[Q] Rip adb binary out of CM9 (or the like) - Android Q&A, Help & Troubleshooting

Hi,
I want adb on my Desire. I use Leedroid and there is no adb binary. So I downloaded CM9 (and others) to rip it out. But all I get if I try to start the binary on my device is:
permission denied
(also with su)
Any advice?

Try switching to superuser (su) and then type:
Code:
chmod +x /bin/adb
I'm presuming it's an issue with permissions, that should sort it.

I did and get the following:
[1] + Stopped (signal) ./adb
and after one enter
[1] Segmentation fault ./adb
I have also tried to set chmod to 777.

htzeh said:
I did and get the following:
[1] + Stopped (signal) ./adb
and after one enter
[1] Segmentation fault ./adb
I have also tried to set chmod to 777.
Okay, try doing the same operation using adb on a computer.
If this doesn't work, rm the adb file using adb shell, and push your own to the same directory.

On the pc adb works, I can push, shell etc.
cyr0s said:
... rm the adb file using adb shell, and push your own to the same directory.
with the adb from the android-sdk (on pc):
1: Syntax error: "(" unexpected
I'm feeling like :silly:
Nobody there who has the adb binary on their phone?
Maybe the strace output can help (not for me )
adb3 is the "new" from pc, adb2 is the binary from CM9
Code:
adb shell "strace /system/sd/adb3"
execve("/system/sd/adb3", ["/system/sd/adb3"], [/* 13 vars */]) = -1 ENOEXEC (Exec format error)
write(2, "strace: exec", 12strace: exec) = 12
write(2, ": ", 2: ) = 2
write(2, "Exec format error", 17Exec format error) = 17
write(2, "\n", 1
) = 1
SYS_248(0x1, 0xafd3af7f, 0xf73b60f4, 0xf73b60f4, 0x1 <unfinished ... exit status 1>
Code:
adb shell "strace /system/sd/adb2"
execve("/system/sd/adb2", ["/system/sd/adb2"], [/* 13 vars */]) = 0
syscall_983045(0xb0011a4c, 0x1, 0xb0012574, 0, 0xb0010d90, 0xb0009468, 0xbebfeb80, 0xf0005, 0xbebfeb8c, 0xb0007268, 0xb000726f, 0xb0007280, 0, 0xbebfeb20, 0xb0004e21, 0xb000121c, 0x80000010, 0xb0011a4c, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) = 0
getpid() = 9707
sigaction(SIGILL, {0xb000586d, [], SA_RESTART}, {SIG_DFL}, 0xb0009468) = 0
sigaction(SIGABRT, {0xb000586d, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGBUS, {0xb000586d, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGFPE, {0xb000586d, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGSEGV, {0xb000586d, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGSTKFLT, {0xb000586d, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGPIPE, {0xb000586d, [], SA_RESTART}, {SIG_DFL}, 0) = 0
getuid32() = 0
geteuid32() = 0
getgid32() = 0
getegid32() = 0
--- SIGSEGV (Segmentation fault) @ 0 (15d58) ---
sigaction(SIGUSR1, {SIG_IGN}, {SIG_DFL}, 0) = 0
SYS_224(0, 0xbebfe7c0, 0xbebfe7c0, 0) = 9707
socket(PF_UNIX, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_UNIX, path=@android:debuggerd}, 20) = 0
write(3, "\353%\0\0", 4) = 4
--- SIGCONT (Continue) @ 0 (0) ---
read(3, "", 1) = 0
close(3) = 0
sigaction(SIGSEGV, {SIG_IGN}, {0xb000586d, [], SA_RESTART}, 0) = 0
sigreturn() = ? (mask now [])
--- SIGSEGV (Segmentation fault) @ 0 (15d58) ---
+++ killed by SIGSEGV +++
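The two traces above part ways at `execve`: the binary taken from the PC SDK is rejected with ENOEXEC, while the CM9 binary loads and only crashes later. The following is an added example, not code from the thread, that reads a file's first bytes to tell whether the kernel on a 32-bit ARM device would accept it at all. The ARM sample is the header visible in the `read()` of `/system/lib/liblog.so` elsewhere on this page; the x86_64 and PE headers, the function names and the default device profile are constructed for illustration.

```python
import struct

# Subset of e_machine values from the ELF specification.
ELF_MACHINES = {3: "x86", 8: "mips", 40: "arm", 62: "x86_64", 183: "aarch64"}


def describe_executable(header: bytes) -> dict:
    """Classify a file from its first bytes (20 bytes are enough for ELF)."""
    if header[:4] == b"\x7fELF":
        if len(header) < 20:
            return {"format": "elf", "error": "truncated header"}
        bits = {1: 32, 2: 64}.get(header[4])        # EI_CLASS
        endian = {1: "<", 2: ">"}.get(header[5])    # EI_DATA
        if bits is None or endian is None:
            return {"format": "elf", "error": "bad EI_CLASS/EI_DATA"}
        # e_type and e_machine are two 16-bit fields at offset 16.
        e_type, e_machine = struct.unpack_from(endian + "HH", header, 16)
        return {
            "format": "elf",
            "bits": bits,
            "machine": ELF_MACHINES.get(e_machine, f"unknown({e_machine})"),
            "type": {2: "exec", 3: "dyn"}.get(e_type, f"other({e_type})"),
        }
    if header[:2] == b"MZ":
        return {"format": "pe"}          # Windows executable, e.g. an .exe
    if header[:2] == b"#!":
        return {"format": "script"}
    return {"format": "unknown"}


def check_for_device(header: bytes, machine: str = "arm", bits: int = 32):
    """Return (ok, reason) for running this file on the given device profile."""
    info = describe_executable(header)
    if info["format"] == "script":
        return True, "script; needs its interpreter on the device"
    if info["format"] != "elf":
        return False, f"{info['format']} file: execve() fails with ENOEXEC"
    if "error" in info:
        return False, info["error"]
    if (info["machine"], info["bits"]) != (machine, bits):
        return False, (f"built for {info['machine']}/{info['bits']}-bit, "
                       f"device is {machine}/{bits}-bit: ENOEXEC")
    # A matching header only gets the file past execve(); a binary linked
    # against another ROM's libraries can still crash after loading.
    return True, "architecture matches (libraries/ABI may still differ)"


def check_file(path: str, machine: str = "arm", bits: int = 32):
    """Same check for a file on disk."""
    with open(path, "rb") as fh:
        return check_for_device(fh.read(20), machine, bits)


# Header bytes as shown in the strace read() of liblog.so on this page.
ARM_SO_HEADER = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x03\x00(\x00\x01\x00\x00\x00"
# Constructed samples: a 64-bit x86 ELF executable and a Windows PE stub.
X86_64_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 62)
PE_HEADER = b"MZ\x90\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, hdr in (("arm .so", ARM_SO_HEADER),
                      ("x86_64 elf", X86_64_HEADER),
                      ("pe", PE_HEADER)):
        print(name, describe_executable(hdr), check_for_device(hdr))
```
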

Related

Uid and permissions

Hi,
Quick question, as root shouldn't I have UID 0? I'm worried that something's wrong, I appear to have full access to files etc. but not true root. My UID in the root shell is 10143 and even if that gives access to most stuff I'm still not rooted.
Any ideas?
Cheers
Sent from my SO-01B using XDA App
ddewbofh said:
Hi,
Quick question, as root shouldn't I have UID 0? I'm worried that something's wrong, I appear to have full access to files etc. but not true root. My UID in the root shell is 10143 and even if that gives access to most stuff I'm still not rooted.
Any ideas?
Cheers
Sent from my SO-01B using XDA App
Scratching my head currently to figure out the same
Well, it seems that this method of root messes with the sh binary installed under /system/bin/ so that it launches as user root. It doesn't seem to be the case like a normal Linux box you would expect.
Also wondering what's the purpose of the su binary installed at step 4. Most probably to be able to run any command with superuser privileges... but it doesn't seem to work that way.
For example when I execute su /system/bin/sh, I get:
/system/bin/sh: 1: Syntax error: word unexpected (expecting ")")
Still trying to figure out what's going on...
j4mm3r said:
Scratching my head currently to figure out the same
Well, it seems that this method of root messes with the sh binary installed under /system/bin/ so that it launches as user root. It doesn't seem to be the case like a normal Linux box you would expect.
Also wondering what's the purpose of the su binary installed at step 4. Most probably to be able to run any command with superuser privileges... but it doesn't seem to work that way.
For example when I execute su /system/bin/sh, I get:
/system/bin/sh: 1: Syntax error: word unexpected (expecting ")")
Still trying to figure out what's going on...
In my case not having UID 0 wreaks havoc with some apps.
I'll try reflashing one more time but so far it looks more like the system's been modified to appear rooted rather than actually being rooted.
ddewbofh said:
In my case not having UID 0 wreaks havoc with some apps.
I'll try reflashing one more time but so far it looks more like the system's been modified to appear rooted rather than actually being rooted.
Oh no, it's rooted all right... otherwise there is no way that you could write to the /system file system.
It's just that it's rather unconventional. Furthermore I'm beginning to get concerned about controlling the root access. I mean there are references to Superuser Whitelist applications which can alert when an app tries to request root access.
Till now my attempt to download and install "Superuser Whitelist" from the market has failed because that wants to install itself with the same user id as Android System, but its apk isn't signed with the same signature, so the system rejects the installation.
Trying to find alternatives... any help guys?
j4mm3r said:
Oh no, it's rooted all right... otherwise there is no way that you could write to the /system file system.
It's just that it's rather unconventional. Furthermore I'm beginning to get concerned about controlling the root access. I mean there are references to Superuser Whitelist applications which can alert when an app tries to request root access.
Till now my attempt to download and install "Superuser Whitelist" from the market has failed because that wants to install itself with the same user id as Android System, but its apk isn't signed with the same signature, so the system rejects the installation.
Trying to find alternatives... any help guys?
It's not rooted, it's been compromised. Only if you have a proper root (aka UID 0) you can call it rooted.
And the fun continues, if I start up the adb shell I'm still logged on as the shell user with an uid of 2000. Egad!
Yeah, it's definite. We're not rooted. We have better access to system files but it's not a root, not by a long shot.
Same here. Could it be an issue with busybox?
same with mine.. so does this mean that some of us don't have it rooted? or that the original devs were wrong when they said they rooted it?
if it's the first, i'll just try again..
instigator008 said:
Same here. Could it be an issue with busybox?
I have no idea, but it's annoying to not have access to the init scripts. :/
ddewbofh said:
I have no idea, but it's annoying to not have access to the init scripts. :/
errr... why not the init scripts? you can modify any file that you want. I'm still checking the issue with the id.
I ran strace on a binary and basically it's the egid which is 0 so.
Code:
# strace id
strace id
execve("/system/bin/id", ["id"], [/* 8 vars */]) = 0
syscall_983045(0x700189fc, 0, 0x7ee18da4, 0x1, 0x700189fc, 0x7ee18da0, 0x70010448, 0xf0005, 0, 0, 0, 0, 0, 0x7ee18d48, 0x700016e9, 0x7000222c, 0x10, 0x700189fc, 0, 0, 0xc764, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) = 0
getpid() = 6507
sigaction(SIGILL, {0x70001c95, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGABRT, {0x70001c95, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGBUS, {0x70001c95, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGFPE, {0x70001c95, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGSEGV, {0x70001c95, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGSTKFLT, {0x70001c95, [], SA_RESTART}, {SIG_DFL}, 0) = 0
sigaction(SIGPIPE, {0x70001c95, [], SA_RESTART}, {SIG_DFL}, 0) = 0
stat64("/system/lib/liblog.so", {st_mode=S_IFREG|0644, st_size=13488, ...}) = 0
open("/system/lib/liblog.so", O_RDONLY|O_LARGEFILE) = 3
lseek(3, 0, SEEK_SET) = 0
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\f\20\0\000"..., 4096) = 4096
lseek(3, -8, SEEK_END) = 13480
read(3, "\0\0\274oPRE ", 8) = 8
mmap2(0x6fbc0000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6fbc0000
mmap2(0x6fbc0000, 10724, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x6fbc0000
mprotect(0x6fbc0000, 12288, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mmap2(0x6fbc3000, 368, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x3) = 0x6fbc3000
close(3) = 0
stat64("/system/lib/libc.so", {st_mode=S_IFREG|0644, st_size=243988, ...}) = 0
open("/system/lib/libc.so", O_RDONLY|O_LARGEFILE) = 3
lseek(3, 0, SEEK_SET) = 0
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\320\242"..., 4096) = 4096
lseek(3, -8, SEEK_END) = 243980
read(3, "\0\0\340oPRE ", 8) = 8
mmap2(0x6fe00000, 290816, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6fe00000
mmap2(0x6fe00000, 230024, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x6fe00000
mprotect(0x6fe00000, 233472, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mmap2(0x6fe39000, 8544, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x39) = 0x6fe39000
mmap2(0x6fe3c000, 42280, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x6fe3c000
close(3) = 0
mprotect(0x6fe00000, 233472, PROT_READ|PROT_EXEC) = 0
getuid32() = 2000
geteuid32() = 0
open("/dev/null", O_RDWR|O_LARGEFILE) = 3
fcntl64(0, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(1, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(2, F_GETFL) = 0x2 (flags O_RDWR)
close(3) = 0
gettid() = 6507
syscall_983045(0x6fe43b10, 0, 0x40, 0, 0x6fe43c10, 0x7edf9000, 0x7ee18ba0, 0xf0005, 0, 0, 0, 0, 0, 0x7ee18b88, 0x6fe1fdc3, 0x6fe0d34c, 0x60000010, 0x6fe43b10, 0, 0, 0xc764, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) = 0
mmap2(NULL, 131072, PROT_READ, MAP_SHARED, 9, 0) = 0x2aaab000
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 3
read(3, "\345\347\3004", 4) = 4
close(3) = 0
stat64("/system/lib/libstdc++.so", {st_mode=S_IFREG|0644, st_size=5124, ...}) = 0
open("/system/lib/libstdc++.so", O_RDONLY|O_LARGEFILE) = 3
lseek(3, 0, SEEK_SET) = 0
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\234\10\0"..., 4096) = 4096
lseek(3, -8, SEEK_END) = 5116
read(3, "\0\0\320oPRE ", 8) = 8
mmap2(0x6fd00000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6fd00000
mmap2(0x6fd00000, 2860, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x6fd00000
mprotect(0x6fd00000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mmap2(0x6fd01000, 232, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1) = 0x6fd01000
close(3) = 0
mprotect(0x6fd00000, 4096, PROT_READ|PROT_EXEC) = 0
getuid32() = 2000
geteuid32() = 0
open("/dev/null", O_RDWR|O_LARGEFILE) = 3
fcntl64(0, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(1, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(2, F_GETFL) = 0x2 (flags O_RDWR)
close(3) = 0
stat64("/system/lib/libm.so", {st_mode=S_IFREG|0644, st_size=91056, ...}) = 0
open("/system/lib/libm.so", O_RDONLY|O_LARGEFILE) = 3
lseek(3, 0, SEEK_SET) = 0
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\240\34\0"..., 4096) = 4096
lseek(3, -8, SEEK_END) = 91048
read(3, "\0\0\300oPRE ", 8) = 8
mmap2(0x6fc00000, 94208, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6fc00000
mmap2(0x6fc00000, 88856, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x6fc00000
mprotect(0x6fc00000, 90112, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mmap2(0x6fc16000, 204, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x16) = 0x6fc16000
close(3) = 0
mprotect(0x6fc00000, 90112, PROT_READ|PROT_EXEC) = 0
getuid32() = 2000
geteuid32() = 0
open("/dev/null", O_RDWR|O_LARGEFILE) = 3
fcntl64(0, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(1, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(2, F_GETFL) = 0x2 (flags O_RDWR)
close(3) = 0
mprotect(0x6fbc0000, 12288, PROT_READ|PROT_EXEC) = 0
getuid32() = 2000
geteuid32() = 0
open("/dev/null", O_RDWR|O_LARGEFILE) = 3
fcntl64(0, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(1, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(2, F_GETFL) = 0x2 (flags O_RDWR)
close(3) = 0
stat64("/system/lib/libcutils.so", {st_mode=S_IFREG|0644, st_size=59308, ...}) = 0
open("/system/lib/libcutils.so", O_RDONLY|O_LARGEFILE) = 3
lseek(3, 0, SEEK_SET) = 0
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\0001\0\000"..., 4096) = 4096
lseek(3, -8, SEEK_END) = 59300
read(3, "\0\0\260oPRE ", 8) = 8
mmap2(0x6fb00000, 122880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6fb00000
mmap2(0x6fb00000, 53584, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x6fb00000
mprotect(0x6fb00000, 57344, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mmap2(0x6fb0e000, 1076, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xe) = 0x6fb0e000
mmap2(0x6fb0f000, 57732, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x6fb0f000
close(3) = 0
mprotect(0x6fb00000, 57344, PROT_READ|PROT_EXEC) = 0
getuid32() = 2000
geteuid32() = 0
open("/dev/null", O_RDWR|O_LARGEFILE) = 3
fcntl64(0, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(1, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(2, F_GETFL) = 0x2 (flags O_RDWR)
close(3) = 0
mprotect(0x8000, 69632, PROT_READ|PROT_EXEC) = 0
getuid32() = 2000
geteuid32() = 0
open("/dev/null", O_RDWR|O_LARGEFILE) = 3
fcntl64(0, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(1, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(2, F_GETFL) = 0x2 (flags O_RDWR)
close(3) = 0
getgroups32(64, [1003, 1004, 1007, 1011, 1015, 3001, 3002, 3003]) = 8
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aacb000
mprotect(0x2aacb000, 4096, PROT_READ) = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 1), ...}) = 0
brk(0) = 0x1e000
brk(0x1e000) = 0x1e000
brk(0x1f000) = 0x1f000
mprotect(0x2aacb000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x2aacb000, 4096, PROT_READ) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
getuid32() = 2000
getgid32() = 2000
write(1, "uid=2000(shell) gid=2000(shell) "..., 145uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
) = 145
mprotect(0x2aacb000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x2aacb000, 4096, PROT_READ) = 0
munmap(0x2aacb000, 4096) = 0
exit_group(0) = ?
Process 6507 detached
#
Oh wow, so much fail.
OK first of all, the image is modded to allow your shell to be root. Running 'whoami' will (should) say uid 0 and you should have the # beside cursor.
If (like me) for some reason you ran this and your root apps don't work,
1) Connect to the phone with adb
2) mount the filesystem as R/W
3) install su to /system/bin chmod it to 6755
4) Download busybox from the market
5) type su
6) type whoami (should be unknown uid 0)
all "root" apps will use the su binary to become root so as long as what I said works then all root apps should work.
Yeah, I 've done that a few times already. Any other tips?
Sent from my SO-01B using XDA App
edude03 said:
Oh wow, so much fail.
OK first of all, the image is modded to allow your shell to be root. Running 'whoami' will (should) say uid 0 and you should have the # beside cursor.
If (like me) for some reason you ran this and your root apps don't work,
1) Connect to the phone with adb
2) mount the filesystem as R/W
3) install su to /system/bin chmod it to 6755
4) Download busybox from the market
5) type su
6) type whoami (should be unknown uid 0)
all "root" apps will use the su binary to become root so as long as what I said works then all root apps should work.
before saying all this, can I enquire if you have tried these steps on an X10 rooted using the method in question here. I mean I fully understand what "su" means and what "busybox" is for. So your point is?
Tried a third time, to really make sure I didn't rush anything. But even with a rooted system my uid is 10143. Rather odd since I can remount /system etc.
I'll get some sleep and take a fresh look later.
Sent from my SO-01B using XDA App
I thought it was evident from the "(like me)" part that I had the same issue.
Yes this is what I did on my X10 rooted using the method outlined in the other thread.
edude03 said:
I thought it was evident from the "(like me)" part that I had the same issue.
Yes this is what I did on my X10 rooted using the method outlined in the other thread.
And I thought the "I've tried that already" bit was self explanatory.
Sent from my SO-01B using XDA App
edude03 said:
I thought it was evident from the "(like me)" part that I had the same issue.
Yes this is what I did on my X10 rooted using the method outlined in the other thread.
OK buddy, maybe I missed the (like me) part... but both ddewbofh and I have done essentially that. And our mileage varies.
lrwxr-xr-x 1 0 2000 7 Feb 21 02:48 wipe -> toolbox
-rwxr-xr-x 1 0 2000 5592 Feb 21 02:48 wiperiface
-rwxr-xr-x 1 0 2000 5432 Feb 21 02:48 wlan_tool
-rwxr-xr-x 1 0 2000 61748 Feb 21 02:48 wmiconfig
-rwxr-xr-x 1 0 2000 205288 Feb 21 02:48 wpa_supplicant
lrwxrwxrwx 1 0 0 19 Jun 28 02:29 xargs -> /system/bin/busybox
lrwxrwxrwx 1 0 0 19 Jun 28 02:29 yes -> /system/bin/busybox
lrwxrwxrwx 1 0 0 19 Jun 28 02:29 zcat -> /system/bin/busybox
lrwxrwxrwx 1 0 0 19 Jun 28 02:29 zcip -> /system/bin/busybox
lrwxrwxrwx 1 0 0 7 Jun 28 00:40 zip -> busybox
#
#
# su
su
# whoami
whoami
whoami: unknown uid 2000
#
j4mm3r said:
OK buddy, maybe I missed the (like me) part... but both ddewbofh and I have done essentially that. And our mileage varies.
my uid comes up as 10330 - I thought that this was strange...
My Windows cmd skills are weak (Linux-only user for years...) but, well, here are some quick instructions:
0. Download busybox (free) from Market (newer version than in root files)
1. download su-2.1-cd-unsecure-signed.zip from http://forum.xda-developers.com/showthread.php?t=682828
2. extract it into folder of your choosing
3. open up cmd (Win+R -> enter 'cmd')
4. Enter the following:
Code:
cd the-path-to-where-you-extracted-the-root-files/ROOT/Step4
adb install the-path-to-where-you-extracted-the-su-file\system\app\Superuser.apk
adb shell mount -o remount,rw -t yaffs2 /dev/block/mtdblock2 /system
adb push the-path-to-where-you-extracted-the-su-file\system\app\Superuser.apk /sdcard/Superuser.apk
adb push the-path-to-where-you-extracted-the-su-file\system\bin\su /sdcard/su
adb shell dd if=/sdcard/su of=/system/bin/su
adb shell dd if=/sdcard/Superuser.apk of=/system/app/Superuser.apk
adb shell reboot
After the phone rebooted, check if it worked (it did for me):
Code:
adb shell
whoami
su
whoami
The first whoami should give you a random number (10k something, I think?). When using su, you'll have to confirm the program to be allowed root access on your phone (something should pop up), and the second whoami should put out uid 0.
hope that helps someone
Yeah, root is done in an unconventional way atm, that's why it acts like this.
Will be fixed.
Regards
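The `strace id` output in this thread shows `getuid32() = 2000` next to `geteuid32() = 0` in the same process: the real UID is still `shell` while the effective UID is root, the split a set-uid executable (such as one given mode 6755) produces. The following is an added example, not code from the thread, that extracts the credential syscalls from strace output and reports that split; the sample lines are copied from the two traces on this page, and the function and field names are chosen for illustration.

```python
import re

# Matches lines such as "geteuid32() = 0". The optional "32" is the 32-bit
# syscall variant seen in the traces; it is dropped so both spellings agree.
CRED_CALL = re.compile(
    r"^\s*(getuid|geteuid|getgid|getegid)(?:32)?\(\)\s*=\s*(\d+)\s*$")
FIELD = {"getuid": "ruid", "geteuid": "euid",
         "getgid": "rgid", "getegid": "egid"}


def credential_view(strace_text):
    """Collect the distinct values each credential syscall returned, in order."""
    view = {field: [] for field in FIELD.values()}
    for line in strace_text.splitlines():
        match = CRED_CALL.match(line)
        if not match:
            continue                      # not a credential syscall
        values = view[FIELD[match.group(1)]]
        value = int(match.group(2))
        if not values or values[-1] != value:
            values.append(value)          # record only changes
    return view


def classify(view):
    """Describe the uid and gid state using the last value seen for each."""
    findings = []
    for kind, real, eff in (("uid", "ruid", "euid"), ("gid", "rgid", "egid")):
        missing = [f for f in (real, eff) if not view[f]]
        if missing:
            findings.append(
                f"{kind}: incomplete, trace has no {'/'.join(missing)} value")
            continue
        r, e = view[real][-1], view[eff][-1]
        if len(view[real]) > 1 or len(view[eff]) > 1:
            findings.append(f"{kind}: changed during trace")
        if r != e:
            findings.append(f"{kind}: split, real={r} effective={e}")
        elif r == 0:
            findings.append(f"{kind}: root, real and effective are 0")
        else:
            findings.append(f"{kind}: unprivileged, real and effective are {r}")
    return findings


# Lines copied from the adb2 trace in the first thread on this page.
ADB2_TRACE = """getpid() = 9707
getuid32() = 0
geteuid32() = 0
getgid32() = 0
getegid32() = 0
"""

# Lines copied from the "strace id" trace in this thread.
ID_TRACE = """mprotect(0x6fe00000, 233472, PROT_READ|PROT_EXEC) = 0
getuid32() = 2000
geteuid32() = 0
open("/dev/null", O_RDWR|O_LARGEFILE) = 3
getuid32() = 2000
getgid32() = 2000
"""

if __name__ == "__main__":
    for name, trace in (("adb2", ADB2_TRACE), ("id", ID_TRACE)):
        print(name, classify(credential_view(trace)))
```
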

[MORTSCRIPT] Indent.mscr - A Simple Script Beautifier

Thought I should share this code snippet, because I am sure there is no comparable one.
You simply copy and paste the code listed.
Code:
//
// indent.mscr
//
// © 2014 jwoegerbauer
// GPL v2
//
//
// This indent script changes the appearance of a MSCR script by inserting or deleting whitespace.
// One issue in the formatting of MortScript code is how far each line should be indented from the
// left margin. When the beginning of a statement such as IF or FOR is encountered, the indentation
// level is increased by 1 (one). Consequently when the beginning of a statement such as ENDIF or
// NEXT is encountered, the indentation level is decreased by 1 (one). The indentation (whitespace)
// is calculated as indentation level * TAB
//
// Get script file to be processed: if it's not passed as argument, a dialog will
// be shown you select the file from
fileIN = "" & argv[1]
If( fileIN EQ "" )
    fileIN = SelectFile("Select script file",0,"*.mscr", ("Please select script file that should get indented"))
EndIf
If( fileIN EQ "" )
    // Quit
    Exit
EndIf
fileOUT = fileIN & ".indented"
fileWrites = 0
indentLevel = 0
indentExtra = 0 // only set if SWITCH ... ENDSWITCH detected
lineIN = ReadLine(fileIn)
While(NOT IsEmpty(lineIN))
    fileWrites += 1
    // Left trim line
    idx = 1
    While((SubStr(lineIN, idx, 1) EQ " ") || (SubStr(lineIN, idx, 1) EQ "^TAB^"))
        idx += 1
    EndWhile
    lineOUT = SubStr(lineIN, idx)
    // Create a copy of trimmed line and convert it to upper case
    lineTMP = ToUpper(lineOUT)
    // Build indentation string
    indentationString = ""
    If (indentLevel >= 1)
        For idx = 1 To indentLevel
            indentationString &= "^TAB^"
        Next
    EndIf
    // Flags
    opening = 0
    closing = 0
    // Ignore if it's a comment line
    If((SubStr(lineIn, 1, 1) NE "#") && (SubStr(lineIn, 1, 1) NE "/"))
        // Check whether to indent/unindent
        opening = ((SubStr(lineTMP, 1, 2) EQ "IF") ? 1 : 0)
        If(NOT opening)
            opening = ((SubStr(lineTMP, 1, 4) EQ "ELSE") ? 1 : 0)
        EndIf
        If(NOT opening)
            opening = ((SubStr(lineTMP, 1, 6) EQ "ELSEIF") ? 1 : 0)
        EndIf
        If(NOT opening)
            opening = ((SubStr(lineTMP,1, 3) EQ "FOR") ? 1 : 0)
        EndIf
        If(NOT opening)
            opening = ((SubStr(lineTMP, 1, 7) EQ "FOREACH") ? 1 : 0)
        EndIf
        If(NOT opening)
            opening = ((SubStr(lineTMP, 1, 5) EQ "WHILE") ? 1 : 0)
        EndIf
        If(NOT opening)
            opening = ((SubStr(lineTMP, 1, 6) EQ "SWITCH") ? 1 : 0)
        EndIf
        If(NOT opening)
            opening = ((SubStr(lineTMP, 1, 4) EQ "CASE") ? 1 : 0)
            indentExtra = (opening ? 1 : 0)
        EndIf
        If(NOT opening)
            opening = ((SubStr(lineTMP, 1, 7) EQ "DEFAULT") ? 1 : 0)
            indentExtra = (opening ? 1 : 0)
        EndIf
        If(NOT opening)
            opening = ((SubStr(lineTMP, 1, 6) EQ "REPEAT") ? 1 : 0)
        EndIf
        If(NOT opening)
            opening = ((SubStr(lineTMP, 1, 6) EQ "CHOICE") ? 1 : 0)
        EndIf
        If(NOT opening)
            opening = ((SubStr(lineTMP, 1, 13) EQ "CHOICEDEFAULT") ? 1 : 0)
        EndIf
        If(NOT opening)
            closing = ((SubStr(lineTMP, 1, 5) EQ "ENDIF") ? 1 : 0)
            If(NOT closing)
                closing = ((SubStr(lineTMP, 1, 4) EQ "NEXT") ? 1 : 0)
            EndIf
            If(NOT closing)
                closing = ((SubStr(lineTMP, 1, 10) EQ "ENDFOREACH") ? 1 : 0)
            EndIf
            If(NOT closing)
                closing = ((SubStr(lineTMP, 1, 8) EQ "ENDWHILE") ? 1 : 0)
            EndIf
            If(NOT closing)
                closing = ((SubStr(lineTMP, 1, 9) EQ "ENDSWITCH") ? 1 : 0)
                indentExtra = (closing ? -2 : 0)
            EndIf
            If(NOT closing)
                closing = ((SubStr(lineTMP, 1, 9) EQ "ENDREPEAT") ? 1 : 0)
            EndIf
            If(NOT closing)
                closing = ((SubStr(lineTMP, 1, 9) EQ "ENDCHOICE") ? 1 : 0)
            EndIf
        EndIf
    EndIf
    If( closing )
        // Rebuild indentation string
        indentLevel -= 1
        // Handle SWITCH ... ENDSWITCH compound statements
        If (indentExtra <> 0)
            indentLevel += indentExtra
            indentExtra = 0
        EndIf
        indentationString = ""
        If (indentLevel >= 1)
            For idx = 1 To indentLevel
                indentationString &= "^TAB^"
            Next
        EndIf
    EndIf
    // Create line to be output
    lineOUT = (indentationString & lineOUT & "^NL^")
    fileAppend = ((fileWrites > 1) ? 1 : 0)
    WriteFile(fileOUT, lineOUT, fileAppend)
    // Force re-calculate indentation
    If(opening)
        // Handle SWITCH ... ENDSWITCH compound statements
        If (indentExtra > 0)
            indentLevel += indentExtra
            indentExtra = 0
        EndIf
        indentLevel += 1
    EndIf
    lineIN = ReadLine(fileIn)
EndWhile
// Done
Exit
HTH

[Q] Locating task_struct::cred

Hi.
I develop an exploit for a public vulnerability. When executing in kernel mode I have to locate task_struct and cred struct and modify user ids. I take pointer to thread_info from stack, then extract pointer to task_struct, search task_struct for process name (comm field). There should be cred struct pointer before the field.
Code:
int f() //executed in kernel mode
{
    unsigned int *p;
    unsigned int *p3; //struct task_struct
    unsigned int *cred; //struct cred
    char *pc1, *pc2;
    int i;
    register unsigned long sp asm ("sp");
    p = sp;
    p = (int)p & ~(THREAD_SIZE - 1); //p points to thread_info
    initial = p;
    p3 = (int *)(p[3]);
    task = p3; //p3 points to task_struct
    state = task[0];
    stack = task[1];
    flags = task[3];
    pc2 = (char *)p3 + 2056;
    pc1 = (char *)p3 + 8;
    //Now scan task_struct for comm field
    for (; pc1 != pc2;)
    {
        if (pc1[0] == 'N' && pc1[1] == 'a' && pc1[2] == 'm' && pc1[3] == 'e')
        {
            pc2 = pc1;
            break;
        }
        pc1++;
    }
    if (pc1 != pc2)
    {
        return -2;
    }
    cred = *(int **)(pc1 - 8); //cred points to struct cred now
    ...
}
The problem is that the assumed cred pointer points to some strange structure. It contains uid but doesn't contain cred's magic and so on. Printing a few dwords from the cred pointer I see: 7, 7d0, 7d0, 7d0, 7d0, 0, 0. 0x7D0 is the uid of the current process. I also dumped the task struct and it looks legit:
Code:
0 //runnable
da32a000 //stack
2 //usage
400000 //flags
0
0
1
1
78
78
78
0
c0808d2c
0
400
400000
1
d99cc3c0
0
d99cc3cc
c4123b84
1
3fb39b63
3f7
895ebf
0
c43e10f3
f2
895ebf
0
0
0
0
c4123708
0
0
d99ce710
d99ce710
0
a
4
0
0
c4123790
0
0
0
f
0
0
d99ce748
d99ce748
0
c0f41344
d99ce3d4
8c
d99ce760
d99ce760
d99ce768
d99ce768
dc585a40
dc585a40
1
3a
28
8
0
0
0
11
0
10000
800000
1
163a //pid
163a //tgid
b9dfb57
d99ce300
d99ce300
d99ce7bc
d99ce7bc
d99ce43c
d99ce43c
d99ce680
d99ce7d0
d99ce7d0
d99ce7d8
d99ce7d8
0
db51ad08
db51ad00
0
db51ad0c
db51ad00
d99ce478
db51af90
db51af80
d99ce804
d99ce804
0
0
0
0
1
0
1
0
0
0
3
11
1108
1a915a67
1108
1a915a67
ac
0
0
0
0
0
0
d99ce868
d99ce868
d99ce870
d99ce870
d99ce878
d99ce878
da456a00 //cred?
da456a00 //cred?
0 //??
65616d4e //'Name'
Any ideas what is this structure and where is cred?
Sorry for posting here, I can't post to development forum.
Thanks.
Ok, I didn't notice that magic is included only when CONFIG_DEBUG_CREDENTIALS is defined. So, there may be no magic.

Keycode_HOME don't work in custom ROM

I have an Android STB with a custom Android ROM in which the virtual home key (keycode_HOME) doesn't work. These are the traces from logcat:
03-30 23:37:28.872 D / WindowManager (3694): keycode = 3 interceptKeyTq screenIsOn keyguardActive = true = false = 2000000 policyFlags isWakeKey = false
03-30 23:37:28.872 I / WindowManager (3694): mapkey no map key list
03-30 23:37:28.872 D / WindowManager (3694): interceptKeyTi keyCode = 3 down = false repeatCount = 0 mHomePressed keyguardOn = true = true = false Canceled
03-30 23:37:28.872 W / ContextImpl (3694): Calling a method in the system without a qualified user process: android.app.ContextImpl.sendBroadcast: 1067 com.android.internal.policy.impl.PhoneWindowManager.interceptKeyBeforeDispatching: com.android.server.wm.InputMonitor.interceptKeyBeforeDispatching 1939 352 com.android.server.input.InputManagerService.interceptKeyBeforeDispatching: 1408 dalvik.system.NativeStart.run: -2
I do not have the source code of the kernel.
Any ideas?

Allwinner A23 Tablet: Launching Camera App freezes Tablet.

Hello, I changed the ROM on my tablet to:
PH_A76h_android4.4_v2.0_800x480-auto-gc2035-gc0308-wifi5990p-20141211a.img
Everything works okay, but not the camera.
The tablet has 2 cameras, front and back, with 0,3 Mpixels each.
They are on the same cable going from the mainboard to the front cam and then to the back camera.
When I launch the app the tablet freezes. Sometimes it resets itself after a minute or so (not always).
BTW:
I have saved the data of the NAND partitions with the old firmware (if you need some infos/settings/config from them).
I also have changed the script0.bin from the old firmware to fex and changed everything in DragonFaces SystemConfiguration like it was in the script0.bin from the original firmware.
Here is the block I changed in System-Editor:
Code:
;--------------------------------------------------------------------------------
;vip (video input port) configuration
;vip_used: 0:disable 1:enable
;vip_mode: 0:sample one interface to one buffer 1:sample two interface to one buffer
;vip_dev_qty: The quantity of devices linked to capture bus
;vip_dev(x)_isp_used 0: not use isp 1:use isp
;vip_dev(x)_fmt: 0:yuv 1:bayer raw rgb
;vip_dev(x)_stby_mode: 0:not shut down power at standby 1:shut down power at standby
;vip_dev(x)_vflip: flip in vertical direction 0:disable 1:enable
;vip_dev(x)_hflip: flip in horizontal direction 0:disable 1:enable
;vip_dev(x)_iovdd: camera module io power handle string, pmu power supply
;vip_dev(x)_iovdd_vol: camera module io power voltage, pmu power supply
;vip_dev(x)_avdd: camera module analog power handle string, pmu power supply
;vip_dev(x)_avdd_vol: camera module analog power voltage, pmu power supply
;vip_dev(x)_dvdd: camera module core power handle string, pmu power supply
;vip_dev(x)_dvdd_vol: camera module core power voltage, pmu power supply
;vip_dev(x)_afvdd: camera module vcm power handle string, pmu power supply
;vip_dev(x)_afvdd_vol: camera module vcm power voltage, pmu power supply
;x indicates the index of the devices which are linked to the same capture bus
;fill voltage in uV, e.g. iovdd = 2.8V, vip_devx_iovdd_vol = 2800000
;fill handle string as below:
;axp22_eldo3
;axp22_dldo4
;axp22_eldo2
;fill handle string "" when not using any pmu power supply
;--------------------------------------------------------------------------------
[csi0]
vip_used = 1
vip_mode = 0
vip_dev_qty = 2
vip_csi_pck = port:PE00<2><default><default><default>
vip_csi_mck = port:PE01<2><default><default><default>
vip_csi_hsync = port:PE02<2><default><default><default>
vip_csi_vsync = port:PE03<2><default><default><default>
vip_csi_d0 = port:PE04<2><default><default><default>
vip_csi_d1 = port:PE05<2><default><default><default>
vip_csi_d2 = port:PE06<2><default><default><default>
vip_csi_d3 = port:PE07<2><default><default><default>
vip_csi_d4 = port:PE08<2><default><default><default>
vip_csi_d5 = port:PE09<2><default><default><default>
vip_csi_d6 = port:PE10<2><default><default><default>
vip_csi_d7 = port:PE11<2><default><default><default>
vip_dev0_mname = "siv121d"
vip_dev0_lane = 1
vip_dev0_twi_id = 2
vip_dev0_twi_addr = 102
vip_dev0_isp_used = 0
vip_dev0_fmt = 0
vip_dev0_stby_mode = 0
vip_dev0_vflip = 0
vip_dev0_hflip = 0
vip_dev0_iovdd = "axp22_dldo3"
vip_dev0_iovdd_vol = 2800000
vip_dev0_avdd = "axp22_ldoio0"
vip_dev0_avdd_vol = 2800000
vip_dev0_dvdd = "axp22_eldo2"
vip_dev0_dvdd_vol = 1800000
vip_dev0_afvdd = ""
vip_dev0_afvdd_vol = 2800000
vip_dev0_power_en =
vip_dev0_reset = port:PE14<1><default><default><0>
vip_dev0_pwdn = port:PE15<1><default><default><1>
vip_dev0_flash_en = port:PB00<1><default><default><0>
vip_dev0_flash_mode =
vip_dev0_af_pwdn =
vip_dev1_mname = "siv121d"
vip_dev1_lane = 1
vip_dev1_twi_id = 2
vip_dev1_twi_addr = 102
vip_dev1_isp_used = 0
vip_dev1_fmt = 0
vip_dev1_stby_mode = 0
vip_dev1_vflip = 0
vip_dev1_hflip = 0
vip_dev1_iovdd = "axp22_dldo3"
vip_dev1_iovdd_vol = 2800000
vip_dev1_avdd = "axp22_ldoio0"
vip_dev1_avdd_vol = 2800000
vip_dev1_dvdd = "axp22_eldo2"
vip_dev1_dvdd_vol = 1800000
vip_dev1_afvdd = ""
vip_dev1_afvdd_vol = 2800000
vip_dev1_power_en =
vip_dev1_reset = port:PE16<1><default><default><0>
vip_dev1_pwdn = port:PE17<1><default><default><1>
vip_dev1_flash_en = port:PB00<1><default><default><0>
vip_dev1_flash_mode =
vip_dev1_af_pwdn =
[camera_list_para]
camera_list_para_used = 0
ov7670 = 0
gc0308 = 1
gt2005 = 0
hi704 = 0
sp0838 = 0
mt9m112 = 0
mt9m113 = 0
gc2035 = 1
ov2655 = 0
hi253 = 1
gc0307 = 0
mt9d112 = 0
ov5640 = 0
ov5647 = 0
gc2015 = 0
ov2643 = 0
gc0329 = 0
gc0309 = 0
s5k4ec = 0
siv121d = 0
siv120d = 0
I also copied camera.cfg from the old /system/etc to the new installation.
But it still freezes; I don't know what to do now.
Please help.
