[Q] [OPINION CHECK] VERY VERY Fundamental FLAW in Secure boot chain -TODO or NOT do - Barnes & Noble Nook Tablet

>>>> 22Jan2012: linboothkvc v1.0 source released in my linboothkvc thread. It works successfully on Omap3 and Omap4 based devices including NookTab. And with minimal changes/love can work with any rooted arm based linux device <<<<
>>>> 17Jan2012: Kernel module SUCCEEDS on NookTab to reboot into NIRVANA - NO NEED to BREAK the default SECURE BOOT CHAIN and NOTE THAT EVEN THIS CAN WORK ON ANY ROOTED DEVICE and not just NT, with minimal love so ENJOY <<<<
>>>> 16Jan2012: My kernel module based path (linboothkvc) to running custom kernels and roms is almost done, except for a __small part__ to get it running on NT now - IF ONLY PEOPLE HAD WAITED ...., we could have reaped the potential benefit in future, Why not !!!! why not ....WHY NOT !?!?. NOTE that it can allow one to run custom kernel/roms WITHOUT MODIFYING ANY CRITICAL PARTITIONS provided one sets it up properly/appropriately. Source for beta version available in my linboothkvc thread, for the interested developers/experimenters for now ... <<<<
>>>> I may not respond to the posts on this thread currently, because I am trying to get an alternate option called linboothkvc using kernel modules up and running (which will occupy my free time), which AVOIDS the NEED for this flaw in the first place for most of the people out there (i.e Custom ROMS with different kernels). However over the weekends, I will go through all the posts on this thread <<<<
>>>> 14Jan2012: Initial pre-alpha version of kernel module path based source code uploaded to my linboothkvc thread for those still interested to experiment
http://forum.xda-developers.com/showthread.php?t=1427610
<<<<
Hi All,
If you have been following my posts over the last few days
NOTE: To people frustrated with UART requirement - I understand the restrictions of UART access, but a lot of ROMS can be done with 2ndihkvc or equivalent methods and without needing a Custom kernel. If someone is talking about Custom/New kernel for Android 4.0 (ICS), then do note my statement (in NOP BYPASS thread) on POWER of KERNEL MODULES in Linux, IT CAN BE USED TO ACHIEVE what you want to achieve, only that it requires bit more effort, which I or someone else has not put currently... that's all. AND THAT By holding off now, we can _potentially_(Risk is always there) reap the benefit with next year's NEXT GEN Nook Tab+ or whatever they call it.
a) I have implemented 2ndihkvc, which follows the same fundamental concept as 2nd-init, but achieves it in a simpler way (Needed because some of the calls used in original 2nd-init don't work on NookTab, or have unnecessary dependencies (in this given context, otherwise they are good in themselves) which can be avoided with my simpler method)
b) I have provided the NOP Bypass method of running a modified Ramdisk and also 90% a modified kernel, provided UART access is there.
c) There is still the power of linux KERNEL MODULES to EXPLOIT. (Haven't had time on that yet).
If you ask me, this should cover all category of people. Be it people who want to run custom Roms, or people who want to experiment with Kernel and or other low level stuff for the fun of it.
There is a 4th method which will allow one to achieve (b) above without requiring UART access or even uSD (potentially). If one reads between the lines from all my posts till date, the answer is hidden in there. Only that I haven't spelt it out directly or in the face. The reason is because it is a fundamental flaw (rather there are potentially two at two different levels - one relatively simple and one relatively bit more involved - One I know for sure, another I have to dig bit more) in the way things are done currently in the secure boot chain on this device as well as potentially other devices with same or similar SOC (and or different SOC but with similar boot chain s/w components).
SHOULD WE BE WASTING it, i.e providing a solution which uses it, when there is already 2ndihkvc and NOP Bypass over UART and also the Linux KERNEL MODULE ROUTE to cater to most people's needs?
Because if we do, then even the Device manufacturers and their partners will come to know about it and can easily fix it in their Newer/NextGen devices. While if we withhold it for now, we may be able to get access to it on their Next generation Devices with hopefully Arm A15 core or .... (NOTE: Depending on the boot sequence ROOT access may or may not be required for this).
The reason I am asking now is because a few people are asking my help on certain things and the reality is I know that the concept for which they want my inputs/guidance can be applied at a more fundamental level here (or even at the same level), but that I have not ventured into it because of my dilemma above.
NOTE: People who wanted my inputs/guidance wrt uSD, you all know who you are, I know the flaw to achieve what you want to achieve, but it is more powerful than what you all are currently thinking of doing/ restricting yourselves to (You all have one input/... in there wrt devices). Unless let me think through further and see if something can be done differently, without exposing the flaw I have in mind to help you achieve what you want, otherwise i.e if there is nothing else I can come up with, and in turn if you people experiment further and are able to come up with the solution on your own, I would suggest that you hold off on it for a few days, think through all the implications keeping in mind what I have mentioned in this thread, and then take a call one way or the other.
Please provide your thoughts on this after thinking through the options already available on NookTab (root access, kernel modules, UART UBoot access and in turn 2ndihkvc and NOP Bypass or equivalents)
Based on all the feedback as well as bit more thinking from my side, I will take a call on this.
Forum moderators I know this is the development portion of the forum, but I wanted feedback from Developers also that is the reason why I have posted here. But beyond that I leave it to you, whether you want this to continue here or move it out.

UART access is not sufficient, as it is required during every reboot of the device if we wanted to have a custom kernel and ROM. This is simply an unacceptable state of affairs. (Say, my tablet turns off while on holiday, or at the airport. What then am I to do? Let it sit and wait until I can get back home to my UART equipment in order to reboot?)
The idea that the UART work around is sufficient is a nice one, however it is wrong.
---
Oh also, it's just a matter of time before they patch the u-boot in the Nook Tablet anyways... so it's not like this UART method is going to stick around forever anyways.

cfoesch said:
UART access is not sufficient, as it is required during every reboot of the device if we wanted to have a custom kernel and ROM. This is simply an unacceptable state of affairs. (Say, my tablet turns off while on holiday, or at the airport. What then am I to do? Let it sit and wait until I can get back home to my UART equipment in order to reboot?)
The idea that the UART work around is sufficient is a nice one, however it is wrong.
---
Oh also, it's just a matter of time before they patch the u-boot in the Nook Tablet anyways... so it's not like this UART method is going to stick around forever anyways.
Hi
I understand the restrictions of UART access, but a lot of ROMS can be done with 2ndihkvc or equivalent methods and without needing a Custom kernel. If someone is talking about Custom/New kernel for Android 4.0 (ICS), then note my statement (in NOP BYPASS thread) on POWER of KERNEL MODULES in Linux, IT CAN BE USED TO ACHIEVE what you want to achieve, only that it requires bit more effort, which I or someone else has not put currently... that's all.
By holding off now, we can potentially reap the benefit with next year's Nook Tab+ or whatever they call it.

I'm not a Developer but I've got a few questions. NOP requires you to open up your device, so I think probably 95% won't open their device for ICS, and I think since the device has a dual core CPU we should get ICS roms. Now my actual question: how does your 2init work, or how do you install it on our device? But great work so far, keep on.
Sent from my SGH-T989

Just out the flaw now. Someone else might reveal it and you won't get the credit.
Don't you want a Wikipedia entry saying that you found this flaw? lol.

PM me about the flaw, I'll see if we should have it outed yet or not (sorry guys, but if it's a decent exploitable flaw and we have other methods, I'm pretty sure I'm with hkvc on it.)

xdahgary said:
Just out the flaw now. Someone else might reveal it and you won't get the credit.
Don't you want a Wikipedia entry saying that you found this flaw? lol.
Not worried for 2 reasons,
a) It doesn't bother me whether my name comes up or not. I am exploring just for the fun of exploring.
AND MORE IMPORTANTLY,
b) Actually I have already revealed the flaw in my NOP Bypass thread, indirectly, if only one reads carefully all my lines as well as between them. Only that I have just replaced one or two of the steps with different steps, that's all for now.
If someone else finds the same flaw, he will realise the same, if he reads my posts once again with his new knowledge.

What an awesome idea, we can have a root for the Nook Tablet+ or whatever else in a years time!
...
So, um... what do I do now with my Nook Tablet? It's a piece of garbage now, I guess, so I'll just return it since it's still within the Holiday return period? I suppose I'll just have to wait for the Nook Tablet+ to have a custom ROM running on my Nook... ("But you can UART hack it!" ... *sigh* I've already explained that that is not sufficient. The UART hack is a stop gap, and should only be stopped at if that is the absolute only option available.)
And I mean no disrespect to xIndirect, but why should he be the lone gatekeeper of what exploits and hacks are out there for the Nook Tablet? I would rather see this exploit before making a decision as well, but I don't think it fair that someone should have privileged access to the exploit. Either release it to everyone or DON'T SAY ANYTHING IN THE FIRST PLACE.

cfoesch, I have no plans to be using the exploit shown for myself. I am not going to be the "lone gatekeeper" I just want to know what it is before I give my full opinion. Chill.

Motorola Defy had a locked bootloader too; maybe try to port and run the Defy bootmenu for Nook Tablet?
source: github.com/CyanogenDefy/android_external_bootmenu

Indirect said:
cfoesch, I have no plans to be using the exploit shown for myself. I am not going to be the "lone gatekeeper" I just want to know what it is before I give my full opinion. Chill.
If you buy a plot of land and the seller has accidentally left seeds there and isn't coming back for them, do you grow a garden on your current plot of land, or do you decide not to plant them and hope that the next time you buy a plot of land they might forget some seeds again?
I would rather tend the garden I own than hope for a better plot of land with seeds I may never have.
Cheers!
-M
XDA member since 2007

Sorry if my post is offtopic, I just want to help with development.
My SE Xperia x10 came with a locked bootloader and devs figured out how to make a bootable recovery (xrecovery) based on CWM; maybe with an adaptation for the NT we can get the world of custom roms. Even with a locked bootloader this crappy phone got custom kernels by bypassing the bootloader. Hope this gives a little light to you guys, the real Developers.
If this post is garbage, mods please delete it.
Sent from my BNTV250 using xda premium

Hello, I believe if there is a software way to get ICS + maybe overclocking it should be tried first as this IS what most people are waiting for. That's the big dream they got. If someone knows how to implement that, then please by all means do so ..
P.S. you said so much about where to look for the flaw in your posts that if I was a programmer from B&N I'd know where to look like everybody else. Assuming they are not complete morons they can already figure it out too. Can they plug the hole or not? Is it an oversight or a permanent design flaw? We'll see. Best way to keep a secret is to "keep it secret", i.e. not talk about it at all. Especially if soft mod ICS, hw acceleration and overclocking are already available.
Sent from my LG-P500 using Much Love

First of all hkvc +1 for your efforts.
I voted yes, the NT developers can read between the lines in your posts as well.

Whats life without risks once in a while
Hi All,
I understand very well that even BN devs will be looking and potentially can figure out and fix it. That is the risk, but at one level I don't mind taking the risk and see if it works out to my/our advantage (i.e the bug being still open in a new device (From BN or any other Vendor)) or disadvantage(the bug is either way fixed).
Also the flaw can affect ANY DEVICE (Not just NOOK TAB) using a similar secure boot chain, that is also one reason why I am bit wary of releasing the info or an implementation which uses it just like that.
I will share my finding with a few people on the forum/outside in a few days' time so that even if I lose interest in this, there will be a few people with the required knowledge (i.e if they haven't already figured it out on their own by then (and released something or not ...)).
Also I haven't taken a final call on this yet. I am in a dilemma, so getting all your opinions also before I decide.
Time permitting I will also attack/explore the KERNEL MODULE PATH in a few days time, so that people don't have to depend on this flaw in the first place, but use the wonderful world of Linux Kernel Modules to achieve what they want.

LexS007 said:
Motorola Defy had a locked bootloader too; maybe try to port and run the Defy bootmenu for Nook Tablet?
source: github.com/CyanogenDefy/android_external_bootmenu
Hi,
With my modified 2nd-init (2ndihkvc), you can run bootmenu or any other user space mechanisms already on NookTab

absolutely YES, we are all xdaers, right hehehe. Thanks all devs especially hkvc for the efforts

hkvc said:
Hi,
With my modified 2nd-init (2ndihkvc), you can run bootmenu or any other user space mechanisms already on NookTab
It's very good. Thanks!!!

First off, not a dev but read religiously.
2nd, release it if the people who would take advantage of it agree. The rest of us say "great, woohoo!" But I must admit, I can't take advantage of it. But I certainly don't want to make a hardware UART to boot custom roms.
That being said, if it's more complicated to install with a different method, that's fine. As long as it doesn't include a soldering iron.
But if it were easier to make a custom rom, or open up more capabilities of the kernel or what have you, well that would attract more developers to make roms, etc. and so on and so forth.
Btw. Yes, the exploit may exist if outed in a later tablet, but you found this one.... I have faith the next flaw will be found in the next one too.
A bird in the hand is worth two in the bush.
Posted from my B&N Nook Tablet... rooted of course!

jotekman said:
A bird in the hand is worth two in the bush.
I would say this summarizes everything I want to say on the topic.

Related

[Q] PS Groove

Hi,
Would like to know if there is plans on PS Groove development for Xperia x10. I think many people would appreciate this.
Thanks and good work btw on the bootloader so far.
Hey have a look at this link ;-)
PSGroove being ported to Android Devices!
Sony will have it patched before it gets done, so it's going to be quickly irrelevant anyways.
Do you know that for a fact or is it just one of your many assumptions...
Cuz last i heard from the "hacker" team that made the psjailbreak code that not even them are too sure on any of the sides, nobody actually knows.
And cuz the ps3 is open to homebrew, what's the difficulty of patching the update string? I mean they already have made "stealth gaming" possible by editing certain files...
And the ps3 has a HUGE game library that personally for me just thats enough cuz i almost never play online on it.
I bought an AVR chip with PSGroove support so to speak. I will have it on Monday, but if i knew it would be developed for Android i wouldn't have bought it.
So believe me, not too many ppl care "if" Sony patches it... And even if they do, the exploit cannot be patched, it's a lot like the iPhone Jailbreak.
Let the Cat&Mouse game begin...
This project tickles the very core of my geekdom. Not so much because it opens up the PS3 for piracy but because it's a completely insane yet feasible and even kinda logical concept.
Emulating an 8 MHz Atmel on the Snapdragon? Very doable.
Proper hardware access to the USB port? With rooted phone, you have it.
So theoretically it's possible and if it comes to fruition we'll be able to "root" the PS3 by hooking up our cellphones to it and running some software. I don't know about you guys but for me that would be a serious contender for the "Epic hack of the year" award.
ddewbofh said:
"Epic hack of the year" award.
Of the century i would say great moment in hacking history.
http://netzke.blogspot.com/
This guy is the closest to actually having something... Hope it works, so i can feel stupid for buying a USB Dev Kit ;-)
PSFreedom was released for N900 :
http://kakaroto.homelinux.net/2010/...k-ps3-with-n900-worked-finished-and-released/
KaKaRoTo said that the driver can be adapted to the others devices :
KaKaRoTo said:
By writing this exploit as a standard linux driver, this means that my module can be used on any other linux-enabled devices.. this means not only the N900, but also the 770, N800, N810, Android phones and future Meego devices. It might need a little porting for some devices though, but it should still work…
If someone can work on the X10's port
any devs willing to give it a shot?
Sent from my X10i using XDA App
brat81 said:
any devs willing to give it a shot?
Sent from my X10i using XDA App
I'm looking at what parts need to be modified and if porting it is even possible to begin with. Both Maemo and Android run Linux kernels but that's about it as far as similarities go. Even though it's a separate kernel module it needs to have certain options built into the kernel. If those bits aren't there we're SOL.
Update: The configuration file for the stock kernel indicates that the USB chipset supports HCD (Host Controller Driver) mode at least.
ddewbofh said:
I'm looking at what parts need to be modified and if porting it is even possible to begin with. Both Maemo and Android run Linux kernels but that's about it as far as similarities go. Even though it's a separate kernel module it needs to have certain options built into the kernel. If those bits aren't there we're SOL.
Update: The configuration file for the stock kernel indicates that the USB chipset supports HCD (Host Controller Driver) mode at least.
if you can figure this out, i would donate or send a reward. I might pay up 25$ for this.. the convenience of just using my phone when i go somewhere to hack a buddy's PS3 would be awesome.
JQE said:
if you can figure this out, i would donate or send a reward. I might pay up 25$ for this.. the convenience of just using my phone when i go somewhere to hack a buddy's PS3 would be awesome.
*meh* Screw donations, the hacking itself is reward enough.
Source code is @ http://github.com/kakaroto/PSFreedom
also taken from the blog
Q: What do I need to use PSFreedom on my N900 ?
A: First, you need a N900 (duh) and a PS3 (duh) with firmware 3.41. The N900 should be running the stock kernel (-omap1) not a modified kernel. Then you just need to scp the files to the N900 and run the -enable script.
Q: How much of the source is Nokia N900 specific? Are you using the Linux USB Gadgets library?
A: Very little is N900 specific, I’m using the include/linux/gadget.h if that’s what you mean. See next Q/A for more info.
Q: How hard is it to port it to a new device ?
A: Well, I’ve just separated my code from the N900 specific stuff, so it’s quite easy, there are mainly two functions to write, one to get and one to set the USB address.. two other functions that only return some static result depending on the configuration of the controller (the name of the endpoints, and whether the controller supports high speed or full speed mode).
Read the README file provided with PSFreedom, and check the psfreedom_machine.c file for specifics on what to implement.
Q: How can I port it to a new device?
A: Well, first, you need to figure out what controller your device uses, in the case of the N900, it’s ‘musb’..
Then go to the driver code for that controller (probably in drivers/usb/gadget) and look for ‘SET_ADDRESS’. In the case of musb, it was in drivers/usb/musb/musb_gadget_ep0.c. In there it was setting the address to the USB device, so just copy that code into the psfreedom_machine.c to allow setting the address, and add a similar function to be able to retrieve the address.
Then add a function to return 0 or 1 depending on whether the controller supports HIGH, FULL or LOW speed mode (go to usb_gadget_register_driver for your controller, and in the first lines, it should validate the speed argument, it will tell you which ones are acceptable), set LOW speed mode to return TRUE only if FULL speed isn’t available .
Finally, add a function to return the endpoint names.. it will usually be something like ‘epXin’ and ‘epXout’ (where X is the endpoint number), or “epXin-bulk”, etc.. look at how the driver initializes its endpoints or grep for “->name” in the file to find where it sets it…
That should be enough!
Ok this is it for now with the FAQ. Next time, I’ll tell you all about my experience, what problems I encountered and how I fixed them, maybe it will help others!
Enjoy it!
KaKaRoTo
hope it helps
mean while over @ http://netzke.blogspot.com/
There doesn't seem to be much development happening. I've put my name down for beta testing but who knows if i get in.
Maybe if there's someone working on the netzke team build they could let us know some info.
Time for a quick update on my research.
From what I can find out about the X10 through config-files and /proc it looks like it uses the msm72k driver. By comparing that with the musb driver and looking at how PSFreedom uses musb it doesn't look impossible to get it running with the msm72k driver.
Right now I'm looking at how to get/set the device address and endpoint. Getting the endpoint name is pretty straight-forward but getting the physical address needed is slightly trickier. But I'll keep hammering away on it.
Warning: My attention-span is really short so odds are I'll keep working on this in bursts. So while there's a big chance I'll get it working soonish you shouldn't hold your breath.
Cool hope to see a update when i wake up thanks very much for your time.
I have a confirmed spot in the beta testing for the android port by netzke. I can let everyone know what it's like when it is released to beta testers.
Sent from my X10i using XDA App
Findee said:
I have a confirmed spot in the beta testing for the android port by netzke. I can let everyone know what it's like when it is released to beta testers.
Sent from my X10i using XDA App
Don't get your hopes up, the project is a textbook example of a scam.
It bugs me that he's raking in cash with nothing to show for it while others (like myself) are doing 12+ hour hackruns. :/
Well I haven't spent 12 hours coding, most of the time has been spent working on circumventing the limitations of the stock kernel and figuring out the hardware.
ddewbofh said:
Don't get your hopes up, the project is a textbook example of a scam.
It bugs me that he's raking in cash with nothing to show for it while others (like myself) are doing 12+ hour hackruns. :/
Well I haven't spent 12 hours coding, most of the time has been spent working on circumventing the limitations of the stock kernel and figuring out the hardware.
if there is anything i can do to help let me know. I have a bit of experience with stuff, but not much with android.
ddewbofh said:
Don't get your hopes up, the project is a textbook example of a scam.
It bugs me that he's raking in cash with nothing to show for it while others (like myself) are doing 12+ hour hackruns. :/
Well I haven't spent 12 hours coding, most of the time has been spent working on circumventing the limitations of the stock kernel and figuring out the hardware.
it does get that kinda vibe but i guess i always give people the benefit of the doubt. i haven't sent over any cash to him. I feel he has got enough; $15 to get in the beta is quite a sting and with 100 odd people signed up he sure has enough cash
Sent from my X10i using XDA App
http://forum.xda-developers.com/showpost.php?p=8006931&postcount=142

Malware in Custom Roms?

DISCLAIMER:
This is totally academic, and I only pose the question as that of mere curiosity.
In no way do I mean to accuse any developer here or elsewhere of intentionally or otherwise installing malicious software in our ROMs. Not trying to start a flame war or anything.
What is the possibility that a rogue ROM creator would or could install malicious content on one of our devices? What kind of things would we look for to indicate that our device may be compromised? Perhaps packet sniffing for the extra paranoid.
I am the type that, when I see something that doesn't look normal, I question it. That said, I am a very experienced Linux, *BSD, and Solaris administrator; but my experience with Android is just blooming. So I might not know where to look in the Android filesystem, or know which processes may be irregular.
I did some Googling but haven't found anything to indicate this has happened before (thank God). Are there self-checks in Android to prevent this from happening? Call me paranoid, but I just like to know what's going on.
Do the "anti-virus" softwares in the App market actually help with this?
Again just curious. I heard about some apps on the Market that Google had to remotely erase. And I believe I am correct in understanding that Google isn't as restrictive with its applications as Apple.
Any takes on this?
Antivirus and Task killers all that are garbage and slow your phone down. You won't have to worry about that happening on this site.
It depends if he/she is an asshole...
The first "viruses" for android were because people were downloading paid apps on the internet, from some site in china, that had viruses put into those apps that people were downloading.
Just dont get on the bad side of a dev.
adrynalyne said:
Just dont get on the bad side of a dev.
LOL! I'll make sure not to do that!
I know that task-killers are BS. I figured the anti-virus was a gimmick, too. As far as for self-replicating viruses on the phones I doubt that will occur.
I'm more worried about malware in the form of a sleeper-trojan that calls home with my personal phone information, or gets added to some jack-asses botnet for DDoSing.
That was a worry of mine when I first came to this site, but the devs I download from I find quite professional. I have since just started to dig into roms trying to port them to the tb, and compare the contents and begin to see what is normally packed in the zip. I have never found a dev on this site attempt to introduce malware. I have seen some intro warz but the site immediately banned them. The site has banned devs for not giving credit where credit is due, and opening multiple accounts in a way to circumvent the system.
This site is great for all, and they do their best to keep everyone honest.
I've been here and ppcgeeks for nearly 3 and 1/2 years, both with winmo and android, and I have never had an issue. It seems that these sites really do the best they can to catch things before they happen. Personally, I can't say enough about our devs. They're great, and they do a good bit of work for people who are honestly not thankful enough to them. I personally don't think you will ever have an issue, as I haven't. And I download tons of stuff from here and other places.
I think everyone is missing the OP's point. OP isn't asking if it's happening now or whether it's happening here.
Instead, the question concerns whether or not it's physically possible for malicious code to get executed after installing a custom ROM and/or kernel, assuming the developer of that ROM or Kernel was inclined to put some in there. Assuming it *is* possible, which I certainly believe it is, what if anything can be done by an experienced *NIX administrator to be aware of it?
Is your only option to 'trust' the developer of the ROM or Kernel, or are there things we can do with a running android system to know how well the live code is behaving?
I've always been curious of this myself. I am no advanced Linux administrator (yet), just an aspiring IT student. I would think the best people to ask would be the developers themselves, though.
funkybside said:
I think everyone is missing the OP's point. OP isn't asking if it's happening now or whether it's happening here.
Instead, the question concerns whether or not it's physically possible for malicious code to get executed after installing a custom ROM and/or kernel, assuming the developer of that ROM or Kernel was inclined to put some in there. Assuming it *is* possible, which I certainly believe it is, what if anything can be done by an experienced *NIX administrator to be aware of it?
Is your only option to 'trust' the developer of the ROM or Kernel, or are there things we can do with a running android system to know how well the live code is behaving?
No one is missing the point, the op asked if it can happen in roms/kernels/etc. Roms/kernels/etc for the phone are distributed here, therefore he is asking if it can happen here or anywhere that devs create these things for our phones.
BTW an experienced Linux admin should already know how to check for these things
Actually I believe it has happened at least twice. Once by accident, and once there may have been malicious code put into a rom that was set as bait for code thieves.
The first one was stupid, an update agent was left in the rom, and an update got pushed that loaded the phone browser to a certain site (it was not a bad site either). This affected a VERY minor few, as you had to have a certain version of a rom, and have rebooted over a very specific point in time.
The latter I will not go into as I do not know the specifics, or the validity of any of what happened.
g00s3y said:
No one is missing the point, the op asked if it can happen in roms/kernels/etc. Roms/kernels/etc for the phone are distributed here, therefore he is asking if it can happen here or anywhere that devs create these things for our phones.
BTW an experienced Linux admin should already know how to check for these things
Sorry if my post offended you and no disrespect intended, but I think you are mistaken. The question of whether or not something "can happen" is fundamentally different from the question of whether or not anyone is actually doing it. Also, saying that any "experienced Linux admin should already know how to check for these things" is in poor taste; it's a personal attack that adds no value to the discussion. The idea here is to address the OP's question as a purely academic thought experiment; there is no implicit reference to the morality of the developers here...
Perhaps we should ask the same question in a different way:
If a net-sec researcher working at SANS wanted to test exploitation vectors against their own personal HTC Thunderbolt, is it physically possible for them to build a custom ROM and/or Kernel such that this custom module includes malicious code that executes automatically after being installed on the device?
I'd be highly surprised if anyone claims the answer is no. If the kernel itself is custom, anything the hardware can do is fair game...
Concerning the question of how to know if anything is happening, since we're talking about the firmware itself, it would be difficult to do anything in userspace with confidence. To be really sure, you'd likely need to sniff traffic (both mobile and wifi) as well as physically monitor the hardware's debug output (and perhaps even the circuit traces themselves). With a compromised kernel, you can't trust anything running through the operating system's APIs.
It's very doubtful that any reputable developer on XDA would do this. Impossible? No. But XDA is the kind of place where something like this would be discovered very quickly and spread like wildfire.
Now, some unknown developer, on a random website? While I haven't come across this yet, I'd say: More likely.
The question isn't concerning the likelihood of it occurring on XDA or elsewhere, it's specifically about whether or not it is technically possible to do it.
I think we can infer from everyone who is answering the unrelated question, i.e. Is it happening on XDA or anywhere else?, that yes, it is possible to insert malicious code into a ROM or kernel.
funkybside said:
The question isn't concerning the likelihood of it occurring on XDA or elsewhere, it's specifically about whether or not it is technically possible to do it.
I think we can infer from everyone who is answering the unrelated question, i.e. Is it happening on XDA or anywhere else?, that yes, it is possible to insert malicious code into a ROM or kernel.
I think you are right. As long as there is superuser access, then basically anyone with su can pretty much do anything to your phone.
At least that's my take on it.
I'm new to android in general and XDA in particular, so please forgive my ignorance (and yes I will try searching), but this makes me wonder: Do the established developers of custom ROMs and Kernels release their source code? I'd imagine the same terms of the GPL that require HTC to release their source would also require anyone building custom Kernels to do the same. Is this also true for ROMs?
I am an experienced *NIX administrator, and that's what makes me so paranoid. This kernel source isn't coming from a CVS tree that is being scrutinized by hundreds of developers, at least not to my knowledge.
I know how code can be injected into a kernel, into a module, pretty much anywhere. Should I run a diff on the kernel source tree to see what was changed? Could do that, but that may be time consuming. I've seen innocuous kernel modules altered to allow a gateway for elevating to UID 0 (and in fact, more often in Linux than in others.)
I'm pretty confident that the folks here on XDA aren't doing anything malicious: the following of these ROMs are too popular and very fluid, and I would expect something malicious to be found quickly.
Again this is just purely academic.
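The post above asks whether diffing a custom ROM's kernel source against the vendor tree is a practical way to see what changed. The program below is an added example for this thread (not code from any poster, and not part of any ROM project): it hashes every source file in two trees with SHA-256, ignores VCS metadata and build artifacts, and reports the paths that were added, removed or changed, so that a reviewer can spend their time on `diff -u` of exactly those files. The two trees it builds in a temp directory (a "vendor" drop and a "custom" tree with one tweaked driver, one new module, one dropped file and a stray `.o`) are constructed sample input; in real use you would pass the paths of the vendor tarball and the ROM's published kernel source to `DiffTrees` instead.

```go
// Added example, not code from this thread: list added/removed/changed files
// between a reference kernel tree and a candidate (custom ROM) kernel tree.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Directories and suffixes that legitimately differ between two checkouts.
var ignoredDirs = map[string]bool{".git": true, ".svn": true, "CVS": true}
var ignoredSuffixes = []string{".o", ".ko", ".cmd", ".mod.c", ".a"}

type TreeDiff struct{ Added, Removed, Changed []string }

func fileDigest(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:]), nil
}

// treeDigests maps each slash-separated relative path under root to its digest.
func treeDigests(root string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			if ignoredDirs[d.Name()] {
				return filepath.SkipDir
			}
			return nil
		}
		for _, s := range ignoredSuffixes {
			if strings.HasSuffix(d.Name(), s) {
				return nil // build artifact, not source
			}
		}
		sum, err := fileDigest(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		out[filepath.ToSlash(rel)] = sum
		return nil
	})
	return out, err
}

// DiffTrees reports what candidate adds, removes or changes relative to reference.
func DiffTrees(reference, candidate string) (TreeDiff, error) {
	ref, err := treeDigests(reference)
	if err != nil {
		return TreeDiff{}, err
	}
	cand, err := treeDigests(candidate)
	if err != nil {
		return TreeDiff{}, err
	}
	var d TreeDiff
	for p, sum := range cand {
		if rsum, ok := ref[p]; !ok {
			d.Added = append(d.Added, p)
		} else if rsum != sum {
			d.Changed = append(d.Changed, p)
		}
	}
	for p := range ref {
		if _, ok := cand[p]; !ok {
			d.Removed = append(d.Removed, p)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	sort.Strings(d.Changed)
	return d, nil
}

// BuildSampleTrees writes two tiny constructed trees (vendor and custom) to a
// temp dir so the example runs offline; returns their paths.
func BuildSampleTrees() (ref, cand string, err error) {
	base, err := os.MkdirTemp("", "ktree")
	if err != nil {
		return "", "", err
	}
	ref, cand = filepath.Join(base, "vendor"), filepath.Join(base, "custom")
	write := func(root, rel, data string) error {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if e := os.MkdirAll(filepath.Dir(p), 0o755); e != nil {
			return e
		}
		return os.WriteFile(p, []byte(data), 0o644)
	}
	common := map[string]string{
		"Makefile":           "obj-y += init/ drivers/\n",
		"init/main.c":        "int main(void) { return 0; }\n",
		"drivers/net/wifi.c": "/* vendor wifi driver */\n",
		"drivers/misc/old.c": "/* present only in the vendor tree */\n",
	}
	for _, root := range []string{ref, cand} {
		for rel, data := range common {
			if err = write(root, rel, data); err != nil {
				return "", "", err
			}
		}
	}
	// The custom tree: one modified driver, one new module, one dropped file,
	// and a leftover object file that the scan must ignore.
	if err = write(cand, "drivers/net/wifi.c", "/* vendor wifi driver */\n/* custom: power-save tweak */\n"); err != nil {
		return "", "", err
	}
	if err = write(cand, "drivers/misc/extra.c", "/* new module */\n"); err != nil {
		return "", "", err
	}
	if err = write(cand, "drivers/net/wifi.o", "\x7fELF"); err != nil {
		return "", "", err
	}
	err = os.Remove(filepath.Join(cand, "drivers", "misc", "old.c"))
	return ref, cand, err
}

func main() {
	ref, cand, err := BuildSampleTrees()
	if err != nil {
		panic(err)
	}
	d, err := DiffTrees(ref, cand)
	if err != nil {
		panic(err)
	}
	fmt.Printf("added:   %v\nremoved: %v\nchanged: %v\n", d.Added, d.Removed, d.Changed)
}
```

A changed file list is only the first step: a kernel can also be altered through the build configuration and through out-of-tree modules loaded at boot, so the `.config` and the `init` scripts of the ROM belong in the same review, and the comparison is only meaningful if the vendor tree you compare against is the exact version the ROM claims to be based on.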
nerozehl said:
I am an experienced *NIX administrator, and that's what makes me so paranoid. This kernel source isn't coming from a CVS tree that is being scrutinized by hundreds of developers, at least not to my knowledge.
I know how code can be injected into a kernel, into a module, pretty much anywhere. Should I run a diff on the kernel source tree to see what was changed? Could do that, but that may be time consuming. I've seen innocuous kernel modules altered to allow a gateway for elevating to UID 0 (and in fact, more often in Linux than in others.)
I'm pretty confident that the folks here on XDA aren't doing anything malicious: the following of these ROMs are too popular and very fluid, and I would expect something malicious to be found quickly.
Again this is just purely academic.
Agreed that the likelihood of stuff here being questionable is low, but the simple fact that there is a non-zero risk certainly makes me think a little bit. You summed it up well and the examples are spot on - this is why I immediately wondered if developers here are publishing the source code on their customized versions. Ignoring the GPL angle, it's just good to know it's out there if it is, and by the same token, also good to know if it's not out there.
I have another question to add. I love miui, and to my understanding miui is made by Chinese developers and it is not open source, it is just translated and ported to our devices. If it is not open source, is there anyway to know for sure?
I am a little bit wary of the security, although I love the rom. I trust all of the credible devs on xda, however I don't know anything about the Chinese devs developing miui. Would the devs porting miui be able to see the malware if it isn't open source?
Sent from my ADR6400L using XDA App
It is definitely possible. I read a paper a while back that I've been referencing in my own research where some researchers compiled some kernel modules to do malicious tasks in the background without knowledge of the user, mind you this was on an open source linux based phone system similar to android. Basically compiled-in root kits, which replacing your kernel/rom w/ a community developed system would result in possibilities of this occurring. The primary solution to preventing these things from ending up on your phone as well as keeping the Trojans and other malware on the android market come down to the same thing: knowing your publisher and being careful what permissions you allow. Like stick to kernels/roms from reputable developers on XDA, and make sure your "movie player" doesn't have access to your SMS system and you'll be fine
Mind you my own research currently is in detection of malware/malicious code & anomalous behavior. As well as hopefully prevention techniques eventually.

[SOLVED] Native linux on Android?

Sorry first off I'm not sure if this is the right forum. Was thinking developers but there was an ominous warning at the top of that one so I decided not to take the chance.
The question is can Linux be installed on an Android based device natively? I'm aware of chroot environments and have done those. I also found this http://forum.xda-developers.com/showthread.php?t=981688 which is slightly cooler but it's still an AUFS based chroot mount. I found the same question asked here http://forum.xda-developers.com/showthread.php?t=1272964 but there was no answer and I didn't want to zombie the thread. Google searches didn't turn up anything useful either.
While I'm thinking the question is fairly device agnostic my device is a Droid 2 Global. I'm getting ready to replace it soon but I'm thinking it might make a nice little embedded system. From what I've read about my device in particular it's got some type of "lock" that disallows the use of other kernels but I am not afraid of recompiling the kernel for my device with additional needed modules for file systems or whatever. I have done this in the past.
I'm not super picky on the distro, but given a choice I guess I'd go with Debian (hardly ever changes so I can just check for security updates once a week or so and otherwise forget about it).
I wouldn't expect anyone to be able to answer this directly as I'm sure it'd be a novel. I'm more hoping someone might have a link to a guide or something that I just completely failed to locate.
So I kept digging and I found this: http www dot htc-linux.org forwardslash wiki forwardslash index.php. As the link suggests it's focused towards HTC devices but between it and some other links on there I think I can work with it.
I'll mark the thread as [SOLVED], but since it ended up being fairly useless (sorry) go ahead and delete if it amuses you to do so, any passing admin.
Ubuntu is coming out with an official version for Android soon.
Sent from my ADR6425LVW
I Am Marino said:
Ubuntu is coming out with an official version for Android soon.
Sent from my ADR6425LVW
This is probably your best answer. The Ubuntu build that runs on top of Android for webtop/lapdock purposes is running from the same kernel as Android is according to what I've heard. They will be providing the source so we'll see what the community can do with it.
It is possible on some Android devices, such as the Transformer and Desire.
But the Droid 2 Global, having a locked bootloader and the inability to install custom kernels, is not able to use native Linux.
If you want an Android device that is able to use native Linux do some research to find the one that fits you best.
Sent from my DROIDX using Tapatalk
have you seen this? interesting reading...
http://whiteboard.ping.se/Android/Debian
Itbelikedat said:
have you seen this? interesting reading...
http://whiteboard.ping.se/Android/Debian
I tried it a short time ago. Everything works but zygote and its forks fail to start, perhaps due to the mount namespaces implementation on Android, but I'm not sure. Seeking a way out for this but not successful so far due to lack of knowledge.

[Q] Custom ROM for LG Optimus Vu (P895)

Hi everyone
I have an LG Optimus Vu device and due to LG's tremendous support for this phone, the operating system is still ICS and the kernel version is 2.6.39 (even the I/O scheduler for this phone is set to noop, and there aren't any alternatives :| ). It could all be well and good if there weren't hundreds of crashes appearing every day about different applications, which is driving me crazy. I've searched and searched and it seems that there are no custom ROMs for this phone, nor is there any custom recovery application. I could barely find an application to root this phone.
To get to the point: I'm considering making a custom ROM for this phone, but I am a noob at this kind of stuff.
I have the kernel source and the original ROM zip file. Since the original OS version is 4.0.4, is it possible to bring the required proprietary drivers from the original and use it in a newer Android version like 4.4.x?
Can I use Google's recent Tegra 3 kernel (3.10) and port those LG specific drivers from the older kernel?
Am I even starting this process in the correct way?
Any help is appreciated.
set-0 said:
Hi everyone
I have an LG Optimus Vu device and due to LG's tremendous support for this phone, the operating system is still ICS and the kernel version is 2.6.39 (even the I/O scheduler for this phone is set to noop, and there aren't any alternatives :| ). It could all be well and good if there weren't hundreds of crashes appearing every day about different applications, which is driving me crazy. I've searched and searched and it seems that there are no custom ROMs for this phone, nor is there any custom recovery application. I could barely find an application to root this phone.
To get to the point: I'm considering making a custom ROM for this phone, but I am a noob at this kind of stuff.
I have the kernel source and the original ROM zip file. Since the original OS version is 4.0.4, is it possible to bring the required proprietary drivers from the original and use it in a newer Android version like 4.4.x?
Can I use Google's recent Tegra 3 kernel (3.10) and port those LG specific drivers from the older kernel?
Am I even starting this process in the correct way?
Any help is appreciated.
Hate to be the bearer of bad news, but you're pretty much stuck. LG has locked the bootloader on it and has said they have no plans on unlocking it. Since the phone is around a year and a half old or older, I'd imagine they aren't going to change their minds all of a sudden for the relatively small amount of people still using the phone.
http://forum.xda-developers.com/showthread.php?t=2055272 - discussion about your phone here
FYI
What is a bootloader?
The bootloader is the first thing that starts up when a phone is turned on. At its most basic level, a bootloader is the low-level software on your phone that keeps you from breaking it. It is used to check and verify the software running on your phone before it loads. Think of it like a security guard scanning all the code to make sure everything is in order. If you were to try to load software onto the phone that was not properly signed by the device vendor, the bootloader would detect that and refuse to install it on the device.
When we speak about locked bootloaders, the context is often used to give meaning to the term “locked.” Almost all phones ship from the factory with locked bootloaders, but some are encrypted as well. It is this encryption that most reports are referring to when using the term “locked.” If a bootloader is encrypted, users can’t unlock it to load custom software of any sort. The device will be restricted to running software ROMs provided by the manufacturer.
Now, there are ways to unlock or circumvent bootloaders in special situations, but with ones that have no dev support like yours, it's pretty much a lost cause and most likely way beyond your capabilities to figure out without spending 100s of hours of learning about Android stuff. This is not a knock on you or anything of the sort, but it is what it is. It is a very difficult thing to figure out encrypted bootloaders even for the most experienced android developers and hackers and depending on how they are encrypted, there just might not be a way (ask the older Moto phones, especially from VZW).
es0tericcha0s said:
Hate to be the bearer of bad news, but you're pretty much stuck. LG has locked the bootloader on it and has said they have no plans on unlocking it. Since the phone is around a year and a half old or older, I'd imagine they aren't going to change their minds all of a sudden for the relatively small amount of people still using the phone.
...
Now, there are ways to unlock or circumvent bootloaders in special situations, but with ones that have no dev support like yours, it's pretty much a lost cause and most likely way beyond your capabilities to figure out without spending 100s of hours of learning about Android stuff. This is not a knock on you or anything of the sort, but it is what it is. It is a very difficult thing to figure out encrypted bootloaders even for the most experienced android developers and hackers and depending on how they are encrypted, there just might not be a way (ask the older Moto phones, especially from VZW).
Two thumbs up for the detailed reply.
Shame really. The phone was released in November 2012 but there wasn't a single OS update...
I guess I would have to give up on that, but I'm interested in system level developments for both Android and desktop systems. Any idea where to start?
set-0 said:
Two thumbs up for the detailed reply.
Shame really. The phone was released in November 2012 but there wasn't a single OS update...
I guess I would have to give up on that, but I'm interested in system level developments for both Android and desktop systems. Any idea where to start?
Yea, it does suck. That's one of the downfalls to making 8 million different phones. You have no incentive ($$$), no interest, and no manpower to be able to update them all in a reasonable fashion. But it's not like LG is alone. All of the manufacturers have had decent phones just...disappear in regards to updates or anything of the sort.
As far as getting started, there is a ton of info right here on XDA:
http://xda-university.com/
Modify hashes?
Hi!
Sorry for digging out a dead thread, but for the p895 probably all threads are more or less dead...
I wonder if it is really necessary to decrypt the bootloader. Since it must be able to boot different versions of the stock roms, it would probably only calculate a hash value of some files and compare that to a value stored elsewhere.
By comparing different versions of stock roms it might be possible to get some information about what files are hashed. If it is a standard hash algorithm and the comparison value the bootloader uses is stored in plain text (hope....!) there might be an attack vector in comparing several known plain texts.
I also noticed that the p895 has a "software integrity check" in the hidden menu that shows hash values for some (a lot) of files. These hash values are likely already calculated when entering that menu option (I am pretty certain because they show immediately), so they might belong to the files checked at boot time and also hint at the hash algorithm used.
The idea is to calculate a hash value for the custom rom and put it in the appropriate place so the bootloader thinks of the rom as an update.
These are just vague ideas, but I have no intention whatsoever to buy a new phone anytime soon and I guess I could as well spend "some" time tinkering and learning the tech details...
thank you!
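The bootloader description earlier in this thread ("software that was not properly signed by the device vendor" is refused) and the "Modify hashes?" post above describe two different integrity checks, and the difference between them is the whole point. The program below is an added example for this thread, not code from LG, from any poster, or from any real bootloader, and nothing in the thread says which mechanism the P895 actually uses: it models a hash-only check (`VerifyHashManifest`, a digest stored in rewritable storage beside the image) next to a signature check (`VerifySigned`, a digest signed with a vendor private key and verified against a public key that ships with the bootloader). The names `Manifest`, `Scenario`, the Ed25519 choice, the key pair and the image bytes are all constructed for the example. It shows why a stored plaintext hash only protects against accidental corruption, while a signature cannot be regenerated on the device because the private key never leaves the vendor.

```go
// Added example, not code from this thread or any vendor: a model of a
// hash-only boot integrity check beside a signature-based one.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Manifest models the "compare value" a hash-only bootloader keeps in
// rewritable flash next to the image it checks (constructed, hypothetical).
type Manifest struct {
	ImageDigest [32]byte
}

// VerifyHashManifest is the weak check: the image matches the stored digest.
// Anyone who can rewrite the image can rewrite the digest, so this detects
// corruption, not substitution.
func VerifyHashManifest(image []byte, m Manifest) bool {
	return sha256.Sum256(image) == m.ImageDigest
}

// SignImage is the vendor side: done once, offline, with the private key.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	d := sha256.Sum256(image)
	return ed25519.Sign(priv, d[:])
}

// VerifySigned is the strong check: the bootloader holds only the public key
// (in a real device burnt into ROM or fuses) and verifies the stored signature.
func VerifySigned(pub ed25519.PublicKey, image, sig []byte) bool {
	d := sha256.Sum256(image)
	return ed25519.Verify(pub, d[:], sig)
}

// Scenario runs both checks against an image that was modified and whose
// accompanying metadata was regenerated in place. It returns:
//   hashOnlyAcceptsModified, signedAcceptsModified, signedAcceptsOriginal.
func Scenario() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	original := []byte("constructed boot image v1.0") // constructed sample
	manifest := Manifest{ImageDigest: sha256.Sum256(original)}
	sig := SignImage(priv, original)

	modified := bytes.Replace(original, []byte("v1.0"), []byte("v1.1-custom"), 1)

	// Hash-only: the regenerated manifest is all the check has, so it passes.
	regenerated := Manifest{ImageDigest: sha256.Sum256(modified)}
	hashOnly := VerifyHashManifest(modified, regenerated)
	_ = manifest // the original manifest is simply overwritten in this model

	// Signed: the stored signature no longer matches the modified image, and a
	// new one cannot be produced on the device because priv never left the vendor.
	signedModified := VerifySigned(pub, modified, sig)
	signedOriginal := VerifySigned(pub, original, sig)
	return hashOnly, signedModified, signedOriginal
}

func main() {
	h, sm, so := Scenario()
	fmt.Printf("hash-only check accepts re-hashed modified image: %v\n", h)
	fmt.Printf("signature check accepts modified image:          %v\n", sm)
	fmt.Printf("signature check accepts original image:          %v\n", so)
}
```

The practical reading for a device owner is the one the thread already reaches: if the vendor anchored verification in a key rather than a stored hash, the "software integrity check" values in the hidden menu are just a diagnostic and the decision to refuse unsigned images rests on a key the owner does not have, which is why locked bootloaders without an official unlock path stay locked regardless of how much about the hashing is learned.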

[Q] help getting back to stock

I'm currently running an 8.9" HDX with a working AOSP - thanks to all the help I got on this forum and specifically followed this thread:
http://forum.xda-developers.com/showthread.php?t=2582773
but the main applications that I now need to use for work are iOS only (don't ask... NOT happy) so I'm back to carrying an iPad around everywhere and as such I'm going to sell my HDX. Before I do that I need to return it back to stock... I found a number of threads referencing how to do this but wanted to be extra careful. At present I'm just running Safestrap with a second ROM slot that I boot with all the non-standard stuff, I got there via SuperSU.
What's the right sequence of de-activates / un-installs / magic incantations to get this thing back to "boring, stock" just like it would come from Amazon? Is it as simple as re-enabling over-the-air updates and letting it "fix" itself? Or do I need to specifically back out some of the safestrap/superSU stuff first?
Help? (and THANKS)
ljwobker said:
I'm currently running an 8.9" HDX with a working AOSP - thanks to all the help I got on this forum and specifically followed this thread:
http://forum.xda-developers.com/showthread.php?t=2582773
but the main applications that I now need to use for work are iOS only (don't ask... NOT happy) so I'm back to carrying an iPad around everywhere and as such I'm going to sell my HDX. Before I do that I need to return it back to stock... I found a number of threads referencing how to do this but wanted to be extra careful. At present I'm just running Safestrap with a second ROM slot that I boot with all the non-standard stuff, I got there via SuperSU.
What's the right sequence of de-activates / un-installs / magic incantations to get this thing back to "boring, stock" just like it would come from Amazon? Is it as simple as re-enabling over-the-air updates and letting it "fix" itself? Or do I need to specifically back out some of the safestrap/superSU stuff first?
Help? (and THANKS)
Depends on how you used SafeStrap. If you ONLY installed in the stock rom, then an update likely would do it. If you installed safestrap a second time from the working rom-slot as well, then updates won't work, because the BL & Kernel CANNOT be flashed.
The best thing is to remove all wifi connections with "forget network", then go into safe strap & activate stock rom. Then go back to the boot options & delete the rom-slot you created. Boot back into stock partition, uninstall Safestrap & then reconnect to wifi & check for updates.
I would HIGHLY recommend you follow my directions about forgetting nearby, if not all, wifi networks. If you turn wifi off in a slot, but not in stock, or vice versa, it can cause boot issues, as well as wifi issues.
I would not return it to stock. That device could go for a premium right now to other users simply because you can get AOSP and so many cannot yet.
EniGmA1987 said:
I would not return it to stock. That device could go for a premium right now to other users simply because you can get AOSP and so many cannot yet.
Why would it go for a premium? It is absolutely 100% rootable. It has not been patched against the VolumeManager/vold ASEC exploit. In fact, I am nearly certain the bootloader can be unlocked from my investigation. Unfortunately that part is beyond my abilities & exceeds the time I would need to get caught up on the msm89xx+ SoC, but I would just about bet the farm that it can be done.
GSLEON3 said:
Why would it go for a premium? It is absolutely 100% rootable. It has not been patched against the VolumeManager/vold ASEC exploit. In fact, I am nearly certain the bootloader can be unlocked from my investigation. Unfortunately that part is beyond my abilities & exceeds the time I would need to get caught up on the msm89xx+ SoC, but I would just about bet the farm that it can be done.
Because when I posted that we had no root, and it was still a "hopefully sometime soon" with 9/10 of the HDX's on a version that couldn't be rooted.
It is nice that we have one Chinese method now and that you might get something soon, though I think you are suddenly pretty full of yourself on these forums with the little bit of knowledge you gained recently. Much better people at this have not been able to get the bootloader cracked. But best of luck to you.
EniGmA1987 said:
Because when I posted that we had no root, and it was still a "hopefully sometime soon" with 9/10 of the HDX's on a version that couldn't be rooted.
It is nice that we have one Chinese method now and that you might get something soon, though I think you are suddenly pretty full of yourself on these forums with the little bit of knowledge you gained recently. Much better people at this have not been able to get the bootloader cracked. But best of luck to you.
Actually, the little time I've been around is well over a decade. This ain't my first username. Secondly, there is already an ASEC based root that WAS created by someone better with this stuff than me, so it's not full of myself, it is FACT. I am rooted, have been each & every time, without blocking anything & without having to sacrifice connectivity, another FACT. Coincidentally, the reason it was never published, well I'd venture a guess that it's because of stupid posts & self-entitled people ignorantly writing or PM'ing to insist that things be done for them on their terms. Another fact, it was that kind of crap that made me leave this forum a few months ago. So, I don't know what "better people" you are talking about that have failed at it, but I do know the better people that have done it.
Another fact, anyone at all can read & discover just how small the patch for the ASEC vulnerability was. It doesn't take a genius to then decompile the vold & search for that one event which was used to patch it, which subsequently tells all you need to know.
GSLEON3 said:
Actually, the little time I've been around is well over a decade. This ain't my first username. Secondly, there is already an ASEC based root that WAS created by someone better with this stuff than me, so it's not full of myself, it is FACT. I am rooted, have been each & every time, without blocking anything & without having to sacrifice connectivity, another FACT. Coincidentally, the reason it was never published, well I'd venture a guess that it's because of stupid posts & self-entitled people ignorantly writing or PM'ing to insist that things be done for them on their terms. Another fact, it was that kind of crap that made me leave this forum a few months ago. So, I don't know what "better people" you are talking about that have failed at it, but I do know the better people that have done it.
Another fact, anyone at all can read & discover just how small the patch for the ASEC vulnerability was. It doesn't take a genius to then decompile the vold & search for that one event which was used to patch it, which subsequently tells all you need to know.
lol. I am glad you know your FACTS. No need to act so butthurt.
