Alright, so the root filesystem image is in /mnt/system/androidmerged.squashfs.secure
So do a temp root, copy to /mnt/storage, and then a adb pull gets it over.
The squashfs itself is offset by 256 bytes, so:
losetup -o 256 /dev/loop0 ./androidmerged.squashfs.secure
At this point, the FS can be mounted or unsquashfs can be used to extract it.
So, what's the first 256 bytes? The secure implies some type of signature, but what kind, and what else is in all those bytes?
I'm not feeling brave enough to try just grabbing the first 256 bytes and appending a modified squashfs image to it on my device just yet, but if others try please report back. (On both if it works, and if not what it takes to recover the unit.)
how big is it? can you upload it somewhere? (or would this be illegal?)
damm.. i need my 101!
chulri said:
how big is it? can you upload it somewhere? (or would this be illegal?)
damm.. i need my 101!
Click to expand...
Click to collapse
75 MB - uploading now
Edit: And up: http://hotfile.com/dl/88050103/f99f306/androidmerged.squashfs.secure.html
thx!
how would you replace the root fs image on the device?
chulri said:
how would you replace the root fs image on the device?
Click to expand...
Click to collapse
Connect via ADB, do a temproot, put the file in /mnt/storage, then copy it into /mnt/system overwriting the existing file. /mnt/storage is an ext3 filesystem mounted read/write, however I simply do not know if it will be possible to recover the unit if there is some kind of signature verification and we fail due to a modified image.
Again, someone braver then I should make this attempt and let us know how it goes.
The source did not give all that many hints, but I need to dig through in some more detail.
zelch said:
Connect via ADB, do a temproot, put the file in /mnt/storage, then copy it into /mnt/system overwriting the existing file. /mnt/storage is an ext3 filesystem mounted read/write, however I simply do not know if it will be possible to recover the unit if there is some kind of signature verification and we fail due to a modified image.
Again, someone braver then I should make this attempt and let us know how it goes.
The source did not give all that many hints, but I need to dig through in some more detail.
Click to expand...
Click to collapse
If the unit will still boot to recovery could a full wipe and reinstall of the base AOS over USB get it back up and running?
krohnjw said:
If the unit will still boot to recovery could a full wipe and reinstall of the base AOS over USB get it back up and running?
Click to expand...
Click to collapse
Recovery shouldn't be part of the FS so at worst, you'd have to do a format/firmware install.
You can do a full system wipe/format from recovery. it's not in any damageable storage by us without flashing a new recovery image.
Interesting about the front 256 bytes. It must be a signature. Not sure what good rebuilding the squashfs will do as it'll still be read only but it's a start. We could at least update the system properly and install the appropriate apps. Maybe in make some of the system dirs symlinks to writable locations possibly.
Permroot, giving us a filesystem mounted RW and not no-suid.
Ideally, I'd like to have decent support for the internal storage being ext3 without nosuid, but first we need to be able to replace the root filesystem image.
Other notes..
Looking at the hexdumps, the 256 byte chunk does not contain the start of the md5, sha1, sha224, sha256, sha384, or sha512 checksums.
The most troubling option which comes to mind is that it is the right size for a RSA 2048 bit block, hopefully not.
Anyone have ideas on how to find the initramfs image that the bootloader is feeding the kernel?
For that matter, has anyone tried taking apart the OS update images?
zelch said:
For that matter, has anyone tried taking apart the OS update images?
Click to expand...
Click to collapse
I think the aos file or the responsible installer/updater should give us a lot of information about how this stuff can be updated.
chulri said:
I think the aos file or the responsible installer/updater should give us a lot of information about how this stuff can be updated.
Click to expand...
Click to collapse
Agreed.
It looks like usr/bin/abcbox in the root filesystem has something to do with the update process.
zelch said:
Agreed.
It looks like usr/bin/abcbox in the root filesystem has something to do with the update process.
Click to expand...
Click to collapse
And it definitely is!
