Related
Hi everyone,
I tried to gather some information to install OpenVPN on the Galaxy Tab 10.1, but could not complete the install.
I already installed successfully OpenVPN Installer, BusyBox Installer, OpenVPN Settings, copied tun.ko to modules folder (/system/lib/modules).
I ran those commands (first had read only errors but eventually succeeded with adb console) :
insmod /modules/tun.ko
ln -s /system/bin/busybox/system/xbins/bb/ route
ln -s /system/bin/busybox/system/xbins/bb/ ifconfig
Then, when i launch OpenVPN Settings, it starts connecting but finally says "FATAL: Linux ifconfig failed, could not start external program".
Anybody could tell me how to do it properly? Is it even possible on the Galaxy Tab 10.1?
Many thanks!!!
I'm about to try it right now, I have ovpn running on my galaxy s, just going to create certificates for my tablet, and copy the config across and see if it works.
I believe the default kernel includes tun support.. or so I have been told.. will find out I guess.
Thanks! Keep me updated please.
Anyone able to make progress on getting openvpn working?
Hi. I just wanted to add that if anyone have any more info on openvpn and tun.ko for the gt-7100 that i too would be greatful.
Vissie
I have openvpn working. I installed busybox installer, openvpn and openvpn settings from the market place.
I Used root explorer and made the directory /system/xbin/bb. I also used root explorer to make this directory read/write. Then I used a terminal app to do
Su
ln -s /system/xbin/route /system/xbin/bb/route
ln -s /system/xbin/ifconfig /system/xbin/bb/ifconfig
after this make the directory read only. In openvpn settings point tun.ko path to
/data/media/openvpn/openvpn/tun.ko
add your config and that should do it
i still can't connect
Well when i comment
iproute /data/local/bin/iproute-wrapper.sh
Click to expand...
Click to collapse
openvpn connects but i cant browse my local lan
when i uncomment this line nothing happens when i try to connect
what did i missed?
one more question - im using ccd folders with different push commands on my vpn server - this doesnt seem to work aswell.
Anyone could post stepby step iproute configuration for our devices?
thanks
Wojtek
I've been trying again and again.
I always get "FATAL: Linux ifconfig failed, could not start external program".
Anyone could post a complete tutorial ?
Thanks.
I did it!!!
I installed OpenVPN Installer, BusyBox Installer, OpenVPN Settings, copied tun.ko to modules folder (/system/lib/modules), then copied the configuration files of my VPN (ca.crt and client.ovpn) to /sdcard/openvpn.
I ran those commands with adb tools :
mount -o remount,rw /system
insmod /modules/tun.ko
mkdir /system/xbin/bb
ln -s /system/xbin/busybox /system/xbin/bb/ifconfig
ln -s /system/xbin/busybox /system/xbin/bb/route
In the advanced settings of OpenVPN Settings, the path to tun module is "/system/lib/modules/tu", the path to configurations is "/sdcard/openvpn" and the path to openvpn binary is "/system/xbin/openvpn".
Then i launched OpenVPN Settings, entered the username and password and it connected.
I hope it can help...
Which kernel are you using -- stock or ??
I'm running the stock kernel.
can you please tell me......
armavista said:
I installed OpenVPN Installer, BusyBox Installer, OpenVPN Settings, copied tun.ko to modules folder (/system/lib/modules), then copied the configuration files of my VPN (ca.crt and client.ovpn) to /sdcard/openvpn.
I ran those commands with adb tools :
mount -o remount,rw /system
insmod /modules/tun.ko
mkdir /system/xbin/bb
ln -s /system/xbin/busybox /system/xbin/bb/ifconfig
ln -s /system/xbin/busybox /system/xbin/bb/route
In the advanced settings of OpenVPN Settings, the path to tun module is "/system/lib/modules/tu", the path to configurations is "/sdcard/openvpn" and the path to openvpn binary is "/system/xbin/openvpn".
Then i launched OpenVPN Settings, entered the username and password and it connected.
I hope it can help...
Click to expand...
Click to collapse
You said you run stock kernel, but what rom are you on: kmb, kme?
Also, can you please point me to the tun.ko file or a pointer of where I can get it.(the one that you have working)
Much thanks.
The version of my kernel is [email protected] #1.
ROM : HMJ37.UEKF3 P7510UEKF3
I attached the tun.ko file i used for you.
Keep me updated...
I managed to make openvpn work.
I am using openvpn setting software.
For galaxy tab 10.1, the openvpn binary and the associated lib liblzo.so is missing, so you just need to copy those two files from , say cm7 sources.
Simply download the attachment and extract it, there are two files:
openvpn : copy it to /system/xbin/openvpn ( don't forget chmod 755 to it )
liblzo.so: copy it to /system/lib/liblzo.so ( don't forget chmod 644 to it )
I have tested it on my galaxy tab 10.1 P7510, works great.
Hoping this would help.
Sorry to mention, i am using starburst kernel which already have tun support in the kernel.
For stock kernel, maybe you need to have matched tun.ko copied from elsewhere.
I get this message
[email protected]:/ # insmod /modules/tun.ko
insmod: can't open '/modules/tun.ko
I pushed tun.ko to /system/lib/modules via adb , though I cant see it with root explorer
If it's there tou should be able to see it with root explorer
I run GT-P7500, Kernel 2.6.36.3, [email protected] #1, buildnr HMJ37 P7500XXWKG9, baseband XXKG7, ).
