Hey
I'm trying to decrypt the LUA files.
I'm running the game on my phone
I run this script
Code:
#!/usr/bin/env python
import frida
import sys

package_name = "com.elex.nikkigp"


def get_messages_from_js(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


jsc = """
var _address = Module.findExportByName( "libcocos2dcpp.so", "Z13xxtea_decryptPhjS_jPj");
if (null === _address)
    throw 'xxtea_decrypt NOT FOUND';
Interceptor.attach (_address, {
    onEnter: function (args) {
        console.log("----------------BEGIN----------------");
        console.log(hexdump(Memory.readByteArray(args[2], 12),{
            offset: 0,
            length: 12,
            header: true,
            ansi: true
        }));
    },
    onLeave: function (retval) {
        console.log("Decrypt:");
        console.log(hexdump(Memory.readByteArray(retval, 16),{
            offset: 0,
            length: 16,
            header: true,
            ansi: true
        }));
        console.log("-----------------END-----------------");
    }
});
"""

process = frida.get_usb_device().attach(package_name)
script = process.create_script(jsc)
script.on('message',get_messages_from_js)
script.load()
print("[*] Start Script")
sys.stdin.read()
Error: xxtea_decrypt NOT FOUND
Although the xxtea_decrypt function does exist in libcocos2dcpp.
Related
Hi,
I'm trying to set and retrieve properties in my native code using property_get and property_set, but it doesn't seem to be working. I tried adding debug logs but they don't show up either. I'm not sure if I'm doing it all wrong, but here's what I did:
I have
Code:
property_set("dm.scheme",value);
in a function in one file and
Code:
char value[PROPERTY_VALUE_MAX];
property_get("dm.scheme",value,"0");
in another file.
I modified property_service.c to this
Code:
/* White list of permissions for setting property services. */
struct {
    const char *prefix;
    unsigned int uid;
    unsigned int gid;
} property_perms[] = {
    { "net.rmnet0.", AID_RADIO, 0 },
    ...
    { "service.adb.tcp.port", AID_SHELL, 0 },
    { "persist.sys.", AID_SYSTEM, 0 },
    { "persist.service.", AID_SYSTEM, 0 },
    { "persist.security.", AID_SYSTEM, 0 },
    { "dm.", AID_SYSTEM, 0},
    { NULL, 0, 0 }
};
Am I missing anything here?
I'm trying to build CM10.2 for an Allwinner A31 device. I also have an A31 dev tree for stock 4.2.2, which has the Cedarx framework I need, so I've imported it into the CM dev tree. Most things build fine without any, or much, changes but I'm getting the below error and haven't been able to fix it.
I've looked at just about everything and there doesn't seem to be a reason for the error. I have some "C" experience and I can handle some things, but this is beyond my understanding.
Code:
frameworks/av/media/CedarX-Projects/CedarA/CedarARender.cpp: In member function 'android::status_t android::CedarAAudioPlayer::start(bool)':
frameworks/av/media/CedarX-Projects/CedarA/CedarARender.cpp:122:46: error: invalid conversion from 'int' to 'audio_output_flags_t' [-fpermissive]
In file included from frameworks/av/media/CedarX-Projects/CedarA/CedarARender.cpp:22:0:
frameworks/av/include/media/AudioTrack.h:168:25: error: initializing argument 6 of 'android::AudioTrack::AudioTrack(audio_stream_type_t, uint32_t, audio_format_t, audio_channel_mask_t, int, audio_output_flags_t, android::AudioTrack::callback_t, void*, int, int)' [-fpermissive]
