S4 Kexec Support (Help needed) .. - Verizon Samsung Galaxy S 4

Folks,
While I was reading the Safestrap discussion thread in the Development area, I came across this post from Hashcode:
http://forum.xda-developers.com/showpost.php?p=46202168&postcount=430
He indicated that he needs help getting around the kernel module verification system for the possibility of kexec. I thought I would bring this up here in case anyone who knows about the S4 kernels may not be frequenting the Safestrap threads. If ANYONE can help Hashcode, please let him know. I know if I had the knowledge for kernels, I would be all over this helping him.
I thought this was a good place to get this seen as some may not have seen his post buried in the dev. thread for SS.
Thanks!!!

roboots21 said:
Folks,
While I was reading the Safestrap discussion thread in the Development area, I came across this post from Hashcode:
http://forum.xda-developers.com/showpost.php?p=46202168&postcount=430
He indicated that he needs help getting around the kernel module verification system for the possibility of kexec. I thought I would bring this up here in case anyone who knows about the S4 kernels may not be frequenting the Safestrap threads. If ANYONE can help Hashcode, please let him know. I know if I had the knowledge for kernels, I would be all over this helping him.
I thought this was a good place to get this seen as some may not have seen his post buried in the dev. thread for SS.
Thanks!!!
I'm taking the stock developer edition kernel apart now. I don't know how Hash's kexec works: is he trying to hijack the kernel, load before the kernel, or load after? I know how the S4 kernels work, but I guess in my mind I assume Hash already knows anything that I do.

Surge1223 said:
I'm taking the stock developer edition kernel apart now. I don't know how Hash's kexec works: is he trying to hijack the kernel, load before the kernel, or load after? I know how the S4 kernels work, but I guess in my mind I assume Hash already knows anything that I do.
To be clear, I can work on the kexec stuff. I need a bypass for the module sha1sum check in the stock kernel. Can't load the kexec modules with that in place.

Hashcode
Keep up the good work.
I don't know much about the kernel stuff, but maybe you could disguise the kexec module as the original sha1 sum. Basically tricking the system into thinking everything is normal?
Sent from my GT-I9505G using xda app-developers app

Hashcode, let me know if there is anything I can help with. I'm going to download the kernel source and see if I can find anything.
Sent from my GT-N5110 using XDA Premium 4 mobile app

Jraider44 said:
I don't know much about the kernel stuff, but maybe you could disguise the kexec module as the original sha1 sum. Basically tricking the system into thinking everything is normal?
The SHA-1 hash attached to the module is a keyed hash. It uses a private key that Samsung owns and hopefully carefully protects. That key is used to sign the module. The resulting hash demonstrates both that the file comes from Samsung and that it hasn't been tampered with.
You could try to figure out a way to alter the new binary so that the hash still verifies, but that's a very difficult thing to do, where "very difficult" means firing up a few million computers for thousands of years to try to find a collision.
That's why hashcode is looking for a way to bypass the signature verification. That's much more likely to be practical.

Hashcode said:
To be clear, I can work on the kexec stuff. I need a bypass for the module sha1sum check in the stock kernel. Can't load the kexec modules with that in place.
Hash, to be clear, you essentially need an entire boot.img bypass exploit since aboot checks both the ramdisk and the zImage, correct? And are you planning to use the boot.img Linux kernel and not the recovery kernel, or both?
Sent from my SCH-I545 using xda app-developers app

Surge1223 said:
Hash, to be clear, you essentially need an entire boot.img bypass exploit since aboot checks both the ramdisk and the zImage, correct? And are you planning to use the boot.img Linux kernel and not the recovery kernel, or both?
Sent from my SCH-I545 using xda app-developers app
That would work (i.e., loki), or a kernel memory overwrite vulnerability is needed to patch the verification function.

jeboo said:
That would work (i.e., loki), or a kernel memory overwrite vulnerability is needed to patch the verification function.
What if we just brute forced Samsung's signing key? I know that would take A LONG TIME to try and crack that algorithm, but I bet we all can donate CPU cycles for the project. I have about 3 computers running that can help.
(well, that depends if it's possible to bruteforce a SHA1 check.)
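As an added illustration of the two points raised above (jeboo's: a keyed hash over the module contents detects any change; tommydrum's: guessing the key by donated CPU time), the following Python is not from this thread or from any Samsung code. It models the check as HMAC-SHA1, a simplification of the signature scheme jeboo describes; the key, module bytes and machine counts are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor signing key. A real key never leaves the vendor;
# the device only needs what is required to verify a tag, never to produce one.
DEMO_KEY = b"constructed-demo-key-not-any-real-vendor-key"

# Constructed stand-in for a kernel module image (not a real .ko file).
DEMO_MODULE = b"\x7fELF" + b"demo-kexec-module-body" * 8


def sign_module(module: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Keyed SHA-1 tag (HMAC-SHA1) over the module contents.

    Only the bytes go in: the file name is not an input, which is why renaming a
    file (for example to update.zip) changes nothing about whether it verifies.
    """
    return hmac.new(key, module, hashlib.sha1).digest()


def verify_module(module: bytes, tag: bytes, key: bytes = DEMO_KEY) -> bool:
    """Recompute the tag and compare in constant time (no early exit on mismatch)."""
    return hmac.compare_digest(sign_module(module, key), tag)


def flip_byte(data: bytes, offset: int) -> bytes:
    """Return a copy of data with one bit of one byte changed, modelling a patched module."""
    patched = bytearray(data)
    patched[offset] ^= 0x01
    return bytes(patched)


def tamper_is_detected(module: bytes, tag: bytes, offset: int) -> bool:
    """True when the original verifies and a single-byte change at offset does not."""
    return verify_module(module, tag) and not verify_module(flip_byte(module, offset), tag)


def brute_force_years(key_bits: int, machines: int, guesses_per_second: float) -> float:
    """Expected wall-clock years to find a uniformly random key_bits key by trial.

    Expected work is half the key space, 2**(key_bits - 1) guesses, spread over
    all donated machines.
    """
    seconds_per_year = 365 * 24 * 60 * 60
    expected_guesses = 2 ** (key_bits - 1)
    return expected_guesses / (machines * guesses_per_second * seconds_per_year)


if __name__ == "__main__":
    tag = sign_module(DEMO_MODULE)
    print("original verifies:", verify_module(DEMO_MODULE, tag))
    print("one-byte patch verifies:", verify_module(flip_byte(DEMO_MODULE, 10), tag))
    # Constructed figures: 3 million donated machines, each trying a billion keys
    # per second, against a 128-bit key (shorter than a real signing key).
    print(f"years to brute-force: {brute_force_years(128, 3_000_000, 1e9):.3e}")
```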

tommydrum said:
What if we just brute forced Samsung's signing key? I know that would take A LONG TIME to try and crack that algorithm, but I bet we all can donate CPU cycles for the project. I have about 3 computers running that can help.
(well, that depends if it's possible to bruteforce a SHA1 check.)
I've temporarily gotten the Dev. recovery to flash but haven't been able to repeat the procedure as of yet. Hopefully I wasn't hallucinating. Have been trying to repeat the result for the last 3 days...

Surge1223 said:
I've temporarily gotten the Dev. recovery to flash but haven't been able to repeat the procedure as of yet. Hopefully I wasn't hallucinating. Have been trying to repeat the result for the last 3 days...
Oh, I hope you weren't hallucinating either.. that would be really cool if that worked.

tommydrum said:
Oh, I hope you weren't hallucinating either.. that would be really cool if that worked.
It would be way more than cool, if you have any idea of the implications it would have.
Sent from my SCH-I545 using xda app-developers app

jeboo said:
That would work (i.e., loki), or a kernel memory overwrite vulnerability is needed to patch the verification function.
Yep, I was thinking of a kernel memory exploit to overwrite the verification function or the keyed hash memory.

Hashcode said:
Yep, I was thinking of a kernel memory exploit to overwrite the verification function or the keyed hash memory.
That'll work
Just keep in mind, a few of us are willing to donate computer power on cracking that sum if you ever want to hack up a small program/script to work on that.
Again, good work on safestrap, very "outside the box" thinking there

tommydrum said:
That'll work
Just keep in mind, a few of us are willing to donate computer power on cracking that sum if you ever want to hack up a small program/script to work on that.
Again, good work on safestrap, very "outside the box" thinking there
I am more than willing to donate SEVERAL computers worth of power...happy to help in any way I can.

Dollyllama said:
I am more than willing to donate SEVERAL computers worth of power...happy to help in any way I can.
I'll be more than willing to do the same.
Sent from my SCH-I545 using xda app-developers app

You know what would actually help? If we had people post what they had reverse engineered from the kernels so far. All this stuff is so tedious
Sent from my cm_tenderloin using xda app-developers app

Surge1223 said:
You know what would actually help? If we had people post what they had reverse engineered from the kernels so far. All this stuff is so tedious
Sent from my cm_tenderloin using xda app-developers app
Well, the kernel is open src, so exploits can be found there. I guess if you're trying to find a vuln in a driver, then you would need to do some reverse engineering.
Sent from my SAMSUNG-SGH-I337 using xda app-developers app

jeboo said:
Well, the kernel is open src, so exploits can be found there. I guess if you're trying to find a vuln in a driver, then you would need to do some reverse engineering.
Sent from my SAMSUNG-SGH-I337 using xda app-developers app
Trying to see if there are any locations calling the kernel that can be exploited. I'm not a pro with IDA either, so it usually takes me a while to get useful info out of it.
Sent from my SCH-I545 using xda app-developers app

jeboo said:
Well, the kernel is open src, so exploits can be found there. I guess if you're trying to find a vuln in a driver, then you would need to do some reverse engineering.
Sent from my SAMSUNG-SGH-I337 using xda app-developers app
Basically what Hash is trying to do is find some exploit to get away with installing a modified kernel with his kexec mod... the exploit will lie in the verifications the bootloader does (SHA1 checks) on the kernel. Hash specifically wants to find a glitch before the kernel checks, to be able to modify the outcome of the check. He wants it to always impersonate a legit kernel, even if it's not.

Reverse Engineered Redbend

Presenting bmlunlock. Unlocks bml7 for writing to it via dd.
http://github.com/CyanogenMod/android_device_samsung_bmlunlock
Nice! Thanks Koush.. it's about time you did some actual work around here..
lol brandon. you know better. he pushed out 2 updates to CWM for us in less than ten minutes last night!
Yeah, I was just kidding. What really makes this useful is this bmunlock and the updated adb access via recovery. Very slick.
Hey, would it be possible to use this to flash the kernel of a Fascinate from a Mac? If so, could you guys give a quick explanation of how? Us Mac users are itching to get ready for ROMs.
If someone can do the terminal write-up for the bmlunlock kernel flash on Windows, we can probably figure out how to do it on our Macs..... anyone? Please.
Well first somebody needs to cross-compile that .c source from github for android.
I don't have the tools to do that ATM, but I'll work on that.
From the README on koush's github it looks like you just run the bmlunlock executable on the device, which unlocks the partition, and then use dd to flash the kernel zImage contained within the tar.zip posted here: forum.xda-developers.com/showthread.php?t=787168
I'll work on this on my Fasc and post clearer instructions if I'm successful.
You rule Koush! Missing your work since i switched from the Droid to Fascinate. Thanks a lot keep it up!
I'm sorry, but what exactly is this?
If you don't know, you don't need it.
It allows devs to flash kernels directly.
adrynalyne said:
If you don't know, you don't need it.
It allows devs to flash kernels directly.
Well... guess I don't need it. LMFAO! ... Moving on.
The fascinate needs it.
Sent from my SCH-I500 using XDA App
keith.mcintyre26 said:
The fascinate needs it.
Sent from my SCH-I500 using XDA App
Redbend works as well.
Sent from my SCH-I500 using XDA App
adrynalyne said:
If you don't know, you don't need it.
It allows devs to flash kernels directly.
Ah. Then I don't need it. I appreciate the work Koush, but I don't know a thing about programming and I'm not a dev.
How do I compile it for the GB kernel? Do I just need to use the cross compiler?
We have an issue with the Pop Plus (GT-S5570I) flashing kernels via zip files. Sometimes they do not flash at all. Other times they do. It is a real pain in the butt.
Miche1asso said:
How do I compile it for the GB kernel? Do I just need to use the cross compiler?
We have an issue with the Pop Plus (GT-S5570I) flashing kernels via zip files. Sometimes they do not flash at all. Other times they do. It is a real pain in the butt.
Look at the date of the last response... 2010...
For gingerbread, you can use bmlwrite instead of redbend:
https://github.com/CyanogenMod/andr...s-common/blob/gingerbread/bmlutils/bmlwrite.c
bhundven said:
Look at the date of the last response... 2010...
For gingerbread, you can use bmlwrite instead of redbend:
https://gist.github.com/CyanogenMod...s-common/blob/gingerbread/bmlutils/bmlwrite.c
I know… But that is what we have in our custom ROMs and I was hoping someone could still answer, as you did.
I'll check bmlwrite. Thanks!!

Bootloader Partially Locked?

I noticed that the community has not successfully made a kernel that works without doing a boot-loop. Could it be possible that there is an eFuse-ish type security measure, like the Droid 2 and X, that prevents users from loading custom kernels, that Verizon implemented? That's the only explanation I can think of for why we are having issues with our Galaxy versus other carriers' versions.
Sent from my SCH-I500 using XDA App
Samsung gave us a BUNK defconfig
the bootloader's not locked, kernel isn't signed
I've got a working kernel that boots, but the accelerometer is screwed up
jt1134 said:
Samsung gave us a BUNK defconfig
the bootloader's not locked, kernel isn't signed
I've got a working kernel that boots, but the accelerometer is screwed up
Sorry for my next noobish question but has anybody sent an email to Samsung about getting a fixed source code or is it pointless until 2.2 drops?
Sent from my SCH-I500 using XDA App
pointless? I guess that depends on who you ask. But yes, Samsung has received much electronic mail from smartphone enthusiasts over the past few weeks.
jt1134 said:
pointless? I guess that depends on who you ask. But yes, Samsung has received much electronic mail from smartphone enthusiasts over the past few weeks.
I will talk to my Samsung rep to see if there is anybody I could escalate this to in their North America branch to get this fixed, but highly unlikely though.
Sent from my SCH-I500 using XDA App
@Jt
I will be back on IRC tomorrow, but I have the accelerometer fixed on my kernel, just no wifi, bluetooth or sound still. Have you found a fix for any of these, or are you still using my config?
AFAICT everything works now. I started with your config as a base
jt1134 said:
AFAICT everything works now. I started with your config as a base
This is good news, no?
Very nice gang.. I will block off some time for sure to stop in and see what's shakin' this evening..
Dirrk.. what initramfs are you using? I was able to compile with yamaha_b5 and your ramdisk, then I got the no sound/orientation/etc.. However it seems when JT compiles, he uses koush's ramdisk, and gets sound (orientation still off).
If I compile with b5_yamah + koush ramdisk (from his git), Odin fails to flash every time. If I switch back to your ramdisk, odin flashes, kernel boots, etc..
Sounds like you guys are making some good progress. Thanks for your hard work. Can't wait to be able to overclock this sucker.
jt1134 said:
AFAICT everything works now. I started with your config as a base
Are you using a different ramdisk to get it fixed as mentioned below v
namebrandon said:
Very nice gang.. I will block off some time for sure to stop in and see what's shakin' this evening..
Dirrk.. what initramfs are you using? I was able to compile with yamaha_b5 and your ramdisk, then I got the no sound/orientation/etc.. However it seems when JT compiles, he uses koush's ramdisk, and gets sound (orientation still off).
If I compile with b5_yamah + koush ramdisk (from his git), Odin fails to flash every time. If I switch back to your ramdisk, odin flashes, kernel boots, etc..
Can you send me koush's ramdisk. I have been out of town working for the past few days
Dirrk said:
Can you send me koush's ramdisk. I have been out of town working for the past few days
Maybe JT or someone at a linux box can tar it up if you need it as an archive.. I don't have any git software here at work..
http://github.com/koush/fascinate_initramfs
namebrandon said:
Maybe JT or someone at a linux box can tar it up if you need it as an archive.. I don't have any git software here at work..
http://github.com/koush/fascinate_initramfs
Thanks man, wow, after rereading your OP it says it's on koush's git lol
Quick question, I've gotten ROM building down with CWM and Amon Ra, but now I want to dabble in kernel modding, and I want to get a general preference on where everybody started.
Sent from my SCH-I500 using XDA App

A question that I believe many want an answer to.

I personally think that a bunch of people who come across custom ROMs for their 4.0 Galaxy Players ask themselves this question: "why aren't there very many ROMs for my device that are simply flashed through ClockworkMod recovery?" Is it because this device is not very popular? Is it because not very many people know how to put a custom ROM in a CWM package? In no way do I want to sound rude, but when I have to flash multiple things onto my device from my computer in order for the ROM to work right as well as not brick my device, it just ruins it for me. There is nothing wrong with ROMs that require a computer to install, but I personally think that with all those instructions that might not be too clear on what you are supposed to do, something is bound to go wrong.
Sent from my YP-G1 using xda app-developers app
NATO556 said:
I personally think that a bunch of people who come across custom ROMs for their 4.0 Galaxy Players ask themselves this question: "why aren't there very many ROMs for my device that are simply flashed through ClockworkMod recovery?" Is it because this device is not very popular? Is it because not very many people know how to put a custom ROM in a CWM package? In no way do I want to sound rude, but when I have to flash multiple things onto my device from my computer in order for the ROM to work right as well as not brick my device, it just ruins it for me. There is nothing wrong with ROMs that require a computer to install, but I personally think that with all those instructions that might not be too clear on what you are supposed to do, something is bound to go wrong.
Sent from my YP-G1 using xda app-developers app
It's not that it can't be done, but in the case of ICS for the 4.0, it's a bug in the kernel that forces us to flash a kernel from Heimdall. If this bug was not here, the ROM would simply be flashed with CWM. So the answer is: it's not because devs don't want to do it like this, it's because they can't.
Couldn't they fix it?
Sent from my YP-G1 using xda app-developers app
NATO556 said:
Couldn't they fix it?
Sent from my YP-G1 using xda app-developers app
They don't fix it because they don't know what is broken; this is not a choice. It is not that easy to find what is causing a bug and to repair it. You should be a little more thankful for what you already have, because without them there would be no custom ROM and no recovery. If you really want it so bad, just go ahead and fix it, then share it with the devs and they will include it.
ti-pich said:
They don't fix it because they don't know what is broken; this is not a choice. It is not that easy to find what is causing a bug and to repair it. You should be a little more thankful for what you already have, because without them there would be no custom ROM and no recovery. If you really want it so bad, just go ahead and fix it, then share it with the devs and they will include it.
The problem is that the param.lfs isn't getting updated, probably because their kernel isn't compatible with Samsung's proprietary param.ko (so the bootloader still thinks you're in recovery). If it's not, there's nothing that can be done about it. If it is, they should include that module in the ramdisk and insmod it with init.rc, and the recovery bootloop will be gone.
Mevordel said:
The problem is that the param.lfs isn't getting updated, probably because their kernel isn't compatible with Samsung's proprietary param.ko (so the bootloader still thinks you're in recovery). If it's not, there's nothing that can be done about it. If it is, they should include that module in the ramdisk and insmod it with init.rc, and the recovery bootloop will be gone.
You seem to know what you're talking about; maybe you could explain this to zaclimon. The last time I tried to help him he was trying to change the OneNAND driver so the device has the right partition layout. It would be nice to get rid of that bootloop.
ti-pich said:
You seem to know what you're talking about; maybe you could explain this to zaclimon. The last time I tried to help him he was trying to change the OneNAND driver so the device has the right partition layout. It would be nice to get rid of that bootloop.
Well, that's part of it too. I think on the 4.0 the problem may be more complicated than that, due to its storage layout (I have the 5.0), but rest assured the devs are working on it.
Please let me know when they fix this bug what I need to do from there.
Sent from my YP-G1 using xda app-developers app
Mevordel said:
The problem is that the param.lfs isn't getting updated, probably because their kernel isn't compatible with Samsung's proprietary param.ko (so the bootloader still thinks you're in recovery). If it's not, there's nothing that can be done about it. If it is, they should include that module in the ramdisk and insmod it with init.rc, and the recovery bootloop will be gone.
There's this, but mostly because we change the partition (we completely ditch the j4fs support). Also the bootloaders expect to run BML/STL partitions, so the bootmode isn't cleared. The thing that teamhacksung made is a partition named reservoir that would handle all the bad blocks. This partition is used to flash the boot partition, which is the kernel one. This is still an ongoing experiment for me, but I'll try to compile a CM9 with this new type of flashing. An example of the partition layout is here:
https://github.com/CyanogenMod/andr...ung-3.0-ics/drivers/mtd/onenand/samsung_gsm.h
I may be missing some things too, but this is the simplified version.
Also NATO, I do know how you feel about it and I'm trying to do my best (with han and oisis gone) to solve everything as soon as I can. (Don't forget that I have school too.)
Sent from my Nexus 7 using Tapatalk HD
Actually most of the GB ROMs for the 4.0 are CWM flashable zips,
http://forum.xda-developers.com/showthread.php?t=1834375
http://forum.xda-developers.com/showthread.php?t=1718339 (older versions)
http://forum.xda-developers.com/showthread.php?t=1821860
http://forum.xda-developers.com/showthread.php?t=1895629
http://forum.xda-developers.com/showthread.php?t=1884557
http://forum.xda-developers.com/showthread.php?t=1719685
http://forum.xda-developers.com/showthread.php?t=1759949 (several ROMs)
http://forum.xda-developers.com/showthread.php?t=1825281
There are 2 or 3 more ROMs that are CWM zips, but they're based on the OLD CM7 port, and with no deep sleep they're not worth the time IMO (not the porting devs' fault, it was a known issue of the CM7 base).
NOT ENOUGH FOR YOU?
The ones that aren't are because of data corruption issues.
As for ICS, well thats been covered.
Thank you guys for all you do. I really am thankful to have a website like this one to turn to for help.
Sent from my YP-G1 using xda app-developers app
As soon as the glitch is fixed please let me know. Another question, will there ever be an official CWM release on the player? And will Tardis_Balor update the Terra Silent Kernel once the glitch is corrected?
Sent from my YP-G1 using xda app-developers app
Also, why is hanthesolo's ethereal tomorrow not on this list?
Sent from my YP-G1 using xda app-developers app
rom*
Sent from my YP-G1 using xda app-developers app
BTW, the link for v2.0 of Icy Fusion is dead.
Sent from my YP-G1 using xda app-developers app

[Bounty Discussion] Bootloader bounty discussion thread

In order to help make openyoureyes' life a little easier, feel free to discuss your issues with the bootloader here. Please pledge to the bootloader unlock bounty to motivate the talented individuals to keep this phone from being locked down. Link is here: http://forum.xda-developers.com/showthread.php?t=2359090
I for one have gained so much knowledge and help from this thread, I gladly donated. Also support your Devs that give you the roms that make our phones awesome.
Thread is long overdue...too much crap in the other thread.
Thanks for opening this. I for one am pretty content with my S4 overall..... but only because I'm running darkslide ME7.
I feel terrible for those of you who are unable to run custom roms. The bigger issue here for all of us is what will be coming in the future? Will I buy another Samsung device after this debacle? I'm not sure.
I have been contemplating leaving Verizon for T-Mobile because of this nightmare...
I think the lesson to learn here is to never buy a locked device again, and never buy a flagship phone in its debut...because the company is just going to release a developer edition a month later and give us all the shaft.
My .02 cents
Sent from my SCH-I545 using xda premium
I read something on here about "do not flash the latest update" less than 1 minute after starting the update. I actually contemplated doing a battery pull in the middle of it. In the end I just let it ride. Hope I made the right decision.
I wonder how many people that said "I'm willing to lose root, I'm just going to take the update" are now trying to return their phones or *****ing about not having root.
slak? said:
I read something on here about "do not flash the latest update" less than 1 minute after starting the update. I actually contemplated doing a battery pull in the middle of it. In the end I just let it ride. Hope I made the right decision.
I got mine a week ago and did the same thing. Going to take it back to Microcenter and exchange for a White one just to try and get MDK.
lycwolf said:
I got mine a week ago and did the same thing. Going to take it back to Microcenter and exchange for a White one just to try and get MDK.
Microcenter is the greatest place on earth.
Sent from my SCH-I545 using Tapatalk 2
Guys, it's happening again. Stop having conversation. The devs don't care where you got your phone, or how it is, or if you're going to return it. Keep this discussion to a minimum; otherwise just go back to the original forum or PM each other. Unless you found how to unlock the bootloader or recovery, or you are adding to the bounty, then don't reply to anything else or post anything here. We are trying to keep this short, clean and easy for devs. Thanks.
Sent from my SCH-I545 using xda app-developers app
zagan131313 said:
Guys, it's happening again. Stop having conversation. The devs don't care where you got your phone, or how it is, or if you're going to return it. Keep this discussion to a minimum; otherwise just go back to the original forum or PM each other. Unless you found how to unlock the bootloader or recovery, or you are adding to the bounty, then don't reply to anything else or post anything here. We are trying to keep this short, clean and easy for devs. Thanks.
Sent from my SCH-I545 using xda app-developers app
Why post bounty in here when there's a thread for that? The majority of ppl coming here are not "devs".. it's supposed to be discussion so the discussion isn't in the bounty thread.. talking about being on ME7 is directly related to the bounty thread as ppl are anxiously hoping/waiting for an awesome dev to help us. But IMO, it'd be harder for openyoureyes to now search through two threads to track the bounty $.. good job!
Sent from my SCH-I545 using xda app-developers app
zagan131313 said:
Guys, it's happening again. Stop having conversation. The devs don't care where you got your phone, or how it is, or if you're going to return it. Keep this discussion to a minimum; otherwise just go back to the original forum or PM each other. Unless you found how to unlock the bootloader or recovery, or you are adding to the bounty, then don't reply to anything else or post anything here. We are trying to keep this short, clean and easy for devs. Thanks.
Sent from my SCH-I545 using xda app-developers app
This is the discussion thread. Perhaps you meant to say that in the actual bounty thread.
JUST A THEORY!!
I just came over from the T-Mobile GS2 T989, unaware of the BS going on with ME7.
With the limited amount of research, this is my theory.
Could I Odin the MD2 kernel onto my ME7 device, download a rooted MDK ROM, rename it update.zip and flash it in stock recovery, then flash the MDK kernel to reset it so I can root it with custom recovery?
Sent from my SCH-I545 using xda app-developers app
biglil1 said:
JUST A THEORY!!
I just came over from the T-Mobile GS2 T989, unaware of the BS going on with ME7.
With the limited amount of research, this is my theory.
Could I Odin the MD2 kernel onto my ME7 device, download a rooted MDK ROM, rename it update.zip and flash it in stock recovery, then flash the MDK kernel to reset it so I can root it with custom recovery?
Sent from my SCH-I545 using xda app-developers app
You can't Odin back to any previous kernel at all. That's the main issue with this ME7 update.
biglil1 said:
JUST A THEORY!!
I just came over from the T-Mobile GS2 T989, unaware of the BS going on with ME7.
With the limited amount of research, this is my theory.
Could I Odin the MD2 kernel onto my ME7 device, download a rooted MDK ROM, rename it update.zip and flash it in stock recovery, then flash the MDK kernel to reset it so I can root it with custom recovery?
Sent from my SCH-I545 using xda app-developers app
I think that would have been discovered already lol.. once updated to ME7, as far as I know you can't Odin anything back to MDK.. just renaming the file doesn't change the contents of it.
Sent from my SCH-I545 using xda app-developers app
The most I can think of to make this thing work is to somehow change the requirements that this update looks for in recovery, bootloader, etc. But that's up to the devs, as I have no knowledge in Android developing.
How come we don't have a recovery yet? I understand an unlock, but isn't a recovery easier to make too? I remember all the other phones I had (Droid 2, RAZR MAXX), the recovery came out right when the root did.
elliwigy said:
..... just renaming the file doesn't change the contents of it.
Sent from my SCH-I545 using xda app-developers app
It's to my understanding that in order to flash in stock recovery you have to rename the file to update.zip; I understand that it doesn't change the contents of that file, but (correct me if I'm wrong) that's the only way stock recovery will recognize it.
Thank you for your explanation, appreciate it.
Sent from my SCH-I545 using xda app-developers app
biglil1 said:
It's to my understanding that in order to flash in stock recovery you have to rename the file to update.zip; I understand that it doesn't change the contents of that file, but (correct me if I'm wrong) that's the only way stock recovery will recognize it.
Thank you for your explanation, appreciate it.
Sent from my SCH-I545 using xda app-developers app
It would most likely give status 7 or error out.. there's more to it than renaming the file to get it to flash through stock recovery...
Sent from my SCH-I545 using xda app-developers app
resurektz said:
How come we don't have a recovery yet? I understand an unlock, but isn't a recovery easier to make too? I remember all the other phones I had (Droid 2, Razr Maxx): the recovery came out right when the root did.
Droid 2 had a bootstrap, if I recall.
Not sure about razr maxx.
Since you need it to boot INTO the recovery, you need to be able to unlock the bootloader and change how it boots up.
Some devices have vulnerabilities with the bootloader that allow it to be bypassed, like a bootstrap etc.
Phatdawg said:
Droid 2 had a bootstrap, if I recall.
Not sure about razr maxx.
Since you need it to boot INTO the recovery, you need to be able to unlock the bootloader and change how it boots up.
Some devices have vulnerabilities with the bootloader that allow it to be bypassed, like a bootstrap etc.
Razr Maxx has Safestrap; it's different than the other recoveries.
Question: is the bounty "good faith", or is there some account for it?
Sent from my SCH-I545 using xda app-developers app

Big news involving kernel modules (info inside)

Great news!
Developer jeboo from over at the Verizon S4 forum was successfully able to insert a modified stock kernel module without issue on MK2 (an older S4 build, but with Knox.)
What does this mean? Well, for one, it means that there is a possibility of kexec (custom kernels), but certain things need to be accomplished first. We need to figure out if we can exploit modified modules, as opposed to inserting a new module (which I'm not sure has been attempted yet using the put/get user exploit.) Jeboo is posting the code on github for developers out there. He is going to try on MJ7 next, as he has only attempted MK2 so far. The exploit was patched in October/November I believe, so there is a possibility MJ7 and MJE may be vulnerable. I will post the link for his github when it becomes available. Keep in mind there's much more we can accomplish besides kexec with kernel modules also.
Source: Here
Oh, now that would be totally awesome. The only thing I'm really missing is a fast charge kernel; that would really solve the last of my problems.
ryanbg said:
Great news!
Developer jeboo from over at the Verizon S4 forum was successfully able to insert a modified stock kernel module without issue on MK2 (an older S4 build, but with Knox.)
What does this mean? Well, for one, it means that there is a possibility of kexec (custom kernels), but certain things need to be accomplished first. We need to figure out if we can exploit modified modules, as opposed to inserting a new module (which I'm not sure has been attempted yet using the put/get user exploit.) Jeboo is posting the code on github for developers out there. He is going to try on MJ7 next, as he has only attempted MK2 so far. The exploit was patched in October/November I believe, so there is a possibility MJ7 and MJE may be vulnerable. I will post the link for his github when it becomes available. Keep in mind there's much more we can accomplish besides kexec with kernel modules also.
Source: Here
Awesome news!! A lot of doors can be opened with that.
Sent from my SM-N900V using Tapatalk
I loved custom kernels on the Note 2 since they could be overclocked and had a lot of other useful features.
I had been wondering why the Note 3 didn't have any custom kernels, yet did have other custom ROMs.
http://forum.xda-developers.com/showthread.php?t=2578566
Sent from my SM-N900V using Tapatalk
Sweet
Sent from my SM-N900V using Tapatalk
This is good news.
Sent from my SM-N900V using Tapatalk
I don't mean to be the Debbie Downer but... This is irrelevant, because kernel modules are disabled completely in the Note 3. @ryanbg
Sent from my SM-N900V using Tapatalk
Brandonrz said:
I don't mean to be the Debbie Downer but... This is irrelevant, because kernel modules are disabled completely in the Note 3. @ryanbg
Sent from my SM-N900V using Tapatalk
Hashcode stated he was looking into this... Who knows what will come from this
2swizzle said:
Hashcode stated he was looking into this... Who knows what will come from this
Absolutely nothing. The only thing you can do is enter kernel modules and still be able to flash, which leaves a possibility that a kexec module could be inserted. Our kernel disables kernel modules, so there is no possibility for a kexec module to be inserted. And even if there was something the get/put exploit could do for us, chances are it was patched, most likely on MJE or MJ7. He said he'll see what he can do with this; he was talking about the S4. Even ask @Hashcode himself.
Sent from my SM-N900V using Tapatalk
Brandonrz said:
Absolutely nothing. The only thing you can do is enter kernel modules and still be able to flash, which leaves a possibility that a kexec module could be inserted. Our kernel disables kernel modules, so there is no possibility for a kexec module to be inserted. And even if there was something the get/put exploit could do for us, chances are it was patched, most likely on MJE or MJ7. He said he'll see what he can do with this; he was talking about the S4. Even ask @Hashcode himself.
Sent from my SM-N900V using Tapatalk
You can modify stock kernel modules without triggering signature verification, which makes inserting a new module redundant, at least for our purpose. MJE and prior kernels are most likely not patched as it was compiled on Nov. 11. The S4 and Note 3 are almost identical, so this is likely reproducible. I am sending an MJE boot.img to jeboo to take a look at. You should take a look at his code on github. He also tested this successfully on MJ7 for S4.
"The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013."
From CVE-2013-6282
Verizon MJE Note 3 kernel was compiled on November 11th.
This is the exploit that jeboo is using. Here
I tested inserting a modified stock module and one I compiled. Btw, if you wanna use the modules from the kernel source tree, be sure to add
by jeboo from his exploit thread.
It's also important to note that if this does have any success on our device, it would be advisable to not update.
ryanbg said:
You can modify stock kernel modules without triggering signature verification, which makes inserting a new module redundant, at least for our purpose. MJE and prior kernels are most likely not patched as it was compiled on Nov. 11. The S4 and Note 3 are almost identical, so this is likely reproducible. I am sending an MJE boot.img to jeboo to take a look at. You should take a look at his code on github. He also tested this successfully on MJ7 for S4.
"The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013."
From CVE-2013-6282
Verizon MJE Note 3 kernel was compiled on November 11th.
This is the exploit that jeboo is using. Here
by jeboo from his exploit thread.
It's also important to note that if this does have any success on our device, it would be advisable to not update.
This is indeed great news. A lot of amazing devs out there! Unfortunately for me, I sold my Note 3 and the dev edition is back ordered :/
If I fire up a terminal the modprobe and insmod commands are both there. @Brandonrz was saying that our kernel disables kernel modules, but why then are those commands available?
I am still on MI9 and I took an MI9 boot.img, extracted its contents and loaded the zImage file into IDA but I am in unfamiliar territory here. I searched for strings with "auth" in them and didn't see anything with lkmauth. Maybe that's because loadable kernel modules are, as @Brandonrz was saying, disabled. Obviously someone with more experience and knowledge of IDA would be beneficial here.
I'm at work now, but I plan on writing a simple kernel module to try and load it using modprobe to see what kind of output I get.
I know this isn't much, but thought I would at least contribute. Please don't get any false hope from this post, not much here.
lkspencer said:
I know this isn't much, but thought I would at least contribute. Please don't get any false hope from this post, not much here.
Irregardless, lol, thanks for keeping up with the fight!
Sent from my SM-N900V using Tapatalk
OK, to follow up to my previous post...I built a simple module and tried to load it using insmod which fired off an error about Function not implemented. So modules are definitely disabled for our kernel (turns out there's a much easier way to tell this, ::facepalm:: ). I guess insmod and modprobe are included despite the kernel config being set to not support modules. Sorry, I know this is repeat info for more experienced devs.
I'm going to leave this one alone, but I'm interested to learn more about the process as jeboo and other devs work on the GS4 solution.
lkspencer said:
OK, to follow up to my previous post...I built a simple module and tried to load it using insmod which fired off an error about Function not implemented. So modules are definitely disabled for our kernel (turns out there's a much easier way to tell this, ::facepalm:: ). I guess insmod and modprobe are included despite the kernel config being set to not support modules. Sorry, I know this is repeat info for more experienced devs.
I'm going to leave this one alone, but I'm interested to learn more about the process as jeboo and other devs work on the GS4 solution.
I didn't want to say anything but... Sorry, I want it as much as anyone else.
Sent from my SM-N900V using Tapatalk
The MJE kernel patched the exploit for you guys, sorry, and I'm not just saying that: I know this from personally looking at the kernel source and the patch for the exploit. I tried forever to get you guys Saferoot. The interesting thing is that Kingo still gets root for you guys with an as-of-yet undiscovered exploit..
Sent from my SCH-I545 using XDA Premium 4 mobile app
Brandonrz said:
I didn't want to say anything but... Sorry, I want it as much as anyone else.
Sent from my SM-N900V using Tapatalk
That's ok, it was a good learning experience for me. I've got quite a bit to learn for this stuff. I'm a developer by trade, but this is a different ball field for me.
---------- Post added at 08:59 AM ---------- Previous post was at 08:48 AM ----------
Surge1223 said:
The MJE kernel patched the exploit for you guys, sorry, and I'm not just saying that: I know this from personally looking at the kernel source and the patch for the exploit. I tried forever to get you guys Saferoot. The interesting thing is that Kingo still gets root for you guys with an as-of-yet undiscovered exploit..
Sent from my SCH-I545 using XDA Premium 4 mobile app
So since I am still on MI9 I can still use this exploit right? Is it possible to use it to make some kind of rootkit? I don't know to what end, just asking to learn.
lkspencer said:
That's ok, it was a good learning experience for me. I've got quite a bit to learn for this stuff. I'm a developer by trade, but this is a different ball field for me.
---------- Post added at 08:59 AM ---------- Previous post was at 08:48 AM ----------
So since I am still on MI9 I can still use this exploit right? Is it possible to use it to make some kind of rootkit? I don't know to what end, just asking to learn.
Honestly, I don't know if it was MJE. It was whatever was the latest Samsung open source kernel they released at the time. We tested on the dev MJ3 kernel as well and that didn't work. But you have to edit the source with your kernel's info. I'd say if your output from cat /proc/version is early October or before, then maybe.
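The two checks the last few posts describe, whether the kernel has loadable-module support at all (lkspencer's insmod experiment) and whether the kernel build date in /proc/version falls before the month the fix landed (Surge1223's suggestion), written up as an added shell example for this thread. This is not code posted by any thread member or by jeboo. It assumes the standard six-word build timestamp at the end of /proc/version ("Dow Mon DD HH:MM:SS TZ YYYY") and uses the presence of /proc/modules, which the kernel only registers when CONFIG_MODULES=y, as the module-support indicator; the two sample version lines are constructed, not real device output.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any of its members.
# Two defender-side checks from the discussion above:
#   1. does the running kernel support loadable modules at all?
#      /proc/modules is only registered when CONFIG_MODULES=y, so its
#      absence is a cheaper test than trying insmod and reading the error.
#   2. was the kernel built before a given month/year? This reads the
#      build timestamp from a /proc/version line, as suggested above.
# Assumption: the timestamp tail of /proc/version has the usual six-word
# form "Dow Mon DD HH:MM:SS TZ YYYY" written by the kernel's compile.h.

# Map a three-letter English month name to 1..12; unknown names give 0.
month_num() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *)   echo 0 ;;
    esac
}

# Print "YYYY MM" for a /proc/version line; fail if no month is found.
build_year_month() {
    year=$(printf '%s\n' "$1" | awk '{print $NF}')
    mon=$(month_num "$(printf '%s\n' "$1" | awk '{print $(NF-4)}')")
    [ "$mon" -gt 0 ] || return 1
    printf '%s %s\n' "$year" "$mon"
}

# Exit 0 when the kernel in $1 was built strictly before year $2 / month $3,
# 1 when it was built in or after that month, 2 when the line is unparseable.
built_before() {
    ym=$(build_year_month "$1") || return 2
    # After this: $1=cutoff year $2=cutoff month $3=build year $4=build month
    set -- "$2" "$3" $ym
    if [ "$3" -lt "$1" ]; then
        return 0
    elif [ "$3" -eq "$1" ] && [ "$4" -lt "$2" ]; then
        return 0
    fi
    return 1
}

# Exit 0 when the kernel exposes /proc/modules (CONFIG_MODULES=y).
# The path is a parameter only so the check can be exercised off-device.
has_module_support() {
    [ -e "${1:-/proc/modules}" ]
}

# Constructed sample lines in /proc/version format (not real device output).
SAMPLE_OLD='Linux version 3.4.0-example (build@host) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 SMP PREEMPT Mon Sep 30 10:00:00 KST 2013'
SAMPLE_NEW='Linux version 3.4.0-example (build@host) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 SMP PREEMPT Mon Nov 11 18:21:08 KST 2013'

# On a live Linux box, report both checks against the real kernel,
# using October 2013 as the cutoff month discussed in the thread.
report() {
    if has_module_support; then
        echo "loadable modules: supported (/proc/modules present)"
    else
        echo "loadable modules: not supported (no /proc/modules)"
    fi
    line=$(cat /proc/version)
    built_before "$line" 2013 10 && rc=0 || rc=$?
    case $rc in
        0) echo "kernel built before Oct 2013" ;;
        1) echo "kernel built Oct 2013 or later" ;;
        *) echo "could not parse build date from: $line" ;;
    esac
}

if [ -r /proc/version ]; then
    report
fi
```

Run it on the device from a terminal or adb shell; the cutoff year and month passed to built_before are the only values to change when a different fix date is being assessed.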