I have seen statements that there is no tun.ko in the kernel and the available versions of tun.ko do not work with the 3.1 Honeycomb kernel, I have.
I do not have a folder called modules under /system/lib, shall I create one.
The directory modules I have is /lib/modules/...
insmode did not work.
I run openvpn from the shell and it stops after establishing the TCP connection, this is just before establishing the tun...clearly I am still missing the tun.
Does anyone else experienced same problem or have a solution?
Hi I'm having a nightmare trying to get openvpn installed.
When I do the insmod /modules/tun.ko i get
the following
[email protected]:/ # insmod /modules/tun.ko
insmod: can't open '/modules/tun.ko'
255|[email protected]:/ #
any idea what I'm doing wrong
Hey everybody.
I also have some problem with openvpn connection.
At first i turn on openvpn the start the configuration (at the same time i started a ping on my server: ping 300.300.300.300 -t)
After that my ping works for 12 - 14 times. After the 12 + 14 times then it shows "out of time" error message.
What have i done wrong? (Every 5 seconds at the bottom of my tab it shows "myvpn.openvpn: Connected"
Preferences:
Samsung Galaxy Tab 10.1 Rooted
Android 3.1
Newest Busybox
Done everything from the tutorial of this topic
Update: When i turn the tun module on then the ping only works for about 9 times.
After about 20 failed pings, the pink works again for the amount i wrote.
Problem:
Tethering problem with my RAZR XT910,PSHAsiaRetail.en
Findings:
Not NAT rule enabled in netfilter.
Solution: This is my simple solution.
0)
Code:
adb shell
1) Get root access.
Code:
$ su
2) Enable NAT in netfilter using iptables, by inserting the rule.
Code:
# iptables -t nat -F
# iptables -t nat -A POSTROUTING -o qmi0 -j MASQUERADE
3) Check with # iptables -t nat -nvL
Example
Code:
# iptables -t nat -nvL
0 0 MASQUERADE all -- * qmi0 0.0.0.0/0 0.0.0.0/0
Conclusion:
Very bad/immature tethering implementation by Motorola.
Updates: 2012--07-13
For ICS 4.0.4 Motorola had changed the FORWAD chain to DROP, and we need change it back to ACCPET to make successful tethering.
Code:
adb shell 'su -c "iptables -F; iptables -P FORWARD ACCEPT; iptables -t nat -A POSTROUTING -o qmi0 -j MASQUERADE"'
Update 2 2012-07-13
Finally ... the CORRECT way to set up tethering... goto post #21
http://forum.xda-developers.com/showpost.php?p=28698646&postcount=21
Thank you.
Thanks for this! Works well.
Hello to both of you,
this tip is very interesting!
Is there a way to make the same thing under Windows?
Thanks for your help!
Windows? You even can run the commands without connecting to PC/Laptop.
If you want to use Windows, get adb and related driver for windows.
1) Connect your RAZR and let windows 'see' and install driver
2) Start-> Run -> cmd
3) cd \to\path\where\you\put\the\adb.exe
4) adb.exe shell
Now you should get command prompt $ and ready to run commands.
5) $ su
The prompt will change to #, which mean you are going to run commands using 'root' or supervisor power/authority.
6) Type or copy the commands in my previous post.
You also can use Andriod terminal emulator, such as Connectbot in local mode, and continue from step 5)
Good luck.
Thank you.
Hello Bahathir,
I didn't remember the very useful android terminal emulator!
Your tip worked great! Thanks a lot man!
I wonder how Motorola can forget something like that...
Sent from my XT910 using XDA Premium App
the problem turns back by restarting
Hi,
Thanks for your tip, it works very well but after I restart the phone same problem and I need to reenter the codes!
any comments?
Cheers,
Ardal
Yes, I forgot to mention that, this method is temporary. You need to run the commands after reboot. But, it's still better than nothing.
Sent from my XT910 using XDA App
unbelievable bug it this motorola (( hey, I have an idea but dont know how to make it (working on it):
to put these two line commands somewhere like autoexec.bat (I don't know what is equivalent in android)
So you guys know better than me about android, what do you think?
Cheers,
Ardal
Yes ,and it's called init.d or rc.d.
Sent from my XT910 using XDA App
Already done, by help of script manager. Set your commands as a script in etc/init.d/ with SU permission, boot.
I have also sent an email to Motorola Australia and asked them to release an update to solve this problem.
Thank you for the follow up with Motorola. Please update and share us their responses.
Actually, the commands should be invoke when we start tethering ,and should be removed when we stop tethering for enhanced security.
Sent from my XT910 using XDA App
Hi fellow!
Thanks for the tip! It really helped!
I don't know if Motorola "forgot" it, I think it was a way to block Tethering...
Anyway, I managed to permanently apply these modifications without need permanent root. BUT I'M NOT RESPONSIBLE FOR ANY DAMAGE YOUR DEVICE SHOULD HAVE! YOU MUST HAVE A MINIMUM LINUX KNOWLEDGE TO SAFELY EXECUTE THESE STEPS!
1) You will need adb working and the zip file with the scripts necessary to root Droid Razr on Linux / MAC (you can easily find it...)
2) From that zip, take zergRush and extract to a folder.