On a rooted device:
Code:
/usr/bin # PATH=$PATH:/tmp
/usr/bin # ln -s /usr/bin/abcbox /tmp/cramfschecker
/usr/bin # cramfschecker
USAGE: cramfschecker FILENAME
/usr/bin # cramfschecker /mnt/system/androidmerged.squashfs.secure
cramfschecker : check against 2.0.54
cramfschecker verification OK
Anyone with some ARM disassembly skills feeling up to taking abcbox apart to see how it's doing the signature check?
And so I've been digging into this, and it turns out that this is really quite similar to how the Gen 7 Archos 5 IT is locked.
The signature there is a RSA + MD5 signature, which is really the worst case as that means a 2048 bit RSA key, so we're kinda screwed there.
http://strazzere.com/blog/?p=320 has a good description of the situation on the 5IT. Getting a flash_unlock binary should be fairly trivial, so perhaps we can tamper with the key store to add additional keys.
ah zelch, this is good stuff.
i'm gonna diff the archos gpl kernel, looking for changes at mtd stuff. maybe we can build a kernel module which enables r/w access to stage1
edit: or do we already have r/w access?
This stuff is all pretty interesting to read, but if I'm reading this correctly (and it is entirely possible I'm not) it looks kind of like this device is going to be a total pain in the ass to root, and it may take a considerable amount of time for us to get there.
Can someone who is more knowledgeable on this sort of thing verify that? Thanks for all your hard work guys. It's appreciated.
its definitly not going to be that easy as other android devices were but would it be so interesting if it wouldn't be so hard to root?
While that's true, it will make it a bigger triumph when it is finally rooted, the tinkerer in me is dying to mess with roms on this device and see what it can really do once it's cracked open. Keep up the great work guys, I'm following with baited breath.
Write to stage1 appears to exist, and indeed looking at /proc/mounts /mnt/rawfs is mounted rw. Looking at the kernel source, write support should Just Work.
So, looking through /mnt/rawfs avboot is clearly the boot loader which verifies stuff, but we lack source for it.
I have absolutely no knowledge of ARM asm, and screwing this up will absolutely brick your device, quite possibly beyond repair. (And I wouldn't bet on ArchOS being willing to replace it either, I sure wouldn't.)
So, anyone with the right background willing to step in here?
I'll keep digging, perhaps we can still find the answers.
Note: avboot has some strings which reference a development kernel, this bears some additional hunting.
I still haven't got my A101, but its finally on its way to my home.
can you please upload these files and give me kind of a tree of the folder structure?
Partitions are something we usually don't need to mess with - probably shouldn't mess with. That said - to understand how things work, it would be nice to peek around and look. I have enough experience with linux to be dangerous but not enough to answer my question on the gtab. I know there are multiple partititons - clockwork mod can wipe some. I see when I do nvflash that a bunch of partitions are restored. When we repartition with clockwork we set the size of only one partition to 2040 and the swap partition to 0 - what about all the others? Now, if I use terminal emulator or can get up to what I think is the root directory. In linux I could use fdisk -l and it would show me the various partitions. It doesn't produce any output here. I'm sure I just don't understand the structure so I'm not phrasing the command properly. There is also probably another place that would clue me in as to what partitions are mounted where but I don't know it. Anyone have any ideas for me?
Hi,
I know Android is based on Linux and I have good knowledge when it comes to Linux. I also have a good understanding when it comes to Android right from the first devices...flashing roms etc. Still I am just using it on a user level and I am just guessing from those experiences what basic elements are and how Android is structured.
For once I would like to know how a typical Android phone is partitioned?
First there is the boot-element. I can flash ROMs all I want and it stays the same (in my case LG Animation). I guess this is a separate partition where a little bootloader like GRUB is located? Or is this located in the system-partition? Maybe the file boot.img? What is this? Some Mini-Linux?
Then there is for example the ClockWorkMod Recovery. Where is it located? It isn't deleted when I flash new ROMs. Is it on a separate partition? And what is it? Some Mini-Linux you can boot into?