make: *** [/home/curt/android/system/out/target/product/novo9/obj/SHARED_LIBRARIES/libCedarA_intermediates/CedarARender.o] Error 1
The CedarARender.cpp code is:
Code:
mAudioTrack = new AudioTrack(
        AUDIO_STREAM_MUSIC, mSampleRate, AUDIO_FORMAT_PCM_16_BIT,
        (mNumChannels == 2)
            ? AUDIO_CHANNEL_OUT_STEREO
            : AUDIO_CHANNEL_OUT_MONO,
        0, 0, &AudioCallback, this, 0); //This is line 122! The first "0".
These are the header lines referenced in the error:
Code:
AudioTrack( audio_stream_type_t streamType,
            uint32_t sampleRate = 0,
            audio_format_t format = AUDIO_FORMAT_DEFAULT,
            audio_channel_mask_t channelMask = 0,
            int frameCount = 0,
            audio_output_flags_t flags = AUDIO_OUTPUT_FLAG_NONE,
            callback_t cbf = NULL,
            void* user = NULL,
            int notificationFrames = 0,
            int sessionId = 0);
The value of AUDIO_OUTPUT_FLAG_NONE is from <system/audio.h>:
Code:
typedef enum {
    AUDIO_OUTPUT_FLAG_NONE = 0x0,       // no attributes
    AUDIO_OUTPUT_FLAG_DIRECT = 0x1,     // this output directly connects a track
                                        // to one output stream: no software mixer
    AUDIO_OUTPUT_FLAG_PRIMARY = 0x2,    // this output is the primary output of
                                        // the device. It is unique and must be
                                        // present. It is opened by default and
                                        // receives routing, audio mode and volume
                                        // controls related to voice calls.
    AUDIO_OUTPUT_FLAG_FAST = 0x4,       // output supports "fast tracks",
                                        // defined elsewhere
    AUDIO_OUTPUT_FLAG_DEEP_BUFFER = 0x8,// use deep audio buffers
#ifdef QCOM_HARDWARE
    //Qualcomm Flags
    AUDIO_OUTPUT_FLAG_LPA = 0x1000,     // use LPA
    AUDIO_OUTPUT_FLAG_TUNNEL = 0x2000,  // use Tunnel
    AUDIO_OUTPUT_FLAG_VOIP_RX = 0x4000, // use this flag in combination with DIRECT to
                                        // indicate HAL to activate EC & NS
                                        // path for VOIP calls
    AUDIO_OUTPUT_FLAG_INCALL_MUSIC = 0x8000 //use this flag for incall music delivery
#endif
} audio_output_flags_t;
My question is, why is the "0" causing an error? I tried putting "AUDIO_OUTPUT_FLAG_NONE" and "0x0" in its place but still get the error.
Any help would be appreciated!
So, I hate to ask because I'm sure this is really simple...
I have this function that is storing a sysfs value. To save space, I have 4 different parameters sharing the function as it's basically the same function for each. I'd like to check which parameter is calling the function so that I can perform some checks depending on the parameter (i.e., that each is in a logical order compared to its neighboring values). How would I get the name of the parameter that called it?
https://gist.github.com/yoinx/6a3ff00945f3ec1db230
embedded to avoid the link:
Code:
/* Frequency limit storage */
static int set_freq_limit(const char *val, const struct kernel_param *kp)
{
    int ret = 0;
    int i, cnt;
    int valid = 0;
    struct cpufreq_policy *policy;
    static struct cpufreq_frequency_table *tbl = NULL;

