OK so I've pretty much found the problem, I just need some help finding the solution.
OK so using my kernel I booted up on cursor's ROM and then booted up on my Super D ROM and took an adb logcat of both starting up the camera. My kernel isn't the problem as it loaded cursor's fine. I copied libhtc_acoustic, libcamera, libqcamera, and libcameraservice from cursor's ROM.
OK so here's the difference in adb logcat. Both ROMs make it to
Code:
V/QualcommCameraHardware( 41): setParameters: X mCameraState=1
fine, but on the next line the working one says
Code:
V/CameraThread( 491): START_PREVIEW - Camera setPreviewDisplay()
and the broken one says
Code:
V/camera ( 340): startPreview
I looked back and I found that the working one had a chunk of V/CameraThread lines that the broken one didn't.
So basically I just need to figure out what file is missing that executes CameraThread (correct me if I'm wrong).
I've uploaded the logcats if you're interested.
OK so I tested with the libs from RA's ROM (a Donut ROM for radio 6.22) and the line that was broken in the other code seems to be working now. Could anyone running RA's ROM post the logcat of them starting up the camera so I can compare? Uploading logcat now.
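The comparison described in the post above (find the tags and lines that appear in the working logcat but not the broken one) can be automated. The script below is an added example, not code from the poster; the two log excerpts it works on are constructed here, modelled on the lines quoted above, and are not the attached logcat files. It parses the brief logcat format (`priority/tag( pid): message`), reports tags present in only one run, collects the error lines of the broken run, and pulls out the first device node that failed to open.

```python
import re
from collections import Counter

# Constructed sample excerpts (NOT the thread's attachments): a working run and a
# broken run of the camera start-up, modelled on the lines quoted in the post.
WORKING_LOG = """\
V/QualcommCameraHardware(   41): setParameters: X mCameraState=1
V/CameraThread(  491): START_PREVIEW - Camera setPreviewDisplay()
V/CameraThread(  491): START_PREVIEW - Camera startPreview()
V/QualcommCameraHardware(   41): startPreview E
"""
BROKEN_LOG = """\
V/QualcommCameraHardware(   56): setParameters: X mCameraState=1
V/camera  (  340): startPreview
E/QualcommCameraHardware(   56): startCamera X: /dev/msm_camera/control0 open failed: No such file or directory!
E/QualcommCameraHardware(   56): ioctl error. camfd=-1, type=21, length=4, rc=-1, ctrlCmd.status=49168, Bad file number
E/QualcommCameraHardware(   56): startPreview X initPreview failed. Not starting preview.
"""

# Brief logcat format: <priority>/<tag>(<pid>): <message>
LINE_RE = re.compile(r"^([VDIWEF])/(.*?)\s*\(\s*(\d+)\):\s?(.*)$")


def parse_logcat(text):
    """Return a list of (priority, tag, pid, message); lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prio, tag, pid, msg = m.groups()
            entries.append((prio, tag.strip(), int(pid), msg))
    return entries


def tag_counts(entries):
    """How many lines each tag emitted in a run."""
    return Counter(tag for _, tag, _, _ in entries)


def compare_runs(good_text, bad_text):
    """Tags seen only in the good run, only in the bad run, and the bad run's error messages."""
    good, bad = parse_logcat(good_text), parse_logcat(bad_text)
    good_tags, bad_tags = tag_counts(good), tag_counts(bad)
    return {
        "only_in_good": sorted(set(good_tags) - set(bad_tags)),
        "only_in_bad": sorted(set(bad_tags) - set(good_tags)),
        "errors_in_bad": [msg for prio, _, _, msg in bad if prio == "E"],
    }


def first_missing_device(entries):
    """Path of the first '<path> open failed: No such file or directory' message, or None."""
    for _, _, _, msg in entries:
        m = re.search(r"(\S+) open failed: No such file or directory", msg)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    result = compare_runs(WORKING_LOG, BROKEN_LOG)
    print("tags only in working run:", result["only_in_good"])
    print("tags only in broken run:", result["only_in_bad"])
    print("missing device node:", first_missing_device(parse_logcat(BROKEN_LOG)))
```

Run it against two real captures by replacing the constructed strings with the contents of the two logcat files; a tag that exists only in the working run (here `CameraThread`) points at the component that never started, and the missing device node tells you which kernel driver or udev/init entry to check next.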
Looks to me like the problem with this one is caused by msm_camera.
When it says no such file in /dev and so on, where is that? Anyone know how I can take a look at that area of stuff?
Code:
E/QualcommCameraHardware( 56): startCamera X: /dev/msm_camera/control0 open failed: No such file or directory!
E/QualcommCameraHardware( 56): ioctl error. camfd=-1, type=21, length=4, rc=-1, ctrlCmd.status=49168, Bad file number
E/QualcommCameraHardware( 56): ioctl error. camfd=-1, type=15, length=4, rc=-1, ctrlCmd.status=49224, Bad file number
E/QualcommCameraHardware( 56): ioctl error. camfd=-1, type=14, length=4, rc=-1, ctrlCmd.status=49296, Bad file number
...
E/QualcommCameraHardware( 56): ioctl error. camfd=-1, type=21, length=4, rc=-1, ctrlCmd.status=50224, Bad file number
E/QualcommCameraHardware( 56): ioctl error. camfd=-1, type=15, length=4, rc=-1, ctrlCmd.status=50416, Bad file number
E/QualcommCameraHardware( 56): ioctl error. camfd=-1, type=14, length=4, rc=-1, ctrlCmd.status=50352, Bad file number
...
E/QualcommCameraHardware( 56): register_buf: MSM_CAM_IOCTL_(UN)REGISTER_PMEM fd -1 error Bad file number
E/QualcommCameraHardware( 56): register_buf: MSM_CAM_IOCTL_(UN)REGISTER_PMEM fd -1 error Bad file number
E/QualcommCameraHardware( 56): register_buf: MSM_CAM_IOCTL_(UN)REGISTER_PMEM fd -1 error Bad file number
E/QualcommCameraHardware( 56): register_buf: MSM_CAM_IOCTL_(UN)REGISTER_PMEM fd -1 error Bad file number
E/QualcommCameraHardware( 56): ioctl error. camfd=-1, type=1, length=28, rc=-1, ctrlCmd.status=13297, Bad file number
E/QualcommCameraHardware( 56): startPreview X initPreview failed. Not starting preview.
Thanks for your time
Sphaerophoria
Maybe sanpei could help with this. He was able to make the camera work on 6.35 radio.
Did some hard searching and still no luck... I'm sure it's not a kernel problem as I tested it with other working kernels out there. Any chance that it could be some other file located around the system somewhere?
See, I got thinking that maybe there is some file that is specific to 32A ROMs that seems to make the camera work, since ROMs built from the AOSP (Sanpei's) or dumped from 32A models (Fender) seem to have no problem.
I'm beginning to think maybe there is more to porting than we originally thought.
skittleguy said:
See, I got thinking that maybe there is some file that is specific to 32A ROMs that seems to make the camera work, since ROMs built from the AOSP (Sanpei's) or dumped from 32A models (Fender) seem to have no problem.
I'm beginning to think maybe there is more to porting than we originally thought.
Ya I saw that post but didn't know how to contribute, sorry. Ya I tried to replace the camera libs with the ones from the Fender but it didn't boot... maybe I'll try that again and look at the logcats properly... I know that's not really what you were telling me to do but it just sparked my mind.
Same error... that's a shame.
Bounty Link:
Use this to donate to the project itself for all of those involved in the hard work: Jface, Doniqq, and myself.
Bugs List (Last updated 9/5/11)
Code:
-FFC Squished on some versions
-FFC rotated 90 Degrees CW on V1.5 & Up
-FFC @ Full Res Video still shows green boxes (missing libs?)
Update (9/5/11): LG Cam V3.0 -Major Fixes in this one
Testing now... if all goes well expect update package shortly. 2:42AM EST
Stitch Shot: Confirmed working
Panorama Shot: Confirmed Working
Continuous Shot: Confirmed Working
Zoom while recording Video in all modes : Confirmed working
Touch to focus : Confirmed Working
Taking Pictures in portrait flipped : Confirmed working
Recording at 1080P @ 24 FPS / 720P @ 30 FPS : Confirmed Working
Download LG Cam V3.0: Here
Update (8/5/11): LGCam V1.5 - Fixed for Real This Time - for the trolls I mean the update package
Download LGCam V1.5: Here
THIS WILL NOT WORK ON CM7 OR ANYTHING BASED ON CM7/AOSP FOR NOW
Restore AOSP/OTA GB Cam
V1.4
Don't want to talk about it
Code:
V1.5 Updates:
-Fixed ZIP Package, now flashable, I promise (Damn Signtool replaced the com folder :/) :o
-Fixed 1080P @ 24FPS/30 FPS same as stock FROYO
-Fixed Zoom while recording Video
- Stock Cam Icon
- Still needs to fix FFC
-Enjoy, Report any bugs in the thread
-Donate and help me buy a bottle of Belvedere Black:)
V1.4
Burning in hell somewhere
flak0 said:
Hey Devs and of course Doniqq, first off amazing work on EB, I love it. I'm using the FR version. Ok so basically I am posting this thread because I figured out for sure why the LG Camera will not work on GB. It is not a lack of drivers like everyone has said. Basically when the Camera.apk (LG Camera) is launched it looks for libamce.so (I figured this out by reverse engineering the LG Camera and found the reference on where it looks for the shared library libamce.so). I went ahead and tried to push the LG Camera with the libamce.so yet still got a force close; this time the error was a reloc library error looking for a _NZCamera6Connect function. I then went ahead and decompiled the libamce.so and found that it depends on libnvomx.so, then I decompiled libnvomx.so and found that it depends on libm.so, then I tried pushing all three libs to GB and still got a force close. After digging deep enough I found that libm.so depends on libcamera_client.so which I also decompiled and then I found the _NZCamera6Connect function is contained here. I attempted to push the libcamera_client.so to GB and boot failed, then I tried editing the update-zip file to include the libcamera_client.so (from Froyo) and boot also failed. I am positive that once we get this libcamera_client.so ported from Froyo to GB the LG Camera will work. Luckily there is no dependency on the framework. This is where I need your help since I know you're the dev who made EB possible, or any dev that's out there, Faux, Morific. Thanks.
Here is the header of the decompiled libamce.so just in case:
I'm no dev, but I just want to thank you for continuing to try and bring the LG cam to Gingerbread. Hopefully a dev will gladly help you out with this issue. Once again thank you for taking the time to try and get this hard headed app to work.
Sent from my LG-P999 using XDA Premium App
[deprecated as of 9/5/11 - history of LG cam on GB]
Update (8/3/11): LG CAM for CM7 removed until fixed. Too many people were flashing on MIUI and CM7 Based ROMS
New Version for Stock OTA based ROMS coming out tonight.
Proposed fixes include -> 24/30 FPS @ 1080P and Zoom while video recording
Also moved some of the original OP two posts down to clean up the OP.
Update(8/2/11): LG Cam for CM 7 Beta
Below is what you have all been asking for, it is a beta of LG Cam for CM7. If you are willing to take the risk go ahead and flash BUT FIRST MAKE SURE YOU NANDROID. I have also attached CM7 Cam again if it fails to work and/or if you wish to go back. Please update the thread with any errors, logcats preferred.
Edit: Update(8/2/11 @ 4:42AM EST) below.
I was able to Port the LGE folder from GB to CM7 into the framework successfully however now when I open the CAM I am getting a null pointer exception. Anyone willing to help here please.
Code:
I/ActivityManager( 1074): Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.android.camera/.ArcCamera } from pid 1279
I/ActivityManager( 1074): Start proc com.android.camera for activity com.android.camera/.ArcCamera: pid=3750 uid=10034 gids={1006, 1015}
D/ ( 984): NVRM_DAEMON(819): rt_exist=2, add client ref
D/ ( 984): set continue (1280x960)
D/ ( 984): set continue (1280x1024)
D/ ( 984): set continue (1280x1024)
D/ ( 984): set continue (1360x768)
D/ ( 984): set continue (1440x900)
D/ ( 984): set continue (1680x1050)
D/ ( 984): set BetterMode (1280x720)
D/ ( 984): set BetterMode (1920x1080)
D/ ( 984): set BetterMode (1280x720)
D/ ( 984): set BetterMode (1920x1080)
D/ ( 984): set BetterMode (1920x1080)
D/ ( 984): set BetterMode (1920x1080)
D/ ( 984): set BetterMode (1920x1080)
I/WindowManager( 1074): Setting rotation to 1, animFlags=1
I/ActivityManager( 1074): Config changed: { scale=1.0 imsi=310/260 loc=en_US touch=3 keys=1/1/2 nav=1/1 orien=2 layout=34 uiMode=17 seq=7 themeResource=null}
I/PowerWidget( 1243): Clearing any old widget stuffs
I/PowerWidget( 1243): Setting up widget
I/PowerWidget( 1243): Default buttons being loaded
I/PowerWidget( 1243): Button list: toggleWifi|toggleBluetooth|toggleGPS|toggleSound
I/PowerWidget( 1243): Setting up button: toggleWifi
I/PowerWidget( 1243): Setting up button: toggleBluetooth
I/PowerWidget( 1243): Setting up button: toggleGPS
I/PowerWidget( 1243): Setting up button: toggleSound
D/szipinf ( 3750): Initializing inflate state
I/===ArcCamera=== 1.1.0.1( 3750): Performance log:Load so2011-08-02 08:36:10.376 cost:6ms
I/===ArcCamera=== 1.1.0.1( 3750): Performance log:Launch camera
major update 7/28/11
Working LG cam on 2.3.3 OTA & xborders stock ROM (huge thanks to jumaaneface). Once the cam is confirmed working on CM7 & AOSP the bounty will be paid. I will also be looking into the actual cam app by decompiling source to see if we can fix the 1080p recording to make it record at 30 fps.
Again thanks to all the supporters and to jumaaneface who made this possible.
update (7/27/11): Bounty increased to $100.00 thanks to:
eleeo037037: $10
adevilfish: $10
bakedpatato: $5.00
major update (7/26/11)
Since the OTA is official and the LG cam is not contained I am starting a bounty at $75.00 for the first person who can figure this out. I have tried numerous attempts using different approaches to no avail. There are others in the thread who mentioned they will also put up a bounty. I alone will pay $75.00 plus whatever anyone else decides to throw in the pot.
update 3 (7/22/11): Attempted again to change some files in the framework and upon boot logcat threw an error for missing decl from the camera$files in the framework. I pushed the libcamera_client.so from Froyo and then the message changed to this:
Code:
i//system/xbin/busybox( 1015): Sysctl: /etc/sysctl.conf: No such file or directory
i//system/xbin/busybox( 1015): -k: No such file or directory
i//system/xbin/busybox( 1015): [: 61m: Bad number
update 2 (7/22/11): Flashing EB 1.0.5 GR v21e ROM with modified framework and it failed, so I pushed libcamera_client.so and it failed, error below
Code:
- waiting for device -
--------- beginning of /dev/log/main
i/netd ( 1018): Netd 1.0 starting
--------- beginning of /dev/log/system
i/vold ( 1017): Vold 2.1 (the revenge) firing up
d/vold ( 1017): Usb_configuration switch is not enabled in the kernel
d/vold ( 1017): Volume extsdcard state changing -1 (initializing) -> 0 (no-media)
d/vold ( 1017): Volume sdcard state changing -1 (initializing) -> 0 (no-media)
d/vold ( 1017): Volume extsdcard state changing 0 (no-media) -> 1 (idle-unmounted)
w/vold ( 1017): Duplicate state (1)
d/vold ( 1017): Volume sdcard state changing 0 (no-media) -> 1 (idle-unmounted)
w/vold ( 1017): Duplicate state (1)
w/vold ( 1017): Duplicate state (1)
i/debug ( 1019): Debuggerd: Jul 15 2011 10:15:43
d/ ( 1029): Open is ok, now, we are in user_land!
D/ ( 1029): Set continue (1280x960)
d/ ( 1029): Set continue (1280x1024)
d/ ( 1029): Set continue (1280x1024)
d/ ( 1029): Set continue (1360x768)
d/ ( 1029): Set continue (1440x900)
d/ ( 1029): Set continue (1680x1050)
d/ ( 1029): Set bettermode (1280x720)
d/ ( 1029): Set bettermode (1920x1080)
d/ ( 1029): Set bettermode (1280x720)
d/ ( 1029): Set bettermode (1920x1080)
d/ ( 1029): Set bettermode (1920x1080)
d/ ( 1029): Set bettermode (1920x1080)
d/ ( 1029): Set bettermode (1920x1080)
d/kipc ( 1020): Kipc_init()
d/kipc ( 1020): Address is 127.0.0.1, port is 45211
d/kipc ( 1020): Binding...
D/kipc ( 1020): Listening...
D/kipc ( 1020): Accepting...
D/ganril ( 1020): Gan ril starting
d/ganril ( 1020): Entering main loop
d/ganat ( 1020): 65 6e 74 65 72 69 6e 67 20 6d 61 69 6e 4c 6f 6f
d/ganat ( 1020): 70 28 29
d/ganat ( 1020): Gan_at_open
d/ganpsat ( 1020): Gan_ps_at_open
d/ganat ( 1020): Additional logging enabled. Going to call readline()
d/ganat ( 1020): Readline
d/ganat ( 1020): Readline : Before read
i/ ( 1030): Screencaptured accept lsocket: 9
i/vold ( 1017): Usb_mass_storage function disabled
e/netlinkevent( 1017): Netlinkevent::findparam(): Parameter 'switch_name' not found
e/netlinkevent( 1017): Netlinkevent::findparam(): Parameter 'switch_state' not found
w/vold ( 1017): Switch /devices/virtual/switch/usb_mass_storage event missing name/state info
i/rescuestarter( 1026): Rescuestarter 6.3.274 starts
i/rescuestarter( 1026): Ready, waiting for connection
e/netlinkevent( 1017): Netlinkevent::findparam(): Parameter 'switch_name' not found
e/netlinkevent( 1017): Netlinkevent::findparam(): Parameter 'switch_state' not found
w/vold ( 1017): Switch /devices/virtual/switch/usb_mass_storage event missing name/state info
i//system/xbin/busybox( 1015): Sysctl: /etc/sysctl.conf: No such file or directory
i//system/xbin/busybox( 1015): -k: No such file or directory
i//system/xbin/busybox( 1015): [: 61m: Bad number
i/vold ( 1017): Usb_mass_storage function enabled
d/vold ( 1017): Share method ums now available
i//system/xbin/busybox( 1015): Mount: Invalid argument
i//system/xbin/busybox( 1015): Run-parts: /system/etc/init.d/10ext4tuneup exited with code 255
i//system/xbin/busybox( 1015): Starting automatic zipalign 07-22-2011 22:21:12
i//system/xbin/busybox( 1015): Zipalign: Not found
i//system/xbin/busybox( 1015): Zipalign already completed on /data/app/*.apk
i//system/xbin/busybox( 1015): Zipalign: Not found
i//system/xbin/busybox( 1015): Zipalign already completed on /system/app/accountandsyncsettings.apk
i//system/xbin/busybox( 1015): Zipalign: Not found
i//system/xbin/busybox( 1015): Zipalign already completed on /system/app/applicationsprovider.apk
i//system/xbin/busybox( 1015): Zipalign: Not found
i//system/xbin/busybox( 1015): Zipalign already completed on /system/app/bluetoothopp.apk
i//system/xbin/busybox( 1015): Zipalign: Not found
i//system/xbin/busybox( 1015): Zipalign already completed on /system/app/bluetoothpbap.apk
i//system/xbin/busybox( 1015): Zipalign: Not found
update 7/22/11 - working on patching and porting elements from the Froyo framework to GB
(image attachment: http://forum.xda-developers.com/attachment.php?attachmentid=662618&stc=1&d=1311355083)
(7/21/11) major update: LG releases stock GB ROM v21e, however LG cam is not on board. This thread will continue until we can successfully port the LG cam to GB.
update 7/20/2011:
Status update: Spoke with Doniqq via PM, he is working hard for us (so please thank him) to port the LG cam from Froyo to GB. I am going to take another stab at this tonight and check 1 more thing. For those that had/have the Nexus 1, I was the one who successfully ported the CM camera to Rodriguez MIUI when everyone thought it was impossible. I am pretty sure the framework.jar is not part of this, however when I moved the CM7 cam to MIUI I did modify the framework, so I will take a look at this tonight before ruling it out completely.
Here is the header of the decompiled libamce.so just in case:
Code:
.plt:000459f4 ;
.plt:000459f4 ; +-------------------------------------------------------------------------+
.plt:000459f4 ; | this file has been generated by the interactive disassembler (ida) |
.plt:000459f4 ; | copyright (c) 2009 by hex-rays, |
.plt:000459f4 ; | license info: B3-ada1-9d85-df |
.plt:000459f4 ; | licensed user |
.plt:000459f4 ; +-------------------------------------------------------------------------+
.plt:000459f4 ;
.plt:000459f4 ; input md5 : 2ebb5ff4c8e8cf34c40ffc3aed9e8042
.plt:000459f4
.plt:000459f4 ; ---------------------------------------------------------------------------
.plt:000459f4 ; file name : C:\users\flak0-hpn3\downloads\libamce.so
.plt:000459f4 ; format : Elf (shared object)
.plt:000459f4 ; imagebase : 8000
.plt:000459f4 ; needed library 'libcamera_client.so'
.plt:000459f4 ; needed library 'libsurfaceflinger_client.so'
.plt:000459f4 ; needed library 'libui.so'
.plt:000459f4 ; needed library 'liblog.so'
.plt:000459f4 ; needed library 'libcutils.so'
.plt:000459f4 ; needed library 'libutils.so'
.plt:000459f4 ; needed library 'libhardware.so'
.plt:000459f4 ; needed library 'libmedia.so'
.plt:000459f4 ; needed library 'libandroid_runtime.so'
.plt:000459f4 ; needed library 'libc.so'
.plt:000459f4 ; needed library 'libm.so'
.plt:000459f4 ; needed library 'libstdc++.so'
.plt:000459f4 ; needed library 'libdl.so'
.plt:000459f4 ; needed library 'libbinder.so'
.plt:000459f4 ; needed library 'libskia.so'
.plt:000459f4 ; needed library 'libicuuc.so'
.plt:000459f4 ; needed library 'libegl.so'
.plt:000459f4 ; needed library 'libnvomx.so'
.plt:000459f4 ;
.plt:000459f4 ; eabi version: 5
.plt:000459f4 ;
.plt:000459f4
Anybody try contacting faux or morfic to see if they could take a look? They are both very cool guys. I can talk to them if you want.
I have a silly question. If you use Titanium Backup and restore the LG camera, would that work? If not, why?
I contacted both of them plus numerous devs.
jdkackley said:
Anybody try contacting faux or morfic to see if they could take a look? They are both very cool guys. I can talk to them if you want.
Sent from my LG-P999 using XDA App
ClausMontoya said:
I have a silly question. If you use Titanium Backup and restore the LG camera, would that work? If not, why?
I know it won't work but I couldn't tell you why. I thought the same thing and have tried it.
bls2633 said:
I know it won't work but I couldn't tell you why. I thought the same thing and have tried it.
Doesn't Titanium just back up the apk file and not the compiled shared object?
Even so it'd be scary to think that it would somehow overwrite shared objects, potentially breaking the OS.
ClausMontoya said:
I have a silly question. If you use Titanium Backup and restore the LG camera, would that work? If not, why?
I believe that what has been explained above is that there are libraries that the apk depend on to function that are not available on CM7 at the moment. (I could be wrong though)
Yeah, it's a similar reason: if you back up DSP Manager from CM7 and try to install it on stock it will basically do nothing.
Hey everyone, I am still waiting for some devs to respond. Doniqq said he would take a look and let me know. We are 90% to having the LG Cam on GB.
If anyone else is good with shared objects in Android let me know.
Can you post the libcamera_client.so decompiled?
In theory this should be fairly simple to compile under gingerbread.
Scyth3 said:
Can you post the libcamera_client.so decompiled?
In theory this should be fairly simple to compile under gingerbread.
I can post it but I don't think it will compile. Remember I used a decompiler to reveal the source.
Sent from my LG-P999 using XDA App
I'll join in on this when I get home later. Has anyone tried contacting LG? They seem pretty reasonable.
Nah, he means like talking to them about the camera drivers and whatnot. I'm sure he won't say he's trying to convert their Froyo camera app to work with Gingerbread lol, they should be pretty reasonable.
Yeah that's what I meant. I figure if there's something we need they might be able to help us. OP PM me
Status Update: 7/20/2011 US EST
Status Update: Spoke with Doniqq via PM he is working hard for us (so please thank him) to port the LG Cam from Froyo to GB. I am going to take another stab at this tonight and check 1 more thing. For those that had/have the Nexus 1, I was the one who successfully ported the CM Camera to Rodriguez MIUI when everyone thought it was impossible. I am pretty sure the framework.jar is not part of this however when I moved the CM 7 cam to MIUI I did modify the framework, so I will take a look at this tonight before ruling it out completely.
Thank you everyone, your thank-yous motivate that much more. I will keep you updated.
Sent from my LG-P999 using XDA App
It's solved because I believe the reason why the LG cam won't work has been found, and the culprit is the libcamera_client.so from Froyo to Gingerbread. It now requires the work of a dev to port. Just saying.
Sent from my LG-P999 using XDA App
Thanks to Chuckhriczko who is also jumping on board to help.
Faux responded and respectfully informed me that he is working on several projects however if he has some spare time he will take a look for us.
Sent from my LG-P999 using XDA App
Hello folks,
This thread is about sharing tricks about porting Android on new devices, and in particular how to reverse-engineer proprietary files with specific tools. Specifically, I'll use my experience on the camera part of the HTC ChaCha as an example.
Prerequisites
Install or reinstall the stock ROM
Make sure your device is rooted. If not, you might need to unlock the bootloader (for example, with the XTC Clip for HTC phones), install ClockworkMod and finally flash the Superuser package. There are many tutorials elsewhere on this so be sure to use the search button
Install adb from the SDK and (if using Windows) the required drivers for communicating with adbd on the phone or tablet. For HTC phones, here is a direct link to the driver: http://goo-inside.me/tools/USB_driver_20101122_release.zip
Modify your PATH so that adb is in it (optional but useful)
Install the NDK. Go into clockworkmod, run "adb shell mount /system", then "adb push /opt/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/gdbserver /system/bin/" and finally "adb shell chmod 755 /system/bin/gdbserver".
You will need to replace the path to gdbserver above with the correct path to your NDK installation.
Make a CWM backup of the stock ROM, so that you can switch easily between stock and your CyanogenMod / AOSP build.
Install the free evaluation version of IDA Pro, see http://www.hex-rays.com/products/ida/support/download_demo.shtml
The general idea
We mostly use binary libraries from the stock ROM, so the important part is to understand how to communicate with them properly.
Note: the exception is the Linux kernel, because we don't use binary kernels from stock ROMs in CM7 and AOSP as they are generally incompatible and lack features (overclocking, pure bluetooth stack, ...). I'll probably make another thread about hacking kernel sources.
So we have to understand how things communicate with each other & the order and content of messages that are passed between components of the system. Reading the sources of Android is generally the best way to begin, to trace the interactions from the Java side of things up to the kernel.
Reverse-engineering of APKs with apktool, dex2jar & jd-gui
I'll complete this part shortly.
Static reverse-engineering of libcamera.so
In the case of the camera, a quick analysis of the source shows the Camera application uses the android.hardware.Camera class, which is mostly a bridge to the C++ file android_hardware_Camera.cpp, itself another bridge to libcamera_client, which in turn calls the camera service inside the process "mediaserver" through a Binder (an Android-specific IPC mechanism). This architecture in theory allows concurrent access to the camera (but who does that?)
So the actual part that talks to the hardware is in libcameraservice, loaded by mediaserver at runtime. Examining the code in CameraService.cpp shows that it communicates with the proprietary libcamera.so through a C++ interface, CameraHardwareInterface.h.
This is where the stuff from HTC in the ChaCha starts to diverge from the original Android sources. Loading libcamera.so in IDA Pro allows us to look at the actual CameraHardwareInterface virtual table. It is actually easy to locate in IDA by searching for " `vtable for'android::QualcommCameraHardware". However IDA does not automatically detect that it is a table of function pointers, so use Edit->Array with a size of 46 and an entry size of 4 (the size of a pointer).
By manually comparing the list of pointers to the CameraHardwareInterface.h in the CM7 sources, one can see two functions that can be added with the USE_GETBUFFERINFO define in BoardConfig.mk: getBufferInfo and encodeData. There is however a third function not present in CameraHardwareInterface.h, setFaceDetectionState(), just after getParameters(). Thus we have to add this function to CameraHardwareInterface.h so that the virtual table matches the one in libcamera.so.
Now it's also interesting to compare the list of symbols between libraries from different ROMs. In this case, we can try to extract the camera parameters in HTC's ROM, and see if they match the symbols in CM7. The supported list of parameters is provided in libcamera_client.so. Use the program objdump from the NDK to retrieve the list of symbols and have them sorted (if using Windows, you'll need Cygwin):
Code:
/opt/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/arm-linux-androideabi/bin/objdump -T libcamera_client-cm7.so |cut -d '_' -f 2- > sym-camera_client-cm7
/opt/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/arm-linux-androideabi/bin/objdump -T libcamera_client-htc.so |cut -d '_' -f 2- > sym-camera_client-htc
diff -u sym-camera_client-cm7 sym-camera_client-htc
There are a bunch of new interesting symbols not present in CM7. Some of them seem related to HTC's Ola face detection engine, whilst others are unknown:
Code:
+ZN7android16CameraParameters27KEY_PREVIEW_FRAME_RATE_MODEE
+ZN7android16CameraParameters16KEY_CAPTURE_MODEE
+ZN7android16CameraParameters17KEY_PICTURE_COUNTE
+ZN7android16CameraParameters27KEY_MAX_BURST_PICTURE_COUNTE
+ZN7android16CameraParameters19KEY_TOUCH_INDEX_AECE
+ZN7android16CameraParameters18KEY_TOUCH_INDEX_AFE
+ZN7android16CameraParameters16KEY_SCENE_DETECTE
+ZN7android16CameraParameters26KEY_SUPPORTED_SCENE_DETECTE
+ZN7android16CameraParameters23KEY_TAKING_PICTURE_ZOOME
+ZN7android16CameraParameters22KEY_SELECTABLE_ZONE_AFE
+ZN7android16CameraParameters32KEY_SUPPORTED_SELECTABLE_ZONE_AFE
...
Debugging libcamera.so
At this point it would be a bit time-consuming to statically check all code paths within the stock ROM to see what parameters are actually used when taking a normal picture. An easier way is to break into the setParameter function within libcamera to inspect the arguments at runtime. We'll use gdb for this.
Run "adb forward tcp:1234 tcp:1234" to forward the TCP port used by gdbserver. Then run an adb shell, then "su" to become root, then list the processes with "ps", and finally run "gdbserver :1234 --attach <pid of mediaserver>".
Not on the phone, but on the host, extract the libraries and mediaserver, then run gdb:
Code:
mkdir lib
cd lib
adb pull /system/lib
adb pull /system/bin/mediaserver
adb pull /system/bin/linker
/opt/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi-gdb mediaserver
In the gdb command prompt, enter "set height 0", "set solib-search-path ./" and then "target remote 127.0.0.1:1234". gdb should then show the loading of all .so files, such as "Reading symbols from /root/chacha/system/lib/libarimedia.so...(no debugging symbols found)...done.". Sometimes nothing is shown; if so start over (exit gdb, reattach gdbserver, restart gdb).
Now we can set breakpoints on the functions that interest us. Open libcamera.so in IDA Pro, also have a look at the list of symbols with objdump -T. The following functions are of particular interest:
Code:
_ZN7android16CameraParameters3setEPKci
_ZN7android16CameraParameters3setEPKcS2_
In the ARM binary calling convention, parameters are passed in registers r4 to r8 (instead of say, 32-bit x86 where parameters are pushed on the stack). Let's examine what they point to at runtime:
Code:
(gdb) break _ZN7android16CameraParameters3setEPKci
Breakpoint 5 at 0xaba8eef4
(gdb) break _ZN7android16CameraParameters3setEPKcS2_
Breakpoint 6 at 0xaba8ed14
(gdb) cont
Continuing.
[New Thread 923]
[Switching to Thread 923]
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
(gdb) x/1s $r4
0xaba9100c <_ZN7android16CameraParameters16KEY_PREVIEW_SIZEE>: "preview-size"
(gdb) x/1x $r5
0xafd4d6e8 <__stack_chk_guard>: 0x10997eaa
(gdb) x/1s $r5
0xafd4d6e8 <__stack_chk_guard>: "�~\231\020"
(gdb) x/1s $r6
0x411139cc: "640x384"
(gdb) x/1s $r7
0x30d0c: "h8��\210\f\003"
(gdb) x/1s $r8
0xa811d251 <__dso_handle+512417>: "�\205h\203�\ahFh�h����"
(gdb) cont
Continuing.
So we see the first parameter is passed in r4 and the second in r6. Likewise, for breakpoint 5 we can examine the registers and see the parameters r7 and r5. Now let's enable logging and automatically dump the arguments each time a breakpoint is hit, then resume execution:
Code:
(gdb) set logging on
Copying output to gdb.txt.
(gdb) commands 5
Type commands for when breakpoint 5 is hit, one per line.
End with a line saying just "end".
>x/1s $r7
>x/1s $r5
>cont
>end
(gdb) commands 6
Type commands for when breakpoint 6 is hit, one per line.
End with a line saying just "end".
>x/1s $r4
>x/1s $r6
>cont
>end
Finally, here are the juicy bits we wanted:
Code:
(gdb) cont
Continuing.
Breakpoint 5, 0xaba8eef4 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba9106c <_ZN7android16CameraParameters33KEY_SUPPORTED_PREVIEW_FRAME_RATESE>: "preview-frame-rate-values"
0x411139dc: "15"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba914a4 <_ZN7android16CameraParameters22KEY_VIDEO_FRAME_FORMATE>: "video-frame-format"
0xa7912c16 <__dso_handle+4262342>: "yuv420sp"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba91030 <_ZN7android16CameraParameters18KEY_PREVIEW_FORMATE>: "preview-format"
0xa7912c16 <__dso_handle+4262342>: "yuv420sp"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba91110 <_ZN7android16CameraParameters16KEY_PICTURE_SIZEE>: "picture-size"
0x411139cc: "2592x1952"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba91134 <_ZN7android16CameraParameters18KEY_PICTURE_FORMATE>: "picture-format"
0xa79120a5 <__dso_handle+4259413>: "jpeg"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba911f8 <_ZN7android16CameraParameters16KEY_JPEG_QUALITYE>: "jpeg-quality"
0xa7912bb9 <__dso_handle+4262249>: "100"
... and so on
If mediaserver crashes or stops responding, as a worst case you may have to reboot the phone, as the Linux kernel doesn't always properly clean up dead debugged processes.
Then the operation can be repeated with CM7 instead of the stock ROM, and the gdb.txt output files compared for any modifications. This is just the beginning, but hopefully I've shown you a taste of how to do reverse engineering on Android, and I hope it'll help make this area of work less obscure to newcomers.
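One way to do that comparison step, as an added example that is not part of the original post: parse the gdb.txt that the breakpoint commands produce into parameter key/value pairs and diff two dumps. STOCK_LOG below mirrors the lines gdb printed above, while CM7_LOG is a constructed second dump that differs in a few parameters; neither is a real capture.

```python
"""Parse the gdb.txt produced by the breakpoint commands above and compare two
such dumps (for example stock ROM against CM7) to spot changed parameters.

Added example, not code from the original post. The two logs below are
constructed: STOCK_LOG mirrors the lines gdb printed in the tutorial and
CM7_LOG is a made-up second dump that differs in a few parameters.
"""
import re
from typing import Dict, List, Optional, Tuple

# "Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from ..."
BREAK_RE = re.compile(r'^Breakpoint (\d+), 0x[0-9a-fA-F]+ in (\S+) ')
# Result of an x/1s command: 0xADDR [<symbol>]: "string"
STR_RE = re.compile(r'^0x[0-9a-fA-F]+(?: <[^>]*>)?:\s+"(.*)"$')

STOCK_LOG = """\
(gdb) cont
Continuing.
Breakpoint 5, 0xaba8eef4 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba9106c <_ZN7android16CameraParameters33KEY_SUPPORTED_PREVIEW_FRAME_RATESE>: "preview-frame-rate-values"
0x411139dc: "15"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba91030 <_ZN7android16CameraParameters18KEY_PREVIEW_FORMATE>: "preview-format"
0xa7912c16 <__dso_handle+4262342>: "yuv420sp"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba91110 <_ZN7android16CameraParameters16KEY_PICTURE_SIZEE>: "picture-size"
0x411139cc: "2592x1952"
"""

# Constructed second dump: picture-size changed, preview-size newly set,
# and the frame-rate parameter never set at all.
CM7_LOG = """\
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba91030 <_ZN7android16CameraParameters18KEY_PREVIEW_FORMATE>: "preview-format"
0xa7912c16 <__dso_handle+4262342>: "yuv420sp"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba91110 <_ZN7android16CameraParameters16KEY_PICTURE_SIZEE>: "picture-size"
0x411139cc: "2592x1944"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba9100c <_ZN7android16CameraParameters16KEY_PREVIEW_SIZEE>: "preview-size"
0x411139cc: "640x480"
"""


def parse_gdb_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (breakpoint number, key, value) for every CameraParameters::set hit.

    The breakpoint commands print two x/1s results per hit: first the key,
    then the value. gdb chatter such as "(gdb) cont" is skipped, and a hit whose
    dumps are missing (e.g. the log was cut) is dropped rather than misparsed.
    """
    hits: List[Tuple[int, str, str]] = []
    bp: Optional[int] = None
    strings: List[str] = []
    for line in text.splitlines():
        m = BREAK_RE.match(line)
        if m:
            bp = int(m.group(1))   # a new hit; forget any half-read one
            strings = []
            continue
        m = STR_RE.match(line)
        if m and bp is not None:
            strings.append(m.group(1))
            if len(strings) == 2:
                hits.append((bp, strings[0], strings[1]))
                bp = None
    return hits


def last_values(hits: List[Tuple[int, str, str]]) -> Dict[str, str]:
    """Collapse the hit list to the final value each parameter key ended with."""
    params: Dict[str, str] = {}
    for _bp, key, value in hits:
        params[key] = value
    return params


def diff_params(a: Dict[str, str],
                b: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Keys whose value differs between dump a and dump b (None = never set)."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    stock = last_values(parse_gdb_log(STOCK_LOG))
    cm7 = last_values(parse_gdb_log(CM7_LOG))
    for key, (old, new) in diff_params(stock, cm7).items():
        print(f"{key}: {old!r} -> {new!r}")
```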
This post reserved for future updates, references, examples and so on.
That's amazing teaching material, thanks for that Xdbg!
Btw, I found that presentation by Defer quite interesting also: http://www.slideshare.net/deovferreira/from-stock-to-cyanogenmod-the-sony-ericsson-case . Have a look at slides 68 and next.
Thanks, xdbg!
In the past I was able to debug native libs of Swype to crack its security and of Angry Birds to get its encryption keys. It was a lot of fun ;-D
I was using a similar technique to yours - Angry Birds hacking is described here: http://forum.xda-developers.com/showpost.php?p=12853986&postcount=19 . But I'm totally new to native debugging, so I was using a lot of tricks and workarounds. Your technique is much more mature.
Thanks again.
Brut.all said:
Thanks, xdbg!
In the past I was able to debug native libs of Swype to crack its security and of Angry Birds to get its encryption keys. It was a lot of fun ;-D
I was using a similar technique to yours - Angry Birds hacking is described here: http://forum.xda-developers.com/showpost.php?p=12853986&postcount=19 . But I'm totally new to native debugging, so I was using a lot of tricks and workarounds. Your technique is much more mature.
Thanks again.
Hey, very nice, defeating software protections is also a lot of fun. I'm glad you find this short tutorial useful!
Unfortunately the evaluation version of IDA Pro does not contain the gdb client plugin, which would have been ideal to debug with a GUI. At the moment we'd have to either pirate it (which I of course condone) or buy it -- it costs about $400 iirc.
EDIT: OMG, you're the author of apktool! I'm a huge fan, I use it all the time
tips!
Great tips! TNX!
Thx, useful info.
thank you for sharing!!! i didn't know it was possible to debug too!!!
Demangling compiled C++ names
I believe it can be interesting: I've just found out that you can automatically demangle compiled C++ names using c++filt.
Say you have:
Code:
export PATH=~/android/cm9/prebuilt/linux-x86/toolchain/arm-eabi-4.2.1/bin/:$PATH
then you can run:
Code:
arm-eabi-objdump -T libcamera.so | arm-eabi-c++filt
It will produce something like:
Code:
...
0000e088 g DF .text 00000b8c android::QualcommCameraHardware::initDefaultParameters()
00000000 DF *UND* 00000000 android::CameraParameters::setPreviewFrameRate(int)
00000000 DF *UND* 00000000 android::CameraParameters::setPreviewFormat(char const*)
00000000 DO *UND* 00000000 android::CameraParameters::KEY_SUPPORTED_PREVIEW_FRAME_RATES
00000000 DO *UND* 00000000 android::CameraParameters::KEY_VIDEO_FRAME_FORMAT
...
This is very nice! Thanks for sharing this information with us
I'm stuck here! What's the problem?
warning: while parsing target library list (at line 2): No segment defined for /
system/bin/mediaserver
0x4019eacc in __ioctl () from libc.so
Code:
media 4719 1 37452 9616 ffffffff 4019eacc T /system/bin/mediaserver
root 4735 2 0 0 c0195f74 00000000 S kworker/u:3
system 4736 210 318980 38056 ffffffff 4002e868 S com.android.settings:remo
te
app_17 4755 210 306468 37164 ffffffff 4002e868 S com.htc.calendar
app_17 4770 210 303944 37248 ffffffff 4002e868 S com.htc.bgp
app_175 4796 210 317960 42636 ffffffff 4002e868 S com.google.android.apps.m
aps:NetworkLocationService
app_175 4821 210 309512 38256 ffffffff 4002e868 S com.google.android.apps.m
aps:FriendService
app_11 4842 210 305784 35312 ffffffff 4002e868 S com.android.bluetooth
app_199 4868 210 301900 36220 ffffffff 4002e868 S com.vital.TouchScreenTune
root 4904 2 0 0 c0195f74 00000000 S kworker/u:1
root 4905 2 0 0 c0195f74 00000000 S kworker/0:2
root 4912 283 872 444 c0109558 400942b4 S /system/bin/sh
root 4917 4912 872 444 c0109558 400232b4 S sh
root 4927 2 0 0 c0195f74 00000000 S kworker/u:2
root 4953 2 0 0 c0195f74 00000000 S kworker/0:0
root 4955 4917 1052 380 00000000 4003b898 R ps
[email protected]:/ # gdbserver :1234 --attach 4719
gdbserver :1234 --attach 4719
Attached; pid = 4719
Listening on port 1234
Remote debugging from host 127.0.0.1
libthread_db:td_ta_new: Probing system for platform bug.
libthread_db:td_ta_new: Running as root, nothing to do.
Code:
(gdb) set height 0
(gdb) set solib-search-path ./
(gdb) target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
warning: while parsing target library list (at line 2): No segment defined for /
system/bin/mediaserver
0x4019eacc in __ioctl () from libc.so
(gdb) info sharedlibrary
warning: while parsing target library list (at line 2): No segment defined for /
system/bin/mediaserver
From To Syms Read Shared Object Library
0xb0001000 0xb00068b4 Yes (*) C:\Users\Fabiano\ones\system\lib/linker
0x4019e420 0x401cc704 Yes (*) libc.so
0x400d9934 0x400d9a3c Yes (*) libstdc++.so
0x40093f70 0x400a3db8 Yes (*) libm.so
0x4003c028 0x4003d574 Yes (*) liblog.so
0x400abab0 0x400b48c4 Yes (*) libcutils.so
0x400232e0 0x40034100 Yes (*) libz.so
0x40217ce0 0x4022c580 Yes (*) libutils.so
0x40319570 0x40331368 Yes (*) libstlport.so
0x402ef330 0x402fd078 Yes (*) libGLESv2_dbg.so
0x402c498c 0x402d4250 Yes (*) libEGL.so
0x4008f22c 0x4008fb50 Yes (*) libwpa_client.so
0x40338928 0x4033a6ec Yes (*) libhostapd_client.so
0x400d25c8 0x400d4f90 Yes (*) libnetutils.so
0x400c9910 0x400cd48c Yes (*) libhardware_legacy.so
0x4007aba8 0x4008a220 Yes (*) libpixelflinger.so
0x400d76cc 0x400d78c4 Yes (*) libhardware.so
0x40473300 0x40473720 Yes (*) libemoji.so
0x404774e0 0x404a7260 Yes (*) libjpeg.so
0x400dce88 0x400eabf0 Yes (*) libexpat.so
0x40373960 0x4043dc4c Yes (*) libskia.so
0x404c3fa0 0x404cda1c Yes (*) libbinder.so
0x404d6744 0x404d6dfc Yes (*) libgenlock.so
0x402ad8f0 0x402b60e4 Yes (*) libui.so
0x404dc8b8 0x404ed490 Yes (*) libsonivox.so
0x406278d8 0x40627d24 Yes (*) libgabi++.so
0x40554610 0x405e8ef0 Yes (*) libicuuc.so
0x4067e564 0x4067f8f4 Yes (*) libGLESv2.so
0x40686794 0x40688700 Yes (*) libmemalloc.so
0x40681afc 0x4068208c Yes (*) libQcomUI.so
0x40665400 0x40670c58 Yes (*) libgui.so
0x4063c958 0x40641464 Yes (*) libcamera_client.so
0x40690ad8 0x40693cdc Yes (*) libstagefright_foundation.so
0x406db640 0x407a3610 Yes (*) libicui18n.so
0x4026a070 0x40284ae4 Yes (*) libmedia.so
0x4004ce90 0x400668ec Yes (*) libsrscorehtc.so
0x407bab54 0x407bb560 Yes (*) libeffects.so
0x407bec00 0x407bf030 Yes (*) libpowermanager.so
0x407c5014 0x407c5cd4 Yes (*) libdumppcm.so
0x400020a8 0x40002b38 Yes (*) libsrsprocessing.so
0x40115980 0x40134a28 Yes (*) libaudioflinger.so
0x407d08f4 0x407d4470 Yes (*) libcameraservice.so
0x40841d78 0x4084d14c Yes (*) libvorbisidec.so
0x4097b6a0 0x409e4040 Yes (*) libcrypto.so
0x40a2665c 0x40a3eb60 Yes (*) libssl.so
0x4091fc48 0x4093ea00 Yes (*) libnativehelper.so
0x40a4e790 0x40a8ff00 Yes (*) libsqlite.so
0x40b5fcc4 0x40b605f0 Yes (*) libqc-opt.so
0x40abc000 0x40b35e44 Yes (*) libdvm.so
0x40b64fe4 0x40b669f4 Yes (*) libGLESv1_CM.so
0x40b685e8 0x40b69210 Yes (*) libETC1.so
0x400ef498 0x400ef9d4 Yes (*) libnfc_ndef.so
0x40b6bedc 0x40b6c724 Yes (*) libusbhost.so
0x40b71e78 0x40ba3cc4 Yes (*) libharfbuzz.so
0x40bb6cc0 0x40bcc548 Yes (*) libhwui.so
0x40bd3b54 0x40bd3d74 Yes (*) libtilerenderer.so
0x40bdbecc 0x40be58fc Yes (*) libbluetooth.so
0x40bd59b8 0x40bd62ec Yes (*) libbluedroid.so
0x40bf7a68 0x40c12c6c Yes (*) libdbus.so
0x40895bc0 0x408e6838 Yes (*) libandroid_runtime.so
0x40ddddb0 0x40dde680 Yes (*) libstagefright_yuv.so
0x40dedb64 0x40df3320 Yes (*) libdrmframework.so
0x40efabf8 0x40efc7c0 Yes (*) libdiag.so
0x40e5001c 0x40e5e7d8 Yes (*) libaudcal.so
0x40e00a60 0x40e045e4 Yes (*) libacdbloader.so
0x40df8af8 0x40dfd49c Yes (*) libalsa-intf.so
0x40fd0708 0x411052dc Yes (*) libchromium_net.so
0x41187764 0x4118a6d0 Yes (*) libstagefright_amrnb_common.so
0x411935c4 0x4119367c Yes (*) libstagefright_enc_common.so
0x411961f0 0x41199194 Yes (*) libstagefright_avc_common.so
0x40c810f8 0x40d6cb04 Yes (*) libstagefright.so
0x411c5c54 0x411ca5f8 Yes (*) libstagefright_omx.so
0x407fe590 0x40825dec Yes (*) libmediaplayerservice.so
0x4000db48 0x4000f03c Yes (*) libbeatscorehtc.so
0x411a1210 0x411a91e4 Yes (*) audio.primary.default.so
0x411adc78 0x411af048 Yes (*) libhtc_acoustic.so
0x411b37f8 0x411b6024 Yes (*) alsa.default.so
0x413e19c0 0x413e2834 Yes (*) libbt-aptx-4.0.3.so
0x413e7a08 0x413e81f8 Yes (*) libpower.so
0x415f48b0 0x41600a64 Yes (*) audio.a2dp.default.so
0x411b9aa4 0x411b9cf0 Yes (*) libstagefrighthw.so
0x413eaf14 0x413ec8b4 Yes (*) libOmxCore.so
0x4162c308 0x4175edf0 Yes (*) libaricentomxplugin.so
0x413f1820 0x413f23fc Yes (*) libstagefright_soft_vorbisdec.so
0x41523398 0x415252a0 Yes (*) libgemini.so
0x41500570 0x4151dcfc Yes (*) libmmjpeg.so
0x41528bc0 0x4152a1f8 Yes (*) libsysutils.so
0x41533668 0x415337f8 Yes (*) libjnigraphics.so
0x41e7f330 0x41ea5ca4 Yes (*) libOlaEngine.so
0x4152eff8 0x41530dd8 Yes (*) libcameraface.so
0x41535348 0x41535358 Yes (*) libsurfaceflinger_client.so
0x419d9fa8 0x41a95550 Yes (*) libcamerapp.so
0x41e4dd78 0x41e67894 Yes (*) camera.msm8960.so
0x4153d948 0x4154357c Yes (*) audio_policy.default.so
(*): Shared library is missing debugging information.
(gdb)
Hi Fabiano,
Looks good to me. Did you try to simply resume execution of mediaserver with "cont"?
Thank you! It was so simple...
I'm curious: why do we attach to mediaserver? Because it needs the library "libcameraservice.so", and "libcameraservice.so" needs "libcamera_client.so", so when mediaserver is started it loads all the libraries needed and we can debug them?
Another question: for example, I want to change the values at 0x1635aa0: "5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31"
What is mapped at 0x1635aa0? (I think that these values are stored in the kernel, but I'm not sure. Is there a way to check?)
I was searching here \drivers\media\video\msm\sensors\s5k3h2yx_v4l2.c (since the HTC One S uses an s5k3h2yx sensor and the build config points to that file).
s5k3h2yx_v4l2.c is attached below as s5k3h2yx.txt. Am I on the right track, or are these values not here?
Code:
0x4061d958 0x40622464 Yes (*) libcamera_client.so
Breakpoint 2, 0x4063649e in android::CameraParameters::set(char const*, char const*) () from libcamera_client.so
x1/s
r4 0x40639af0 <_ZN7android16CameraParameters33KEY_SUPPORTED_PREVIEW_FRAME_RATESE>: "preview-frame-rate-values"
r5 0x153c99c: "X¿[email protected](Tc\001\a"
r6 0x41ec2e08: ""
r7 0x426de95c: "`Yc\001\030Yc\001¨émBèXc\001àWc\001Ð1c\001¸Wc\001\220Wc\001hWc\001ÀVc\001hVc\001Tå¤A\030Vc\001ØUc\001\220Uc\001hUc\001ÜxëAøTc\001ÐTc\001¨Tc\001\200Tc\001HQc\001hSc\[email protected]\001¸Rc\001àQc\001HQc\001\001"
r8 0x1635aa0: "5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31"
x1/x
r4 0x40639af0 <_ZN7android16CameraParameters33KEY_SUPPORTED_PREVIEW_FRAME_RATESE>: 0x70
r5 0x153c99c: 0x58
r6 0x41ec2e08: 0x00
r7 0x426de95c: 0x60
r8 0x1635aa0: 0x35
Now I know for sure that these values are not hardcoded in the libs, since 0x1635aa0 is outside the libs' memory zone:
Code:
From To Syms Read Shared Object Library
0xb0001000 0xb00068b4 Yes (*) C:\Program Files (x86)\Android\android-ndk-r8b\toolchains\arm-linux-androideabi-4.4.3\prebuilt\windows\bin/linker
0x4014b420 0x40179704 Yes (*) libc.so
0x40190934 0x40190a3c Yes (*) libstdc++.so
0x40193f70 0x401a3db8 Yes (*) libm.so
0x4013c028 0x4013d574 Yes (*) liblog.so
0x40070ab0 0x400798c4 Yes (*) libcutils.so
0x400132e0 0x40024100 Yes (*) libz.so
0x401eece0 0x40203580 Yes (*) libutils.so
0x402d7570 0x402ef368 Yes (*) libstlport.so
0x402ad330 0x402bb078 Yes (*) libGLESv2_dbg.so
0x4028298c 0x40292250 Yes (*) libEGL.so
0x4000e22c 0x4000eb50 Yes (*) libwpa_client.so
0x4008e928 0x400906ec Yes (*) libhostapd_client.so
0x400955c8 0x40097f90 Yes (*) libnetutils.so
0x40005910 0x4000948c Yes (*) libhardware_legacy.so
0x402fdba8 0x4030d220 Yes (*) libpixelflinger.so
0x400106cc 0x400108c4 Yes (*) libhardware.so
0x4004a300 0x4004a720 Yes (*) libemoji.so
0x404474e0 0x40477260 Yes (*) libjpeg.so
0x4047ce88 0x4048abf0 Yes (*) libexpat.so
0x40346960 0x40410c4c Yes (*) libskia.so
0x404a7fa0 0x404b1a1c Yes (*) libbinder.so
0x40046744 0x40046dfc Yes (*) libgenlock.so
0x400358f0 0x4003e0e4 Yes (*) libui.so
0x404bd8b8 0x404ce490 Yes (*) libsonivox.so
0x406088d8 0x40608d24 Yes (*) libgabi++.so
0x40535610 0x405c9ef0 Yes (*) libicuuc.so
0x4065f564 0x406608f4 Yes (*) libGLESv2.so
0x40667794 0x40669700 Yes (*) libmemalloc.so
0x40662afc 0x4066308c Yes (*) libQcomUI.so
0x40646400 0x40651c58 Yes (*) libgui.so
0x4061d958 0x40622464 Yes (*) libcamera_client.so
0x40671ad8 0x40674cdc Yes (*) libstagefright_foundation.so
0x406bc640 0x40784610 Yes (*) libicui18n.so
0x40241070 0x4025bae4 Yes (*) libmedia.so
0x401b5e90 0x401cf8ec Yes (*) libsrscorehtc.so
0x40043b54 0x40044560 Yes (*) libeffects.so
0x4079cc00 0x4079d030 Yes (*) libpowermanager.so
0x407a3014 0x407a3cd4 Yes (*) libdumppcm.so
0x407a90a8 0x407a9b38 Yes (*) libsrsprocessing.so
0x400be980 0x400dda28 Yes (*) libaudioflinger.so
0x407b48f4 0x407b8470 Yes (*) libcameraservice.so
0x40825d78 0x4083114c Yes (*) libvorbisidec.so
0x4095f6a0 0x409c8040 Yes (*) libcrypto.so
0x40a0a65c 0x40a22b60 Yes (*) libssl.so
0x40903c48 0x40922a00 Yes (*) libnativehelper.so
0x40a32790 0x40a73f00 Yes (*) libsqlite.so
0x40b43cc4 0x40b445f0 Yes (*) libqc-opt.so
0x40aa0000 0x40b19e44 Yes (*) libdvm.so
0x40b48fe4 0x40b4a9f4 Yes (*) libGLESv1_CM.so
0x40b4c5e8 0x40b4d210 Yes (*) libETC1.so
0x40b4f498 0x40b4f9d4 Yes (*) libnfc_ndef.so
0x40b51edc 0x40b52724 Yes (*) libusbhost.so
0x40b57e78 0x40b89cc4 Yes (*) libharfbuzz.so
0x40b9ccc0 0x40bb2548 Yes (*) libhwui.so
0x40bb9b54 0x40bb9d74 Yes (*) libtilerenderer.so
0x40bc1ecc 0x40bcb8fc Yes (*) libbluetooth.so
0x40bbb9b8 0x40bbc2ec Yes (*) libbluedroid.so
0x40bdda68 0x40bf8c6c Yes (*) libdbus.so
0x40879bc0 0x408ca838 Yes (*) libandroid_runtime.so
0x40dc3db0 0x40dc4680 Yes (*) libstagefright_yuv.so
0x40dd3b64 0x40dd9320 Yes (*) libdrmframework.so
0x40ee0bf8 0x40ee27c0 Yes (*) libdiag.so
0x40e3601c 0x40e447d8 Yes (*) libaudcal.so
0x40de6a60 0x40dea5e4 Yes (*) libacdbloader.so
0x40ddeaf8 0x40de349c Yes (*) libalsa-intf.so
0x40fb6708 0x410eb2dc Yes (*) libchromium_net.so
0x4116d764 0x411706d0 Yes (*) libstagefright_amrnb_common.so
0x411795c4 0x4117967c Yes (*) libstagefright_enc_common.so
0x4117c1f0 0x4117f194 Yes (*) libstagefright_avc_common.so
0x40c670f8 0x40d52b04 Yes (*) libstagefright.so
0x411a6c54 0x411ab5f8 Yes (*) libstagefright_omx.so
0x407e2590 0x40809dec Yes (*) libmediaplayerservice.so
0x41193b48 0x4119503c Yes (*) libbeatscorehtc.so
0x41187210 0x4118f1e4 Yes (*) audio.primary.default.so
0x41197c78 0x41199048 Yes (*) libhtc_acoustic.so
0x413b17f8 0x413b4024 Yes (*) alsa.default.so
0x413ca9c0 0x413cb834 Yes (*) libbt-aptx-4.0.3.so
0x413d0a08 0x413d11f8 Yes (*) libpower.so
0x415e98b0 0x415f5a64 Yes (*) audio.a2dp.default.so
0x413d3aa4 0x413d3cf0 Yes (*) libstagefrighthw.so
0x413d5f14 0x413d78b4 Yes (*) libOmxCore.so
0x41621308 0x41753df0 Yes (*) libaricentomxplugin.so
0x413dc820 0x413dd3fc Yes (*) libstagefright_soft_vorbisdec.so
0x414f0398 0x414f22a0 Yes (*) libgemini.so
0x415c5570 0x415e2cfc Yes (*) libmmjpeg.so
0x414f5bc0 0x414f71f8 Yes (*) libsysutils.so
0x41500668 0x415007f8 Yes (*) libjnigraphics.so
0x41ca6330 0x41cccca4 Yes (*) libOlaEngine.so
0x414fbff8 0x414fddd8 Yes (*) libcameraface.so
0x41502348 0x41502358 Yes (*) libsurfaceflinger_client.so
0x41dcdfa8 0x41e89550 Yes (*) libcamerapp.so
0x419cdd78 0x419e7894 Yes (*) camera.msm8960.so
0x41535948 0x4153b57c Yes (*) audio_policy.default.so
Hi!
You can check the memory map by printing /proc/<your process pid>/maps, such as:
Code:
~ $ cat /proc/`pidof a.out`/maps
00400000-00401000 r-xp 00000000 08:02 6337054 /home/abc/a.out
00600000-00601000 rw-p 00000000 08:02 6337054 /home/abc/a.out
7ffff7a56000-7ffff7bd3000 r-xp 00000000 08:02 13642881 /lib/x86_64-linux-gnu/libc-2.13.so
...
As far as modifying data goes, it is fairly easy to do when you want to write one byte or one word, for example "set *(char *)$MYREGISTER=0xff".
You can write a larger piece of data with the command restore (you need a writable place, like the stack). As an illustration of restoring the truth:
Code:
~ $ cat a.c
#include <stdio.h>
int f(int i1, int i2, char *c)
{
printf("You better believe me: %s\n", c);
return 0;
}
int main(void)
{
return f(1, 2, "HTC is not evil");
}
~ $ gcc a.c
~ $ echo "HTC is evil" >raw
~ $ gdb a.out
GNU gdb (GDB) 7.4.1-debian
[...]
(gdb) break f
Breakpoint 1 at 0x400510
(gdb) run
Starting program: /home/abc/a.out
Breakpoint 1, 0x0000000000400510 in f ()
(gdb) x/1s $rdx
0x400627: "HTC is not evil"
(gdb) print $rsp-0x1000
$2 = (void *) 0x7fffffffd370
(gdb) restore raw binary 0x7fffffffd370
Restoring binary file raw into memory (0x7fffffffd370 to 0x7fffffffd37c)
(gdb) set $rdx=0x7fffffffd370
(gdb) cont
Continuing.
You better believe me: HTC is evil
By the way, the value of interest to you could come (in theory) from lots of places, but most likely the Camera app, or some place in the framework. Consider disassembling both to check the contents.
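A way to turn the /proc/<pid>/maps listing above into an answer to "what is mapped at this address?", added here as an example and not part of the original post: it parses the maps format, reports which mapping (file, heap, stack or anonymous) an address falls in, and for a file-backed mapping converts the address into the offset inside the file on disk. MAPS is a constructed sample laid out like a 32-bit Android mediaserver (made-up addresses, device numbers and inodes), not a capture from the phone.

```python
"""Answer "what is mapped at this address?" from /proc/<pid>/maps, in the
format shown above, and translate a file-backed address into a file offset.

Added example, not code from the original post. MAPS is a constructed sample
laid out like a 32-bit Android mediaserver (made-up addresses, device numbers
and inodes), not a capture from the phone.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r'^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$')

MAPS = """\
00008000-00020000 r-xp 00000000 b3:12 123 /system/bin/mediaserver
00020000-00021000 rw-p 00018000 b3:12 123 /system/bin/mediaserver
01500000-01700000 rw-p 00000000 00:00 0 [heap]
4061d000-40623000 r-xp 00000000 b3:12 456 /system/lib/libcamera_client.so
40623000-40624000 rw-p 00006000 b3:12 456 /system/lib/libcamera_client.so
41ec0000-41ec4000 rw-p 00000000 00:00 0
bee00000-bee21000 rw-p 00000000 00:00 0 [stack]
"""


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    offset: int   # file offset that `start` corresponds to (0 if anonymous)
    path: str     # file path, "[heap]", "[stack]", or "" for anonymous memory


def parse_maps(text: str) -> List[Mapping]:
    maps: List[Mapping] = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue   # tolerate blank or truncated lines
        start, end, perms, off, _dev, _inode, path = m.groups()
        maps.append(Mapping(int(start, 16), int(end, 16), perms,
                            int(off, 16), path.strip()))
    return maps


def find_mapping(maps: List[Mapping], addr: int) -> Optional[Mapping]:
    for m in maps:
        if m.start <= addr < m.end:
            return m
    return None


def describe(maps: List[Mapping], addr: int) -> Tuple[Optional[str], object]:
    """Return (what, detail) for an address.

    File-backed: (path, offset into that file), i.e. where to look for the
    bytes with objdump or a hex editor.  Heap/stack/anonymous: (name, None),
    meaning the data was built at runtime and is not stored in any .so.
    Unmapped: (None, "unmapped").
    """
    m = find_mapping(maps, addr)
    if m is None:
        return (None, "unmapped")
    if m.path and not m.path.startswith("["):
        return (m.path, m.offset + (addr - m.start))
    return (m.path or "anonymous", None)


if __name__ == "__main__":
    maps = parse_maps(MAPS)
    for a in (0x1635aa0, 0x4061e000, 0x41ec2e08):
        print(hex(a), describe(maps, a))
```

On the phone the input is simply the output of "cat /proc/`pidof mediaserver`/maps" pulled over adb.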
Already done (everything is in Java at this level, so it can be decompiled almost to source code, so it's the first thing I did). The framework just contains Google APIs that call *.so lib functions, and just explodes a full string into single values (but the full string is sent by the libs).
Camera apps (or other apps as well) can only set supported parameters by calling Google APIs (that call the libs); if I want to set a non-standard value, the libs check the value and reply with an error (unsupported parameter, changing it to a default one). So the values are stored at a low level.
Maybe the values are in the libs, but I don't know how some structs are stored in low-level assembly; maybe I cannot find them because of my ignorance.
In some open source camera HAL libs (for other phones, but it should be similar) I found some structs like these:
Code:
const char *preview_sizes =
"1280x720,800x480,768x432,720x480,640x480,576x432,480x320,384x288,352x288,320x240,240x160,176x144";
const char *video_sizes =
"1280x720,800x480,720x480,640x480,352x288,320x240,176x144";
const char *preferred_size = "640x480";
const char *preview_frame_rates = "30,27,24,15";
const char *preferred_frame_rate = "15";
const char *frame_rate_range = "(15,30)";
or
Code:
const char CameraHardware::supportedPictureSizes [] = "640x480,352x288,320x240";
const char CameraHardware::supportedPreviewSizes [] = "640x480,352x288,320x240";
const supported_resolution CameraHardware::supportedPictureRes[] = {{640, 480} , {352, 288} , {320, 240} };
const supported_resolution CameraHardware::supportedPreviewRes[] = {{640, 480} , {352, 288} , {320, 240} };
typedef struct {
size_t width;
size_t height;
} supported_resolution;
I see! You could try having a look at the stack to identify the caller hierarchy up to the JNI, and also in IDA Pro check the xref to the function. At some point the values will be generated. It is possible that the string itself is constructed from an array of dwords, so checking for the little-endian hexadecimal dwords in the .so could be useful.
Regarding structs, it might be easier to identify them in IDA Pro, however I'm not sure it is possible to create a struct type in gdb (by default it will use the symbols, but for proprietary libs there are none...).
Note there is support for gdbserver in IDA Pro, which allows you to trace the code you have annotated. It is much nicer than the text interface of gdb; however the gdb client plugin in IDA can be flaky at times. Note that in this case you'll want to load mediaserver, then load any additional .so in IDA to be able to trace them all. In addition, it would be a good idea to disable ASLR (IDA Pro doesn't handle library randomization too well). Run "echo 0 > /proc/sys/kernel/randomize_va_space"
Thank you again for all useful info!
It seems that strings are built by some "string" functions, so I think you are right, but it's a bit hard with static analysis.
Now I'm trying to connect IDA Pro with gdb, but I'm stuck with a connection error:
Plan B: I can remove the lib checks when setting parameters, but it's a hacky solution; I prefer clean solutions...
EDIT: I missed "adb forward tcp:1234 tcp:1234" :/
Now I get an "irs_recv: Timeout" error.
EDIT 2: Attached! (switched from arm/android debugger to gdb)
EDIT 3: I don't know how to set a breakpoint. If I try to set it with F2, the process never stops; if I try to set it via the console I get an error...
pirlano said:
Thank you again for all useful info!
It seems that strings are built by some "string" functions, so I think you are right, but it's a bit hard with static analysis.
Now I'm trying to connect IDA Pro with gdb, but I'm stuck with a connection error:
Plan B: I can remove the lib checks when setting parameters, but it's a hacky solution; I prefer clean solutions...
EDIT: I missed "adb forward tcp:1234 tcp:1234" :/
Now I get an "irs_recv: Timeout" error.
EDIT 2: Attached! (switched from arm/android debugger to gdb)
EDIT 3: I don't know how to set a breakpoint. If I try to set it with F2, the process never stops; if I try to set it via the console I get an error...
Glad to know! I'll write a short tutorial of gdbserver + IDA a bit later using mediaserver as an example, in two different cases: first one with symbols, second one without.
xd.bx said:
Glad to know! I'll write a short tutorial of gdbserver + IDA a bit later using mediaserver as an example, in two different cases: first one with symbols, second one without.
Alright, so I'm running into the same issue when trying to trigger a breakpoint and trace stuff. On the other hand gdb works fine. /methink IDA Pro's internal gdb client is not that good. In fact it would be rather nice to have an open-source replacement for this piece of software, one that makes stepping through proprietary code less of a chore.
I have been building some kernels recently, but have been unable to get the wifi working.
I have tried it having the modules included in initramfs/lib/modules when the ramdisk is created and I do mkbootimg, and have also tried just putting all the modules in the flash zip in /system/lib/modules, and excluded it from the build process. Both result in no Wifi. [Edit: putting the newly built correct modules in my working folder's /lib/modules fixed wifi, must not have done it correctly before.]
basic overview of what I've done (after zImage compile)
I use "./unpack-bootimg.pl boot.img" to pull the "ramdisk-contents" from the stock kernel, I renamed that folder "initramfs" and threw it in a folder along with my mkbootimg binary, and my zImage I just compiled.
I put the newly created modules from the zImage build in my initramfs/libs/modules with:
Code:
find -name '*.ko' -exec cp -av {} [path to desired folder] \;
I navigate to the initramfs folder and run:
Code:
find .|cpio -o -H newc > ../ramdisk
cd ..
gzip ramdisk
./mkbootimg --kernel ./zImage --ramdisk ./ramdisk.gz --board smdk4x12 --base 0x10000000 --pagesize 2048 --ramdiskaddr 0x11000000 -o boot.img
The resultant boot.img boots fine and shows all other changes, I just can't seem to get the wifi working. Anyone have an idea for getting wifi working on our Note 2 kernel builds?
Edit: I re-tried and this time it worked. Not sure what was different. Copied the newly created modules into my ramdisk folder (for me was /initramfs/lib/modules) and created my ramdisk.gz etc. made the boot.img and it's all good. The difference must've been having the correct modules in place prior to creating the ramdisk.cpio(then .cpio.gz).
Mods please move if you feel this is in wrong section now etc. Found the answer, thank you
It's only in the wrong section if you don't share what you did wrong, and how you fixed it.
Facing an almost similar issue over here with the wifi modules. For me, I found that my boot.img is itself too large for initramfs to accommodate the compiled modules (optimization was off). So I put them in system/lib/modules and tried to insmod them.
Using the sbin's insmod gives me this:
Code:
[[email protected] android]$adb shell
[email protected]:/ $ su
[email protected]:/ # insmod /system/lib/modules/dhd.ko
insmod: init_module '/system/lib/modules/dhd.ko' failed (No such file or directory)
255|[email protected]:/ # busybox insmod /system/lib/modules/dhd.ko
insmod: can't insert '/system/lib/modules/dhd.ko': unknown symbol in module, or unknown parameter
2|[email protected]:/ #
I've turned off module versioning, and am not sure why there's a symbol error.
Droidzone said:
Facing an almost similar issue over here with the wifi modules. For me, I found that my boot.img is itself too large for initramfs to accommodate the compiled modules (optimization was off). So I put them in system/lib/modules and tried to insmod them.
Using the sbin's insmod gives me this:
Code:
[[email protected] android]$adb shell
[email protected]:/ $ su
[email protected]:/ # insmod /system/lib/modules/dhd.ko
insmod: init_module '/system/lib/modules/dhd.ko' failed (No such file or directory)
255|[email protected]:/ # busybox insmod /system/lib/modules/dhd.ko
insmod: can't insert '/system/lib/modules/dhd.ko': unknown symbol in module, or unknown parameter
2|[email protected]:/ #
I've turned off module versioning, and am not sure why there's a symbol error.
Add --strip-debug into the LDFLAGS_MODULE of the main makefile and make sure the modules went through second stage compilation. The OS probably forwards some parameters and you can't just insmod it.
I fixed that issue..
The real reason is something queer and interesting. It was because I'd defined GREP_OPTIONS as '--color -in'. This seemed to interfere with the kernel scripts. Once the var was unset, the problem was solved.
However the inability to load the module persists.
My main kernel has the version name "3.0.31-g5d44d80-dirty", and the vermagic of module seems to be "3.0.31-gc299ec6 SMP preempt mod_unload modversions ARMv7 p2v8".
This obviously leads to a version mismatch, and inability to load the module. Do you know why this happens? The kernel and module were built in the same compilation session. In fact I haven't even changed the version name in .config.
dmesg during insmod gives this error code which narrows down the issue:
Code:
c0 dhd: version magic '3.0.31-gc299ec6 SMP preempt mod_unload modversions ARMv7 p2v8 ' should be '3.0.31-g5d44d80-dirty SMP preempt mod_unload ARMv7 '
EDIT:
Maybe I had made a script error and forgot to replace the original kernel/module. That error has disappeared, to be replaced by the former issue: unable to insert the module. The module was compiled with debug symbols.
Insmod reports:
insmod: init_module '/system/lib/modules/dhd.ko' failed (No such file or directory)
Modprobe reports:
modprobe: chdir(3.0.31-ge52b835-dirty): No such file or directory
Kernel reports:
Code:
c0 dhd: Unknown symbol _GLOBAL_OFFSET_TABLE_ (err 0)
Trying to narrow it down to the source file. I'm expecting that some function has 'forgotten' to export symbol.
I'm wondering whether this is just me, or is Samsung source dump supposed to have these kind of errors on defconfig. First they "forget" to include cypress drivers. Now errors related to symbol export.
EDIT2:
Still no closer to finding the cause of the error. Did a grep and these are the only things I found:
Code:
[[email protected] kernel_IN]$grep --color -inr '_GLOBAL_OFFSET_TABLE_' * | grep -v 'Binary file'
arch/powerpc/boot/crt0.S:42: addis r11,r10,(_GLOBAL_OFFSET_TABLE_-p_base)@ha
arch/powerpc/boot/crt0.S:43: lwz r11,(_GLOBAL_OFFSET_TABLE_-p_base)@l(r11)
arch/m32r/boot/compressed/head.S:39: seth r3, #high(_GLOBAL_OFFSET_TABLE_+8)
arch/m32r/boot/compressed/head.S:40: or3 r3, r3, #low(_GLOBAL_OFFSET_TABLE_+12)
arch/s390/kernel/module.c:149: "_GLOBAL_OFFSET_TABLE_") == 0)
arch/avr32/kernel/module.c:104: "_GLOBAL_OFFSET_TABLE_") == 0)
scripts/mod/modpost.c:565: if (strcmp(symname, "_GLOBAL_OFFSET_TABLE_") == 0)
System.map:49417:c0b4f468 d _GLOBAL_OFFSET_TABLE_
The relevant segment of scripts/mod/modpost.c:
Code:
static int ignore_undef_symbol(struct elf_info *info, const char *symname)
{
/* ignore __this_module, it will be resolved shortly */
if (strcmp(symname, MODULE_SYMBOL_PREFIX "__this_module") == 0)
return 1;
/* ignore global offset table */
if (strcmp(symname, "_GLOBAL_OFFSET_TABLE_") == 0)
return 1;
Edit3: Solved.
AndreiLux said:
Add --strip-debug into the LDFLAGS_MODULE of the main makefile and make sure the modules went through second stage compilation. The OS probably forwards some parameters and you can't just insmod it.
Click to expand...
Click to collapse
I'd like to thank you for this information - this cut my dhd.ko from 4.6 MB to around 550 kB - and my resulting kernel as a result. Fully expect this will now get my kernel working as it should.
Droidzone said:
Edit3: Solved.
How did you solve it? Could you give a bit more detail?
wctliu said:
How did you solve it? Could you give a bit more detail?
Click to expand...
Click to collapse
Used another toolchain.
Droidzone said:
Used another toolchain.
Click to expand...
Click to collapse
another toolchain????
Which version?
I used these:
/home/wctliu/toolchains/arm-eabi-4.4.3/bin/arm-eabi-
/home/wctliu/arm-2009q3/bin/arm-none-linux-gnueabi-
Which will cause the problem to occur?
wctliu said:
another toolchain????
Which version?
I used these:
/home/wctliu/toolchains/arm-eabi-4.4.3/bin/arm-eabi-
/home/wctliu/arm-2009q3/bin/arm-none-linux-gnueabi-
Which will cause the problem to occur?
Click to expand...
Click to collapse
Did you see and make the changes AndreiLux mentioned above to the makefile? That can be the difference between getting usable wifi modules or not. A simple place to start if you're getting a working kernel but no wifi.
Sent from my SPH-L900 using xda premium
sleshepic said:
Did you see and make the changes AndreiLux mentioned above to the makefile? That can be the difference between getting usable wifi modules or not. A simple place to start if you're getting a working kernel but no wifi.
Sent from my SPH-L900 using xda premium
Click to expand...
Click to collapse
YES, I did it.
you can see this:
http://forum.xda-developers.com/showthread.php?t=2193358
and now, it's no wifi no exfat.
AndreiLux said:
Add --strip-debug into the LDFLAGS_MODULE of the main makefile and make sure the modules went through second stage compilation. The OS probably forwards some parameters and you can't just insmod it.
Click to expand...
Click to collapse
That is correct, the OS does pass parameters to the module when loading.
An example (from CM) can be seen at: https://github.com/CyanogenMod/andr...common/blob/cm-10.1/BoardCommonConfig.mk#L122
I cannot get Wifi to work either. I have the same exact problem as Droidzone with the "_GLOBAL_OFFSET_TABLE_" error.
I have checked that:
"LDFLAGS_MODULE = --strip-debug" is set in Makefile.
I'm using the 4.7 toolchain, but just tried the 4.6 to no avail.
Any help would be much appreciated.
Update: I was able to get it working by using CFLAGS_MODULE=-fno-pic as suggested in this guide.
Solved
I was running in the same issues. I solved my problem adding these to my kernel makefile:
LDFLAGS_MODULE = --strip-debug
CFLAGS_MODULE = -fno-pic
forfivo said:
I was running in the same issues. I solved my problem adding these to my kernel makefile:
LDFLAGS_MODULE = --strip-debug
CFLAGS_MODULE = -fno-pic
Click to expand...
Click to collapse
There must be something else going on in my setup, as this does not work for me to get working WiFi. What is your build process?
Edit: or if you wouldn't mind, shoot me your kernel. I'd be interested if it is something small I'm missing, like the updater script etc.
Edit2: I feel sometimes in android doing the same thing twice results in separate results. Crazy thx
Hey sorry to bump this. Not sure if anyone still remembers I have the same problem with my GT-B5330.
Even though I set in my kernel/Makefile:
CFLAGS_MODULE = -fno-pic
LDFLAGS_MODULE = --strip-debug
After building the kernel from source I get the dhd.ko file, copy it to ramdisk/lib/modules and then repack it with the zimage generated by the build.
Then I dd the newly created boot.img to the kernel partition.
lsmod doesn't show dhd.ko
and the file exists in system/lib/modules/dhd.ko
Toolchain arm-eabi-4.6
DroidFreak32 said:
Hey sorry to bump this. Not sure if anyone still remembers I have the same problem with my GT-B5330.
Even though I set in my kernel/Makefile:
CFLAGS_MODULE = -fno-pic
LDFLAGS_MODULE = --strip-debug
After building the kernel from source I get the dhd.ko file, copy it to ramdisk/lib/modules and then repack it with the zimage generated by the build.
Then I dd the newly created boot.img to the kernel partition.
lsmod doesn't show dhd.ko
and the file exists in system/lib/modules/dhd.ko
Toolchain arm-eabi-4.6
Click to expand...
Click to collapse
Are you able to test manually starting using insmod? If so, what is the result?
garwynn said:
Are you able to test manually starting using insmod? If so, what is the result?
Click to expand...
Click to collapse
I cannot insmod the module. I get: /system/lib/module/dhd.ko invalid argument
DroidFreak32 said:
I cannot insmod the module. I get: /system/lib/module/dhd.ko invalid argument
Click to expand...
Click to collapse
Can't get to my Linux env at the moment, but will follow up on this. Might even see if someone is willing to test for me.
garwynn said:
Can't get to my Linux env at the moment, but will follow up on this. Might even see if someone is willing to test for me.
Click to expand...
Click to collapse
Thanks man
Also I forgot to mention I use arm eabi 4.4.3 if that matters.
Hi everyone.
As people are aware, upgrading to Android 8.0 Oreo broke the functionality of Bluetooth for users with the MD725 Type 2 Bluetooth module. I have now found the driver file that will likely repair all lost Bluetooth functionality - the sdsdk file. This should also fix any external USB WiFi/Bluetooth devices that use the MD725 Type 2 module.
I have tested this on my MTCD HA unit running Hal9k's Oreo ROM and can confirm that the following features now work:
- A2DP
- Calling
- Call History
- Contact sync
Note: This fix requires root access.
Installation Instructions:
1. Download the attached sdsdk.zip file.
2. From the sdsdk.zip file, extract the "sdsdk" file.
3. Copy the sdsdk file to a USB drive or SD card to be plugged into your headunit.
4. Install a root file explorer.
5. Copy the sdsdk file from your external storage device to the location:
Code:
/system/bin
6. Reboot your headunit.
The working sdsdk file is from the MTCD_HA_20170726 ROM provided by @f1x in their "Solution for the bluetooth echo v2":
https://forum.xda-developers.com/an...neral/px5-solution-bluetooth-echo-v2-t3661284
I hope that this fix works for you!
@Malaysk perhaps you can try to incorporate this fix in your rom if tested to work OK?
Sent from my G8141 using Tapatalk
The command "ps | grep sdsdk" just returns the line(s) containing sdsdk (grep command) from the running processes list (ps command). So I think that that step is not necessary.
Also where did you find a working sdsdk for android 8, substituting the one from android 6 was tried before and did not work.
Regardless, I will try to flash my Android 6 HU to HALK's Oreo to confirm this working on a MTCD KGL (v2.83)
switchboy said:
The command "ps | grep sdsdk" just returns the line(s) containing sdsdk (grep command) from the running processes list (ps command). So I think that that step is not necessary.
Also where did you find a working sdsdk for android 8, substituting the one from android 6 was tried before and did not work.
Regardless, I will try to flash my Android 6 HU to HALK's Oreo to confirm this working on a MTCD KGL (v2.83)
Click to expand...
Click to collapse
Okay, I've removed that part of the step. I had a feeling it wasn't necessary but left it in.
The working sdsdk is from the MTCD_HA_20170726 ROM, which was collected by @f1x for the "Bluetooth echo solution".
Thanks! Please reply with your results!
I am afraid it did not work for me. Added the files to 'system/bin/'
Gave the file 777 permissions just to be sure (read, write, execute)
Did a reboot, no luck
As you can see sdsdk is not running when I search for it with 'ps | grep sdsdk'
I added photographs of the situation.
This is a fresh upgrade to HALK's Oreo ROM from Android 6.0. Do I need to select the MD725 as my BT adapter somewhere? Because that might be causing my issues? I will check the factory settings later (although they should not have been touched, and BT was working on Android 6).
It will have to be another time though. It's getting cold now that it is dark and I don't want to burn petrol while waiting on the HU. Already used a bit too much battery power while waiting on the update process.
Edit:
OP, did you also install the libraries (.lib files) provided by f1x? That might be the reason why it did not work and sdsdk doesn't run on my system right now.
Hello. I have an MTCD PX5, MX, Bluetooth MD725 type 2. I am now on Malaysk ROM 6 v7, and want to ask if this fix will work for me? Until now I didn't try Android 8 because of the Bluetooth problem.
Have been playing around with this idea some more. First off I checked if for some reason the Bluetooth adapter in the factory settings was changed. So I double checked and it was still set to MD725. So that was not the reason why sdsdk is not running. Secondly I thought maybe sdsdk is missing other files it depends on to run so I went ahead and made sure I copied the .lib files and the .ini file from f1x to the right folders and made sure all of them were executable. After that I did a reboot of my device and nothing. The Bluetooth name and pin are not populated in the settings menu and the process sdsdk is still not in the running processes list. This could either mean:
- The process sdsdk isn't started by the system on boot and we need a way to start it manually
- The process sdsdk is started but crashes soon after being started because it is still missing dependencies
- The implementation of sdsdk is not compatible with android 8 anymore (which would mean the end of the line for this approach)
After these tests I was a bit disappointed and had run out of time for today. I need some way to check if sdsdk is doing anything and, if so, what it is actually doing. So, as on a PC, my next logical step will be to try and run the program manually from the command line and see if it spits out an error. If it does I might be able to solve the problem.
Because of digging work by f1x we know that the init.hct.rc script does contain the commands to start sdsdk: (so this makes the first scenario unlikely)
Code:
on property:bt.md725.type=1
    start gocsdk

service gocsdk /system/bin/gocsdk
    class main
    user root
    group root
    disabled
    seclabel u:r:shell:s0

on property:bt.md725.type=2
    start sdsdk

service sdsdk /system/bin/sdsdk
    class main
    user root
    group root
    disabled
    seclabel u:r:shell:s0
I think the second scenario is the most likely one, and sdsdk is missing the right (versions of) other files the program depends on. So we need to figure out what those files are. Furthermore, I think the simple terminal command '/system/bin/sdsdk' probably won't start the service in a way that is useful for the OS; however, I am hoping it will output a useful error code. So that will be the first thing I will try next time I get some spare time to play with the HU.
Unfortunately I am a bit of a Windows guy and hobby developer (with limited C++, PHP and Java knowledge), so my Linux knowledge is limited. I would love to be able to decompile sdsdk to see what it actually does; that might make fixing this software mess a bit easier. At this point I am not expecting a manufacturer to do it for us. As for now I am just making guesses why it doesn't work, and I don't like that.
switchboy said:
- The process sdsdk is started but crashes soon after being started because it is still missing dependencies
Click to expand...
Click to collapse
You can test this by, first, running '/system/bin/sdsdk' in a terminal. Even if this step works, I would see the missing libraries by running 'ldd /system/bin/sdsdk'. The assumption in the 'ldd' step is that the binary gets libraries dynamically attached to it when it runs, as opposed to coming packaged with the binary.
Feel free to paste the output and I can help interpret it. I would do this myself, but at the rate at which I'm going, I won't get to it until next year
P.S. you may need to find a binary for ldd on Android. Termux has an ability to get such, just type in the command, and if it knows it can download a binary for a missing program, then it will tell you how to do it
I don't have access to my headunit at the moment. The wife has taken the car for a drive. So I did the next best thing and used readelf on an Ubuntu VM to try and find the dependencies of the sdsdk binary. Here is the raw output:
Code:
@Butterfly:~/Desktop$ readelf -And sdsdk
Dynamic section at offset 0xbe65c contains 33 entries:
Tag Type Name/Value
0x00000003 (PLTGOT) 0xbfd84
0x00000002 (PLTRELSZ) 1248 (bytes)
0x00000017 (JMPREL) 0x9bc0
0x00000014 (PLTREL) REL
0x00000011 (REL) 0x2cb0
0x00000012 (RELSZ) 28432 (bytes)
0x00000013 (RELENT) 8 (bytes)
0x6ffffffa (RELCOUNT) 3551
0x00000015 (DEBUG) 0x0
0x00000006 (SYMTAB) 0x148
0x0000000b (SYMENT) 16 (bytes)
0x00000005 (STRTAB) 0x1258
0x0000000a (STRSZ) 4590 (bytes)
0x00000004 (HASH) 0x2448
0x00000001 (NEEDED) Shared library: [libtinyalsa.so]
0x00000001 (NEEDED) Shared library: [libmedia.so]
0x00000001 (NEEDED) Shared library: [libutils.so]
0x00000001 (NEEDED) Shared library: [libbinder.so]
0x00000001 (NEEDED) Shared library: [liblog.so]
0x00000001 (NEEDED) Shared library: [libstdc++.so]
0x00000001 (NEEDED) Shared library: [libm.so]
0x00000001 (NEEDED) Shared library: [libc.so]
0x00000001 (NEEDED) Shared library: [libdl.so]
0x0000001a (FINI_ARRAY) 0xbc3b8
0x0000001c (FINI_ARRAYSZ) 8 (bytes)
0x00000019 (INIT_ARRAY) 0xbc3c0
0x0000001b (INIT_ARRAYSZ) 36 (bytes)
0x00000020 (PREINIT_ARRAY) 0xbc3e4
0x00000021 (PREINIT_ARRAYSZ) 0x8
0x00000016 (TEXTREL) 0x0
0x0000001e (FLAGS) TEXTREL BIND_NOW
0x6ffffffb (FLAGS_1) Flags: NOW
0x00000000 (NULL) 0x0
Displaying notes found in: .note.gnu.gold-version
Owner Data size Description
GNU 0x00000009 NT_GNU_GOLD_VERSION (gold version)
Version: gold 1.11
Attribute Section: aeabi
File Attributes
Tag_CPU_name: "ARM v7"
Tag_CPU_arch: v7
Tag_CPU_arch_profile: Application
Tag_ARM_ISA_use: Yes
Tag_THUMB_ISA_use: Thumb-2
Tag_FP_arch: VFPv3
Tag_Advanced_SIMD_arch: NEONv1
Tag_ABI_PCS_GOT_use: GOT-indirect
Tag_ABI_PCS_wchar_t: 4
Tag_ABI_FP_denormal: Needed
Tag_ABI_FP_exceptions: Needed
Tag_ABI_FP_number_model: IEEE 754
Tag_ABI_align_needed: 8-byte
Tag_ABI_enum_size: int
Tag_ABI_HardFP_use: Deprecated
Tag_ABI_optimization_goals: Aggressive Speed
Tag_CPU_unaligned_access: v6
Tag_ABI_FP_16bit_format: IEEE 754
Tag_DIV_use: Not allowed
Tag_Virtualization_use: TrustZone
It would seem that the only libs this file depends on are the following:
Code:
0x00000001 (NEEDED) Shared library: [libtinyalsa.so]
0x00000001 (NEEDED) Shared library: [libmedia.so]
0x00000001 (NEEDED) Shared library: [libutils.so]
0x00000001 (NEEDED) Shared library: [libbinder.so]
0x00000001 (NEEDED) Shared library: [liblog.so]
0x00000001 (NEEDED) Shared library: [libstdc++.so]
0x00000001 (NEEDED) Shared library: [libm.so]
0x00000001 (NEEDED) Shared library: [libc.so]
0x00000001 (NEEDED) Shared library: [libdl.so]
So now we need the right version of these in /system/lib/ and it might work.
EDIT:
I also ran this command on gocsdk:
Code:
0x00000001 (NEEDED) Shared library: [libbinder.so]
0x00000001 (NEEDED) Shared library: [libmedia.so]
0x00000001 (NEEDED) Shared library: [libutils.so]
0x00000001 (NEEDED) Shared library: [liblog.so]
0x00000001 (NEEDED) Shared library: [libstdc++.so]
0x00000001 (NEEDED) Shared library: [libm.so]
0x00000001 (NEEDED) Shared library: [libc.so]
0x00000001 (NEEDED) Shared library: [libdl.so]
So it seems that libtinyalsa.so might be our missing file!
sdsdk needs it and gocsdk doesn't.
Edit 2:
Okay, I've extracted the missing files from a recent Android 6 ROM which had working BT on my unit. I've created an archive with all the files that I think are missing in Android 8, in their respective folders. Copy and paste them to the right folders on your unit and set permissions to 777 for each file (you'll need a root browser for this). I haven't had time to test it for myself, but this will hopefully fix this mess.
Edit 3:
Well, it seems that the missing files I gathered up aren't complete yet. I can confirm that 'sdsdk' is indeed crashing because it is missing dependencies. Executing the file from the terminal generates this error message:
"CANNOT LINK EXECUTABLE 'sdsdk' has text relocations"
Sadly I am currently at a loss getting the name and paths out of 'sdsdk' with readelf.
Edit 4:
After more reading it would seem that Google disabled text relocations for applications running in userland. So this error seems logical, since I was running the terminal in userland.
Hello Switchboy, I did put the files in the locations as shown in your zip file.
It does not work on my HU.
The sdsdk executable is currently not working because of text relocations which aren't allowed in Android in userland anymore. So we either need to find a way to run sdsdk outside userland or find an sdsdk executable without text relocations. A version from android 7 might work.
See attached logcat
switchboy said:
The sdsdk executable is currently not working because of text relocations which aren't allowed in Android in userland anymore. So we either need to find a way to run sdsdk outside userland or find an sdsdk executable without text relocations. A version from android 7 might work.
See attached logcat
Click to expand...
Click to collapse
Great detailed summary and investigation into the issue.
Thanks for taking the time and sharing with the forums.
Until these blobs are updated or other software solution is found, we may have found a supplier for genuine GOC-MD-725.
Update
Not deterred, I managed to find a version of sdsdk without text relocations. I actually just took it out of the Android 7 ROM for PX3, figuring that support for text relocations in userland had been dropped by then. It turns out I was right: 'readelf -d sdsdk' did not show the dreaded '0x00000016 (TEXTREL) 0x0' anymore.
Hooray!
Therefore, after checking the shared library list and not seeing any new libraries I went ahead and overwrote my old version of sdsdk with this one. I rebooted the device and… nothing.
After reviewing the logcat to find out what went wrong, the following error message repeats a couple of times:
Code:
libc ( 1008): CANNOT LINK EXECUTABLE "/system/bin/sdsdk": cannot locate symbol "_ZN7android10AudioTrackC1E19audio_stream_type_tj14audio_format_tjj20audio_output_flags_tPFviPvS4_ES4_i15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tiiPK18audio_attributes_tbf" referenced by "/system/bin/sdsdk"...
11-19 14:46:00.787 F/libc ( 1008): Fatal signal 6 (SIGABRT), code -6 in tid 1008 (sdsdk)
11-19 14:46:00.829 F/DEBUG ( 1013): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
11-19 14:46:00.829 F/DEBUG ( 1013): Build fingerprint: 'Android/px5/px5:8.0.0/OPR5.170623.007/hct08091121:userdebug/test-keys'
11-19 14:46:00.829 F/DEBUG ( 1013): Revision: '0'
11-19 14:46:00.829 F/DEBUG ( 1013): ABI: 'arm'
11-19 14:46:00.829 F/DEBUG ( 1013): pid: 1008, tid: 1008, name: sdsdk >>> /system/bin/sdsdk <<<
11-19 14:46:00.829 F/DEBUG ( 1013): signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
11-19 14:46:00.830 F/DEBUG ( 1013): Abort message: 'CANNOT LINK EXECUTABLE "/system/bin/sdsdk": cannot locate symbol "_ZN7android10AudioTrackC1E19audio_stream_type_tj14audio_format_tjj20audio_output_flags_tPFviPvS4_ES4_i15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tiiPK18audio_attributes_tbf" referenced by "/system/bin/sdsdk"...'
11-19 14:46:00.830 F/DEBUG ( 1013): r0 00000000 r1 000003f0 r2 00000006 r3 00000008
11-19 14:46:00.830 F/DEBUG ( 1013): r4 000003f0 r5 000003f0 r6 ffe4d100 r7 0000010c
11-19 14:46:00.830 F/DEBUG ( 1013): r8 f70b0010 r9 ffe4d3a8 sl f70fcd90 fp ffe4e3b4
11-19 14:46:00.830 F/DEBUG ( 1013): ip 00000000 sp ffe4d0f0 lr f7164bc7 pc f716ede8 cpsr 200f0010
11-19 14:46:00.839 F/DEBUG ( 1013):
11-19 14:46:00.839 F/DEBUG ( 1013): backtrace:
11-19 14:46:00.839 F/DEBUG ( 1013): #00 pc 00066de8 /system/bin/linker (__dl_tgkill+12)
11-19 14:46:00.839 F/DEBUG ( 1013): #01 pc 0005cbc3 /system/bin/linker (__dl_abort+54)
11-19 14:46:00.839 F/DEBUG ( 1013): #02 pc 00018641 /system/bin/linker (__dl___libc_fatal+24)
11-19 14:46:00.839 F/DEBUG ( 1013): #03 pc 0000fcb5 /system/bin/linker (__dl___linker_init+1956)
11-19 14:46:00.839 F/DEBUG ( 1013): #04 pc 00014d50 /system/bin/linker (_start+4)
11-19 14:46:00.858 W/NativeCrashListener( 499): Couldn't find ProcessRecord for pid 1008
Therefore, I assume that one of the libs sdsdk depends on was updated and is now not quite compatible anymore. I am a bit hesitant to start altering system audio libraries willy-nilly, because then I might start to break the audio subsystem of the ROM. So unless I can find a version of sdsdk that is compatible with the audio subsystem of Android 8, we are stuck at the moment.
Since the MD725 type 2 is a chip used in a lot of BT dongles as well, there must be a device out there currently running Android Oreo. I can't think of any reason why an sdsdk ripped from such firmware would not work on our Oreo installation. We just have to find it.
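The three checks this thread keeps coming back to (the undefined _GLOBAL_OFFSET_TABLE_ symbol in dhd.ko earlier on, the DT_NEEDED and TEXTREL entries switchboy read off sdsdk with readelf, and the "cannot locate symbol" failure in the logcat above) are all answerable from an ELF file's section headers. The following is an added example, not code from the thread or from any of the firmware discussed: it uses only the Python standard library, and the images it inspects are constructed in memory by build_sample_elf() with placeholder symbol and library names, not the real sdsdk, dhd.ko or libmedia.so. It handles both ELF32 (the ARM v7 binaries here) and ELF64.

```python
"""Walk an ELF image's section headers to list DT_NEEDED libraries, detect text
relocations and collect undefined/defined symbols (what readelf -d / readelf -s
show), then find imports that no given library provides. Added example."""
import struct

SHT_SYMTAB, SHT_STRTAB, SHT_DYNAMIC, SHT_DYNSYM = 2, 3, 6, 11
DT_NULL, DT_NEEDED, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 1, 0x16, 0x1e, 0x4
SHN_UNDEF = 0


def _formats(elf_class, le=True):
    """struct formats for ELF32 (class 1) / ELF64 (class 2); little-endian by default."""
    e = "<" if le else ">"
    if elf_class == 1:
        return {"ehdr": e + "HHIIIIIHHHHHH", "shdr": e + "IIIIIIIIII", "sym": e + "IIIBBH", "dyn": e + "iI"}
    return {"ehdr": e + "HHIQQQIHHHHHH", "shdr": e + "IIQQQQIIQQ", "sym": e + "IBBHQQ", "dyn": e + "qQ"}


def _cstr(table, offset):
    """NUL-terminated string at `offset` of a string table section."""
    return table[offset:table.index(b"\0", offset)].decode("ascii", "replace")


def inspect_elf(data):
    """Return {'needed', 'textrel', 'undefined', 'defined'} for one ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class, f = data[4], _formats(data[4], data[5] == 1)
    ehdr = struct.unpack_from(f["ehdr"], data, 16)
    shoff, shentsize, shnum = ehdr[5], ehdr[10], ehdr[11]  # e_shoff, e_shentsize, e_shnum
    shdrs = [struct.unpack_from(f["shdr"], data, shoff + i * shentsize) for i in range(shnum)]
    out = {"needed": [], "textrel": False, "undefined": [], "defined": []}
    for sh in shdrs:  # (name, type, flags, addr, offset, size, link, info, align, entsize)
        sh_type, sh_off, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM, SHT_DYNAMIC):
            continue
        link = shdrs[sh_link]  # sh_link names the string table this section uses
        strs = data[link[4]:link[4] + link[5]]
        kind = "dyn" if sh_type == SHT_DYNAMIC else "sym"
        step = sh_entsize or struct.calcsize(f[kind])
        for off in range(sh_off, sh_off + sh_size, step):
            fields = struct.unpack_from(f[kind], data, off)
            if kind == "dyn":
                tag, val = fields
                if tag == DT_NULL:
                    break
                if tag == DT_NEEDED:
                    out["needed"].append(_cstr(strs, val))
                elif tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    out["textrel"] = True  # readelf shows this as (TEXTREL) / FLAGS TEXTREL
            elif fields[0]:  # st_name == 0 is the mandatory null symbol
                st_shndx = fields[5] if elf_class == 1 else fields[3]  # field order differs per class
                out["undefined" if st_shndx == SHN_UNDEF else "defined"].append(_cstr(strs, fields[0]))
    return out


def unresolved_symbols(binary, libraries):
    """Imports of `binary` that none of `libraries` define: what the Android
    linker reports as 'cannot locate symbol'."""
    provided = {s for lib in libraries for s in inspect_elf(lib)["defined"]}
    return [s for s in inspect_elf(binary)["undefined"] if s not in provided]


def build_sample_elf(elf_class=1, undefined=(), defined=(), needed=(), textrel=False):
    """Constructed minimal ELF (null, .strtab, .symtab, .dynstr, .dynamic sections,
    no code or program headers), just enough to exercise inspect_elf()."""
    f = _formats(elf_class)
    strtab, names = b"\0", {}
    for name in list(undefined) + list(defined):
        names[name] = len(strtab)
        strtab += name.encode() + b"\0"

    def sym(name, shndx):  # STB_GLOBAL | STT_NOTYPE; ELF64 orders the fields differently
        args = (names[name], 0, 0, 0x10, 0, shndx) if elf_class == 1 else (names[name], 0x10, 0, shndx, 0, 0)
        return struct.pack(f["sym"], *args)

    symtab = bytes(struct.calcsize(f["sym"]))  # null symbol
    symtab += b"".join(sym(n, SHN_UNDEF) for n in undefined) + b"".join(sym(n, 1) for n in defined)
    dynstr, dyn = b"\0", b""
    for lib in needed:
        dyn += struct.pack(f["dyn"], DT_NEEDED, len(dynstr))
        dynstr += lib.encode() + b"\0"
    dyn += (struct.pack(f["dyn"], DT_TEXTREL, 0) if textrel else b"") + struct.pack(f["dyn"], DT_NULL, 0)
    bodies = [b"", strtab, symtab, dynstr, dyn]  # index 0 is the null section
    types, links = [0, SHT_STRTAB, SHT_SYMTAB, SHT_STRTAB, SHT_DYNAMIC], [0, 0, 1, 0, 3]
    ehsize, shentsize = 16 + struct.calcsize(f["ehdr"]), struct.calcsize(f["shdr"])
    offsets, payload = [], b""
    for body in bodies:
        offsets.append(ehsize + len(payload))
        payload += body
    shoff, machine = ehsize + len(payload), (40 if elf_class == 1 else 183)  # EM_ARM / EM_AARCH64
    ident = b"\x7fELF" + bytes([elf_class, 1, 1]) + b"\0" * 9  # class, little-endian, EV_CURRENT
    ehdr = ident + struct.pack(f["ehdr"], 1, machine, 1, 0, 0, shoff, 0, ehsize, 0, 0, shentsize, len(bodies), 0)
    shdrs = b"".join(struct.pack(f["shdr"], 0, types[i], 0, 0, offsets[i], len(bodies[i]), links[i], 0, 1, 0)
                     for i in range(len(bodies)))
    return ehdr + payload + shdrs


if __name__ == "__main__":  # constructed names only; not the real sdsdk / dhd.ko / libmedia.so
    module = build_sample_elf(undefined=["_GLOBAL_OFFSET_TABLE_"], defined=["init_module"])
    daemon = build_sample_elf(undefined=["AudioTrack_ctor_old"], needed=["libtinyalsa.so", "libmedia.so"], textrel=True)
    print("module :", inspect_elf(module))
    print("daemon :", inspect_elf(daemon))
    print("missing:", unresolved_symbols(daemon, [build_sample_elf(defined=["AudioTrack_ctor_new"])]))
```

On a real file, pass `open(path, "rb").read()` to inspect_elf(): an undefined _GLOBAL_OFFSET_TABLE_ in a .ko is the symptom the -fno-pic change removes, a `textrel` of True is what the Android linker rejects for userland executables, and unresolved_symbols() run against the libraries named in `needed` (resolved from /system/lib) shows which import the Oreo libmedia.so no longer exports before anything is copied onto the unit.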
I love your persistence!
Did you also copy over the associated libraries? Typically, one can copy over the entire web of libraries required by a specific binary, and use those only for such binary, while leaving the rest of the system libraries alone. However, such solution may make things work, but may break integrations that Android may have had.
If only we had the source code ........
Seems like https://source.android.com/reference/hal/structaudio__policy may reference audio_offload_info_t. I'll take a look. I might as well just scrape all the symbols to get a layout of what's calling what.
If only we had the sourcecode of sdsdk I could debug it against current libraries rewrite it a bit and then compile a working version.
@switchboy I am really impressed with the level of debugging and research you went into! Thank you!!
It makes it more confusing that my Bluetooth works for around 30 minutes or so (or until I end a call) before my phone disconnects (but the HU still thinks it is connected).
marchnz said:
Great detailed summary and investigation into the issue.
Until these blobs are updated or other software solution is found, we may have found a supplier for genuine GOC-MD-725.
Click to expand...
Click to collapse
I am very interested in this supplier!
jimimatthews said:
@switchboy I am really impressed with the level of debugging and research you went into! Thank you!!
It makes it more confusing that my Bluetooth works for around 30 minutes or so (or until I end a call) before my phone disconnects (but the HU still thinks it is connected).
Click to expand...
Click to collapse
Could you by any chance upload the sdsdk which is in your bin folder on the HU? To double check if it is the same one from the OP.
jimimatthews said:
I am very interested in this supplier!
Click to expand...
Click to collapse
Check the md725 module 1 and 2 swap thread
I'm getting a similar issue with my Bluetooth.
A2DP, Call History and Contact Sync all work
but Calling does not work properly. People can hear me, but I cannot hear them through my speakers.
I'm using an AVIN PX5
MCU version: MTCE_GS_V2.94_3 Sep 13 2018 11:26:51
I'm wondering if any MCU updates are available to resolve this issue?