3) Plug the phone with USB debugging enable and execute:
adb shell 'cd /data/local/tmp/; rm *'
adb push zergRush /data/local/tmp/
adb shell './data/local/tmp/zergRush'
At this point, zergRush will try to obtain root.
After the execution, enter in shell (adb shell), you will see that you will be logged as root! The good point is that it is temporary, if you reboot your device and delete everything on /data/local/tmp/ your device will be exactly the same as it was before root.
4) So, with root access, get rc.local:
adb pull /etc/rc.local
REMEMBER TO BACKUP THIS FILE!
5) Be careful now: edit rc.local and add the following lines:
# Enable Tethering
# http://forum.xda-developers.com/showthread.php?t=1435619
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o qmi0 -j MASQUERADE
at the end of file, just before:
exit 0
OBS.: look that I have modified the original rule and added '-s 192.168.42.0/24'. Here, all devices connected to my RAZR in tethering mode has an ip from LAN 192.168.42.0/24. So, the masquerading will only work when package is coming from this LAN. I think it should increase security and avoid some problems. But remember, if you set up wifi router to assign an IP from another LAN you will have to add another rule!
6) Save and push it back:
adb push rc.local /etc/
7) Enter in shell and gives rc.local permission to be executed:
adb shell
cd /etc
chmod 755 rc.local
exit
8) After it, reboot and the change should be persistent.
I have tested it and, even after a factory reset, the changes are persistent!
Now I can successfully use Wifi and USB tethering.
Thanks one more time for these great information!
Also, I want to thanks tophyr from freenode #android-dev, myn from EFnet #android, and rob0 from freenode #Netfilter.
Ronan
Hi fellows,
EDITED: the problem was gone after I repositioned my router
I'm having a big trouble.
When I enable this, my Wifi connection becomes very unstable. It keeps disconnecting if I heavily use it. Any ideas?
Ronis_BR said:
Hi fellows,
EDITED: the problem was gone after I repositioned my router
I'm having a big trouble.
When I enable this, my Wifi connection becomes very unstable. It keeps disconnecting if I heavily use it. Any ideas?
Click to expand...
Click to collapse
Android Wifi Tether 3.1-beta11, now available for download... http://android-wifi-tether.googlecode.com
Requires root, though... Don't you need root to run iptables anyway? Definitely needed to edit the rc file.
tekahuna said:
Android Wifi Tether 3.1-beta11, now available for download... http://android-wifi-tether.googlecode.com
Requires root, though... Don't you need root to run iptables anyway? Definitely needed to edit the rc file.
Click to expand...
Click to collapse
Yes, you need root to edit rc.local, but, after pushing it back, you don't need it anymore.
Ronis_BR said:
Hi fellow!
Thanks for the tip! It really helped!
I don't know if Motorola "forgot" it, I think it was a way to block Tethering...
Click to expand...
Click to collapse
FYI, my RAZR XT910 is contract free and not from VZW. It also has Hotspot and tethering features. That why I said, the it is the bad implementation at the first place.
# Enable Tethering
# http://forum.xda-developers.com/showthread.php?t=1435619
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o qmi0 -j MASQUERADE
Click to expand...
Click to collapse
Yes, but, to be sure the FORWARDING is enabled, add this line
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable IP Forwarding in kernel
The ip_forward is 1, when you enabled the Hotspot/tethering, but just in case, if Motorola also disable the IP Forwarding in kernel. Yes, the netfilter's rules NEEDs the ip_froward value to be 1, to make the NATting to works.
BTW, I did not add the '-s 192.168.2.0/24' because, the NATting will not work if user change the hotspot default IP to other than 192.168.2.xxx.
Thank you and great job. I think this is not only for RAZR, but also for most Android smartphones which has 'iptables' command.
Good luck.
Great
bahathir said:
Problem:
Tethering problem with my RAZR XT910,PSHAsiaRetail.en
Findings:
Not NAT rule enabled in netfilter.
Solution: This is my simple solution.
1) Get root access.
2) Enable NAT in netfilter using iptables, by inserting the rule.
Code:
# iptables -t nat -F
# iptables -t nat -A POSTROUTING -o qmi0 -j MASQUERADE
3) Check with # iptables -t nat -nvL
Example
Code:
# iptables -t nat -nvL
0 0 MASQUERADE all -- * qmi0 0.0.0.0/0 0.0.0.0/0
Conclusion:
Very bad/immature tethering implementation by Motorola.
Thank you.
Click to expand...
Click to collapse
Working great on 2.3.6 Stock, thank you!!!!!
ichi go said:
Hello Bahathir,
I didn't remember the very useful android terminal emulator!
Your tip worked great! Thanks a lot man!
I wonder how Motorola can forget something like that...
Sent from my XT910 using XDA Premium App
Click to expand...
Click to collapse
you can save to a shell script, let say mytether and execute ./mytether.sh later on...
but the init file is much convenient.
Any idea why doesn't work on Asia.03 ICS was what fixed issue in Asia.03 GB.
Sent from my XT910 using xda premium
Yes.
It is because Motorla had changed the default FORWARD chain policy to DROP, and all packets which going out from other IPs going through it will be dropped and ignored. So no connections for client's.
Here is the default rules.