    /* i is a signed int, so parse it with kstrtoint */
    ret = kstrtoint(val, 10, &i);
    if (ret)
        return -EINVAL;

    policy = cpufreq_cpu_get(0);
    tbl = cpufreq_frequency_get_table(0);
    /* Drop the reference taken by cpufreq_cpu_get() */
    if (policy)
        cpufreq_cpu_put(policy);
    /* No frequency table means nothing to validate against */
    if (!tbl)
        return -EINVAL;

    /* Accept only values present in the frequency table (entry 0 is skipped) */
    for (cnt = 0; (tbl[cnt].frequency != CPUFREQ_TABLE_END); cnt++) {
        if (cnt > 0)
            if (tbl[cnt].frequency == i)
                valid = 1;
    }
    if (!valid)
        return -EINVAL;

    ret = param_set_int(val, kp);
    return ret;
}

static struct kernel_param_ops freq_limit_ops = {
    .set = set_freq_limit,
    .get = param_get_int,
};

module_param_cb(freq_hell, &freq_limit_ops, &FREQ_HELL, 0644);
module_param_cb(freq_very_hot, &freq_limit_ops, &FREQ_VERY_HOT, 0644);
module_param_cb(freq_hot, &freq_limit_ops, &FREQ_HOT, 0644);
module_param_cb(freq_warm, &freq_limit_ops, &FREQ_WARM, 0644);
I could go even more sloppy and just duplicate this function repeatedly... But I'd rather not.
I thought kp would hold the kernel parameter... but it's a structure, not a variable... So I'm not positive what value in the structure would hold the name.
Thanks for the help.
Edit:
Would it be kp->name?
Ok, so not sure why it wouldn't work for me the other day... Which is what led me to this post.
It was indeed kp->name, like I expected it to be. When I was trying to test it in a printk, it was causing a kernel panic though. Whatever, it worked now.
It prints out as module.param, just in case this helps anyone in the future.
*Edit*
Here's how I ended up doing this. Again, in case it helps anyone in the future.
Code:
/* Frequency limit storage */
static int set_freq_limit(const char *val, const struct kernel_param *kp)
{
    int ret = 0;
    int i, cnt;
    int valid = 0;
    struct cpufreq_policy *policy;
    static struct cpufreq_frequency_table *tbl = NULL;

    /* i is a signed int, so parse it with kstrtoint */
    ret = kstrtoint(val, 10, &i);
    if (ret)
        return -EINVAL;

    policy = cpufreq_cpu_get(0);
    tbl = cpufreq_frequency_get_table(0);
    /* Drop the reference taken by cpufreq_cpu_get() */
    if (policy)
        cpufreq_cpu_put(policy);
    /* No frequency table means nothing to validate against */
    if (!tbl)
        return -EINVAL;

    /* Accept only values present in the frequency table (entry 0 is skipped) */
    for (cnt = 0; (tbl[cnt].frequency != CPUFREQ_TABLE_END); cnt++) {
        if (cnt > 0)
            if (tbl[cnt].frequency == i)
                valid = 1;
    }
    if (!valid)
        return -EINVAL;

    /* Perform some sanity checks on the values that we're storing
     * to make sure that they're scaling linearly */
    if (strcmp( kp->name, "msm_thermal.freq_warm") == 0 && i <= FREQ_HOT)
        return -EINVAL;
    if ( strcmp( kp->name, "msm_thermal.freq_hot") == 0 && ( i >= FREQ_WARM || i <= FREQ_VERY_HOT ))
        return -EINVAL;
    if ( strcmp( kp->name, "msm_thermal.freq_very_hot") == 0 && ( i >= FREQ_HOT || i <= FREQ_HELL ))
        return -EINVAL;
    if ( strcmp( kp->name, "msm_thermal.freq_hell") == 0 && i >= FREQ_VERY_HOT )
        return -EINVAL;
    /* End Sanity Checks */

    ret = param_set_int(val, kp);
    return ret;
}

static struct kernel_param_ops freq_limit_ops = {
    .set = set_freq_limit,
    .get = param_get_int,
};