Then there is the OS-Partition I can see when I install a file-explorer app in Android. I am guessing the OS itself (is this Linux or Android?) resides in /system, the user data resides in /data. Can somebody explain the main folders in this partition and what they contain?
Then there are elements like the Baseband or the RIL. Where are they located? Are they on a separate partition? Are they a Mini-Linux themselves and why aren't they changed when I flash a ROM?
In summary: I would like to understand Android better. Maybe you can answer some of my questions above or know some articles describing exactly what I want to know. I used Google and the forum search but found nothing really useful.
Cheers,
sb
Nobody got anything?
Not sure if this helps, it applies to most (if not all) Android devices:
http://androidforums.com/evo-4g-all-things-root/278898-android-partitions-kernels-explained.html
Thanks! This helped a lot. I head a similar view in my head but nothing really confirmed. There are more links to read in your link...which I will do
Hi,
I used to know a way to dump a raw range of data (i.e. specifying start/end in hex address) from a block device which I used to do from data recovery days, but I can't remember what it is. I have been googling for about an hour and it's driving me nuts! Can anybody help?
FYI, I am trying to grab data from an unknown range of data on the nand layout for the Xperia Play but this is a general linux/busybox question. For details on what I'm doing check here.
Thanks so much in advance.
EDIT: Nevermind, I've discovered that the range I'm trying to read is a protected area. Mods please close if possible.
cat is more like a parser, dd is capable of dealing with raw data.
http://www.linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/
http://linux.die.net/man/1/dd
Yeah I figured it would be done with dd, though I can't find any device that represents the "entire" mtd/nand - only mtd# for existing partitions exposed by the kernel. If i could find a "root mtd" device I could use skip and count parameters of dd to read what I want.
Regardless, I don't really need help with this specifically anymore - my problem seems to be specific to the Xperia Play. I am basically trying to resize the partitions (which I did previously on the X10) and I have exposed an unknown ~100MB+ that goes between userdata and cache, but I can't read or write to it at all no matter what I do.
I think what I'm trying to get is a protected area for DRM or something which I want to shift (so I can give space from cache to userdata). I/we need to make kernel or bootloader changes for the device.
Thanks for the help anyway.
I have a Samsung and Samsung is the probably the only one brand that adopt a different partition system for mtd; but remember that dd just copies everything, free space included, if with dd you are copying a filesystem with a total of 100MB and only 40MB are in use, you end up having a 100MB image file with dd.
Yeah I know it's a raw by-sector mirror/dump tool. Well what I did was edit the kernel to only create one entire partition taking the complete nand storage and then tried to dd from that, it works for a long time then once it hits this special "protected" area around ~800MB offset it spams a lot of "I/O Error" messages but doesn't fill these with zero's or anything (using conv=noerror), then once it passes the protected area it successfully dumps the rest (which is where the cache partition for the zeus would go).
OK, I have another question now. I found that this unknown 133MB has about 53MB of data in there, somewhere in the middle, which grabs fine. But the resulting file is not 133MB so I don't know the offset. Can I use dd or another tool to grab this partition while filling I/O errors with zero's? I have googled a lot and couldn't find anything.
Nevermind *facepalm* I use conv=noerror,sync. http://www.mkssoftware.com/docs/man1/dd.1.asp
Hello,
I want to edit an ext4 file with Windows XP and and I haven't found a solution despite extensive research.
Thank you in advance !
https://www.paragon-software.com/home/extfs-windows/
Thanks but I don't want to access to an ext4 partition but I want to edit a file, like this :
http://image.gilawhost.com/14/04/24/vgg34udp.png
Then I've no clue, sorry. As far as I knew it was only partitions that are ext4, not extensions.. Must be something unique to Archos stuff perhaps.
According to this answer (specifically the part "Since Archos uses a very different (and encrypted) filesystem partitions scheme"), I would say you're not able to open that file (at least not without cracking the encrypthion Archos uses. Which would be another subject.