Signal Acquisition and Bluetooth Issues - AT&T Samsung Galaxy S II Skyrocket SGH-I727

Anyone else experiencing signal acquisition problems on power-up? I've had this happen in 3 different cities so far, all non-LTE networks in locations where I previously had a 3+ bar signal. I'll have a signal, reboot my phone and after 15 minutes I still won't have a signal. I'll reboot the phone multiple times, pulling the battery out, etc... eventually it will reacquire a signal.
The other issue is bluetooth pairing with my car (BMW I-Drive system), which my previous Droid Incredible worked great with. It's 50/50 if it works or not with the Skyrocket. The issues I have are:
1) It says it connects and downloads my phonebook, but no numbers will dial from the car and no audio through the car (looks like bluetooth is crashing in phone).
2) I turn on bluetooth on my phone and within a minute, it turns off.
I've re-paired the car and phone multiple times, sometimes fixing the issue temporarily, until today when I had to delete everything under /data/misc/bluetoothd/* just to get bluetooth to start on my phone.
My phone is rooted now and still on the OEM 2.3.6 OS, but the above issues all started occurring before the phone was rooted. I'm starting to feel like I have a dorked radio in my phone... The line with "Ctlr H/w error event" below has me scared. Anyone else having similar issues?
Here's some dump info:
Code:
--------- beginning of /dev/log/main
12-09 13:36:24.213 15336 15336 I /system/bin/btld: gki_alloc_free_queue in, id:2
12-09 13:36:24.213 15336 15336 I /system/bin/btld: gki_alloc_free_queue calling gki_init_free_queue, id:2 size:660, totol:45
12-09 13:36:24.213 15336 15336 I /system/bin/btld: gki_alloc_free_queue ret OK, id:2 size:660, totol:45
12-09 13:36:24.213 15336 15336 I /system/bin/btld: UAMP_Write error: -1 ( 0=success )
12-09 13:36:24.213 15336 15336 I /system/bin/btld: dtun_server_register_interface: Register DTUN interface [0]
12-09 13:36:24.213 15336 15336 I /system/bin/btld: dtun_server_start: dtun_server_start
12-09 13:36:24.213 15336 15336 I /system/bin/btld: BTL_IF_RegisterSubSystem: Registered subsystem [DTUN]
12-09 13:36:24.213 15336 15336 I /system/bin/btld: wrp_sock_create: wrp_sock_create : created socket (fd 20)
12-09 13:36:24.213 15336 15336 I /system/bin/btld: wrp_sock_bind: BTLIF_MAKE_LOCAL_SERVER_NAME return nwrp_sock_bind: BTLIF_MAKE_LOCAL_SERVER_NAME return name: brcm.bt.btlif.9000
12-09 13:36:24.213 15336 15336 I /system/bin/btld: wrp_sock_bind: result:0 server_name:brcm.bt.btlif.9000
12-09 13:36:24.213 15336 15336 I /system/bin/btld: wrp_sock_listen: wrp_sock_listen : (CTRL) listening on brcm.bt.btlif:9000 (20)
12-09 13:36:24.213 15336 15336 I /system/bin/btld: gki_alloc_free_queue in, id:0
12-09 13:36:24.213 15336 15336 I /system/bin/btld: gki_alloc_free_queue calling gki_init_free_queue, id:0 size:64, totol:48
12-09 13:36:24.213 15336 15336 I /system/bin/btld: gki_alloc_free_queue ret OK, id:0 size:64, totol:48
12-09 13:36:24.213 15337 15367 I UAMP_LINUX: UAMP_Init: wl_interface_name:
12-09 13:36:24.213 15337 15367 I UAMP_LINUX: UAMP_Open
12-09 13:36:24.213 15337 15368 E : Ctlr H/w error event
12-09 13:36:24.213 15337 15368 I GKI_LINUX: GKI_sched_lock
12-09 13:36:24.213 15337 15368 I GKI_LINUX: GKI_sched_unlock
12-09 13:36:24.213 177 177 I DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
12-09 13:36:24.213 177 177 I DEBUG : Build fingerprint: 'samsung/SGH-I727/SGH-I727:2.3.6/GINGERBREAD/UCKK1:user/release-keys'
12-09 13:36:24.213 177 177 I DEBUG : pid: 15337, tid: 15368 >>> /system/bin/btld <<<
12-09 13:36:24.213 177 177 I DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000000c
12-09 13:36:24.213 177 177 I DEBUG : r0 0028c3fc r1 0028c878 r2 001f59dc r3 00000064
12-09 13:36:24.213 177 177 I DEBUG : r4 00000000 r5 0028c70c r6 00000000 r7 0028c7b8
12-09 13:36:24.213 177 177 I DEBUG : r8 001a90a4 r9 002a5278 10 00100000 fp 00000001
12-09 13:36:24.213 177 177 I DEBUG : ip 00000064 sp 40211e58 lr 00065d84 pc 0018aee0 cpsr 60000010