module_param_cb(freq_hell, &freq_limit_ops, &FREQ_HELL, 0644);
module_param_cb(freq_very_hot, &freq_limit_ops, &FREQ_VERY_HOT, 0644);
module_param_cb(freq_hot, &freq_limit_ops, &FREQ_HOT, 0644);
module_param_cb(freq_warm, &freq_limit_ops, &FREQ_WARM, 0644);
Symptom: In a quick app, the setInterval function is used to cyclically execute the code for using canvas. However, the quick app freezes when rendering an image on a Huawei phone.
The code where the exception occurs is as follows:
JavaScript:
click0() {
    this.speed = 0.3
    let ctx = this.$element('canvas').getContext('2d')
    setInterval(() => {
        this.num0 += 2
        this.noise = Math.min(0.5, 1) * this.MAX
        this._draw(ctx)
        this.MAX <= 200 && (this.MAX += 4)
    }, 20)
},
_draw(ctx) {
    this.phase = (this.phase + this.speed) % (Math.PI * 64)
    ctx.clearRect(0, 0, this.width, this.height)
    this._drawLine(ctx, -2, 'rgba(0, 194, 255, 0.2)')
    this._drawLine(ctx, -6, 'rgba(0, 194, 255, 0.4)')
    this._drawLine(ctx, 4, 'rgba(0, 194, 255, 0.6)')
    this._drawLine(ctx, 2, 'rgba(0, 194, 255, 0.8)')
    this._drawLine(ctx, 1, 'rgba(0, 194, 255, 1)', 4)
},
Cause Analysis:
The canvas drawing in the this._draw() method takes a long time, at least 100 ms. However, the time interval is only 20 ms. Huawei Quick App Loader will execute the code again after 20 ms, which is much shorter than 100 ms, causing the drawing to stutter.
Solution:
You can first obtain the service provider by calling the API for querying device information to determine whether the quick app is supported by Huawei Quick App Loader. If so, set the time interval to longer than 100 ms. The sample code is as follows (please refer to the red portions):
JavaScript:
onShow: function () {
    var that = this
    device.getInfo({
        success: function (ret) {
            console.log("handling success:", JSON.stringify(ret));
            that.engineProvider = ret.engineProvider;
        },
        fail: function (erromsg, errocode) {
            console.log("message:", erromsg, errocode);
        }
    })
},
click0() {
    var that = this
    this.speed = 0.3
    console.log(that.engineProvider)
    let ctx = this.$element('canvas').getContext('2d')
    if (that.engineProvider === "huawei") {
        setInterval(() => {
            this.num0 += 2
            this.noise = Math.min(0.5, 1) * this.MAX
            this._draw(ctx)
            this.MAX <= 200 && (this.MAX += 4)
        }, 120)
    } else {
        setInterval(() => {
            this.num0 += 2
            this.noise = Math.min(0.5, 1) * this.MAX
            this._draw(ctx)
            this.MAX <= 200 && (this.MAX += 4)
        }, 20)
    }
},
_draw(ctx) {
    this.phase = (this.phase + this.speed) % (Math.PI * 64)
    ctx.clearRect(0, 0, this.width, this.height)
    this._drawLine(ctx, -2, 'rgba(0, 194, 255, 0.2)')
    this._drawLine(ctx, -6, 'rgba(0, 194, 255, 0.4)')
    this._drawLine(ctx, 4, 'rgba(0, 194, 255, 0.6)')
    this._drawLine(ctx, 2, 'rgba(0, 194, 255, 0.8)')
    this._drawLine(ctx, 1, 'rgba(0, 194, 255, 1)', 4)
},
_drawLine(ctx, attenuation, color, width) {
    ctx.save()
    ctx.moveTo(0, 0);
    ctx.beginPath();
    ctx.strokeStyle = color;
    ctx.lineWidth = width || 1;
    var x, y;
    for (var i = -this.K; i <= this.K; i += 0.01) {
        x = this.width * ((i + this.K) / (this.K * 2))
        y = this.height / 2 + this.noise * this._globalAttenuationFn(i) * (1 / attenuation) * Math.sin(this.F * i - this.phase)
        ctx.lineTo(x, y)
    }
    ctx.stroke()
    ctx.restore()
},
References:
Introduction to the canvas API:
https://developer.huawei.com/consumer/en/doc/development/quickApp-References/quickapp-api-canvas
Quick app materials: https://developer.huawei.com/consumer/en/doc/development/quickApp-Guides/quickapp-whitepaper
Hi all. I'm trying to compile the kernel for my HTC 5G HUB, as a first step in transforming it into a great IoT device.
It has a Snapdragon 855 SOC and runs Android 9.0.
