Big news involving kernel modules (info inside) - Verizon Galaxy Note 3 General

Great news!
Developer jeboo from over at the Verizon S4 forum was successfully able to insert a modified stock kernel module without issue on MK2 (an older S4 build, but with Knox.)
What does this mean? Well, for one, it means that there is a possibility of kexec (custom kernels), but certain things need to be accomplished first. We need to figure out if we can exploit modified modules, as opposed to inserting a new module (which I'm not sure has been attempted yet using the put/get user exploit.) Jeboo is posting the code on github for developers out there. He is going to try on MJ7 next, as he has only attempted MK2 so far. The exploit was patched in October/November I believe, so there is a possibility MJ7 and MJE may be vulnerable. I will post the link for his github when it becomes available. Keep in mind there's much more we can accomplish besides kexec with kernel modules also.
Source: Here

Oh now that would be totally awesome the only thing I'm really missing is a fast charge kernel that would really solve the last of my problems.
ryanbg said:
Great news!
Developer jeboo from over at the Verizon S4 forum was successfully able to insert a modified stock kernel module without issue on MK2 (an older S4 build, but with Knox.)
What does this mean? Well, for one, it means that there is a possibility of kexec (custom kernels), but certain things need to be accomplished first. We need to figure out if we can exploit modified modules, as opposed to inserting a new module (which I'm not sure has been attempted yet using the put/get user exploit.) Jeboo is posting the code on github for developers out there. He is going to try on MJ7 next, as he has only attempted MK2 so far. The exploit was patched in October/November I believe, so there is a possibility MJ7 and MJE may be vulnerable. I will post the link for his github when it becomes available. Keep in mind there's much more we can accomplish besides kexec with kernel modules also.
Source: Here

Awesome news!! A lot of doors can be opened with that.
Sent from my SM-N900V using Tapatalk

I loved custom kernels on the Note 2 since they could be overclocked and had a lot of other useful features.
I had been wondering why the Note 3 didn't have any custom kernels, yet did have other custom ROMs.

http://forum.xda-developers.com/showthread.php?t=2578566
Sent from my SM-N900V using Tapatalk

Sweet
Sent from my SM-N900V using Tapatalk

This is good news.
Sent from my SM-N900V using Tapatalk

I don't mean to be the Debbie Downer but... This is irrelevant, because kernel modules are disabled completely in the Note 3. @ryanbg
Sent from my SM-N900V using Tapatalk

Brandonrz said:
I don't mean to be the Debbie Downer but... This is irrelevant, because kernel modules are disabled completely in the Note 3. @ryanbg
Sent from my SM-N900V using Tapatalk
Hashcode stated he was looking into this... Who knows what will come from this

2swizzle said:
Hashcode stated he was looking into this... Who knows what will come from this
Absolutely nothing. The only thing you can do is enter kernel modules and still be able to flash, which leaves a possibility that a kexec module could be inserted. Our kernel disables kernel modules, so no possibility for a kexec module to be inserted. And even if there was something the get/put exploit could do for us, chances are it was patched, most likely on MJE or MJ7. He said he'll see what he can do with this; he was talking about the S4. Even ask @Hashcode himself.
Sent from my SM-N900V using Tapatalk

Brandonrz said:
Absolutely nothing. The only thing you can do is enter kernel modules and still be able to flash, which leaves a possibility that a kexec module could be inserted. Our kernel disables kernel modules, so no possibility for a kexec module to be inserted. And even if there was something the get/put exploit could do for us, chances are it was patched, most likely on MJE or MJ7. He said he'll see what he can do with this; he was talking about the S4. Even ask @Hashcode himself.
Sent from my SM-N900V using Tapatalk
You can modify stock kernel modules without triggering signature verification, which makes inserting a new module redundant, at least for our purpose. MJE and prior kernels are most likely not patched as it was compiled on Nov. 11. The S4 and Note 3 are almost identical, so this is likely reproducible. I am sending an MJE boot.img to jeboo to take a look at. You should take a look at his code on github. He also tested this successfully on MJ7 for S4.
"The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013."
From CVE-2013-6282
Verizon MJE Note 3 kernel was compiled on November 11th.
This is the exploit that jeboo is using. Here
I tested inserting a modified stock module and one I compiled. Btw, if you wanna use the modules from the kernel source tree, be sure to add
by jeboo from his exploit thread.
It's also important to note that if this does have any success on our device, it would be advisable to not update.

ryanbg said:
You can modify stock kernel modules without triggering signature verification, which makes inserting a new module redundant, at least for our purpose. MJE and prior kernels are most likely not patched as it was compiled on Nov. 11. The S4 and Note 3 are almost identical, so this is likely reproducible. I am sending an MJE boot.img to jeboo to take a look at. You should take a look at his code on github. He also tested this successfully on MJ7 for S4.
"The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013."
From CVE-2013-6282
Verizon MJE Note 3 kernel was compiled on November 11th.
This is the exploit that jeboo is using. Here
by jeboo from his exploit thread.
It's also important to note that if this does have any success on our device, it would be advisable to not update.
This is indeed great news. A lot of amazing devs out there! Unfortunately for me I sold my Note 3 and the dev edition is back ordered :/

If I fire up a terminal the modprobe and insmod commands are both there. @Brandonrz was saying that our kernel disables kernel modules, but why then are those commands available?
I am still on MI9 and I took an MI9 boot.img, extracted its contents and loaded the zImage file into IDA but I am in unfamiliar territory here. I searched for strings with "auth" in them and didn't see anything with lkmauth. Maybe that's because loadable kernel modules are, as @Brandonrz was saying, disabled. Obviously someone with more experience and knowledge of IDA would be beneficial here.
I'm at work now, but I plan on writing a simple kernel module to try and load it using modprobe to see what kind of output I get.
I know this isn't much, but thought I would at least contribute. Please don't get any false hope from this post, not much here.

I know this isn't much, but thought I would at least contribute. Please don't get any false hope from this post, not much here.
Iregardless, lol, thanks for keeping up with the fight!
Sent from my SM-N900V using Tapatalk

OK, to follow up to my previous post...I built a simple module and tried to load it using insmod which fired off an error about Function not implemented. So modules are definitely disabled for our kernel (turns out there's a much easier way to tell this, ::facepalm:: ). I guess insmod and modprobe are included despite the kernel config being set to not support modules. Sorry, I know this is repeat info for more experienced devs.
I'm going to leave this one alone, but I'm interested to learn more about the process as jeboo and other devs work on the GS4 solution.
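The "Function not implemented" error above is the kernel's ENOSYS for a module-loading syscall that was never compiled in. This added example (not code from the thread) combines the cheaper checks a practitioner would use instead: parse a Kconfig fragment, fall back to the presence of /proc/modules, read kernel.modules_disabled, and decode the errno init_module() returned. The config fragments and errno descriptions are constructed for the example.

```python
import errno
import gzip
import os
import re

# What each errno from init_module()/finit_module() means to the person typing
# insmod. ENOSYS is the "Function not implemented" the post ran into.
# EKEYREJECTED is 129 on Linux; older Python builds may not export the name.
INIT_MODULE_ERRNO = {
    errno.ENOSYS: "kernel built without CONFIG_MODULES: the insmod binary exists but the syscall does not",
    errno.EPERM: "modules supported but loading denied: missing CAP_SYS_MODULE or kernel.modules_disabled=1",
    errno.ENOEXEC: "ELF layout or vermagic mismatch: module built for a different kernel",
    errno.ENOENT: "unresolved symbol or missing dependency",
    getattr(errno, "EKEYREJECTED", 129): "module signature rejected by the kernel's verifier",
}


def explain_errno(err: int) -> str:
    """Human-readable reason for an init_module() failure."""
    return INIT_MODULE_ERRNO.get(err, "errno %d: see init_module(2)" % err)


def parse_config(config_text: str) -> dict:
    """Parse Kconfig-style lines ('CONFIG_X=y', '# CONFIG_X is not set') into {name: value}."""
    opts = {}
    for line in config_text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line.strip())
        if m:
            opts[m.group(1)] = "n"
    return opts


def module_verdict(config_text: str, has_proc_modules: bool, modules_disabled: int) -> str:
    """Combine the three pieces of evidence into one verdict.

    /proc/modules only exists when CONFIG_MODULES=y, so it is the fallback when
    /proc/config.gz is unavailable (common on vendor kernels)."""
    opts = parse_config(config_text)
    if "CONFIG_MODULES" in opts:
        supported = opts["CONFIG_MODULES"] == "y"
    else:
        supported = has_proc_modules
    if not supported:
        return "no module support: CONFIG_MODULES off, insmod fails with ENOSYS"
    if modules_disabled:
        return "module support compiled in but locked: kernel.modules_disabled=1"
    if opts.get("CONFIG_MODULE_SIG_FORCE") == "y":
        return "modules loadable, but only with a valid signature (CONFIG_MODULE_SIG_FORCE=y)"
    return "modules loadable"


def live_probe() -> str:
    """Run the same verdict against the running kernel (Linux only)."""
    try:
        with gzip.open("/proc/config.gz", "rt") as f:
            cfg = f.read()
    except OSError:
        cfg = ""
    try:
        with open("/proc/sys/kernel/modules_disabled") as f:
            disabled = int(f.read().strip())
    except (OSError, ValueError):
        disabled = 0
    return module_verdict(cfg, os.path.exists("/proc/modules"), disabled)


# Constructed config fragments (not dumped from any real device).
NO_MODULES_CFG = "CONFIG_LOCALVERSION=\"-constructed\"\n# CONFIG_MODULES is not set\n"
MODULES_CFG = "CONFIG_MODULES=y\nCONFIG_MODULE_UNLOAD=y\n# CONFIG_MODULE_SIG is not set\n"

if __name__ == "__main__":
    print(module_verdict(NO_MODULES_CFG, False, 0))
    print(explain_errno(errno.ENOSYS))
    print(live_probe())
```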

lkspencer said:
OK, to follow up to my previous post...I built a simple module and tried to load it using insmod which fired off an error about Function not implemented. So modules are definitely disabled for our kernel (turns out there's a much easier way to tell this, ::facepalm:: ). I guess insmod and modprobe are included despite the kernel config being set to not support modules. Sorry, I know this is repeat info for more experienced devs.
I'm going to leave this one alone, but I'm interested to learn more about the process as jeboo and other devs work on the GS4 solution.
I didn't want to say anything but... Sorry, I want it as much as anyone else.
Sent from my SM-N900V using Tapatalk

MJE kernel patched the exploit for you guys, sorry, and I'm not just saying that, I know this from personally looking at the kernel source and the patch for the exploit. I tried forever to get you guys saferoot. The interesting thing is that kingo still gets root for you guys with an as of yet undiscovered exploit..
Sent from my SCH-I545 using XDA Premium 4 mobile app

Brandonrz said:
I didn't want to say anything but... Sorry, I want it as much as anyone else.
Sent from my SM-N900V using Tapatalk
That's ok, it was a good learning experience for me. I've got quite a bit to learn for this stuff. I'm a developer by trade, but this is a different ball field for me.
Surge1223 said:
MJE kernel patched the exploit for you guys, sorry, and I'm not just saying that, I know this from personally looking at the kernel source and the patch for the exploit. I tried forever to get you guys saferoot. The interesting thing is that kingo still gets root for you guys with an as of yet undiscovered exploit..
Sent from my SCH-I545 using XDA Premium 4 mobile app
So since I am still on MI9 I can still use this exploit right? Is it possible to use it to make some kind of rootkit? I don't know to what end, just asking to learn.

lkspencer said:
That's ok, it was a good learning experience for me. I've got quite a bit to learn for this stuff. I'm a developer by trade, but this is a different ball field for me.
So since I am still on MI9 I can still use this exploit right? Is it possible to use it to make some kind of rootkit? I don't know to what end, just asking to learn.
Honestly I don't know if it was MJE. It was whatever was the latest Samsung open source kernel they released at the time. We tested on the dev MJ3 kernel as well and that didn't work. But you have to edit the source with your kernel's info. I'd say if your output from cat /proc/version is early Oct or before then maybe.

Related

Bootloader Partially Locked?

I noticed that the community has not successfully made a kernel that works without doing a boot-loop. Could it be possible that there is an eFuse-type security measure, like the Droid 2 and X, that prevents users from loading custom kernels that Verizon implemented? That's the only explanation I can think of why we are having issues with our Galaxy versus other carriers' versions.
Sent from my SCH-I500 using XDA App
Samsung gave us a BUNK defconfig
the bootloader's not locked, kernel isn't signed
I've got a working kernel that boots, but the accelerometer is screwed up
jt1134 said:
Samsung gave us a BUNK defconfig
the bootloader's not locked, kernel isn't signed
I've got a working kernel that boots, but the accelerometer is screwed up
Sorry for my next noobish question but has anybody sent an email to Samsung about getting a fixed source code or is it pointless until 2.2 drops?
Sent from my SCH-I500 using XDA App
pointless? I guess that depends on who you ask. But yes, Samsung has received much electronic mail from smartphone enthusiasts over the past few weeks.
jt1134 said:
pointless? I guess that depends on who you ask. But yes, Samsung has received much electronic mail from smartphone enthusiasts over the past few weeks.
I will talk to my Samsung rep to see if there is anybody I could escalate this to in their North America branch to get this fixed, but highly unlikely though.
Sent from my SCH-I500 using XDA App
@Jt
I will be back on IRC tomorrow, but I have the accelerometer fixed on my kernel, just no wifi, bluetooth or sound still. Have you found a fix for any of these, or are you still using my config?
AFAICT everything works now. I started with your config as a base
jt1134 said:
AFAICT everything works now. I started with your config as a base
This is good news, no?
Very nice gang.. I will block off some time for sure to stop in and see what's shakin' this evening..
Dirrk.. what initramfs are you using? I was able to compile with yamaha_b5 and your ramdisk, then I got the no sound/orientation/etc.. However it seems when JT compiles, he uses koush's ramdisk, and gets sound (orientation still off).
If I compile with b5_yamah + koush ramdisk (from his git), Odin fails to flash every time. If I switch back to your ramdisk, odin flashes, kernel boots, etc..
Sounds like you guys are making some good progress. Thanks for your hard work. Can't wait to be able to overclock this sucker.
jt1134 said:
AFAICT everything works now. I started with your config as a base
Are you using a different ramdisk to get it fixed as mentioned below v
namebrandon said:
Very nice gang.. I will block off some time for sure to stop in and see what's shakin' this evening..
Dirrk.. what initramfs are you using? I was able to compile with yamaha_b5 and your ramdisk, then I got the no sound/orientation/etc.. However it seems when JT compiles, he uses koush's ramdisk, and gets sound (orientation still off).
If I compile with b5_yamah + koush ramdisk (from his git), Odin fails to flash every time. If I switch back to your ramdisk, odin flashes, kernel boots, etc..
Can you send me koush's ramdisk. I have been out of town working for the past few days
Dirrk said:
Can you send me koush's ramdisk. I have been out of town working for the past few days
Maybe JT or someone at a linux box can tar it up if you need it as an archive.. I don't have any git software here at work..
http://github.com/koush/fascinate_initramfs
namebrandon said:
Maybe JT or someone at a linux box can tar it up if you need it as an archive.. I don't have any git software here at work..
http://github.com/koush/fascinate_initramfs
Thanks man, wow, after rereading your OP it says it's on koush's git lol
Quick question, I've gotten ROM building down with CWM and Amon Ra, but now I want to dabble in kernel modding, so I want to get a general preference on where everybody started at.
Sent from my SCH-I500 using XDA App

S4 Kexec Support (Help needed) ..

Folks,
While I was reading the Safestrap discussion thread in the Development area, I came across this post from Hashcode:
http://forum.xda-developers.com/showpost.php?p=46202168&postcount=430
He indicated that he needs help getting around the kernel module verification system for possibility of Kexec. I thought I would bring this up here in case anyone that knows about the S4 kernels may not be frequenting the Safestrap threads. If ANYONE can help Hashcode, please let him know. I know if I had the knowledge for kernels, I would be all over this helping him.
I thought this was a good place to get this seen as some may not have seen his post buried in the dev. thread for SS.
Thanks!!!
roboots21 said:
Folks,
While I was reading the Safestrap discussion thread in the Development area, I came across this post from Hashcode:
http://forum.xda-developers.com/showpost.php?p=46202168&postcount=430
He indicated that he needs help getting around the kernel module verification system for possibility of Kexec. I thought I would bring this up here in case anyone that knows about the S4 kernels may not be frequenting the Safestrap threads. If ANYONE can help Hashcode, please let him know. I know if I had the knowledge for kernels, I would be all over this helping him.
I thought this was a good place to get this seen as some may not have seen his post buried in the dev. thread for SS.
Thanks!!!
I'm taking the stock developer edition kernel apart now. I don't know how Hash's kexec works: is he trying to hijack the kernel, load before the kernel or load after? I know how the S4 kernels work, but I guess in my mind I assume Hash already knows anything that I do.
Surge1223 said:
I'm taking the stock developer edition kernel apart now. I don't know how Hash's kexec works: is he trying to hijack the kernel, load before the kernel or load after? I know how the S4 kernels work, but I guess in my mind I assume Hash already knows anything that I do.
To be clear, I can work on the kexec stuff. I need a bypass for the module sha1sum check in the stock kernel. Can't load the kexec modules with that in place.
Hashcode
Keep up by the good work.
I don't know much about the kernel stuff, but maybe you could disguise the kexec module as the original sha1 sum. Basically tricking the system into thinking everything is normal?
Sent from my GT-I9505G using xda app-developers app
Hashcode let me know if there is anything I can help with. Im going to download the kernel source and see if I can find anything
Sent from my GT-N5110 using XDA Premium 4 mobile app
Jraider44 said:
I don't know much about the kernel stuff, but maybe you could disguise the kexec module as the original sha1 sum. Basically tricking the system into thinking everything is normal?
The SHA-1 hash attached to the module is a keyed hash. It uses a private key that Samsung owns and hopefully carefully protects. That key is used to sign the module. The resulting hash demonstrates both that the file comes from Samsung and that it hasn't been tampered with.
You could try to figure out a way to alter the new binary so that the hash still verifies, but that's a very difficult thing to do, where "very difficult" means firing up a few million computers for thousands of years to try to find a collision.
That's why hashcode is looking for a way to bypass the signature verification. That's much more likely to be practical.
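The post above describes the module check as a keyed SHA-1 hash that proves both origin and integrity. This added example (not Samsung's lkmauth code or anything from the thread) models such a verifier with HMAC-SHA1 over a constructed module image with the 20-byte tag appended, and shows why modifying the body, re-tagging with a guessed key, or substituting a plain sha1sum all fail verification; the container layout and the key are assumptions made for the example.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes of keyed hash at the end of the image

# Constructed stand-in for the vendor's signing key. On a real device the verifier
# holds the key material and the person modifying a module never sees it.
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"


def sign_module(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Return image || HMAC-SHA1(key, image), what a vendor build step would emit."""
    tag = hmac.new(key, image, hashlib.sha1).digest()
    return image + tag


def verify_module(signed: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Recompute the keyed hash over the body and compare it in constant time."""
    if len(signed) <= TAG_LEN:
        return False  # nothing but a tag (or less): cannot be a valid module
    body, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)


def patch_byte(blob: bytes, offset: int, value: int) -> bytes:
    """Change one byte of the blob, simulating a modified stock module."""
    out = bytearray(blob)
    out[offset] = value
    return bytes(out)


def demo() -> dict:
    # Constructed sample "module": an ELF-looking magic plus filler bytes.
    module = b"\x7fELF" + b"\x01\x01\x01\x00" + b"fake module body " * 8
    genuine = sign_module(module)
    # Body changed at offset 16, tag left as shipped: keyed hash no longer matches.
    tampered = patch_byte(genuine, 16, 0x41)
    # Body re-tagged under a guessed key: fails because the key is wrong,
    # which is why brute force would have to target the key, not the hash.
    forged = sign_module(module, b"guessed-key")
    # Plain (unkeyed) SHA-1 of the body, as sha1sum would compute it: also rejected.
    unkeyed = module + hashlib.sha1(module).digest()
    return {
        "genuine": verify_module(genuine),
        "tampered": verify_module(tampered),
        "forged_wrong_key": verify_module(forged),
        "plain_sha1": verify_module(unkeyed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-17s %s" % (name, "verifies" if ok else "REJECTED"))
```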
Hashcode said:
To be clear, I can work on the kexec stuff. I need a bypass for the module sha1sum check in the stock kernel. Can't load the kexec modules with that in place.
Hash, to be clear, you essentially need an entire boot.img bypass exploit since aboot checks both the ramdisk and the zImage, correct? And are you planning to use the boot.img Linux kernel and not the recovery kernel, or both?
Sent from my SCH-I545 using xda app-developers app
Surge1223 said:
Hash, to be clear, you essentially need an entire boot.img bypass exploit since aboot checks both the ramdisk and the zImage, correct? And are you planning to use the boot.img Linux kernel and not the recovery kernel, or both?
Sent from my SCH-I545 using xda app-developers app
That would work (ie, loki) or a kernel memory overwrite vulnerability is needed to patch the verification function.
jeboo said:
That would work (ie, loki) or a kernel memory overwrite vulnerability is needed to patch the verification function.
What if we just brute forced Samsung's signing key? I know that would take A LONG TIME to try and crack that algorithm, but I bet we all can donate CPU cycles for the project. I have about 3 computers running that can help.
(well, that depends if it's possible to bruteforce a SHA1 check.)
tommydrum said:
What if we just brute forced Samsung's signing key? I know that would take A LONG TIME to try and crack that algorithm, but I bet we all can donate CPU cycles for the project. I have about 3 computers running that can help.
(well, that depends if it's possible to bruteforce a SHA1 check.)
I've temporarily gotten the Dev. recovery to flash but haven't been able to repeat the procedure as of yet. Hopefully I wasn't hallucinating. Have been trying to repeat the result for the last 3 days...
Surge1223 said:
I've temporarily gotten the Dev. recovery to flash but haven't been able to repeat the procedure as of yet. Hopefully I wasn't hallucinating. Have been trying to repeat the result for the last 3 days...
Oh I hope you weren't hallucinating either.. that would be really cool if that worked
tommydrum said:
Oh I hope you weren't hallucinating either.. that would be really cool if that worked
It would be way more than cool, if you have any idea of the implications it would have.
Sent from my SCH-I545 using xda app-developers app
jeboo said:
That would work (ie, loki) or a kernel memory overwrite vulnerability is needed to patch the verification function.
Yep, I was thinking of a kernel memory exploit to overwrite the verification function or the keyed hash memory.
Hashcode said:
Yep, I was thinking of a kernel memory exploit to overwrite the verification function or the keyed hash memory.
That'll work
Just keep in mind, a few of us are willing to donate computer power on cracking that sum if you ever want to hack up a small program/script to work on that.
Again, good work on safestrap, very "outside the box" thinking there
tommydrum said:
That'll work
Just keep in mind, a few of us are willing to donate computer power on cracking that sum if you ever want to hack up a small program/script to work on that.
Again, good work on safestrap, very "outside the box" thinking there
I am more than willing to donate SEVERAL computers worth of power...happy to help in any way I can.
Dollyllama said:
I am more than willing to donate SEVERAL computers worth of power...happy to help in any way I can.
I'll be more than willing to do the same.
Sent from my SCH-I545 using xda app-developers app
You know what would actually help? If we had people post what they had reverse engineered from the kernels so far. All this stuff is so tedious
Sent from my cm_tenderloin using xda app-developers app
Surge1223 said:
You know what would actually help? If we had people post what they had reverse engineered from the kernels so far. All this stuff is so tedious
Sent from my cm_tenderloin using xda app-developers app
Well, the kernel is open src, so exploits can be found there. I guess if you're trying to find a vuln in a driver, then you would need to do some reverse engineering.
Sent from my SAMSUNG-SGH-I337 using xda app-developers app
jeboo said:
Well, the kernel is open src, so exploits can be found there. I guess if you're trying to find a vuln in a driver, then you would need to do some reverse engineering.
Sent from my SAMSUNG-SGH-I337 using xda app-developers app
Trying to see if there are any locations calling the kernel that can be exploited. I'm not a pro with IDA either, so it usually takes me a while to get useful info out of it.
Sent from my SCH-I545 using xda app-developers app
jeboo said:
Well, the kernel is open src, so exploits can be found there. I guess if you're trying to find a vuln in a driver, then you would need to do some reverse engineering.
Sent from my SAMSUNG-SGH-I337 using xda app-developers app
Basically what Hash is trying to do is find some exploit to get away with installing a modified kernel with his kexec mod... the exploit will lie in the verifications the bootloader does (SHA1 checks) on the kernel. Hash specifically wants to find a glitch before the kernel checks, to be able to modify the outcome of the check. He wants it to always impersonate a legit kernel, even if it's not.

[MOD][DEV] Enable Insecure modules on NC5 and NC1

Works on VZW and AT&T latest 4.4 kernels
Directions:
1. Flash zip
2. Open terminal and type
Code:
su
modload
Insert a compiled and compatible module using insmod, and confirm it loaded using lsmod.
Download
Here's a zip of modules that work with NC5 and NC1 most made by yours truly.
https://www.dropbox.com/s/mpyeju0082c6f9m/modules.zip?dl=0
Thanks to @jeboo for the original exploit, this is his exploit but using a different method of writing over memory.
If you don't know the purpose of this then don't download.
Totally don't know the purpose and not too worried, but thanks Surge for not forgetting about us over here.
Nice work, very useful.
Nice job! Will the Safestrap you're working on with kexec be posted here?
Sent from my OtterX using Tapatalk
Surge1223 said:
If you don't know the purpose of this then don't download.
I don't know the purpose of this but I am curious as to what it's for anyway lol
Would this allow us to install safestrap? or a real recovery install? or something completely different?
RandumAccess said:
I don't know the purpose of this but I am curious as to what it's for anyway lol
Would this allow us to install safestrap? or a real recovery install? or something completely different?
It will allow us to flash insecure modules using Safestrap.. I am not a dev, but trying to answer from what I understand of kexec: insecure modules will be compiled with the stock kernel and then flashed so we can flash AOSP ROMs. Correct me, I know I am wrong somewhere.. lol
So I've gotten quite a few messages about this asking what it does and what it's for etc. This does the same thing bypasslkm does (this is a reimplementation of bypasslkm for NC5 and NC1). You guys can read the bypasslkm thread over in AT&T S4 dev thread by jeboo to learn more.
If you have trouble getting wifi to work on a custom ROM though, this will allow the wifi module to load. I wanted to avoid having to say that so every Tom, **** and Harry doesn't rush in here to ask why wifi won't work on so and so's ROM and why this didn't fix it.
Will this allow AOSP or unlock your bootloader? No, it will not.
Will it allow you to load modules that are compatible? Yes it will. Granted you know how to load modules (if not, Google insmod)
Surge1223 said:
So I've gotten quite a few messages about this asking what it does and what it's for etc. This does the same thing bypasslkm does (this is a reimplementation of bypasslkm for NC5 and NC1). You guys can read the bypasslkm thread over in AT&T S4 dev thread by jeboo to learn more.
If you have trouble getting wifi to work on a custom ROM though, this will allow the wifi module to load. I wanted to avoid having to say that so every Tom, **** and Harry doesn't rush in here to ask why wifi won't work on so and so's ROM and why this didn't fix it.
Will this allow AOSP or unlock your bootloader? No, it will not.
Will it allow you to load modules that are compatible? Yes it will. Granted you know how to load modules (if not, Google insmod)
So does this mean we will be able to load 4.4.4 Touchwiz Roms, without changing our bootloader?
Sent from my OtterX using Tapatalk
joshuabg said:
So does this mean we will be able to load 4.4.4 Touchwiz Roms, without changing our bootloader?
Sent from my OtterX using Tapatalk
No, but it also doesn't mean you can't. I haven't tried to boot a 4.4.4 rom so I have no idea if they fail due to module incompatibility.
I successfully loaded the fast charge module on stock NC5 just to play around. I recognize some of the modules you have in that zip you put together like scsi_wait_scan.ko, but I was just curious what some/most of the others do. For instance I googled like crazy to find out what fuvzw.ko was and found nothing. This seriously is some awesome work! Seems like a huge step to being open once again!
shag_on_e said:
I successfully loaded the fast charge module on stock NC5 just to play around. I recognize some of the modules you have in that zip you put together like scsi_wait_scan.ko, but I was just curious what some/most of the others do. For instance I googled like crazy to find out what fuvzw.ko was and found nothing. This seriously is some awesome work! Seems like a huge step to being open once again!
A lot of them don't do anything, they're just tests. Lol, fuvzw just creates a temp directory in /dev/fuvzw. State.ko just adds a funny message if you type cat /proc/state in terminal. sysctbl.ko finds the system call table, etc. I just put them in to show that custom modules do load.
Surge1223 said:
No, but it also doesn't mean you can't. I haven't tried to boot a 4.4.4 rom so I have no idea if they fail due to module incompatibility.
I tried to boot a 4.4.4 ROM with the zip and modules, with wiping, and it didn't boot.. Went to the screen showing unsupported software.
ITR218 said:
I tried to boot a 4.4.4 ROM with the zip and modules, with wiping, and it didn't boot.. Went to the screen showing unsupported software.
Was it a touchwiz based rom? What Safestrap did you use?
joshuabg said:
Was it a touchwiz based rom? What Safestrap did you use?
It was [ROM] KTU84Q [AOSP] 【4.4.4】Dan&Ktoonsez 【CM (final) 09-16-2014】v using safestrap KTLEVZN-NCG-3.75
ITR218 said:
It was [ROM] KTU84Q [AOSP] 【4.4.4】Dan&Ktoonsez 【CM (final) 09-16-2014】v using safestrap KTLEVZN-NCG-3.75
That is an AOSP ROM. It will not work unless it is modified to work with Safestrap or kexec is implemented in Safestrap. What phone are you using?
I was trying to say that we may be able to get a 4.4.4 TouchWiz based ROM to work.
joshuabg said:
That is an AOSP ROM. It will not work unless it is modified to work with Safestrap or kexec is implemented in Safestrap. What phone are you using?
I was trying to say that we may be able to get a 4.4.4 TouchWiz based ROM to work.
Honestly I just realized that information about the AOSP ROM I'm running: the Eclipse S4 TW - v4.0.2 (6/25/14) - Real AOSP styling!! KitKat has arrived! This has been my favorite ROM so far, as I just got the S4 I545 and had the S3 that was rooted and unlocked. I may try a TouchWiz 4.4.4 ROM; any suggested ROM?
Just curious (and if this is a dumb question sorry in advance)... but how far off does this make us from having KEXEC on the S4 running say NC5?
AngryManMLS said:
Just curious (and if this is a dumb question sorry in advance)... but how far off does this make us from having KEXEC on the S4 running say NC5?
I believe it's in the general section, but Surge has made a post called "If we are serious about unlocking the bootloader" and some pages into it he tells that he is starting to get kexec on the S4 and S5. I believe he is close, haven't checked in a while.
bamige1 said:
I believe it's in the general section, but Surge has made a post called "If we are serious about unlocking the bootloader" and some pages into it he tells that he is starting to get kexec on the S4 and S5. I believe he is close, haven't checked in a while.
Yeah, I've been following that thread. I just was unsure of how close/far away things are with these insecure modules, so I felt it was better to ask. Hopefully the kexec work on the S4/S5 can also be helpful on the Note 3. I know @hsbadr has been making some progress on things with the VZW Note 3, so we'll see.

[Kernel] BeastMode Modified Stock 1.1 for SM-N915W8 (Canadian Note Edge)

Here's a kernel for the Canadian variant of the Note Edge with root support, init.d, and added TCP Congestion methods via defconfig and ramdisk edits.
Prereq:
-Have a means to get back to stock software. This includes an Odin flashable TAR or a recovery flashable ROM.
-Make sure you have a BACKUP! I cannot stress this enough. While I am certain you won't run into any trouble with the kernel, it's always good to have a backup of your system (including kernel [boot in TWRP]) beforehand.
Instructions:
-Download SuperSU beta from here
-Download the kernel: BeastMode 1.1 for the Galaxy Note Edge (Canada, SM-N915W8)
Place both the kernel and SuperSU beta onto your internal or external storage.
Reboot into TWRP.
Flash kernel.
Flash SuperSU.
Reboot and profit.
-Have a bit of knowledge about how to restore your system and what this root-enabled kernel will provide. I won't be able to reply to PMs asking me questions. You should know a bit about what you're doing before you do it.
Source code: This uses the Sprint source code, which is available in the Stockish ROM thread.
I'll test for you, I'm going to the docs now but when I get home I'll gladly be the guinea pig (currently have not taken the 5.1.1 update) I understand you may not have the answer(s) to the following questions but I'm just wondering the following: does/will the unofficial Xposed mod work with 5.1.1, will/does ViPER4Android work on 5.1.1, is your kernel selinux-Permissive (?), other than that I'm confident that you and I can overcome/workaround "noob" situations, (I have my edge working perfectly right now but I'm not only doing this for me it's our whole small community (SM-N915P), I'll be losing access to Emotion kernel (totally am not happy about that), but anyway before I take the update is it at all possible to just flash the 5.1.1 modem, firmware, etc (and as long as my bootloader remains at 5.0.1 I can ODIN back or did samsung destroy that luxury for us too)
dinaps86 said:
I'll test for you, I'm going to the docs now but when I get home I'll gladly be the guinea pig (currently have not taken the 5.1.1 update) I understand you may not have the answer(s) to the following questions but I'm just wondering the following: does/will the unofficial Xposed mod work with 5.1.1, will/does ViPER4Android work on 5.1.1, is your kernel selinux-Permissive (?), other than that I'm confident that you and I can overcome/workaround "noob" situations, (I have my edge working perfectly right now but I'm not only doing this for me it's our whole small community (SM-N915P), I'll be losing access to Emotion kernel (totally am not happy about that), but anyway before I take the update is it at all possible to just flash the 5.1.1 modem, firmware, etc (and as long as my bootloader remains at 5.0.1 I can ODIN back or did samsung destroy that luxury for us too)
Hah, great questions, and let me start out by saying..... I made a huge noob mistake :'(
Xposed doesn't work with touchwiz on 5.1.1..... yet (I didn't bother reading before I got excited about 5.1.1 on the Note 4)
Not sure if Viper works
On the Note 4, you cannot downgrade at all after taking 5.1.1 (made that mistake when I was on a downgradeable bootloader and KitKat...)
I'm currently using CM because I cannot use touchwiz without Xposed and I cannot fathom using this phone without my modules.
So yeah, I went from the perfect phone ......to crap. I wish we still had someone providing leaks. An engineering bootloader would probably solve all of this.
I would love to test it but not ready til they get xposed working first
I'll test it, PM link pls
Hi Freeza, I'll like to test the Kernel. Thanks.
Thanks Freeza...testing now.
Freeza, I test the kernel
So far I've had 3 random phone reboots.
i want to test it ...
---------- Post added at 11:49 AM ---------- Previous post was at 11:37 AM ----------
can anyone provide me the link ?
Tester on 5.1.1 here
Sent from my SM-N915P using XDA Premium HD app
where is the link for beta kernel ?
I would be willing to test.
freeza said:
Hah, great questions, and let me start out by saying..... I made a huge noob mistake :'(
Xposed doesn't work with touchwiz on 5.1.1..... yet (I didn't bother reading before I got excited about 5.1.1 on the Note 4)
Not sure if Viper works
On the Note 4, you cannot downgrade at all after taking 5.1.1 (made that mistake when I was on a downgradeable bootloader and KitKat...)
I'm currently using CM because I cannot use touchwiz without Xposed and I cannot fathom using this phone without my modules.
So yeah, I went from the perfect phone ......to crap. I wish we still had someone providing leaks. An engineering bootloader would probably solve all of this.
@freeza: Thanks for responding to our request to mod the Edge kernel. I'm with you--I can't use the phone without Xposed. Here's to hoping that Xposed will support TW LP 5.1.1 soon....
Hi Freeza.... Appreciate your work in providing a test kernel for 5.1.1 and root, and I am more than willing to test it out. I am a very long time phone tester and have never permanently bricked a phone, proud to say. :good:
freeza said:
Hah, great questions, and let me start out by saying..... I made a huge noob mistake :'(
Xposed doesn't work with touchwiz on 5.1.1..... yet (I didn't bother reading before I got excited about 5.1.1 on the Note 4)
Not sure if Viper works
On the Note 4, you cannot downgrade at all after taking 5.1.1 (made that mistake when I was on a downgradeable bootloader and KitKat...)
I'm currently using CM because I cannot use touchwiz without Xposed and I cannot fathom using this phone without my modules.
So yeah, I went from the perfect phone ......to crap. I wish we still had someone providing leaks. An engineering bootloader would probably solve all of this.
Hey freeza, do you mind messaging me that kernel? I just want to extract it and compare it to the Emotion kernel and the stock 5.0.1 kernel.
Hey freeza. As I'm testing out root on a Note Edge on 5.1.1 myself I've come across something that may be of note to you. I've gotten permissive SELinux and root. But the baseband is unknown, the phone gets no signal, and it reboots after about a minute of being booted into android. I've tracked it down to the TIMA RKP settings but that's as far as I've gotten. Hope this gives you some tips on where to look to iron out any issues you come across. If I solve the issue beforehand I'll post back.
I want Test it..
Freeza,
And testers, just wanted to see what the status is and if this kernel will help. I'm getting worried about being 2 updates behind, especially when one is the Stagefright fix.
I'm in a tricky place, as I need my phone rooted for work, but can't keep a vulnerability like that open...
Does this kernel work?
Thanks,
Adan
Sent from my SM-N915P using XDA Free mobile app
would like to test
would like to test

[DEV][EXYNOS][Discussion] Kernel 80% bug and other samsung "features"

Hey,
I've been thinking about starting development of a kernel on S8+, but I've heard that there are issues such as charge not going above 80% and some other stuff I don't even remember anymore but I did read about it.
Can somebody point me to patch to allow over 80% charge with tripped knox or is this issue non existent with latest source?
What other things would I need to do to have a kernel working just like stock minus knox features?
How would I go about "deknoxing" kernel?
How can I trick kernel to say that knox isn't tripped?
Sorry if that's not the right section, but I couldn't really find a better place to ask this while getting a good amount of replies. If this isn't the right section, mods, please move it. First Samsung device I've ever owned, so I'm stepping into new grounds for me as well.
olokos said:
Hey,
I've been thinking about starting development of a kernel on S8+, but I've heard that there are issues such as charge not going above 80% and some other stuff I don't even remember anymore but I did read about it
Can somebody point me to patch to allow over 80% charge with tripped knox or is this issue non existent with latest source?
What other things would I need to do to have a kernel working just like stock minus knox features?
How would I go about "deknoxing" kernel?
How can I trick kernel to say that knox isn't tripped?
Sorry if that's not the right section, but I couldn't really find a better place to ask this while getting a good amount of replies. If this isn't the right section, mods, please move it. First Samsung device I've ever owned, so I'm stepping into new grounds for me as well.
I'm not 100% convinced it's in the kernel. Merely swapping the abl.elf combo with the stock one, your device refuses to boot but will charge to 100%. This happens when I have the combo boot.img and the stock abl, so.
On everything for SD, it can be stock firmware except abl, devcfg, recovery, and boot. This is how I package my firmware for both my samfail installs and my "just better firmware" standalone.
Basically, unless you have Samsung's private key, you won't be making kernels that solve that problem for the people for whom it matters.
Oh, and answering the patch question: nothing in their released kernel source has anything on this. And whatever abl is, it's closed source and looks encrypted, so we haven't gotten far in that direction either.
olokos said:
Hey,
I've been thinking about starting development of a kernel on S8+, but I've heard that there are issues such as charge not going above 80% and some other stuff I don't even remember anymore but I did read about it.
Can somebody point me to patch to allow over 80% charge with tripped knox or is this issue non existent with latest source?
What other things would I need to do to have a kernel working just like stock minus knox features?
How would I go about "deknoxing" kernel?
How can I trick kernel to say that knox isn't tripped?
Sorry if that's not the right section, but I couldn't really find a better place to ask this while getting a good amount of replies. If this isn't the right section, mods, please move it. First Samsung device I've ever owned, so I'm stepping into new grounds for me as well.
It all depends on what S8+ model you have, to better answer your question. The Snapdragon version in the USA has locked bootloaders, so we can't use custom kernels. The kernel we are forced to use is a factory kernel that has SELinux set to permissive on boot. This allows security to be relaxed enough for root to work. On the Exynos version, they have unlocked bootloaders; they can flash custom kernels and recovery.
I'm talking about exynos version. Is 80% battery bug related only to snapdragon devices?
I know that I can't get knox back, that's due to efuse popping the moment we trip knox, I was just talking about faking it in download mode etc.
Yeah, 80% is rooted US Snapdragon S8/S8+ right now. Maybe part abl.elf, part boot.img responsible; abl may start it and hands the baton to sbin healthd binary, which then utilizes the inbuilt scaling of the kernel battery driver.
---------- Post added at 04:14 PM ---------- Previous post was at 03:42 PM ----------
The funny thing is I would never have purchased an S8+ if US carrier ones were Exynos, because Exynos doesn't perform as well in truly custom ROMs due to Samsung not releasing Exynos source code--or so I've heard. Kind of ironic, I guess: purchase something that would perform better in truly custom ROMs for that very reason, but soon discover it is completely unable to be utilized with any truly custom ROM!
olokos said:
I'm talking about exynos version. Is 80% battery bug related only to snapdragon devices?
I know that I can't get knox back, that's due to efuse popping the moment we trip knox, I was just talking about faking it in download mode etc.
Knox status can somewhat be hidden in the rom, but download mode can't be fooled. It checks by sending voltage to the efuse, and it knows what it should be.
MrSteelX said:
Knox status can somewhat be hidden in the rom, but download mode can't be fooled. It checks by sending voltage to the efuse, and it knows what it should be.
What do you mean? What does misrepresenting 0x1 in download mode help with?
You can absolutely fool download mode, and as it turns out it's not very smart at all.
Samfail will forever be proof of that.
partcyborg said:
What do you mean? What does misrepresenting 0x1 in download mode help with?
You can absolutely fool download mode, and as it turns out it's not very smart at all.
Samfail will forever be proof of that.
It helps with nothing apart from the looks. I've also heard that in some service centers they just check it like that, and based on this they tell you if you still have warranty or not, so why not?
Question is how to fake it or where's the code regarding this located.
jhofseth said:
Yeah, 80% is rooted US Snapdragon S8/S8+ right now. Maybe part abl.elf, part boot.img responsible; abl may start it and hands the baton to sbin healthd binary, which then utilizes the inbuilt scaling of the kernel battery driver.
---------- Post added at 04:14 PM ---------- Previous post was at 03:42 PM ----------
The funny thing is I would never have purchased an S8+ if US carrier ones were Exynos, because Exynos doesn't perform as well in truly custom ROMs due to Samsung not releasing Exynos source code--or so I've heard. Kind of ironic, I guess: purchase something that would perform better in truly custom ROMs for that very reason, but soon discover it is completely unable to be utilized with any truly custom ROM!
Exynos variants are the ones with an unlocked bootloader and sources; there we now have an AOSP ROM under alpha development and custom ROMs.
Sent from my SM-N950F using Tapatalk
jhofseth said:
Yeah, 80% is rooted US Snapdragon S8/S8+ right now. Maybe part abl.elf, part boot.img responsible; abl may start it and hands the baton to sbin healthd binary, which then utilizes the inbuilt scaling of the kernel battery driver.
---------- Post added at 04:14 PM ---------- Previous post was at 03:42 PM ----------
The funny thing is I would never have purchased an S8+ if US carrier ones were Exynos, because Exynos doesn't perform as well in truly custom ROMs due to Samsung not releasing Exynos source code--or so I've heard. Kind of ironic, I guess: purchase something that would perform better in truly custom ROMs for that very reason, but soon discover it is completely unable to be utilized with any truly custom ROM!
Well, you heard incorrectly. Android/touchwiz are based off the Linux kernel. The Linux kernel is licensed under the GPL, and the GPL (GNU Public License) makes providing the source code for any project making use of GPL'd software mandatory.
Technically they don't have to give the source away for free, but given the GPL, anyone who purchased it could then offer it for free legally. Samsung's hands are tied when it comes to this. Companies have been taken to court by the FSF/EFF and lost in the past.
Sure, they could hire a team of lawyers and fight it for years, but at the cost of losing whatever credibility they have left with the Android community.
Also, what "sources" do you speak of? Kernel source? That's been out for ages. "Drivers"? Part of the Linux kernel, see above.
Do you mean some kind of touchwiz UI toolkit? Most custom roms don't do TW anyway and AOSP is wide open, so I'm not sure why that would matter a lot.
From what I've heard defconfig changes are enough to do "deknoxing".
What about faking knox status? How would I go about faking it in kernel itself?
maybe outdated link
partcyborg said:
Well, you heard incorrectly. Android/touchwiz are based off the Linux kernel. The Linux kernel is licensed under the GPL, and the GPL (GNU Public License) makes providing the source code for any project making use of GPL'd software mandatory.
Technically they don't have to give the source away for free, but given the GPL, anyone who purchased it could then offer it for free legally. Samsung's hands are tied when it comes to this. Companies have been taken to court by the FSF/EFF and lost in the past.
Sure, they could hire a team of lawyers and fight it for years, but at the cost of losing whatever credibility they have left with the Android community.
Also, what "sources" do you speak of? Kernel source? That's been out for ages. "Drivers"? Part of the Linux kernel, see above.
Do you mean some kind of touchwiz UI toolkit? Most custom roms don't do TW anyway and AOSP is wide open, so I'm not sure why that would matter a lot.
https://www.xda-developers.com/samsung-exynos-and-aosp-explained-a-story-of-betrayal/
This is probably outdated now. In the past Samsung has done stuff like say they could choose GPL or BSD and choose BSD.
jhofseth said:
https://www.xda-developers.com/samsung-exynos-and-aosp-explained-a-story-of-betrayal/
This is probably outdated now. In the past Samsung has done stuff like say they could choose GPL or BSD and choose BSD.
Yea, that really sucks that they pull that ****. Unfortunately the EFF/FSF are the only organizations that have the resources necessary to successfully prosecute a GPL violation case. It's been done before, but it's costly and time consuming, so I think it's typically a method of last resort. So when these companies drag their feet they get away with it, as they publish something eventually, and it's hard to conclusively prove it's not complete unless something glaringly obvious is missing. Usually what gets put out is at least enough to build a pure OSS implementation.
Fun fact: the SN-G950U kernel source as published by Samsung doesn't even compile as is :laugh: there are silly syntax/include errors in a few places. There is also a zip file inside that looks to be another copy of at least part of the kernel source with VZW in its name, but the actual zipfile is corrupted lol. It's too bad that there aren't requirements on how it gets released, just that the code is somehow available.
Q: Can somebody point me to patch to allow over 80% charge with tripped knox or is this issue non existent with latest source?
A: This is only on Snapdragon variants. Due to the locked BL you can't even use a custom kernel.
Q: What other things would I need to do to have a kernel working just like stock minus knox features?
A: I don't understand this question. What would there be broken? You need a different libsecurestorage lib to fix WiFi/Hotspot + disable securestorage from default.prop & you need modded camera firmware files by geiti94 or jesec.
Other than that toolchains could break VoLTE (according to some other kernel devs), so stick to Google's 4.9 tc. You have enough kernels out there for the E8995 to see yourself what needs fixing (i.e. camera etc.).
Q: How would I go about "deknoxing" kernel?
A: Disable it from defconfig; tima, knox, rkp etc.
Q: How can I trick kernel to say that knox isn't tripped?
A: Use resetprop in the ramdisk with an init script that will fake the knox status into 0x0. Or just code it inside the cmdline of the kernel and don't worry about resetprop ever again.
Noxxxious said:
Q: Can somebody point me to patch to allow over 80% charge with tripped knox or is this issue non existent with latest source?
A: This is only on Snapdragon variants. Due to the locked BL you can't even use a custom kernel.
Q: What other things would I need to do to have a kernel working just like stock minus knox features?
A: I don't understand this question. What would there be broken? You need a different libsecurestorage lib to fix WiFi/Hotspot + disable securestorage from default.prop & you need modded camera firmware files by geiti94 or jesec.
Other than that toolchains could break VoLTE (according to some other kernel devs), so stick to Google's 4.9 tc. You have enough kernels out there for the E8995 to see yourself what needs fixing (i.e. camera etc.).
Q: How would I go about "deknoxing" kernel?
A: Disable it from defconfig; tima, knox, rkp etc.
Q: How can I trick kernel to say that knox isn't tripped?
A: Use resetprop in the ramdisk with an init script that will fake the knox status into 0x0. Or just code it inside the cmdline of the kernel and don't worry about resetprop ever again.
The above isn't quite true. The combination factory image results in a max 80% charge for all devices, including Exynos. The difference is that because the Exynos isn't bootloader locked, the permissive SELinux and dm-verity off for system aren't necessary for root like they are for Snapdragon.
For example, a root that does not trip Knox like SamFail will require using the combo rom which will be 80% max charge.
So 80% max or 0x1, you pick
Re: knox
I'm not sure what the above poster is referring to, but getting rid of knox with the combo kernel is as simple as changing a few build.prop lines and removing some system apps. Sure there are still files on the machine that have the word knox in them, but knox the security tool is completely gone, it does not even appear in your about phone section. Absolutely no other software or other functionality is affected. This is how every sampwnd and samfail root user has their device configured.
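A defender-side illustration of the signals the Q/A post and the reply above describe (Knox 0x0/0x1, permissive SELinux, dm-verity off on combination firmware): an added example, not code from the thread or from any project named in it. It parses a `getprop` dump and flags the combination the posts call out; the property names (`ro.boot.warranty_bit`, `ro.warranty_bit`, `ro.boot.selinux`, `ro.boot.veritymode`) are assumptions based on typical Samsung builds, and the dumps are constructed.

```python
"""Classify an Android device's root/trust posture from a `getprop` dump.

Added example, not from the thread. Property names are assumptions based on
typical Samsung builds; the sample dumps below are constructed, not captured.
"""
import re
from typing import Dict, List

# Constructed sample dumps (not real device output).
STOCK_DUMP = """\
[ro.boot.warranty_bit]: [0]
[ro.warranty_bit]: [0]
[ro.boot.selinux]: [enforcing]
[ro.boot.veritymode]: [enforcing]
[ro.boot.verifiedbootstate]: [green]
"""

# Untripped Knox, but permissive SELinux and dm-verity off: the combination
# (factory) kernel root the posts above describe.
COMBO_ROOT_DUMP = """\
[ro.boot.warranty_bit]: [0]
[ro.warranty_bit]: [0]
[ro.boot.selinux]: [permissive]
[ro.boot.veritymode]: [disabled]
"""

TRIPPED_DUMP = """\
[ro.boot.warranty_bit]: [1]
[ro.warranty_bit]: [1]
[ro.boot.selinux]: [enforcing]
[ro.boot.veritymode]: [enforcing]
"""

# The userspace copy of the bit was reset but the boot-time copy still says
# tripped: the two disagree, which a stock device never shows.
INCONSISTENT_DUMP = """\
[ro.boot.warranty_bit]: [1]
[ro.warranty_bit]: [0]
[ro.boot.selinux]: [enforcing]
"""

_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(dump: str) -> Dict[str, str]:
    """Turn `[key]: [value]` lines into a dict; malformed lines are skipped."""
    props: Dict[str, str] = {}
    for line in dump.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def assess_posture(dump: str) -> List[str]:
    """Return findings in a fixed order; an empty list means nothing suspicious."""
    p = parse_getprop(dump)
    findings: List[str] = []
    boot_bit = p.get("ro.boot.warranty_bit")
    user_bit = p.get("ro.warranty_bit")
    if boot_bit == "1" or user_bit == "1":
        findings.append("knox-tripped")
    if boot_bit is not None and user_bit is not None and boot_bit != user_bit:
        # Cheap consistency check: both props derive from the same boot value.
        findings.append("warranty-bit-mismatch")
    if p.get("ro.boot.selinux") == "permissive":
        findings.append("selinux-permissive")
    if p.get("ro.boot.veritymode") not in (None, "enforcing"):
        findings.append("dm-verity-off")
    # Untripped Knox plus relaxed SELinux/verity is the signature of a
    # combination-firmware root, not of a clean device.
    if boot_bit == "0" and user_bit == "0" and (
        "selinux-permissive" in findings or "dm-verity-off" in findings
    ):
        findings.append("combo-firmware-root-suspected")
    return findings


if __name__ == "__main__":
    for name, dump in [("stock", STOCK_DUMP), ("combo", COMBO_ROOT_DUMP),
                       ("tripped", TRIPPED_DUMP), ("mismatch", INCONSISTENT_DUMP)]:
        print(f"{name}: {assess_posture(dump) or ['clean']}")
```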
partcyborg said:
The above isn't quite true. The combination factory image results in a max 80% charge for all devices, including Exynos. The difference is that because the Exynos isn't bootloader locked, the permissive SELinux and dm-verity off for system aren't necessary for root like they are for Snapdragon.
For example, a root that does not trip Knox like SamFail will require using the combo rom which will be 80% max charge.
So 80% max or 0x1, you pick
Re: knox
I'm not sure what the above poster is referring to, but getting rid of knox with the combo kernel is as simple as changing a few build.prop lines and removing some system apps. Sure there are still files on the machine that have the word knox in them, but knox the security tool is completely gone, it does not even appear in your about phone section. Absolutely no other software or other functionality is affected. This is how every sampwnd and samfail root user has their device configured.
There is no choice in 80% max or 0x1 because OP wants to create a custom kernel, therefore no factory binary boot.img will be used that limits your cap.
Also the question states how to deknox the kernel and not the rom.
Noxxxious said:
There is no choice in 80% max or 0x1 because OP wants to create a custom kernel, therefore no factory binary boot.img will be used that limits your cap.
Also the question states how to deknox the kernel and not the rom.
Lol then there is no option at all for snapdragon, as custom kernels are not possible.
partcyborg said:
Lol then there is no option at all for snapdragon, as custom kernels are not possible.
Yep, the title of the thread states Exynos, so I dunno where all the Snapdragon talk came from.
Anyway, I hope that the OP knows enough now to start his journey. Good luck!
Noxxxious said:
Yep, the title of the thread states Exynos, so I dunno where all the Snapdragon talk came from.
Anyway, I hope that the OP knows enough now to start his journey. Good luck!
Lol what journey? As stated here these "features" don't exist
@partcyborg it's a nice way of saying that I can now start development as all my questions were answered by @Noxxxious
Cheers mate!
