Database Info

Android with Wifi Thread - Cooler wifi

Update:
handsets are becoming very hot when wifi is used, you can make them use less power by using the rootfs.img provided, changes where made to tiwlan.ini during testing which keeps the wifi on active even when not in use, this version has reverted the changes and now power saving can be used once more.
http://drop.io/coolerwifikaiser
Aims:
Wakelocks?
Looks like this thread has served its purpose

Wow, are you actually doing all of these commands through the phone? >_<
I really want to see wifi rollin on android too, can't wait to load the ol' Tilt up with it.

the '-f' option
Hi,
a short question, you wrote...
Code:
'wpa_supplicant -f -Dtiwlan0 -itiwlan0 -c/data/misc/wifi/wpa_supplicant.conf &'
...and I've allready seen this in different ohter posts, but I don't know what the '-f' option effects.
I allready browsed the manpages an this option ins't listed. I just tried the command without this statement and it also worked (but did not create the output '-Dtiwlan0' to '/data/local/tmp'). But wlan also doesn't work...

For Polaris users who might need this info:
First things first, make sure wlan works in Windows Mobile. This seems to be the procedure for getting the wlan into do something in Android. It seems to be very similar to the wifi tethering guides on the G1.
Custom Kernel
We need a kernel, the kernel config produced by make vogue_defconfig ARCH=arm leaves the wireless extensions disabled, so this might the cause of the missing mac address in ifconfig. Current attempts to produce a kernel with these extensions have caused the settings dialogues and ifconfig to hang, Ctrl+C does not force an exit. I'll continue to investigate this.
Tiwlan kernel module
I've found another version of the tiwlan driver, other than the one that is currently in git master which loads the firmware and gives the ok - OK
Download Update: This driver skipped checks, ignore it
so lets see if we can merge this with the newer driver to get a working one.
Initial Variables
Code:
setprop wifi.interface tiwlan0
WLan Commands
Modprobe Method:
Code:
mkdir -p /lib/modules/`uname -r`
cp /sdcard/wlan.ko /lib/modules/`uname -r`/
Insmod Method:
Code:
insmod /sdcard/wlan.ko
Tiwlan0 Mac address: No
Required Output: TIWLAN: Driver loaded
WLAN_Loader
Code:
wlan_loader -f /sdcard/Fw1251r1c.bin -e /proc/calibration -i /sdcard/tiwlan.ini
Tiwlan0 Mac address: No
Required Output: Set property wlan.driver.status = ok - Ok
ifconfig -a might need to show a mac address at this point, i'm still not sure when ifconfig -a gets the mac address info
Code:
wpa_supplicant -ddK -Dtiwlan0 -itiwlan0 -c/sdcard/wpa_supplicant.conf &
ifconfig -a must show a mac address or the next step will error out, you can assign one using the following command, just change it to mac address you see in windows. However simply assigning one with this command might not be enough, it could be the sign of a bigger problem.
Code:
ifconfig tiwlan0 hw ether 00:00:00:00:00:00
Code:
ifconfig tiwlan0 192.168.1.100 netmask 255.255.255.0
ifconfig tiwlan0 up
Log Collecting:
Dmesg - Its a ring buffer so as new info is added old info will be removed, you need to run the command right after insmod or modprobe to see if it worked ok.
Code:
[B]dmesg|grep -i wlan[/B]
TIWLAN: Found SDIO controller (vendor 0x104c, device 0x9066)
TIWLAN: Driver initialized (rc 0)
TIWLAN: 1251 PG [B]1.1[/B]
TIWLAN: Driver loaded
If i'm right The kaiser has 1.1. the G1 has 1.2, its a reference to the chip used.
Logcat
You can run logcat at the start to keep a log of everything the machine has done since android has started. If you run it like this it will keep logging to the file as you run other commands so when you boot back to WM and sync you can open the file in an editor like Notepad++ and see what happened. This is the first thing i run when i get to the root shell
Code:
logcat -f /sdcard/debuglog.txt &
After running the wlan_loader you can run this to check it worked ok:
Code:
[B]grep -i 'wlan' /sdcard/debuglog.txt[/B]
D/wlan_loader( 395): adapter tiwlan0, eeprom /proc/calibration, init /sdcard/tiwlan.ini, firmware /sdcard/Fw1251r1c.bin
D/wlan_loader( 395): Configuring adapter
D/wlan_loader( 395): Adapter configuration rc = 0
D/wlan_loader( 395): Starting configMge
D/wlan_loader( 395): ConfigMge start rc = 0
D/wlan_loader( 395): Driver configured
D/wlan_loader( 395): Firmware loaded and running OK
D/wlan_loader( 395): Set property wlan.driver.status = ok - Ok
i did once end up with the ok - Ok but it was hit and miss, and i've ended up with all sorts from ok - Fail to fail - Ok to fail - Fail but ifconfig has never shown a mac address on its own
Email to...
The terminal emulator in android should have an option in the menu to email everything you've seen to an email address, use that to keep logs of the entire session. Better terminal has this feature, but it stopped working, try
Files
Fw1251r1c.bin
The firmware filenames of the G1 and the Kaiser have the same name. So we should get a list of good kaiser firmware to rule firmware issues out as soon as possible. If you can connect in windows mobile to a wpa secured AP then the Fw1251r1c.bin in the windows folder on the rom should be the one you are using in Android.
File, Size in bytes, MD5SUM, Source
Fw1251r1c.bin, 185388, ebf5c2036d37bc56b4d41ddcbda4311e, 6.1 WWE ROM shifu, Download
tiwlan.ini
Lets get a good tiwlan.ini file, so we know if its causing issues.
Values:
Comming Soon...
wpa_supplicant.conf
Code:
ctrl_interface=tiwlan0
ap_scan=1
eapol_version=1
fast_reauth=1
eapol_version=1
update_config=1
network={
ssid="WIFISSID"
...
priority=1
}
-------------------------------------------------------------------------------------
Quick Scripts:
Its hard to type long commands on the keyboard so here are some scripts to help:
Code:
[B]/sdcard/cmd1[/B]
#!/bin/sh
echo 'Setting Variables...'
setprop wifi.interface tiwlan0
echo 'Variables Set!'
echo 'Logging to /sdcard/debuglog.txt...'
pkill logcat
logcat -f /sdcard/debuglog.txt &
echo 'Logger Started!'
echo 'Copying WLan Module...'
mkdir -p /lib/modules/`uname -r`
cp /system/lib/modules/wlan.ko /lib/modules/`uname -r`/
echo 'Module Coppied!'
echo 'Loading Module...'
modprobe wlan
lsmod
echo 'Module Loaded!'
#
Code:
[B]/sdcard/cmd2[/B]
#!/bin/sh
echo 'Running Loader...'
wlan_loader -f /sdcard/Fw1251r1c.bin -e /sdcard/calibration -i /sdcard/tiwlan.ini
echo 'Loder Completed'
echo 'Ifconfig Output'
ifconfig -a
dmesg|grep -i wlan
cat /sdcard/debuglog.txt... |grep -i wlan
#
Output:
$ su
~ # cd /sdcard/
/sdcard # ./cmd1
Setting Variables...
Variables Set!
Logging to /sdcard/debuglog.txt...
Logger Started!
Copying WLan Module...
Module Coppied!
Loading Module...
wlan 584168 0 - Live 0xbf000000
Module Loaded!
/sdcard # ./cmd2
Running Loader...
Loder Completed
Ifconfig Output
tiwlan0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
[ 96.701234] TIWLAN: Driver loading
[ 97.593872] TIWLAN: Found SDIO controller (vendor 0x104c, device 0x9066)
[ 97.599251] TIWLAN: Driver initialized (rc 0)
[ 97.599511] TIWLAN: 1251 PG 1.1
[ 97.599547] TIWLAN: Driver loaded
D/wlan_loader( 518): adapter tiwlan0, eeprom /sdcard/calibration, init /system/etc/wifi/tiwlan.ini, firmware /sdcard/Fw1251r1c.bin
D/wlan_loader( 518): Configuring adapter
D/wlan_loader( 518): Adapter configuration rc = 0
D/wlan_loader( 518): Starting configMge
D/wlan_loader( 518): ConfigMge start rc = 0
D/wlan_loader( 518): Driver configured
D/wlan_loader( 518): Firmware loaded and running OK
D/wlan_loader( 518): Set property wlan.driver.status = ok - Ok

thanks,
how did you manage that configMge doesn't fail on start? I still get 'rc = -1'. Did you build a new 'wlan.ko' with the Kernelsource from git (Vogue/Kaiser)? And what firmware are you using (the original or the extracted?)
maybe you can post your files for testing...

toasty_ said:
thanks,
how did you manage that configMge doesn't fail on start? I still get 'rc = -1'. Did you build a new 'wlan.ko' with the Kernelsource from git (Vogue/Kaiser)? And what firmware are you using (the original or the extracted?)
maybe you can post your files for testing...
Click to expand...
Click to collapse
Its either the variable being set or modprobe being used that does the trick, so try those, i'm in the middle of compiling a newer kernel to see if it works better

Thx for the short Tutorial and the scripts. Unfortunately I still get the message:
Code:
'ConfigMge start rc = -1'
I think the reason is the (my) wlan.ko module - it shows following message/warning while loading (insmod and modprobe)
Code:
wlan: version magic '2.6.25-00818-gf668526 preempt mod_unload ARMv6 ' should be '2.6.25-00832-g42c5da5 preempt mod_unload ARMv6'
but its loaded...
especialy lsmod gives me another value for the second number (think the allocated memory):
Code:
wlan 583852 0 - Live 0xbf000000
I use the firmware from '3.34.shifuv11F WWE':
Size: 185388 byte
MD5: ebf5c2036d37bc56b4d41ddcbda4311e
dmesg:
Code:
[ 114.718730] TIWLAN: Driver loading
[ 115.079288] TIWLAN: Found SDIO controller (vendor 0x104c, device 0x9066)
[ 115.084840] TIWLAN: Driver initialized (rc 0)
[ 115.084952] TIWLAN: Driver loaded
[ 122.852419] TIWLAN: TIWLAN: Failed to start config manager
logcat:
Code:
D/wlan_loader( 444): adapter tiwlan0, eeprom /proc/calibration, init /sdcard/wlan/tiwlan.ini, firmware /sdcard/wlan/Fw1251r1c.bin
D/wlan_loader( 444): Configuring adapter
D/wlan_loader( 444): Adapter configuration rc = 0
D/wlan_loader( 444): Starting configMge
D/wlan_loader( 444): ConfigMge start rc = -1
D/wlan_loader( 444): Driver configuration failed (-1)
E/wlan_loader( 444): init_driver() failed
D/wlan_loader( 444): Set property wlan.driver.status = failed - Ok
can you tell me what wlan.ko you are using - maybe a link...

