be identified using a single, static event report. Why should we be comfortable with an always-collecting, transmitting-in-the-background service? What's the use-case for this? You've said yourself that Google Play apps themselves often collect this data..why is that method insufficient for CM? And why should we have to expect the same from you guys as we do from everyone else. Surely there's a way to collect the necessary data you need with a scalpel, negating the need for a device drag-net like this.
In all seriousness, i trust CM to do the right thing...i just can't tell right now if they've done the lazy thing, and created a service which is omnipresent, omnipotent, running in the background and silently spying on me, just so CM can tell which language my device is running, my general location, my build information, etc.
That's fine, it's simple data, and it's fairly straight forward.
The question is, if you needed that data (which CM says it does), then why are you collecting a much, much more complicated data set, and why won't a simple installation report do? Why won't running for a short period of time...say, 5-7 days do?
Why did they take the Carrier IQ route?
Maybe they want it just so they can have it. As Koushik stated on the google plus post (where he does a great job at assuaging some fears, and creating others):
"---Did you know over half of our users are in China? They just passed the US in terms of CM installation base.
Call it ego surfing, but the data is incredibly useful."
So they're collecting all this data, without a need? It's obvious why it's extremely useful to understand, say....which language most of your users use, etc. But you don't need a 24/7 service to find out what language people use your device in.
Anyways, here's the Google + Post:
https://plus.google.com/103583939320326217147/posts/GwnzKJijBKj
Here, he has, however, provided a screenshot of your data in action, assuaging the fears of most (we never truly get to see what our data looks like after its sent through the mizteereeus pipez of the interwebz, magically transformed, and then spit back out to an analyst), and he even tells you a bit about what data it collects. What he doesn't say, is why on earth submitting the data once, after installation, in a single report wont do, or why a build report once a week, or however often, wont do.
That's the end of my tinfoil hat tirade. Like i said, i love CM, i trust them, but i'm disappointed. The reasons i listed above are arguments made to explain why people are raising hell because of this. I don't believe they'll do anything nefarious, and personally, they can ego=surf with my data all they want. It IS pretty cool. Maybe the move was a tad bit short-sighted though, because they may have gotten a bit out of touch with their users, and their users opinion of them-- and that's what my posts were supposed to do...they were supposed to bring the way I (and other's) think about them more in line with reality.
Edit: It's important to note that, as explained to us by CM, CM Statistics calls home upon reboot. Whether it runs all the time, or just for a nanosecond upon reboot, or 24/7 is important as well, but I'm unable to verify any of this, because my github skills are w34ks4uce. If we had a independent dev who could take a look at CM Stats and then explain exactly (key word) what it was collecting, that'd be über helpful....but it wouldn't mean anything in the long run. Because I was viewing the macroscopic effects of the decision. A comprehensive announcement and explanation wold probably have been prescient, because the information contained in the Google+ post is just as key as the announcement itself-- the stigma of collecting data is far to strong to just say one day-- "sneaky, sneaky--no more opting out".
Nothing has changed here, only the fact that it's enabled by default vs opt-out. The dataset hasn't changed.
Don't use it if you don't like it. They are not spying on you. WITHOUT stats they would have zero visibility to what is actually used. Download data is trash compared to actual usage.
And what if they decide they want to improve Language X translations, but only 10 people use it? Worth it? Or what about Device Y that only a handful of people are still clinging onto? Resources can be used in better ways.
I knew I'd see a post crying about this eventually...
If this thread turns into a flame fest it will be locked
As for data collection...you are using Android right?
Also check the permissions to all those third party apps.
Thanks in advance for keeping this thread civil or ignoring it.
Friendly Neighborhood Moderator
I take my privacy seriously, as I'm sure most of us do. As mentioned previously market apps gain a certain amount of info from us.
Maybe CM should have a free version with no opt out or a pay version with one (key maybe). That should make everyone happy.
Sent from my SAMSUNG-SGH-I717 using xda premium
khaytsus said:
Nothing has changed here, only the fact that it's enabled by default vs opt-out. The dataset hasn't changed.
Don't use it if you don't like it. They are not spying on you. WITHOUT stats they would have zero visibility to what is actually used. Download data is trash compared to actual usage.
And what if they decide they want to improve Language X translations, but only 10 people use it? Worth it? Or what about Device Y that only a handful of people are still clinging onto? Resources can be used in better ways.
I knew I'd see a post crying about this eventually...
Click to expand...
Click to collapse
This.
Whoooooooo caaaares delete thread
RoOt-[]D [] []V[] []D-BeEr
Solution to all this: OpenPDroid
briand.mooreg said:
I take my privacy seriously, as I'm sure most of us do. As mentioned previously market apps gain a certain amount of info from us.
Maybe CM should have a free version with no opt out or a pay version with one (key maybe). That should make everyone happy.
Sent from my SAMSUNG-SGH-I717 using xda premium
Click to expand...
Click to collapse
I think this is a brilliant idea, regardless of the status of CM Stats. A paid version with a extra feature set would be awesome.
As far as the argument for data like language, region, build, etc. I think we can say conclusively that this could be handled by a installation report, that runs once after installation or upgrade.
The type of data they need doesn't neccesitate a background service, which is why its naturally suspicious.
Sent from my Transformer using XDA Premium HD app
btswein said:
This.
Click to expand...
Click to collapse
I though is was enabled by default. Is this something the devs choose? Upon installation, i see a "cm statistics is running" banner in notification. Even so, what's changing, is their removing opt out all together.
Sent from my Transformer using XDA Premium HD app
http://review.cyanogenmod.org/#/c/35047/
well there you have it:
Commit MessagePermalink
Restore the opt-out for stats.
* Apparently this is a bigger issue for a small number of extremely
vocal users. We should respect their wishes, no matter how off-base
their claims are in this context.
Change-Id: I9eef9a65260ec4e360d398f80d610a198c09c915
Thanks to: khaytsus
for posting the link
khaytsus said:
http://review.cyanogenmod.org/#/c/35047/
Click to expand...
Click to collapse
Is there a way we can educate/frame a conversation around how to do this in a way accepting of the vocal crowd? Perhaps an outreach campaign, minimal in effort that might encourage more users to opt in? This is an area where fundamental good can be done. The same people who've been vocal should have no problem explaining what would get them to opt in.
I think this whole thing might have been a brief thing, but if the statistics really help the project, we can all have our cake and eat it too.
Sent from my SAMSUNG-SGH-I717 using XDA Premium HD app
khaytsus said:
I knew I'd see a post crying about this eventually...
Click to expand...
Click to collapse
You knew you'd see a post crying about this because of all that data your collecting told you lol!
Just teasin!
I would have just frozen the background service. ...
We rooty types can do that sort of thing now days. ..
And just to prevent the assumption that I missed the point of the OP. ...I didn't, and can only imagine the amount of target data our carriers pull by simply using our device. (See lengthy contract and service agreement of your carrier)...
CM data is small potatoes by comparison. ..and while quite useful to them in the generation of custom firmwares, it's a useless data source for us.
I've freely given cyanogen my data for years. And in return Steve has given me high quality work for my trouble. .....privacy concerns accepted. ....g
The easiest way to prevent CM from getting any data from you is too not install, not really that hard to figure out.
Sent from my SAMSUNG-SGH-I717 using xda premium