Code:
$ adb shell 'su -c "iptables -nvL"'
Chain INPUT (policy ACCEPT 460 packets, 282K bytes)
pkts bytes target prot opt in out source destination
0 0 all -- !lo+ * 0.0.0.0/0 0.0.0.0/0 ! quota globalAlert: 2097152 bytes
145 8251 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
343 270K all -- * * 0.0.0.0/0 0.0.0.0/0 owner socket exists
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 325 packets, 34323 bytes)
pkts bytes target prot opt in out source destination
0 0 all -- * !lo+ 0.0.0.0/0 0.0.0.0/0 ! quota globalAlert: 2097152 bytes
145 8251 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
319 34011 all -- * * 0.0.0.0/0 0.0.0.0/0 owner socket exists
Chain costly_shared (0 references)
pkts bytes target prot opt in out source destination
0 0 penalty_box all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 owner socket exists
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain penalty_box (1 references)
pkts bytes target prot opt in out source destination
Look at the FORWARD chain and other bizarre rules. We can change it to a more cleaner rules.
Code:
adb shell 'su -c "iptables -F; iptables -P FORWARD ACCEPT; iptables -t nat -A POSTROUTING -o qmi0 -j MASQUERADE"'
1) iptables -F : Flush/remove all rules
2) iptables -P FORWARD ACCEPT : Change the default FORWARD chain policy to ACCEPT, which allow all traffic goes through
3) iptables -t nat -A POSTROUTING -o qmi0 -j MASQUERADE : Enable the NAT rule.
Enjoy the tethering and good luck.
Thank you.
I have a rooted a GT-I9195 (SGS4-mini) done with CF-Auto-Root and the latest Busybox. I then decided to use the "Ssh server" from The Olive Tree, since it is simple, small, free, but unfortunately have ads. For on-device/local shell, I use the Android Terminal Emulator and everything works great, including su and shell environment.
However, I have a really strange bahaviour when connecting using ssh via WiFi, and trying to su.
First when connecting via ssh, I get the following message.
Code:
[SIZE=2]$ ssh -2 -4 -t [email protected] -p 50555
Authenticated with partial success.
[email protected]'s password:
/system/bin/sh: No controlling tty: open /dev/tty: No such device or address
/system/bin/sh: can't find tty fd
/system/bin/sh: warning: won't have full job control
[email protected]:/ $[/SIZE]
I have Googled this and there's little useful info. On one site they even say:
Code:
[SIZE=2]Getting a controlling tty
[B]How does one get a controlling terminal? [COLOR=Red]Nobody knows[/COLOR], this is a great mystery.[/B]
The System V approach is that the first tty opened by the process
becomes its controlling tty. The BSD approach is that one has to
explicitly call
ioctl(fd, TIOCSCTTY, ...);
to get a controlling tty.
Linux tries to be compatible with both, as always, and this results in
a very obscure complex of conditions. Roughly:
The [B]TIOCSCTTY [/B]ioctl will give us a controlling tty, provided that (i)
the current process is a session leader, and (ii) it does not yet have
a controlling tty, and (iii) maybe the tty should not already control
some other session; if it does it is an error if we aren't root, or we
steal the tty if we are all-powerful.
Opening some terminal will give us a controlling tty, provided that
(i) the current process is a session leader, and (ii) it does not yet
have a controlling tty, and (iii) the tty does not already control
some other session, and (iv) the open did not have the [B]O_NOCTTY[/B] flag,
and (v) the tty is not the foreground VT, and (vi) the tty is not the
console, and (vii) maybe the tty should not be master or slave pty.
[/SIZE]
Now this is not the end of the world, if it was not that it doesn't understand normal terminal control characters and in addition, when I do su, I loose the command prompt. However, using the "-i" (interactive) switch gets me the "#" prompt, but environment is still completely messed up:
Code:
[SIZE=2][email protected]:/ $ [B]su -c /system/bin/sh -i[/B]
/system/bin/sh: No controlling tty: open /dev/tty: No such device or address
/system/bin/sh: can't find tty fd
/system/bin/sh: warning: won't have full job control
[email protected]:/ #[/SIZE]
I've never had or seen this issue before. Any ideas?
(Also, where would I put a source to my .bashrc and make sure it runs when su'ing or ssh?)
PS. The phone is using a stock 4.2.2 SELinux kernel.
Code:
[SIZE=2]Device: Samsung Galaxy S4 Mini LTE (GT-I9195)
Board/Platform: MSM8930AB (Snapdragon 400)
Baseband: I9195XXUBML4
Kernel: 3.4.0-2340422
[email protected] #1
Build: JDQ39.I9195XXUBML4
SE: SEPF_GT-I9195_4.2.2_0022
ro.build.date: Sat Dec 21 01:46:00 KST 2013
ro.build.description: serranoltexx-user 4.2.2 JDQ39 I9195XXUBML4
[/SIZE]
I still have no idea of what's causing those error messages above, also because logcat is not telling us anything interesting either. Only as Warning from "System.err", but without any useful information. However, I have got some improvement in the terminal behavior when doing the initial ssh connection.
One problem seem to be that the TERM environment variable was copied from local machine (PC side) to remote server (Android phone), thus giving TERM=cygwin to the Android shell. This can be disabled or changed as follows.
Some relevant SSH options:
Code:
[SIZE=2]
-e escape_char
Sets the escape character for sessions with a pty (default: `~'). The escape
character is only recognized at the beginning of a line. The escape charac-
ter followed by a dot (`.') closes the connection; followed by control-Z sus-
pends the connection; and followed by itself sends the escape character once.