Upon further investigation it turns out that a specific version of the firmware and a compatible wlan.ko are needed to get it to work, i'm rolling up a fresh system.img to test now, i'll post it if it works

http://forum.xda-developers.com/showthread.php?p=4231219

toasty_ said:
Thx for the short Tutorial and the scripts. Unfortunately I still get the message:
Code:
'ConfigMge start rc = -1'
I think the reason is the (my) wlan.ko module - it shows following message/warning while loading (insmod and modprobe)
Code:
wlan: version magic '2.6.25-00818-gf668526 preempt mod_unload ARMv6 ' should be '2.6.25-00832-g42c5da5 preempt mod_unload ARMv6'
but its loaded...
especialy lsmod gives me another value for the second number (think the allocated memory):
Code:
wlan 583852 0 - Live 0xbf000000
I use the firmware from '3.34.shifuv11F WWE':
Size: 185388 byte
MD5: ebf5c2036d37bc56b4d41ddcbda4311e
dmesg:
Code:
[ 114.718730] TIWLAN: Driver loading
[ 115.079288] TIWLAN: Found SDIO controller (vendor 0x104c, device 0x9066)
[ 115.084840] TIWLAN: Driver initialized (rc 0)
[ 115.084952] TIWLAN: Driver loaded
[ 122.852419] TIWLAN: TIWLAN: Failed to start config manager
logcat:
Code:
D/wlan_loader( 444): adapter tiwlan0, eeprom /proc/calibration, init /sdcard/wlan/tiwlan.ini, firmware /sdcard/wlan/Fw1251r1c.bin
D/wlan_loader( 444): Configuring adapter
D/wlan_loader( 444): Adapter configuration rc = 0
D/wlan_loader( 444): Starting configMge
D/wlan_loader( 444): ConfigMge start rc = -1
D/wlan_loader( 444): Driver configuration failed (-1)
E/wlan_loader( 444): init_driver() failed
D/wlan_loader( 444): Set property wlan.driver.status = failed - Ok
can you tell me what wlan.ko you are using - maybe a link...
Click to expand...
Click to collapse
So you'll have to compile a custom kernel, then a custom wlan.ko before you try this. I have also uploaded the wifi firmware, a link is in the first post

Custom Kernel:
I use the Kernelsources from git ("git.linuxtogo.org", vogue branch). I also tried to build the 'wlan.ko' from Android-source (I set 'KERNEL_DIR' to the Folder of my Kernel source). If I run make I get some errors because of missing include-files.
//Edit: just made symlink to arm-msm
If I'm home on weekend I try to build a new wlan.ko for my kernel. Is there anything, that needs to be patched for kernel 2.6.25?
btw. I found this page http://www.johandekoning.nl/index.php, there are some information about wlan and firmware loading issues (for the G1, but nearly the same problemes)

I didn't do anything special to get a wlan.ko, just compiled it as normal:
Code:
KERNEL_DIR=/Android/kernel make ARCH=arm CROSS_COMPILE=arm-none-linux-gnueabi-
Current status from error log:
Code:
D/wlan_loader( 406): adapter tiwlan0, eeprom /proc/calibration, init /system/etc/wifi/tiwlan.ini, firmware /system/etc/wifi/Fw1251r1c.bin
D/wlan_loader( 406): Configuring adapter
D/wlan_loader( 406): Adapter configuration rc = 0
D/wlan_loader( 406): Starting configMge
D/wlan_loader( 406): ConfigMge start rc = 0
D/wlan_loader( 406): Driver configured
D/wlan_loader( 406): Firmware loaded and running OK
D/wlan_loader( 406): Set property wlan.driver.status = ok - Ok
D/dalvikvm( 161): GC freed 11747 objects / 572968 bytes in 363ms
V/WifiMonitor( 161): Event [CTRL-EVENT-STATE-CHANGE id=-1 state=2]
V/WifiMonitor( 161): Event [CTRL-EVENT-STATE-CHANGE id=-1 state=1]
D/SettingsWifiEnabler( 390): Received wifi state changed from Enabling to Enabled
V/WifiMonitor( 161): Event [CTRL-EVENT-STATE-CHANGE id=-1 state=2]
V/WifiMonitor( 161): Event [CTRL-EVENT-STATE-CHANGE id=-1 state=1]
[B]D/WifiHW ( 161): 'DRIVER RSSI' command timed out.[/B]
[B]D/WifiHW ( 161): 'DRIVER LINKSPEED' command timed out.[/B]
[B]D/WifiHW ( 161): 'DRIVER MACADDR' command timed out.[/B]
V/WifiStateTracker( 161): Connection to supplicant established, state=INACTIVE
[B]D/WifiHW ( 161): 'DRIVER RXFILTER-ADD 0' command timed out.[/B]
[B]D/WifiHW ( 161): 'DRIVER BTCOEXSCAN-STOP' command timed out.[/B]
V/WifiStateTracker( 161): Changing supplicant state: INACTIVE ==> SCANNING
I/WindowManager( 161): Setting rotation to 1, animFlags=1
I/WindowManager( 161): Config changed: { scale=1.0 imsi=0/0 locale=en touch=3 key=2/1/1 nav=1 orien=2 }
[B]D/WifiHW ( 161): 'DRIVER SCAN-PASSIVE' command timed out.[/B]
V/WifiStateTracker( 161): Changing supplicant state: SCANNING ==> INACTIVE
V/WifiStateTracker( 161): Changing supplicant state: INACTIVE ==> SCANNING
V/WifiStateTracker( 161): Changing supplicant state: SCANNING ==> INACTIVE
W/WindowManager( 161): Window freeze timeout expired.
W/WindowManager( 161): Force clearing orientation change: Window{43120508 StatusBar paused=false}
[B]D/WifiHW ( 161): 'SCAN_RESULTS' command timed out.[/B]
D/StatusBar( 161): updateResources
I/WindowManager( 161): Config changed: { scale=1.0 imsi=0/0 locale=en touch=3 key=2/1/2 nav=1 orien=2 }
D/dalvikvm( 161): GC freed 5792 objects / 384744 bytes in 220ms
D/StatusBar( 161): updateResources
[B]D/WifiHW ( 161): 'LIST_NETWORKS' command timed out.[/B]
W/SurfaceFlinger( 161): timeout expired mFreezeDisplay=1, mFreezeCount=1
W/WindowManager( 161): App freeze timeout expired.
W/WindowManager( 161): Force clearing freeze: AppWindowToken{43358af8 token=HistoryRecord{43358808 {com.android.settings/com.android.settings.wifi.WifiSettings}}}
D/WifiHW ( 161): 'STATUS' command timed out.
D/dalvikvm( 161): GC freed 946 objects / 43184 bytes in 188ms
D/dalvikvm( 317): GC freed 356 objects / 32824 bytes in 105ms
D/WifiHW ( 161): 'DRIVER RSSI' command timed out.
W/WindowManager( 161): Key dispatching timed out sending to com.android.settings/com.android.settings.wifi.WifiSettings
W/WindowManager( 161): Dispatch state: null
W/WindowManager( 161): Current state: {{null to Window{4335b828 com.android.settings/com.android.settings.wifi.WifiSettings paused=false} @ 1247587631205 lw=Window{4335b828 com.android.settings/com.android.settings.wifi.WifiSettings paused=false} [email protected] fin=false gfw=true ed=true tts=0 wf=false fp=false mcf=Window{4335b828 com.android.settings/com.android.settings.wifi.WifiSettings paused=false}}}
I/ActivityManager( 161): ANR (application not responding) in process: com.android.settings
I/ActivityManager( 161): Annotation: keyDispatchingTimedOut
I/ActivityManager( 161): CPU usage:
I/ActivityManager( 161): Load: 5.21 / 3.21 / 1.36
I/ActivityManager( 161): CPU usage from 9963ms to 28ms ago:
I/ActivityManager( 161): system_server: 8% = 7% user + 0% kernel
I/ActivityManager( 161): com.android.alarmclock: 1% = 1% user + 0% kernel
I/ActivityManager( 161): com.android.phone: 0% = 0% user + 0% kernel
I/ActivityManager( 161): loop0: 0% = 0% user + 0% kernel
I/ActivityManager( 161): rild: 0% = 0% user + 0% kernel
I/ActivityManager( 161): android.process.acore: 0% = 0% user + 0% kernel
I/ActivityManager( 161): com.android.inputmethod.latin: 0% = 0% user + 0% kernel
I/ActivityManager( 161): android.process.media: 0% = 0% user + 0% kernel
I/ActivityManager( 161): TOTAL: 8% = 7% user + 1% kernel + 0% irq

toasty_ said:
Custom Kernel:
I use the Kernelsources from git ("git.linuxtogo.org", vogue branch). I also tried to build the 'wlan.ko' from Android-source (I set 'KERNEL_DIR' to the Folder of my Kernel source). If I run make I get some errors because of missing include-files.
If I'm home on weekend I try to build a new wlan.ko for my kernel. Is there anything, that needs to be patched for kernel 2.6.25?
btw. I found this page http://www.johandekoning.nl/index.php, there are some information about wlan and firmware loading issues (for the G1, but nearly the same problemes)
Click to expand...
Click to collapse
Sorry, my mistake, i did in fact have a different driver version. I have uploaded it, check the first post. This driver does not seem to work and will need to be modified.

