haykuro 4.5 and wifi tether program 0.9.6 - G1 Android Development

Has anyone figured out how to get wifi tether working on Haykuro's 4.5 Magic port? It seems to connect for me, but the remote has no internet. Played with some config files; didn't help. Getting the error below. Any help would be greatly appreciated. I think it is just an incompatible ROM.
11.04.09 11:16:01
Setting up firewall rules
Iptables v1.3.7: can't initialize iptables
'filter': iptables who? (Do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Bueller? Anyone have any ideas?

If you read Haykuro's main thread, you'd know it's being worked on. Basically they need to recompile iptables, which in my opinion will be done in the next couple of days.


Getting bluetooth working in Hero [updated: 8/26/2009]

*More progress 11:04pm CST 8/26/09*
Tracked down what calls the BTIP service, it's /system/lib/libandroid_runtime.so . Tried replacing it with a cupcake build, rebooted and ran into the issue where /system/framework/framework.jar is still referencing calls that were in the Hero libandroid_runtime.so . So replaced framework.jar and framework.odex from cupcake build and got the following error.
Code:
D/AndroidRuntime( 1517): >>>>>>>>>>>>>> AndroidRuntime START <<<<<<<<<<<<<<
D/AndroidRuntime( 1517): CheckJNI is OFF
I/dalvikvm( 1517): DexOpt: mismatch dep signature for '/system/framework/core.odex'
E/dalvikvm( 1517): /system/framework/framework.jar odex has stale dependencies
I/dalvikvm( 1517): Zip is good, but no classes.dex inside, and no valid .odex file in the same directory
D/libc-abort( 1517): abort() called in pid 1517
Any "educated" ideas?
*Questions & Progress 01:09pm CST 8/17/09*
So lately what I've been trying to do is find where a reference is made to actually call the BTIPS service. I've been looking in /system/framework and /data/app_s/Settings.apk but haven't found it yet. What I'm hoping to do is modify the file and have it call BT the same way cupcake did. Has anyone else found where a reference to "btips" is at?
Settings.apk, which is what pops up when on home screen and you hit menu->settings, only makes a call to android:targetClass="com.android.settings.bluetooth.BluetoothSettings"
Anywho, if you find it in any system libraries or framework files let me know. Please no PM's or posts about where you "THINK" it may be at. I've already tried the random guessing stuff, now I'm going through libraries one by one trying to find it.
*Some more notes 12:30pm CST 7/24/09*
Here are some notes of interest.
There are two versions of the /system/bin/bts daemon that are floating around on the Hero builds
Code:
md5sum bts
29ffa46f12c01e3690690752b4e2d58d bts
md5sum bts
5aeaca42d67d3b3c64ceda9ee4bfec1a bts
There are also two versions of the TIInit_5.3.53.bts firmware files. One is actually just the brf6300.bin file renamed to match what Hero is looking for in /etc/firmware
Code:
md5sum TIInit_5.3.53.bts
d7a214bdb9b4fbc2b4e2dd7e3ab95df0 TIInit_5.3.53.bts
md5sum TIInit_5.3.53.bts
cb3d2ecbfc97c026a0dcceb8c959b7db TIInit_5.3.53.bts
If you run "strings" on /system/bin/bts and grep for "TII" you'll be able to tell which firmware files that version supports
Code:
TIInit_3.4.27.bts
TIInit_4.2.38.bts
TIInit_5.2.34.bts
TIInit_5.3.53.bts
TIInit_6.2.31.bts
*Nice picture illustrating BT architecture in Android 7:04pm CST 7/17/09*
*A note for ROM devs 02:27pm CST 7/17/09*
Something to note, Hero does not use any of the following legacy services and therefore they can be removed from init.rc & init.trout.rc . This is mainly something the ROM cookers should pay attention to. The btips service actually handles all of this now.
REMOVE THE FOLLOWING:
Code:
service hcid /system/bin/hcid -s -n -f /etc/bluez/hcid.conf
    socket bluetooth stream 660 bluetooth bluetooth
    socket dbus_bluetooth stream 660 bluetooth bluetooth
    # init.rc does not yet support applying capabilities, so run as root and
    # let hcid drop uid to bluetooth with the right linux capabilities
    group bluetooth net_bt_admin misc
    disabled
service hciattach /system/bin/hciattach -n -s 115200 /dev/ttyHS0 texas 4000000 flow
    user bluetooth
    group bluetooth net_bt_admin
    disabled
service hfag /system/bin/sdptool add --channel=10 HFAG
    user bluetooth
    group bluetooth net_bt_admin
    disabled
    oneshot
service hsag /system/bin/sdptool add --channel=11 HSAG
    user bluetooth
    group bluetooth net_bt_admin
    disabled
    oneshot
*Found something 01:48pm CST 7/17/09*
I was looking through init.trout.rc and noticed the following lines
Code:
chown bluetooth bluetooth /sys/devices/platform/msm_serial_hs.0/serial_lock_cpu
chmod 0660 /sys/devices/platform/msm_serial_hs.0/serial_lock_cpu
This may not seem like much but this node does not actually exist in our builds. It's possible, and probably likely, that HTC modified their kernel to support the changes that were made in the bts (btips) daemon.
We all are pretty much not using the HTC kernel, we're using custom compiled kernels from JAC or Cyanogen. I tried using the RUU kernel but couldn't boot at all. Is anyone able to get their phone booting off the RUU kernel and NOT one of the custom kernels that are floating around in these ROMs? If so, can you check if this device node exists?
I believe booting off that kernel could be the answer to the UART clock issues I'm getting and missing devices in /sys .
NEXT
I have been toying around with the following value in init.rc that seems to affect whether or not I get an error.
Code:
/proc/sys/net/unix/max_dgram_qlen
The default is 10, the RUU release of Hero sets it to 999. If I change that to 10000 then it pauses the BT services and just sits there. If I revert to default I get the same error that I see when it's set to 999. Wondering if there's a happy medium in queue length (qlen). Just me thinking out loud.
*Latest progress 11:43pm CST 7/15/09*
I wanted to post some newer results I've been having with BT debugging on Hero. I found out how to circumvent the UART disable error. This is done by having the service btips statement in init.rc look as follows
Code:
service btips /system/bin/bts
    socket bluetooth stream 666 bluetooth bluetooth
    socket dbus_bluetooth stream 666 bluetooth bluetooth
    group bluetooth net_bt_admin root misc
    disabled
    oneshot
The most important part is "oneshot" which tells Android to NOT restart the btips service after it dies. If you leave this off then it will relaunch btips service and tie up the I2C bus.
The newest error I'm getting is the inability to launch HCI. This is hopefully the LAST error before I can get BT functional! Anyways, just wanted to update everyone that I have not stopped working on bluetooth.
Code:
1247718990.888806 BTSTACK(778) INFO | UATRAN: HCI Command was not acknowledged with an event
[ vendor/ti/btips-linux/B_TIPS/btstack/hcitrans/uart/uarttran.c:298 ]
1247718990.889935 BTSTACK(778) INFO | HCI: HCI_Process detected transport failure
[ vendor/ti/btips-linux/B_TIPS/btstack/stack/hci/hci_proc.c:1596 ]
1247718990.890179 BTSTACK(778) INFO | RADIOMGR: RmgrHciCallback: 0x6
[ vendor/ti/btips-linux/B_TIPS/btstack/stack/radiomgr.c:364 ]
1247718990.890362 BTSTACK(778) INFO | RADIOMGR: HCI init failed (retrying)
[ vendor/ti/btips-linux/B_TIPS/btstack/stack/radiomgr.c:386 ]
1247718990.890484 BTSTACK(778) INFO | RADIOMGR: HCI init error
[ vendor/ti/btips-linux/B_TIPS/btstack/stack/radiomgr.c:335 ]
1247718990.890637 BTSTACK(778) INFO | ME: HCI Init complete status: 22
[ vendor/ti/btips-linux/B_TIPS/btstack/stack/me/me.c:1220 ]
1247718990.890789 BTSTACK(778) INFO | CMGR: Received event HCI_INIT_ERROR
[ vendor/ti/btips-linux/B_TIPS/btstack/profiles/common/conmgr.c:591 ]
1247718990.890942 BTSTACK(778) INFO | Dbus | inside _BTBUS_COMMON_BTL_callback with event: 6 0[ vendor/ti/btips-linux/EBTIPS/apps/btbus_wrap_common.c:62 ]
1247718990.893536 BTSTACK(778) INFO | sending dbus message from BTBUS_COMMON_BTL_callback in {vendor/ti/btips-linux/EBTIPS/apps/btbus_wrap_common.c:84}[ vendor/ti/btips-linux/EBTIPS/apps/btbus_wrap_utils.c:189 ]
1247718990.898022 BTSTACK(778) INFO | Dbus | _BTBUS_COMMON_BTL_callback signal sent: 6 0[ vendor/ti/btips-linux/EBTIPS/apps/btbus_wrap_common.c:87 ]
1247718990.898358 BTSTACK(778) FATAL | HCI Init Status Received while neither FM nor BT On in progress[ vendor/ti/btips-linux/EBTIPS/btl/ti_chip_mngr/ti_chip_mngr.c:1232 ]
1247718990.898541 BTSTACK(778) Assert | 0[ vendor/ti/btips-linux/EBTIPS/btl/ti_chip_mngr/ti_chip_mngr.c:1232 ]
1247718990.899121 BTSTACK(778) FATAL | signal 11 sent to our program from address 0xdeadbaad and code 1[ vendor/ti/btips-linux/EBTIPS/apps/btt_task.c:102 ]
I'll update this main post as I, or others, come up with progress or advancements.
The directories for this are already created in the latest Hero init.rc . Just need to create the ddb file
Code:
touch /data/btips/TI/BtDeviceDb.ddb
chmod 666 /data/btips/TI/BtDeviceDb.ddb
The result of making these changes is that you are able to get ALL bluetooth services and sockets created. Bluetooth is working from the commandline, just not on the frontend where we need it.
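The btips stanza in the post above opens its sockets with mode 666 and has no user line, where the legacy hcid stanza used 660. As an added example (not part of the original thread or of any ROM's tooling), a small Python audit that parses init.rc service stanzas and reports world-writable sockets and services left running as root; the function names, the finding wording and the re-indented sample text are this example's own.

```python
"""Audit Android init.rc service stanzas for loose socket modes and root services."""

# Constructed sample: the hcid, hciattach and btips stanzas quoted in the post,
# re-indented the way init.rc normally lays them out.
SAMPLE_INIT_RC = """\
service hcid /system/bin/hcid -s -n -f /etc/bluez/hcid.conf
    socket bluetooth stream 660 bluetooth bluetooth
    socket dbus_bluetooth stream 660 bluetooth bluetooth
    # init.rc does not yet support applying capabilities, so run as root and
    # let hcid drop uid to bluetooth with the right linux capabilities
    group bluetooth net_bt_admin misc
    disabled

service hciattach /system/bin/hciattach -n -s 115200 /dev/ttyHS0 texas 4000000 flow
    user bluetooth
    group bluetooth net_bt_admin
    disabled

service btips /system/bin/bts
    socket bluetooth stream 666 bluetooth bluetooth
    socket dbus_bluetooth stream 666 bluetooth bluetooth
    group bluetooth net_bt_admin root misc
    disabled
    oneshot
"""


def parse_services(text):
    """Return {service_name: {"exec", "sockets", "user", "groups"}}.

    Options belong to the most recent 'service' line; an 'on' trigger
    ends the current stanza. Comment lines and blank lines are skipped.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[0] == "service" and len(tok) >= 3:
            current = {"exec": tok[2], "sockets": [], "user": None, "groups": []}
            services[tok[1]] = current
        elif tok[0] == "on":
            current = None
        elif current is None:
            continue
        elif tok[0] == "socket" and len(tok) >= 4:
            try:
                mode = int(tok[3], 8)  # socket <name> <type> <octal perm> ...
            except ValueError:
                continue  # malformed permission field, nothing to audit
            current["sockets"].append((tok[1], tok[2], mode))
        elif tok[0] == "user" and len(tok) >= 2:
            current["user"] = tok[1]
        elif tok[0] == "group":
            current["groups"] = tok[1:]
    return services


def audit(services):
    """Return a list of (service, issue) tuples."""
    findings = []
    for name, svc in services.items():
        for sock, _kind, mode in svc["sockets"]:
            # Connecting to a Unix socket needs write permission on it,
            # so the "other" write bit opens it to every app on the device.
            if mode & 0o002:
                findings.append((name, f"socket {sock} is world-writable ({mode:04o})"))
        # init starts a service as root unless a 'user' line says otherwise.
        if svc["user"] in (None, "root"):
            findings.append((name, "runs as root (no non-root 'user' line)"))
        if "root" in svc["groups"]:
            findings.append((name, "group list includes root"))
    return findings


if __name__ == "__main__":
    for service, issue in audit(parse_services(SAMPLE_INIT_RC)):
        print(f"{service}: {issue}")
```

On the sample, hciattach is clean, hcid is reported only for running as root, and btips is reported for both sockets, for running as root and for its group list.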
Going to go ahead and bump this up there
Yeah, I posted in the other thread that I had talked to Haykuro about this. He told me that he got this working 100% without adding any other files; he just used the ones already in the Hero build.
He hasn't been responding to me recently, so I can't get any more info, but when he does, I'll ask him what else we need to do to eliminate the few errors that we are getting.
amgupt01 said:
> Yeah, I posted in the other thread that I had talked to Haykuro about this. He told me that he got this working 100% without adding any other files; he just used the ones already in the Hero build.
> He hasn't been responding to me recently, so I can't get any more info, but when he does, I'll ask him what else we need to do to eliminate the few errors that we are getting.
Hmmm no other files huh, well that helps me keep my focus on what is already in the build then. Thanks, I'll keep hammering at this. I wonder why if Haykuro got bluetooth working, he didn't release Hero with the fix? Strange.
Yeah, he told me that he had Hero 2.0 (yeah, it exists along with Rosie 2.0) working 100%, but he had better Android things to do... I wonder what else Haykuro was working on (before his hard drive got wiped)
amgupt01 said:
> Yeah, he told me that he had Hero 2.0 (yeah, it exists along with Rosie 2.0) working 100%, but he had better Android things to do... I wonder what else Haykuro was working on (before his hard drive got wiped)
Hero/Rosie 2.0 is most likely the GOLD/Production version of the Hero software whereas we have the alpha/beta version. Would be really nice to get my hands on the production version.....
Doubt he's going to ever give it to anyone.
MUST HAVE ROSIE 2.0 hahaha
I wonder where he got it from ...
Maybe if we bribe him with a new phone he'll share?
If the idiots who tricked him hadn't and people were more respectful and patient, I'll put my $0.02 in that we would have Rosie 2.0 by now.
alritewhadeva said:
> If the idiots who tricked him hadn't and people were more respectful and patient, I'll put my $0.02 in that we would have Rosie 2.0 by now.
I wasn't following these forums too closely when all that happened... sorry to get off topic shafty.. just curious what happened, someone PM me with the lowdown? ... anyway, back to shafty ... gettin' BT enabled :D
Made some more progress, check the main thread guys
amgupt01 said:
> Yeah, he told me that he had Hero 2.0 (yeah, it exists along with Rosie 2.0) working 100%, but he had better Android things to do... I wonder what else Haykuro was working on (before his hard drive got wiped)
There are always ways to get info off a wiped drive, I'm sure he was boasting or trying to find a way to get people off his case.
As far as on topic, I don't see why he's being a baby about all of this and should be some help on getting things fixed up. Though with him gone we're getting more people giving out a helping hand.
I have a question: you guys are trying to use Hero bluetooth drivers? If so, wasn't that for the Hero phone? Can't you use the drivers from Ion on Hero instead? I dunno nothing, just saying.
superg05 said:
> I have a question: you guys are trying to use Hero bluetooth drivers? If so, wasn't that for the Hero phone? Can't you use the drivers from Ion on Hero instead? I dunno nothing, just saying.
From what amgupt01 said, Haykuro got it working without any additional files. So basically whatever is there is already there, just needs some touch-up apparently.
dbhatesyou said:
> There are always ways to get info off a wiped drive, I'm sure he was boasting or trying to find a way to get people off his case.
> As far as on topic, I don't see why he's being a baby about all of this and should be some help on getting things fixed up. Though with him gone we're getting more people giving out a helping hand.
Actually, I asked him if he had it because I saw a post on the place where SuperHero is now found titled "Rosie 2.0 Is a No-Go." He seemed pretty surprised that I knew about it because he had never told anyone about it. But he told me that he had Rosie 2.0 working 100% including BT and he had gotten LED and BT on the version of Hero he released, as well. He was just pissed that people leaked his stuff so he didn't release it.
He had a bunch of stuff backed up apparently, so if he ever feels like responding to me, I'm sure he could tell us what we're missing...
superg05 said:
> I have a question: you guys are trying to use Hero bluetooth drivers? If so, wasn't that for the Hero phone? Can't you use the drivers from Ion on Hero instead? I dunno nothing, just saying.
The bluetooth driver is located in /etc/firmware and it is the EXACT same file that is on the cupcake/ion build. You can verify by doing an md5sum on the file in the hero build and the one on the cupcake build and the sums will match up. So it looks like HTC just renamed the driver. I also looked into it further and both the HTC Hero and HTC Dream (G1) are using Texas Instruments chips and the /system/bin/bts daemon has support for both.
amgupt01 said:
> Actually, I asked him if he had it because I saw a post on the place where SuperHero is now found titled "Rosie 2.0 Is a No-Go." He seemed pretty surprised that I knew about it because he had never told anyone about it. But he told me that he had Rosie 2.0 working 100% including BT and he had gotten LED and BT on the version of Hero he released, as well. He was just pissed that people leaked his stuff so he didn't release it.
> He had a bunch of stuff backed up apparently, so if he ever feels like responding to me, I'm sure he could tell us what we're missing...
The easiest thing would be to get one of the BLUEZ developers to lend a hand. They are the ones tasked with working on bluetooth for linux and obviously are doing that for free so they'd probably be nice enough to figure out what modules aren't being loaded. Anyone up for shooting them some emails?
mind giving me the emails?
alritewhadeva said:
> mind giving me the emails?
http://www.bluez.org/development/lists/
Got BT working!
I got BT working this eve! Ok, more details are required. I really only got BT working from the linux perspective. Using tools that are built into the ADP phones that I transferred over to my G1/Hero I was able to enable BT, scan, and pair with my headset.
1) Push bttest and hcitool to the phone. I put them in /data/local/tmp
2) ./bttest enable - you get a RC of 0. Also, watch logcat and you will see hciattach and hcid starting up successfully.
3) ./hcitool dev - will show you the mac address for your hardware
4) ./hcitool scan - will scan for bt devices
5) ./hcitool cc - will connect to the device that you specify.
The good news is that this shows that BT works from the driver/kernel/modules/hardware perspective. Now we just need to close the loop with the upper layers.

[Q] OpenVPN Command Line to disconnect

I've run into a little problem. The solution is probably pathetically simple and I will want to kick myself for being unable to find the answer...nevertheless I've searched for most of the afternoon.
I connect to my openvpn from xoom as follows :
Open terminal and type the following:
su
cd /pathto/myopenvpnfolder (in my case /sdcard/openvpn)
openvpn clientconfigfile.ovpn
everything connects fine and works flawlessly
The problem is that I cannot disconnect unless I reboot the xoom.
Do you know the command line for this?
I know that there is an app called 'openvpn settings' that automates this process but 1), I want to understand syntax and 2), the app will not sustain a connection and nags my notification area. Any ideas? Thank you in advance.
No one has any idea?
Ok
First of all -- I tried some basic commands on my phone -- without openvpn specifically, so try some things here -- worst case scenario you will have to reboot.
I believe openvpn creates another network interface. tiwlan0 is the main networking interface on my phone (D1). Your interface may vary. The best way I can advise you to look for your interface name is to take a look at dmesg. So at the command line, type dmesg and then scroll through the output.
Here is the relevant networking connections in mine:
<6>[18427.544403] TIWLAN: 2235.055000:
<6>[18427.548034] TIWLAN: 2235.058662: -----------------------------------------------------
<6>[18427.559783] TIWLAN: 2235.070412: Driver Version : WiLink_Driver_6.1.0.0.131
<6>[18427.575408] TIWLAN: 2235.086037: Firmware Version: Rev 6.1.5.44.1
<6>[18427.601867] TIWLAN: 2235.112465: Station ID : 00-26-BA-3C-62-CB
<6>[18427.625610] TIWLAN: 2235.136208: -----------------------------------------------------
<6>[18427.644744] TIWLAN: 2235.155342:
<4>[18429.784362] wlanDrvIf_Open
<6>[18429.787628] ADDRCONF(NETDEV_UP): tiwlan0: link is not ready
<6>[18429.832733] ADDRCONF(NETDEV_CHANGE): tiwlan0: link becomes ready
<6>[18430.268096] TIWLAN: 2236.929695: configHW_to_connected: *** NEW CONNECTION ***
<7>[18440.122283] tiwlan0: no IPv6 routers present
In order to list the network IP address listed with the specific interface I then did:
ifconfig tiwlan0
Which resulted in the following:
# ifconfig tiwlan0
ifconfig tiwlan0
tiwlan0: ip 192.168.1.105 mask 255.255.255.0 flags [up broadcast running multicast]
Now I believe openvpn will create another network adapter -- something like tun0 or tap0 depending if you are bridging or routing your vpn (which depends which is specified in your .conf file). To bring down the interface manually, all you would do (assuming you're rooted):
ifconfig <interface_name> down
I borrowed these commands from this tutorial (which will help a little bit -- but be warned, android doesn't have the full network-tools implementation so some of the commands with various switches will not be complete): http://ubuntuforums.org/showthread.php?t=571188
Hopefully this will get you on the correct track!!!!
Awesome! First I want to thank you for answering...second I want to kick myself for not trying basic Linux networking commands...I made a mountain out of a mole hill! Thank you muchly again!
Dollyllama said:
> Awesome! First I want to thank you for answering...second I want to kick myself for not trying basic Linux networking commands...I made a mountain out of a mole hill! Thank you muchly again!
Hey, I'm a noob... I have an OpenVPN server at home but I cannot figure out exactly how to use it on the XOOM or on my Atrix. Could you be kind enough to give me a step-by-step guide to use OpenVPN on the Xoom, when you get time? Thank you so much.

WiFi and 3g simultaneously Guide - need help following instructions

Hi,
I am currently trying to follow these instructions...
http://mobisocial.stanford.edu/news...together-by-hacking-connectivityservice-java/
Very hard for me. Don't know what to do.
> The goal of COIN project is to use WiFi and 3G connections simultaneously. So it conflicts with the policy of Connectivity Service, but there is no configuration to edit the policy, and it is hard coded. You can find the clue in ConnectivityService.java:handleConnect function.
> Our current solution is quite brutal, which is to mask the eyes of Connectivity Service by modifying its message handler entry like the following:
>
>     // must be stateless – things change under us.
>     private class MyHandler extends Handler {
>         @Override
>         public void handleMessage(Message msg) {
>             NetworkInfo info;
>             // added by COIN to disable Connectivity Service
>             int networkState = 8; // not any following state
>             /* use static google dns server for wifi and 3g */
>             if (msg.what == NetworkStateTracker.EVENT_STATE_CHANGED) {
>                 SystemProperties.set("net.dns1", "8.8.8.8");
>                 SystemProperties.set("net.dns2", "8.8.4.4");
>                 bumpDns();
>             }
>             //////////////////////////////////////////////
>             //switch (msg.what) {
>             switch (networkState) {
>                 case NetworkStateTracker.EVENT_STATE_CHANGED:
>                     info = (NetworkInfo) msg.obj;
>                     int type = info.getType();
>                     …..
>
> And then compile the modified ConnectivityService.java in the android source code tree, you can get a new services.jar file in framework directory. Replace the existing services.jar on the cell phone with the following adb commands, then reboot the phone
>
>     adb shell "mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system"
>     adb shell "chmod 0777 /system/framework"
>     adb push services.jar /system/framework
>     adb shell "chmod 0644 /system/framework/services.jar"
>     adb shell "chmod 0755 /system/framework"
Does he mean I have to compile the whole Android source code again?
So I would need to learn first, how to compile Android, then change this file, compile Android, copy file?
Instead of adb shell, could I also use root explorer?
How device dependent is this? Or how Android version dependent?
Could someone offer the compiled file?
No answer yet.
I believe so. This is actually what compelled me to go learn to compile android by myself-- the constant switching between 3g and wifi in a semi-strong wifi zone sucks. For now I am starting with CM7 since it is so popular.
Yes you would need to compile the whole OS and it will only work on an AOSP rom. It will also be very version dependent.
Please let me know if it worked ! I probably don't think it will. Read this on the page:
Pallas Says:
April 13, 2012 at 5:58 am
are you sure the packets are going thru both interfaces?
I think it doesn’t work, simply because you would need two default gateways, leading to some hard problems:
- how does the system choose where to send the packets?
- for outgoing packets: unless the two connections have both statically assigned public IP addresses, which is very unlikely, you will end up with two differently NATed paths, and the client will refuse packets coming from two different ip addresses on the same connection.
- for incoming packets: to let the client send packets to both interfaces, you would need to send them from both interfaces with different source ip addresses: it will not work, the client will get confused. and anyway you would need support at the application level.
to solve all this, you’d need to:
- make an ad-hoc application which understands all this and can send chunks to both interfaces, then merge all the returning chunks. you’d need support at the application level: for example you’d need http byte range support on both client and server
- divide “equally” the single specific connections thru the two gateways. this may work but it’s pretty hard if you do not have access to advanced routing and traffic shaping at the kernel level. may be possible on a phone with custom compiled aosp rom and modified kernel
gouthamsn said:
> Please let me know if it worked ! I probably don't think it will. Read this on the page:
> Pallas Says:
> April 13, 2012 at 5:58 am
> are you sure the packets are going thru both interfaces?
> I think it doesn’t work, simply because you would need two default gateways, leading to some hard problems:
> - how does the system choose where to send the packets?
> - for outgoing packets: unless the two connections have both statically assigned public IP addresses, which is very unlikely, you will end up with two differently NATed paths, and the client will refuse packets coming from two different ip addresses on the same connection.
> - for incoming packets: to let the client send packets to both interfaces, you would need to send them from both interfaces with different source ip addresses: it will not work, the client will get confused. and anyway you would need support at the application level.
> to solve all this, you’d need to:
> - make an ad-hoc application which understands all this and can send chunks to both interfaces, then merge all the returning chunks. you’d need support at the application level: for example you’d need http byte range support on both client and server
> - divide “equally” the single specific connections thru the two gateways. this may work but it’s pretty hard if you do not have access to advanced routing and traffic shaping at the kernel level. may be possible on a phone with custom compiled aosp rom and modified kernel
(Probably of interest to you.)
This project works on a MultiPath-TCP implementation (follow link to mptcp.info.ucl.ac.be). The hard part is compiling the kernel with the additional files. This protocol can only work effectively for download purposes if the server also has an MPTCP kernel running. But on the other hand, you can shut down a single connection without losing the active connection (downloads are not interrupted, and bandwidth capacity is improved if your server is MPTCP-ready).
Until now this protocol is only working for home servers or similar projects, where you have full access to the server and the working kernel of the system.
I am currently working on an implementation of the protocol for my bachelor thesis. I already compiled a working kernel (Glados Nexus S) and now I'm working on keeping both interfaces active. I hope this tut can help me...
Has anybody tried other approaches to this topic? I tried manually loading the wifi module and configuring it, but I only managed to ping via one interface.
You managed to make it work?
bagers said:
> No answer yet.
You managed to make it work? I want to make it also for my master's thesis.

Solution/possible solution for Tether police issues

I don't have much time to look into it at the moment, but for those of you who tether either internet or bluetooth you should look into getting NAT going on your phone. This requires root as far as I know.
You can use iptables (comes with our kernels), ipchains, netfilter, or whatever else passes for NAT/firewall these days on Linux. I'll probably end up compiling an ipchains binary here in the next couple weeks if I don't find one (I haven't been able to as of yet)
That will solve the problem of detection via originating address.
To bypass deep packet inspection, look into an encrypted VPN solution. There are some free ones out there, or you can try something like what Giganews offers. Depending on how AT&T does things, this could also potentially speed up your service because many ISPs give VPNs higher QOS priority. This could also be a bad thing because they could decide you need to be on the enterprise plan. Use at your own risk. If you really want to get crazy, tunnel a VPN through an SSL proxy.
One other thing that will help in general is to install any firewall program. Here are a couple I found on the market (sorry can't link yet):
com.wemobs.internetfirewall
com.mm.plugins.contactsprotect.droidwall1
com.dexters.andfirewall
com.googlecode.droidwall.free
I have not tested any, but they all appear to allow you to pick and choose which applications can access the internet. What better way to make sure no applications are phoning home without permission.
These may or may not turn on the NAT functionality for you.
YMMV, but I hope this helps someone
I think Tor has some Android proxy service, should help.

[APP][4.0+][v1.11 - 20150221] OpenConnect - SSL VPN client for Cisco AnyConnect

Highlights
100% open source (GPLv2+)
No ads
One-click connection (batch mode)
Supports RSA SecurID and TOTP software tokens
Keepalive feature to prevent unnecessary disconnections
Compatible with ARMv7, x86, and MIPS devices
No root required
Based on the popular OpenConnect Linux package
Requirements
Android 4.0 (ICS) or higher (with working VpnService + tun infrastructure)
An account on a suitable VPN server
Downloads
Binaries are attached to this post under the downloads tab.
Google Play: https://play.google.com/store/apps/details?id=app.openconnect
Source code: https://github.com/cernekee/ics-openconnect
F-Droid: https://f-droid.org/repository/browse/?fdid=app.openconnect
(note that the F-Droid binaries are signed by a different key than the official releases)
Changelog
Code:
v1.11 - 2015/02/21
- Fix "Unknown compression type 0" errors when CSTP and DTLS use
different compression settings
Older changelogs:
Code:
v1.10 - 2015/02/08
- Fix CSD script problem on Lollipop (bug #1)
- Fix IPv6 address display on status window (bug #2)
- Enable LZ4 compression support
- Identify as a mobile client when Android or iOS is selected
- Update to OpenConnect v7.04+, GnuTLS 3.2.21
v1.02 - 2014/09/02
- Fix regression on certificate handling
v1.01 - 2014/08/29
- Add Spanish translations (thanks to teosoft)
- Fix regression on CSD scripts starting with "#!/bin/sh"
- Improve error messages on broken ROMs that throw exceptions when
starting a VpnService
- Fix intermittent fragment-related crashes on ICS
v1.00 - 2014/08/10
- Fix problems storing >8kB certificates on some ROMs
- Clean up seldom-used menu items and move some options into General Settings
or About
- Integrate Xposed module for bypassing the VPN confirmation dialog
- Switch to ACRA for problem reporting
v0.96 - 2014/07/06
- Force a minimum MTU of 1280 on KK due to bugs in 4.4.3 and 4.4.4 ROMs:
https://code.google.com/p/android/issues/detail?id=70916
- Fix navigation anomalies (weird Back button behavior) seen after
re-entering OpenConnect from one of the Notifications
v0.95 - 2014/06/14
- Show the auth dialog <message> text in case it contains useful information
- Add German translations (thanks to Ingo Zansinger)
- Add Chinese translations
- Add Advanced options for changing Dead Peer Detection timeout and enabling Perfect Forward Secrecy
- Clean up a bunch of lint warnings and unused strings/files
- Try to generate a human-readable profile name when adding a new VPN
v0.91 - 2014/06/01
- Fix bugs involving saved authgroups
- Fix batch mode error handling
- Update to GnuTLS 3.2.15 to fix GNUTLS-SA-2014-3 / CVE-2014-3466
v0.9 - 2014/04/26
- Add new "Send feedback" screen
- Add new "SecurID info" screen for RSA soft token users
- Allow changing settings and using other menu options (about, SecurID,
send feedback, etc.) while connected
- Update FAQ and provide some links to relevant XDA posts
v0.81 - 2014/04/06
- Fix potential issue recognizing certificates stored in VPN profiles
created with <= v0.7
v0.8 - 2014/04/02
- Fix hangs after reconnect if DTLS is disabled
- Fix incorrect storage of PKCS#12 certificates
- Remove unnecessary passphrase prompts on unencrypted certificates
- Add a workaround for ASA certificate request quirks
- Fix FC when attempting to import an OpenVPN profile
v0.7 - 2014/03/08
- Update GnuTLS to address CVE-2014-0092
- Fix FC and other misbehavior on IPv6 connections
- Update to libopenconnect 5.99+
- Fix/delete several broken translations
- Minor improvements to the auth form UI
- Switch curl from OpenSSL to GnuTLS and remove advertising clauses
v0.6 - 2014/02/09
- First release in Google Play Store
- Change to new "big O" launcher icon
- Avoid displaying error alerts if the user terminated the connection
- Try to make the libopenconnect build process more robust, and strip *.so
files to conserve space
v0.5 - 2014/02/01
- Fix "living dead" connections (can't pass data after reconnection due to
DTLS parameter mismatches)
- Add FAQ tab in response to user feedback
- Move log window into a tab
- Reorganize action bar so that the most important items (Status/Log/FAQ)
are tabs, and less important items (Settings/About) are in the menu
- Fix KeepAlive socket errors on KitKat devices
- Other UI and documentation fixes
- Add split tunnel configuration options
- Improve icons
v0.2 - 2014/01/18
- Allow SecurID token import via URI or text file
- Newly reworked "status" tab with uptime, error alerts, IP addresses,
etc.
- Fix a couple of bugs involving screen rotation / activity redraw on
the log window
- Prompt for hostname instead of profile name when adding a new VPN, to
help avoid "empty hostname" mistakes
- Numerous other UI improvements and fixes
- Remove "reconnect on boot" until it works properly
- Try to accommodate Linux CSD wrapper scripts starting with "#!/bin/bash"
FAQ
Q: What is this app used for?
A: OpenConnect is used to access virtual private networks (VPNs) which utilize the Cisco AnyConnect SSL VPN protocol. A typical use case might involve logging into your workplace remotely to check email after hours.
If in doubt, check with your I.T. administrator to see if a suitable service is available.
Q: How do I get started?
A: In most cases, you'll just need to create a profile and enter the hostname of the VPN gateway. The other fields in the profile are all optional and should be left alone unless there is a specific need to change them.
Once you've set up the profile, select the VPN entry and OpenConnect will attempt to establish a new session. If this fails, the "Log" tab may provide helpful diagnostic information.
Q: How do I authenticate using an SSL client certificate?
A: Copy your certificate files to Android's external storage directory (nominally /sdcard or the Downloads folder), then edit the VPN profile and make the following changes:
P12 or PFX file: select "User certificate", pick the file from the list, then touch "select". Leave "Private key" blank.
Single PEM/CRT/CER file: same as above.
Separate PEM/CRT/CER and KEY files: populate "User certificate" with the certificate file, and "Private key" with the key file.
When finished, delete the certificate files from external storage so they cannot be stolen by other apps.
If you are generating your own keys (e.g. for use with your ocserv gateway), some basic CA setup instructions are posted here.
Q: Will OpenConnect work with non-AnyConnect VPNs?
A: Unfortunately the software design is tied very closely to the AnyConnect requirements and the libopenconnect interfaces. Therefore it only works with Cisco AnyConnect and ocserv gateways.
Q: Will OpenConnect work with Cisco IPsec VPNs running on an ASA?
A: OpenConnect supports SSL VPN (CSTP + DTLS) only.
Q: How do I import a SecurID software token?
A: If you have a URL that starts with "com.rsa.securid.iphone://" or "http://127.0.0.1/securid/" in your email, click on it and tell OpenConnect to add it to the desired VPN profile. If you just have a raw token string then write it to a text file, copy it under /sdcard, click "Token string" in the VPN profile editor, then select the filename.
If you have an "sdtid" XML file, copy it to /sdcard and then import it.
Q: Is it possible to skip all login prompts when connecting?
A: If you have saved your username, password, or other credentials, or if you are using SecurID or certificate authentication, you can try enabling "Batch Mode" in the VPN profile to skip the login dialogs. If you need to change your saved password later or have trouble connecting, just disable batch mode.
The VPN warning dialog is a security feature built into the Android OS. It cannot be bypassed by OpenConnect, but if your device is rooted, you can try installing the Xposed Framework and then activating the Auto VPN Dialog Confirm module. Some notes on this are posted here.
Due to the user interaction required by these dialogs, it is not always possible to reliably start up the VPN in the background. So a "start-on-boot" feature is not currently provided.
Q: How do I improve battery life while the VPN is up?
A: One option is to select "Pause when asleep" under Settings. The downside is that VPN access will be temporarily stopped when the screen is off. Also, ASA gateways sometimes get annoyed with constant reconnections and may prematurely terminate your session after a few days.
Another option is to contact your server administrator and request that they disable dead peer detection (DPD), increase the idle timeout to >1hr, and increase the keepalive interval to ~5min or so.
Q: How do I use OpenConnect with AFWall+?
A: There are a few caveats to keep in mind when using an Android firewall with VPN:
* If you run KitKat, use Android 4.4.2 or higher and AFWall 1.2.8 or higher. Android 4.4 and 4.4.1 have a serious TCP MSS bug which causes stalled connections and/or poor performance. AFWall <=1.2.7 does not have the extra logic needed to handle the routing changes in KitKat.
* Always allow traffic from the VPN app on all interfaces. In particular, you should whitelist VPN traffic from OpenConnect, as OpenConnect sends DNS requests over the VPN interface every few minutes to help keep the connection from timing out.
Q: Are any apps incompatible with VPN?
A: Apps which perform their own DNS resolution, such as Firefox, may have issues picking up the latest system DNS settings when connecting to the VPN. This can be a problem if your system DNS servers are not accessible over the VPN's routes, or if you are trying to look up hostnames that do not have public (internet) DNS entries.
Q: Under what circumstances will OpenConnect request root?
A: There are two root-only features shown under Settings; both are disabled by default. One setting works around a ROM bug in CM9 which sets incorrect permissions on /dev/tun, preventing VpnService from passing traffic to the tunnel interface; the other setting loads tun.ko on ROMs that neglect to load it by default.
Based on user feedback and testing, future releases may autodetect these conditions.
Q: How do I send a problem report?
A: Navigate to Log -> (menu) -> Send log file. Please be sure to furnish a complete, accurate description of the issue you are seeing, as the logs do not always show a smoking gun.
TODO
Translations - I will set up the necessary infrastructure if there are volunteers
Compatibility testing
Add x509 certificate parsing/validation in the profile editor
Enable Android keystore support
Proxy support
Split tunnel DNS?
MISC
Using OpenConnect + ocserv (on a VPS) to bypass China's Great Firewall (GFW): link
XDA:DevDB Information
OpenConnect, App for the Android General
Contributors
cernekee
Source Code: https://github.com/cernekee/ics-openconnect
Version Information
Status: Testing
Created 2014-01-18
Last Updated 2015-02-21
Hello cernekee,
I was using smoothconnect on my note3 and it was working just fine, but now after I updated my note3 to kitkat it surfs only a couple of things like "play store", google search, and WhatsApp. But all other web sites and programs do not!!
Now I tried out this program "open connect" with some hope but nope, it does the same thing. It only opens play store and google search but no other things.
I wonder what causes this problem, any suggestions please??
msm88now said:
> Hello cernekee,
> I was using smoothconnect on my note3 and it was working just fine, but now after I updated my note3 to kitkat it surfs only a couple of things like "play store", google search, and WhatsApp. But all other web sites and programs do not!!
> Now I tried out this program "open connect" with some hope but nope, it does the same thing. It only opens play store and google search but no other things.
> I wonder what causes this problem, any suggestions please??
Sometimes an MTU or TCP MSS problem could cause this symptom. What kind of gateway are you connecting to? Are you the administrator?
Older versions of KitKat did have an MSS problem; I think 4.4.1+ is OK: https://code.google.com/p/android/issues/detail?id=61948
There are a few other outstanding problems on <= 4.4.2: http://www.androidpolice.com/2014/0...n-routing-fixes-are-planned-for-some-of-them/
Do you see the same problem connecting from other systems, like a Windows PC, or even the Cisco AnyConnect Android app?
Hi cernekee,
I have an openSSL Cisco vpn connection provided by my university, I hooked it with D-615 Dlink router through DHCP.
Cisco AnyConnect for Android does not work on our university network because it asks for a certificate which my uni does not provide. That's why I'm using smoothconnect.
Anyways, right now I have a flawless connection on all my devices on my room's wireless, like both my Win7 laptops and my galaxy S2 Android 4.1.2.
All work except my note 3 after I updated it to (4.4.2). I don't know if it's an IPv6 or MTU problem,
I tried to decrease MTU value in smoothconnect but with no success. As Cisco stated in: AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)
Any suggestions please???
msm88now said:
> Hi cernekee,
> I have an openSSL Cisco vpn connection provided by my university, I hooked it with D-615 Dlink router through DHCP.
> Cisco AnyConnect for Android does not work on our university network because it asks for a certificate which my uni does not provide.
I don't see this university's VPN requesting a certificate (i.e. SSL client cert). It just asks for a group/username/password.
Are you getting an error that says that the gateway is not licensed for mobile, after you enter your password?
> That's why I'm using smoothconnect.
> Anyways, right now I have a flawless connection on all my devices on my room's wireless, like both my Win7 laptops and my galaxy S2 Android 4.1.2.
> All work except my note 3 after I updated it to (4.4.2). I don't know if it's an IPv6 or MTU problem,
> I tried to decrease MTU value in smoothconnect but with no success. As Cisco stated in: AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)
> Any suggestions please???
Can you grab a packet capture when you're seeing the connectivity failures, and email me the result? e.g.
Code:
adb push tcpdump /data/local/tmp
adb shell
cd /data/local/tmp
su
chmod 755 tcpdump
./tcpdump -n -i tun0 -w out.pcap
Yes that's right, Cisco anyconnect asks only for username/password but when I try to start a connection it ends up with no license error!
That's why I'm using smoothconnect and now openconnect on both my Android phones.
Now for my problem, I didn't get what you mean by connectivity failure because I'm not getting any connectivity failure messages on my note3 after update to 4.4.2, neither on smoothconnect nor on openconnect. It connects as usual and I can see some traffic packets are being transferred but I can only surf google search, youtube and some other stuff like play store and WhatsApp. Whenever I try to surf any other website, like for example bbc news, the browser (chrome, opera, Dolphin..) just waits and then ends up with nothing like there is no internet connection!
Did I explain my problem clearly? Is it an IPv6 problem? I'm really confused and frustrated
msm88now said:
> Yes that's right, Cisco anyconnect asks only for username/password but when I try to start a connection it ends up with no license error!
OK. This is because the Cisco mobile clients look for an "X-CSTP-License: accept" header from the gateway after authenticating, to see if the operator has paid extra to support the Cisco mobile client. libopenconnect-based clients (including SmoothConnect) do not require this header.
> Now for my problem, I didn't get what you mean by connectivity failure because I'm not getting any connectivity failure messages on my note3 after update to 4.4.2, neither on smoothconnect nor on openconnect. It connects as usual and I can see some traffic packets are being transferred but I can only surf google search, youtube and some other stuff like play store and WhatsApp. Whenever I try to surf any other website, like for example bbc news, the browser (chrome, opera, Dolphin..) just waits and then ends up with nothing like there is no internet connection!
I can take a look at this to see what is happening. Just start up tcpdump to capture the tun0 traffic (see above instructions), then try visiting the BBC news site and maybe a few other non-working sites. Then hit control-C to interrupt tcpdump, make sure there is some data in the pcap file, and email me the pcap file.
cernekee said:
> I can take a look at this to see what is happening. Just start up tcpdump to capture the tun0 traffic (see above instructions), then try visiting the BBC news site and maybe a few other non-working sites. Then hit control-C to interrupt tcpdump, make sure there is some data in the pcap file, and email me the pcap file.
Hi,
I don't know how to make tcpdump on my note3, not to mention hitting the control-c on Android. What instruction did you mean?
msm88now said:
> I don't know how to make tcpdump on my note3, not to mention hitting the control-c on Android. What instruction did you mean?
Do you have a friend who is familiar with ADB, rooting phones, etc. who might be able to help out in person?
You could also try something like Shark for Root, or follow this video. Make sure you capture on the tun0 interface so that we can see what is happening on the VPN tunnel. If you capture from the wifi interface you'll still see traffic, but everything will be encrypted so it will not be possible to diagnose the failure.
I got it. First I rooted my note3 then I followed the instructions in the video and here it is, I hope it's what you asked me for. Waiting for your diagnosis, fingers crossed
msm88now said:
> I got it. First I rooted my note3 then I followed the instructions in the video and here it is, I hope it's what you asked me for. Waiting for your diagnosis, fingers crossed
According to this trace (partial screenshot attached), the Note 3 is advertising an MSS of 1460 bytes on IPv4 TCP connections. This looks abnormally high for a VPN interface; the other direction is using an MSS of 1380, which looks more realistic. The MSS for IPv4 would normally be the tun0 MTU minus 40 bytes. I am assuming this means the MSS is being computed from the 1500-byte wlan0/eth0 MTU, not the smaller tun0 MTU.
When Google fixed the MSS bug in Android 4.4.1, they left the following comments in the changelog:
Code:
commit ca5b4e8d0d8219273ecf0961ed6e8c47ab5d798a
Author: JP Abgrall <[email protected]>
Date: Wed Nov 20 17:27:01 2013 -0800
SecondaryTableController: force the MSS to match pmtu on TCP SYN
Without this change, the VPN sets up a tun/ppp that needs a small
MTU, and during TCP SYN the MSS will end up matching the outgoing iface
MTU which is potentially too big.
This leads to connection flakiness. The wrong MSS is visible by
tcpdump-ing on the tun/ppp device.
With this change, the MSS now is correct.
[b]It requires the kernel to be configured with
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
If kernel is not configured, it silently fails.[/b]
Bug: 11579326
Change-Id: I254d8c39435b92dff91931e461e1efb8b35f6b1e
Note the bolded sentences (emphasis mine). I suspect that your device is running the latest AOSP netd code that has the fix (if the ROM is indeed based on AOSP 4.4.1/4.4.2), but the kernel may be missing the TCPMSS target. If you see an error when running this command as root, it probably means that kernel support is missing:
Code:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN SYN -d 1.2.3.4 -j TCPMSS --clamp-mss-to-pmtu
Toward the bottom of the page on the original Android 4.4 MSS bug report I see a couple of reports from other Note 3 owners that the problem still isn't fixed for them, so it may be something particular to this device (such as the kernel configuration).
I do not see any evidence of IPv6 usage in your log, which rules out some of the known 4.4.2 VPN issues.
If this does turn out to be a kernel problem, you can try a custom kernel from XDA (assuming you can unlock your bootloader), or you could file a bug report with Samsung asking them to enable CONFIG_NETFILTER_XT_TARGET_TCPMSS=y in the next OTA update. From their end this is a simple, low-risk change.
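The MSS check described in the post above, as an added example (not part of the original post or of OpenConnect): it reads the MSS option from raw IPv4 SYN packets, as a tun0 capture would contain them, and flags any value larger than the tunnel MTU minus 40. The 1420-byte tunnel MTU, the addresses and the `build_syn` helper are assumptions constructed for the sample.

```python
import socket
import struct

IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def syn_mss(packet):
    """Return the MSS option of a raw IPv4 TCP SYN/SYN-ACK, or None otherwise."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                      # not IPv4, or not TCP
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                      # non-first fragment carries no TCP header
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    if ihl < 20 or len(tcp) < 20:
        return None
    data_offset = (tcp[12] >> 4) * 4
    if not tcp[13] & 0x02 or data_offset < 20 or len(tcp) < data_offset:
        return None                      # SYN flag clear, or truncated header
    opts, i = tcp[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                        # malformed option length, stop parsing
        if kind == 2 and opts[i + 1] == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None


def audit_syns(packets, tun_mtu):
    """List (source, mss, verdict) for every SYN; oversized means mss > MTU - 40."""
    limit = tun_mtu - IPV4_TCP_HEADERS
    findings = []
    for pkt in packets:
        mss = syn_mss(pkt)
        if mss is not None:
            src = socket.inet_ntoa(pkt[12:16])
            findings.append((src, mss, "oversized" if mss > limit else "ok"))
    return findings


def build_syn(src, dst, mss, flags=0x02):
    """Construct a sample IPv4 TCP segment with an MSS option (checksums zero)."""
    options = b"\x01\x01" + struct.pack("!BBH", 2, 4, mss) + b"\x01\x01"
    tcp = struct.pack("!HHLLBBHHH", 40000, 80, 1, 0, 7 << 4, flags,
                      65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed sample packets; only the MSS values 1460 and 1380 come from the post.
SAMPLE = [
    build_syn("10.0.0.2", "192.0.2.10", 1460),              # phone's SYN
    build_syn("192.0.2.10", "10.0.0.2", 1380, flags=0x12),  # server's SYN-ACK
    build_syn("10.0.0.2", "192.0.2.10", 1460, flags=0x10),  # plain ACK, ignored
]

if __name__ == "__main__":
    for src, mss, verdict in audit_syns(SAMPLE, tun_mtu=1420):  # assumed MTU
        print(f"{src} advertises MSS {mss}: {verdict}")
```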
cernekee said:
> Note the bolded sentences (emphasis mine). I suspect that your device is running the latest AOSP netd code that has the fix (if the ROM is indeed based on AOSP 4.4.1/4.4.2)
> Code:
> iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN SYN -d 1.2.3.4 -j TCPMSS --clamp-mss-to-pmtu
> Toward the bottom of the page on the original Android 4.4 MSS bug report I see a couple of reports from other Note 3 owners that the problem still isn't fixed for them, so it may be something particular to this device (such as the kernel configuration).
> I do not see any evidence of IPv6 usage in your log, which rules out some of the known 4.4.2 VPN issues.
> If this does turn out to be a kernel problem, you can try a custom kernel from XDA (assuming you can unlock your bootloader), or you could file a bug report with Samsung asking them to enable CONFIG_NETFILTER_XT_TARGET_TCPMSS=y in the next OTA update. From their end this is a simple, low-risk change.
As you can see in the attachment I applied the code with no error message. So in this case I assume I have no problem with the kernel? Right?
Then what causes the problem? And what can I do in order to solve it?
msm88now said:
> As you can see in the attachment I applied the code with no error message. So in this case I assume I have no problem with the kernel? Right?
> Then what causes the problem? And what can I do in order to solve it?
Can you connect to the VPN, try to access a few "bad" sites, and then post the full output from:
Code:
su
iptables -t mangle -nxvL
cernekee said:
> Can you connect to the VPN, try to access a few "bad" sites, and then post the full output from:
Here is the output after some bad sites access, I also repeated the previous code during an openconnect session. Hope it will help us.
msm88now said:
> Here is the output after some bad sites access
Hmm, on my KitKat device I have an st_mangle_POSTROUTING chain which does the TCPMSS clamping:
Code:
Chain st_mangle_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * tun0 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
I did not see this in your output. Maybe Samsung is using an outdated version of netd.
Try running this command as root after bringing up the VPN and see if you are able to pass traffic with the bad sites:
Code:
iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
If not, post the new "iptables -t mangle -nxvL" output so we can look at the traffic counters.
Also can you attach your /system/bin/netd binary?
Thanks.
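An added example (not from the thread or from netd) that automates the check made above: it scans `iptables -t mangle -nxvL` output for a TCPMSS clamp rule covering tun0 and reports whether it is missing, present but never hit, or matching traffic. The first listing reuses the chain quoted in the post; the other two listings and their counters are constructed.

```python
def find_mss_clamp(listing, iface="tun0"):
    """Return (chain, pkts, out_iface) for each TCPMSS clamp rule covering iface."""
    rules, chain = [], None
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            chain = fields[1]
            continue
        # Rule rows: pkts bytes target prot opt in out source destination [details]
        if len(fields) < 9 or not fields[0].isdigit():
            continue                     # column header or unrelated line
        target, out = fields[2], fields[6]
        if target == "TCPMSS" and "clamp to PMTU" in line and out in (iface, "*"):
            rules.append((chain, int(fields[0]), out))
    return rules


def diagnose(listing, iface="tun0"):
    """Classify the clamp state: 'missing', 'present-unused' or 'active'."""
    rules = find_mss_clamp(listing, iface)
    if not rules:
        return "missing"                 # no clamp rule was installed for iface
    if all(pkts == 0 for _, pkts, _ in rules):
        return "present-unused"          # rule exists, no SYN has matched yet
    return "active"


# Chain as quoted in the post above (counters at zero).
PAGE_CHAIN = """\
Chain st_mangle_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * tun0 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
"""

# Constructed: a mangle table with no clamp rule, the state suspected on the Note 3.
NO_CLAMP = """\
Chain POSTROUTING (policy ACCEPT 340 packets, 41200 bytes)
pkts bytes target prot opt in out source destination
5 300 MARK all -- * wlan0 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
"""

# Constructed: the same table after the manual rule was appended and SYNs matched.
MANUAL_CLAMP = """\
Chain POSTROUTING (policy ACCEPT 340 packets, 41200 bytes)
pkts bytes target prot opt in out source destination
12 720 TCPMSS tcp -- * tun0 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
"""

if __name__ == "__main__":
    for name, text in (("page chain", PAGE_CHAIN), ("no clamp", NO_CLAMP),
                       ("manual clamp", MANUAL_CLAMP)):
        print(f"{name}: {diagnose(text)}")
```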
cernekee said:
> Try running this command as root after bringing up the VPN and see if you are able to pass traffic with the bad sites:
> Code:
> iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Are you kidding me!! It really worked. After I ran the code I tried to access all the bad sites and all of them worked!! But not as fast as my other mobile SG2. I noticed that it takes noticeably much longer to access them. But still, it worked and it's fantastic!!
Anyways, I rebooted my note3 to see if it will work again but it turned out it didn't! I need to re-enter the code again to make it work. Now could you tell me what is my phone's problem exactly? Despite the re-entering issue I'm very happy that I finally can use internet on my note3 again thanks to you cernekee.
msm88now said:
> Anyways, I rebooted my note3 to see if it will work again but it turned out it didn't! I need to re-enter the code again to make it work. Now could you tell me what is my phone's problem exactly?
The ROM is supposed to add that rule automatically, but it doesn't.
If you attach your /system/bin/netd binary and output from "getprop" I'll try to figure out why.
cernekee said:
> The ROM is supposed to add that rule automatically, but it doesn't.
> If you attach your /system/bin/netd binary and output from "getprop" I'll try to figure out why.
Here I attached them.
I posted a problem report on Samsung's support forum:
http://developer.samsung.com/forum/...&messageId=259244&listLines=15&startId=zzzzz~
Works like a charm with the latest Slimkat on Nexus 4. Thanks a lot!
Just add a widget to one-click connect from the launcher and it will be the best VPN app that I've used.
Today I have a Tasker task to launch AnyConnect with a URI and simulate screen touches to automate my connection.
@ edit :
Is there a way to not have the attached screen?