Setting the character to "none" disables any escapes and makes the session
fully transparent.
-T Disable pseudo-tty allocation.
-t Force pseudo-tty allocation. This can be used to execute arbitrary screen-
based programs on a remote machine, which can be very useful, e.g. when
implementing menu services. Multiple -t options force tty allocation, even
if ssh has no local tty.
[/SIZE]
Some relevant SSH -o options:
Code:
[SIZE=2][B]RequestTTY[/B]
Specifies whether to request a pseudo-tty for the session. The argument may
be one of: "no" (never request a TTY), "yes" (always request a TTY when stan-
dard input is a TTY), "force" (always request a TTY) or "auto" (request a TTY
when opening a login session). This option mirrors the -t and -T flags for
ssh(1).
[B]
SendEnv[/B]
Specifies what variables from the local environ(7) should be sent to the
server. Note that environment passing is only supported for protocol 2. The
server must also support it, and the server must be configured to accept
these environment variables. Refer to AcceptEnv in sshd_config(5) for how to
configure the server. Variables are specified by name, which may contain
wildcard characters. Multiple environment variables may be separated by
whitespace or spread across multiple SendEnv directives. The default is not
to send any environment variables.
[/SIZE]
So by using the ssh -T option (which is equivalent to using '-o RequestTTY="no"'), we are disabling "pseudo-tty allocation" which doesn't work anyway, but with the effect of not forwarding local TERM to server, and thus setting it to default "vt100" which accepts backspace (but not insert). But a better way is to actually set the TERM variable on our own. This is done by simply adding it as a prefix to the ssh command like this:
Code:
[SIZE=2]TERM=[B]vt220[/B] ssh -t [email protected] -p 50555[/SIZE]
(This effectively, but temporarily overrides the local TERM value and forwards it to remote server shell.)
RanTime!
Since Google intruduced the SELinux/SEAndroid features, they have essentially fukced up the entire AOS ecosystem as based on good-old normal Linux environments and all the years of standards therein. Basically nothing works as before and as logically intended or preferred and I bet from now on, developers will have to spend a significant and expensive time, on just trying to setup their various developer environments and jump through the hoops of dikchead Google engineers, rather than on actual developing. A very sad story all thanks to the populist "security" eye-candy marketing.
The SU time!
Apparently after having read about the various quirks and issues in using an SELinux Enforced based AOS {4}, it seem that the issue from OP is probably due to one of 3 things or a combination thereof.
My su binary (SuperSU 1.94) is not yet handling SElinux properly
The SSHd server is not handling SELinux properly
Lack of properly set SSH and SHELL environment files on the server side
As for (1) I just have to wait and see. For (2) we can only test with other SSHd servers/solutions which I don't know what to use. (They're all, either not free or full of ads. WTF!) And finally, for (3) we can only test, since I don't have the source code...
Unfortunately listing the SuperSU (1.94) command line options is not very helpful, since they're rather poorly explained. While some of the option themselves just doesn't work (for me). It would have been great if @Chainfire could write a more detailed how-to {2} for all these options, but then again we should be extremely grateful he's written anything at all.
Code:
[SIZE=2]Usage: su [options] [--] [-] [LOGIN] [--] [args...]
------------------------------------------------------------------------------------
Options:
-c, --command COMMAND pass COMMAND to the invoked shell
-cn, --context CONTEXT switch to SELinux CONTEXT before invoking
-h, --help display this help message and exit
-, -l, --login pretend the shell to be a login shell
-m, -p,
-mm, --mount-master connect to a shell that can manipulate the
master mount namespace - requires su to be
running as daemon, must be first parameter
--preserve-environment do not change environment variables
-s, --shell SHELL use SHELL instead of the default detected shell
-v, --version display public version and exit
-V display internal version and exit
Usage#2: su LOGIN COMMAND...
Usage#3: su {-d|--daemon|-ad|--auto-daemon|-r|--reload}
auto version starts daemon only on SDK >= 18 or
if SELinux is set to enforcing
Usage#4: su {-i|--install|-u|--uninstall}
perform post-install / pre-uninstall maintenance
[/SIZE]
References:
[1] [Chainfire G+] Next Android version: even more breakage
[2] [Chainfire] How-To SU (Guidelines for problem-free su usage)
[3] SuperSU Download
[4] [Google] Validating Security-Enhanced Linux in Android
From THIS very old post by @mirabilos , it is possible that command-line TAB-completion and up-arrow is not working on all mksh binaries. So perhaps we just need a new static mksh binary installed?
Tab expansion is pretty broken on BSD with xterm and GNU screen, but the same seems to work better on ssh’ing out to Linux, I wonder why, since all software involved is the same… except tput though. But it works like that and is usable. With post-R40 mksh, you can get about with even less hacks (more similarity to AT&T ksh).
Click to expand...
Click to collapse
However, this still doesn't explain why I have no controlling tty for ssh sessions.
Also I tested a new and different SSH server called SSHelper, which has more features and is better maintained, without ads, but is also 6 times larger at ~ 6MB, because of included OpenSSH, FTP and webserver log functionality. When logging in via ssh I get:
Code:
...
Server refused to allocate pty
Followed by an empty non-responsive connection.