thanks for the files, where did you get them? Compiling worked without any failure (just had to create a symlink to 'arch-msm'
it seem as if the firmware is loaded (on my phone it only works with the fw of the G1). I think it is realiy loaded because you get 'failed - OK' if you try to load it a 2nd time.
by the way have you extraced wlan-eeprom ('/proc/calibration') http://projects.linuxtogo.org/tracker/index.php?func=detail&aid=32&group_id=37&atid=273

toasty_ said:
thanks for the files, where did you get them? Compiling worked without any failure (just had to create a symlink to 'arch-msm'
it seem as if the firmware is loaded (on my phone it only works with the fw of the G1). I think it is realiy loaded because you get 'failed - OK' if you try to load it a 2nd time.
by the way have you extraced wlan-eeprom ('/proc/calibration') http://projects.linuxtogo.org/tracker/index.php?func=detail&aid=32&group_id=37&atid=273
Click to expand...
Click to collapse
Yes, i have extracted my eeprom file and i have found my mac address in there 3 times, which seems strange. I found the area which has the same start as the carlibration of a G1 (found here) and extracted a chunk to get the same size file. I tried it but it doesn't seem to make a difference. Maybe the data is read after the point at which we are having errors?

So I've played a bit around with the files. At the moment the driver is loaded and the firmware is accepted. But the wlan adapter still doesn't get a Mac.
Btw. if you take a look at the eeprom-file you find the MAC from Offset 0x5C to 0x61 in reverse order. Would be interesting the G1 eeprom-file looks like. Maybe somebody can 'cat /proc/calibration > /sdcard/calibration.bin'.
//***OK nearly the same as you said - should write faster***//
OK, yes found the offset in my file, but the its a bit different
Code:
G1:
02 11 56 06 1C 06 01 16 60 03 07 01 09 56 12 00 00 00 01 0D 56 40
Kaiser:
02 11 56 06 1C 06 [COLOR="Red"]00[/COLOR] 16 60 03 [COLOR="Red"]02[/COLOR] 01 09 56 12 00 00 00 01 0D 56 40

Ah, i made a mistake, still need to find where the contents of calibration are in the rom dump

Ok in romdump there are some more Offsets (0x243E5C8, 0x2500040, 0x2500840, 0x2520040 from full rom-dump) that have nearly the same byte order
But only in 0x2500840 and 0x2500040 my MAC is included --> I've checked with 'diff' both extracted Offsets (752 Byte) and they are same

toasty_ said:
So I've played a bit around with the files. At the moment the driver is loaded and the firmware is accepted. But the wlan adapter still doesn't get a Mac.
Btw. if you take a look at the eeprom-file you find the MAC from Offset 0x5C to 0x61 in reverse order. Would be interesting the G1 eeprom-file looks like. Maybe somebody can 'cat /proc/calibration > /sdcard/calibration.bin'.
//***OK nearly the same as you said - should write faster***//
OK, yes found the offset in my file, but the its a bit different
Code:
G1:
02 11 56 06 1C 06 01 16 60 03 07 01 09 56 12 00 00 00 01 0D 56 40
Kaiser:
02 11 56 06 1C 06 [COLOR="Red"]00[/COLOR] 16 60 03 [COLOR="Red"]02[/COLOR] 01 09 56 12 00 00 00 01 0D 56 40
Click to expand...
Click to collapse
Ok i found the correct location, I searched for 021156061c in the eeprom dump and found it. I haven't had a chance to test this yet. Also another interesting thing to note is that both the kaiser' and G1's mac address started with 00:18 :41

Newbie16 said:
Ok i found the correct location, I searched for 021156061c in the eeprom dump and found it. I haven't had a chance to test this yet. Also another interesting thing to note is that both the kaiser' and G1's mac address started with 00:18 :41
Click to expand...
Click to collapse
yap, my does it too...

[ROM][32B/MT3G] 'Stock' T-mob DRD35 (swype ROM) w/root

->current release<-
->RAM hack,CPU_FREQ 384000/528000<-
Stock DRD35 (swype ROM) w/root
built updated kernel (oldconfig) w/ netfilter
signed and ready to flash
Code:
#
# build.prop EDITS
#
ro.ril.hep=1
ro.ril.hsxpa=1
ro.ril.enable.dtm=1
ro.ril.gprsclass=10
ro.ril.hsdpa.category=8
ro.ril.enable.a53=1
ro.ril.enable.3g.prefix=1
ro.ril.htcmaskw1.bitmask = 4294967295
ro.ril.htcmaskw1 = 14449
ro.ril.hsupa.category = 5
ro.setupwizard.mode=OPTIONAL
#ro.com.android.dataroaming=false
ro.modversion=OpCode1300_Mod-v1
Code:
#
# default.prop EDITS
#
ro.secure=0
ro.allow.mock.location=0
ro.debuggable=1
persist.service.adb.enable=1
Thanks to:
Cyanogenmod (apn-conf.xml)
Amon_RA (busybox,network settings,update-script)
daproy (RAM Hack Kernel source)

32B right?

opcode1300 said:
->HERE<-
Stock DRD35 (swype ROM) w/root
built updated kernel (oldconfig) w/ netfilter
signed and ready to flash
Click to expand...
Click to collapse
You just did the exact same thing I did, at the same time. I just recompiled the kernel with netfilter support too!

cursordroid said:
You just did the exact same thing I did, at the same time. I just recompiled the kernel with netfilter support too!
Click to expand...
Click to collapse
lol your all kinds of busy today arent you. wish i knew more about all this to help more.

cursordroid said:
You just did the exact same thing I did, at the same time. I just recompiled the kernel with netfilter support too!
Click to expand...
Click to collapse
nice! the rom part was quick, signing sucked lol (java issues)
fabbio87 said:
32B right?
Click to expand...
Click to collapse
yep.

5 downloads.. any feedback?

ok, guess i didnt do as well as i thought, will have an update soon

chasing down some issues.. anyhelp
01-26 00:07:45.227: ERROR/RIL Acoustic(49): can't open /dev/htc-acoustic -1
01-26 00:07:47.457: ERROR/HTC Acoustic(51): Fail to open /system/etc/AudioPara_TMUS.csv -1.
01-26 00:08:01.317: ERROR/libEGL(88): h/w accelerated eglGetDisplay() failed (EGL_SUCCESS)
01-26 00:08:05.817: ERROR/PackageManager(88): Package org.zenthought.android.su has no signatures that match those in shared user android.uid.system; ignoring!
01-26 00:08:38.107: ERROR/ApplicationContext(88): Couldn't create directory for SharedPreferences file shared_prefs/wallpaper-hints.xml
01-26 00:09:35.031: ERROR/vold(47): Unable to lookup media '/devices/platform/msm_sdcc.1/mmc_host/mmc0/mmc0:0001'
01-26 00:09:35.031: ERROR/vold(47): Error processing uevent msg (No such file or directory)
01-26 00:09:36.291: ERROR/GTalkService(203): [ERROR: GTalkConnection.12] xmppError = null Connection failed. No response from server.
01-26 00:09:43.231: ERROR/wlan_loader(473): Cannot open eeprom image file </proc/calibration>: No such file or directory
01-26 00:09:43.231: ERROR/wlan_loader(473): init_driver() failed

opcode1300 said:
01-26 00:07:45.227: ERROR/RIL Acoustic(49): can't open /dev/htc-acoustic -1
01-26 00:07:47.457: ERROR/HTC Acoustic(51): Fail to open /system/etc/AudioPara_TMUS.csv -1.
01-26 00:08:01.317: ERROR/libEGL(88): h/w accelerated eglGetDisplay() failed (EGL_SUCCESS)
01-26 00:08:05.817: ERROR/PackageManager(88): Package org.zenthought.android.su has no signatures that match those in shared user android.uid.system; ignoring!
01-26 00:08:38.107: ERROR/ApplicationContext(88): Couldn't create directory for SharedPreferences file shared_prefs/wallpaper-hints.xml
01-26 00:09:35.031: ERROR/vold(47): Unable to lookup media '/devices/platform/msm_sdcc.1/mmc_host/mmc0/mmc0:0001'
01-26 00:09:35.031: ERROR/vold(47): Error processing uevent msg (No such file or directory)
01-26 00:09:36.291: ERROR/GTalkService(203): [ERROR: GTalkConnection.12] xmppError = null Connection failed. No response from server.
01-26 00:09:43.231: ERROR/wlan_loader(473): Cannot open eeprom image file </proc/calibration>: No such file or directory
01-26 00:09:43.231: ERROR/wlan_loader(473): init_driver() failed
Click to expand...
Click to collapse
Fixed, was an issue w/ su.
updated 1st post w/ new release

hello
this rom in english and espagnol
it's possible to add the french language ????
thanks

added ram hack / over clock mod

[Q] IPSEC on Gen8

Hello,
i'm trying urukdroid 0.5 and i can not use ipsec/l2tp with it
logcat say :
...
E/racoon ( 1972): libipsec failed pfkey open: Operation not permitted
I/racoon ( 1972): initiate new phase 2 negotiation: 192.168.0.200[4500]<=>192.168.0.10[4500]
I/racoon ( 1972): NAT detected -> UDP encapsulation (ENC_MODE 2->4).
I/racoon ( 1972): Adjusting my encmode UDP-Transport->Transport
I/racoon ( 1972): Adjusting peer's encmode UDP-Transport(4)->Transport(2)
E/racoon ( 1972): pfkey UPDATE failed: Function not implemented
E/racoon ( 1972): pfkey ADD failed: Function not implemented
...
is there a way to rebuild the urukdroid kernel with all ipsec function implemented ?

