What is the MTYPE for the GSmart S1205?
(I need it because I'm trying to install Android; if anybody can give me some tips, please reply too.)
Based on http://www.arm.linux.org.uk/developer/machines/ the GSmart S1205 processor mach type is 2754 (the phone has a Mediatek MT6516 / 416MHz processor).
MTYPE = Mach Type = 2754 Meditek 65XX Series mt65xx Howard Chen
But it still hangs.
This is my Haret default.txt:
Code:
# Display some greeting message
print "Welcome to Handheld Reverse Engineering Tool!"
print "Some basic info about your PDA:"
print "Processor Mach Type is %d" MTYPE
print "MMU L1 descriptor table address is %08x" MMU
# MMU L1 descriptor table address is 02650000
print "Video RAM address is %08x" VRAM
# Video RAM address is 0174b000
print "Current Process ID is %d" PID
# Current Process ID is 16
#print "CPU identification register (p15 r0) is %08x" CP(15,0)
# CPU identification register (p15 r0) is 00000075
# Fill top ten scan lines (the run bar) with some color
#vfh VRAM 240*10 0x0099
# EXCEPTION while writing 00000099 to address 0174B000
set RAMADDR 0xa0000000
set MTYPE 2754
set KERNEL zImage
set initrd initrd.gz
#
# The following kernel parameters are useful
# ppp.nostart - Set ppp.nostart=1 to disable starting the ppp connection on boot
# msm_sdcc.msmsdcc_fmax - The maximum frequency (in Hz) used by the SD controller
# pm.sleep_mode - The mode used when the phone is off
# 0=Power Collapse Suspend, 1=Power Collapse, 2=Apps Sleep,
# 3=Slow Clock and Wait for Interrupt 4=Wait for Interrupt
# Default is 3, use 0 for best power savings
# board-htcvogue.panel_type - Panel type used to power the panel off and on
# 1=Hitachi 2=Topoly 3=Samsung
# clock-7x00.mddi - MDDI clock (try 0xa51 or 0xe2c)
# clock-7x00.ahb_div - Advanced Host Bus divider, default is 4
# 2 is faster but uses more power
# clock-7x00.a11 - ARM11 clock speed in MHz, best to leave this alone
# lcd.density - Defaults to 160, 128 shows more on screen
# vogue-ts.XMIN - xmin value for the touchscreen calibration. Also YMIN, XMAX, YMAX, PMIN, PMAX.
#
# Probably the only one of these you will need to change is the panel type, NZ Vogues seem to all have type 1
# US Sprint vogues usually have type 2 or 3 I think.
# Make sure you add these between the quotes on the following line and that your editor hasn't split the line up.
set cmdline "ppp.nostart=0 mddi.width=240 mddi.height=400 pm.sleep_mode=0 no_console_suspend"
boot
This is my Haret log:
Code:
Running WSAStartup
Starting gui
In initdialog
Found machine Generic ARM 926
executing startup.txt
HaRET(2)# print "Welcome to Handheld Reverse Engineering Tool!"
Welcome to Handheld Reverse Engineering Tool!
HaRET(3)# print "Some basic info about your PDA:"
Some basic info about your PDA:
HaRET(4)# print "MMU L1 descriptor table address is %08x" MMU
MMU L1 descriptor table address is 02650000
HaRET(5)# print "Video RAM address is %08x" VRAM
Video RAM address is 0174b000
HaRET(6)# print "Current Process ID is %d" PID
Current Process ID is 16
HaRET(11)# set RAMADDR 0xa0000000
HaRET(12)# set MTYPE 2754
HaRET(13)# set KERNEL zImage
HaRET(14)# set initrd initrd.gz
HaRET(35)# set cmdline "ppp.nostart=0 mddi.width=240 mddi.height=400 pm.sleep_mode=0 no_console_suspend"
HaRET(36)# boot
boot KERNEL=zImage INITRD=initrd.gz
Opening file zImage
Opening file initrd.gz
boot params: RAMADDR=a0000000 RAMSIZE=06000000 MTYPE=2754 CMDLINE='ppp.nostart=0 mddi.width=240 mddi.height=400 pm.sleep_mode=0 no_console_suspend'
Boot FB feedback: 1
Built virtual to physical page mapping
Allocated 663 pages (tags=54000000/053ce000 kernel=54001000/053cd000 initrd=54168000/05630000 index=54293000/0575b000)
Built kernel tags area
Built page index
Video buffer at 4C600000 sx=240 sy=400 mx=60 my=66
Video Phys FB=0174b000 Fonts=0575d064
[email protected]/0575e000 sj=54296000 stack=54294000/0575c000 data=54295000/0575d000 exec=0575e128
Reading 1469884 bytes...
Read complete
Reading 1222150 bytes...
Read complete
Launching to physical address 0575e010
Trampoline setup ([email protected]/200255f4/034465f4)
MMU setup: mmu=A6650000/02650000
Go Go Go...
Are you using a Gsmart S1205?
I used your default.txt and nothing happens. It's writing "Booting Linux" and when the bar is filled it just "freezes". So I need to soft reset the phone.
Like I said, "But it still hangs.", mine isn't working either. I think I need to recompile a newer kernel for the zImage.
For the Gigabyte GSmart S1205 we need to compile the android-2.6.36 version, because only there does the arch/arm/tools/mach-types file contain the MT65xx with the MTYPE 2754. I will try to compile it this week, hope that will work.
And not only is a newer kernel necessary, but also a new HaRET compiled from source that will recognise the machine (trying to make one now).
This is not yet implemented; I need help finding information about the MT6516 processor (GPIO table, etc.). I will work on it.
Here I found info:
pdadb*.*net/index*.*php?m=cpu&id=a6516&c=mediatek_mt6516
remove * and paste in URL bar
Thanks, found that page a while ago, too. But it would be nice to find the MT6156 processor's datasheet.
For now I managed to make a patch for Haret to recognize the machine, but it still freezes:
========================================================================
Code:
diff -Naur haret/include/arch-arm.h haret-new/include/arch-arm.h
--- haret/include/arch-arm.h 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/include/arch-arm.h 2011-03-02 12:05:02.936418632 +0200
@@ -37,4 +37,7 @@
int detect();
};
+// Aliases
+class MachineMT6516 : public Machine926 {
+};
#endif // arch-arm.h
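Review bot: class MachineMT6516 is added with an empty body under the "// Aliases" comment, so it carries none of the MT6516-specific setup. The archname and CPUInfo assignments that the arch-arm.cpp hunk puts into the generic ARM 926 block would sit better in a MachineMT6516 constructor declared here, leaving Machine926 unchanged for other ARM926 devices.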
diff -Naur haret/Makefile haret-new/Makefile
--- haret/Makefile 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/Makefile 2011-03-02 12:38:27.628418500 +0200
@@ -45,7 +45,7 @@
RC = $(BASE)/bin/arm-mingw32ce-windres
RCFLAGS = -r -l 0x409 -Iinclude
-CXX = $(BASE)/bin/arm-mingw32ce-g++
+CXX = $(BASE)/bin/arm-mingw32ce-gcc
STRIP = $(BASE)/bin/arm-mingw32ce-strip
DLLTOOL = $(BASE)/bin/arm-mingw32ce-dlltool
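Review bot: Switching CXX from arm-mingw32ce-g++ to arm-mingw32ce-gcc is unrelated to MT6516 detection and is not explained anywhere in the patch. The gcc driver does not add the C++ runtime libraries at link time the way g++ does, so if CXX is also used for linking, either keep g++ or document why the toolchain needs this and name the C++ libraries explicitly.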
diff -Naur haret/src/l1trace.cpp haret-new/src/l1trace.cpp
--- haret/src/l1trace.cpp 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/src/l1trace.cpp 2011-03-02 12:06:09.529418186 +0200
@@ -212,12 +212,12 @@
if (Bbit(insn)) {
addrsize = 1;
asm("swpb %0, %1, [%2]"
- : "=r" (readval)
+ : "=&r" (readval)
: "r" (writeval), "r" (newaddr));
} else {
addrsize = 4;
asm("swp %0, %1, [%2]"
- : "=r" (readval)
+ : "=&r" (readval)
: "r" (writeval), "r" (newaddr));
}
setReg(regs, mask_Rd(insn), readval);
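Review bot: The "=&r" early-clobber on readval in both the swpb and swp statements is a correctness fix that has nothing to do with MT6516 support and deserves its own commit with a line of explanation (without it the compiler may give %0 the same register as %1 or %2). While these statements are being touched, note that they still have no volatile qualifier and no "memory" clobber even though they read and write [newaddr]; both are worth adding.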
diff -Naur haret/src/mach/arch-arm.cpp haret-new/src/mach/arch-arm.cpp
--- haret/src/mach/arch-arm.cpp 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/src/mach/arch-arm.cpp 2011-03-02 11:59:31.285419224 +0200
@@ -35,6 +35,10 @@
{
name = "Generic ARM 926";
flushCache = cpuFlushCache_arm926;
+ arm6mmu = 0;
+ archname = "MT65XX";
+ CPUInfo[0] = L"MT6516";
+ //customStartFunc = ????;
}
int
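Review bot: arm6mmu = 0, archname = "MT65XX" and CPUInfo[0] = L"MT6516" are added to the block that sets name = "Generic ARM 926", so every device that falls back to the generic ARM926 machine would now be labelled as an MT6516. Move these into a constructor for MachineMT6516 and set name there. The commented-out "//customStartFunc = ????;" should be dropped or replaced with a TODO that says what is missing.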
diff -Naur haret/src/mach/arch-s3.cpp haret-new/src/mach/arch-s3.cpp
--- haret/src/mach/arch-s3.cpp 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/src/mach/arch-s3.cpp 2011-03-02 12:18:06.349418721 +0200
@@ -307,7 +307,7 @@
if (SDMA_SEL) {
sdma_sel = SDMA_SEL[0];
fb_printf(fbi,"%s: SDMA_SEL=%x", __func__, sdma_sel);
- if (sdma_sel == 0xcfffffff)
+ if ((uint32)sdma_sel == 0xcfffffff)
//SDMA disabled
ctrl_count = 2;
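Review bot: The (uint32) cast on sdma_sel only hides a signed/unsigned comparison at this one site and is unrelated to the MT6516 work. If sdma_sel is declared with a signed type (the declaration is outside this hunk), changing the declaration is the cleaner fix; either way this belongs in a separate warning-cleanup patch.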
diff -Naur haret/src/mach/machlist.txt haret-new/src/mach/machlist.txt
--- haret/src/mach/machlist.txt 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/src/mach/machlist.txt 2011-03-02 12:32:53.729419070 +0200
@@ -108,6 +108,7 @@
DX900, S3c6400 ,DX900V040, DX900
X900, S3c6400 ,V900V050, ACER_ETEN_X900
M900, S3c6410 ,M900V030;GT-I8000, ACER_TEMPO_M900
+Cougar, MT6516 ,GIGABYTE gSmart, MT65XX
PLATFORM=Jupiter
Jornada820, SA ,"HP, Jornada 820", JORNADA820
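Review bot: The new Cougar row matches on the OEM string "GIGABYTE gSmart" alone, which names a vendor and product family rather than one model, so any other handset reporting that OEM string would also be detected as an MT65XX machine. Consider backing the row with a detect() check in MachineMT6516 that also looks at the processor name WinCE reports.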
diff -Naur haret/src/memcmds.cpp haret-new/src/memcmds.cpp
--- haret/src/memcmds.cpp 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/src/memcmds.cpp 2011-03-02 12:39:37.785419504 +0200
@@ -241,11 +241,11 @@
TRY_EXCEPTION_HANDLER {
if (bitval)
{
- *(uint32*)vaddr |= (1 << bitnr - 1);
+ *(uint32*)vaddr |= ((1 << bitnr) - 1);
}
else
{
- *(uint32*)vaddr &= ~(1 << bitnr - 1);
+ *(uint32*)vaddr &= ~((1 << bitnr) - 1);
}
} CATCH_EXCEPTION_HANDLER {
Output(C_ERROR "EXCEPTION while writing bit %d at address %p",
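Review bot: The added parentheses in ((1 << bitnr) - 1) change behaviour instead of just silencing a precedence warning. The original 1 << bitnr - 1 parses as 1 << (bitnr - 1), a single bit, while the new expression is a mask of the low bitnr bits, so the set branch now sets and the clear branch now clears every bit below bitnr. To keep the existing single-bit semantics, write (1 << (bitnr - 1)) in both branches.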
diff -Naur haret/tools/buildmachs.py haret-new/tools/buildmachs.py
--- haret/tools/buildmachs.py 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/tools/buildmachs.py 2011-03-02 12:04:38.641418478 +0200
@@ -58,6 +58,7 @@
#include "arch-imx.h"
#include "arch-sa.h"
#include "arch-msm.h"
+#include "arch-arm.h"
#include "mach-types.h"
#include "script.h" // runMemScript
========================================================================
And here is the Haret log:
Code:
===== HaRET pre-0.5.3-20110302_124009 =====
Setting KMode to true.
Old KMode was 0
Finished initializing output
Loading dynamically bound functions
Function 'AllocPhysMem' in library 'coredll' at 0x3f62364
Function 'FreePhysMem' in library 'coredll' at 0x3f623d0
Function '[email protected]@[email protected]@[email protected]' in library 'gx' at 0x2023a38
Function '[email protected]@YAHXZ' in library 'gx' at 0x2023e78
Function '[email protected]@YAPAXXZ' in library 'gx' at 0x20232f4
Function '[email protected]@YAHXZ' in library 'gx' at 0x20233b8
Function 'LoadLibraryExW' in library 'coredll' at 0x3f6250c
Function 'NLedSetDevice' in library 'coredll' at 0x3f89b2c
Function 'GetSystemPowerStatusEx2' in library 'coredll' at 0x3f68e90
Function 'SleepTillTick' in library 'coredll' at 0x3f6242c
Function 'CreateToolhelp32Snapshot' in library 'toolhelp' at 0x262605c
Function 'CloseToolhelp32Snapshot' in library 'toolhelp' at 0x262607c
Function 'Process32First' in library 'toolhelp' at 0x2626148
Function 'Process32Next' in library 'toolhelp' at 0x26261b4
Function 'Module32First' in library 'toolhelp' at 0x2626348
Function 'Module32Next' in library 'toolhelp' at 0x26263b8
Function 'Heap32ListFirst' in library 'toolhelp' at 0x2626454
Function 'Heap32ListNext' in library 'toolhelp' at 0x26264dc
Function 'Heap32First' in library 'toolhelp' at 0x2626574
Function 'Heap32Next' in library 'toolhelp' at 0x2626628
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'clkregim'
Detecting current machine
Trying to detect machine (Plat='PocketPC' OEM='GIGABYTE gSmart')
Wince reports processor: core=MediaTek name=MT6516 cat= vend=MediaTek Inc
Looking at machine Alpine
Looking at machine Apache
Looking at machine AximX50
Looking at machine AximX5
Looking at machine Beetles
Looking at machine Blueangel
Looking at machine Himalaya
Looking at machine Magician
Looking at machine Universal
Looking at machine H1910
Looking at machine H1940
Looking at machine RX1950
Looking at machine H2200
Looking at machine H3600b
Looking at machine H3700
Looking at machine H3800
Looking at machine H3900
Looking at machine H4000
Looking at machine H4300
Looking at machine H5000
Looking at machine H6340
Looking at machine HX2000
Looking at machine HX4700
Looking at machine Sable
Looking at machine Wizard
Looking at machine Hermes
Looking at machine Trinity
Looking at machine Athena
Looking at machine G500
Looking at machine Artemis
Looking at machine Herald
Looking at machine Prophet
Looking at machine RX3000
Looking at machine Treo700wx
Looking at machine Treo850w
Looking at machine Treo850e
Looking at machine e310
Looking at machine e740
Looking at machine Acer_n30
Looking at machine Mio_P550
Looking at machine Kaiser
Looking at machine Loox5xx
Looking at machine Loox400
Looking at machine MioA701
Looking at machine Wallaby
Looking at machine Raphael
Looking at machine SGH_i900
Looking at machine Leo
Looking at machine Topaz
Looking at machine Rhodium
Looking at machine Jornada9xx0
Looking at machine Acer_S200
Looking at machine M800
Looking at machine X800
Looking at machine DX900
Looking at machine X900
Looking at machine M900
Looking at machine Cougar
Detecting ram size
WinCE reports memory size 100663296 (phys=77144064 store=130306048)
Mapping mmu table
Build L1 reverse map
Found 397 uncached and 397 cached L1 mappings (ignored 1).
Not registering command IGPIO
Not registering command WG|PIO
Not registering command GPLR
Not registering command GPDR
Not registering command GAFR
Not registering command GPIO
Not registering command GPIOST
Registering command LOADLIBRARYEX
Registering command NLEDSET
Not registering command TRACE
Not registering command TRACEMASK
Not registering command TRACE2
Not registering command TRACETYPE
Not registering command TRACE2TYPE
Not registering command TRACEFORWATCH
Not registering command INSN
Not registering command INSNREENABLE
Not registering command INSNREG1
Not registering command INSNREG2
Not registering command INSN2
Not registering command INSN2REENABLE
Not registering command INSN2REG1
Not registering command INSN2REG2
Registering command KILL
Registering command PS
Registering command LSMOD
Registering command ADDR2MOD
Not registering command AC97
Not registering command ATIDBG
Not registering command EIM
Not registering command GPIO
Not registering command WB|ANK
Not registering command GPLR
Not registering command GPDR
Not registering command GPPUD
Not registering command GPSDR
Not registering command GPSPUD
Not registering command GPIOS
Not registering command GPIOSOUT
Not registering command GPIOST
Not registering command MSMCLKKHZ
Initializing for machine 'Cougar'
HaRET(1)# Welcome, this is HaRET pre-0.5.3-20110302_124009 running on WindowsCE v5.2
Minimal virtual address: 0x10000, maximal virtual address: 0x7fffffff
Detected machine Cougar/MT65XX (Plat='PocketPC' OEM='GIGABYTE gSmart')
CPU is ARM ARM arch 5TEJ stepping 5 running in system mode
Enter 'HELP' for a short command summary.
Running WSAStartup
Starting gui
In initdialog
Found machine Cougar
executing startup.txt
HaRET(1)# set RAMSIZE 0x08000000
HaRET(2)# set RAMADDR 0x08000000
HaRET(3)# set MTYPE 2754
HaRET(4)# set FBDURINGBOOT 0
HaRET(5)# set KERNEL zImage
HaRET(6)# set INITRD initrd.gz
HaRET(7)# set CMDLINE "debug rootdelay=10 root=/dev/ram0 console=tty0 mem=128M ppp.nostart=0 lcd.density=120 pm.sleep_mode=0 no_console_suspend"
HaRET(10)# print "Some basic info about your PDA:"
Some basic info about your PDA:
HaRET(11)# print "Processor Mach Type is %d" MTYPE
Processor Mach Type is 2754
HaRET(12)# print "MMU L1 descriptor table address is %08x" MMU
MMU L1 descriptor table address is 02650000
HaRET(13)# print "Video RAM address is %08x" VRAM
Video RAM address is 0174b000
HaRET(14)# print "Current Process ID is %d" PID
Current Process ID is 22
HaRET(18)# boot
boot KERNEL=zImage INITRD=initrd.gz
Opening file zImage
Opening file initrd.gz
boot params: RAMADDR=08000000 RAMSIZE=08000000 MTYPE=2754 CMDLINE='debug rootdelay=10 root=/dev/ram0 console=tty0 mem=128M ppp.nostart=0 lcd.density=120 pm.sleep_mode=0 no_console_suspend'
Boot FB feedback: 0
Built virtual to physical page mapping
Allocated 1109 pages (tags=0x54500000/0567d000 kernel=0x54501000/0567c000 initrd=0x54825000/05963000 index=0x54950000/05a8e000)
Built kernel tags area
Built page index
Tags will be at offset 0x00000100 (0xf00)
Kernel will be at offset 0x00008000 (0x323a48)
Initrd will be at offset 0x00508000 (0x12a606)
[email protected]/05a92000 sj=0x54954278 stack=0x54952000/05a90000 data=0x54953000/05a91000 exec=05a923b8
Reading 3291720 bytes...
Read complete
Reading 1222150 bytes...
Read complete
Launching to physical address 05a92288
Trampoline setup ([email protected]/2c02b994/02ccc994)
MMU setup: mmu=0xa6650000/02650000
Go Go Go...
So is your Gsmart S1205 working properly?
MrXLR8 said:
So is your Gsmart S1205 working properly?
Like I said, "but still it freezes". When it works I will write it in bold. I put the data here for other people to see and maybe help me in getting the needed data to build Haret for the GSmart S1205 / MT6516/MTK6516 processor, the last Android Kernel (or at least the last Linux Kernel has drivers for this processor), but I need the GPIO table and specific IRQs.
So? Got anything working? It's been like a month.
No, because the Android kernel source code for the MT6516 processor is only in China, and I haven't found anyone that would share it (they don't care about the license of the kernel); I only found a compiled kernel. I'm trying to create source code from the processor's datasheet (more than 1500 pages) and from assembler code found in the compiled kernel. So, it will take a long, long time. Maybe it isn't worth running Android on this type of processor, who knows....
I managed to extract the make config of the kernel compilation and initramfs.cpio
Can I help you with something, or can you leave your email or Skype?
s1205 Android
Hello. I, too, was unable to run it on the s1205. If you can, please let me know about your successes. Thanks in advance.
I don't suppose you could point me in the direction of a copy of the datasheet? I'm trying to make some changes on a different MT6516-based device, and I reckon a look at that datasheet could help somewhat. But the only copies I've found are on chinese forums that require some kind of virtual currency to download...
jh3141 said:
I don't suppose you could point me in the direction of a copy of the datasheet? I'm trying to make some changes on a different MT6516-based device, and I reckon a look at that datasheet could help somewhat. But the only copies I've found are on chinese forums that require some kind of virtual currency to download...
If you need just datasheet, I've found some docs. Can send you if you need.
how about rom extraction
Hi guys, how about figuring out how to extract the flash.bin for the Gsmart S1205? Anyone?
http://forum.xda-developers.com/showthread.php?t=708746
I don't know if this can help you, but I found a PDA with an MT6516 processor, and it has Android. The link to the firmware/driver: ht*tp://ww*w.vkam*obi.com/a5000_refresh.rar (remove the *)
neocska said:
I don't know if this can help you, but I found a PDA with an MT6516 processor, and it has Android. The link to the firmware/driver: ht*tp://ww*w.vkam*obi.com/a5000_refresh.rar (remove the *)
Hello. I, too have s1205 but not unable to run. If you can please let know about your successes. Thanks in advance.
Rom extraction - only from spec cable:
1. Pinout special contacts under accu:
From left to right: 1- Gnd, 2- Tx, 3-Rx, next symmetric 4 - Rx, 5 - Tx, 6 - Gnd
Connect s1205 with Serial->USB to comp.
2. Flasher:
h..p://4pda.ru/forum/dl/post/1011438/SP_Flash_Tool_v1.1110.00_new_mcp.7z
3. run flasher
2. go to tab "Read back"
3. remove all task button "remove"
4. press button "Add"
5. 2 Click on stroke - select where save dump, press "save", in textbox "Length" - write 0x10000000
6. On tab "baudrate" select speed (std 115200 b/s, can 460?)
7. See in comp manag number of com port of cable and write this number in number port in flasher.
8. Press "Read back" and get rom(1) file without ext.
Do not start the memory test in the flasher!!! It will destroy your s1205.
I have a Nexus 4 and a Nexus 7 (both are 4.3), and I noticed all apps resolve DNS as root (uid 0).
I want to ask: why, on Android, do all apps resolve DNS as root?
When I block DNS connections as root, all apps cannot resolve DNS.
(iptables -I OUTPUT -p udp --dport 53 -m owner --uid-owner 0 -j DROP)
I also noticed my Nexus 7 resolves DNS as root; if the connection is blocked, then the apps will not resolve DNS.
But my Nexus 4 resolves DNS as root first; if that is blocked, then apps resolve DNS under the app's ID.
Why is that?
Does anyone else have this problem?
Both the N4 and N7 are running stock Android 4.3 (downloaded from Google).
Thanks.
I can confirm that something very strange is going on in Android 4.3. I'm running the Slimrom mod and the same thing is true for me: all DNS requests are done as root. But to make things even stranger, the DNS props are set but not used; it seems like something is really broken within bionic that makes it impossible to change DNS servers on the fly.
Mine is running the Android stock ROM on both, downloaded from Google.
I still don't understand why that is.
Thanks.
Sent from my Nexus 4 using xda app-developers app
Browsing through the AOSP sources, I noticed that Android 4.3 incorporated a somewhat confusing series of commits under the heading of "dns cache per interface," which effectively causes all Bionic DNS requests to be proxied through netd. This commit is the most important element.
Here is the old implementation from Android 4.2.2:
Code:
static struct hostent *
gethostbyname_internal(const char *name, int af, res_state res)
{
    const char *cp;
    char *bp, *ep;
    int size;
    struct hostent *hp;
    struct resolv_cache* cache;
    res_static rs = __res_get_static();
    static const ns_dtab dtab[] = {
        NS_FILES_CB(_gethtbyname, NULL)
        { NSSRC_DNS, _dns_gethtbyname, NULL }, /* force -DHESIOD */
        { 0, 0, 0 }
    };
    assert(name != NULL);
    switch (af) {
    case AF_INET:
        size = INADDRSZ;
        break;
    case AF_INET6:
        size = IN6ADDRSZ;
        break;
    default:
        h_errno = NETDB_INTERNAL;
        errno = EAFNOSUPPORT;
        return NULL;
    }
    rs->host.h_addrtype = af;
    rs->host.h_length = size;
    [...]
    h_errno = NETDB_INTERNAL;
    if (nsdispatch(&hp, dtab, NSDB_HOSTS, "gethostbyname",
            default_dns_files, name, strlen(name), af) != NS_SUCCESS) {
        return NULL;
    }
    h_errno = NETDB_SUCCESS;
    return hp;
Note the use of the libc resolver. The library is issuing the DNS requests directly.
By contrast, here is the new Android 4.3 implementation:
Code:
// very similar in proxy-ness to android_getaddrinfo_proxy
static struct hostent *
gethostbyname_internal(const char *name, int af, res_state res, const char *iface)
{
    const char *cache_mode = getenv("ANDROID_DNS_MODE");
    FILE* proxy = NULL;
    struct hostent *result = NULL;
    if (cache_mode != NULL && strcmp(cache_mode, "local") == 0) {
        res_setiface(res, iface);
        return gethostbyname_internal_real(name, af, res);
    }
    proxy = android_open_proxy();
    if (proxy == NULL) goto exit;
    /* This is writing to system/netd/DnsProxyListener.cpp and changes
     * here need to be matched there */
    if (fprintf(proxy, "gethostbyname %s %s %d",
            iface == NULL ? "^" : iface,
            name == NULL ? "^" : name,
            af) < 0) {
        goto exit;
    }
    if (fputc(0, proxy) == EOF || fflush(proxy) != 0) {
        goto exit;
    }
    result = android_read_hostent(proxy);
So by default, Android 4.3 will proxy the requests through netd (owned by UID 0). This can be verified by setting DBG to 1 in system/netd/DnsProxyListener.cpp, then watching logcat:
Code:
D/DnsProxyListener( 146): argv[0]=getaddrinfo
D/DnsProxyListener( 146): argv[1]=omg.yahoo.com
D/DnsProxyListener( 146): argv[2]=^
D/DnsProxyListener( 146): argv[3]=1024
D/DnsProxyListener( 146): argv[4]=0
D/DnsProxyListener( 146): argv[5]=1
D/DnsProxyListener( 146): argv[6]=0
D/DnsProxyListener( 146): argv[7]=^
D/DnsProxyListener( 146): GetAddrInfoHandler for omg.yahoo.com / [nullservice] / [nulliface] / 1489
D/DnsProxyListener( 146): GetAddrInfoHandler, now for omg.yahoo.com / (null) / (null)
D/DnsProxyListener( 146): argv[0]=getaddrinfo
D/DnsProxyListener( 146): argv[1]=l1.yimg.com
D/DnsProxyListener( 146): argv[2]=^
D/DnsProxyListener( 146): argv[3]=1024
D/DnsProxyListener( 146): argv[4]=0
D/DnsProxyListener( 146): argv[5]=1
D/DnsProxyListener( 146): argv[6]=0
D/DnsProxyListener( 146): argv[7]=^
D/DnsProxyListener( 146): GetAddrInfoHandler for l1.yimg.com / [nullservice] / [nulliface] / 1489
D/DnsProxyListener( 146): GetAddrInfoHandler, now for l1.yimg.com / (null) / (null)
As seen in the Android 4.3 code snippet, it is possible to temporarily revert to the old behavior by setting ANDROID_DNS_MODE to "local", causing Bionic to send the request through gethostbyname_internal_real(), the old implementation. On this system, the shell user is blocked from sending network traffic via netfilter, but the root user (which owns netd) has full network access:
Code:
[email protected]:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
[email protected]:/ $ ANDROID_DNS_MODE= telnet google.com 80
telnet: can't connect to remote host (74.125.227.135): Connection refused
1|[email protected]:/ $ ANDROID_DNS_MODE=local telnet google.com 80
telnet: bad address 'google.com'
1|[email protected]:/ $
In the former case (proxied request), the application was able to look up the hostname via netd, but could not send data traffic. In the latter case (direct request), the application was not able to look up the hostname at all.
It is possible to change the systemwide default by making a tweak to system/core/rootdir/init.rc and rebuilding your kernel image:
Code:
diff --git a/rootdir/init.rc b/rootdir/init.rc
index b6d7335..d0efc46 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -47,6 +47,7 @@ loglevel 3
export ANDROID_ASSETS /system/app
export ANDROID_DATA /data
export ANDROID_STORAGE /storage
+ export ANDROID_DNS_MODE local
export ASEC_MOUNTPOINT /mnt/asec
export LOOP_MOUNTPOINT /mnt/obb
export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar
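Review bot: "export ANDROID_DNS_MODE local" is added to the global export block next to ANDROID_DATA and ANDROID_STORAGE, so it switches every process started from init to direct resolution rather than only the apps that need it. The change should say so in a comment and state what else has to be in place for direct lookups to work, since nothing in this hunk configures the resolver itself.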
Maybe there is a better way to patch existing ROMs in place.
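An added example, not part of the post or of AOSP: since every proxied query leaves the device under netd's UID 0, the DnsProxyListener debug lines shown above are where the requested hostnames can be audited, and this parser regroups the argv[n] lines into requests. The getaddrinfo field positions (name, service, iface) are read off the handler line in the excerpt, the gethostbyname order (iface, name, af) off the fprintf() in the 4.3 snippet, and the last six sample lines are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# First 20 lines: the logcat excerpt from the post. Last 6 lines: constructed
# for this example (a cut-off getaddrinfo group, then a gethostbyname request
# in the "iface name af" order written by the 4.3 fprintf()).
SAMPLE_LOG = """\
D/DnsProxyListener( 146): argv[0]=getaddrinfo
D/DnsProxyListener( 146): argv[1]=omg.yahoo.com
D/DnsProxyListener( 146): argv[2]=^
D/DnsProxyListener( 146): argv[3]=1024
D/DnsProxyListener( 146): argv[4]=0
D/DnsProxyListener( 146): argv[5]=1
D/DnsProxyListener( 146): argv[6]=0
D/DnsProxyListener( 146): argv[7]=^
D/DnsProxyListener( 146): GetAddrInfoHandler for omg.yahoo.com / [nullservice] / [nulliface] / 1489
D/DnsProxyListener( 146): GetAddrInfoHandler, now for omg.yahoo.com / (null) / (null)
D/DnsProxyListener( 146): argv[0]=getaddrinfo
D/DnsProxyListener( 146): argv[1]=l1.yimg.com
D/DnsProxyListener( 146): argv[2]=^
D/DnsProxyListener( 146): argv[3]=1024
D/DnsProxyListener( 146): argv[4]=0
D/DnsProxyListener( 146): argv[5]=1
D/DnsProxyListener( 146): argv[6]=0
D/DnsProxyListener( 146): argv[7]=^
D/DnsProxyListener( 146): GetAddrInfoHandler for l1.yimg.com / [nullservice] / [nulliface] / 1489
D/DnsProxyListener( 146): GetAddrInfoHandler, now for l1.yimg.com / (null) / (null)
D/DnsProxyListener( 146): argv[0]=getaddrinfo
D/DnsProxyListener( 146): argv[1]=truncated.example
D/DnsProxyListener( 146): argv[0]=gethostbyname
D/DnsProxyListener( 146): argv[1]=^
D/DnsProxyListener( 146): argv[2]=example.org
D/DnsProxyListener( 146): argv[3]=2
"""

LINE_RE = re.compile(r"^[A-Z]/DnsProxyListener\(\s*(\d+)\):\s(.*)$")
ARGV_RE = re.compile(r"^argv\[(\d+)\]=(.*)$")


@dataclass
class DnsRequest:
    listener_pid: int        # pid in the logcat tag, i.e. the netd process
    command: str
    name: Optional[str]
    service: Optional[str]
    iface: Optional[str]
    argv: List[str]          # raw fields, kept for the positions not decoded


def _field(value: str) -> Optional[str]:
    """The client writes "^" where the C caller passed NULL."""
    return None if value == "^" else value


def _decode(pid: int, argv: List[str]) -> Optional[DnsRequest]:
    if argv[0] == "getaddrinfo" and len(argv) == 8:
        return DnsRequest(pid, argv[0], _field(argv[1]), _field(argv[2]),
                          _field(argv[7]), argv)
    if argv[0] == "gethostbyname" and len(argv) == 4:
        return DnsRequest(pid, argv[0], _field(argv[2]), None,
                          _field(argv[1]), argv)
    return None  # unknown command or wrong field count


def parse_requests(lines: Iterable[str]) -> Tuple[List[DnsRequest], int]:
    """Return (requests, dropped); dropped counts groups/lines not decodable."""
    requests: List[DnsRequest] = []
    dropped = 0
    pending: Dict[int, List[str]] = {}   # listener pid -> argv collected so far

    def flush(pid: int) -> None:
        nonlocal dropped
        argv = pending.pop(pid, None)
        if argv is None:
            return
        req = _decode(pid, argv)
        if req is None:
            dropped += 1
        else:
            requests.append(req)

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # other tags, blank lines
        pid, msg = int(m.group(1)), m.group(2)
        a = ARGV_RE.match(msg)
        if not a:
            flush(pid)                    # handler line closes the group
            continue
        idx, value = int(a.group(1)), a.group(2)
        if idx == 0:
            flush(pid)                    # new request starts
            pending[pid] = [value]
        elif pid in pending and idx == len(pending[pid]):
            pending[pid].append(value)
        else:                             # gap or orphaned field
            pending.pop(pid, None)
            dropped += 1
    for pid in list(pending):
        flush(pid)
    return requests, dropped


def names_seen(requests: Iterable[DnsRequest]) -> Counter:
    """Count how often each hostname was requested through the proxy."""
    return Counter(r.name for r in requests if r.name is not None)


if __name__ == "__main__":
    reqs, dropped = parse_requests(SAMPLE_LOG.splitlines())
    for r in reqs:
        print(r.command, r.name, r.iface)
    print("dropped:", dropped)
```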
So, is there any easy way to deny some apps the ability to resolve DNS?
How do apps connect to netd to resolve DNS? Unix socket? Or inet socket?
OK, what I want to do is have some apps connect through the Tor network and prevent DNS leaks.
Thanks.
OK, I found it in android_open_proxy().
It looks like it uses the unix socket "/dev/socket/dnsproxyd".
So I cannot use iptables to deny some apps from connecting to dnsproxy, right?
Any idea how to prevent some apps/UIDs (but not all) from connecting to dnsproxy?
Thank you.
I tried export ANDROID_DNS_MODE=local
but it makes no difference on my Nexus 4
(my Nexus 4 uses the Android stock ROM 4.3, downloaded from Google)
[email protected]:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
[email protected]:/ $ telnet google.com
telnet: bad address 'google.com'
1|[email protected]:/ $ set |grep -i dns
1|[email protected]:/ $ export ANDROID_DNS_MODE=local
[email protected]:/ $ set |grep -i dns
ANDROID_DNS_MODE=local
_='ANDROID_DNS_MODE=local'
[email protected]:/ $ telnet google.com
telnet: bad address 'google.com'
Any idea why that is?
Thank you.
johnw.xda said:
I tried export ANDROID_DNS_MODE=local
but it makes no difference on my Nexus 4
(my Nexus 4 uses the Android stock ROM 4.3, downloaded from Google)
[email protected]:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
[email protected]:/ $ telnet google.com
telnet: bad address 'google.com'
1|[email protected]:/ $ set |grep -i dns
1|[email protected]:/ $ export ANDROID_DNS_MODE=local
[email protected]:/ $ set |grep -i dns
ANDROID_DNS_MODE=local
_='ANDROID_DNS_MODE=local'
[email protected]:/ $ telnet google.com
telnet: bad address 'google.com'
Any idea why that is?
Thank you.
Hmm, it looks like this change removed the logic that populates the nameserver list from the system properties. So with ANDROID_DNS_MODE=local, libc will search /system/etc/hosts but it won't actually be able to contact any nameservers:
Code:
[email protected] / $ ANDROID_DNS_MODE=local RES_OPTIONS=debug ping -c1 localhost
;; res_setoptions("debug", "env")..
;; debug
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=1.85 ms
--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.852/1.852/1.852/0.000 ms
[email protected] / $ ANDROID_DNS_MODE=local RES_OPTIONS=debug ping -c1 google.com
;; res_setoptions("debug", "env")..
;; debug
;; res_nquerydomain(google.com, <Nil>, 1, 1)
;; res_query(google.com, 1, 1)
;; res_nmkquery(QUERY, google.com, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28372
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; google.com, type = A, class = IN
;; res_query: send error
;; res_nquerydomain(google.com, , 1, 1)
;; res_query(google.com., 1, 1)
;; res_nmkquery(QUERY, google.com., IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41613
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; google.com, type = A, class = IN
;; res_query: send error
ping: unknown host google.com
[email protected] / $
There's some code in _resolv_set_nameservers_for_iface() that might help, but I don't think this gets run from ordinary command-line utilities.
Any idea how to prevent some apps/UIDs (but not all) from connecting to dnsproxy?
You could try applying filesystem ACLs or SELinux rules to /dev/socket/dnsproxyd
Compiling setfacl with Bionic is a hassle, but you could boot e.g. a Debian ARM image in QEMU and build a binary that is statically linked with glibc. You might also need to build a kernel with CONFIG_TMPFS_POSIX_ACL=y; this setting is currently disabled on the CM10.2 grouper builds.
Other possibilities include:
Modify Bionic to reinstate the old nameserver list behavior, and modify /init.rc as above
Modify netd; you could try calling setresuid() to send out each request under the UID of the client instead of UID 0
Write a daemon that intercepts DNS requests intended for netd; this could use a modified version of the netd DnsProxy logic or it could pass the request through to the real netd
Sorry, I forgot to mention before: maybe the reason is that my busybox/telnet was compiled on Debian using glibc with the -static flag, so telnet/busybox does not use Android's libc, and does not use dnsproxy either.
Anyway, is it possible to compile my own libc for Android? Where can I download the Android 4.3 libc source code? Do I need to set up the NDK to compile it, or can I use gcc to compile it?
Did you do that before?
Thank you again.
I'm using pppwidget to access the network and I think it is affected by these DNS issues. As a specific way to get network, it is not aware of all this new stuff and is thus unable to resolve DNS queries.
johnw.xda said:
Sorry, I forgot to mention before: maybe the reason is that my busybox/telnet was compiled on Debian using glibc with the -static flag, so telnet/busybox does not use Android's libc, and does not use dnsproxy either.
Anyway, is it possible to compile my own libc for Android? Where can I download the Android 4.3 libc source code? Do I need to set up the NDK to compile it, or can I use gcc to compile it?
Did you do that before?
Thank you again.
johnw.xda said:
Anyway, is it possible to compile my own libc for Android? Where can I download the Android 4.3 libc source code? Do I need to set up the NDK to compile it, or can I use gcc to compile it?
Did you do that before?
I've been building my Android 4.3 ROMs from the CM10.2 sources.
You can try building from AOSP directly (instructions here). CM builds aren't difficult, but they did require a few extra steps.
I'm not aware of a way to build Bionic standalone. Trying the obvious stuff like running "ndk-build" in that directory, or using crosstool-ng, didn't work for me. Others can jump in if they know...
cernekee said:
Hmm, it looks like this change removed the logic that populates the nameserver list from the system properties. So with ANDROID_DNS_MODE=local, libc will search /system/etc/hosts but it won't actually be able to contact any nameservers:
Code:
[email protected] / $ ANDROID_DNS_MODE=local RES_OPTIONS=debug ping -c1 localhost
;; res_setoptions("debug", "env")..
;; debug
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=1.85 ms
--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.852/1.852/1.852/0.000 ms
[email protected] / $ ANDROID_DNS_MODE=local RES_OPTIONS=debug ping -c1 google.com
;; res_setoptions("debug", "env")..
;; debug
;; res_nquerydomain(google.com, <Nil>, 1, 1)
;; res_query(google.com, 1, 1)
;; res_nmkquery(QUERY, google.com, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28372
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; google.com, type = A, class = IN
;; res_query: send error
;; res_nquerydomain(google.com, , 1, 1)
;; res_query(google.com., 1, 1)
;; res_nmkquery(QUERY, google.com., IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41613
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; google.com, type = A, class = IN
;; res_query: send error
ping: unknown host google.com
[email protected] / $
There's some code in _resolv_set_nameservers_for_iface() that might help, but I don't think this gets run from ordinary command-line utilities.
You could try applying filesystem ACLs or SELinux rules to /dev/socket/dnsproxyd
Compiling setfacl with Bionic is a hassle, but you could boot e.g. a Debian ARM image in QEMU and build a binary that is statically linked with glibc. You might also need to build a kernel with CONFIG_TMPFS_POSIX_ACL=y; this setting is currently disabled on the CM10.2 grouper builds.
Other possibilities include:
Modify Bionic to reinstate the old nameserver list behavior, and modify /init.rc as above
Modify netd; you could try calling setresuid() to send out each request under the UID of the client instead of UID 0
Write a daemon that intercepts DNS requests intended for netd; this could use a modified version of the netd DnsProxy logic or it could pass the request through to the real netd
Hi,
Thanks for this analysis.
It certainly does look like 4.3 is ignoring net.dns1 value as the nameserver.
I'm running my custom dns server inside Android and now I suddenly find that it's not being queried.
I may have a small step towards solving this problem.
iptables -t nat -I OUTPUT -p udp -d 192.168.1.1 --dport 53 -j DNAT --to-destination 192.168.1.5:53
iptables -t nat -I OUTPUT -p tcp -d 192.168.1.1 --dport 53 -j DNAT --to-destination 192.168.1.5:53
This works by intercepting the DNS requests meant for the remote nameserver and redirecting them to the local DNS server.
Hope this helps someone figure it out.
There may be a way to programmatically change the active interface DNS server?
Or a way to perhaps disable the DNS proxy completely (ANDROID_DNS_MODE=local doesn't work any more as mentioned)?
cernekee said:
Write a daemon that intercepts DNS requests intended for netd; this could use a modified version of the netd DnsProxy logic or it could pass the request through to the real netd
This is what I wound up doing: I copied the DnsProxyListener and Bionic resolver code into an experimental new program called "dnsproxy2", and then tweaked the logic a little bit. Sources are posted here and I'm attaching binaries to this message.
Currently it allows you to pass in a single DNS server address which will unconditionally override the OS-provided DNS servers, and when it proxies requests on behalf of an application it will change the thread's UID (Linux fsuid) to match the caller so that the traditional netfilter app/UID restrictions will be honored.
To see it in action, just do:
Code:
adb push libs/armeabi-v7a/dnsproxy2 /data/local/tmp
adb shell "su -c '/data/local/tmp/dnsproxy2 -v 8.8.8.8'"
The "-v" flag will show the DNS requests on the console.
This was tested with CM10.2. Note that Firefox appears to bypass the DNS proxy.
If this proves useful it may be worth writing a GUI installer/settings app. Another possible improvement would be to allow selectively overriding the DNS server based on the active connection.
cernekee said:
This is what I wound up doing: I copied the DnsProxyListener and Bionic resolver code into an experimental new program called "dnsproxy2", and then tweaked the logic a little bit. Sources are posted here and I'm attaching binaries to this message.
Currently it allows you to pass in a single DNS server address which will unconditionally override the OS-provided DNS servers, and when it proxies requests on behalf of an application it will change the thread's UID (Linux fsuid) to match the caller so that the traditional netfilter app/UID restrictions will be honored.
To see it in action, just do:
Code:
adb push libs/armeabi-v7a/dnsproxy2 /data/local/tmp
adb shell "su -c '/data/local/tmp/dnsproxy2 -v 8.8.8.8'"
The "-v" flag will show the DNS requests on the console.
This was tested with CM10.2. Note that Firefox appears to bypass the DNS proxy.
If this proves useful it may be worth writing a GUI installer/settings app. Another possible improvement would be to allow selectively overriding the DNS server based on the active connection.
Is this method still going strong? At this moment there is no app on the market that can change DNS (mobile data access).
hardKNOXbz said:
Is this method still going strong? At this moment there is no app on the market that can change DNS (mobile data access).
I'd suggest reading the last few pages of the CrossBreeder thread. I don't think dnsproxy2 is in the official release yet but a number of people have been experimenting with it and posting their results.
cernekee said:
I'd suggest reading the last few pages of the CrossBreeder thread. I don't think dnsproxy2 is in the official release yet but a number of people have been experimenting with it and posting their results.
Thank you, I'll do that.
I have created a bug for AOSP regarding broken ANDROID_DNS_MODE=local behavior:
https://code.google.com/p/android/issues/detail?id=75232
Please try this to connect through VPN.
This is not my work; I just took it from CM11 and put it in a stock ROM, and it works.
sshtunnel_support.zip
https://docs.google.com/file/d/0BzL6ekv_OuX2cE9uY3pfYzNmdWs/edit?usp=docslist_api
Hi and first thank you for reading my question!
I have a device, which gives me an output of essentially just a RS232 serial signal (1200 baud, 8 databits, no parity bits, one stop bit). This output comes in to my android phone via the 3.5mm audio jack.
I want to store every data bit into a variable, display or calculate something and when the next bits come in, it should override the variable.
I know exactly what to do with it after I have the data bits in variables, but I have no idea how to do the basic input / stream / read from audio jack thing...
More information about my signal: the payload is transmitted in 9-byte packets:
Code:
1: command byte as ASCII character ('I','A','S','L','R','C' or ' ')
2-6: time in ASCII chars (2:34:56)
7: checksum (64 + sum of time digits)
8: CR (carriage return, ASCII code 0x0D)
9: LF (line feed, ASCII code 0x0A)
I also think I have to store the input into a buffer and then read the signals from the buffer... But how do I write serial input from audio jack into a buffer?
Maybe something like this will work:
Code:
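import android.media.AudioFormat;
import android.media.AudioManager;
import android.media.AudioRecord;
import android.media.AudioTrack;
import android.media.MediaRecorder.AudioSource;
import android.util.Log;

// Wrapper class and field declarations added so the snippet compiles;
// the class name and buffer sizes are placeholders.
// Requires the RECORD_AUDIO permission.
public class AudioLoop implements Runnable
{
    // 1200 is the serial line's baud rate, not an audio sample rate. Use one
    // real sample rate for the buffer-size query, the recorder and the track.
    private static final int SAMPLE_RATE = 8000;

    private AudioRecord recorder;
    private AudioTrack track;
    private volatile boolean stopped = false;
    private final short[][] buffers = new short[256][160];
    private int ix = 0;

    @Override
    public void run()
    {
        try
        {
            int N = AudioRecord.getMinBufferSize(SAMPLE_RATE, AudioFormat.CHANNEL_IN_MONO, AudioFormat.ENCODING_PCM_16BIT);
            recorder = new AudioRecord(AudioSource.MIC, SAMPLE_RATE, AudioFormat.CHANNEL_IN_MONO, AudioFormat.ENCODING_PCM_16BIT, N*10);
            track = new AudioTrack(AudioManager.STREAM_MUSIC, SAMPLE_RATE,
                    AudioFormat.CHANNEL_OUT_MONO, AudioFormat.ENCODING_PCM_16BIT, N*10, AudioTrack.MODE_STREAM);
            recorder.startRecording();
            track.play();
            /*
             * Loops until something outside of this thread stops it.
             * Reads the data from the recorder and writes it to the audio track for playback.
             */
            while(!stopped)
            {
                Log.i("Map", "Writing new data to buffer");
                short[] buffer = buffers[ix++ % buffers.length];
                N = recorder.read(buffer, 0, buffer.length);
                // Write only the samples that were actually read
                if (N > 0) track.write(buffer, 0, N);
            }
        }
        catch(Throwable x)
        {
            Log.w("Audio", "Error reading voice audio", x);
        }
        /*
         * Frees the thread's resources after the loop completes so that it can be run again
         */
        finally
        {
            // Either object may be null if its constructor threw
            if (recorder != null) { recorder.stop(); recorder.release(); }
            if (track != null) { track.stop(); track.release(); }
        }
    }
}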
Please help me, thank you!
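Once bytes have been recovered from the audio samples, the 9-byte packet described above can be validated as follows. This is an added C example, not part of the original post; it assumes bytes 2-6 carry five ASCII digits (blank-padded), since the layout gives five bytes for the time, and all names are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#define PKT_LEN 9

struct timing_pkt {
    char cmd;       /* 'I','A','S','L','R','C' or ' ' */
    char time[6];   /* bytes 2-6 as received, NUL-terminated */
};

/* Constructed sample: 2 noise bytes, a good packet, a packet with a bad
 * checksum, a good packet, then the first 2 bytes of an unfinished one. */
static const unsigned char SAMPLE_STREAM[] = {
    0xFF, 0x00,
    'S','1','2','3','4','5','O','\r','\n',   /* 64+1+2+3+4+5 = 79 = 'O' */
    'A','1','2','3','4','5','X','\r','\n',   /* checksum should be 'O' */
    'I','0','0','0','0','7','G','\r','\n',   /* 64+7 = 71 = 'G' */
    'S','1'
};

/* Validate one 9-byte window. Returns 0 and fills *out only if every field checks. */
int parse_packet(const unsigned char *p, struct timing_pkt *out)
{
    unsigned sum = 64;
    if (p[7] != 0x0D || p[8] != 0x0A) return -1;            /* CR LF terminator */
    if (p[0] == 0 || !strchr("IASLRC ", p[0])) return -1;   /* known command byte */
    for (int i = 1; i <= 5; i++) {
        if (p[i] >= '0' && p[i] <= '9') sum += p[i] - '0';
        else if (p[i] != ' ') return -1;   /* assumption: digits, blank-padded */
    }
    if (p[6] != sum) return -1;                              /* 64 + digit sum */
    out->cmd = (char)p[0];
    memcpy(out->time, p + 1, 5);
    out->time[5] = '\0';
    return 0;
}

/* Slide over a receive buffer: accept valid packets, skip one byte on any
 * failure to resynchronise. *last holds the newest valid packet; *consumed
 * is how many bytes may be dropped (the tail may be an incomplete packet). */
size_t scan_stream(const unsigned char *buf, size_t len, struct timing_pkt *last, size_t *consumed)
{
    size_t i = 0, good = 0;
    while (len - i >= PKT_LEN) {
        if (parse_packet(buf + i, last) == 0) { good++; i += PKT_LEN; }
        else i++;
    }
    *consumed = i;
    return good;
}
```

Keeping the unconsumed tail and prepending it to the next read lets a packet that straddles two audio buffers still be recognised.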