Is this the same as […]this problem elsewhere? Man, I'm searching for ideas and keep coming back to your questions all over the 'net
To clarify, I talked to someone at Google; they renamed mksh into just sh lately, but this should have no adverse effect. They currently ship R48 and “would have updated it if I knew there was a new version”. That being said, the code of the shell itself is not at fault here.
The “no controlling tty” message here is a red herring: you do not have access to a tty at all, let alone a ctty
As I said elsewhere, use “ssh -t” and either change the SELinux policies to allow pty/tty pair allocation, or disable it (possibly set it into permissive mode).
@mirabilos: Yes, thanks for that info. I haven't updated this thread since I started it, in anticipation of a writeup about SELinux. However, that proves to be a little over my head, so it will take some time. What is clear though, is that the above problem is connected with the SEAndroid protection mechanisms, which in turn have been mangled and incorporated into Samsungs KNOX.
Also I have been busy making the SSHelper support thread:
[APP][INFO|SUPPORT] SSHelper (The free Android SSH Server Application)
There I have also added a small section about mksh.
@ E:V:A - I recently put together a little package containing all necessary bins/scripts to create a SSH server (via dropbear and dropbearkey) (properly secured, not public) and connect with a SSH client (ssh). The package also contains bins/scripts to create a Telnet server (via utelnetd) and connect with Telnet client (via "static busybox" telnet). Everything works with superuser that I've tested. Linked in my signature and attached to post as well.
Instructions (for anyone who sees this and would like a guide)::
Basically just extract it anywhere with:
Code:
tar -xf easy.ssh.and.telnetz.clients+servers.tar.gz
(if it's in /sdcard/Download which is probable, do "cd /sdcard/Download" then run the above)
Change directory inside the folder:
Code:
cd ./ssh.telnetz
There are 6 scripts: ssh.start(connect to ssh server via ssh), sshd.start(create ssh server), ssh.kill(kill ssh processes and remove ssh server keys), and... 3x telnet scripts for the telnet equivalents.
Running scripts and optional parameters:
Code:
./telnetd.start [ shell ]
e.g. TELNET_PORT=8080 ./telnetd.start /system/bin/mksh
./telnet.start [ ip port ]
e.g. ./telnet.start 192.168.0.3 8080
./sshd.start [ <dropbear_flags_and_options ]
e.g. ./sshd.start (default port is 8090)
./ssh.start [ ip port shell ]
e.g. ./ssh.start 192.168.0.3 8090 /system/bin/mksh
Default ip is the loopback 127.0.0.1 so you can test running a server and connecting to it on your phone at the same time. Just change params as described above to connect from/to your phone (phone is client/server).
***As far as I have tested on Android 4.4.4, this works perfectly as root or restricted user. You can get a su'd ssh shell by starting the sshd.start with /system/xbin/su or just entering su after you've connected as a restricted user.***
I've finally found a work-around for the crippled /dev/pts job-control and su combination. There are two small problems that combines to this issue.
1. The SELinux policy is screwed up by Samsung. And others?
2. The /dev/pts is mounted wrong by default.
The work-around:
Make sure you're device is already in Enforcing mode, so that you get the proper su prompt (#).
1. Open terminal session 1.
Code:
[SIZE=2]
## On Terminal 1
ssh -2 [email protected] -p 2222
$ su -c /system/bin/sh -i
# su 0 setenforce 0
# umount /dev/pts
# su -cn u:r:init:s0 -c "busybox mount -t devpts -o rw,seclabel,relatime,mode=620,gid=5 devpts /dev/pts"[/SIZE]
2. Now go to Terminal 2 and login:
Code:
[SIZE=2]## On terminal 2
ssh -2 [email protected] -p 2222
$
[/SIZE]
(You now have job-control but no su possibility.)
3. Now go back to Terminal 1 and enable Enforcing mode:
Code:
[SIZE=2]## On Terminal 1
# su 0 setenforce 1
[/SIZE]
4. Now go back to Terminal 2 and escalate to su:
Code:
[SIZE=2]## On terminal 2
$ su -c /system/bin/sh -i
# [/SIZE]
Unfortunately if you exit the su (#) shell, you'll have to repeat steps 2-4 of the procedure.
Hello,
I want to install DNScrypt proxy 1.4 on my android phone. You can get it here : download.dnscrypt.org/dnscrypt-proxy/
Could someone please make a tutorial an tell me how to install this? I want it to work with following DNS server: https://dnscrypt.eu/
It is a great enhancement in security and I would be glad if someone can get it to work and tell us.
Regards
Is nobody interested in this? [emoji20]
Can't believe there is no response. Is no one of the XDA members who looked at this able to install DNScrypt on there phone?
Do you prefer flappy bird clones over such a security enhancement?
Bump again then.
Bump
Another bump for all secureless xda members
XDA members are not able to install a tar.gz package on their android phone? Aww, really guys?!
B u m p
Seriously, no one...?
How to install dnscrypt on android
Requirements:
rooted phone
installed busybox
some handy tools like terminal emulator or ssh daemon for testing purpose, file explorer with acces to system partition
dnscrypt: https://copy.com/M6r38z6g3iyj (thanks to GitHub esp. @daddybr, KionLi...) - files for arm7
About:
We need to run dnscrypt every time phone is booted - for this purpose is necessary to add script "dnscrypt" into "init.d" directory In this script-file you can also change parameters like used resolver/provider etc.
dnscrypt-proxy is main binary file which will provide dnscrypt service for us. There is also script to start/stop dnscrypt-proxy service anytime we need and made some other usefull things for us...