[DEV][CM7/AOSP] Hack you way into proprietary libs with gdb and IDA Pro

Hello folks,
This thread is about sharing tricks about porting Android on new devices, and in particular how to reverse-engineer proprietary files with specific tools. Specifically, I'll use my experience on the camera part of the HTC ChaCha as an example.
Prerequisites
Install or reinstall the stock ROM
Make sure your device is rooted. If not, you might need to unlock the bootloader (for example, with the XTC Clip for HTC phones), install ClockworkMod and finally flash the Superuser package. There are many tutorials elsewhere on this so be sure to use the search button
Install adb from the SDK and (if using Windows) the required drivers for communicating with adbd on the phone or tablet. For HTC phones, here is a direct link to the driver: http://goo-inside.me/tools/USB_driver_20101122_release.zip
Modify your PATH so that adb is in it (optional but useful)
Install the NDK. Go into clockworkmod, run "adb shell mount /system", then "adb push /opt/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/gdbserver /system/bin/" and finally "adb shell chmod 755 /system/bin/gdbserver".
You will need to replace the path to gdbserver above with the correct path to your NDK installation.
Make a CWM backup of the stock ROM, so that you can switch easily from between stock and your CyanogenMod / AOSP build.
Install the free evaluation version of IDA Pro, see http://www.hex-rays.com/products/ida/support/download_demo.shtml
The general idea
We mostly use binary libraries from the stock ROM, so the important part is to understand how to communicate with them properly.
Note: the exception is the Linux kernel, because we don't use binary kernels from stock ROMs in CM7 and AOSP as they are generally incompatible and lack features (overclocking, pure bluetooth stack, ...). I'll probably make another thread about hacking kernel sources.
So we have to understand how things communicate with each other & the order and content of messages that are passed between components of the system. Reading the sources of Android is generally the best way to begin, to trace the interactions from the Java side of things up to the kernel.
Reverse-engineering of APKs with apktool, dex2jar & jd-gui
I'll complete this part shortly.
Static reverse-engineering of libcamera.so
In the case of the camera, a quick analysis of the source shows the Camera application uses the android.hardware.Camera class, which is mostly a bridge to the C++ file android_hardware_Camera.cpp, itself another bridge to the libcamera_client, which in turns calls the camera service inside the process "mediaserver" through a Binder (an Android-specific IPC mechanism). This architecture in theory allows concurrent access to the camera (but who does that?)
So the actual part that talks to the hardware is in libcameraservice, loaded by mediaserver at runtime. Examining the code in CameraService.cpp shows that is communicates with the proprietary libcamera.so through a C++ interface, CameraHardwareInterface.h.
This is where the stuff from HTC in the ChaCha starts to diverge from the original Android sources. Loading libcamera.so in IDA Pro allows us to look at the actual CameraHardwareInterface virtual table. It is actually easy to locate in IDA by searching for " `vtable for'android::QualcommCameraHardware". However IDA does not automatically detect it's a table of function pointers, so use the Edit->Array with a size of 46 and an entry size of 4 (the size of a pointer).
By manually comparing the list of pointers to the CameraHardwareInterface.h in the CM7 sources, one can see two functions that can be added with the USE_GETBUFFERINFO in BoardConfig.mk define: getBufferInfo and encodeData. There is however another third function not present in CameraHardwareInterface.h, setFaceDetectionState(), just after getParameters(). Thus we have to add this function to CameraHardwareInterface.h so that the virtual table matches the one in libcamera.so.
Now it's also interesting to compare the list of symbols between libraries from different ROMs. In this case, we can try to extract the camera parameters in HTC's ROM, and see if they match the symbols in CM7. The supported list of parameters is provided in libcamera_client.so. Use the program objdump from the NDK to retrieve the list of symbols and have them sorted (if using Windows, you'll need Cygwin):
Code:
/opt/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/arm-linux-androideabi/bin/objdump -T libcamera_client-cm7.so |cut -d '_' -f 2- > sym-camera_client-cm7
/opt/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/arm-linux-androideabi/bin/objdump -T libcamera_client-htc.so |cut -d '_' -f 2- > sym-camera_client-htc
diff -u sym-camera_client-cm7 sym-camera_client-htc
There are a bunch of new interesting symbols not present in CM7. Some of them seem related to HTC's Ola face detection engine, whilst others are unknown:
Code:
+ZN7android16CameraParameters27KEY_PREVIEW_FRAME_RATE_MODEE
+ZN7android16CameraParameters16KEY_CAPTURE_MODEE
+ZN7android16CameraParameters17KEY_PICTURE_COUNTE
+ZN7android16CameraParameters27KEY_MAX_BURST_PICTURE_COUNTE
+ZN7android16CameraParameters19KEY_TOUCH_INDEX_AECE
+ZN7android16CameraParameters18KEY_TOUCH_INDEX_AFE
+ZN7android16CameraParameters16KEY_SCENE_DETECTE
+ZN7android16CameraParameters26KEY_SUPPORTED_SCENE_DETECTE
+ZN7android16CameraParameters23KEY_TAKING_PICTURE_ZOOME
+ZN7android16CameraParameters22KEY_SELECTABLE_ZONE_AFE
+ZN7android16CameraParameters32KEY_SUPPORTED_SELECTABLE_ZONE_AFE
...
Debugging libcamera.so
At this point it would be a bit time-consuming to statically check all code paths within the stock ROM to see what parameters are actually used when taking a normal picture. A easier way is to break into the setParameter function within libcamera to inspect at runtime the arguments. We'll use gdb for this.
Run "adb forward tcp:1234 tcp:1234" to forward the TCP port used by gdbserver. Then run an adb shell, then "su" to become root, then list the processes with "ps", and finally run "gdbserver :1234 --attach <pid of mediaserver>".
Not on the phone, but on the host, extract the libraries and mediaserver, then run gdb:
Code:
mkdir lib
cd lib
adb pull /system/lib
adb pull /system/bin/mediaserver
adb pull /system/bin/linker
/opt/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi-gdb mediaserver
In the gdb command prompt, enter "set height 0", "set solib-search-path ./" and then "target remote 127.0.0.1:1234". gdb should then show the loading of all .so files, such as "Reading symbols from /root/chacha/system/lib/libarimedia.so...
(no debugging symbols found)...done.". Sometimes nothing is shown, if so start over (exit gdb, reattach gdbserver, restart gdb).
Now we can set breakpoints on the functions that interest us. Open libcamera.so in IDA Pro, also have a look at the list of symbols with objdump -T. The following functions are of particular interest:
Code:
_ZN7android16CameraParameters3setEPKci
_ZN7android16CameraParameters3setEPKcS2_
In the ARM binary calling convention, parameters are passed in registers r4 to r8 (instead of say, 32-bit x86 where parameters are pushed on the stack). Let's examine what they point to at runtime:
Code:
(gdb) break _ZN7android16CameraParameters3setEPKci
Breakpoint 5 at 0xaba8eef4
(gdb) break _ZN7android16CameraParameters3setEPKcS2_
Breakpoint 6 at 0xaba8ed14
(gdb) cont
Continuing.
[New Thread 923]
[Switching to Thread 923]
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
(gdb) x/1s $r4
0xaba9100c <_ZN7android16CameraParameters16KEY_PREVIEW_SIZEE>: "preview-size"
(gdb) x/1x $r5
0xafd4d6e8 <__stack_chk_guard>: 0x10997eaa
(gdb) x/1s $r5
0xafd4d6e8 <__stack_chk_guard>: "�~\231\020"
(gdb) x/1s $r6
0x411139cc: "640x384"
(gdb) x/1s $r7
0x30d0c: "h8��\210\f\003"
(gdb) x/1s $r8
0xa811d251 <__dso_handle+512417>: "�\205h\203�\ahFh�h����"
(gdb) cont
Continuing.
So we see the first parameter is passed in r4 and the second in r6. Likewise, for breakpoint 5we can examine the registers and see the parameters r7 and r5. Now let's enable logging and automatically dump the arguments each time a breakpoint is hit, then resume execution:
Code:
(gdb) set logging on
Copying output to gdb.txt.
(gdb) commands 5
Type commands for when breakpoint 5 is hit, one per line.
End with a line saying just "end".
>x/1s $r7
>x/1s $r5
>cont
>end
(gdb) commands 6
Type commands for when breakpoint 6 is hit, one per line.
End with a line saying just "end".
>x/1s $r4
>x/1s $r6
>cont
>end
Finally, here's the juicy bits we wanted
Code:
(gdb) cont
Continuing.
Breakpoint 5, 0xaba8eef4 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba9106c <_ZN7android16CameraParameters33KEY_SUPPORTED_PREVIEW_FRAME_RATESE>: "preview-frame-rate-values"
0x411139dc: "15"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba914a4 <_ZN7android16CameraParameters22KEY_VIDEO_FRAME_FORMATE>: "video-frame-format"
0xa7912c16 <__dso_handle+4262342>: "yuv420sp"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba91030 <_ZN7android16CameraParameters18KEY_PREVIEW_FORMATE>: "preview-format"
0xa7912c16 <__dso_handle+4262342>: "yuv420sp"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba91110 <_ZN7android16CameraParameters16KEY_PICTURE_SIZEE>: "picture-size"
0x411139cc: "2592x1952"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba91134 <_ZN7android16CameraParameters18KEY_PICTURE_FORMATE>: "picture-format"
0xa79120a5 <__dso_handle+4259413>: "jpeg"
Breakpoint 6, 0xaba8ed14 in android::CameraParameters::set () from /root/chacha/system/lib/libcamera_client.so
0xaba911f8 <_ZN7android16CameraParameters16KEY_JPEG_QUALITYE>: "jpeg-quality"
0xa7912bb9 <__dso_handle+4262249>: "100"
... and so on
If mediaserver crashes or stop responding, as a worst case you may have to reboot the phone, as the Linux kernel doesn't always properly cleanup dead debugged processes.
Then the operation can be repeated but with CM7 instead of stock ROM, and the gdb.txt output files compared for any modifications. Now this is just the beginning, but hopefully I've showed you a taste of how to do reverse-engineering on Android and I hope it'll help make this area of work less obscure to newcomers

This post reserved for future updates, references, examples and so on.