After more than a week of work, I tried out a mostly correct environment and solved most of the problems by myself, but there are still some issues that are bothering me.
I'm not expecting anyone to help me solve problems hand by hand, but just hoping someone experienced in similar devices (Pixel 4, Mi 9, OnePlus 7, etc.) will give me some clues. Thanks!
1. Device Tree Compiler Warning
At the beginning, I got lots of warnings about "Warning (reg_format)" in various nodes. I managed to resolve these warnings by carefully adding `#address-cells` and `#size-cells` in their parent node, except for the following two.
Code:
Warning (reg_format): "reg" property in /[email protected]/__overlay__/qcom,[email protected] has invalid length (4 bytes) (#address-cells == 2, #size-cells == 1)
Warning (reg_format): "reg" property in /[email protected]/__overlay__/qcom,[email protected] has invalid length (4 bytes) (#address-cells == 2, #size-cells == 1)
Take smb1390 for example, its content is shown as below:
Code:
#include <dt-bindings/interrupt-controller/irq.h>
smb1390: qcom,[email protected] {
    compatible = "qcom,i2c-pmic";
    reg = <0x10>;
    #address-cells = <1>;
    #size-cells = <0>;
    interrupt-parent = <&spmi_bus>;
    interrupts = <0x2 0xC5 0x0 IRQ_TYPE_LEVEL_LOW>;
    interrupt_names = "smb1390";
    interrupt-controller;
    #interrupt-cells = <3>;
    qcom,periph-map = <0x10>;
    status = "disabled";
    smb1390_revid: qcom,revid {
        compatible = "qcom,qpnp-revid";
        reg = <0x100>;
    };
    smb1390_charger: qcom,charge_pump {
        compatible = "qcom,smb1390-charger";
        qcom,pmic-revid = <&smb1390_revid>;
        interrupt-parent = <&smb1390>;
        status = "disabled";
        qcom,core {
            interrupts = <0x10 0x0 IRQ_TYPE_EDGE_BOTH>,
                         <0x10 0x1 IRQ_TYPE_EDGE_BOTH>,
                         <0x10 0x2 IRQ_TYPE_EDGE_BOTH>,
                         <0x10 0x3 IRQ_TYPE_EDGE_BOTH>,
                         <0x10 0x4 IRQ_TYPE_EDGE_BOTH>,
                         <0x10 0x5 IRQ_TYPE_EDGE_RISING>,
                         <0x10 0x6 IRQ_TYPE_EDGE_RISING>,
                         <0x10 0x7 IRQ_TYPE_EDGE_RISING>;
            interrupt-names = "switcher-off-window",
                              "switcher-off-fault",
                              "tsd-fault",
                              "irev-fault",
                              "vph-ov-hard",
                              "vph-ov-soft",
                              "ilim",
                              "temp-alarm";
        };
    };
};
It is included by sm8150-qrd.dtsi, sm8150-sdx50m-qrd.dtsi and sm8150-mtp.dtsi like this:
Code:
&qupv3_se4_i2c {
    #include "smb1390.dtsi"
    #include "smb1355.dtsi"
};
Code:
&smb1390 {
    pinctrl-names = "default";
    pinctrl-0 = <&smb_stat_default>;
    status = "ok";
};
&smb1390_charger {
    io-channels = <&pm8150b_vadc ADC_AMUX_THM2>;
    io-channel-names = "cp_die_temp";
    status = "ok";
};
Searching for qupv3_se4_i2c, I got this in sm8150-audio-rt5-xb.dtsi (RTX is the codename of HTC 5G HUB):
Code:
&soc{
    /* TI config for spk chip */
    [email protected] { /* qupv3_se4_i2c */
        #address-cells = <1>;
        #size-cells = <0>;
        [email protected] {
            ...
        };
    };
};
I believe tas2557s is an unrelated device so I ignored the details of this.
So, where is the problem?
2. vmlinux warning at the end of compilation
Code:
WARNING: EXPORT symbol "gsi_write_channel_scratch" [vmlinux] version generation failed, symbol will not be versioned.
Fortunately, they were only warnings instead of errors. So I was still able to complete the entire compilation process.
If these problems are hard to fix easily, I'd like to know if I can safely ignore them.
My build environment:
Ubuntu 14.04 in docker
aarch64-linux-android-4.9
clang-4691093
DTC from AOSP 9.0.0. When I run "dtc -v", it told me "1.4.2"
You can get kernel source code from here