resolve dns as root (uid 0) ? - Android Q&A, Help & Troubleshooting

I have a Nexus 4 and a Nexus 7 (both on 4.3), and I noticed that all apps resolve DNS as root (uid 0).
I want to know/ask why, on Android, all apps resolve DNS as root.
If I block DNS connections as root, then no app can resolve DNS.
(iptables -I OUTPUT -p udp --dport 53 -m owner --uid-owner 0 -j DROP)
I also noticed that my Nexus 7 will resolve DNS as root, and if that connection is blocked, the apps will not resolve DNS at all.
But my Nexus 4 will resolve DNS as root first, and if that is blocked, the apps will resolve DNS under their own app UID.
Why is that?
Does anyone else have this problem?
Both N4/N7 are running stock Android 4.3 (downloaded from Google).
Thanks.

I can confirm that something very strange is going on in Android 4.3. I'm running the Slimrom mod and the same thing is true for me: all DNS requests are done as root. But to make things even stranger, the DNS props are set but not used; it seems like something is really broken within Bionic that makes it impossible to change DNS servers on the fly.

Mine are running the stock Android ROM on both, downloaded from Google.
I still don't understand why that is.
Thanks.
Sent from my Nexus 4 using xda app-developers app

Browsing through the AOSP sources, I noticed that Android 4.3 incorporated a somewhat confusing series of commits under the heading of "dns cache per interface," which effectively causes all Bionic DNS requests to be proxied through netd. This commit is the most important element.
Here is the old implementation from Android 4.2.2:
Code:
static struct hostent *
gethostbyname_internal(const char *name, int af, res_state res)
{
    const char *cp;
    char *bp, *ep;
    int size;
    struct hostent *hp;
    struct resolv_cache* cache;
    res_static rs = __res_get_static();   /* <-- highlighted in the original post */
    static const ns_dtab dtab[] = {
        NS_FILES_CB(_gethtbyname, NULL)
        { NSSRC_DNS, _dns_gethtbyname, NULL },  /* force -DHESIOD */
        { 0, 0, 0 }
    };

    assert(name != NULL);

    switch (af) {
    case AF_INET:
        size = INADDRSZ;
        break;
    case AF_INET6:
        size = IN6ADDRSZ;
        break;
    default:
        h_errno = NETDB_INTERNAL;
        errno = EAFNOSUPPORT;
        return NULL;
    }
    rs->host.h_addrtype = af;
    rs->host.h_length = size;
    [...]
    h_errno = NETDB_INTERNAL;
    if (nsdispatch(&hp, dtab, NSDB_HOSTS, "gethostbyname",
        default_dns_files, name, strlen(name), af) != NS_SUCCESS) {
        return NULL;
    }
    h_errno = NETDB_SUCCESS;
    return hp;
Note the use of the libc resolver. The library is issuing the DNS requests directly.
By contrast, here is the new Android 4.3 implementation:
Code:
// very similar in proxy-ness to android_getaddrinfo_proxy
static struct hostent *
gethostbyname_internal(const char *name, int af, res_state res, const char *iface)
{
    const char *cache_mode = getenv("ANDROID_DNS_MODE");   // <-- highlighted in the original post
    FILE* proxy = NULL;
    struct hostent *result = NULL;

    if (cache_mode != NULL && strcmp(cache_mode, "local") == 0) {   // <-- highlighted in the original post
        res_setiface(res, iface);
        return gethostbyname_internal_real(name, af, res);
    }

    proxy = android_open_proxy();
    if (proxy == NULL) goto exit;

    /* This is writing to system/netd/DnsProxyListener.cpp and changes
     * here need to be matched there */
    if (fprintf(proxy, "gethostbyname %s %s %d",
            iface == NULL ? "^" : iface,
            name == NULL ? "^" : name,
            af) < 0) {
        goto exit;
    }

    if (fputc(0, proxy) == EOF || fflush(proxy) != 0) {
        goto exit;
    }

    result = android_read_hostent(proxy);
So by default, Android 4.3 will proxy the requests through netd (owned by UID 0). This can be verified by setting DBG to 1 in system/netd/DnsProxyListener.cpp, then watching logcat:
Code:
D/DnsProxyListener( 146): argv[0]=getaddrinfo
D/DnsProxyListener( 146): argv[1]=omg.yahoo.com
D/DnsProxyListener( 146): argv[2]=^
D/DnsProxyListener( 146): argv[3]=1024
D/DnsProxyListener( 146): argv[4]=0
D/DnsProxyListener( 146): argv[5]=1
D/DnsProxyListener( 146): argv[6]=0
D/DnsProxyListener( 146): argv[7]=^
D/DnsProxyListener( 146): GetAddrInfoHandler for omg.yahoo.com / [nullservice] / [nulliface] / 1489
D/DnsProxyListener( 146): GetAddrInfoHandler, now for omg.yahoo.com / (null) / (null)
D/DnsProxyListener( 146): argv[0]=getaddrinfo
D/DnsProxyListener( 146): argv[1]=l1.yimg.com
D/DnsProxyListener( 146): argv[2]=^
D/DnsProxyListener( 146): argv[3]=1024
D/DnsProxyListener( 146): argv[4]=0
D/DnsProxyListener( 146): argv[5]=1
D/DnsProxyListener( 146): argv[6]=0
D/DnsProxyListener( 146): argv[7]=^
D/DnsProxyListener( 146): GetAddrInfoHandler for l1.yimg.com / [nullservice] / [nulliface] / 1489
D/DnsProxyListener( 146): GetAddrInfoHandler, now for l1.yimg.com / (null) / (null)
As seen in the Android 4.3 code snippet, it is possible to temporarily revert to the old behavior by setting ANDROID_DNS_MODE to "local", causing Bionic to send the request through gethostbyname_internal_real(), the old implementation. On this system, the shell user is blocked from sending network traffic via netfilter, but the root user (which owns netd) has full network access:
Code:
[email protected]:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
[email protected]:/ $ ANDROID_DNS_MODE= telnet google.com 80
telnet: can't connect to remote host (74.125.227.135): Connection refused
1|[email protected]:/ $ ANDROID_DNS_MODE=local telnet google.com 80
telnet: bad address 'google.com'
1|[email protected]:/ $
In the former case (proxied request), the application was able to look up the hostname via netd, but could not send data traffic. In the latter case (direct request), the application was not able to look up the hostname at all.
It is possible to change the systemwide default by making a tweak to system/core/rootdir/init.rc and rebuilding your kernel image:
Code:
diff --git a/rootdir/init.rc b/rootdir/init.rc
index b6d7335..d0efc46 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -47,6 +47,7 @@ loglevel 3
export ANDROID_ASSETS /system/app
export ANDROID_DATA /data
export ANDROID_STORAGE /storage
+ export ANDROID_DNS_MODE local
export ASEC_MOUNTPOINT /mnt/asec
export LOOP_MOUNTPOINT /mnt/obb
export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar
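Review bot: this hunk makes the local resolver mode the default for every process init spawns, and the local code path it selects is the one a later post in this thread shows has no nameserver list on 4.3 (libc gets as far as /system/etc/hosts and then fails with "send error"), so shipping the `export ANDROID_DNS_MODE local` line on its own turns "root resolves DNS for everyone" into "nobody resolves DNS"; verify the mode per process first (`ANDROID_DNS_MODE=local <command>` from a shell) and pair the hunk with the Bionic change that repopulates the nameservers before making it global. Minor: init.rc is packed into the boot image ramdisk, so this is a boot.img rebuild rather than a kernel rebuild.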
Maybe there is a better way to patch existing ROMs in place.

So, is there any easy way to deny some apps the ability to resolve DNS?
How do apps connect to netd to resolve DNS? Unix socket? Or inet socket?
OK, what I want to do is have some apps connect through the Tor network and prevent DNS leaks.
Thanks.
Sent from my Nexus 4 using xda app-developers app

OK, I found it in android_open_proxy().
It looks like it uses the Unix socket "/dev/socket/dnsproxyd".
So I cannot use iptables to deny some apps connecting to dnsproxy, right?
Any idea how to prevent some apps/UIDs (but not all) from connecting to dnsproxy?
Thank you.
Sent from my Nexus 4 using xda app-developers app

I tried export ANDROID_DNS_MODE=local
but it makes no difference on my Nexus 4
(my Nexus 4 uses the stock Android 4.3 ROM, downloaded from Google)
[email protected]:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
[email protected]:/ $ telnet google.com
telnet: bad address 'google.com'
1|[email protected]:/ $ set |grep -i dns
1|[email protected]:/ $ export ANDROID_DNS_MODE=local
[email protected]:/ $ set |grep -i dns
ANDROID_DNS_MODE=local
_='ANDROID_DNS_MODE=local'
[email protected]:/ $ telnet google.com
telnet: bad address 'google.com'
Any idea why that is?
Thank you.

johnw.xda said:
I tried export ANDROID_DNS_MODE=local
but it makes no difference on my Nexus 4
[...]
Hmm, it looks like this change removed the logic that populates the nameserver list from the system properties. So with ANDROID_DNS_MODE=local, libc will search /system/etc/hosts but it won't actually be able to contact any nameservers:
Code:
[email protected] / $ ANDROID_DNS_MODE=local RES_OPTIONS=debug ping -c1 localhost
;; res_setoptions("debug", "env")..
;; debug
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=1.85 ms
--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.852/1.852/1.852/0.000 ms
[email protected] / $ ANDROID_DNS_MODE=local RES_OPTIONS=debug ping -c1 google.com
;; res_setoptions("debug", "env")..
;; debug
;; res_nquerydomain(google.com, <Nil>, 1, 1)
;; res_query(google.com, 1, 1)
;; res_nmkquery(QUERY, google.com, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28372
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; google.com, type = A, class = IN
;; res_query: send error
;; res_nquerydomain(google.com, , 1, 1)
;; res_query(google.com., 1, 1)
;; res_nmkquery(QUERY, google.com., IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41613
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; google.com, type = A, class = IN
;; res_query: send error
ping: unknown host google.com
[email protected] / $
There's some code in _resolv_set_nameservers_for_iface() that might help, but I don't think this gets run from ordinary command-line utilities.
johnw.xda said:
Any idea how to prevent some apps/UIDs (but not all) from connecting to dnsproxy?
You could try applying filesystem ACLs or SELinux rules to /dev/socket/dnsproxyd
Compiling setfacl with Bionic is a hassle, but you could boot e.g. a Debian ARM image in QEMU and build a binary that is statically linked with glibc. You might also need to build a kernel with CONFIG_TMPFS_POSIX_ACL=y; this setting is currently disabled on the CM10.2 grouper builds.
Other possibilities include:
Modify Bionic to reinstate the old nameserver list behavior, and modify /init.rc as above
Modify netd; you could try calling setresuid() to send out each request under the UID of the client instead of UID 0
Write a daemon that intercepts DNS requests intended for netd; this could use a modified version of the netd DnsProxy logic or it could pass the request through to the real netd

Sorry, I forgot to mention before: maybe the reason is that my busybox/telnet is compiled on Debian using glibc with -static flags, so telnet/busybox does not use Android's libc and does not use dnsproxy either.
Anyway, is it possible to compile my own libc for Android? Where can I download the Android 4.3 libc source code? Do I need to set up the NDK to compile it, or can I use gcc to compile it?
Did you do that before?
Thank you again.
Sent from my Nexus 4 using xda app-developers app

I'm using pppwidget to access the network and I think it is affected by this DNS issue. As a specific way to get on the network, it is not aware of all this new stuff and thus unable to resolve DNS queries.

johnw.xda said:
Anyway, is it possible to compile owner libc for android? Where can download android 4.3 libc source code? Do I need to setup ndk to compile it? or can I use gcc to compile it.
Did you do that before?
I've been building my Android 4.3 ROMs from the CM10.2 sources.
You can try building from AOSP directly (instructions here). CM builds aren't difficult, but they did require a few extra steps.
I'm not aware of a way to build Bionic standalone. Trying the obvious stuff like running "ndk-build" in that directory, or using crosstool-ng, didn't work for me. Others can jump in if they know...

cernekee said:
Hmm, it looks like this change removed the logic that populates the nameserver list from the system properties. So with ANDROID_DNS_MODE=local, libc will search /system/etc/hosts but it won't actually be able to contact any nameservers:
[...]
Hi,
Thanks for this analysis.
It certainly does look like 4.3 is ignoring the net.dns1 value as the nameserver.
I'm running my custom dns server inside Android and now I suddenly find that it's not being queried.
I may have a small step towards solving this problem.
Code:
iptables -t nat -I OUTPUT -p udp -d 192.168.1.1 --dport 53 -j DNAT --to-destination 192.168.1.5:53
iptables -t nat -I OUTPUT -p tcp -d 192.168.1.1 --dport 53 -j DNAT --to-destination 192.168.1.5:53
This works by intercepting the DNS requests meant for the remote nameserver and redirecting them to the local DNS server.
Hope this helps someone figure it out.
There may be a way to programmatically change the active interface DNS server?
Or a way to perhaps disable the DNS proxy completely (ANDROID_DNS_MODE=local doesn't work any more as mentioned)?

cernekee said:
Write a daemon that intercepts DNS requests intended for netd; this could use a modified version of the netd DnsProxy logic or it could pass the request through to the real netd
This is what I wound up doing: I copied the DnsProxyListener and Bionic resolver code into an experimental new program called "dnsproxy2", and then tweaked the logic a little bit. Sources are posted here and I'm attaching binaries to this message.
Currently it allows you to pass in a single DNS server address which will unconditionally override the OS-provided DNS servers, and when it proxies requests on behalf of an application it will change the thread's UID (Linux fsuid) to match the caller so that the traditional netfilter app/UID restrictions will be honored.
To see it in action, just do:
Code:
adb push libs/armeabi-v7a/dnsproxy2 /data/local/tmp
adb shell "su -c '/data/local/tmp/dnsproxy2 -v 8.8.8.8'"
The "-v" flag will show the DNS requests on the console.
This was tested with CM10.2. Note that Firefox appears to bypass the DNS proxy.
If this proves useful it may be worth writing a GUI installer/settings app. Another possible improvement would be to allow selectively overriding the DNS server based on the active connection.

cernekee said:
This is what I wound up doing: I copied the DnsProxyListener and Bionic resolver code into an experimental new program called "dnsproxy2", and then tweaked the logic a little bit. Sources are posted here and I'm attaching binaries to this message.
[...]
Is this method still going strong? At this moment there is no app on the market that can change DNS (mobile data access).

hardKNOXbz said:
Is this method still going strong? At this moment there is no app on the market that can change DNS (mobile data access).
I'd suggest reading the last few pages of the CrossBreeder thread. I don't think dnsproxy2 is in the official release yet but a number of people have been experimenting with it and posting their results.

cernekee said:
I'd suggest reading the last few pages of the CrossBreeder thread. I don't think dnsproxy2 is in the official release yet but a number of people have been experimenting with it and posting their results.
Thank you, I'll do that.

I have created a bug for AOSP regarding broken ANDROID_DNS_MODE=local behavior:
https://code.google.com/p/android/issues/detail?id=75232

Please try this to connect through VPN.
This is not my work; I just took it from CM11 and put it on the stock ROM, and it works.
sshtunnel_support.zip
https://docs.google.com/file/d/0BzL6ekv_OuX2cE9uY3pfYzNmdWs/edit?usp=docslist_api

Related

[Q][Solved] Void #e and L2TP/IPSec support

Hello, there.
I installed void #e a while ago on my O1, everything went smoothly until I had to setup a VPN with L2TP/IPsec.
After poking around with adb logcat, I found that the bundled kernel (mik_os's one) lacked support for NETKEY sockets, IPsec over IPv4 and PPP altogether, so I rebuilt the kernel from source, adding all missing options to .config.
I flashed the new kernel, booted it and tried to start the VPN, but it failed again.
This time - however - racoon was able to set up an IPsec security association with the remote host, but pppd complained about missing PPP support in kernel:
Code:
I/racoon ( 4330): ISAKMP-SA established <scrubbed>[500]-<scrubbed>[500] spi:<scrubbed>
I/racoon ( 4330): initiate new phase 2 negotiation: <scrubbed>[500]<=><scrubbed>[500]
I/racoon ( 4330): IPsec-SA established: ESP/Transport <scrubbed>[0]-><scrubbed>[0] spi=<scrubbed>(0x<scrubbed>)
I/racoon ( 4330): IPsec-SA established: ESP/Transport <scrubbed>[500]-><scrubbed>[500] spi=<scrubbed>(0x<scrubbed>)
I/mtpd ( 4532): Tunnel established
D/mtpd ( 4532): Received ICRP (remote_session = 65060) -> Sending ICCN
D/mtpd ( 4532): Received ACK
I/mtpd ( 4532): Session established
I/mtpd ( 4532): Creating PPPoX socket
I/mtpd ( 4532): Starting pppd (pppox = 13)
I/mtpd ( 4532): Pppd started (pid = 4533)
I/pppd ( 4533): Using PPPoX (socket = 13)
E/pppd ( 4533): This system lacks kernel support for PPP. This could be because
E/pppd ( 4533): the PPP kernel module could not be loaded, or because PPP was not
E/pppd ( 4533): included in the kernel configuration. If PPP was included as a
E/pppd ( 4533): module, try `/sbin/modprobe -v ppp'. If that fails, check that
E/pppd ( 4533): ppp.o exists in /lib/modules/`uname -r`/net.
E/pppd ( 4533): See README.linux file in the ppp distribution for more details.
I/mtpd ( 4532): Received signal 17
I/mtpd ( 4532): Pppd is terminated (status = 4)
D/mtpd ( 4532): Sending STOPCCN
I/mtpd ( 4532): Mtpd is terminated (status = 36)
I double-checked /proc/config.gz and sure enough it contains all PPP options:
Code:
# zcat /proc/config.gz | grep PPP
CONFIG_PPP=y
CONFIG_PPP_MULTILINK=y
CONFIG_PPP_FILTER=y
CONFIG_PPP_ASYNC=y
CONFIG_PPP_SYNC_TTY=y
CONFIG_PPP_DEFLATE=y
CONFIG_PPP_BSDCOMP=y
CONFIG_PPP_MPPE=y
CONFIG_PPPOE=y
CONFIG_PPPOL2TP=y
CONFIG_PPPOLAC=y
CONFIG_PPPOPNS=y
I noticed in mik_os's sources that LG also set CONFIG_ANDROID_PARANOID_NETWORK to y, while in mik_os's build it is set to n.
Does anyone know if they are related and/or if I'm running into another issue (permissions, maybe)?
Thanks in advance
Sure enough, it was CONFIG_ANDROID_PARANOID_NETWORK.
For future reference, if this option is not set, AID_NET_ADMIN and AID_NET_RAW have no special meaning to the kernel (iow, CAP_NET_ADMIN and CAP_NET_RAW are not granted to non-root processes belonging to those special groups).
Moreover, network access restrictions are completely ignored, so any application can create sockets and/or access the Bluetooth stack even if its manifest does not specify the relevant permissions.
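As an added example (my own code, not from the thread), the probe below tells you from a shell or from an app process whether the running kernel actually enforces the paranoid-network checks described above. With CONFIG_ANDROID_PARANOID_NETWORK=y, socket() for AF_INET fails with EACCES unless the caller is root or in the inet group (gid 3003 in the `id` output earlier on this page), and the net_raw/net_admin groups stand in for CAP_NET_RAW/CAP_NET_ADMIN; with the option off, as in the post above, only the ordinary capability checks remain, so a UDP socket always succeeds and a raw socket fails with EPERM for any non-root caller. The function names are my own.

```c
/* Added example (not from the thread): probe the kernel's socket() policy to
 * see whether Android's paranoid-network group checks are in effect. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create and immediately close a socket; return 0 or the errno value. */
int probe_socket(int domain, int type, int protocol)
{
    int fd = socket(domain, type, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Interpret the result for a socket that needs no capability
 * (e.g. AF_INET/SOCK_DGRAM): only the paranoid-network group check can
 * refuse it, and that check reports EACCES. */
const char *explain_plain_socket(int err)
{
    switch (err) {
    case 0:      return "allowed";
    case EACCES: return "paranoid network: caller is not root and not in the inet group";
    default:     return "failed for another reason";
    }
}

/* Interpret the result for a raw socket, which also needs CAP_NET_RAW.
 * The inet group check runs first (EACCES); the capability check runs
 * second (EPERM), and under paranoid network the net_raw group satisfies it. */
const char *explain_raw_socket(int err)
{
    switch (err) {
    case 0:      return "allowed: root, CAP_NET_RAW, or net_raw group under paranoid network";
    case EACCES: return "paranoid network: caller is not root and not in the inet group";
    case EPERM:  return "CAP_NET_RAW missing: not root and, under paranoid network, not in net_raw";
    default:     return "failed for another reason";
    }
}

int main(void)
{
    int udp = probe_socket(AF_INET, SOCK_DGRAM, 0);
    int raw = probe_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    printf("AF_INET SOCK_DGRAM: %s%s%s\n", explain_plain_socket(udp),
           udp ? ", errno: " : "", udp ? strerror(udp) : "");
    printf("AF_INET SOCK_RAW:   %s%s%s\n", explain_raw_socket(raw),
           raw ? ", errno: " : "", raw ? strerror(raw) : "");
    return 0;
}
```

On a kernel built with the option and run from the adb shell (which is in inet, net_bt_admin and net_bt but not net_raw, per the `id` output earlier on the page) the expected pair is "allowed" for the UDP socket and EPERM for the raw one; run from an app UID without the INTERNET permission, the UDP probe should report EACCES, and if it reports "allowed" instead, the kernel is not enforcing the manifest's network permissions at all, which is the situation the post above describes.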

[EXPERIMENTAL] [PHP SCRIPT] WIFI-MAC Spoofer v1.1

Hi.
I wasn't too sure, if I should post this into the development area, I think it fits more into general.
Introduction
According to this thread, I tried to write a little script which lets one spoof their Wi-Fi MAC address independently of any adb shell or USB connection. It's very experimental and might not work properly. If I try it at home, my router somehow shuts down every incoming Wi-Fi connection in the whole network and turns the internet off. :/ But the script itself actually SEEMS to change the MAC address (according to what the Wi-Fi settings say).
I am not responsible for any damage to your phone. However, you can reset the changed MAC address anyway, if something bad happens.
Please note, that you are only allowed to use this script in those networks where you have the permission to do so. Especially the use of the "MAC takeover" function might be illegal in different networks.
Requirements
You will need SL4A (Android Scripting Environment) and PFA (PHP for Android). Check out: http://www.phpforandroid.net/#requirements
The script
PHP:
<?php
// config: config file and tmp file
$cnf = "/etc/wl/nvram.txt";
$tmp = "/sdcard/nvram-tmp.txt";
// this is my very dirty solution to replace the actual config file with a new edited one. root needed. might not work everywhere.
$cmd = 'su -c "mount -o rw,remount -t yaffs2 /dev/block/mtdblock4 /system; mv -f \"'.$tmp.'\" \"'.$cnf.'\"; chmod 644 \"'.$cnf.'\"; mount -o ro,remount -t yaffs2 /dev/block/mtdblock4 /system"';
// one MAC address pattern, reused everywhere below
$mac_re = "[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}";
// access android api
require_once("Android.php");
$droid = new Android();
// get config file src
$src = file_get_contents($cnf);
// check if the mac address was already spoofed before
preg_match("|macaddr=(".$mac_re.")|i", $src, $res);
$spoofed = false;
$macaddr = "13:57:9B:DF:13:37";
if (isset($res[1])) {
    $spoofed = true;
    $macaddr = $res[1];
}
// pre-configurations
$title = "LG-OO-P500 MAC Spoofer";
$action = "start";
// main loop for actions
while (true) {
    switch ($action) {
        // start
        case "start":
            $msg = "Your MAC address is currently set on default.";
            // currently spoofed mac address?
            if ($spoofed) {
                $msg = "Your currently spoofed MAC address is: ".$macaddr;
            }
            $droid->makeToast($msg);
            // create dialog
            $droid->dialogCreateAlert($title);
            $droid->dialogSetItems(array("Change MAC address", "MAC takeover", "Reset MAC address", "Exit"));
            $droid->dialogShow();
            // determine next action (cancelling the dialog returns no item: treat as exit)
            $res = $droid->dialogGetResponse();
            $actions = array("spoof", "scan", "reset", "exit");
            $action = isset($res["result"]->item) ? $actions[$res["result"]->item] : "exit";
            $droid->dialogDismiss();
            break;
        // spoof, takeover and reset actions
        case "spoof": case "scan": case "reset":
            switch ($action) {
                case "spoof":
                    // get user input for the new mac address
                    while (true) {
                        $res = $droid->dialogGetInput($title, "Insert new MAC address", $macaddr);
                        $macaddr = strtoupper(trim($res["result"]));
                        // anchored, so the whole input has to be a MAC address
                        if (preg_match("|^".$mac_re."$|i", $macaddr)) {
                            break;
                        }
                        $droid->makeToast("Invalid MAC address. (example: 00:00:00:00:00:00 to FF:FF:FF:FF:FF:FF)");
                    }
                    $rpl = "macaddr=".$macaddr;
                    break;
                case "scan":
                    $droid->dialogCreateSpinnerProgress("Now scanning network...");
                    // scan for MACs and filter ip and MAC addresses from the output
                    exec("arp -a", $out);
                    preg_match_all("|\(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\) at (".$mac_re.")|i", strtoupper(implode("\r\n", $out)), $res);
                    $droid->dialogDismiss();
                    // create new array (initialised, so an empty scan still works)
                    $arr = array("list" => array(), "ip" => array(), "mac" => array());
                    for ($i = 0; $i != count($res[1]); $i++) {
                        $arr["list"][] = $res[1][$i]."\n=> ".$res[2][$i];
                        $arr["ip"][] = $res[1][$i];
                        $arr["mac"][] = $res[2][$i];
                    }
                    // count the hosts found, not the three keys of $arr
                    $droid->dialogCreateAlert("Found ".count($arr["list"])." individuals... please choose:");
                    $droid->dialogSetItems($arr["list"]);
                    $droid->dialogShow();
                    $res = $droid->dialogGetResponse();
                    $droid->dialogDismiss();
                    if (!isset($res["result"]->item)) {
                        // nothing chosen (or nothing found): leave the config untouched
                        $action = "exit";
                        break 2;
                    }
                    $rpl = "macaddr=".$arr["mac"][$res["result"]->item];
                    break;
                case "reset": default:
                    $rpl = null;
                    break;
            }
            // edit src: replace an existing macaddr line, or append a new one
            if ($spoofed || empty($rpl)) {
                $src = rtrim(preg_replace("|macaddr=.*|i", (string)$rpl, $src));
            } else {
                $src = rtrim($src)."\n".$rpl;
            }
            // disable wifi
            $droid->toggleWifiState(false);
            // save tmp file
            $h = fopen($tmp, "w");
            fwrite($h, $src);
            fclose($h);
            // overwrite with root privileges
            exec($cmd);
            $droid->makeToast("Operation complete.");
            $action = "exit";
            break;
        // exit
        case "exit":
            // enable wlan and exit
            $droid->toggleWifiState(true);
            $droid->exit();
            exit();
            break;
    }
}
I am really not sure if it is going to work for you. I tested it under devoid #forever (CM7, 2.3.4). Maybe other ROMs and other smartphones will behave differently. And to be honest, for me it didn't work that well either until now.
If you are having trouble, you can also try to reboot after spoofing.
Have fun trying.
Is this all about adding macaddr to nvram.txt, as we discussed earlier?
Nice work.
Sent from my LG-P500 using XDA Premium App
I added another very experimental function which I named "MAC takeover". It allows the user to scan the network for all connected MAC addresses and afterwards display and finally spoof one of those addresses.
The whole script might be buggy, so tell me if something doesn't work properly.
Please note, that you are only allowed to use this script in those networks where you have the permission to do so. Especially the use of the "MAC takeover" function might be illegal in different networks.
See the changes above in the source code.
Is this all about adding macaddr to nvram.txt, as we discussed earlier?
Yup, but it makes things a lot easier, because you just need your phone to change the MAC address. Additionally it has something like an interface.
I have a bash script somewhere doing the same (except for takeover... nasty boy). Will post it when I find it. Should be a hell of a lot easier to use (just bash, no weird stuff needed).
This is actually quite easy as well, you just need PHP installed on android. However, I'm also very interested in that bash script, please share!

[script] reliable interface stats

pro: reliable, works on any Linux; low battery consumption; runs only when necessary
contra: no GUI
prerequisites: script manager able to trigger on network changes
root is not needed, because the script uses the readable-for-all /proc/net/dev interface to gather statistics.
My problem was that I could not find any app that would give me the megabytes sent from/to the device. They would either ignore GPRS or WiFi, count from reboot to reboot, display stupid ads, or even cost money without delivering. I'm on a data flat rate with throttling from 200MB up, and I only want to know how much I have already "spent".
The following script should run on network changes, but it can be run at any time. You get more data entries in the log files for the various active interfaces when running it more often.
EDIT: it turns out the "network change" event works perfectly for interface wlan0, but not for pdp0, which happens to be the GPRS/2G/3G/4G packet interface. Maybe "Tasker" does better than "Script Manager" with this; try and find out. What will always work is manual mode: after using an interface, run the script. This will enter the numbers from any interface that had traffic into the respective log.
The script is run with zero or one argument. If given, it can be the name of an interface or the string "all" to get just a readout of the current counters of all interfaces that had traffic without logging anything.
The output is lines with bytes, data packets, erroneous and dropped packets for "rx" (received) and "tx" (transmitted) for all or the selected interfaces. Without arguments all active interfaces are logged to separate files in /sdcard/. If you want to change this directory or the names or the date format, well, it should be easy to adapt.
Note that this first script does only data gathering as to the byte counts and it must run on network events. See below for the script(s) that do evaluation according to date to find out how much to go until throttling.
Code:
#!/system/bin/sh
want_if="${1:-*}"
all=""
case "-${want_if}" in
-all)
want_if="*"; all=all;
;;
esac
log_prefix="/mnt/sdcard/interface-stats"
now="$(date '+%d.%m.%y-%H:%M:%S')"
# rx: bytes packets errs drop fifo frame compressed multicast
# tx: bytes packets errs drop fifo colls carrier compressed
# lo: 4944 74 0 0 0 0 0 0 4944 74 0 0 0 0 0 0
# wlan0: 42447725 41554 302 0 0 0 0 0 3280981 33753 0 0 0 0 0 0
while read intf rb rp re rd x x x x tb tp te td rest
do
case "-${intf}" in
-${want_if:-*}:)
case "${rb}--${tb}" in
0--0) continue;;
esac
stats="rx: $rb $rp $re $rd tx: $tb $tp $te $td"
intf_="${intf%:}"
echo "${intf} ${stats}"
[ -z "${all}" ] &&
echo "${now} ${stats}" >> "${log_prefix}-${intf_}.txt"
;;
esac
done < /proc/net/dev
exit 0
Here's the script to output the megabytes. It takes zero, one or two arguments, the first being a date pattern that needs to match the dates in the log file, the second the name of said log.
An optional third argument, if given, gives debug output. Use only if the number doesn't look plausible.
It doesn't need any special privileges and can be run anytime.
If less than one megabyte has been hit so far, then the output is the number of bytes. Due to limitations of "awk" there can still be decimals in the output!
Code:
# /home/ino/interface-stats.sh _date: 20120225-2103_
# vim: set filetype=sh ts=4:
# -*- mode: sh; -*-
#
# <url:man:1 awk>
# sample:
#
# 25.02.12-02:28:28 rx: 182909647 374371 462 0 tx: 681742703 542899 0 0
# 25.02.12-12:15:00 rx: 3 374464 494 0 tx: 5 542974 0 0
#
# at around noon the device was rebooted, so the stats start at low
# values.
#
# algorithm:
#
# initialize old-accumulator and offset to zero.
#
# since received and transmitted bytes are accumulated by the kernel,
# the script has to just store the sum of the received and transmitted
# bytes into an accumulator, unless the current value is less than the
# running count. this happens after a reboot. so store this first low
# value into $offset, store the old accumulator and keep the running game
# until either the next reboot or EOF. now
# accumulator = old-accumulator + accumulator - offset.
awk_prog='
BEGIN {
debug = debug > 0
accu=0
accu_old=0
offset=0
accu_sum=0
# megabytes
mb_scaler=1024*1024
# field definitions
rx_bytes=3
rx_packets=4
rx_errors=5
rx_dropped=6
tx_bytes=8
tx_packets=9
tx_errors=10
tx_dropped=11
# date pattern
# 25.02.12-12:15:00 rx: 3 374464 494 0 tx: 5 542974 0 0
# escape the dots twice: once for the awk string literal, once for the regex
pat_date_dflt = "[0-9][0-9]\\.[0-9][0-9]\\.[0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9]"
pat_date = length(pat_date) == 0 ? pat_date_dflt : pat_date
}
function dbg(x) {
if (debug > 0) print("debug: " x);
}
# no particular validity check: if there are 11 fields and the first one
# matches the date the user is after, we will use the record.
(NF == 11) && ($1 ~ pat_date) {
dbg("select line: " $0)
accu_sum = $rx_bytes + $tx_bytes
if (accu_sum < accu) {
dbg("break: accu_sum=" accu_sum "; accu_old=" accu_old "; accu=" accu "; offset=" offset);
accu = accu_old + accu - offset
accu_old = accu
offset = accu_sum
accu = accu_sum
} else {
accu = accu_sum
}
}
END {
dbg("eof: accu_sum=" accu_sum "; accu_old=" accu_old "; accu=" accu "; offset=" offset);
accu = accu_old + accu - offset
if (accu > mb_scaler) accu = (accu / mb_scaler) "MB"
print(accu)
}
'
debug=0
log_prefix="/mnt/sdcard/interface-stats"
dates="${1:-.}"
want_if="${2:-wlan0}"
debug="${3+1}"
input="${log_prefix}-${want_if}.txt"
awk -v pat_date="${dates}" -v debug="${debug}" "${awk_prog}" "${input}"
And finally this one is for quick inspection of a log. Gets the name of an interface as argument if needed. Again it needs no privileges and is appropriate for use as an SM widget.
Code:
#!/system/bin/sh
want_if="${1:-wlan0}"
log_prefix="/mnt/sdcard/interface-stats"
logg="${log_prefix}-${want_if}.txt"
[ -r "${logg}" ] &&
while read tim rx rb rp re rd tx tb tp te td rest
do
case "${rb}--${tb}" in
0--0) continue;;
esac
stats="rx: $rb $rp $re $rd tx: $tb $tp $te $td"
echo "${tim} ${stats}"
done < "${logg}"
exit 0
Does somebody know what tags to brace code with in order to keep formatting intact? To me all my stuff has no indentation and lines seem to break at other points than just and only newlines!
EDIT: just found out that there's no problem in the web view, it's just the "forum runner" that can't render what the "\[ code \]" tag generates.
Well, as an alternative, what's the least-hassle file dump?

[Q&A] [2.2+][ROOT][1.3.4.1] AFWall+ IPTables Firewall [21 Aug 2014]

Which app to enable for streaming?
I'm running in whitelist mode and would like to enable a browser to watch streaming videos. Enabling the browser was obvious but when I click on something to watch a stream I get a Error message about not being able to download the file. Can you let me know which App I need to whitelist for this to work. I tried whitelisting "Media Server" but that did not help.
Thanks.
xraken said:
I'm running in whitelist mode and would like to enable a browser to watch streaming videos. Enabling the browser was obvious but when I click on something to watch a stream I get a Error message about not being able to download the file. Can you let me know which App I need to whitelist for this to work. I tried whitelisting "Media Server" but that did not help.
Thanks.
try allowing "Download Manager"
That did not work. The exact message is "Error reading video file". This works when the firewall is off, so I just need to find the 'thing' that needs to be whitelisted.
Sorry, made a noob mistake. Did not realize I needed to select "Apply filters" for it to take effect. Thanks, works as expected now.
Hi, I am hoping someone can help me to get T-Mobile MMS working with DNSqache, an app by xda member tdhite that uses polipo as a proxy, caches DNS requests and allows you to select the DNS provider of your choice.
When DNSqache is activated it runs this script
run killall dnsqache
run rm -f "/data/data/com.tdhite.dnsqache/var/dnsqache.pid"
run "/data/data/com.tdhite.dnsqache/bin/dnsqache" "--conf-file=/data/data/com.tdhite.dnsqache/conf/dnsqache.conf"
setprop "dnsqache.status" running
run chmod 644 "/data/data/com.tdhite.dnsqache/var/dnsqache.log"
run iptables "-t" nat "-N" dnsqache
run iptables "-t" nat "-A" dnsqache "-p" tcp "--dport" "53" "--destination" "8.8.8.8" "-j" RETURN
run iptables "-t" nat "-A" dnsqache "-p" udp "--dport" "53" "--destination" "8.8.8.8" "-j" RETURN
run iptables "-t" nat "-A" dnsqache "-p" tcp "--dport" "53" "--destination" "8.8.4.4" "-j" RETURN
run iptables "-t" nat "-A" dnsqache "-p" udp "--dport" "53" "--destination" "8.8.4.4" "-j" RETURN
run "iptables -t nat -A dnsqache -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353"
run "iptables -t nat -A dnsqache -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5353"
run iptables "-t" nat "-I" OUTPUT "-j" dnsqache
I posted following in the DNSqache thread but no luck yet.
OK, if anyone who is knowledgeable can help it would be great.
On T-Mobile when a multimedia message (MMS) is sent or received it will not go through if the DNS has changed. I think it is because the IP is a private IP so the only DNS servers that can resolve it are T-Mobile's. I have sent MMS with a "network connections" app that shows what connection is made by each app, android system etc....
The DNS servers that are stock T-Mobile are
dns1:10.177.0.34,dns2:10.176.83.140
With the following APN​
APN for T-Mobile LTE
>fast.t-mobile.com
>MMSC:
>http://mms.msg.eng.t-mobile.com/mms/wapenc
>MMS proxy:
>blank
>MMS proxy port:
>blank
When an MMS is sent from myself to myself with standard DNS settings.
Android system connects to 10.177.0.34
then Android system and Messaging app connect to one of a few IPs that are the same for both. For each message the IPs, all on port 80, were 10.176.75.129 or 10.176.75.130 or 10.184.75.130 or 10.184.75.129. Then the message is received.
I tried editing the APN to one of the IP addresses above, thinking that the phone might send the MMS if it does not have to use a lookup service and connects directly to T-Mobile's IPs, like this
>MMSC:
>10.176.75.129
>MMS proxy:
>blank
>MMS proxy port:
>blank
Send the MMS and it goes through, and in network connections it shows the same connections to the IPs as when the MMSC was a domain name.
Then I attempt to send MMS with DNSqache activated with both Google and OpenDNS servers selected; it does not send the MMS and will not receive MMS.
I also tried the APN with the T-Mobile MMS proxy set to 216.155.165.50 port 8080 and the MMS messages go through as long as DNSqache is not active, the same as if there was nothing in MMS proxy.
With this information, does anyone know if there is something that can be done to still get MMS working with DNSqache active? In DNSqache, with polipo proxy selected, I entered all the IP addresses that MMS was connecting to and the MMS proxy address and that also didn't work.
Update/edit: In AdAway I set a redirect for mms.msg.eng.t-mobile.com to 10.176.75.129. When I send the message it sends successfully, but doesn't receive it, whereas without the redirect it would just produce an error.
If I set DNSqache to use one Google and one T-Mobile DNS as the DNS servers, it sends and receives the message. But what I want to do is just use Google or OpenDNS cached DNS without using T-Mobile's, except for the android messaging apps and possibly android system, as these are the apps that make connections when sending/receiving MMS; or possibly just have anything on any app that is coming from or going to *.t-mobile.com* use T-Mobile's DNS while the rest of the phone uses DNSqache.
Hopefully that covers everything but if you need a log from anything I can get it.
Problem with "Smart Network" on Lollipop
Hi:
I'm running AFWall+ on a stock and rooted Nexus 5 with Lollipop (LRX21O). I'm having an issue where the "smartnetwork" feature thinks that the wifi connection is down because it's getting blocked by AFWall+. Looking at the logcat, this is what happens if AFWall+ is enabled (note I inserted an extra "t" in htttp because otherwise the forum software thinks i'm trying to post a link and won't let me):
Code:
D/NetworkMonitorNetworkAgentInfo [WIFI () - null]( 782): Checking htttp://clients3.google.com/generate_204 on "XXXXX"
D/NetworkMonitorNetworkAgentInfo [WIFI () - null]( 782): Probably not a portal: exception java.net.UnknownHostException: Unable to resolve host "clients3.google.com": No address associated with hostname
and if AFWall+ is not enabled I get this:
Code:
D/NetworkMonitorNetworkAgentInfo [WIFI () - null]( 782): Checking htttp://clients3.google.com/generate_204 on "XXXXX"
D/NetworkMonitorNetworkAgentInfo [WIFI () - null]( 782): isCaptivePortal: ret=204 headers={null=[HTTP/1.1 204 No Content], Content-Length=[0], Content-Type=[text/html; charset=UTF-8], Date=[Wed, 19 Nov 2014 03:15:12 GMT], Server=[GFE/2.0], X-Android-Received-Millis=[1416366905558], X-Android-Response-Source=[NETWORK 204], X-Android-Sent-Millis=[1416366905422]}
On my phone process 782 is system_server owned by user "system":
Code:
system 782 196 1875652 151224 ffffffff 00000000 S system_server
And in the iptables rules, system is allowed to access the network while on wifi:
Code:
Chain afwall-wifi-wan (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere owner UID match root
RETURN all -- anywhere anywhere owner UID match system
Thus, I'm pretty perplexed as to why the system might think wifi isn't working. Of course when it does that, it forces all traffic to go over mobile data which means I can never use the wifi connection -- not exactly good.
Anyone else having this issue? Any suggestions?
daxvex said:
I'm running AFWall+ on a stock and rooted Nexus 5 with Lollipop (LRX21O). I'm having an issue where the "smartnetwork" feature thinks that the wifi connection is down because it's getting blocked by AFWall+. [...]
Anyone else having this issue? Any suggestions?
BTW, I have narrowed it down. I'm not sure if this is a bug or not. When I have LAN control enabled, then it produces this little chain snippet:
Code:
Chain afwall-wifi-fork (2 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Which is obviously bad. If I disable LAN control, it produces the right chain contents
Code:
Chain afwall-wifi-fork (2 references)
target prot opt source destination
afwall-wifi-wan all -- anywhere anywhere
Looking at the code, the suspicious snippet is
Code:
if (G.enableLAN() && !cfg.isTethered) {
if(setv6 && !cfg.lanMaskV6.equals("")) {
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -d " + cfg.lanMaskV6 + " -j " + AFWALL_CHAIN_NAME + "-wifi-lan");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork '!' -d " + cfg.lanMaskV6 + " -j " + AFWALL_CHAIN_NAME + "-wifi-wan");
} else if(!setv6 && !cfg.lanMaskV4.equals("")) {
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -d " + cfg.lanMaskV4 + " -j " + AFWALL_CHAIN_NAME + "-wifi-lan");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork '!' -d "+ cfg.lanMaskV4 + " -j " + AFWALL_CHAIN_NAME + "-wifi-wan");
} else {
// No IP address -> no traffic. This prevents a data leak between the time
// the interface gets an IP address, and the time we process the intent
// (which could be 5+ seconds). This is likely to catch a little bit of
// legitimate traffic from time to time, so we won't log the failures.
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
}
where if for some reason Android L slightly changed the way the netmask is being extracted, it might extract to blank and result in an empty netmask. I'm not setup to compile and there are no logging hooks so I can't go any further.
Is this a bug? can anyone with a development environment look into this?
@daxvex, Thanks for the details. I haven't had a chance to install Lollipop on my n7. I'll try to look into it this weekend.
ukanth said:
@daxvex, Thanks for the details. I haven't had a chance to install Lollipop on my n7. I'll try to look into it this weekend.
BTW, I'm seeing this on a Nexus 5. Not sure if that will make a difference or not.
Issue with orwall
I installed orbot and since then, every time I reboot the iptables are not there (any app can get to internet) and have to reapply them with AFWall+.
I have since uninstalled orbot, but still the same issue. Does anyone know what could be done so AFWall+ roots remain after reboot?
Proposed Fix for Connectivity Bug for Android L
ukanth said:
@daxvex, Thanks for the details. I haven't had a chance to install Lollipop on my n7. I'll try to look into it this weekend.
I finally found some time to set up a dev environment. It seems that in Android L, the system service will try to connect to one of Google's services whenever WIFI becomes present to see if the WIFI interface actually has connectivity. If you enable LAN control, AFWall conservatively rejects all packets to the LAN interface when it thinks there's no WIFI connection (see the last else block below):
Code:
if (G.enableLAN() && !cfg.isTethered) {
if(setv6 && !cfg.lanMaskV6.equals("")) {
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -d " + cfg.lanMaskV6 + " -j " + AFWALL_CHAIN_NAME + "-wifi-lan");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork '!' -d " + cfg.lanMaskV6 + " -j " + AFWALL_CHAIN_NAME + "-wifi-wan");
} else if(!setv6 && !cfg.lanMaskV4.equals("")) {
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -d " + cfg.lanMaskV4 + " -j " + AFWALL_CHAIN_NAME + "-wifi-lan");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork '!' -d "+ cfg.lanMaskV4 + " -j " + AFWALL_CHAIN_NAME + "-wifi-wan");
} else {
// No IP address -> no traffic. This prevents a data leak between the time
// the interface gets an IP address, and the time we process the intent
// (which could be 5+ seconds). This is likely to catch a little bit of
// legitimate traffic from time to time, so we won't log the failures.
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
}
Thus there is a race. If the system checks for connectivity before AFWall has had a chance to start letting packets through the wifi connection, then the system will mistakenly think the WIFI connection is bad and continue to send all packets to cellular data. I suspect if you tried to replicate this bug on an N7, you would fail.
The solution is pretty simple, you need to loosen it up so even when the wifi connection looks down, you still let the system service and root send packets on wifi. Thus you replace:
Code:
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
with
Code:
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -m owner --uid-owner root -j RETURN");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -m owner --uid-owner system -j RETURN");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
I have been testing for a bit and it seems to work. Can the developer please review this and if ok with it, commit the fix and update so I can go back to using the version on Google Play. Replying to this thread to let me know when it's done would be most appreciated as well. Thanks! (and thanks for providing this great app!).
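The fix above works only if the owner-match RETURN rules sit before the catch-all REJECT in the afwall-wifi-fork chain. This added checker (my example, not AFWall's code) parses the `iptables -L` text format quoted in this thread and classifies a chain dump; all chain dumps below are constructed samples.

```python
"""Classify an AFWall-style afwall-wifi-fork chain from `iptables -L` output.

Verdicts:
  'reject-all'   catch-all REJECT reached before root/system are exempted
                 (the race-prone chain seen with LAN control and no mask)
  'owner-exempt' RETURN rules for root and system precede the REJECT
  'forked'       a LAN mask is known and traffic is split to -lan / -wan
  'open'         no terminating catch-all rule at all
"""
import re
from typing import Dict, List

# Constructed sample: the chain the thread reports with LAN control enabled.
REJECT_ONLY = """Chain afwall-wifi-fork (2 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
"""

# Constructed sample: what the proposed fix yields when no LAN mask is known.
FIXED_CHAIN = """Chain afwall-wifi-fork (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             owner UID match root
RETURN     all  --  anywhere             anywhere             owner UID match system
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
"""

# Constructed sample: same rules, wrong order; the exemptions are unreachable.
MISORDERED = """Chain afwall-wifi-fork (2 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere             owner UID match root
RETURN     all  --  anywhere             anywhere             owner UID match system
"""

# Constructed sample: a LAN mask was extracted, so the chain forks as intended.
FORK_CHAIN = """Chain afwall-wifi-fork (2 references)
target     prot opt source               destination
afwall-wifi-lan  all  --  anywhere             192.168.1.0/24
afwall-wifi-wan  all  --  anywhere            !192.168.1.0/24
"""


def parse_chain(dump: str) -> List[Dict[str, str]]:
    """Turn one chain listing into rule dicts; the trailing match text
    (owner UID, reject-with, ...) is kept verbatim under 'extra'."""
    rules = []
    for line in dump.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target")):
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        target, prot, opt, src, dst = parts[:5]
        rules.append({"target": target, "prot": prot, "src": src, "dst": dst,
                      "extra": parts[5] if len(parts) > 5 else ""})
    return rules


def owner_uid(rule: Dict[str, str]):
    m = re.search(r"owner UID match (\S+)", rule["extra"])
    return m.group(1) if m else None


def is_catch_all(rule: Dict[str, str]) -> bool:
    return (rule["src"] == "anywhere" and rule["dst"] == "anywhere"
            and owner_uid(rule) is None)


def wifi_fork_verdict(dump: str) -> str:
    """Walk the chain in order, as the kernel does, and stop at the first
    terminating catch-all rule; only exemptions seen before it count."""
    exempt = set()
    for r in parse_chain(dump):
        uid = owner_uid(r)
        if r["target"] == "RETURN" and uid:
            exempt.add(uid)
            continue
        if r["target"] in ("REJECT", "DROP") and is_catch_all(r):
            return "owner-exempt" if {"root", "system"} <= exempt else "reject-all"
        if r["target"].endswith(("-wifi-lan", "-wifi-wan")):
            return "forked"
    return "open"


if __name__ == "__main__":
    for name, dump in [("reject-only", REJECT_ONLY), ("fixed", FIXED_CHAIN),
                       ("misordered", MISORDERED), ("forked", FORK_CHAIN)]:
        print(f"{name:12s} -> {wifi_fork_verdict(dump)}")
```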
cant receive files using superbeam
I am not able to receive files using SuperBeam after installing AFWall+. I am able to send them though. I am not able to receive files using SuperBeam with the wifi of both phones (the sending phone and my receiving phone) ON. But if both phones are connected to the same wifi network, I am able to receive files using SuperBeam. I uninstalled AFWall+ and SuperBeam is working normally even when the phones are not connected to a wifi network.
What's the fix?
afwall blocking vpn unless disable,connect,disconnect,enable,connect,connect. ...
Hi there and happy holidays everyone
Hope someone can point me in the right direction or to a thread more appropriate for this.
Trying to set up VPN on my S4 with latest cm11 nightly, successful so far but...
Only after I disable AFW after a reboot of the phone, then connect, then disconnect, then enable AFW ... And then I can keep it enabled and connect/disconnect VPN as much as I like .... Until the next reboot of the phone.
Here is what I do:
. boot phone
. try vpn connect - fails.
AFW+ log entry:
___
AppID :0
Application's Name: (root) - Applications running as root
Total Packets Blocked:1
[UDP]IP.of.my.vpntarget:500(1)
___
. disable - enable afw+ (just to see if a dis-enable cycle would solve it already - no)
. try connect vpn
. still blocking with same message
. !disable! afw+ by widget on homescreen
. try connect w/ afw !off!: vpn connects okay
. disconnect vpn
. !enable! afw+ by widget
. try connect vpn w/ afw !ON! :vpn connects okay
...and thereafter as often as I want until reboot.
Huh???
Any ideas? Can't bring up enough google-foo to find the cause/solution for this, sorry! Why would it need this "connect once without afw+"? And how do I get it to work straight away?
Brgds
L^2
afwall fix for superbeam
This is a solution to the problem reported below.
Markuzy said:
I've reported an issue with Wifi Direct using the SuperBeam app on github.
Shall post it here as well for your info and anyone who is interested.
Superbeam will fail if the sending device has AFWall+ installed and is in White list mode.
How to replicate:
1) Set whitelist mode in firewall
2) Select all checkboxes; in theory it should allow all apps
3) Share a file with Superbeam to trigger wifi direct.
4) Superbeam will fail to send any selected file.
My workaround:
1) Set to blacklist mode in firewall
2) Either leave all unchecked or just check your blacklist apps; in my case, I reversed the checkboxes from my whitelist mode.
3) Share a file with Superbeam to trigger wifi direct.
4) Superbeam will successfully send the selected file.
OR
1) Disable firewall.
2) Follow steps 3-4 from above.
Hi Markuzy, I had the same problem as you. I could only get Superbeam working when AFWall+ was disabled. I've found a solution using Custom Scripts from AFWall+ wiki page.
https://github.com/ukanth/afwall/wiki/CustomScripts
This was the script that worked for me. Replace the IP with the IP of the destination device. Fing is a great app for displaying all connected device IPs on the wireless network.
Code:
# Necessary at the beginning of each script!
IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables
# Now add your rules...
# Always allow connections to 192.168.0.1, no matter the interface
$IPTABLES -A "afwall" --destination "192.168.0.1" -j RETURN
Cheers
DNS blocked to USB tethered PC
First off, this is on an HTC One M8 Dev Edition (Sense) Lollipop release. Phone is S-off if matters. I am running AFWall+ 1.3.4.1 (Latest from the Play store).
The problem is that DNS requests appear to be blocked for USB tethering, no matter how I configure iptables. Something is ignoring/misconfiguring -11 (kernel), because when I checked the logs, they showed that process -11 (kernel) was blocked from sending UDP (DNS) to the tethered IP address. However, I specifically enabled the kernel, as well as -12 (tethering DHCP & DNS) and root apps for good measure.
However, it is JUST DNS. If I use an onboard terminal to nslookup the name, say "nslookup form.xda-developers.com", I can use the IP address from the tethered machine just fine. (well, I can't for XDA because it immediately redirects, which hangs on DNS lookup...) It appears that TCP isn't being blocked, just UDP. Further, local apps have no problem accessing the network in any way - it's just the USB tethered PC that is having trouble. I have not tried WiFi tethering yet.
I will add that I started with DroidWall, and migrated to AFWall+ when I found DroidWall wasn't listing all of the system services. I note that because I am still seeing references to droidwall in the iptables rule set. I'm not clear on how I can completely blow away the rules and start fresh (I thought enable/disable the firewall did that?)
I can clear up the problem by disabling the firewall entirely.
How to use real multi user?
Half answer:
Ok, I found out what's going on. The app is installed as uid u0_a123(10123). In the other users it runs as uids u10_a123(1010123) and u11_a123(1110123). AFwall is not aware of these uids and so I can't allow them. I guess you should either have an app-list per user, or a user list per app. Unless you want to deal with the switching (and to my preference) this should be maintained by the main user only.
Original question:
I have several AFwall profiles, for specific apps to which I want to rarely permit internet. You alternately refer to this as multi user, but I feel that's a totally different thing, as follows:
Now I have gone multi user (androidcoliseum.com/2014/01/how-to-enable-multi-user-profiles-on.html) and have created restricted Android profiles to run the same app in parallel with different settings.
The FW whitelistings that work in my main user, seem to disappear when I switch. I tried granting AFwall to the other profile (which was allowed), but your app is nonetheless not visible in the restricted profile. Probably the required root permission runs counter to the idea of restriction.
The dirty solution is to turn off the FW before switching, but I hate to do that. If it could be automated with tasker, that would be better than nothing, but anyway I couldn't figure out how. Any enlightenment or solution?
The FAQ mentions making it a system app, which would then hover above individual users? You don't elaborate why you discourage that.
Galaxy S3, CM11 november snapshot.
Lollipop and AFWALL+: No Wifi Location
Hello all,
after I have run Lollipop on my Nexus 5 for some time, I installed AFWALL+
After I set up the whitelist so that most things are working, I figured out that the wifi-based location is not working. Maps just displays a very coarse location when I'm within a building.
When I now disable the firewall or even uninstall AFWALL+ the location service is still not working.
Has anyone similar issues or a solution?
daxvex said:
I finally found some time to set up a dev environment. It seems that in Android L, the system service will try to connect to one of Google's services whenever WIFI becomes present to see if the WIFI interface actually has connectivity. [...]
I have been testing for a bit and it seems to work. Can the developer please review this and if ok with it, commit the fix and update so I can go back to using the version on Google Play. [...]
Have you had any response to this? Is it responsible for the wifi - exclamation mark issue?
Sent from my Nexus 4 using Tapatalk
What is the proper way to uninstall this app?
No response. Also the problem came back despite these changes and I haven't had time to debug further.
Sent from my Nexus 5 using XDA Free mobile app

[Ugoos X3 and probably a lot of other devices, and even NAS devices] [Solved] Why samba/smb transfer rate is slow despite a gigabit Ethernet port ?

Hello everyone,
For my first thread, I won't ask a question, I will post a solution.
I have recently acquired a second-hand Ugoos X3 device, which is quite a good device.
But I have been really frustrated upon testing it after unboxing it, because despite the fact that this device advertises a Gigabit ethernet port and a builtin samba server, my tests showed a maximum of 11,4 MiB/s instead of something like 114 MiB/s.
I started to identify the reason, with a vast amount of Googling. After realizing how many people on earth have already been through this (mostly unsolved) issue, and after testing the gigabit-readiness of my Ethernet cable, I dug into the rabbit hole of the system.
I then discovered the root causes, and you won't like them:
- the smbd binary dates from 2005
- the smb.conf is counter-optimized and dates from this 2005 era
See for yourself:
Code:
/data/system/samba_________________ug # ./smbd -V
Version 3.0.20a
Code:
[global]
interfaces = wlan0 eth0 eth1 eth2
min protocol = SMB2
bind interfaces only = yes
workgroup = WORKGROUP
server string = Samba on Android mediacenter
netbios name = mybox
#remote announce = 255.255.255.255
encrypt passwords = yes
security = SHARE
restrict anonymous = 0
load printers = no
printcap name = /dev/null
disable spoolss = yes
deadtime = 5
delete readonly = yes
nt acl support = no
inherit permissions = yes
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=64000 SO_RCVBUF=64000 SO_KEEPALIVE
local master = no
unix extensions = yes
[internal storage]
vfs objects = fake_perms
comment = mybox /sdcard
path = /sdcard
force user = root
read only = no
writable = yes
guest ok = yes
A lot of directives in this config file are totally deprecated, and the "socket options" line is responsible for capping at 11,4 MiB/s.
So after having spent this vast amount of time finding the issue, I took some to patch.
Here's my solution.
0) Root your device
1) Download the Termux compiled package of your device architecture of the "samba" package : https://grimler.se/termux-packages-24/pool/main/s/samba/
2) On your device, replace the smbd binary with the Termux one, at this location : "/data/system/samba_________________ug"
3) Replace the original "smb.conf" (same directory as before) configuration with this one (which by the way contains security hardening features and supports SMBv2, which avoids having to install SMBv1 on Windows...)
Code:
[global]
lock dir = /data/local/tmp/lock/
state directory = /data/local/tmp/state/
ncalrpc dir = /data/local/tmp/ncalrpc/
interfaces = wlan0 eth0 eth1 eth2
server min protocol = SMB2
bind interfaces only = yes
workgroup = WORKGROUP
server string = Samba on Android mediacenter
netbios name = mybox
server role = standalone server
security = user
map to guest = Bad Password
usershare allow guests = yes
load printers = no
printcap name = /dev/null
disable spoolss = yes
deadtime = 5
delete readonly = yes
nt acl support = no
inherit permissions = yes
local master = no
disable netbios = yes
smb ports = 445
lm announce = no
multicast dns register = no
[internal storage]
vfs objects = fake_perms
comment = mybox /sdcard
path = /sdcard
force user = root
read only = no
writable = yes
guest ok = yes
4) Edit the "smbd" binary calling line in the "samba-rc" launching script, with this one
Code:
$PRE/smbd -D -s /data/system/samba_________________ug/smb.conf
Reboot your device, you now have a best-of-breed samba server and configuration.
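As an added example (not from this post or from Ugoos), a small smb.conf linter that flags the directives the post calls out in the stock config (share-level security, the old "min protocol" name, fixed socket buffer sizes, NetBIOS left enabled) and confirms the replacement config clears them; the parser and both abbreviated configs are constructed here.

```python
"""Lint an smb.conf for the problems described in this thread and report
(key, message) findings for the [global] section. Parser and both sample
configs (abbreviated from the post) are constructed for this example."""
import re

# Constructed: abbreviated stock (2005-era) config from the post.
STOCK_CONF = """[global]
interfaces = wlan0 eth0 eth1 eth2
min protocol = SMB2
bind interfaces only = yes
encrypt passwords = yes
security = SHARE
restrict anonymous = 0
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=64000 SO_RCVBUF=64000 SO_KEEPALIVE
local master = no

[internal storage]
path = /sdcard
guest ok = yes
"""

# Constructed: abbreviated replacement config from the post.
FIXED_CONF = """[global]
interfaces = wlan0 eth0 eth1 eth2
server min protocol = SMB2
bind interfaces only = yes
server role = standalone server
security = user
map to guest = Bad Password
disable netbios = yes
smb ports = 445

[internal storage]
path = /sdcard
guest ok = yes
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}. Keys are lower-cased
    with internal whitespace collapsed; '#' and ';' comment lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def lint_smb_conf(text):
    """Checks in the order a reviewer would read the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("security", "").lower() == "share":
        findings.append(("security", "share-level security was removed in Samba 4; "
                         "use 'security = user' plus 'map to guest'"))
    if "min protocol" in g and "server min protocol" not in g:
        findings.append(("min protocol", "old directive name; the post sets "
                         "'server min protocol' instead"))
    floor = g.get("server min protocol", "").upper()
    if not floor.startswith(("SMB2", "SMB3")):
        findings.append(("server min protocol", "no SMB2 floor, so clients can "
                         "still negotiate SMB1"))
    if re.search(r"SO_(SND|RCV)BUF=\d+", g.get("socket options", "")):
        findings.append(("socket options", "fixed SO_SNDBUF/SO_RCVBUF sizes cap "
                         "throughput; drop them and let the kernel autotune"))
    if g.get("disable netbios", "no").lower() != "yes" or g.get("smb ports") != "445":
        findings.append(("disable netbios", "NetBIOS ports still served; set "
                         "'disable netbios = yes' and 'smb ports = 445'"))
    return findings


if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {len(lint_smb_conf(conf))} finding(s)")
        for key, msg in lint_smb_conf(conf):
            print(f"  {key}: {msg}")
```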
A simple but heartfelt message to Ugoos: update the packages you use in your image! We need more up-to-date binaries and configuration for your products! Provide firmware that does not require people to do insecure things such as installing the SMBv1 client on their client machines!
I am really grateful to these resources which helped a lot:
- https://lafibre.info/nas/perfs-moisies-avec-samba/ (sorry, in french, use google translate)
- https://serverfault.com/questions/470650/samba-configuration-for-public-shares/700449#700449
- https://blog.hiebl.cc/posts/why-your-samba-config-does-not-work/
Hello. According to your instructions with file replacement and line editing, the server becomes inoperable. The server activation checkbox is not activated in the ugoos settings. Please describe the actions in more detail or upload files for replacement.
Hello @Nereal-NeSkill,
As of step 1), try to perform a "pkg install samba" first with Termux.
Then, can you perform a "./samba-rc start" and paste here the output ?
Was a bit skeptical replacing the daemon but it works great!