That's amazing teaching material, thanks for that Xdbg!
Btw, I found that presentation by Defer quite interesting also: http://www.slideshare.net/deovferreira/from-stock-to-cyanogenmod-the-sony-ericsson-case . Have a look at slides 68 and next.

Thanks, xdbg!
In the past I was able to debug native libs of Swype to crack its security and of Angry Birds to get its encryption keys. It was a lot of fun ;-D
I was using similar technique to you - Angry Birds hacking is described here: http://forum.xda-developers.com/showpost.php?p=12853986&postcount=19 . But I'm totally new to native debugging, so I was using a lot of tricks and workarounds. Your technique is much more mature
Thanks again.

Brut.all said:
Thanks, xdbg!
In the past I was able to debug native libs of Swype to crack its security and of Angry Birds to get its encryption keys. It was a lot of fun ;-D
I was using similar technique to you - Angry Birds hacking is described here: http://forum.xda-developers.com/showpost.php?p=12853986&postcount=19 . But I'm totally new to native debugging, so I was using a lot of tricks and workarounds. Your technique is much more mature
Thanks again.
Click to expand...
Click to collapse
Hey very nice, defeating software protections is also a lot of fun I'm glad you find this short tutorial useful!
Unfortunately the evaluation version of IDA Pro does not contain the gdb client plugin, which would have been ideal to debug with a GUI. At the moment we'd have to either pirate it (which I of course condone) or buy it -- it costs about $400 iirc
EDIT: OMG, you're the author of apktool! I'm a huge fan, I use it all the time

tips!
Great tips! TNX!

Thx, useful info.

thank you for sharing!!! i didn't know it was possible to debug too!!!

Demangling compiled C++ names
I believe it can be interesting, I've just found out that you can automatically demangle compiled C++ names using c++filt:
Say you have:
Code:
export PATH=~/android/cm9/prebuilt/linux-x86/toolchain/arm-eabi-4.2.1/bin/:$PATH
then you can run:
Code:
arm-eabi-objdump -T libcamera.so | arm-eabi-c++filt
It will produce something like:
Code:
...
0000e088 g DF .text 00000b8c android::QualcommCameraHardware::initDefaultParameters()
00000000 DF *UND* 00000000 android::CameraParameters::setPreviewFrameRate(int)
00000000 DF *UND* 00000000 android::CameraParameters::setPreviewFormat(char const*)
00000000 DO *UND* 00000000 android::CameraParameters::KEY_SUPPORTED_PREVIEW_FRAME_RATES
00000000 DO *UND* 00000000 android::CameraParameters::KEY_VIDEO_FRAME_FORMAT
...

This is very nice! Thanks for sharing this information with us

i'm stuck here! what's the problem?
warning: while parsing target library list (at line 2): No segment defined for /
system/bin/mediaserver
0x4019eacc in __ioctl () from libc.so
Code:
media 4719 1 37452 9616 ffffffff 4019eacc T /system/bin/mediaserver
root 4735 2 0 0 c0195f74 00000000 S kworker/u:3
system 4736 210 318980 38056 ffffffff 4002e868 S com.android.settings:remo
te
app_17 4755 210 306468 37164 ffffffff 4002e868 S com.htc.calendar
app_17 4770 210 303944 37248 ffffffff 4002e868 S com.htc.bgp
app_175 4796 210 317960 42636 ffffffff 4002e868 S com.google.android.apps.m
aps:NetworkLocationService
app_175 4821 210 309512 38256 ffffffff 4002e868 S com.google.android.apps.m
aps:FriendService
app_11 4842 210 305784 35312 ffffffff 4002e868 S com.android.bluetooth
app_199 4868 210 301900 36220 ffffffff 4002e868 S com.vital.TouchScreenTune
root 4904 2 0 0 c0195f74 00000000 S kworker/u:1
root 4905 2 0 0 c0195f74 00000000 S kworker/0:2
root 4912 283 872 444 c0109558 400942b4 S /system/bin/sh
root 4917 4912 872 444 c0109558 400232b4 S sh
root 4927 2 0 0 c0195f74 00000000 S kworker/u:2
root 4953 2 0 0 c0195f74 00000000 S kworker/0:0
root 4955 4917 1052 380 00000000 4003b898 R ps
[email protected]:/ # gdbserver :1234 --attach 4719
gdbserver :1234 --attach 4719
Attached; pid = 4719
Listening on port 1234
Remote debugging from host 127.0.0.1
libthread_db:td_ta_new: Probing system for platform bug.
libthread_db:td_ta_new: Running as root, nothing to do.
Code:
(gdb) set height 0
(gdb) set solib-search-path ./
(gdb) target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
warning: while parsing target library list (at line 2): No segment defined for /
system/bin/mediaserver
0x4019eacc in __ioctl () from libc.so
(gdb) info sharedlibrary
warning: while parsing target library list (at line 2): No segment defined for /
system/bin/mediaserver
From To Syms Read Shared Object Library
0xb0001000 0xb00068b4 Yes (*) C:\Users\Fabiano\ones\system\lib/linker
0x4019e420 0x401cc704 Yes (*) libc.so
0x400d9934 0x400d9a3c Yes (*) libstdc++.so
0x40093f70 0x400a3db8 Yes (*) libm.so
0x4003c028 0x4003d574 Yes (*) liblog.so
0x400abab0 0x400b48c4 Yes (*) libcutils.so
0x400232e0 0x40034100 Yes (*) libz.so
0x40217ce0 0x4022c580 Yes (*) libutils.so
0x40319570 0x40331368 Yes (*) libstlport.so
0x402ef330 0x402fd078 Yes (*) libGLESv2_dbg.so
0x402c498c 0x402d4250 Yes (*) libEGL.so
0x4008f22c 0x4008fb50 Yes (*) libwpa_client.so
0x40338928 0x4033a6ec Yes (*) libhostapd_client.so
0x400d25c8 0x400d4f90 Yes (*) libnetutils.so
0x400c9910 0x400cd48c Yes (*) libhardware_legacy.so
0x4007aba8 0x4008a220 Yes (*) libpixelflinger.so
0x400d76cc 0x400d78c4 Yes (*) libhardware.so
0x40473300 0x40473720 Yes (*) libemoji.so
0x404774e0 0x404a7260 Yes (*) libjpeg.so
0x400dce88 0x400eabf0 Yes (*) libexpat.so
0x40373960 0x4043dc4c Yes (*) libskia.so
0x404c3fa0 0x404cda1c Yes (*) libbinder.so
0x404d6744 0x404d6dfc Yes (*) libgenlock.so
0x402ad8f0 0x402b60e4 Yes (*) libui.so
0x404dc8b8 0x404ed490 Yes (*) libsonivox.so
0x406278d8 0x40627d24 Yes (*) libgabi++.so
0x40554610 0x405e8ef0 Yes (*) libicuuc.so
0x4067e564 0x4067f8f4 Yes (*) libGLESv2.so
0x40686794 0x40688700 Yes (*) libmemalloc.so
0x40681afc 0x4068208c Yes (*) libQcomUI.so
0x40665400 0x40670c58 Yes (*) libgui.so
0x4063c958 0x40641464 Yes (*) libcamera_client.so
0x40690ad8 0x40693cdc Yes (*) libstagefright_foundation.so
0x406db640 0x407a3610 Yes (*) libicui18n.so
0x4026a070 0x40284ae4 Yes (*) libmedia.so
0x4004ce90 0x400668ec Yes (*) libsrscorehtc.so
0x407bab54 0x407bb560 Yes (*) libeffects.so
0x407bec00 0x407bf030 Yes (*) libpowermanager.so
0x407c5014 0x407c5cd4 Yes (*) libdumppcm.so
0x400020a8 0x40002b38 Yes (*) libsrsprocessing.so
0x40115980 0x40134a28 Yes (*) libaudioflinger.so
0x407d08f4 0x407d4470 Yes (*) libcameraservice.so
0x40841d78 0x4084d14c Yes (*) libvorbisidec.so
0x4097b6a0 0x409e4040 Yes (*) libcrypto.so
0x40a2665c 0x40a3eb60 Yes (*) libssl.so
0x4091fc48 0x4093ea00 Yes (*) libnativehelper.so
0x40a4e790 0x40a8ff00 Yes (*) libsqlite.so
0x40b5fcc4 0x40b605f0 Yes (*) libqc-opt.so
0x40abc000 0x40b35e44 Yes (*) libdvm.so
0x40b64fe4 0x40b669f4 Yes (*) libGLESv1_CM.so
0x40b685e8 0x40b69210 Yes (*) libETC1.so
0x400ef498 0x400ef9d4 Yes (*) libnfc_ndef.so
0x40b6bedc 0x40b6c724 Yes (*) libusbhost.so
0x40b71e78 0x40ba3cc4 Yes (*) libharfbuzz.so
0x40bb6cc0 0x40bcc548 Yes (*) libhwui.so
0x40bd3b54 0x40bd3d74 Yes (*) libtilerenderer.so
0x40bdbecc 0x40be58fc Yes (*) libbluetooth.so
0x40bd59b8 0x40bd62ec Yes (*) libbluedroid.so
0x40bf7a68 0x40c12c6c Yes (*) libdbus.so
0x40895bc0 0x408e6838 Yes (*) libandroid_runtime.so
0x40ddddb0 0x40dde680 Yes (*) libstagefright_yuv.so
0x40dedb64 0x40df3320 Yes (*) libdrmframework.so
0x40efabf8 0x40efc7c0 Yes (*) libdiag.so
0x40e5001c 0x40e5e7d8 Yes (*) libaudcal.so
0x40e00a60 0x40e045e4 Yes (*) libacdbloader.so
0x40df8af8 0x40dfd49c Yes (*) libalsa-intf.so
0x40fd0708 0x411052dc Yes (*) libchromium_net.so
0x41187764 0x4118a6d0 Yes (*) libstagefright_amrnb_common.so
0x411935c4 0x4119367c Yes (*) libstagefright_enc_common.so
0x411961f0 0x41199194 Yes (*) libstagefright_avc_common.so
0x40c810f8 0x40d6cb04 Yes (*) libstagefright.so
0x411c5c54 0x411ca5f8 Yes (*) libstagefright_omx.so
0x407fe590 0x40825dec Yes (*) libmediaplayerservice.so
0x4000db48 0x4000f03c Yes (*) libbeatscorehtc.so
0x411a1210 0x411a91e4 Yes (*) audio.primary.default.so
0x411adc78 0x411af048 Yes (*) libhtc_acoustic.so
0x411b37f8 0x411b6024 Yes (*) alsa.default.so
0x413e19c0 0x413e2834 Yes (*) libbt-aptx-4.0.3.so
0x413e7a08 0x413e81f8 Yes (*) libpower.so
0x415f48b0 0x41600a64 Yes (*) audio.a2dp.default.so
0x411b9aa4 0x411b9cf0 Yes (*) libstagefrighthw.so
0x413eaf14 0x413ec8b4 Yes (*) libOmxCore.so
0x4162c308 0x4175edf0 Yes (*) libaricentomxplugin.so
0x413f1820 0x413f23fc Yes (*) libstagefright_soft_vorbisdec.so
0x41523398 0x415252a0 Yes (*) libgemini.so
0x41500570 0x4151dcfc Yes (*) libmmjpeg.so
0x41528bc0 0x4152a1f8 Yes (*) libsysutils.so
0x41533668 0x415337f8 Yes (*) libjnigraphics.so
0x41e7f330 0x41ea5ca4 Yes (*) libOlaEngine.so
0x4152eff8 0x41530dd8 Yes (*) libcameraface.so
0x41535348 0x41535358 Yes (*) libsurfaceflinger_client.so
0x419d9fa8 0x41a95550 Yes (*) libcamerapp.so
0x41e4dd78 0x41e67894 Yes (*) camera.msm8960.so
0x4153d948 0x4154357c Yes (*) audio_policy.default.so
(*): Shared library is missing debugging information.
(gdb)