How to:
check if directory "init.d" in /system/etc/ exist - if there is not such directory use program "Universal Init.d" and create it - otherwise follow bellow
extract downloaded files and put it into same directories they are, just to system partition (u can use any file browser with access to system partition, eg. Solid Explorer)
check if there is file "resolv.conf in /system/etc/ directory
- if there is not such file create it and put this into it "nameserver 127.0.0.1"
- if there is such file check if "nameserver 127.0.0.1"and delete else
all files putted in directory /system/xbin/ should have right permission to work correctly
Checking functionality:
Easiest way is to visit "www.opendns.com/welcome"
If it is working you will get something like "Your Internet is safer, faster, and smarter..."
If it is not working you will get something like "OOPS..."
Other way is to run nslookup in terminal emulator and check if you get 127.0.0.1 and name, eg "nslookup 8.8.8.8"
The hardest way is to use wireshark or tcpdump and analyze traffic while browsing on the phone..., eg. http://askubuntu.com/questions/105366/how-to-check-if-dns-is-encrypted
Also you can check if dnscrypt-proxy is running in terminal , eg. "ps w |grep dnscrypt"
DNS setting
Did anyone got this one to work? I did all the steps mentioned but it seems that the resolv.conf is not being checked. I even try with apps to change dns settings (dnset, dnschanger..) it just seems that the dynamic dns assigment takes precedence, it keeps going to the dynamically assigned DNS server when on wifi and LTE. Aside from that I did not have any issues, dnscrypt runs fine with all arguments. I'm trying this on a Verizon Galaxy S5.
<dexter> said:
Did anyone got this one to work? I did all the steps mentioned but it seems that the resolv.conf is not being checked. I even try with apps to change dns settings (dnset, dnschanger..) it just seems that the dynamic dns assigment takes precedence, it keeps going to the dynamically assigned DNS server when on wifi and LTE. Aside from that I did not have any issues, dnscrypt runs fine with all arguments. I'm trying this on a Verizon Galaxy S5.
Click to expand...
Click to collapse
Yes, working here.
Had trouble with afwall though, but this post http://forum.xda-developers.com/showpost.php?p=54263022&postcount=8 helped me.
Script i've used:
Code:
$IPTABLES -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53 || true
$IPTABLES -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53 || true
$IPTABLES -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
$IPTABLES -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
$IPTABLES -A "afwall" --destination "208.67.220.220" -j RETURN
You can restrict the last line to only UDP 443 if you want.
Confirmed packets with tcpdump, blocked UDP 53 at my router.
piscoo said:
Yes, working here.
Had trouble with afwall though, but this post http://forum.xda-developers.com/showpost.php?p=54263022&postcount=8 helped me.
Script i've used:
Code:
$IPTABLES -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53 || true
$IPTABLES -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53 || true
$IPTABLES -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
$IPTABLES -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
$IPTABLES -A "afwall" --destination "208.67.220.220" -j RETURN
You can restrict the last line to only UDP 443 if you want.
Confirmed packets with tcpdump, blocked UDP 53 at my router.
Click to expand...
Click to collapse
Could you please write a small, complete guide for the installation of DNScrypt? I still can't get it to work.
Draygon said:
Could you please write a small, complete guide for the installation of DNScrypt? I still can't get it to work.
Click to expand...
Click to collapse
Flash this zip from recovery. It works
Do you have any source for this?
How can I enter the IP address of the service I want to use?
Draygon said:
How can I enter the IP address of the service I want to use?
Click to expand...
Click to collapse
Edit /etc/init.d/dnscrypt and see here
So you compiled DNScrypt for Android from this source at github?
Draygon said:
So you compiled DNScrypt for Android from this source at github?
Click to expand...
Click to collapse
No. I just flashed zip file and investigated on it
Anyone flash this zip besides the guy who posted it? Can't find much reference to this file name anywhere dnscrypt-5-armv7-opendns.zip
lamero1 said:
No. I just flashed zip file and investigated on it
Click to expand...
Click to collapse
How do you set your phones global DNS setting for any dynamic IPs on any network? I cannot figure out how to point my phone to 127.0.0.1
Draygon said:
So you compiled DNScrypt for Android from this source at github?
Click to expand...
Click to collapse
Assuming you have the Android NDK installed (no idea how to do it under Windows; Cygwin has never been my forte... Under Arch all you need to do is install the packages from the AUR), it's insanely easy to do yourself, thanks to the build scripts in the libsodium and dnscrypt packages.
Code:
export ANDROID_NDK_HOME=${ANDROID_NDK} # Or wherever your NDK dump happens to be residing
mkdir ~/dnsc && pushd ~/dnsc
This part deals with signature verification, used to determine we have not received a tampered-with copy of DNSCrypt. This page is being delivered over unsecured HTTP, so don't necessarily trust what's being written here.
Again: REMEMBER THAT THIS PAGE IS UNSECURE (granted, I imagine a person intending to cause malice would remove these warnings but, hey, it's not like I have alternatives). I'm also not a security expert in the slightest, so it wouldn't be surprising if it transpired I was giving bad advice.
