[Q] Android Masterkey Exploit Implementation Error - Android Q&A, Help & Troubleshooting

Hi guys,
I had recently started studying Android exploits and came across the Android Masterkey vulnerability. I decided to try it out on my own. To see how exactly it works, I decided to test it out on the PoC code provided by Poliva. However, I am facing difficulties in implementation, as I get the following error while trying to install the modified apk
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]
while the normal apk works and installs completely.
I have tested this on Android 4.2.2 and 2.2 emulators as well as on a device running 4.2.2.
In addition, I also tested that my original apk is signed, using jarsigner -verify.
However, the modified apk gives the following error
error java.lang.SecurityException: SHA1 digest error for res/layout/activity_main.xml
How should I proceed?
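The Master Key bug is a disagreement between two ZIP parsers about which entry a name refers to when the archive contains that name twice. The Python below is an added example, not Poliva's PoC and not Android code: it writes a ZIP in which one path appears twice, walks the central directory by hand, and shows a "first entry wins" lookup and a "last entry wins" lookup (a dict keyed by name, the way a hash map overwrites) returning different bytes for the same name, so a verifier using one policy passes while a loader using the other gets the injected content. The assignment of policies in verify_then_load (verifier last wins, loader first wins) follows the public write-ups of the bug and is an assumption here, not something this thread states; the entry name and contents are constructed.

```python
"""Two ZIP lookup policies disagreeing on a duplicate entry (added example)."""
import hashlib
import io
import struct
import warnings
import zipfile
import zlib

EOCD_SIG = 0x06054B50   # end of central directory
CDH_SIG = 0x02014B50    # central directory file header
LFH_SIG = 0x04034B50    # local file header


def build_duplicate_zip(name, first_bytes, second_bytes):
    """Constructed sample: a ZIP in which `name` appears twice, `first_bytes` first."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile only warns about "Duplicate name"
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, first_bytes)
            zf.writestr(name, second_bytes)
    return buf.getvalue()


def central_directory(data):
    """Yield (name, local_header_offset) in central-directory order, duplicates included."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_off, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    pos = cd_off
    for _ in range(count):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if f[0] != CDH_SIG:
            raise ValueError("bad central directory header")
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8")
        yield name, local_off
        pos += 46 + name_len + extra_len + comment_len


def read_entry(data, local_off):
    """Decompress the file body that a local file header points at."""
    f = struct.unpack_from("<IHHHHHIIIHH", data, local_off)
    if f[0] != LFH_SIG:
        raise ValueError("bad local file header")
    method, csize, name_len, extra_len = f[3], f[7], f[9], f[10]
    start = local_off + 30 + name_len + extra_len
    body = data[start:start + csize]
    if method == 0:
        return body
    if method == 8:
        return zlib.decompress(body, -15)  # raw deflate, no zlib header
    raise ValueError(f"unsupported compression method {method}")


def lookup_first(data, name):
    """Policy A: the first central-directory entry with this name wins."""
    for entry_name, off in central_directory(data):
        if entry_name == name:
            return read_entry(data, off)
    raise KeyError(name)


def lookup_last(data, name):
    """Policy B: a dict keyed by name, so a later duplicate silently overwrites."""
    table = {}
    for entry_name, off in central_directory(data):
        table[entry_name] = off
    return read_entry(data, table[name])


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def verify_then_load(data, name, expected_sha1_hex):
    """Verifier uses policy B (last wins); loader uses policy A (first wins).
    Returns (verification_passed, bytes_the_loader_actually_uses). The split
    of policies between verifier and loader is this example's assumption."""
    verified = sha1_hex(lookup_last(data, name)) == expected_sha1_hex
    return verified, lookup_first(data, name)
```

With the original content as the second entry and a modified copy first, the digest check over the last entry passes while the first-wins reader returns the modified bytes; with the order swapped, the verifier sees the modified file and reports a digest mismatch for that entry.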

Related

[Q] Help working with AOSP Source in Eclipse

I have been trying to import the android source into Eclipse (the entire root directory along with all of the files and subdirectories) as a single project as specified here in the AOSP documentation: http://source.android.com/source/using-eclipse.html
No matter what I do though, I end up with hundreds, if not thousands of errors. I have the latest Android SDK, have tried to set the build path to use either Android 4.2 AOSP APIs or Google SDK 4.2 APIs to no avail. I have also tried importing it as an Android Project and a standard Java project. I have followed all instructions for setting up the build environment correctly and checked to make sure it builds correctly using make.
I have tried to remove the sample code packages but am met with the same result.
I usually make changes directly to the file in a simple text editor like gedit but I wanted to use Eclipse to do error checking and validation.
Anyone know how to successfully get and build the android source in Eclipse? ANY help is greatly appreciated.
P.S
I am using Mint 64bit and Eclipse Juno
My first question would be, are you able to create a new Android application project that compiles successfully?

[Q] Signing as a system app - failed to install - CyanogenMod

Hi!
I'm preparing a plugin for a ROM vendor (a small phone manufacturer) and I need this plugin to have system permission. I've tested this on a rooted CyanogenMod install by putting the app into the /system/priv-app directory and it works.
Taking this a step further, I signed the application with Cyanogenmod platform keys from the source repository (platform.pk8 and platform.x509.pem). I've successfully verified that the key used to sign release build is indeed the one from platform.x509.pem.
When I try to install this application via "adb install" I get the following error: Failure [INSTALL_FAILED_INVALID_INSTALL_LOCATION]
Investigating further, it seems that installation of applications signed with platform key is not allowed (anymore): http://stackoverflow.com/questions/...o-install-a-platform-signed-app-to-user-space
Looking in the source of PackageManagerService.java in the current Android source[1], I don't see this restriction, but I do see it in the CyanogenMod source tree[2] with this commit[3].
The question is: is this the correct approach for non-CM ROMs? What is the preferred way to work around this for CM (apart from building a custom ROM and removing this piece of code, that is)?
Regards,
Miha.
[1]: http://grepcode.com/file/repository...android/server/pm/PackageManagerService.java/
[2]: https://github.com/CyanogenMod/andr...id/server/pm/PackageManagerService.java#L4592
[3]: https://github.com/CyanogenMod/andr...mmit/6b6ca8c8b2c11de5aed6d3df00729e69f34297f6
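Signing with the platform key is done with AOSP's signapk (java -jar signapk.jar platform.x509.pem platform.pk8 in.apk out.apk). The check the post mentions, that the APK really carries the platform certificate, can be done without a JVM: a PKCS#7 SignedData block embeds its signer certificates as verbatim DER, so the DER form of platform.x509.pem must appear byte-for-byte inside META-INF/CERT.RSA. The Python below is an added example, not from this thread or from AOSP; it covers v1 (JAR) signatures only, and a byte match identifies the signer but does not validate the signature (jarsigner -verify does that). The stand-in APK and certificate bytes are constructed, and build_sample_apk, der_to_pem and the other names are this example's own.

```python
"""Which certificate signed a JAR-signed (v1) APK (added example)."""
import base64
import hashlib
import io
import textwrap
import zipfile


def pem_to_der(pem_text):
    """Strip the PEM armour of a certificate (e.g. platform.x509.pem) -> DER bytes."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der):
    """Inverse of pem_to_der, used to build sample input."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def cert_fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form keytool -printcert shows."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def signature_blocks(apk_bytes):
    """{name: bytes} for the PKCS#7 signature blocks of a v1-signed APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()
                if n.startswith("META-INF/")
                and n.upper().endswith((".RSA", ".DSA", ".EC"))}


def apk_signed_with(apk_bytes, pem_text):
    """True if the certificate in pem_text is embedded in one of the APK's
    signature blocks. Identifies the signer; does not verify the signature."""
    der = pem_to_der(pem_text)
    return any(der in blob for blob in signature_blocks(apk_bytes).values())


def build_sample_apk(signature_block):
    """Constructed stand-in for a v1-signed APK: only the parts this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed placeholder")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", signature_block)
    return buf.getvalue()
```

On a real APK, signature_blocks reads the block jarsigner wrote; compare cert_fingerprint(pem_to_der(open("platform.x509.pem").read())) with what keytool -printcert -file platform.x509.pem prints to make sure the PEM you are checking against is the one you think it is.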

[Q] Issue with installing an app

Hi everyone,
I'm new on xda and I come here because I struggle to install this app on my rooted Galaxy S4 with CyanogenMod 11: "Paiement mobile (pour Orange)" (sorry, I'm new, so I cannot post urls).
In fact, this app has not been declared by the devs (on Google Play) to be compatible with my phone, despite the fact that I have the specs to run it (NFC payment).
I asked a friend who was able to download the app to upload it on Aptoide, giving me the opportunity to download the apk on my phone (this apk is available in this thread). I tried to install it, but I get the following error: "app not installed".
I would like to force the installation of the app. I tried many ways, like using apps that use root access on the phone, without success (for example, I tried with "System Apps Installer" on the Google Play, but I get a problem with mounting /system). I also tried to install it with the command line tool, but I get the error "[install_failed_invalid_uri]". I tried to change the permission of the /data/local directory and /data/local/tmp with ES file explorer, but it did not change anything.
In addition to this, I'm not able to enable USB debugging in the developer options (to install the apk with adb), because every time I activate the option, it becomes disabled in the following seconds.
It seems to be a little bit complicated, because I seem to have different problems, but I hope that someone here will be able to help me !
Thanks for your help,
Aquignis.
The issue is most likely CM. They alter things, so some that normally work no longer work.
I succeeded in solving the "[install_failed_invalid_uri]" error in the command line tool by also changing the permissions of /data.
After that, I got another error (yes, one more, but the last) that made me discover what the real problem is in this situation: "install_failed_missing_shared_library". By doing some research on the web and exploring the apk, I understood that the app uses a library called "org.simalliance.openmobileapi" that corresponds to the work of SIMalliance, who developed an API called "Open Mobile API", which notably enables communication with NFC SIM cards and must be integrated into the build of the ROM. This system is used by many banks in Europe and has been integrated in the stock ROM of many NFC devices by the important manufacturers, but not by CyanogenMod devs in the last stable release of CM 11 for the Galaxy S4.
Like you said, the problem was CM.
I asked them if it has been integrated in CM 12, because that is why the app is said to be incompatible with my device by Google Play which automatically checks which libraries are installed on your device (I'm waiting for their answer). The other solution would be to add the library to the CM build by myself, because it seems not to be very complicated, but I'm not qualified enough to do this !
If it is not part of AOSP I wouldn't count on it being added, to be honest. Not to mention most banking apps refuse to work if the ROM has root, as it can cause security issues.
Yes, the root seems to be a problem with some apps according to the work of this man.
On the other hand, I think that this API is important enough to make CM devs pay attention to it, because it is used in many countries (except the USA which use only HCE, I believe). If only I was able to build it myself !
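INSTALL_FAILED_MISSING_SHARED_LIBRARY is PackageManager refusing the install because a <uses-library> the manifest marks as required is not declared by any file under /system/etc/permissions/ (each such file declares <library name="..." file="..."/>). The Python below is an added example, not from this thread or from Android: it reads the uses-library lines of aapt dump badging output and the library declarations from the permission XML files, and lists the required libraries a ROM lacks. The badging text, the XML snippets and the package name are constructed; a library the app marks android:required="false" shows up as uses-library-not-required and does not block installation.

```python
"""Match an APK's <uses-library> needs against a ROM's declared libraries (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of `aapt dump badging app.apk` output; the package name is made up.
SAMPLE_BADGING = """\
package: name='com.example.nfcpay' versionCode='7' versionName='1.2'
uses-permission: name='android.permission.NFC'
uses-library:'org.simalliance.openmobileapi'
uses-library-not-required:'com.google.android.maps'
"""

# Constructed stand-ins for files under /system/etc/permissions/ on two ROMs.
STOCK_PERMISSIONS = [
    """<permissions>
         <library name="org.simalliance.openmobileapi"
                  file="/system/framework/org.simalliance.openmobileapi.jar"/>
       </permissions>""",
]
CM_PERMISSIONS = [
    """<permissions>
         <library name="com.android.location.provider"
                  file="/system/framework/com.android.location.provider.jar"/>
       </permissions>""",
]

_USES_LIB = re.compile(r"^uses-library(-not-required)?:'([^']+)'", re.MULTILINE)


def required_libraries(badging_text):
    """Parse badging output -> [(library name, required)], in manifest order."""
    return [(name, not optional) for optional, name in _USES_LIB.findall(badging_text)]


def declared_libraries(permission_xml_texts):
    """Collect <library name=... file=.../> declarations -> {name: jar path}."""
    libs = {}
    for text in permission_xml_texts:
        for lib in ET.fromstring(text).iter("library"):
            if lib.get("name"):
                libs[lib.get("name")] = lib.get("file")
    return libs


def missing_libraries(badging_text, permission_xml_texts):
    """Required libraries the ROM does not declare. A non-empty result is what
    PackageManager reports as INSTALL_FAILED_MISSING_SHARED_LIBRARY."""
    declared = declared_libraries(permission_xml_texts)
    return [name for name, required in required_libraries(badging_text)
            if required and name not in declared]
```

To run it against a real device, save aapt dump badging output for the APK and adb pull /system/etc/permissions, then feed the file contents to missing_libraries; a declared library must also actually exist at the jar path it names.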

UnsatisfiedLinkError : Android 6+ compatibility for legacy apk ? (dlopen failed)

Hello XDA World
I have a third-party legacy app that works on Android up to 5.1, that is no longer maintained and I only have the apk and not the source code.
On Android 6+ the following error occurs: java.lang.UnsatisfiedLinkError: dlopen failed: cannot locate symbol "_ZN7android6Parcel13writeString16EPKtj"
It seems to be the same error that was investigated and solved by mickybart on the post https://forum.xda-developers.com/showpost.php?p=63288490&postcount=2863 for another app.
Unfortunately I don't really have the background and skills to understand and solve this error myself.
My questions are :
- Is there a way to solve this missing symbol issue for a third-party app without having the source code of the app?
- Would this require disassembling and reverse engineering the app?
- Or would it be possible to add some library to Android 6+ that would restore the missing symbol?
- Or using some kind of wrapper around the app to provide the missing link?
- If one of the above solutions is possible, would it be possible to install / run the app without rooting the phone?
- Or would this require root, or building a custom AOSP / LineageOS ROM to insert the missing symbol / library?
Any help, idea, hint are welcome
Thank you !
Additional questions
The missing function / symbol seems to be inside libbinder.so
Do you have more information about this library ? How critical is it for the whole system ?
Do you think there is any chance of success replacing the Android 6+ library in /system/lib with an older lib version from Android 5.1 if I got root access to the phone or using TWRP file manager ?
Would this risk to totally brick the phone ? If replacing the lib doesn't work, would I be able to revert to the old config ?
Also, is there a way in Android to force an app to use another lib than the regular one stored in /system/lib ?
something like changing the path or the name of the lib, or, like in Windows, copying the DLL inside the folder of the app...
Thank you !
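The symbol in the error is an Itanium C++ ABI mangled name, and what it encodes is the parameter types, which is exactly what changes between Android versions when a type in a function signature changes. c++filt decodes it as android::Parcel::writeString16(unsigned short const*, unsigned int). The Python below is an added example, not from this thread: a minimal demangler for plain nested names and builtin parameter types (no templates, substitutions or special names), plus a diff of the symbols a native library imports against what the system library exports, the lists being what nm -D --undefined-only and nm -D --defined-only print. The sample symbol lists are constructed; that Android 6 exports the char16_t variant _ZN7android6Parcel13writeString16EPKDsj instead is my assumption from the char16_t change in AOSP and should be checked against the device's libbinder.so.

```python
"""Reading Itanium-ABI mangled symbols and diffing imports against exports (added example)."""

BUILTIN = {
    "v": "void", "b": "bool", "c": "char", "a": "signed char", "h": "unsigned char",
    "s": "short", "t": "unsigned short", "i": "int", "j": "unsigned int",
    "l": "long", "m": "unsigned long", "x": "long long", "y": "unsigned long long",
    "f": "float", "d": "double", "z": "...",
    "Ds": "char16_t", "Di": "char32_t", "Dn": "decltype(nullptr)",
}


class _Demangler:
    """Subset: nested source names, builtin or class parameter types, P/R/K/V.
    Anything else (templates, S_ substitutions, operators) is rejected, not guessed."""

    def __init__(self, text):
        self.s = text
        self.i = 0

    def _peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def _number(self):
        start = self.i
        while self._peek().isdigit():
            self.i += 1
        if start == self.i:
            raise ValueError(f"expected a length at offset {self.i}")
        return int(self.s[start:self.i])

    def _source_name(self):
        n = self._number()
        name = self.s[self.i:self.i + n]
        self.i += n
        return name

    def name(self):
        if self._peek() != "N":              # unscoped name: <length><identifier>
            return self._source_name()
        self.i += 1                          # N ... E wraps a nested name
        parts = []
        while self._peek() != "E":
            parts.append(self._source_name())
        self.i += 1
        return "::".join(parts)

    def type(self):
        c = self._peek()
        if c == "P":
            self.i += 1
            return self.type() + "*"
        if c == "R":
            self.i += 1
            return self.type() + "&"
        if c == "K":
            self.i += 1
            return self.type() + " const"
        if c == "V":
            self.i += 1
            return self.type() + " volatile"
        if c.isdigit():                      # class type by name
            return self._source_name()
        code = self.s[self.i:self.i + 2] if c == "D" else c
        if code not in BUILTIN:
            raise ValueError(f"unsupported type code {code!r} at offset {self.i}")
        self.i += len(code)
        return BUILTIN[code]

    def params(self):
        out = []
        while self.i < len(self.s):
            out.append(self.type())
        return [] if out == ["void"] else out   # f(void) is printed as f()


def demangle(symbol):
    """Return the C++ signature for a _Z-prefixed symbol; other names pass through."""
    if not symbol.startswith("_Z"):
        return symbol
    d = _Demangler(symbol[2:])
    qualified = d.name()
    return f"{qualified}({', '.join(d.params())})"


# Constructed samples: what `nm -D --undefined-only <app lib>` and
# `nm -D --defined-only libbinder.so` might list. The Android 6 name is an assumption.
APP_NEEDS = ["_ZN7android6Parcel13writeString16EPKtj", "_ZN7android6Parcel10writeInt32Ei"]
LIBBINDER_EXPORTS = ["_ZN7android6Parcel13writeString16EPKDsj", "_ZN7android6Parcel10writeInt32Ei"]


def missing_symbols(needed, exported):
    """{mangled: demangled} for imports the system library does not export."""
    have = set(exported)
    return {s: demangle(s) for s in needed if s not in have}
```

Run this over the real lists and the dlopen error reduces to a one-line diff; comparing the demangled forms side by side shows whether the gap is a removed function or, as here, the same function with a different parameter type.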
Hello again,
so of course, as expected replacing Android 6 libbinder.so with an Android 5 libbinder.so doesn't work
the phone stayed stuck at boot logo, but it was possible to replace back the old library with twrp file manager
Yet, the issue is still there ... how can I get a libbinder.so library on Android 6+ without the missing symbol issue ?
I suppose that my best option, would be to get the source code of the libbinder.so for my targeted android version and compile it with the modifications committed by mickybart on github : [github.com/mickybart/android_frameworks_native/commit/8e9d34326128ec2b39e543e016ec21342d1c3deb] (sorry can't post external links as new user)
But I'm a total noob at compiling Android, I would really appreciate someone's help: I know there are tutorials to compile a full Lineage or CyanogenMod ROM... but it takes dozens of GB to download and a lot of hours to install and then to build the full ROM.
I only need to download / modify / compile a single library and eventually its dependencies?
Do you know a way to do it ?
Or a better way to fix the missing symbol issue described in first post ?
Thank you.

Need tech advice before archeology

Hi everyone,
I own a PonoPlayer which is running Android 2.3 (ARM v7 / Cortex A8). I'd like to perform some software upgrades but sadly the device is not running adb.
I'd like some tech advice before going deeper, just to make sure I'm using the proper approach and not wasting my time
Disclaimer: I read everything I could find about the Pono (there's some old thread about it on this forum) but that didn't really help.
What I already tried:
Because I'm more of a developer and vulnerability researcher, I started with what I'm comfortable with: looking for vulnerabilities. I decompiled the main APK (player-release.apk) but found nothing obviously exploitable.
The last available firmware update is version 1.0.6. The upgrade bundle is clearly based on that: https://github.com/Lekensteyn/make-gapps-zip
Decompressing the archive using apktool shows:
boot.img
META-INF (which contains META-INF/com/google/android/updater-script)
recovery
system
The update bundle seems to be signed using the test-keys found in the above repository. So I tried to forge a fake 1.0.7 update bundle by simply unpacking 1.0.6 and repacking + signing. This fails: the player detects the 1.0.7 update bundle, tries to perform the upgrade and gets stuck. Obviously, something wrong happens, but since I've no log or any kind of remote access, there's no way for me to debug.
Next step:
I plan to set up an Android 2.3 emulator, running a dummy ARMv7 image, and use it to load the 1.0.6 legit update bundle. Thus I would have something close to the real Player image.
From this, I would be able to load my 1.0.7 fake update and see what goes wrong.
Is there something obvious that I'm missing? Is this the proper approach?
Thanks for any advice!
All right, here's my own follow-up!
I ended up finding how to create an OTA package for the Pono Player.
Basically, I start from the last known firmware (1.0.6), patch it and re-bundle it.
Hopefully, the Pono Player uses the Android test keys ...
My main issue (for the last 4 years..) was that the whole OTA package is signed, not just its contents, by adding a specially crafted zip comment.
This can be enabled by using the "-w" option of the signapk command.
I've successfully updated the licences.txt (let's start small) file on the device.
All the required scripts for unpacking/repacking an OTA package are available here: https://github.com/NothNoth/PonoPwn
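The "specially crafted zip comment" is signapk's -w whole-file signature: the ZIP's archive comment is filled with the text "signed by SignApk", a NUL, the DER PKCS#7 signature, and a 6-byte footer (16-bit offset from end of file back to the signature, 0xFF 0xFF, 16-bit comment size), and the signature covers the file up to but not including the 2-byte comment-length field, so the EOCD record itself is signed. The Python below is an added example, not from PonoPwn or from AOSP; it lays out and parses that container and performs the structural checks recovery does before checking the signature against /res/keys, but the PKCS#7 block itself is passed in, since producing it needs the signing key. The layout is from my reading of AOSP's SignApk and RecoverySystem.verifyPackage and should be checked against those sources; the sample zip contents and signature bytes are constructed.

```python
"""Layout of the signapk -w whole-file signature in the ZIP comment (added example)."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
MESSAGE = b"signed by SignApk"   # human-readable prefix signapk -w writes into the comment


def build_sample_ota(files):
    """Constructed stand-in for an OTA zip with no archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def add_whole_file_signature(zip_bytes, signature_block):
    """Append a signapk -w style comment. `signature_block` is the DER PKCS#7
    over zip_bytes[:-2]; making it needs the key, so here it is supplied."""
    if zip_bytes[-22:-18] != EOCD_SIG:
        raise ValueError("zip already has an archive comment or is truncated")
    if zip_bytes[-2:] != b"\x00\x00":
        raise ValueError("comment length field is not zero")
    body = MESSAGE + b"\x00" + signature_block
    total_size = len(body) + 6                        # comment = body + 6-byte footer
    if total_size > 0xFFFF:
        raise ValueError("comment too large for a 16-bit ZIP comment length")
    signature_start = total_size - len(MESSAGE) - 1   # distance from EOF back to the PKCS#7
    footer = struct.pack("<HBBH", signature_start, 0xFF, 0xFF, total_size)
    return zip_bytes[:-2] + struct.pack("<H", total_size) + body + footer


def parse_whole_file_signature(data):
    """Recover (signed_bytes, pkcs7_der, message) with the structural checks recovery
    makes: footer marker, EOCD position, EOCD comment length, and no second EOCD
    marker hidden inside the comment (which could fool a lax ZIP reader)."""
    signature_start, m1, m2, comment_size = struct.unpack("<HBBH", data[-6:])
    if (m1, m2) != (0xFF, 0xFF):
        raise ValueError("no signature in file (no footer)")
    if not 6 <= signature_start <= comment_size:
        raise ValueError("signature offset outside the comment")
    eocd_len = comment_size + 22
    eocd = data[-eocd_len:]
    if eocd[:4] != EOCD_SIG:
        raise ValueError("no signature in file (bad EOCD position)")
    if EOCD_SIG in eocd[4:]:
        raise ValueError("a second EOCD marker inside the comment (possible tampering)")
    if struct.unpack_from("<H", eocd, 20)[0] != comment_size:
        raise ValueError("footer comment size disagrees with EOCD")
    pkcs7 = eocd[eocd_len - signature_start:eocd_len - 6]
    message = eocd[22:eocd_len - signature_start]     # "signed by SignApk\0"
    signed = data[:len(data) - comment_size - 2]       # everything before the length field
    return signed, pkcs7, message


def is_well_formed(data):
    """True if the whole-file signature container passes the structural checks."""
    try:
        parse_whole_file_signature(data)
        return True
    except ValueError:
        return False
```

Because the signed region ends right before the comment-length field, re-zipping the contents (which rewrites the central directory and EOCD) invalidates the signature even if every entry inside still carries a valid per-file signature, which is why signing only the contents is not enough for an OTA package.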