Hi Fabiano,
Looks good to me. Did you try to simply resume execution of mediaserver with "cont"?

:good: Thank you! It was so simple...
I'm curious: why we attach mediaserver? Because it needs library "libcameraservice.so", and "libcameraservice.so" needs "libcamera_client.so", so when mediaserver is started, it loads all library needed and we can debug them?
An other question, for example, I want to change values at 0x1635aa0: "5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31"
What is mapped at 0x1635aa0? (I think that these values are stored in the kernel, but I'm not sure. Is there a way to check?)
I was searching here \drivers\media\video\msm\sensors\s5k3h2yx_v4l2.c (since HTC One S uses a s5k3h2yx sensor and build config point to that file)
s5k3h2yx_v4l2.c is attached belowe as s5k3h2yx.txt, i'm on the right way, or these value are not here?
Code:
0x4061d958 0x40622464 Yes (*) libcamera_client.so
Breakpoint 2, 0x4063649e in android::CameraParameters::set(char const*, char const*) () from libcamera_client.so
x1/s
r4 0x40639af0 <_ZN7android16CameraParameters33KEY_SUPPORTED_PREVIEW_FRAME_RATESE>: "preview-frame-rate-values"
r5 0x153c99c: "X¿[email protected](Tc\001\a"
r6 0x41ec2e08: ""
r7 0x426de95c: "`Yc\001\030Yc\001¨émBèXc\001àWc\001Ð1c\001¸Wc\001\220Wc\001hWc\001ÀVc\001hVc\001Tå¤A\030Vc\001ØUc\001\220Uc\001hUc\001ÜxëAøTc\001ÐTc\001¨Tc\001\200Tc\001HQc\001hSc\[email protected]\001¸Rc\001àQc\001HQc\001\001"
r8 0x1635aa0: "5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31"
x1/x
r4 0x40639af0 <_ZN7android16CameraParameters33KEY_SUPPORTED_PREVIEW_FRAME_RATESE>: 0x70
r5 0x153c99c: 0x58
r6 0x41ec2e08: 0x00
r7 0x426de95c: 0x60
r8 0x1635aa0: 0x35
now i know for sure that these value are not hardcoded in the libs since 0x1635aa0 is out of libs memory zone:
Code:
From To Syms Read Shared Object Library
0xb0001000 0xb00068b4 Yes (*) C:\Program Files (x86)\Android\android-ndk-r8b\toolchains\arm-linux-androideabi-4.4.3\prebuilt\windows\bin/linker
0x4014b420 0x40179704 Yes (*) libc.so
0x40190934 0x40190a3c Yes (*) libstdc++.so
0x40193f70 0x401a3db8 Yes (*) libm.so
0x4013c028 0x4013d574 Yes (*) liblog.so
0x40070ab0 0x400798c4 Yes (*) libcutils.so
0x400132e0 0x40024100 Yes (*) libz.so
0x401eece0 0x40203580 Yes (*) libutils.so
0x402d7570 0x402ef368 Yes (*) libstlport.so
0x402ad330 0x402bb078 Yes (*) libGLESv2_dbg.so
0x4028298c 0x40292250 Yes (*) libEGL.so
0x4000e22c 0x4000eb50 Yes (*) libwpa_client.so
0x4008e928 0x400906ec Yes (*) libhostapd_client.so
0x400955c8 0x40097f90 Yes (*) libnetutils.so
0x40005910 0x4000948c Yes (*) libhardware_legacy.so
0x402fdba8 0x4030d220 Yes (*) libpixelflinger.so
0x400106cc 0x400108c4 Yes (*) libhardware.so
0x4004a300 0x4004a720 Yes (*) libemoji.so
0x404474e0 0x40477260 Yes (*) libjpeg.so
0x4047ce88 0x4048abf0 Yes (*) libexpat.so
0x40346960 0x40410c4c Yes (*) libskia.so
0x404a7fa0 0x404b1a1c Yes (*) libbinder.so
0x40046744 0x40046dfc Yes (*) libgenlock.so
0x400358f0 0x4003e0e4 Yes (*) libui.so
0x404bd8b8 0x404ce490 Yes (*) libsonivox.so
0x406088d8 0x40608d24 Yes (*) libgabi++.so
0x40535610 0x405c9ef0 Yes (*) libicuuc.so
0x4065f564 0x406608f4 Yes (*) libGLESv2.so
0x40667794 0x40669700 Yes (*) libmemalloc.so
0x40662afc 0x4066308c Yes (*) libQcomUI.so
0x40646400 0x40651c58 Yes (*) libgui.so
0x4061d958 0x40622464 Yes (*) libcamera_client.so
0x40671ad8 0x40674cdc Yes (*) libstagefright_foundation.so
0x406bc640 0x40784610 Yes (*) libicui18n.so
0x40241070 0x4025bae4 Yes (*) libmedia.so
0x401b5e90 0x401cf8ec Yes (*) libsrscorehtc.so
0x40043b54 0x40044560 Yes (*) libeffects.so
0x4079cc00 0x4079d030 Yes (*) libpowermanager.so
0x407a3014 0x407a3cd4 Yes (*) libdumppcm.so
0x407a90a8 0x407a9b38 Yes (*) libsrsprocessing.so
0x400be980 0x400dda28 Yes (*) libaudioflinger.so
0x407b48f4 0x407b8470 Yes (*) libcameraservice.so
0x40825d78 0x4083114c Yes (*) libvorbisidec.so
0x4095f6a0 0x409c8040 Yes (*) libcrypto.so
0x40a0a65c 0x40a22b60 Yes (*) libssl.so
0x40903c48 0x40922a00 Yes (*) libnativehelper.so
0x40a32790 0x40a73f00 Yes (*) libsqlite.so
0x40b43cc4 0x40b445f0 Yes (*) libqc-opt.so
0x40aa0000 0x40b19e44 Yes (*) libdvm.so
0x40b48fe4 0x40b4a9f4 Yes (*) libGLESv1_CM.so
0x40b4c5e8 0x40b4d210 Yes (*) libETC1.so
0x40b4f498 0x40b4f9d4 Yes (*) libnfc_ndef.so
0x40b51edc 0x40b52724 Yes (*) libusbhost.so
0x40b57e78 0x40b89cc4 Yes (*) libharfbuzz.so
0x40b9ccc0 0x40bb2548 Yes (*) libhwui.so
0x40bb9b54 0x40bb9d74 Yes (*) libtilerenderer.so
0x40bc1ecc 0x40bcb8fc Yes (*) libbluetooth.so
0x40bbb9b8 0x40bbc2ec Yes (*) libbluedroid.so
0x40bdda68 0x40bf8c6c Yes (*) libdbus.so
0x40879bc0 0x408ca838 Yes (*) libandroid_runtime.so
0x40dc3db0 0x40dc4680 Yes (*) libstagefright_yuv.so
0x40dd3b64 0x40dd9320 Yes (*) libdrmframework.so
0x40ee0bf8 0x40ee27c0 Yes (*) libdiag.so
0x40e3601c 0x40e447d8 Yes (*) libaudcal.so
0x40de6a60 0x40dea5e4 Yes (*) libacdbloader.so
0x40ddeaf8 0x40de349c Yes (*) libalsa-intf.so
0x40fb6708 0x410eb2dc Yes (*) libchromium_net.so
0x4116d764 0x411706d0 Yes (*) libstagefright_amrnb_common.so
0x411795c4 0x4117967c Yes (*) libstagefright_enc_common.so
0x4117c1f0 0x4117f194 Yes (*) libstagefright_avc_common.so
0x40c670f8 0x40d52b04 Yes (*) libstagefright.so
0x411a6c54 0x411ab5f8 Yes (*) libstagefright_omx.so
0x407e2590 0x40809dec Yes (*) libmediaplayerservice.so
0x41193b48 0x4119503c Yes (*) libbeatscorehtc.so
0x41187210 0x4118f1e4 Yes (*) audio.primary.default.so
0x41197c78 0x41199048 Yes (*) libhtc_acoustic.so
0x413b17f8 0x413b4024 Yes (*) alsa.default.so
0x413ca9c0 0x413cb834 Yes (*) libbt-aptx-4.0.3.so
0x413d0a08 0x413d11f8 Yes (*) libpower.so
0x415e98b0 0x415f5a64 Yes (*) audio.a2dp.default.so
0x413d3aa4 0x413d3cf0 Yes (*) libstagefrighthw.so
0x413d5f14 0x413d78b4 Yes (*) libOmxCore.so
0x41621308 0x41753df0 Yes (*) libaricentomxplugin.so
0x413dc820 0x413dd3fc Yes (*) libstagefright_soft_vorbisdec.so
0x414f0398 0x414f22a0 Yes (*) libgemini.so
0x415c5570 0x415e2cfc Yes (*) libmmjpeg.so
0x414f5bc0 0x414f71f8 Yes (*) libsysutils.so
0x41500668 0x415007f8 Yes (*) libjnigraphics.so
0x41ca6330 0x41cccca4 Yes (*) libOlaEngine.so
0x414fbff8 0x414fddd8 Yes (*) libcameraface.so
0x41502348 0x41502358 Yes (*) libsurfaceflinger_client.so
0x41dcdfa8 0x41e89550 Yes (*) libcamerapp.so
0x419cdd78 0x419e7894 Yes (*) camera.msm8960.so
0x41535948 0x4153b57c Yes (*) audio_policy.default.so