Read http://doc.libsodium.org/installation/README.html for instructions on how to get libsodium's SHA256 hashsum (which you can verify against the file you've got downloaded by running sha256sum) and for the public key used to sign the downloaded files. It can be imported by copying it, pasting it into a Notepad etc. instance, saving it and running gpg --import <whatever.gpg>.
Use your own judgement, other keyservers and Google to determine whether you have jedisct1's real key.
Download dnscrypt's dependency, libsodium:
Code:
curl -O https://download.libsodium.org/libsodium/releases/libsodium-1.0.2.tar.gz -O https://download.libsodium.org/libsodium/releases/libsodium-1.0.2.tar.gz.sig
Verify the file's signature:
Code:
gpg --verify libsodium-1.0.2.tar.gz.sig libsodium-1.0.2.tar.gz
I get the following (the warning can be ignored -- unless you've managed to verify the key with jedisct1 in person):
Code:
gpg: Signature made Tue 10 Feb 2015 10:59:17 AM GMT using RSA key ID 2B6F76DA
gpg: Good signature from "Frank Denis (Jedi/Sector One) <redacted>" [unknown]
gpg: aka "Frank Denis (Jedi/Sector One) <redacted>" [unknown]
gpg: aka "Frank Denis <redacted>" [unknown]
gpg: aka "Frank Denis <redacted>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 54A2 B889 2CC3 D6A5 97B9 2B6C 2106 27AA BA70 9FE1
Subkey fingerprint: 0C79 83A8 FD9A 104C 6231 72CB 62F2 5B59 2B6F 76DA
If everything looks OK, then continue. Conversely, if anything is out of place, then abort. Seriously.
Untar and go to the directory with the libsodium code:
Code:
tar xf libsodium-1.0.2.tar.gz && pushd libsodium-1.0.2
It's not in the tarball yet, so download this into the dist-build folder and chmod 0755 it.
If running into problems, edit aandroid-armv7-a.sh and do the following:
change TARGET_ARCH to arm
set the march value to armv7-a
Start building libsodium:
Code:
./dist-build/android-armv7-a.sh
I get the following dumped:
Code:
[email protected] ~/dnsc/libsodium-1.0.0 % ./dist-build/android-arm.sh
<configure output removed>
libsodium has been installed into /home/faheem/dnsc/libsodium-1.0.0/libsodium-android-arm
./dist-build/android-arm.sh 21.97s user 2.72s system 165% cpu 14.927 total
Note the line saying where libsodium has been installed. Let its value be stored in the environment:
Code:
export SODIUM_ANDROID_PREFIX=<folder where libsodium has been installed, as reported by android-arm.sh>
Consider removing debugging symbols to reduce the size of the file:
Code:
./android-toolchain-arm/arm-linux-androideabi/bin/strip $SODIUM_ANDROID_PREFIX/lib/libsodium.so
I won't repeat what's on the main dnscrypt.org site or, really, what I've already written.
popd back to the ~/dnsc folder and download the latest version of dnscrypt and its signature. Follow the instructions on the website to verify the tarball's SHA256SUM and run gpg like above to verify the tarball against the signature. If everything is OK, untar dnscrypt like we did libsodium.
Run to build:
Code:
./dist-build/android-armv7.sh
If running on Lollipop, make the changes below, as per alihassani:
add -fPIE to the end of the CFLAGS
place export LDFLAGS="-fPIE -pie" under the CFLAGS line
If running into problems running android-armv7.sh, make the applicable changes above again.
After it's been built, you'll get this:
Code:
[email protected] ~/dnsc/dnscrypt-proxy-1.4.1 % SODIUM_ANDROID_PREFIX="$HOME/dnsc/libsodium-1.0.0/libsodium-android-arm/" dist-build/android-armv7.sh
<configure output snipped>
dnscrypt-proxy has been installed into /home/faheem/dnsc/dnscrypt-proxy-1.4.1/dnscrypt-proxy-android-armv7
Again, consider stripping the resulting binary. Transfer, fix permissions etc.
Some notes:
The binary is dynamically linked to libsodium. If installing, you'll need to copy libsodium.so to /system/lib. If you're just testing you can put libsodium.so in the same folder as the dnscrypt-proxy binary and invoke dnscrypt-proxy as such: LD_LIBRARY_PATH=<path to current folder> ./dnscrypt-proxy
The prefix is weirdly set by the android-build script. You'll need to point dnscrypt to the resolver list manually (I recommend putting it somewhere on the system partition as a file on the [internal] SD card is too easy to change): https://github.com/jedisct1/dnscrypt-proxy/issues/123
Hi everyone,
I'm trying to do a Mac Spoof from my Motorola Moto E (Rooted of course!) but I have a problem cause i'm quite sure i'm not succeeding in spoofing!
Well, I installed BusyBox and Terminal Emulator.
Than i go to Terminal Emulator and wrote:
"su" (so I have permission from SUPERSU)
[email protected]_umts : / # busybox ifconfig wlan0 down
[email protected]_umts : / #busybox ifconfig wlan0 hw ether [New Mac]
[email protected]_umts : / #busybox ifconfig wlan0 up
[email protected]_umts : / #
Than the terminal doesn't say anything else.
After that, the wifi from the device doesn't work anymore ( I have to disable and renable the wifi to make it work again) and of course the mac didn't change...... anyone has an idea, need some help, I am new of Android!!!