Is It Foolish To Install an XDA Custom ROM? - Android Q&A, Help & Troubleshooting

I've gone through several rooting procedures on the XDA forums over the years. In the most recent one I tried to root my HTC Desire C (CDMA). It turns out that I nearly hosed the phone when I installed bootloaders that some senior members on here promoted with full confidence to users, yet neglected to ask if the user had a CDMA phone.
There is a thread on the HTC Desire C where a senior member provides a hacked version of a bootloader and ROM. The user then responds (on page 2 or 3 of 11+ pages) that their phone can't get beyond the 'dev bootloader', and effectively the senior member has provided a patch which hosed at least a few phones.
Subsequent threads appear which show users in the same situation I was in after applying the XDA hacks. After hours of researching I found a workable bootloader and managed to get it flashed, and get my phone rooted. I doubt many people will be able to reproduce my results and get the phone rooted. I expect most people will give up on rooting, consider the phone locked, and just avoid going anywhere near the bootloader again.
Furthermore, the bootloader I downloaded in at least one thread for the HTC Desire C has an HTC Legal Message that causes concern on how the uploaded patch was originally obtained - i.e. was it obtained legally?
After spending ~12 hours learning all of the above, I embarked on seeing what XDA developers say is involved with creating a custom ROM. I was shocked. Even the most well-documented processes are incredibly horrid. They involve hacking binary files, fudging package names, and more sketchy procedures that any Android Engineer would expect to leave the OS in an unstable state; for example not using zipalign on system apps.
Any software engineer using binary-file hacking would expect to be unable to fix bugs in the software. To fix bugs efficiently and reliably (i.e. test and prove the bug is fixed), a software engineer needs source code.
But worst of all, the custom ROM and bootloader binaries have code that not even the author knows the origin of, as demonstrated in the Custom ROM developer guides/postings. If HTC or Google have tracking code in a binary, the custom ROM will have it too. If there is malware in the binary that might steal their passwords or other identification, the user has no way of knowing.
I've seen at least three (3) instances of supposedly popular XDA ROMs where a hacker has taken an existing ROM, hacked its binary files for the new target device, fixed no bugs in the previous ROM, and introduced new ones in theirs. I've even seen ROM developers criticize other ROM developers for not fixing bugs, and then when I investigated the ROM from the complainant, I found they didn't fix any bugs either. Of course not, it appears to me the majority (all) of the hackers on XDA use binary files to create custom ROMs, with some hacking of text, XML (layouts, values, assets), and other text files - but not any actual JNI-C or Java code.
These custom ROMs are not open source. I'm skeptical they're even legally complying with the open source licenses in the original code. It is certain that any and all files used for the development of a custom ROM available from XDA are also obligated to follow the Apache2 license that governs the OS build (I'm not sure which licenses cover the bootloaders), yet it's quite difficult on XDA to find links to custom ROM source files.
That latter point makes the entire process of hacking binary files to generate a custom ROM completely untrustworthy. Contrast this with CyanogenMod which provides (or attempts to provide) techniques to build custom Android ROMs from source, and which provides a lineage of ROMs with stability ratings.
It doesn't benefit an open-source community to propagate software with bugs, lacking sources, and possibly in violation of licensing. Since this forum is not a Q&A thread, I won't ask people to stop, I'll demand it. Since that never works, I would have to wish XDA the shortest lifespan possible. Delete this thread and I'll post it elsewhere, where XDA users can't comment.

Although I agree with 95% of your post, it seems a bit harsh to condemn the entire community. Maybe you could actively participate in setting a higher standard?
Sent from my LG-MS840 using xda app-developers app

Well, let's say we have approximately 2 new persons attempting development. Which means, they are trying to be future developers, which also means they may not know certain things on development. In the past, the standard was high because there were only 5 devs per device and the rest the users. They never cared how the dev made the rom.
But the case today is, everybody needs to know everything. Which naturally makes them attempt. So naturally, there is an increasing number of imperfect works which will gradually get perfect when the dev gains knowledge from his experience.
And for licensing, Android is made open source by Google and gives permission to edit the source and release them as long as the brand "Android" is used. It never states that the works should be open-sourced always. Example: Android gives source to Samsung, HTC and Sony. And these OEMs make use of that code and add their own code and release their own software on new phones. But do they provide source? No. Do they include malware? No.
But how do you believe them that it's not malicious or legal? Because you pay them $$$$ for their work and not even a $ for the custom rom developer? At last, it only depends on you and how you think.
And for CM being open source, CyanogenMod works on Android source code and makes custom roms (just as an OEM) and it has chosen to go open source and hence it is. But for custom roms other than AOSP/AOKP, people work on roms provided by OEMs. In that case, they cannot provide source though they wish to do it because they don't have the source of the OEM rom. Instead, they work on dalvik code, already compiled apk, already compiled framework etc...
Hope I have made you clear?
Sent from my GT-N7000 using xda app-developers app

Catharsis much?
Sigh... (Lip bit. And, edited..)
Sent from my MB865 using XDA Premium 4 mobile app

Related

Malware in Custom Roms?

DISCLAIMER:
This is totally academic, and I only pose the question as that of mere curiosity.
In no way do I mean to accuse any developer here or elsewhere of intentionally or otherwise installing malicious software in our ROMs. Not trying to start a flame war or anything.
What is the possibility that a rogue ROM creator would or could install malicious content on one of our devices? What kind of things would we look for to indicate that our device may be compromised? Perhaps packet sniffing for the extra paranoid.
I am the type that, when I see something that doesn't look normal, I question it. That said, I am a very experienced Linux, *BSD, and Solaris administrator; but my experience with Android is just blooming. So I might not know where to look in the Android filesystem, or know which processes may be irregular.
I did some Googling but haven't found anything to indicate this has happened before (thank God). Are there self-checks in Android to prevent this from happening? Call me paranoid, but I just like to know what's going on.
Does the "anti-virus" software in the App market actually help with this?
Again just curious. I heard about some apps on the Market that Google had to remotely erase. And I believe I am correct in understanding that Google isn't as restrictive with its applications as Apple.
Any takes on this?
Antivirus and Task killers all that are garbage and slow your phone down. You won't have to worry about that happening on this site.
It depends if he/she is an asshole...
The first "viruses" for android were because people were downloading paid apps on the internet, from some site in china, that had viri put into those apps that people were downloading.
Just don't get on the bad side of a dev.
adrynalyne said:
Just don't get on the bad side of a dev.
LOL! I'll make sure not to do that!
I know that task-killers are BS. I figured the anti-virus was a gimmick, too. As far as for self-replicating viruses on the phones I doubt that will occur.
I'm more worried about malware in the form of a sleeper-trojan that calls home with my personal phone information, or gets added to some jackass's botnet for DDoSing.
That was a worry of mine when I first came to this site, but the devs I download from I find quite professional. I have since just started to dig into roms trying to port them to the tb, and compare the contents and begin to see what is normally packed in the zip. I have never found a dev on this site attempt to introduce malware. I have seen some intro warz but the site immediately banned them. The site has banned devs for not giving credit where credit is due, and opening multiple accounts in a way to circumvent the system.
This site is great for all, and they do their best to keep everyone honest.
I've been here and ppcgeeks for nearly 3 and 1/2 years, both with winmo and android, and I have never had an issue. It seems that these sites really do the best they can to catch things before they happen. Personally, I can't say enough about our devs. They're great, and they do a good bit of work for people who are honestly not thankful enough to them. I personally don't think you will ever have an issue, as I haven't. And I download tons of stuff from here and other places.
I think everyone is missing the OP's point. OP isn't asking if it's happening now or whether it's happening here.
Instead, the question concerns whether or not it's physically possible for malicious code to get executed after installing a custom ROM and/or kernel, assuming the developer of that ROM or Kernel was inclined to put some in there. Assuming it *is* possible, which I certainly believe it is, what if anything can be done by an experienced *NIX administrator to be aware of it?
Is your only option to 'trust' the developer of the ROM or Kernel, or are there things we can do with a running android system to know how well the live code is behaving?
I've always been curious of this myself. I am no advanced Linux administrator (yet), just an aspiring IT student. I would think the best people to ask would be the developers themselves, though.
funkybside said:
I think everyone is missing the OP's point. OP isn't asking if it's happening now or whether it's happening here.
Instead, the question concerns whether or not it's physically possible for malicious code to get executed after installing a custom ROM and/or kernel, assuming the developer of that ROM or Kernel was inclined to put some in there. Assuming it *is* possible, which I certainly believe it is, what if anything can be done by an experienced *NIX administrator to be aware of it?
Is your only option to 'trust' the developer of the ROM or Kernel, or are there things we can do with a running android system to know how well the live code is behaving?
No one is missing the point, the op asked if it can happen in roms/kernels/etc. Roms/kernels/etc for the phone are distributed here, therefore he is asking if it can happen here or anywhere that devs create these things for our phones.
BTW an experienced Linux admin should already know how to check for these things
Actually I believe it has happened at least twice. Once by accident, and once there may have been malicious code put into a rom that was set as bait for code thieves.
The first one was stupid, an update agent was left in the rom, and an update got pushed that loaded the phone browser to a certain site (it was not a bad site either). This affected a VERY minor few, as you had to have a certain version of a rom, and have rebooted over a very specific point in time.
The latter I will not go into as I do not know the specifics, or the validity of any of what happened.
g00s3y said:
No one is missing the point, the op asked if it can happen in roms/kernels/etc. Roms/kernels/etc for the phone are distributed here, therefore he is asking if it can happen here or anywhere that devs create these things for our phones.
BTW an experienced Linux admin should already know how to check for these things
Sorry if my post offended you and no disrespect intended, but I think you are mistaken. The question of whether or not something "can happen" is fundamentally different from the question of whether or not anyone is actually doing it. Also, saying that any "experienced Linux admin should already know how to check for these things" is in poor taste; it's a personal attack that adds no value to the discussion. The idea here is to address the OP's question as a purely academic thought experiment; there is no implicit reference to the morality of the developers here...
Perhaps we should ask the same question in a different way:
If a net-sec researcher working at SANS wanted to test exploitation vectors against their own personal HTC Thunderbolt, is it physically possible for them to build a custom ROM and/or Kernel such that this custom module includes malicious code that executes automatically after being installed on the device?
I'd be highly surprised if anyone claims the answer is no. If the kernel itself is custom, anything the hardware can do is fair game...
Concerning the question of how to know if anything is happening, since we're talking about the firmware itself, it would be difficult to do anything in userspace with confidence. To be really sure, you'd likely need to sniff traffic (both mobile and wifi) as well as physically monitor the hardware's debug output (and perhaps even the circuit traces themselves). With a compromised kernel, you can't trust anything running through the operating system's APIs.
It's very doubtful that any reputable developer on XDA would do this. Impossible? No. But XDA is the kind of place where something like this would be discovered very quickly and spread like wildfire.
Now, some unknown developer, on a random website? While I haven't come across this yet, I'd say: More likely.
The question isn't concerning the likelihood of it occurring on XDA or elsewhere, it's specifically about whether or not it is technically possible to do it.
I think we can infer from everyone who is answering the unrelated question, i.e. Is it happening on XDA or anywhere else?, that yes, it is possible to insert malicious code into a ROM or kernel.
funkybside said:
The question isn't concerning the likelihood of it occurring on XDA or elsewhere, it's specifically about whether or not it is technically possible to do it.
I think we can infer from everyone who is answering the unrelated question, i.e. Is it happening on XDA or anywhere else?, that yes, it is possible to insert malicious code into a ROM or kernel.
I think you are right. As long as there is superuser access, then basically anyone with su can pretty much do anything to your phone.
At least that's my take on it.
I'm new to android in general and XDA in particular, so please forgive my ignorance (and yes I will try searching), but this makes me wonder: Do the established developers of custom ROMs and Kernels release their source code? I'd imagine the same terms of the GPL that require HTC to release their source would also require anyone building custom Kernels to do the same. Is this also true for ROMs?
I am an experienced *NIX administrator, and that's what makes me so paranoid. This kernel source isn't coming from a CVS tree that is being scrutinized by hundreds of developers, at least not to my knowledge.
I know how code can be injected into a kernel, into a module, pretty much anywhere. Should I run a diff on the kernel source tree to see what was changed? Could do that, but that may be time consuming. I've seen innocuous kernel modules altered to allow a gateway for elevating to UID 0 (and in fact, more often in Linux than in others.)
I'm pretty confident that the folks here on XDA aren't doing anything malicious: the following of these ROMs are too popular and very fluid, and I would expect something malicious to be found quickly.
Again this is just purely academic.
nerozehl said:
I am an experienced *NIX administrator, and that's what makes me so paranoid. This kernel source isn't coming from a CVS tree that is being scrutinized by hundreds of developers, at least not to my knowledge.
I know how code can be injected into a kernel, into a module, pretty much anywhere. Should I run a diff on the kernel source tree to see what was changed? Could do that, but that may be time consuming. I've seen innocuous kernel modules altered to allow a gateway for elevating to UID 0 (and in fact, more often in Linux than in others.)
I'm pretty confident that the folks here on XDA aren't doing anything malicious: the following of these ROMs are too popular and very fluid, and I would expect something malicious to be found quickly.
Again this is just purely academic.
Agreed that the likelihood of stuff here being questionable is low, but the simple fact that there is a non-zero risk certainly makes me think a little bit. You summed it up well and the examples are spot on - this is why I immediately wondered if developers here are publishing the source code on their customized versions. Ignoring the GPL angle, it's just good to know it's out there if it is, and by the same token, also good to know if it's not out there.
I have another question to add. I love miui, and to my understanding miui is made by Chinese developers and it is not open source, it is just translated and ported to our devices. If it is not open source, is there any way to know for sure?
I am a little bit wary of the security, although I love the rom. I trust all of the credible devs on xda, however I don't know anything about the Chinese devs developing miui. Would the devs porting miui be able to see the malware if it isn't open source?
Sent from my ADR6400L using XDA App
It is definitely possible. I read a paper a while back that I've been referencing in my own research where some researchers compiled some kernel modules to do malicious tasks in the background without knowledge of the user, mind you this was on an open source linux based phone system similar to android. Basically compiled in root kits, which replacing your kernel/rom w/ a community developed system would result in possibilities of this occurring. The primary solution to preventing these things from ending up on your phone as well as keeping the Trojans and other malware on the android market come down to the same thing knowing your publisher and being careful what permissions you allow. Like stick to kernels/roms from reputable developers on XDA, and make sure your "movie player" doesn't have access to your SMS system and you'll be fine
Mind you my own research currently is in detection of malware/malicious code & anomalous behavior. As well as hopefully prevention techniques eventually.
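
Added example (not part of the thread, and not any poster's or project's code): the thread raises comparing a ROM's contents against what is "normally packed in the zip" and running a diff before trusting it; the Python sketch below does that offline by hashing every entry of a baseline zip and a candidate zip and listing what was added, removed or changed. The file names, the sample archives and the list of paths to review first are all constructed assumptions for illustration.

```python
import hashlib
import io
import zipfile

# Locations where a new or altered file deserves a look before flashing.
# Assumption: this short list is illustrative, not an exhaustive policy.
SENSITIVE_PREFIXES = (
    "system/bin/",
    "system/xbin/",
    "system/app/",
    "system/lib/modules/",
    "system/etc/init.d/",
)
TOP_LEVEL_IMAGES = ("boot.img",)  # kernel + ramdisk image in a flashable zip


def manifest(zip_bytes):
    """Return {entry name: SHA-256 hex digest} for every file in a ROM zip."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            h = hashlib.sha256()
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[info.filename] = h.hexdigest()
    return digests


def diff_roms(baseline_zip, candidate_zip):
    """Compare two ROM zips and report added, removed and changed entries."""
    base = manifest(baseline_zip)
    cand = manifest(candidate_zip)
    added = sorted(set(cand) - set(base))
    removed = sorted(set(base) - set(cand))
    changed = sorted(n for n in set(base) & set(cand) if base[n] != cand[n])
    # Entries that differ AND sit in a sensitive location go to the top of
    # the reviewer's list; everything else is still reported above.
    review_first = sorted(
        n for n in added + changed
        if n in TOP_LEVEL_IMAGES or n.startswith(SENSITIVE_PREFIXES)
    )
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "review_first": review_first,
    }


def _build_zip(files):
    """Build an in-memory zip from {name: bytes}; used only for sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(files.items()):
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: tiny stand-ins for a stock ROM and a custom ROM.
BASELINE = _build_zip({
    "boot.img": b"kernel-and-ramdisk-stock",
    "system/build.prop": b"ro.build.id=EXAMPLE\n",
    "system/app/Browser.apk": b"browser-apk-bytes",
    "system/bin/toolbox": b"toolbox-bytes",
    "system/media/bootanimation.zip": b"stock-animation",
})
CANDIDATE = _build_zip({
    "boot.img": b"kernel-and-ramdisk-custom",
    "system/build.prop": b"ro.build.id=EXAMPLE\n",
    "system/app/Browser.apk": b"browser-apk-bytes",
    "system/app/Updater.apk": b"leftover-update-agent",
    "system/bin/toolbox": b"toolbox-bytes",
    "system/xbin/su": b"su-binary",
    "system/media/bootanimation.zip": b"custom-animation",
})

if __name__ == "__main__":
    report = diff_roms(BASELINE, CANDIDATE)
    for section, names in report.items():
        print(section)
        for name in names:
            print("   ", name)
```

The report only says which files differ from the baseline; a changed `boot.img` or an added APK still has to be inspected to learn what it does. Running the comparison on the zip before flashing avoids relying on a running system whose kernel may itself be the modified part.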

Is it just me...

or does anyone else feel like we don't have enough aosp love? I mean we have miui, cm7, had decks(went ghostbusters on us) and empiire(heard he got grounded for molesting his hard drive.) I understand there's still kinks to be worked out but everything is Sense. Just wanted to see who else felt this way. PLEASE DON'T COME IN AND START A PARAGRAPH WAR, I read enough in high school.
Temari x Shikamaru
Evervolv exists.
il Duce said:
Evervolv exists.
Link please. I've been hunting it.
Temari x Shikamaru
Talked to shift on twitter yesterday, he said CM7 is being worked on. I honestly think what it is that people are happy with their phones just the way they are, so it brings less crowd. While it is smaller than the original Evo, there is still a pretty big following. Plus, this is just a US phone, so when comparing the Sensation with us is like apple and oranges. We just got mike and androidrevolution! Which is great.
Sent from my PG86100 using xda premium
PatrickHuey said:
Talked to shift on twitter yesterday, he said CM7 is being worked on. I honestly think what it is that people are happy with their phones just the way they are, so it brings less crowd. While it is smaller than the original Evo, there is still a pretty big following. Plus, this is just a US phone, so when comparing the Sensation with us is like apple and oranges. We just got mike and androidrevolution! Which is great.
Sent from my PG86100 using xda premium
It's not just US. There's gsm models for overseas.
Temari x Shikamaru
The problem is, most AOSP ROM's(99.99%) are based off CM kernel source, so with no update to CM, there's no update to other AOSP ROM's. Many devs might want to wait until a few more bugs are worked out of CM before they start kanging. Once we get an RC1 or a stable CM release, you may see more AOSP love.
Can the gsm users get some aosp love? Any roms?
Sent from my Evo 3D GSM...bring on the AOSP!!!
housry23 said:
The problem is, most AOSP ROM's(99.99%) are based off CM kernel source, so with no update to CM, there's no update to other AOSP ROM's. Many devs might want to wait until a few more bugs are worked out of CM before they start kanging. Once we get an RC1 or a stable CM release, you may see more AOSP love.
This man is right. Most AOSP is done by Cyanogenmod devs and kanged from there. I can guarantee you when they come out with a CM7 RC, there will magically be other AOSP roms.
housry23 said:
The problem is, most AOSP ROM's(99.99%) are based off CM kernel source, so with no update to CM, there's no update to other AOSP ROM's. Many devs might want to wait until a few more bugs are worked out of CM before they start kanging. Once we get an RC1 or a stable CM release, you may see more AOSP love.
You're right. I forgot about that.
Temari x Shikamaru
housry23 said:
The problem is, most AOSP ROM's(99.99%) are based off CM kernel source, so with no update to CM, there's no update to other AOSP ROM's. Many devs might want to wait until a few more bugs are worked out of CM before they start kanging. Once we get an RC1 or a stable CM release, you may see more AOSP love.
I have complained about this over and over, and will continue to complain in multiple threads until more people see the point I make and support that. Using someone else's kernel and/or ROM as a base for their "new" ROM isn't all bad all the time. It is analogous to game development on a PC using another developer's graphics/game engine (only with permission and proper credit of course!!). It saves time, and in some cases help that particular engine to advance, but it slows down new technological advancement in the industry as a whole.
Developers need to start honing their skills, start attempting to bring a ROM to the public that they built from the ground up, that includes a kernel build from the ground up too. Doing this eliminates such a large collection of ROMs that are all essentially the same, and because of the open source nature of Android it brings new technological advances to the public faster. It also raises the bar, the standard. The public will begin to expect more out of Android, and this in turn creates more motivation for a newer, better Android.
I think some developers have lost sight of the purpose and nature of open source information and products. Instead of hijacking someone's source code, and using it as a base for a new ROM with a new name, and small amount of new features, development should be done that conforms to the original intent and purpose of open source. Work together with a developer that has created a ROM [from the ground up] that is most similar to the product you want to create. Improve the ROM as a team, make bug fixes and enhancement to the existing ROM. That is what open source was meant to do. This will prevent a forum list of 32 half assed roms, and replace it with 10 really good yet unique roms.
If you can't find an existing ROM, a Dev team that has different ideas of what make a ROM good, or there is no ROM that exists that is similar enough to your vision of the product then, and only then should you develop something new.
I realize my views aren't going to match up with everyone else, but I am sure a happy medium could be found that produces a situation better than what we have now. Thanks for letting me rant, and for reading my thoughts!
Sad Panda said:
I have complained about this over and over, and will continue to complain in multiple threads until more people see the point I make and support that. Using someone else's kernel and/or ROM as a base for their "new" ROM isn't all bad all the time. It is analogous to game development on a PC using another developer's graphics/game engine (only with permission and proper credit of course!!). It saves time, and in some cases help that particular engine to advance, but it slows down new technological advancement in the industry as a whole.
Developers need to start honing their skills, start attempting to bring a ROM to the public that they built from the ground up, that includes a kernel build from the ground up too. Doing this eliminates such a large collection of ROMs that are all essentially the same, and because of the open source nature of Android it brings new technological advances to the public faster. It also raises the bar, the standard. The public will begin to expect more out of Android, and this in turn creates more motivation for a newer, better Android.
I think some developers have lost sight of the purpose and nature of open source information and products. Instead of hijacking someone's source code, and using it as a base for a new ROM with a new name, and small amount of new features, development should be done that conforms to the original intent and purpose of open source. Work together with a developer that has created a ROM [from the ground up] that is most similar to the product you want to create. Improve the ROM as a team, make bug fixes and enhancement to the existing ROM. That is what open source was meant to do. This will prevent a forum list of 32 half assed roms, and replace it with 10 really good yet unique roms.
If you can't find an existing ROM, a Dev team that has different ideas of what make a ROM good, or there is no ROM that exists that is similar enough to your vision of the product then, and only then should you develop something new.
I realize my views aren't going to match up with everyone else, but I am sure a happy medium could be found that produces a situation better than what we have now. Thanks for letting me rant, and for reading my thoughts!
Damn. Such a long read. It was good though.
Temari x Shikamaru
knowledge561 said:
Damn. Such a long read. It was good though.
Temari x Shikamaru
I'm sorry, I originally had hoped for a much shorter post. I always try to get the thoughts in my head out "on paper" in the shortest, most efficient and least complex manner. This is my vision of a more free, "open source" world though. I think the freedom of information could be applied to many facets of society that would create a better future for all of us, and still preserve the competition that drives a more peaceful, better, cheaper, faster world. Sorry again!
Sad Panda said:
I have complained about this over and over, and will continue to complain in multiple threads until more people see the point I make and support that. Using someone else's kernel and/or ROM as a base for their "new" ROM isn't all bad all the time. It is analogous to game development on a PC using another developer's graphics/game engine (only with permission and proper credit of course!!). It saves time, and in some cases help that particular engine to advance, but it slows down new technological advancement in the industry as a whole.
Developers need to start honing their skills, start attempting to bring a ROM to the public that they built from the ground up, that includes a kernel build from the ground up too. Doing this eliminates such a large collection of ROMs that are all essentially the same, and because of the open source nature of Android it brings new technological advances to the public faster. It also raises the bar, the standard. The public will begin to expect more out of Android, and this in turn creates more motivation for a newer, better Android.
I think some developers have lost sight of the purpose and nature of open source information and products. Instead of hijacking someone's source code, and using it as a base for a new ROM with a new name, and small amount of new features, development should be done that conforms to the original intent and purpose of open source. Work together with a developer that has created a ROM [from the ground up] that is most similar to the product you want to create. Improve the ROM as a team, make bug fixes and enhancement to the existing ROM. That is what open source was meant to do. This will prevent a forum list of 32 half assed roms, and replace it with 10 really good yet unique roms.
If you can't find an existing ROM, a Dev team that has different ideas of what make a ROM good, or there is no ROM that exists that is similar enough to your vision of the product then, and only then should you develop something new.
I realize my views aren't going to match up with everyone else, but I am sure a happy medium could be found that produces a situation better than what we have now. Thanks for letting me rant, and for reading my thoughts!
The problem is that people don't always give credit where credit is due, which is one of the reasons some people don't like sharing stuff. I mean, let's say I made this awesome mod and let everybody use it. Then some kitchen dev comes along, kangs the **** out of it, doesn't mention me in his rom, and slaps a gigantic DONATE button at the bottom of his signature. It's frustrating.
Now I'm all about open source. I won't use a rom that doesn't post the source. That's the exact reason I won't use MIUI.
SolsticeZero said:
The problem is that people don't always give credit where credit is due, which is one of the reasons some people don't like sharing stuff. I mean, let's say I made this awesome mod and let everybody use it. Then some kitchen dev comes along, kangs the **** out of it, doesn't mention me in his rom, and slaps a gigantic DONATE button at the bottom of his signature. It's frustrating.
Now I'm all about open source. I won't use a rom that doesn't post the source. That's the exact reason I won't use MIUI.
I fully understand your frustration. I am a software engineer too so I know what you are going through. I have not yet begun developing for Android, but will. There is a little bit of a problem here that could easily be solved, and the community has a responsibility to protect the intellectual property rights that you and every other developer like you is entitled to. In fact it is a right that is protected by the integrity of the constitution of the united states, and many other countries and law enforcement around the world. This is a failure that not just developers, mods, and admins have, but a responsibility and failure that every user at xda shares no matter who they are.
First off; not to offend any MIUI developers that may be watching, but if you are developing for Android you need to be using a license that is open, and your source needs to be open too. This is especially true if you are using xda as a distribution medium, but sadly while xda has said they encourage, and want every development to be open source they are not forcing the matter. This is a failure I think. It also makes MIUI look suspicious too, as there isn't a way to verify if their source is uniquely theirs. I personally believe xda should not allow software that is not open source to be distributed. If google didn't keep the open source principle when they acquired Android roms like MIUI would NOT exist! It is highly unethical to take the base ROM from google because it is open source, and then close the source. That is wrong wrong wrong! It is also illegal! You can not redistribute the Android OS even if you have made changes and then close the source and not maintain the software license google has in place.
Second; I believe as a user of xda it is your duty to maintain the integrity of the principles of xda, and Android. Don't support closed source works, voice your disgust so that xda sees the will of its users, that the overwhelming majority wants things to remain open source. Tattle your ass off if someone has broken the copyright law and used someone's work without permission and credit.
It is important to keep both xda and Android running on the same principles it started with. Don't let this keep happening guys! This is very serious, a lot of developers are breaking the law doing what they are doing!
Sad Panda said:
I have complained about this over and over, and will continue to complain in multiple threads until more people see the point I make and support that. Using someone else's kernel and/or ROM as a base for their "new" ROM isn't all bad all the time. It is analogous to game development on a PC using another developer's graphics/game engine (only with permission and proper credit of course!!). It saves time, and in some cases help that particular engine to advance, but it slows down new technological advancement in the industry as a whole.
Developers need to start honing their skills, start attempting to bring a ROM to the public that they built from the ground up, that includes a kernel build from the ground up too. Doing this eliminates such a large collection of ROMs that are all essentially the same, and because of the open source nature of Android it brings new technological advances to the public faster. It also raises the bar, the standard. The public will begin to expect more out of Android, and this in turn creates more motivation for a newer, better Android.
I think some developers have lost sight of the purpose and nature of open source information and products. Instead of hijacking someone's source code, and using it as a base for a new ROM with a new name, and small amount of new features, development should be done that conforms to the original intent and purpose of open source. Work together with a developer that has created a ROM [from the ground up] that is most similar to the product you want to create. Improve the ROM as a team, make bug fixes and enhancement to the existing ROM. That is what open source was meant to do. This will prevent a forum list of 32 half assed roms, and replace it with 10 really good yet unique roms.
If you can't find an existing ROM, a Dev team that has different ideas of what make a ROM good, or there is no ROM that exists that is similar enough to your vision of the product then, and only then should you develop something new.
I realize my views aren't going to match up with everyone else, but I am sure a happy medium could be found that produces a situation better than what we have now. Thanks for letting me rant, and for reading my thoughts!
Or learn to code yourself and create roms from the ground up. Most devs do what they do for themselves first, and allow us to ride on their coattails. Not a bad ride if you're like me and have no coding skills. Otherwise, I doubt your plea is going to convince a dev to do anything more or less than they do now, unless it interests them personally.
I do agree with you though. I'm coming from Android on the Touch Pro 2 where a small group of devs are building EVERYTHING from scratch. From the modems to the light sensor. It's a huge job done out of love for the hardware, for fun, and a passion for coding.
knowledge561 said:
Link please. I've been hunting it.
Temari x Shikamaru
He links only via Twitter posts and in his IRC; send him a tweet. IIRC still in beta, but he does some nice ROMs.
Serren said:
Or learn to code yourself and create roms from the ground up. Most devs do what they do for themselves first, and allow us to ride on their coattails. Not a bad ride if you're like me and have no coding skills. Otherwise, I doubt your plea is going to convince a dev to do anything more or less than they do now, unless it interests them personally.
I do agree with you though. I'm coming from Android on the Touch Pro 2 where a small group of devs are building EVERYTHING from scratch. From the modems to the light sensor. It's a huge job done out of love for the hardware, for fun, and a passion for coding.
Thank you for your comment and support. I don't disagree with you. If you steal a loaf of bread to feed yourself, is it any less of a crime than to steal a loaf of bread to feed you and your family and friends? Or is it the same or worse?
I think either way it isn't ethical. People need to think less about themselves I think. I must reiterate and clarify so I am not misunderstood. I don't think it is inherently bad to be using a ROM as your base, but it is wrong to then close the source of a previously open piece of work and/or not maintain the original license, and give credit in every spot it should be given in. That would include its distribution, the license, the source code itself, and anywhere else that you put your own version, app info, and copyright notice. Am I wrong?
Sad Panda said:
I fully understand your frustration. I am a software engineer too so I know what you are going through. I have not yet begun developing for Android, but will. There is a little bit of a problem here that could easily be solved, and the community has a responsibility to protect the intellectual property rights that you and every other developer like you is entitled to. In fact it is a right that is protected by the integrity of the Constitution of the United States, and many other countries and law enforcement around the world. This is a failure that not just developers, mods, and admins have, but a responsibility and failure that every user at xda shares no matter who they are.
First off; not to offend any MIUI developers that may be watching, but if you are developing for Android you need to be using a license that is open, and your source needs to be open too. This is especially true if you are using xda as a distribution medium, but sadly while xda has said they encourage, and want every development to be open source they are not forcing the matter. This is a failure I think. It also makes MIUI look suspicious too, as there isn't a way to verify if their source is uniquely theirs. I personally believe xda should not allow software that is not open source to be distributed. If Google didn't keep the open source principle when they acquired Android, ROMs like MIUI would NOT exist! It is highly unethical to take the base ROM from Google because it is open source, and then close the source. That is wrong wrong wrong! It is also illegal! You can not redistribute the Android OS even if you have made changes and then close the source and not maintain the software license Google has in place.
Second; I believe as a user of xda it is your duty to maintain the integrity of the principles of xda, and Android. Don't support closed source works, voice your disgust so that xda sees the will of its users, that the overwhelming majority wants things to remain open source. Tattle your ass off if someone has broken the copyright law and used someone's work without permission and credit.
It is important to keep both xda and Android running on the same principles it started with. Don't let this keep happening guys! This is very serious, a lot of developers are breaking the law doing what they are doing!
Let me preface this by saying that I agree with you.
However Android is meant to be open source, the license that they use (Apache) does not require it. The reason they chose the Apache license was to give people the freedom to choose (their words). So technically people like MIUI don't have to post source for anything other than the kernel (which is GPL).
This link has some good info on it.
http://source.android.com/source/licenses.html
But even CM doesn't have to provide source, which in recent history they haven't while starting builds. We can't demand source when the licensing doesn't demand it, but that doesn't mean we still can't prove direct kang. The reason I have Android over anything else is the freedom it gives and the open nature of it.
Edit: and you should always credit someone if you are using their work, and also have their permission. I was referring to general source from Android itself, not from each other.
_______________________
No d3rp left behind - ranger61878
The problem is, nobody wants to start a ROM from the ground up, and the people that do are already involved into team projects (CM/MIUI). It takes a long time to create a ROM from the ground up that utilizes all of a phone's hardware properly. Look how long it took CM to get 4G onto the EVO 4G, and that was a team of highly skilled individuals practically reverse engineering code to do it.
Now imagine all of the copy and paste kitchen users here trying to accomplish that. It just won't happen lol.
That's why we have pretty much the same thing in different colors. It kind of sucks, but hey, HTC did the majority of the work, and if something already works good enough, the average person will be fine with and use that.
Yeah, it does slow down the evolution and innovation of Android as a whole, but you have to put some of the blame on OEMs for pushing out 45 different phones a year. Nobody is going to be encouraged to create something from the ground up for a phone that will be replaced and obsolete by the time they're finished.
The G1 is the prime example of a great phone that got tons of developer support, tons of new things, and tons of unique ROMs. But that was the beginning, and I doubt that's ever going to happen again.
HTC all but pushed this EVO 3D out, and forgot about it. They've released a good 19 phones since then at the rate they're going, most of us will have moved on to the next one in a few months. Sad but true.
That is why I have stuck with and will probably continue to use a Stock ROM, modified to my liking and stripped. There isn't much else you can hope for. 3D has failed to really take off like HTC and the rest of us wanted. There is no motivation for any of the teams out there to focus on reverse engineering their ROMs to use 3D. MIUI to this day hasn't bothered with WiMAX and with good reason. Sprint all but blatantly announced its slow death in favor of LTE. It would have been a waste of time for the MIUI team to implement it. Kudos to Team Win and CM for gracing us with it on the EVO 4G. But, hindsight has probably made people mad that all of their time and energy went into something that's getting canned.
A lot of good points, freeza. These are paragraphs I like to read.
Temari x Shikamaru

A MUST-READ for aspiring ROM "Developers"

This article appeared today on the main page of XDA and I feel that it's a very important lesson for any/all new ROM devs.
Sage Advice from Cyanogen Still Valid Today
http://www.xda-developers.com/android/sage-advice-from-cyanogen-still-valid-today/
Excerpt:
He had this advice to offer for those looking to make their own Android ROMs:
Stop. Write an app or two first, learn how the system works from a developer standpoint. Learn some Java. Read the developer documentation. Learn how to use Git. Then learn how to build AOSP from source. Read the porting guides, and learn how the build system works….. Now try to put your new found skills to work on enhancing the platform by writing code or making theme overlays. And share! And put that s**t on your resume. There is a *ton* of information out there but any kind of “step-by-step rom cooking guide” is going to be a complete fail- it’s too broad of a subject.
As XDA has grown right along with the meteoric rise of Android, so has a desire of users to create their own ROMs, kernels, themes, and so on. Much of this work classifies as “original development,” but there’s been a growing trend to what many are calling “derivative development.” This category covers most of ROMs based on stock releases from the manufacturers, applying patches and scripts aimed at optimization, theming and/or removing stock applications, and using “kitchens” that run a stock release through a list of scripts and then repackage as a recovery-flashable update.zip. This is what Cyanogen was expressing frustration about—shortcuts being taken to achieve a product that differs only slightly from stock (derived) and pushed out instead of building from source and delving into the core of Android and making something truly original.
XDA-Developers exists first and foremost for developers. It’s at the core of who we are; it’s in our blood; and it’s in the air we breathe. There is a place for derivative works—they provide an entry to the scene which can help to introduce people to the wonders of Android. But let’s not stop there. Don’t be satisfied with just creating yet another derivative of someone else’s work. Instead, follow Cyanogen’s sage advice and learn about Android from the ground up, and create something truly original and innovative.
Guess I should continue with this hello world app... haha
Op just explained 99% of our roms lol
Repackage, rename, reskin and ask for donations. Rinse, lather and repeat. Now you're a dev!
Ha.
True software developers understand the wisdom of code reuse.
So, in my opinion, if a fledgling developer takes a set of code and applies addons, makes a few setting changes then calls it a ROM and provides users benefit...then they are on the path.
Sent from my SAMSUNG-SGH-I717 using Tapatalk 2
andrawer said:
Ha.
True software developers understand the wisdom of code reuse.
So, in my opinion, if a fledgling developer takes a set of code and applies addons, makes a few setting changes then calls it a ROM and provides users benefit...then they are on the path.
Sent from my SAMSUNG-SGH-I717 using Tapatalk 2
Even if they fail to write a single line of original code?
I'm with cyanogen on this one...
Sadly all this is semantics.
If the world of Android was perfect then this would be true. By perfect I mean everything being open source ...
But if everything was open source we wouldn't have things like Arc, TouchWiz, Blur or Sense; it is my opinion, shared by many others, that Android would be very boring if we only had AOSP.
What does a coder bring to a TouchWiz, Sense or Blur device?
The market is filled with cool apps and launchers .. 99% of those coders will make apps for Android and won't bother with anything else.
That brings me to my next point. Building from source means on top of AOSP, or in my terms vanilla Android .. many devs love vanilla and it's fine, but what about those who don't?
99% of the ROMs on XDA are just that: either source compiled with apps added or a stock deodexed ROM with a theme and apps added ..
Here is the but, and before I say it I wanna say everyone is entitled to his opinion and I'm not bashing anyone,
without guys like me who just hack the code and spend countless hours looking at what the code is actually doing and port the nice stuff from Sense to TW or from CM to TW and RE (reverse engineer all these nice codes), 99% of the Android devices would be boring, because let's face it, there is only one AOSP device / year..
So from what Cyanogen is saying we should all buy a GNex and stop supporting those that make Android closed source,
but wait, without them many things wouldn't be in CM in the first place. What is CM without all these kangs? A glorified AOSP?
OK, maybe I'm pushing but you get my drift...
How many true innovations by Cyanogen vs those proprietary UIs?
Fun fact: the head (or ex) of Cyanogen now works at Samsung and helps make TouchWiz better (closed source).
What about MIUI, they have so many innovations, and they don't share any of their code ..
So as I said there is no black or white here.
That's what Android is all about: make your own thing, play with it, call it yours and make it a hobby, and maybe just maybe others will like it ...
I have seen way too many devs get god-like status on XDA for deodexing a ROM and injecting voodoo in their kernel (for example).
I've seen crazy talented themers have their work taken by others, be ignored by the community and then vanish, and every day we see a kick-ass true developer on here and treat him like he's a nobody, because he doesn't have or because we haven't heard of his ROM .....
I completely understand where CM is coming from but my opinion differs slightly ..
@OP kick-ass thread (as I never read the front page)
Hard to build an i717 ROM from scratch with all of the proprietary bits, Samsung framework, etc, as most of that is proprietary as DAGr8 says. AOSP/AOKP works, but lacking some SPen functions and still relying heavily on a binary kernel as there are no kernel sources for ICS yet.
Hopefully the kernel situation changes, and we're back to the normal business of everything except the proprietary blobs that have to get copied from a stock ROM......
It'd be nice if all required code was released, but for some reason such things tend to be considered proprietary. Oh well.
Thanks OP. I also don't read the front page nearly often enough.
I like what Cyanogen is saying, and agree with his points from his developer point of view. I also agree with DAGr8 and his points. The fact is that Android gives us so many choices and has so many options for exploration. I think that's why so many of us have moved to the Android ecosystem. There is enough room for everyone. Android is the most prevalent mobile OS in the world for a reason. We can all have our opinions. We can all have what we want on our devices. And there are more and more people willing and able to jump in and try to build. Call them developers, or hackers, or derivators. It doesn't matter to me. They all add value to Android.

[Q] Creating Kernel Source Not Kernel from source!!!!!!!!

Hello Everybody,
I just wanted ICS for my device, as we are still running on GB, which is an awful thing for a dual-core, Tegra 2 device (Micromax A85, a rebranded mobile of K-Touch w700/Cherry Magnum 2X). We tried to create ICS for our device but we failed, as we do not have kernel sources for our device and they haven't released a kernel for any device.
And so I started asking developers whether they could help us, and the only answer I got was no; they kept saying no way, your situation is hopeless and all that.
And now I just want to know: when a mobile is manufactured for the first time they don't have any kernel source for it; they create or develop it for the device. And when they can develop it, then why can't we develop it? We are all humans, and what they can do I can do. So please tell me now how to create kernels, not that you can't or that nothing can be done. And I think that XDA is a great site, and now I wanna know whether there are real developers or just some kind of script kiddies present on XDA.
Now show me what developers have got; I know deep inside my mind that there are developers who can help me. They just need to be discovered!!!!!
Well....it is possible, but it's a ton of work and will take months...it's something no one wants to do for free, as the end result isn't worth all the work.
I'm no expert on kernels...I'm actually pretty new to them, but I'll tell you this: you have to identify every single chip in your device, you then need to implement their drivers...you need to make thousands of files....the end result is a folder that is over 100 MB....almost completely "text" documents....I would never even attempt it unless I was getting paid a lot of money...
The people who make these from scratch (manufacturers) typically have teams of people who are specialized who have gone through years of schooling and work to get where they are at now.
And keep in mind there are different kinds of development....don't start calling people script kiddies if they don't know how to make kernels from scratch...for all you know they could be one of the best app or game developers around...they are just specialized in a different area
I really dislike the way you are asking for help...you seem to be indirectly putting down a lot of people in the OP...and basically saying if you can't build a kernel from no source then you're not a developer...these people have jobs and lives, they don't have the time to make a kernel from nothing. The reason manufacturers are able to is because that is their job...that's what they do for hours a day every day...
Anyways...try bugging the manufacturer for source...they have to release it or they are in violation of GLL (I think that's the name...) and they could get sued...as far as I know due to android being open source kernel source must always be released.
Sent from my SGH-I997 using Tapatalk 2
mg, it's GPL v2.0
mg2195 said:
Well....it is possible, but it's a ton of work and will take months...it's something no one wants to do for free, as the end result isn't worth all the work.
I'm no expert on kernels...I'm actually pretty new to them, but I'll tell you this: you have to identify every single chip in your device, you then need to implement their drivers...you need to make thousands of files....the end result is a folder that is over 100 MB....almost completely "text" documents....I would never even attempt it unless I was getting paid a lot of money...
The people who make these from scratch (manufacturers) typically have teams of people who are specialized who have gone through years of schooling and work to get where they are at now.
And keep in mind there are different kinds of development....don't start calling people script kiddies if they don't know how to make kernels from scratch...for all you know they could be one of the best app or game developers around...they are just specialized in a different area
I really dislike the way you are asking for help...you seem to be indirectly putting down a lot of people in the OP...and basically saying if you can't build a kernel from no source then you're not a developer...these people have jobs and lives, they don't have the time to make a kernel from nothing. The reason manufacturers are able to is because that is their job...that's what they do for hours a day every day...
Anyways...try bugging the manufacturer for source...they have to release it or they are in violation of GLL (I think that's the name...) and they could get sued...as far as I know due to android being open source kernel source must always be released.
Sent from my SGH-I997 using Tapatalk 2
It's GPL my friend.
But to answer OP's question, taking the Linux kernel and configuring it to boot on a phone/tablet takes a HUGE amount of effort and time. This is something that paid developers do for companies like HTC or Samsung. It usually requires a whole team of developers who work on it months, or even years before the release of the device. Even then, the developers still continue to improve on the kernel and the manufacturer can release an OTA update. I'm not saying that it's impossible, but it is a task that is definitely not worth it. It's just better to ask the company for the kernel sources.

[Q] Audit of Root Exploits and Unofficial Bootloaders

Greetings XDA Forum,
This is a general question that should be in everyone's mind who might want to root a phone or tablet or any Android or other mobile OS device:
Is this root exploit or bootloader going to be spyware and collect any and all data of mine (login credentials, keylog my every character, account/bank numbers, identity information, use your evil imagination)?
So, I searched this forum for key words like "trust root" "secure root" "security" and found nothing related to this topic.
So, how am I to trust ANY of the root exploits or bootloaders created and posted to this forum for ANY device?
Have any of the developers developed an audit process using firewall rules to ensure that a posted root exploit or bootloader does not attempt to keylog, report captured information to some obscure IP address (thief/hacker's machine of course)?
Do any of these root exploits or bootloaders or custom unofficial builds of entire android (like Cyanogenmod and the 3rd party variants) get Security Audited?
How am I to believe that the whole lot of you making the root exploits and bootloaders are not a big community of identity thieves and financial fraudsters?
Am I just supposed to trust you?
Answer me that, folks
Aknor
I've never seen any root exploit that did as you say. If you're concerned, pick apart the code and look for this; I've never seen anything of the like.
As for bootloaders, there are very few devs that actually make or tweak bootloaders, as a misstep will nearly for certain result in a brick. Almost every bootloader you will find is made by the OEM; if it's not, again feel free to pull apart the code and look for an issue, but I doubt it as this is far more advanced than most will ever become.
As for custom ROMs, well this is the most possible out of all your worries, but again most ROM chefs here are not capable of inserting malicious code, and if it's an official build of a major team (cm, aokp, slim, etc) you are damn near 100% certain there is no issue. As for random ports made in the former USSR by KGB spies, well just don't flash their ROM and you'll be fine.
But of course no one is forcing you to root your phone, flash their bootloader, or download their ROM, so if you're the paranoid type just get an iPhone, at least they're upfront about most of their evil ways.
Sent from my Nexus 4 using xda premium
demkantor said:
I've never seen any root exploit that did as you say. If you're concerned, pick apart the code and look for this; I've never seen anything of the like.
As for bootloaders, there are very few devs that actually make or tweak bootloaders, as a misstep will nearly for certain result in a brick. Almost every bootloader you will find is made by the OEM; if it's not, again feel free to pull apart the code and look for an issue, but I doubt it as this is far more advanced than most will ever become.
As for custom ROMs, well this is the most possible out of all your worries, but again most ROM chefs here are not capable of inserting malicious code, and if it's an official build of a major team (cm, aokp, slim, etc) you are damn near 100% certain there is no issue. As for random ports made in the former USSR by KGB spies, well just don't flash their ROM and you'll be fine.
But of course no one is forcing you to root your phone, flash their bootloader, or download their ROM, so if you're the paranoid type just get an iPhone, at least they're upfront about most of their evil ways.
Sent from my Nexus 4 using xda premium
Okay, I can see that on the boot loaders, but more than just a few make the root exploits and custom builds of cyanogen or android for many, many devices. So, how am I to pick apart the code of these projects when they do not provide the source code for the builds? How would I even trust those builds after they are built? They could slip some malicious code in that they intentionally do not show in the public repository for the code and no one would ever know.
Sure this sounds very paranoid, but no one has really answered how or if at all any of these builds of unofficial android or cyanogenmod or the root exploits or the bootloaders can/would be tested for malicious code.
Think of it, something as small and innocuous as a keylogger with a simple, non threatening name, and all the while, it logs your every username and password, credit card number, 3-digit security code, bank account numbers, anything. How bad would that be, eh?
And you're not concerned these builds/exploits are not somehow security audited and we're all just supposed to trust them like blind sheep?
As more and more of these get built, it's only a matter of time before someone slips something like this into their build to take advantage of all those people who want to root their phone/tablet, or put an unofficial build of android on their device. Shame on that person who does it, of course, but to think somehow we could have audited the software and found out as a matter of course?
-- Aknor
Well, there aren't that many root exploits, and depending on the device you will be changing most if not all firmware and software directly after exploiting, but again just look at the code before you use it.
As for keylogging etc. from flashing a ROM, you would be surprised how many OEMs actually have some things that many would consider malicious and/or a breach of privacy.
As for a worry about flashing a custom ROM with bad code, just stick to official builds or mod your own ROMs; no one is forcing you to flash anything in particular. But there are apps that are meant to look for malicious code. Feel free to use these to help protect you.
I have flashed oh so many ROMs over the past 4 years or so and have never seen anything malicious, but I flash a lot of my own source built ROMs and mostly use ROMs on the higher end which tend to be from trusted sources such as recognized developers and people I work with. Also I'm not a paranoid person so I don't look into this sort of thing much, this means unfortunately I can't really give you much more than this
But best of luck to you and happy flashing!
Sent from my Nexus 4 using xda premium
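One way to narrow the review asked about in this thread when no source is published, as an added example (not code from this thread or from any ROM project): hash every entry of a derivative ROM's recovery-flashable zip against the stock release it was built from, so only the added and changed files need manual inspection. The sample archives are constructed in memory, and the `REVIEW_FIRST` prefixes are an assumption about which paths to look at first.

```python
import hashlib
import io
import zipfile

# Assumption: path prefixes where an unexpected or modified file deserves a
# manual look first (executables, preinstalled apps, boot-time scripts and
# the recovery install script).
REVIEW_FIRST = (
    "system/bin/", "system/xbin/", "system/app/",
    "system/etc/init.d/", "META-INF/com/google/android/",
)


def manifest(zip_bytes):
    """Map every file entry in a flashable zip to the SHA-256 of its content."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename in out:
                # Two entries with one name are ambiguous: different tools may
                # extract different copies, so refuse to summarise the archive.
                raise ValueError("duplicate entry: " + info.filename)
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def diff_rom(stock_bytes, custom_bytes):
    """Compare a custom ROM zip with the stock zip it claims to derive from."""
    stock, custom = manifest(stock_bytes), manifest(custom_bytes)
    added = sorted(set(custom) - set(stock))
    removed = sorted(set(stock) - set(custom))
    changed = sorted(n for n in set(stock) & set(custom)
                     if stock[n] != custom[n])
    # Added or modified files in sensitive locations go to the top of the list.
    review_first = [n for n in added + changed if n.startswith(REVIEW_FIRST)]
    return {"added": added, "removed": removed,
            "changed": changed, "review_first": review_first}


def build_zip(files):
    """Helper for the constructed samples: pack a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not taken from any real ROM.
SAMPLE_STOCK = build_zip({
    "META-INF/com/google/android/updater-script": b"constructed script v1",
    "system/build.prop": b"ro.build.id=STOCK\n",
    "system/app/Browser.apk": b"stock-browser",
    "system/app/Bloat.apk": b"carrier-app",
    "system/media/bootanimation.zip": b"anim-v1",
})
SAMPLE_CUSTOM = build_zip({
    "META-INF/com/google/android/updater-script": b"constructed script v2",
    "system/build.prop": b"ro.build.id=CUSTOM\n",
    "system/app/Browser.apk": b"stock-browser",
    "system/app/Superuser.apk": b"added-app",
    "system/xbin/su": b"added-binary",
    "system/media/bootanimation.zip": b"anim-v2",
})

if __name__ == "__main__":
    report = diff_rom(SAMPLE_STOCK, SAMPLE_CUSTOM)
    for key in ("review_first", "added", "changed", "removed"):
        print(key, report[key])
```

A clean diff does not prove a build is benign; it only shows which files differ from a release you already chose to trust, and anything inside a changed APK or binary still has to be inspected on its own.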