Need help understanding sysfs: write from kernel, read from app - Android Q&A, Help & Troubleshooting

Hello,
I'm trying to get raw data from the light sensor via sysfs and transfer it to an app to show on a chart.
I've been looking at the kernel driver sources and found this:
https://android.googlesource.com/ke...-bullhead-3.10-nougat/drivers/misc/apds993x.c
which contains
Code:
static ssize_t apds993x_show_ch0data(struct device *dev,
struct device_attribute *attr, char *buf)
and
static ssize_t apds993x_show_ch1data(struct device *dev,
struct device_attribute *attr, char *buf)
I have flashed ElementalX:
https://forum.xda-developers.com/nexus-5x/orig-development/kernel-elementalx-n5x-t3240537
which has apds993x.c in its source.
But I'm so new to kernel development that I don't know how to read these values.
So can somebody help me with this:
Are these values written to sysfs? If yes, where are they under /sys/..?
How can I read these values out?
Thank you so much!

Related

[Q] How can I add missing symbols to a proprietary .so?

Is it possible to add some missing symbols to existing shared libraries?
The stock libaudio.so on the Milestone XT720 references three static strings found in the stock libmedia.so that are not common in other ROMs. Basically, the relevant parts of the original proprietary libraries are (via nm -D)
Code:
libaudio.so:
U _ZN7android14AudioParameter11keyFMLaunchE
U _ZN7android14AudioParameter12keyFMRoutingE
U _ZN7android14AudioParameter14keyHDMIRoutingE
Code:
libmedia.so:
0005fb68 D _ZN7android14AudioParameter11keyFMLaunchE
0005fb6c D _ZN7android14AudioParameter12keyFMRoutingE
0005fb70 D _ZN7android14AudioParameter14keyHDMIRoutingE
Code-wise, we've figured out that they're just these stupid static strings
Code:
namespace android {
class AudioParameter {
    static const char *keyFMLaunch;
    static const char *keyFMRouting;
    static const char *keyHDMIRouting;
};
const char *AudioParameter::keyFMLaunch = "FM_launch";
const char *AudioParameter::keyFMRouting = "FM_routing";
const char *AudioParameter::keyHDMIRouting = "HDMI_routing";
} // namespace android
For example, we're mostly compatible with the Milestone A853's stock ROM, but the Milestone A853's libmedia.so doesn't have these symbols, so we get a link failure, and substituting our libmedia.so causes big problems. If we use the Milestone A853's libaudio.so instead, then FM radio volume control doesn't work.
AOSP/CyanogenMod don't have these symbols in libmedia either, so we've been using a forked framework/base just to stick these symbols in. I'm trying to clean up our tree and if it's possible I'd rather just stuff those symbols into libaudio.so somehow and never think about it again.
Is there some way to copy those strings from libmedia.so? I've been trying some things with the various binutils (objcopy, ld) and scouring man pages but no luck so far. I put the code above in wrapper.cpp but I can't figure out whether gcc can add to an existing .so. Any suggestions? I'm happy to read if someone knows where to point me.

[Q] {Q} How can I unpack Boot.img

I want to unpack a Boot.img file to have a look at the kernel code. I have been Googling this for about an hour and need some help. I am using Windows but could use Ubuntu if need be.
Help would be much appreciated!!!
first of all, by unpacking boot.img you won't see the actual kernel code.. it will merely give you 0.05% of an idea about the coding stuff here..
ketut released some tools which you can find in his kernel thread [not cf-root thread]..
if you want code then you will have to download the kernel sources from github or the samsung site.. and play at your own risk
Okay, it looks like I am going to install Ubuntu. I was just hoping there was some way to do it within Windows without running a VM or dual booting.
yes there are two ways of installing it: with the wubi installer to install within windows.. and one creating a separate ext4 partition to dual boot..
wubi installer seems to be what you are looking for
I am currently looking here https://github.com/ilarrain/kernel_galaxyace/blob/gingerbread/arch/arm/mach-msm/acpuclock.c and trying to understand the references to the frequency table. I want to understand why the table goes to 1036800 (like the CM7 Kernel) but is limited to 902400. It would help if I had the CM7 Kernel source for reference. Do you know where that can be found?
I am pretty sure this is what I need to be looking at:
#ifdef CONFIG_CPU_FREQ_MSM
static struct cpufreq_frequency_table freq_table[20];

static void __init cpufreq_table_init(void)
{
	unsigned int i;
	unsigned int freq_cnt = 0;

	/* Construct the freq_table table from acpu_freq_tbl since the
	 * freq_table values need to match frequencies specified in
	 * acpu_freq_tbl and acpu_freq_tbl needs to be fixed up during init.
	 */
	for (i = 0; acpu_freq_tbl[i].a11clk_khz != 0
			&& freq_cnt < ARRAY_SIZE(freq_table)-1; i++) {
		if (acpu_freq_tbl[i].use_for_scaling) {
			freq_table[freq_cnt].index = freq_cnt;
			freq_table[freq_cnt].frequency
				= acpu_freq_tbl[i].a11clk_khz;
			freq_cnt++;
		}
	}

	/* freq_table not big enough to store all usable freqs. */
	BUG_ON(acpu_freq_tbl[i].a11clk_khz != 0);

	freq_table[freq_cnt].index = freq_cnt;
	freq_table[freq_cnt].frequency = CPUFREQ_TABLE_END;

	pr_info("%d scaling frequencies supported.\n", freq_cnt);
}
#endif
-SGA- said:
I am currently looking here https://github.com/ilarrain/kernel_galaxyace/blob/gingerbread/arch/arm/mach-msm/acpuclock.c and trying to understand the references to the frequency table. I want to understand why the table goes to 1036800 (like the CM7 Kernel) but is limited to 902400. It would help if I had the CM7 Kernel source for reference. Do you know where that can be found?
I am pretty sure this is what I need to be looking at:
Why not cooper_initramfs ?
Herpderp Adreno + Tegra.
Well.. For the history, to unpack boot.img you need to use cygwin. Here is a complete instruction on doing this thing: freeyourandroid.com
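What those unpack tools actually do with the file, as an added example that is not from the thread or from any of the tools mentioned: a parser for the classic boot.img header (the "ANDROID!" layout with one header page followed by kernel, ramdisk and optional second stage, each padded to page_size) that validates the header before carving anything out.

```c
/* Added example (not from the thread): parse the classic Android boot.img
 * header and report where kernel, ramdisk and second stage live, so they can
 * be carved out for inspection. Header fields are little-endian u32 after the
 * 8-byte magic: kernel_size@8, ramdisk_size@16, second_size@24, page_size@36. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BOOT_MAGIC "ANDROID!"
#define BOOT_MAGIC_SIZE 8
#define BOOT_HDR_MIN 48   /* bytes needed to reach every field used below */

struct boot_layout {
    uint32_t page_size;
    uint32_t kernel_size, ramdisk_size, second_size;
    size_t kernel_off, ramdisk_off, second_off;
};

/* Little-endian accessors: the header is stored LE regardless of host order. */
uint32_t le32_get(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
void le32_put(uint8_t *p, uint32_t v)
{
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* Each section occupies whole pages, as mkbootimg and the bootloader assume. */
static size_t pages(uint32_t size, uint32_t page_size)
{
    return ((size_t)size + page_size - 1) / page_size;
}

/* Validate the header and compute section offsets.
 * Returns 0 on success, -1 on bad magic, bad page size or a truncated image. */
int parse_boot_img(const uint8_t *img, size_t len, struct boot_layout *out)
{
    if (len < BOOT_HDR_MIN || memcmp(img, BOOT_MAGIC, BOOT_MAGIC_SIZE) != 0)
        return -1;
    uint32_t ps = le32_get(img + 36);
    /* mkbootimg only emits 2048..16384-byte pages, always a power of two;
     * checking this first also rules out a division by zero in pages(). */
    if (ps < 2048 || ps > 16384 || (ps & (ps - 1)) != 0)
        return -1;
    out->page_size = ps;
    out->kernel_size = le32_get(img + 8);
    out->ramdisk_size = le32_get(img + 16);
    out->second_size = le32_get(img + 24);
    out->kernel_off = ps;   /* header owns page 0, kernel starts at page 1 */
    out->ramdisk_off = out->kernel_off + pages(out->kernel_size, ps) * ps;
    out->second_off = out->ramdisk_off + pages(out->ramdisk_size, ps) * ps;
    size_t end = out->second_off + pages(out->second_size, ps) * ps;
    /* Reject images whose declared sections run past the bytes we hold. */
    return end > len ? -1 : 0;
}

static int carve(const uint8_t *img, size_t off, uint32_t size, const char *name)
{
    FILE *f = fopen(name, "wb");
    if (!f)
        return -1;
    size_t n = fwrite(img + off, 1, size, f);
    fclose(f);
    return n == size ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s boot.img\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("open"); return 1; }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    rewind(f);
    uint8_t *img = len > 0 ? malloc((size_t)len) : NULL;
    if (!img || fread(img, 1, (size_t)len, f) != (size_t)len) { perror("read"); return 1; }
    fclose(f);
    struct boot_layout l;
    if (parse_boot_img(img, (size_t)len, &l)) { fprintf(stderr, "not a valid boot.img\n"); return 1; }
    printf("page_size=%u kernel@%zu(%u) ramdisk@%zu(%u) second@%zu(%u)\n", l.page_size,
           l.kernel_off, l.kernel_size, l.ramdisk_off, l.ramdisk_size, l.second_off, l.second_size);
    /* The kernel is normally a zImage, the ramdisk a gzipped cpio archive. */
    return carve(img, l.kernel_off, l.kernel_size, "kernel") ||
           carve(img, l.ramdisk_off, l.ramdisk_size, "ramdisk.cpio.gz");
}
```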

[Q] Need help hijacking/hooking/wrapping kernel function

I've made some modifications to drivers/usb/otg/msm_otg.c in order to support usb host mode for the Nexus 4: http://forum.xda-developers.com/showthread.php?t=2181820
So far, I've been building off Franco's sources, since I was using his kernel anyway. But this has its problems. I'm not looking to have to constantly keep up with Franco's nightlies. A good amount of posts from people are asking if I could compile a different kernel with the otg modifications, or if they could flash a different kernel on top. Franco's been getting requests to implement the modifications, and I didn't mean to put any onus on him.
I've been trying to do some research on creating a kernel module that could somehow hijack/hook/wrap the static functions I've made changes to in msm_otg.c. This is all way, way over my head though, and I could really use some help here. I've done some reading so far, but it hasn't gotten me anywhere. I got some good help on IRC, but am stuck again.
To get things rolling, I've manually found the address of the static function msm_chg_detect_work from /proc/kallsyms to be 0xc03b4950. I'm trying to make a jump from there to my own function. I was provided make_jump_op for this purpose, although I have no understanding of how it works. Here is more or less what I've got so far (relevant bits..):
Code:
// max distance: 0x02000000
unsigned int make_jump_op(unsigned int src, unsigned int dst) {
	unsigned int o;
	int distance;
	distance = (int)( ((long long)dst) - (((long long)src) + 8) );
	if (distance > 32*1024*1024 || distance < -32*1024*1024) {
		printk(KERN_ERR "distance too big!\n");
		return 0; // crash, BOOOOM!
	}
	distance = distance / 4; // read: ">>2"
	o = *((unsigned int *)(&distance)); // is there a proper way to do this, too?
	o = (o & 0x00ffffff) + 0xea000000;
	return o;
}

static void msm_chg_detect_work_MOD(struct work_struct *w) {
	printk(KERN_INFO "TEST\n");
}

static int ziddey_otg_init(void) {
	unsigned int *origcall;
	printk(KERN_INFO "Loading kernel module '%s'\n", MODULE_NAME);
	// 0xc03b4950: msm_chg_detect_work
	origcall = (unsigned int *) 0xc03b4950;
	preempt_disable();
	*origcall = make_jump_op(0xc03b4950, (unsigned int)(void*)msm_chg_detect_work_MOD);
	preempt_enable();
	printk(KERN_INFO "Loaded kernel module '%s'\n", MODULE_NAME);
	return 0;
}
Can anyone make sense of this? I get an Oops error and kernel panic.
Thank you
Code:
$ grep msm_chg_detect_work /proc/kallsyms
c03b4950 t msm_chg_detect_work

[DEV-Only] 3.x Kernel for Xperia X10

As some may know, I've been getting headaches for months (I'm not a professional dev ...) porting the 3.0.8 kernel to the X10.
I'm opening a new thread to talk about progress on the 3.x kernel ported to the ES209RA..
I'd like to share the work I've done since last year and involve as many people as possible.
I'll try to keep this thread updated with a "what is working" list and a "to do" or "to fix" list ...
You've been warned: this is a development thread, and until the kernel is "officially" released, flashing stuff or making changes in the kernel and flashing it on your device without knowing what you do may damage your phone.
Important notice:
This is not a thread to teach "how to port" or else ...
However, when the time comes, testers will be needed and posts will be made to get reports etc ...
Don't ask for ETA ...
Thanks a lot for understanding
Kernel 3.0.8 porting
Ported on X10 from msm7x30-3.0.x-nAa
Thanks to :
nAa for his sources and his thread on getting a serial console,
Fxp, Doomlord, Androxyde for their answers to my annoying questions about the serial console,
Achotjan, Feravolt, Scritch and all others who helped me a lot since I started this project.
The link to my repo : Tof37-Github
For now this kernel is just made to be used as a base.
What is working :
Kernel is built with almost all ES209RA drivers (I think ar6000 is missing, nothing else)
it boots
Display is (finally) working
Rom (tested with an old CM9) is booting. Also booting on CM10.1 and 4.2.2 aosp (strange display problem with aosp)
ADB is working (dmesg and logcat can be done)
Battery charging is working, data and LED color are ok too
Got rom display. (CM10.1, maybe others) ... for a stock configuration it's not so bad ...
Bug list :
QDSP6 has to be disabled, smsm modem is resetting
Recovery key access mismatch (it works only when it wants ...)
Added needed files and lines in defconfig to build ar6000.ko.
Have to port some code in msm_sdcc.c for plat_disable_wlan_slot and plat_enable_wlan_slot ... seems to be needed to turn wifi on and off ...
Added lines in defconfig to enable bluetooth ... still not working
maybe more I don't even know ...
To do:
Fix known bugs
Add necessary changes in ramdisk
Kernel 3.4.0
WIP ... doesn't fully build
Thanks Nice work
reserved :
thanks tof, you are definitely changing the future of Xperia X10
cheers
Achotjan
I'm ready for testing
Log for qdsp crash
Here is the log I got with qdsp6 enabled :
PHP:
[ 12.548407] ------------[ cut here ]------------
[ 12.548533] WARNING: at drivers/gpio/gpiolib.c:101 gpio_ensure_requested+0x4c/0xfc()
[ 12.548695] autorequest GPIO-149
[ 12.548766] Modules linked in:
[ 12.548864] [<c0047010>] (unwind_backtrace+0x0/0xf0) from [<c0089af4>] (warn_slowpath_common+0x4c/0x64)
[ 12.549893] [<c0089af4>] (warn_slowpath_common+0x4c/0x64) from [<c0089b8c>] (warn_slowpath_fmt+0x2c/0x3c)
[ 12.559441] [<c0089b8c>] (warn_slowpath_fmt+0x2c/0x3c) from [<c0270708>] (gpio_ensure_requested+0x4c/0xfc)
[ 12.569079] [<c0270708>] (gpio_ensure_requested+0x4c/0xfc) from [<c0270928>] (gpio_direction_output+0x74/0x158)
[ 12.579157] [<c0270928>] (gpio_direction_output+0x74/0x158) from [<c00728ec>] (analog_init+0x18/0x28)
[ 12.588348] [<c00728ec>] (analog_init+0x18/0x28) from [<c0070e40>] (q6audio_init+0x214/0x2e4)
[ 12.596855] [<c0070e40>] (q6audio_init+0x214/0x2e4) from [<c0072490>] (q6audio_open_pcm+0x20/0x200)
[ 12.605883] [<c0072490>] (q6audio_open_pcm+0x20/0x200) from [<c0072b8c>] (pcm_ioctl+0x1d0/0x3f4)
[ 12.614658] [<c0072b8c>] (pcm_ioctl+0x1d0/0x3f4) from [<c01153a8>] (do_vfs_ioctl+0x508/0x584)
[ 12.623158] [<c01153a8>] (do_vfs_ioctl+0x508/0x584) from [<c0115458>] (sys_ioctl+0x34/0x54) MODEM/AMSS has CRASHED
[ 12.631502] [<c0115458>] (sys_ioctl+0x34/0x54) from [<c0042480>] (ret_fast_syscall+0x0/0x30)
[ 12.639903] ---[ end trace 47a718f49542dde2 ]---
[ 12.690778]
[ 12.690789] SMSM: Modem SMSM state changed to SMSM_RESET.
[ 12.691454] Notify: start reset
[ 14.336724]
[ 14.337405] smem: CRASH LOG
[ 14.337410] 'ERR crash log report. Version 2.
In analog_audio.c, adding (like the KTG .32 kernel)
PHP:
gpio_request(GPIO_HEADSET_AMP, NULL)
solved the warning ... but not the crash, still having:
PHP:
[ 17.020205] [pcm_out.c:pcm_open] open
<6>[ 17.020852] [q6audio.c:q6audio_init] codecs
<6>[ 17.021094] [q6audio.c:q6audio_init] attach ADSP
<6>[ 17.128602] [dal.c:dal_attach] status = 0, name = 'DAL_AQ_AUD' dal_client d5c24000
<6>[ 17.128795] [q6audio.c:q6audio_init] INIT
<6>[ 17.130021] [q6audio.c:q6audio_init] OPEN control
<6>[ 17.540540] [q6audio.c:q6audio_init] attach ACDB
<6>[ 17.644275] [dal.c:dal_attach] status = 0, name = 'DAL_AM_AUD' dal_client d5eb5800
<6>[ 17.644442] [q6audio.c:q6audio_init] attach ADIE
<6>[ 17.644841] [dal.c:dal_attach] status = 0, name = 'DAL_AM_AUD' dal_client d5eb5400
<3>[ 17.665947]
<3>[ 17.665958] SMSM: Modem SMSM state changed to SMSM_RESET.
<3>[ 17.666632] Notify: start reset
nothing more for now
Try this in config:
Code:
CONFIG_MSM_QDSP6=y
CONFIG_MSM_AUDIO_QDSP6=y //this one wants - SND_SOC_MSM_QDSP6_INTF
# CONFIG_MSM_QDSP6_APR is not set
# CONFIG_QSD_AUDIO is not set
p.s. can you send me your 51-android.rules file.. I messed up usb permissions and adb says:
error: insufficient permissions for device
I have this:
SUBSYSTEM=="usb", SYSFS{idVendor}=="0fce", MODE="0777"
EDIT> nvm.. fixed by changing device permissions to 666
FeraVolt said:
Will try
BTW I think something is messing up ... qdsp6 needs "ac" (q6audio.c line 971)
PHP:
pr_info("[%s:%s] attach ADIE\n", __MM_FILE__, __func__);
adie = dal_attach(ADIE_DAL_DEVICE, ADIE_DAL_PORT, 0, 0, 0);
if (!adie) {
	pr_err("[%s:%s] cannot attach to adie\n",
	       __MM_FILE__, __func__);
	res = -ENODEV;
	goto done;
}

if (analog_ops->init)
	analog_ops->init();

res = 0;
ac_control = ac;
but ... if you look at the log on google drive (log 3.0.8 ... booting on cm9, without qdsp6) you'll see that
PHP:
sysfs: cannot create duplicate filename '/class/power_supply/ac'
I think the problem is there ... if I revert this commit it doesn't work either because mx17040 doesn't probe as it should...
let's sleep now
How about this <mach/msm_qdsp6_audio.h>:
Code:
/* arch/arm/mach-msm/include/mach/msm_qdsp6_audio.h
 *
 * Copyright (C) 2009 Google, Inc.
 * Author: Brian Swetland <[email protected]>
 *
 * This software is licensed under the terms of the GNU General Public
 * License version 2, as published by the Free Software Foundation, and
 * may be copied, distributed, and modified under those terms.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 */
#ifndef _MACH_MSM_QDSP6_Q6AUDIO_
#define _MACH_MSM_QDSP6_Q6AUDIO_

#define AUDIO_FLAG_READ		0
#define AUDIO_FLAG_WRITE	1
#define AUDIO_FLAG_INCALL_MIXED	2

#include <linux/wait.h>

struct audio_buffer {
	dma_addr_t phys;
	void *data;
	uint32_t size;
	uint32_t used;		/* 1 = CPU is waiting for DSP to consume this buf */
	uint32_t actual_size;	/* actual number of bytes read by DSP */
};

struct audio_client {
	struct audio_buffer buf[2];
	int cpu_buf;		/* next buffer the CPU will touch */
	int dsp_buf;		/* next buffer the DSP will touch */
	int running;
	int session;
	wait_queue_head_t wait;
	struct dal_client *client;
	int cb_status;
	uint32_t flags;
};

/* Obtain a 16bit signed, interleaved audio channel of the specified
 * rate (Hz) and channels (1 or 2), with two buffers of bufsz bytes.
 */
struct audio_client *q6audio_open_pcm(uint32_t bufsz, uint32_t rate,
				      uint32_t channels, uint32_t flags,
				      uint32_t acdb_id);
struct audio_client *q6voice_open(uint32_t flags);
struct audio_client *q6audio_open_mp3(uint32_t bufsz, uint32_t rate,
				      uint32_t channels, uint32_t acdb_id);
struct audio_client *q6audio_open_dtmf(uint32_t rate, uint32_t channels,
				       uint32_t acdb_id);
int q6audio_play_dtmf(struct audio_client *ac, uint16_t dtmf_hi,
		      uint16_t dtmf_low, uint16_t duration, uint16_t rx_gain);
struct audio_client *q6audio_open_aac(uint32_t bufsz, uint32_t samplerate,
				      uint32_t channels, uint32_t bitrate,
				      uint32_t stream_format, uint32_t flags,
				      uint32_t acdb_id);
struct audio_client *q6audio_open_qcp(uint32_t bufsz, uint32_t min_rate,
				      uint32_t max_rate, uint32_t flags,
				      uint32_t format, uint32_t acdb_id);
struct audio_client *q6audio_open_amrnb(uint32_t bufsz, uint32_t enc_mode,
					uint32_t dtx_enable, uint32_t flags,
					uint32_t acdb_id);

int q6audio_close(struct audio_client *ac);
int q6voice_close(struct audio_client *ac);
int q6audio_mp3_close(struct audio_client *ac);

int q6audio_read(struct audio_client *ac, struct audio_buffer *ab);
int q6audio_write(struct audio_client *ac, struct audio_buffer *ab);
int q6audio_async(struct audio_client *ac);

int q6audio_do_routing(uint32_t route, uint32_t acdb_id);
int q6audio_set_tx_mute(int mute);
int q6audio_reinit_acdb(char* filename);
int q6audio_update_acdb(uint32_t id_src, uint32_t id_dst);
int q6audio_set_rx_volume(int level);
int q6audio_set_stream_volume(struct audio_client *ac, int vol);
int q6audio_set_stream_eq_pcm(struct audio_client *ac, void *eq_config);

struct q6audio_analog_ops {
	void (*init)(void);
	void (*speaker_enable)(int en);
	void (*headset_enable)(int en);
	void (*receiver_enable)(int en);
	void (*bt_sco_enable)(int en);
	void (*int_mic_enable)(int en);
	void (*ext_mic_enable)(int en);
};

void q6audio_register_analog_ops(struct q6audio_analog_ops *ops);

/* signal non-recoverable DSP error so we can log and/or panic */
void q6audio_dsp_not_responding(void);

#endif
rom is not usable (EGL part in userspace has to be updated)
Disable MSM_ION.. I just ported it and got a similar thing.. No bootanimation.. All OpenGL ES 2 apps crash.. UI glitches.. I'd like to look at how Achotjan ported it.. Maybe it's foolish me..
FeraVolt said:
Disable MSM_ION.. I just ported it and got similar thing.. No bootanimation.. All openGles2 apps crashes.. UI glitches.. I'd like to look at how Achotjan ported it.. Maybe its foolish me..
Spent nearly the whole day with the qdsp problem... still crashing...
About display, I think memory allocation is not perfect... disabling triple buffering ended with no display but a booting rom...
will see that tonight...
Some news ...
Have just made a new build with the latest adreno drivers ... and voilà !!!
Rom still not usable (flickering, ... ) but things are going the right way
Tof37 said:
Some news ...
Very nice. Can we have the latest dmesg & logcat? And.. maybe you can somehow capture how it's flickering.. To understand where the dog lies.. :good:
FeraVolt said:
Very nice . Can we have latest dmesg & logcat? And.. maybe you can somehow capture how it's flickering.. To undrstand where the dog lies.. :good:
I'll upload the ftf file tonight and the logs as well.
This is awesome work Tof!
RE: this flickering issue.. I recall Scritch had similar issues when first porting CM10..
http://forum.xda-developers.com/showpost.php?p=34720912&postcount=32
Not sure what Rom you're loading, but perhaps this needs implementing or reversing if you've already included it?
Also: http://forum.xda-developers.com/showpost.php?p=34770510&postcount=37 for slightly more detail.
FeraVolt said:
Very nice . Can we have latest dmesg & logcat? And.. maybe you can somehow capture how it's flickering.. To undrstand where the dog lies.. :good:
Here is a link to the ftf file with the 3.0.8 kernel booting on the cm9 rom: here (flash at your own risk, on unlocked bootloader only)
Got a log and dmesg in google drive (check your gmail)
EDIT : don't mind about ro.config.disable_hw_accel=false in build.prop ... just something I thought it should be useful ... but no
blueowl0708 said:
This is awesome work Tof!
I have to check that ... I remember this patch ... but took the same msm display drivers ... will look. Thanks
Tof37 said:
Here is a link to the ftf file with 3.0.8 kernel booting on cm9 rom : here
I have to check that ... I remember this patch ... but took the same msm diplay drivers ... will look Thanks
I thought the patch was for CM10 specifically - so if you're running CM9 while testing......... worth a look anyway!
blueowl0708 said:
I thought the patch was for CM10 specifically - so if you're running CM9 while testing......... worth a look anyway!
if you look at the kernel .29 git in the cmx10 repo, we managed to use the same kernel on ICS and JB ......
Tof37 said:
if you look at kernel .29 git in cmx10 repo, we managed to use the same kernel on ics and JB ......
Fair does... just a thought

How to go about patching the kernel to get EHCI(USB 2.0) devices to behave like xHCI?

Basically, there has been an app ported to Android that allows even unrooted (stock) devices to deliver a bootrom exploit to the Nintendo Switch via USB-OTG and a USB cable (or C-to-C). USB 3.0 (xHCI) devices have no issues and deliver the exploit just fine. Apparently it is not even a USB 2.0 problem but rather how the EHCI performs, as certain USB 2.0 phones actually have an xHCI controller and can run the exploit just fine. What happens is that although it can detect the connected Switch in Tegra Recovery Mode, it just doesn't do anything and gives an error in the logs, "SUMBITURB failed".
On Linux desktop systems it is similar, but the exploit can still work with a kernel patch provided by the hacking group that discovered the exploit in the first place:
Code:
--- linux-4.14.27/drivers/usb/host/ehci-hcd.c.old 2018-04-17 18:00:00.000000000 +0000
+++ linux-4.14.27/drivers/usb/host/ehci-hcd.c 2018-04-17 18:00:00.000000000 +0000
@@ -873,14 +873,6 @@
INIT_LIST_HEAD (&qtd_list);
switch (usb_pipetype (urb->pipe)) {
- case PIPE_CONTROL:
- /* qh_completions() code doesn't handle all the fault cases
- * in multi-TD control transfers. Even 1KB is rare anyway.
- */
- if (urb->transfer_buffer_length > (16 * 1024))
- return -EMSGSIZE;
- /* FALLTHROUGH */
- /* case PIPE_BULK: */
default:
if (!qh_urb_transaction (ehci, urb, &qtd_list, mem_flags))
return -ENOMEM;
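Review bot: the deleted `case PIPE_CONTROL:` block is the only bound on control URB size, and its own comment states why it exists: qh_completions() does not handle every fault case of a multi-TD control transfer. Removing both the check and the comment means a large control transfer that faults part-way now reaches exactly those unhandled paths in the host controller driver, so the safer change is to raise the limit (with the comment updated to say why the new bound is acceptable) rather than delete the check, and to keep the `/* FALLTHROUGH */` annotation so the intent of landing in `default:` stays documented.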
The author of the Android port had also written a Python "hotpatch" script for desktop Linux systems:
Code:
#!/usr/bin/env python3
import os
"""
Cursed Code.
This code literally patches your kernel memory, proceed at your own risk.
Tested on Ubuntu 17.10 and Arch, x86_64. Should work on other distros, maybe even other architectures!
Run fusee-launcher.py with the "--override-checks" argument.
If you'd rather patch your drivers properly:
https://github.com/fail0verflow/shofel2/blob/master/linux-ehci-enable-large-ctl-xfers.patch
"""
ksyms = {
    line[2]: int(line[0], 16)
    for line in
    map(lambda l: l.strip().split(),
        open("/proc/kallsyms", "r").readlines())}
print(hex(ksyms["ehci_urb_enqueue"]))
patch_c = """
#include <linux/module.h>
#include <linux/kernel.h>
#include <asm/pgtable.h>
static u32 ORIG_MAX = 16*1024;
static u32 NEW_MAX = 0x1000000;
/* borrowed from MUSL because I'm lazy AF */
static char *fourbyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
{
    uint32_t nw = n[0]<<24 | n[1]<<16 | n[2]<<8 | n[3];
    uint32_t hw = h[0]<<24 | h[1]<<16 | h[2]<<8 | h[3];
    for (h+=3, k-=3; k; k--, hw = hw<<8 | *++h)
        if (hw == nw) return (char *)h-3;
    return 0;
}
static pte_t* (*lookup_addr)(unsigned long, unsigned int*) = (void *) PLACE2;
static void set_addr_rw(unsigned long addr) {
    unsigned int level;
    pte_t *pte = lookup_addr(addr, &level);
    set_pte_atomic(pte, pte_mkwrite(*pte));
}
int init_module(void) {
    void * ehci_urb_enqueue_start = (void *) PLACEHOLDER;
    u32 * patch_addr;
    printk(KERN_INFO "Patch module loaded\\n");
    patch_addr = (u32 *) fourbyte_memmem(ehci_urb_enqueue_start, 0x400, (void *)&ORIG_MAX);
    if (patch_addr == NULL) {
        printk(KERN_INFO "Failed to find patch site :(\\n");
        return -1;
    }
    printk(KERN_INFO "patch_addr: 0x%px\\n", patch_addr);
    set_addr_rw((unsigned long)patch_addr);
    *patch_addr = NEW_MAX;
    printk(KERN_INFO "Patching done!\\n");
    return -1;
}
""".replace("PLACEHOLDER", hex(ksyms["ehci_urb_enqueue"])).replace("PLACE2", hex(ksyms["lookup_address"]))
makefile = """
obj-m += patch.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
"""
with open("patch.c", "w") as patchfile:
    patchfile.write(patch_c)
with open("Makefile", "w") as mf:
    mf.write(makefile)
os.system("make")
print("About to insert patch module, 'Operation not permitted' means it probably worked, check dmesg output.")
os.system("insmod patch.ko")
I tried to see if running it in Termux would do anything but I got the following error:
Code:
0x0
Traceback (most recent call last):
File "ehci_patch.py", line 70, in <module>
" " ".replace("PLACEHOLDER", hex(ksyms["ehci_urb_enqueue"])).replace("PLACE2" hex(ksyms["lookup_address"]))
KeyError: 'lookup_address'
I know that script isn't meant for use on Android anyway but maybe it can lead to a solution. The author of it does not know how to go about it at this time either, but believes an entire recompile of the kernel would be necessary. I am hoping that something like a systemless Magisk module would be the easiest solution for users but do not know if that is possible. I am only guessing it might be possible to create a Magisk module because of audio drivers like VIPER4Android. If indeed a custom kernel is needed, does anyone know how to go about it? It could be difficult to implement for everyone because not everyone has a device where the source to the kernel is available, etc. I am willing, however, to test anything on my tablet which is USB 2.0 and gives the error in the app. Any advice for how to go about this will be greatly appreciated.
I feel ya man, I need this stuff too. NXLoader doesn't work on my Galaxy Grand Prime (G530T) and I really need it to Dx