Hi!
You can check the memory map by printing /proc/<your process pid>/maps, such as:
Code:
~ $ cat /proc/`pidof a.out`/maps
00400000-00401000 r-xp 00000000 08:02 6337054 /home/abc/a.out
00600000-00601000 rw-p 00000000 08:02 6337054 /home/abc/a.out
7ffff7a56000-7ffff7bd3000 r-xp 00000000 08:02 13642881 /lib/x86_64-linux-gnu/libc-2.13.so
...
As far as modifying data goes, it is fairly easy to do when you whan to write one byte or one word, for example "set *(char *)$MYREGISTER=0xff"
You can write a larger piece of data with the command restore (you need a writable place, like the stack). As an illustration of restoring the truth:
Code:
~ $ cat a.c
#include <stdio.h>
int f(int i1, int i2, char *c)
{
printf("You better believe me: %s\n", c);
return 0;
}
int main(void)
{
return f(1, 2, "HTC is not evil");
}
~ $ gcc a.c
~ $ echo "HTC is evil" >raw
~ $ gdb a.out
GNU gdb (GDB) 7.4.1-debian
[...]
(gdb) break f
Breakpoint 1 at 0x400510
(gdb) run
Starting program: /home/abc/a.out
Breakpoint 1, 0x0000000000400510 in f ()
(gdb) x/1s $rdx
0x400627: "HTC is not evil"
(gdb) print $rsp-0x1000
$2 = (void *) 0x7fffffffd370
(gdb) restore raw binary 0x7fffffffd370
Restoring binary file raw into memory (0x7fffffffd370 to 0x7fffffffd37c)
(gdb) set $rdx=0x7fffffffd370
(gdb) cont
Continuing.
You better believe me: HTC is evil

By the way, the value of interest to you could come (in theory) from lots of places, but most likely the Camera app, of some place in the framework. Consider disassembling both to check the contents.

Already done (everything is in Java at this level so it can be decompiled almost to source code, so it's the first thing i did), framework just contains Google APIs that call *.so lib functions, and just explodes a full string to single values (but full string is sent by libs)
camera apps (or other apps as well) can only set supported parameters by calling Google APIs (that call libs), if i want to set a non standard value, libs check the value and reply with an error (unsupported parameter, changing it to a default one). So values are stored in low level.
Maybe values are in the libs, but i don't know how some structs are stored in low level assembly, maybe i cannot find them because of my ignorance
In some open source camera HAL libs (for other phones but should be similar) i found some structs like these:
Code:
const char *preview_sizes =
"1280x720,800x480,768x432,720x480,640x480,576x432,480x320,384x288,352x288,320x240,240x160,176x144";
const char *video_sizes =
"1280x720,800x480,720x480,640x480,352x288,320x240,176x144";
const char *preferred_size = "640x480";
const char *preview_frame_rates = "30,27,24,15";
const char *preferred_frame_rate = "15";
const char *frame_rate_range = "(15,30)";
or
Code:
const char CameraHardware::supportedPictureSizes [] = "640x480,352x288,320x240";
const char CameraHardware::supportedPreviewSizes [] = "640x480,352x288,320x240";
const supported_resolution CameraHardware::supportedPictureRes[] = {{640, 480} , {352, 288} , {320, 240} };
const supported_resolution CameraHardware::supportedPreviewRes[] = {{640, 480} , {352, 288} , {320, 240} };
typedef struct {
size_t width;
size_t height;
} supported_resolution;

I see! You could try having a look at the stack to identify the caller hierarchy up to the JNI, and also in IDA Pro check the xref to the function. At some point the values will be generated. It is possible that the string itself is constructed from an array of dwords, so checking for the little-endian hexadecimal dwords in the .so could be useful.
Regarding structs, it might be easier to identify them in IDA Pro, however I'm not sure it is possible to create a struct type in gdb (by default it will use the symbols, but for proprietary libs there are none...).
Note there is support for gdbserver in IDA Pro, which allows you to trace the code you have annotated. It is much nicer than the text interface of gdb, however the gdb client plugin in IDA can be flaky at times. Note that in this case, you'll want to loader mediaserver then load any additional .so in IDA to be able to trace them all. In addition, it would be a good idea to disable ASLR (IDA Pro doesn't handle library randomization too well). Run "echo 0 > /proc/sys/kernel/randomize_va_space"

Thank you again for all useful info!
It seems that strings are built by some "string" functions, so I think you are right, but it's a bit hard with static analysis.
Now I'm trying to connect IDA Pro with gdb, but I'm stuck with a connection error:
Plan B: I can remove lib checks when setting parameters, but it's an hacky solution, I prefer clean solutions...
EDIT: I missed "adb forward tcp:1234 tcp:1234" :/
now i got "irs_recv: Timeout" error
EDIT 2: Attached! (switched from arm/android debugger to gdb)
EDIT 3: I don't know how to set breakpoint, if I try to set with F2, process never stops, if I try to set it via console i got an error...

pirlano said:
Thank you again for all useful info!
It seems that strings are built by some "string" functions, so I think you are right, but it's a bit hard with static analysis.
Now I'm trying to connect IDA Pro with gdb, but I'm stuck with a connection error:
Plan B: I can remove lib checks when setting parameters, but it's an hacky solution, I prefer clean solutions...
EDIT: I missed "adb forward tcp:1234 tcp:1234" :/
now i got "irs_recv: Timeout" error
EDIT 2: Attached! (switched from arm/android debugger to gdb)
EDIT 3: I don't know how to set breakpoint, if I try to set with F2, process never stops, if I try to set it via console i got an error...
Click to expand...
Click to collapse
Glad to know! I'll write a short tutorial of gdbserver +IDA a bit later using mediaserver as an example, in two different cases: first one with symbols, second out without.

xd.bx said:
Glad to know! I'll write a short tutorial of gdbserver +IDA a bit later using mediaserver as an example, in two different cases: first one with symbols, second out without.
Click to expand...
Click to collapse
Alright, so I'm running into the same issue when trying to trigger a breakpoint and trace stuff. On the other hand gdb works fine. /methink IDA Pro's internal gdb client is not that good. In fact it would be rather nice to have an open-source replacement for this piece of software, one that makes stepping through proprietary code less of a chore.

