[Q] Audit of Root Exploits and Unofficial Bootloaders - Android Q&A, Help & Troubleshooting

Greetings XDA Forum,
This is a general question that should be in everyone's mind who might want to root a phone or tablet or any Android or other mobile OS device:
Is this root exploit or bootloader going to be spyware and collect any and all data of mine (login credentials, keylog my every character, account/bank numbers, identity information, use your evil imagination)?
So, I searched this forum for key words like "trust root" "secure root" "security" and found nothing related to this topic.
So, how am I to trust ANY of the root exploits or bootloaders created and posted to this forum for ANY device?
Have any of the developers developed an audit process using firewall rules to ensure that a posted root exploit or bootloader does not attempt to keylog, report captured information to some obscure IP address (thief/hacker's machine of course)?
Do any of these root exploits or bootloaders or custom unofficial builds of entire android (like Cyanogenmod and the 3rd party variants) get Security Audited?
How am I to believe that the whole lot of you making the root exploits and bootloaders are not a big community of identity thieves and financial fraudsters?
Am I just supposed to trust you?
Answer me that, folks
Aknor

I've never seen any root exploit that did as you say, if you're concerned pick apart the code and look for this, I've never seen anything of the like
As for bootloaders, there are very few devs that actually make or tweak bootloaders as a misstep will nearly for certain result in a brick. Almost every bootloader you will find is made by the OEM, if it's not, again feel free to pull apart the code and look for an issue, but I doubt it as this is far more advanced than most will ever become
As for custom ROMs, well this is the most possible out of all your worries, but again most ROM chefs here are not capable of inserting malicious code, and if it's an official build of a major team (cm, aokp, slim, etc) you are damn near 100% certain there is no issue, as for random ports made in the former USSR by KGB spies, well just don't flash their ROM and you'll be fine
But of course no one is forcing you to root your phone, flash their bootloader, or download their ROM, so if you're the paranoid type just get an iPhone, at least they're upfront about most of their evil ways

demkantor said:
> I've never seen any root exploit that did as you say, if you're concerned pick apart the code and look for this, I've never seen anything of the like
> As for bootloaders, there are very few devs that actually make or tweak bootloaders as a misstep will nearly for certain result in a brick. Almost every bootloader you will find is made by the OEM, if it's not, again feel free to pull apart the code and look for an issue, but I doubt it as this is far more advanced than most will ever become
> As for custom ROMs, well this is the most possible out of all your worries, but again most ROM chefs here are not capable of inserting malicious code, and if it's an official build of a major team (cm, aokp, slim, etc) you are damn near 100% certain there is no issue, as for random ports made in the former USSR by KGB spies, well just don't flash their ROM and you'll be fine
> But of course no one is forcing you to root your phone, flash their bootloader, or download their ROM, so if you're the paranoid type just get an iPhone, at least they're upfront about most of their evil ways
Okay, I can see that on the boot loaders, but more than just a few make the root exploits and custom builds of cyanogen or android for many, many devices. So, how am I to pick apart the code of these projects when they do not provide the source code for the builds? How would I even trust those builds after they are built? They could slip some malicious code in that they intentionally do not show in the public repository for the code and no one would ever know.
Sure this sounds very paranoid, but no one has really answered how or if at all any of these builds of unofficial android or cyanogenmod or the root exploits or the bootloaders can/would be tested for malicious code.
Think of it, something as small and innocuous as a keylogger with a simple, non threatening name, and all the while, it logs your every username and password, credit card number, 3-digit security code, bank account numbers, anything. How bad would that be, eh?
And you're not concerned these builds/exploits are not somehow security audited and we're all just supposed to trust them like blind sheep?
As more and more of these get built, it's only a matter of time before someone slips something like this into their build to take advantage of all those people who want to root their phone/tablet, or put an unofficial build of android on their device. Shame on that person who does it, of course, but to think somehow we could have audited the software and found out as a matter of course?
-- Aknor

Well there aren't that many root exploits and depending on the device you will be changing most if not all firmware and software directly after exploiting, but again just look at the code before you use it
As for keylogging etc from flashing a ROM, you would be surprised how many OEMs actually have some things that many would consider malicious and/or a breach of privacy.
As for a worry about flashing a custom ROM with bad code just stick to official builds or mod your own ROMs, no one is forcing you to flash anything in particular. But there are apps that are meant to look for malicious code. Feel free to use these to help protect you
I have flashed oh so many ROMs over the past 4 years or so and have never seen anything malicious, but I flash a lot of my own source built ROMs and mostly use ROMs on the higher end which tend to be from trusted sources such as recognized developers and people I work with. Also I'm not a paranoid person so I don't look into this sort of thing much, this means unfortunately I can't really give you much more than this
But best of luck to you and happy flashing!

Related

Malware in Custom Roms?

DISCLAIMER:
This is totally academic, and I only pose the question as that of mere curiosity.
In no way do I mean to accuse any developer here or elsewhere of intentionally or otherwise installing malicious software in our ROMs. Not trying to start a flame war or anything.
What is the possibility that a rogue ROM creator would or could install malicious content on one of our devices? What kind of things would we look for to indicate that our device may be compromised? Perhaps packet sniffing for the extra paranoid.
I am the type that, when I see something that doesn't look normal, I question it. That said, I am a very experienced Linux, *BSD, and Solaris administrator; but my experience with Android is just blooming. So I might not know where to look in the Android filesystem, or know which processes may be irregular.
I did some Googling but haven't found anything to indicate this has happened before (thank God). Are there self-checks in Android to prevent this from happening? Call me paranoid, but I just like to know what's going on.
Do the "anti-virus" softwares in the App market actually help with this?
Again just curious. I heard about some apps on the Market that Google had to remotely erase. And I believe I am correct in understanding that Google isn't as restrictive with its applications as Apple.
Any takes on this?
Antivirus and Task killers all that are garbage and slow your phone down. You won't have to worry about that happening on this site.
It depends if he/she is an asshole...
The first "viruses" for android were because people were downloading paid apps on the internet, from some site in china, that had viri put into those apps that people were downloading.
Just don't get on the bad side of a dev.
adrynalyne said:
> Just don't get on the bad side of a dev.
LOL! I'll make sure not to do that!
I know that task-killers are BS. I figured the anti-virus was a gimmick, too. As far as for self-replicating viruses on the phones I doubt that will occur.
I'm more worried about malware in the form of a sleeper-trojan that calls home with my personal phone information, or gets added to some jack-asses botnet for DDoSing.
That was a worry of mine when I first came to this site, but the devs I download from I find quite professional. I have since just started to dig into roms trying to port them to the tb, and compare the contents and begin to see what is normally packed in the zip. I have never found a dev on this site attempt to introduce malware. I have seen some intro warz but the site immediately banned them. The site has banned devs for not giving credit where credit is due, and opening multiple accounts in a way to circumvent the system.
This site is great for all, and they do their best to keep everyone honest.
I've been here and ppcgeeks for nearly 3 and 1/2 years, both with winmo and android, and I have never had an issue. It seems that these sites really do the best they can to catch things before they happen. Personally, I can't say enough about our devs. They're great, and they do a good bit of work for people who are honestly not thankful enough to them. I personally don't think you will ever have an issue, as I haven't. And I download tons of stuff from here and other places.
I think everyone is missing the OP's point. OP isn't asking if it's happening now or whether it's happening here.
Instead, the question concerns whether or not it's physically possible for malicious code to get executed after installing a custom ROM and/or kernel, assuming the developer of that ROM or Kernel was inclined to put some in there. Assuming it *is* possible, which I certainly believe it is, what if anything can be done by an experienced *NIX administrator to be aware of it?
Is your only option to 'trust' the developer of the ROM or Kernel, or are there things we can do with a running android system to know how well the live code is behaving?
I've always been curious of this myself. I am no advanced Linux administrator (yet), just an aspiring IT student. I would think the best people to ask would be the developers themselves, though.
funkybside said:
> I think everyone is missing the OP's point. OP isn't asking if it's happening now or whether it's happening here.
> Instead, the question concerns whether or not it's physically possible for malicious code to get executed after installing a custom ROM and/or kernel, assuming the developer of that ROM or Kernel was inclined to put some in there. Assuming it *is* possible, which I certainly believe it is, what if anything can be done by an experienced *NIX administrator to be aware of it?
> Is your only option to 'trust' the developer of the ROM or Kernel, or are there things we can do with a running android system to know how well the live code is behaving?
No one is missing the point, the op asked if it can happen in roms/kernels/etc. Roms/kernels/etc for the phone are distributed here, therefore he is asking if it can happen here or anywhere that devs create these things for our phones.
BTW an experienced Linux admin should already know how to check for these things
Actually I believe it has happened at least twice. Once by accident, and once there may have been malicious code put into a rom that was set as bait for code thieves.
The first one was stupid, an update agent was left in the rom, and an update got pushed that loaded the phone browser to a certain site (it was not a bad site either). This affected a VERY minor few, as you had to have a certain version of a rom, and have rebooted over a very specific point in time.
The latter I will not go into as I do not know the specifics, or the validity of any of what happened.
g00s3y said:
> No one is missing the point, the op asked if it can happen in roms/kernels/etc. Roms/kernels/etc for the phone are distributed here, therefore he is asking if it can happen here or anywhere that devs create these things for our phones.
> BTW an experienced Linux admin should already know how to check for these things
Sorry if my post offended you and no disrespect intended, but I think you are mistaken. The question of whether or not something "can happen" is fundamentally different from the question of whether or not anyone is actually doing it. Also, saying that any "experienced Linux admin should already know how to check for these things" is in poor taste; it's a personal attack that adds no value to the discussion. The idea here is to address the OP's question as a purely academic thought experiment; there is no implicit reference to the morality of the developers here...
Perhaps we should ask the same question in a different way:
If a net-sec researcher working at SANS wanted to test exploitation vectors against their own personal HTC Thunderbolt, is it physically possible for them to build a custom ROM and/or Kernel such that this custom module includes malicious code that executes automatically after being installed on the device?
I'd be highly surprised if anyone claims the answer is no. If the kernel itself is custom, anything the hardware can do is fair game...
Concerning the question of how to know if anything is happening, since we're talking about the firmware itself, it would be difficult to do anything in userspace with confidence. To be really sure, you'd likely need to sniff traffic (both mobile and wifi) as well as physically monitor the hardware's debug output (and perhaps even the circuit traces themselves). With a compromised kernel, you can't trust anything running through the operating system's APIs.
It's very doubtful that any reputable developer on XDA would do this. Impossible? No. But XDA is the kind of place where something like this would be discovered very quickly and spread like wildfire.
Now, some unknown developer, on a random website? While I haven't come across this yet, I'd say: More likely.
The question isn't concerning the likelihood of it occurring on XDA or elsewhere, it's specifically about whether or not it is technically possible to do it.
I think we can infer from everyone who is answering the unrelated question, i.e. Is it happening on XDA or anywhere else?, that yes, it is possible to insert malicious code into a ROM or kernel.
funkybside said:
> The question isn't concerning the likelihood of it occurring on XDA or elsewhere, it's specifically about whether or not it is technically possible to do it.
> I think we can infer from everyone who is answering the unrelated question, i.e. Is it happening on XDA or anywhere else?, that yes, it is possible to insert malicious code into a ROM or kernel.
I think you are right. As long as there is superuser access, then basically anyone with su can pretty much do anything to your phone.
At least that's my take on it.
I'm new to android in general and XDA in particular, so please forgive my ignorance (and yes I will try searching), but this makes me wonder: Do the established developers of custom ROMs and Kernels release their source code? I'd imagine the same terms of the GPL that require HTC to release their source would also require anyone building custom Kernels to do the same. Is this also true for ROMs?
I am an experienced *NIX administrator, and that's what makes me so paranoid. This kernel source isn't coming from a CVS tree that is being scrutinized by hundreds of developers, at least not to my knowledge.
I know how code can be injected into a kernel, into a module, pretty much anywhere. Should I run a diff on the kernel source tree to see what was changed? Could do that, but that may be time consuming. I've seen innocuous kernel modules altered to allow a gateway for elevating to UID 0 (and in fact, more often in Linux than in others.)
I'm pretty confident that the folks here on XDA aren't doing anything malicious: the following of these ROMs are too popular and very fluid, and I would expect something malicious to be found quickly.
Again this is just purely academic.
nerozehl said:
> I am an experienced *NIX administrator, and that's what makes me so paranoid. This kernel source isn't coming from a CVS tree that is being scrutinized by hundreds of developers, at least not to my knowledge.
> I know how code can be injected into a kernel, into a module, pretty much anywhere. Should I run a diff on the kernel source tree to see what was changed? Could do that, but that may be time consuming. I've seen innocuous kernel modules altered to allow a gateway for elevating to UID 0 (and in fact, more often in Linux than in others.)
> I'm pretty confident that the folks here on XDA aren't doing anything malicious: the following of these ROMs are too popular and very fluid, and I would expect something malicious to be found quickly.
> Again this is just purely academic.
Agreed that the likelihood of stuff here being questionable is low, but the simple fact that there is a non-zero risk certainly makes me think a little bit. You summed it up well and the examples are spot on - this is why I immediately wondered if developers here are publishing the source code on their customized versions. Ignoring the GPL angle, it's just good to know it's out there if it is, and by the same token, also good to know if it's not out there.
I have another question to add. I love miui, and to my understanding miui is made by Chinese developers and it is not open source, it is just translated and ported to our devices. If it is not open source, is there any way to know for sure?
I am a little bit wary of the security, although I love the rom. I trust all of the credible devs on xda, however I don't know anything about the Chinese devs developing miui. Would the devs porting miui be able to see the malware if it isn't open source?
It is definitely possible. I read a paper a while back that I've been referencing in my own research where some researchers compiled some kernel modules to do malicious tasks in the background without knowledge of the user, mind you this was on an open source linux based phone system similar to android. Basically compiled in root kits, which replacing your kernel/rom w/ a community developed system would result in possibilities of this occurring. The primary solution to preventing these things from ending up on your phone as well as keeping the Trojans and other malware on the android market come down to the same thing knowing your publisher and being careful what permissions you allow. Like stick to kernels/roms from reputable developers on XDA, and make sure your "movie player" doesn't have access to your SMS system and you'll be fine
Mind you my own research currently is in detection of malware/malicious code & anomalous behavior. As well as hopefully prevention techniques eventually.
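
Several posts in this thread mention comparing what is packed in a ROM zip, or running a diff against a known tree. The following is an added example, not code from any poster or project in the thread: it hashes every member of a candidate flashable zip against a reference build and lists what was added, changed, or stored twice under one name. The function names, the prefix list and the two sample archives are assumptions constructed for illustration.

```python
import hashlib
import io
import warnings
import zipfile
from collections import defaultdict

# Paths in a flashable zip whose contents run with high privilege on the device.
# Assumed list for illustration; extend it for the device and ROM layout at hand.
SENSITIVE_PREFIXES = (
    "boot.img",
    "META-INF/com/google/android/",   # updater binary and install script
    "system/bin/",
    "system/xbin/",
    "system/etc/init.d/",
    "system/lib/modules/",
)


def manifest(zip_bytes):
    """Map each member name to the SHA-256 digests of every entry using that name."""
    entries = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                # Read by ZipInfo, not by name, so duplicate names are all hashed.
                entries[info.filename].append(hashlib.sha256(zf.read(info)).hexdigest())
    return dict(entries)


def diff_roms(reference_zip, candidate_zip):
    """Compare a candidate ROM zip against a reference build, file by file."""
    ref, cand = manifest(reference_zip), manifest(candidate_zip)
    common = set(ref) & set(cand)
    return {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "changed": sorted(n for n in common if ref[n] != cand[n]),
        # Two entries with one name: different tools may unpack different content.
        "duplicates": sorted(n for n, digests in cand.items() if len(digests) > 1),
    }


def review_first(diff):
    """Added or changed files in privileged locations, to inspect before the rest."""
    touched = diff["added"] + diff["changed"]
    return sorted(n for n in touched if n.startswith(SENSITIVE_PREFIXES))


def build_zip(members):
    """Build an in-memory zip from (name, bytes) pairs; used for the sample data."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # the duplicate name below is intentional
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in members:
                zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (not real ROMs): a reference build and a port of it.
REFERENCE = build_zip([
    ("boot.img", b"kernel-A"),
    ("system/bin/sh", b"shell"),
    ("system/app/Browser.apk", b"browser-1"),
    ("system/build.prop", b"ro.build.id=REF"),
])
CANDIDATE = build_zip([
    ("boot.img", b"kernel-B"),
    ("system/bin/sh", b"shell"),
    ("system/app/Browser.apk", b"browser-1"),
    ("system/build.prop", b"ro.build.id=PORT"),
    ("system/xbin/su", b"su-binary"),
    ("system/etc/init.d/99update", b"#!/system/bin/sh\n"),
    ("system/app/Extra.apk", b"first copy"),
    ("system/app/Extra.apk", b"second copy"),
])

if __name__ == "__main__":
    result = diff_roms(REFERENCE, CANDIDATE)
    for kind, names in result.items():
        print(f"{kind}: {names}")
    print("review first:", review_first(result))
```

A file-level diff only shows where a build departs from the reference you chose; it says nothing about a kernel that is already flashed and running, which is the case one poster above says cannot be checked with confidence from userspace.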

[Q] Creating Kernel Source Not Kernel from source!!!!!!!!

Hello Everybody,
I just wanted ICS for my device, as we are still running on GB, which is an awful thing for a dual-core Tegra 2 device (Micromax A85, a rebranded mobile of the K-Touch w700/Cherry Magnum 2X). We tried to create an ICS build for our device but we failed, as we do not have kernel sources for our device and they haven't released a kernel for any device.
And so I started asking developers whether they can help us, and the only answer I got was no; they kept saying no way, your situation is hopeless and all that.
And now I just wanted to know: when a mobile is manufactured for the first time, they don't have any kernel source for it; they create it or develop it for the device. And if they can develop it, then why can't we develop it? We are all humans, and what they can do I can do. So please tell me now how to create kernels, not that you can't or that nothing can be done. And I think that XDA is a great site, and now I want to know whether there are real developers or just some kind of script kiddies present on XDA.
Now show me what developers have got; I know deep inside my mind that there are developers who can help me. They just need to be discovered!
Well....it is possible, but it's a ton of work and will take months...it's something no one wants to do for free, as the end result isn't worth all the work.
I'm no expert on kernels...I'm actually pretty new to them, but I'll tell you this: you have to identify every single chip in your device, you then need to implement their drivers...you need to make thousands of files....the end result is a folder that is over 100 MB....almost completely "text" documents....I would never even attempt it unless I was getting paid a lot of money...
The people who make these from scratch (manufacturers) typically have teams of people who are specialized who have gone through years of schooling and work to get where they are at now.
And keep in mind there are different kinds of development....don't start calling people script kiddies if they don't know how to make kernels from scratch...for all you know they could be one of the best app or game developers around...they are just specialized in a different area
I really dislike the way you are asking for help...you seem to be indirectly putting down a lot of people in the OP...and basically saying if you can't build a kernel from no source then you're not a developer...these people have jobs and lives, they don't have the time to make a kernel from nothing. The reason manufacturers are able to is because that is their job...that's what they do for hours a day everyday...
Anyways...try bugging the manufacturer for source...they have to release it or they are in violation of GLL (I think that's the name...) and they could get sued...as far as I know due to android being open source kernel source must always be released.
mg, it's GPL v2.0
mg2195 said:
> Well....it is possible, but it's a ton of work and will take months...it's something no one wants to do for free, as the end result isn't worth all the work.
> I'm no expert on kernels...I'm actually pretty new to them, but I'll tell you this: you have to identify every single chip in your device, you then need to implement their drivers...you need to make thousands of files....the end result is a folder that is over 100 MB....almost completely "text" documents....I would never even attempt it unless I was getting paid a lot of money...
> The people who make these from scratch (manufacturers) typically have teams of people who are specialized who have gone through years of schooling and work to get where they are at now.
> And keep in mind there are different kinds of development....don't start calling people script kiddies if they don't know how to make kernels from scratch...for all you know they could be one of the best app or game developers around...they are just specialized in a different area
> I really dislike the way you are asking for help...you seem to be indirectly putting down a lot of people in the OP...and basically saying if you can't build a kernel from no source then you're not a developer...these people have jobs and lives, they don't have the time to make a kernel from nothing. The reason manufacturers are able to is because that is their job...that's what they do for hours a day everyday...
> Anyways...try bugging the manufacturer for source...they have to release it or they are in violation of GLL (I think that's the name...) and they could get sued...as far as I know due to android being open source kernel source must always be released.
It's GPL my friend.
But to answer OP's question, taking the Linux kernel and configuring it to boot on a phone/tablet takes a HUGE amount of effort and time. This is something that paid developers do for companies like HTC or Samsung. It usually requires a whole team of developers who work on it months, or even years before the release of the device. Even then, the developers still continue to improve on the kernel and the manufacturer can release an OTA update. I'm not saying that it's impossible, but it is a task that is definitely not worth it. It's just better to ask the company for the kernel sources.

Custom Rom Security

I asked so many times and got no response... could someone explain to me IF custom roms are secure or not? I'm mainly talking about google account security.
Up
Yes! You are even more secure with a custom rom than with stock. You are perfectly fine. (Unless you download a rom on Windows from an untrusted dev and it contains a virus.) But that is highly unlikely. And only download Roms that people say "work"
But the thing I was thinking is:
OK, let's say... HTC could potentially put a keylogger in the software, BUT if people see it, well, they sell no more phones.
But a dev could put in a keylogger and even if someone eventually finds it, nothing happens; he doesn't get money from what he is doing and he could also be anonymous...
Possible, yes, but most devs here don't have any such nasty intentions. They're much more scrupulous than companies, mainly because they're doing it for the fun of it or as a hobby, out of their interest, and are not looking for profit. Donations are just a way for people to show their support and encourage development. You don't usually see a dev going around asking people for donations.
Yea... I understand, however I just don't want to wake up one day and see that someone has access to my Google account and I basically lost all my apps, mail, G+... I'm sure you understand, it's pretty scary. Other than custom ROMs, I fear that something like aahk (which I used to root my Desire HD) may be a source of future account security problems (also because they moved from xda).
Well if you're that paranoid then you shouldn't use custom ROMs or anything here on xda.
But that's not really a problem, because hardly any devs will do those kind of things. Also many devs completely open source their projects, and many of the big projects like CM and AOKP are open source too, with their source code fully viewable by anyone. So if anything funny was there in the code, people will find it. Custom ROMs are actually safer than stock in my opinion because they're very clean (google 'Carrier IQ'). Also, it is your responsibility as a user to be sure of what you're flashing/installing on your device. If you install some shady looking thing, then yes you might end up with problems, but if you read properly through the thread of what you're installing, read other people's posts and experiences and then go ahead, you'll have no problem. :thumbup:
AAHK is an excellent tool for unlocking the DHD. The developer attn1 was at one time a CM maintainer for this phone too. The reason he went away from xda was because of some argument with moderators. Most of the people here are anything but stupid. We wouldn't go around recommending AAHK to unlock the phone if it was insecure. Some amount of common sense and trust is required if you want to be part of this community and try out all the great ROMs and stuff. If you're that untrustworthy of even reputed developers, then you're better off with stock (though like I said, not safer. Read about Carrier IQ).
Also, regarding your concerns about Google accounts and services, some of the ROMs here like the Sense ROMs come with all the Google apps included, while most of the AOSP ROMs like CM, AOKP, codefireX need the Google apps (gapps) package to be flashed separately after flashing the ROM. The Google apps zip contains all the stuff from the initial Google setup of the phone to the parts required to sync Google account data and other stuff like Google Talk and Gmail. These are all closed source apps made by Google, so it's not possible to modify them and insert any code for nefarious purposes. They come as-is from Google. So regardless of which ROM they're being used with, they cannot be tampered with and your Google account data will always be safe unless you are victim to an email phishing scam or something like that.

Is It Foolish To Install an XDA Custom ROM?

I've gone through several rooting procedures on the XDA forums over the years. In the most recent one I tried to root my HTC Desire C (CDMA). It turns out that I nearly hosed the phone when I installed bootloaders that some senior members on here promoted with full confidence to users, yet neglected to ask if the user had a CDMA phone.
There is a thread on the HTC Desire C where a senior member provides a hacked version of a bootloader and ROM. The user then responds (on page 2 or 3 of 11+ pages) that their phone can't get beyond the 'dev bootloader', and effectively the senior member has provided a patch which hosed at least a few phones.
Subsequent threads appear which show users in the same situation I was in after applying the XDA hacks. After hours of researching I found a workable bootloader and managed to get it flashed, and get my phone rooted. I doubt many people will be able to reproduce my results and get the phone rooted. I expect most people will give up on rooting, consider the phone locked, and just avoid going anywhere near the bootloader again.
Furthermore, the bootloader I downloaded in at least one thread for the HTC Desire C has an HTC Legal Message that causes concern on how the uploaded patch was originally obtained - i.e. was it obtained legally?
After spending ~12 hours learning all of the above, I embarked on seeing what XDA developers say is involved with creating a custom ROM. I was shocked. Even the most well-documented processes are incredibly horrid. They involve hacking binary files, fudging package names, and more sketchy procedures that any Android Engineer would expect to leave the OS in an unstable state; for example not using zipalign on system apps.
Any software engineer using binary-file hacking would expect to be unable to fix bugs in the software. To fix bugs efficiently and reliably (i.e. test and prove the bug is fixed), a software engineer needs source code.
But worst of all, the custom ROM and bootloader binaries have code that not even the author knows the origin of, as demonstrated in the Custom ROM developer guides/postings. If HTC or Google have tracking code in a binary, the custom ROM will have it too. If there is malware in the binary that might steal their passwords or other identification, the user has no way of knowing.
I've seen at least three (3) instances of supposedly popular XDA ROMs where a hacker has taken an existing ROM, hacked its binary files for the new target device, fixed no bugs in the previous ROM, and introduced new ones in theirs. I've even seen ROM developers criticize other ROM developers for not fixing bugs, and then when I investigated the ROM from the complainant, I found they didn't fix any bugs either. Of course not, it appears to me the majority (all) of the hackers on XDA use binary files to create custom ROMs, with some hacking of text, XML (layouts, values, assets), and other text files - but not any actual JNI-C or Java code.
These custom ROMs are not open source. I'm skeptical they're even legally complying with the open source licenses in the original code. It is certain that any and all files used for the development of a custom ROM available from XDA are also obligated to follow the Apache2 license that governs the OS build (I'm not sure which licenses cover the bootloaders), yet it's quite difficult on XDA to find links to custom ROM source files.
That latter point makes the entire process of hacking binary files to generate a custom ROM completely untrustworthy. Contrast this with CyanogenMod which provides (or attempts to provide) techniques to build custom Android ROMs from source, and which provides a lineage of ROMs with stability ratings.
It doesn't benefit an open-source community to propagate software with bugs, lacking sources, and possibly in violation of licensing. Since this forum is not a Q&A thread, I won't ask people to stop, I'll demand it. Since that never works, I would have to wish XDA the shortest lifespan possible. Delete this thread and I'll post it elsewhere, where XDA users can't comment.
Although I agree with 95% of your post, it seems a bit harsh to condemn the entire community. Maybe you could actively participate in setting a higher standard?
Sent from my LG-MS840 using xda app-developers app
Well, let's say we have approximately 2 new persons attempting development. Which means, they are trying to be future developers which also means, they may not know certain things on development. In the past, the standard was high because, there were only 5 devs per device and the rest the users. They never cared how the dev made the rom.
But the case today is, everybody needs to know everything. Which naturally makes them to attempt. So naturally, there is an increasing number of imperfect works which will gradually get perfect when the dev gains knowledge from his experience.
And for licensing, android is made open source by google and gives permission to edit the source and release them as long as the brand "Android" is used. It never states that the works should be open sourced always. Example: android gives source to Samsung, HTC and Sony. And these OEMs make use of that code and add their own code and release their own software on new phones. But do they provide source? No. Do they include malware? No.
But how do you believe them that it's not malicious or legal? Because you pay them $$$$ for their work and not even a $ for the custom rom developer? At last, it only depends on you and how you think.
And for CM being open source, CyanogenMod works on android source code and makes custom roms (just as OEMs do) and it has chosen to go open source and hence it is. But other custom roms than AOSP/AOKP people work on roms provided by OEMs. In that case, they cannot provide source though they wish to do it because, they don't have source of the OEM rom. Instead, they work on dalvik code, already compiled apk, already compiled framework etc...
Hope I have made you clear?
Sent from my GT-N7000 using xda app-developers app
Catharsis much?
Sigh... (Lip bit. And, edited..)
Sent from my MB865 using XDA Premium 4 mobile app

[Q] Custom ROM for LG Optimus Vu (P895)

Hi everyone
I have an LG Optimus Vu device and due to LG's tremendous support for this phone, the operating system is still ICS and the kernel version is 2.6.39 (even the I/O scheduler for this phone is set to noop, and there aren't any alternatives :| ). It could be all good and well if there aren't hundreds of crashes appearing every day about different applications, which is driving me crazy. I've searched and searched and it seems that there are no custom ROMs for this phone, nor is there any custom recovery application. I could barely find an application to root this phone.
To get to the point; I'm considering to make a custom ROM for this phone, but I am a noob in these kind of stuff.
I have the kernel source and the original ROM zip file. Since the original OS version is 4.0.4, is it possible to bring the required proprietary drivers from the original and use it in a newer Android version like 4.4.x?
Can I use Google's recent Tegra 3 kernel (3.10) and port those LG specific drivers from the older kernel?
Am I even starting this process in the correct way?
Any help is appreciated.
set-0 said:
> Hi everyone
> I have an LG Optimus Vu device and due to LG's tremendous support for this phone, the operating system is still ICS and the kernel version is 2.6.39 (even the I/O scheduler for this phone is set to noop, and there aren't any alternatives :| ). It could be all good and well if there aren't hundreds of crashes appearing every day about different applications, which is driving me crazy. I've searched and searched and it seems that there are no custom ROMs for this phone, nor is there any custom recovery application. I could barely find an application to root this phone.
> To get to the point; I'm considering to make a custom ROM for this phone, but I am a noob in these kind of stuff.
> I have the kernel source and the original ROM zip file. Since the original OS version is 4.0.4, is it possible to bring the required proprietary drivers from the original and use it in a newer Android version like 4.4.x?
> Can I use Google's recent Tegra 3 kernel (3.10) and port those LG specific drivers from the older kernel?
> Am I even starting this process in the correct way?
> Any help is appreciated.
Hate to be the bearer of bad news, but you're pretty much stuck. LG has locked the bootloader on it and has said they have no plans on unlocking it. Since the phone is around a year and a half old or older, I'd imagine they aren't going to change their minds all of a sudden for the relatively small amount of people still using the phone.
http://forum.xda-developers.com/showthread.php?t=2055272 - discussion about your phone here
FYI
What is a bootloader?
The bootloader is the first thing that starts up when a phone is turned on. At its most basic level, a bootloader is the low-level software on your phone that keeps you from breaking it. It is used to check and verify the software running on your phone before it loads. Think of it like a security guard scanning all the code to make sure everything is in order. If you were to try to load software onto the phone that was not properly signed by the device vendor, the bootloader would detect that and refuse to install it on the device.
When we speak about locked bootloaders, the context is often used to give meaning to the term “locked.” Almost all phones ship from the factory with locked bootloaders, but some are encrypted as well. It is this encryption that most reports are referring to when using the term “locked.” If a bootloader is encrypted, users can’t unlock it to load custom software of any sort. The device will be restricted to running software ROMs provided by the manufacturer.
Now, there are ways to unlock or circumvent bootloaders in special situations, but with ones that have no dev support like yours, it's pretty much a lost cause and most likely way beyond your capabilities to figure out without spending 100s of hours of learning about Android stuff. This is not a knock on you or anything of the sort, but it is what it is. It is a very difficult thing to figure out encrypted bootloaders even for the most experienced android developers and hackers and depending on how they are encrypted, there just might not be a way (ask the older Moto phones, especially from VZW).
es0tericcha0s said:
> Hate to be the bearer of bad news, but you're pretty much stuck. LG has locked the bootloader on it and has said they have no plans on unlocking it. Since the phone is around a year and a half old or older, I'd imagine they aren't going to change their minds all of a sudden for the relatively small amount of people still using the phone.
> ...
> Now, there are ways to unlock or circumvent bootloaders in special situations, but with ones that have no dev support like yours, it's pretty much a lost cause and most likely way beyond your capabilities to figure out without spending 100s of hours of learning about Android stuff. This is not a knock on you or anything of the sort, but it is what it is. It is a very difficult thing to figure out encrypted bootloaders even for the most experienced android developers and hackers and depending on how they are encrypted, there just might not be a way (ask the older Moto phones, especially from VZW).
Two thumbs up for the detailed reply.
Shame really. The phone was released in November 2012 but there wasn't a single OS update...
I guess I would have to give up on that, but I'm interested in system level developments for both Android and desktop systems. Any idea where to start?
set-0 said:
> Two thumbs up for the detailed reply.
> Shame really. The phone was released in November 2012 but there wasn't a single OS update...
> I guess I would have to give up on that, but I'm interested in system level developments for both Android and desktop systems. Any idea where to start?
Yea, it does suck. That's one of the downfalls to making 8 million different phones. You have no incentive ($$$), no interest, and no manpower to be able to update them all in a reasonable fashion. But it's not like LG is alone. All of the manufacturers have had decent phones just...disappear in regards to updates or anything of the sort.
As far as getting started, there is a ton of info right here on XDA:
http://xda-university.com/
Modify hashes?
Hi!
Sorry for digging out a dead thread, but for the p895 probably all threads are more or less dead...
I wonder if it is really necessary to decrypt the bootloader. Since it must be able to boot different versions of the stock roms, it would probably only calculate a hash value of some files and compare that to a value stored elsewhere.
By comparing different versions of stock roms it might be possible to get some information about what files are hashed. If it is a standard hash algorithm and the comparison value the bootloader uses is stored in plain text (hope....!) there might be an attack vector in comparing several known plain texts.
I also noticed that the p895 has a "software integrity check" in the hidden menu that shows hash values for some (a lot) of files. These hash values are likely already calculated when entering that menu option (I am pretty certain because they show immediately), so they might belong to the files checked at boot time and also hint to the hash algorithm used.
The idea is to calculate a hash value for the custom rom and put it in the appropriate place so the bootloader thinks of the rom as an update.
These are just vague ideas, but I have no intention whatsoever to buy a new phone anytime soon and I guess I could as well spend "some" time tinkering and learning the tech details...
thank you!
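Added example (not from any poster in this thread and not LG's code): the check described earlier in the thread, software "properly signed by the device vendor", set beside a bare hash list stored next to the image. The toy RSA key, file names and function names are constructed for illustration, and nothing here reflects how the P895 actually verifies its software.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes. Far too small for
# real use, and real verified boot uses padded signatures, not raw RSA.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public half: the only part on the device
D = pow(E, -1, (P - 1) * (Q - 1))    # private half: stays with the vendor


def manifest(files):
    """Canonical 'name sha256' listing of every file in the image."""
    rows = (f"{name} {hashlib.sha256(files[name]).hexdigest()}" for name in sorted(files))
    return "\n".join(rows).encode()


def digest_int(data):
    """SHA-256 of data as an integer reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def vendor_sign(files):
    """Vendor side: sign the manifest digest with the private exponent."""
    return pow(digest_int(manifest(files)), D, N)


def hash_only_check(files, stored_manifest):
    """Weak design: trust a hash list stored beside the image, no key involved."""
    return manifest(files) == stored_manifest


def signed_check(files, signature):
    """Device side: recompute the manifest, verify it with the public key."""
    return pow(signature, E, N) == digest_int(manifest(files))


def demo():
    stock = {"boot.img": b"stock kernel", "system.img": b"stock system"}  # constructed
    signature, stored = vendor_sign(stock), manifest(stock)
    modified = dict(stock, **{"system.img": b"modified system"})
    return {
        "stock_signed": signed_check(stock, signature),
        "modified_signed": signed_check(modified, signature),
        "modified_vs_old_list": hash_only_check(modified, stored),
        "modified_vs_rewritten_list": hash_only_check(modified, manifest(modified)),
    }


if __name__ == "__main__":
    print(demo())
```

A hash list on its own only detects accidental corruption; it is the signature over that list that ties the image to the vendor's key.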