[5.1.x] [SM-T325] CyanogenMod 12.1 UNOFFICIAL Nightlies for the Tab Pro 8.4 LTE

CyanogenMod is a free, community built, aftermarket firmware distribution of Android 5.1.x (Lollipop), which is designed to increase performance and reliability over stock Android for your device.
Code:
#include <std_disclaimer.h>
/*
* Your warranty is now void.
*
* We are not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at us for messing up your device, we will laugh at you.
*
*/
CyanogenMod is based on the Android Open Source Project with extra contributions from many people within the Android community. It can be used without any need to have any Google application installed. You will need to provide your own Google Applications package (gapps). CyanogenMod does still include various hardware-specific code, which is also slowly being open-sourced anyway.
All the source code for CyanogenMod is available in the CyanogenMod Github repo. And if you would like to contribute to CyanogenMod, please visit our Gerrit Code Review. Your changelog is whatever was merged into gerrit.
Instructions
First time flashing CyanogenMod 12.1 on your device, or coming from another ROM?
Download the zip(s).
Install a compatible Recovery
Perform a NANDroid backup of your current ROM (Optional)
Wipe data & cache partitions of your device (required when coming from stock!).
Flash CyanogenMod.
Optional: Install the Google Apps addon package.
Known Issues
* None
Other Issues?
Before posting on this thread, make sure of a few things:
You've utilized the search function of the forums. Nothing irritates me more than lazy people who do not search for an answer before asking.
If you are the only one having a problem. Boot into recovery, wipe data/factory reset, reflash the rom/gapps and nothing else. Boot up and see if the problem persists.
Make sure your post is relevant to this thread. "I'm having problems rooting/unlocking" is NOT relevant here.
LOGS LOGS LOGS!!!! Use this: SysLog by Tortel
Download Links
CyanogenMod: download.crpalmer.org
Google apps addon:
Download: http://d-h.st/users/dhacker29/?fld_id=27426 (use latest lpmr1 gapps)
XDA:DevDB Information
CyanogenMod 12.1 for MondrianLTE (Unofficial), ROM for the Samsung Galaxy Tab Pro 12.2, 10.1, 8.4
Contributors
crpalmer
ROM OS Version: 5.1.x Lollipop
Version Information
Status: No Longer Updated
Created 2015-04-18
Last Updated 2016-02-13

Reserved

Works fine
ROM works fine, made a dirty flash from CM12.
No problems at all.

http://review.cyanogenmod.org/#/c/95004/2
hopefully merged soon (already in cm12 since late march..just noticed recently in cm12 builds in mms.apk...should have known by looking at the history for the cm12 version)
EDIt
One thing though
Email exchange (hotmail etc) app has a repeated error popup during sync..this is from 4/17 build and also today's 4/18...was not the case till 4/16..noticed the apk file size has changed (not sure what..but it starts giving error popups during sync...pretty irritating as have to somehow get it to stop the sync to stop the popup...using the cm12.1 email apk 5.82mb from 4/16 or earlier fixes the issue)
cm12 not having such issues,.at least from 4.16 to 4/18 no email.apk file size changes..no sync issues
Edit attached mixer file to address earpiece echo for other caller not speakerphone echo for other caller.. change zip in extension to xml.. not a zip file..put in system etc folder permissions 644

Does miracast work with this build? I know CM started enabling the feature, but it didn't work when I last tried it with my SM-T315. Thank you for your answer.

Can I just ask a general question to all who have flashed this on the T325, what version specifically of TWRP did you use to flash this? Been having some issues and just want to compare.

RavenY2K3 said:
Can I just ask a general question to all who have flashed this on the T325, what version specifically of TWRP did you use to flash this? Been having some issues and just want to compare.
Click to expand...
Click to collapse
TWRP 2.8.5.0 here. Any later version will work as well.

Hello,
Thank you @crpalmer - great job with this rom!
Any chance I could buy you a beer to express my gratitude? I don't see a donations link in the OP

vrl13 said:
Hello,
Thank you @crpalmer - great job with this rom!
Any chance I could buy you a beer to express my gratitude? I don't see a donations link in the OP
Click to expand...
Click to collapse
Thanks!
There's a donate link in my profile but I prefer not to clutter up useful information with extra donate links...
My PayPal is [email protected].

Beer uploaded: 7UG08116JF1461945
Thanks again!
Sent from my SM-T325 using Tapatalk

Anyone having issues with there WiFi. Sometimes it picks up my wifi other times it doesn't. Sees all the others around the building but not mine.
Sent from my Nexus 6 using XDA Free mobile app

mackenzie121 said:
Anyone having issues with there WiFi. Sometimes it picks up my wifi other times it doesn't. Sees all the others around the building but not mine.
Sent from my Nexus 6 using XDA Free mobile app
Click to expand...
Click to collapse
Hello,
I'm having no issue with both 2.4 and 5ghz wifi in my home.
Sounds like a router problem though.. can your other devices pick your wifi without a hitch?
Maybe it would help using a fixed IP, in case you are using DHCP now.
Regards.
Sent from my SM-T325 using Tapatalk

RavenY2K3 said:
Can I just ask a general question to all who have flashed this on the T325, what version specifically of TWRP did you use to flash this? Been having some issues and just want to compare.
Click to expand...
Click to collapse
I used TWRP 2.8.6.0. I already flashed several nightlies on this tablet, no issues.
---------- Post added at 10:41 PM ---------- Previous post was at 10:26 PM ----------
Is the changelog the same of the nightlies for "MONDRIANWIFI"? Thanks

Is it support cifs ?

Device encryption doesn't work. Build 20150507
Log:
Code:
D/Cryptfs ( 247): unmounting /data succeeded
D/QSEECOMAPI: ( 247): QSEECom_get_handle sb_length = 0x2000
D/QSEECOMAPI: ( 247): App is not loaded in QSEE
E/QSEECOMAPI: ( 247): Error::Cannot open the file /vendor/firmware/keymaster/keymaster.mdt
E/QSEECOMAPI: ( 247): Error::Loading image failed with ret = -1
D/QSEECOMAPI: ( 247): QSEECom_get_handle sb_length = 0x2000
D/QSEECOMAPI: ( 247): App is not loaded in QSEE
E/QSEECOMAPI: ( 247): Error::Cannot open the file /firmware/image/keymaste.mdt
E/QSEECOMAPI: ( 247): Error::Loading image failed with ret = -1
E/QCOMKeyMaster( 247): Loading keymaster app failed
E/Cryptfs ( 247): could not open keymaster device in keystore (Operation not permitted)
E/Cryptfs ( 247): Failed to init keymaster
F/libc ( 247): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x3c in tid 316 (vold)
F/libc ( 247): Unable to open connection to debuggerd: Connection refused
W/vold ( 316): type=1400 audit(0.0:190): avc: denied { search } for name="/" dev="mmcblk0p1" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:firmware_file:s0 tclass=dir
W/vold ( 316): type=1300 audit(0.0:190): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=b62f84fc a2=20000 a3=0 items=1 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/vold" subj=u:r:vold:s0 key=(null)
W/auditd ( 314): type=1307 audit(0.0:190): cwd="/"
W/auditd ( 314): type=1302 audit(0.0:190): item=0 name="/vendor/firmware/keymaster/keymaster.mdt"
W/auditd ( 314): type=1320 audit(0.0:190):
W/vold ( 316): type=1400 audit(0.0:191): avc: denied { search } for name="/" dev="mmcblk0p1" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:firmware_file:s0 tclass=dir
W/vold ( 316): type=1300 audit(0.0:191): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=b62f84fc a2=20000 a3=0 items=1 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/vold" subj=u:r:vold:s0 key=(null)
W/auditd ( 314): type=1307 audit(0.0:191): cwd="/"
W/auditd ( 314): type=1302 audit(0.0:191): item=0 name="/firmware/image/keymaste.mdt"
W/auditd ( 314): type=1320 audit(0.0:191):
W/vold ( 316): type=1701 audit(0.0:192): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=u:r:vold:s0 reason="memory violation" sig=11
I/Vold ( 8391): Vold 2.1 (the revenge) firing up
D/Vold ( 8391): Volume sdcard1 state changing -1 (Initializing) -> 0 (No-Media)
D/Vold ( 8391): Volume usbdisk state changing -1 (Initializing) -> 0 (No-Media)
I/Cryptfs ( 8391): Check if PFE is activated on Boot
E/Cryptfs ( 8391): Bad magic for real block device /dev/block/platform/msm_sdcc.1/by-name/userdata
E/Cryptfs ( 8391): Error getting crypt footer and key
I see, that file /vendor/firmware/keymaster/keymaster.mdt exists:
# ls -la /system/vendor/firmware/keymaster/keymaster.mdt
lrw-r--r-- root root 2015-05-07 07:04 keymaster.mdt -> /firmware/image/keymaste.mdt
# ls -la /firmware/image/keymaste.mdt <
-r--r----- system drmrpc 12892 2014-11-13 05:32 keymaste.mdt
Any ideas how to fix it? Thanks.

crpalmer said:
CyanogenMod
Click to expand...
Click to collapse
f2fs support?
I am waiting for 10 minutes, hanging on the logo

Alexey71 said:
f2fs support?
I am waiting for 10 minutes, hanging on the logo
Click to expand...
Click to collapse
Try again with today's build and let me know.

crpalmer said:
Try again with today's build and let me know.
Click to expand...
Click to collapse
For me :
cm-12.1-20150523-UNOFFICIAL-mondrianlte.zip work fine but
cm-12.1-20150527-UNOFFICIAL-mondrianlte.zip and cm-12.1-20150528-UNOFFICIAL-mondrianlte.zip don't work : hanging on the logo

27-28 build not work (ext4-f2fs)
26 build work ext4

Builds 0527 and 0528 does not boot; instead, causes shutdown of the tab.