12-09 13:36:24.213 177 177 I DEBUG : d0 0000000000000000 d1 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d2 0000000000000000 d3 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d4 0000000000000000 d5 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d6 0000000000000000 d7 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d8 0000000000000000 d9 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d10 0000000000000000 d11 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d12 0000000000000000 d13 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d14 0000000000000000 d15 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d16 0000000000000000 d17 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d18 0000000000000000 d19 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d20 0000000000000000 d21 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d22 0000000000000000 d23 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d24 0000000000000000 d25 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d26 0000000000000000 d27 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d28 0000000000000000 d29 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : d30 0000000000000000 d31 0000000000000000
12-09 13:36:24.213 177 177 I DEBUG : scr 00000000
12-09 13:36:24.213 177 177 I DEBUG :
12-09 13:36:24.223 15336 15336 I /system/bin/btld: error: SIOCGIFFLAGS (No such device)
12-09 13:36:24.223 15336 15336 I /system/bin/btld: ifr_name ()
12-09 13:36:24.233 15336 15336 I /system/bin/btld: init_event_rx: Cannot get index -1
12-09 13:36:24.243 177 177 I DEBUG : #00 pc 0018aee0 /system/bin/btld (GKI_add_to_timer_list)
12-09 13:36:24.243 177 177 I DEBUG : #01 pc 00065d80 /system/bin/btld (bta_dm_sys_hw_cback)
12-09 13:36:24.243 177 177 I DEBUG : #02 pc 00060ea8 /system/bin/btld (bta_sys_hw_evt_stack_enabled)
12-09 13:36:24.243 177 177 I DEBUG : #03 pc 00061124 /system/bin/btld (bta_sys_sm_execute)
12-09 13:36:24.243 177 177 I DEBUG : #04 pc 00060ff4 /system/bin/btld (bta_sys_event)
12-09 13:36:24.243 177 177 I DEBUG : #05 pc 0012eb40 /system/bin/btld (btu_task)
12-09 13:36:24.243 177 177 I DEBUG : #06 pc 0018c7f8 /system/bin/btld (gki_task_entry)
12-09 13:36:24.243 177 177 I DEBUG : #07 pc 00011e10 /system/lib/libc.so (__thread_entry)
12-09 13:36:24.243 177 177 I DEBUG : #08 pc 000119dc /system/lib/libc.so (pthread_create)
12-09 13:36:24.243 177 177 I DEBUG :
12-09 13:36:24.243 177 177 I DEBUG : libc base address: afd00000
12-09 13:36:24.243 177 177 I DEBUG :
12-09 13:36:24.243 177 177 I DEBUG : code around pc:
12-09 13:36:24.243 177 177 I DEBUG : 0018aec0 d1a04007 d1a05006 da000015 e1a04007
12-09 13:36:24.243 177 177 I DEBUG : 0018aed0 e3560000 e5944000 c066c00c c581c00c
12-09 13:36:24.243 177 177 I DEBUG : 0018aee0 e594500c d591c00c e1a06005 e155000c
12-09 13:36:24.243 177 177 I DEBUG : 0018aef0 bafffff6 e1540007 0a000008 e594c004
12-09 13:36:24.243 177 177 I DEBUG : 0018af00 e591300c e581c004 e58c1000 e5841004
12-09 13:36:24.243 177 177 I DEBUG :
12-09 13:36:24.243 177 177 I DEBUG : code around lr:
12-09 13:36:24.243 177 177 I DEBUG : 00065d64 0affffa1 e59fe06c e3a02064 e2870f56
12-09 13:36:24.243 177 177 I DEBUG : 00065d74 e084400e e1a01006 e5874160 ebffec5f
12-09 13:36:24.243 177 177 I DEBUG : 00065d84 e3a00c12 ebfff0bc e5d5c004 e28c2001
12-09 13:36:24.243 177 177 I DEBUG : 00065d94 e28c3002 e7856103 e5c52004 eaffff92
12-09 13:36:24.243 177 177 I DEBUG : 00065da4 0018fe48 000003d4 00000b68 fffb2fec
12-09 13:36:24.243 177 177 I DEBUG :
12-09 13:36:24.243 177 177 I DEBUG : stack:
12-09 13:36:24.243 177 177 I DEBUG : 40211e18 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e1c 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e20 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e24 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e28 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e2c 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e30 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e34 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e38 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e3c 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e40 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e44 0028c878 [heap]
12-09 13:36:24.243 177 177 I DEBUG : 40211e48 0028c3fc [heap]
12-09 13:36:24.243 177 177 I DEBUG : 40211e4c 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e50 df002777
12-09 13:36:24.243 177 177 I DEBUG : 40211e54 e3a070ad
12-09 13:36:24.243 177 177 I DEBUG : #00 40211e58 00064ee4 /system/bin/btld
12-09 13:36:24.243 177 177 I DEBUG : 40211e5c 0028c70c [heap]
12-09 13:36:24.243 177 177 I DEBUG : 40211e60 00000000
12-09 13:36:24.243 177 177 I DEBUG : 40211e64 0028c720 [heap]
12-09 13:36:24.243 177 177 I DEBUG : #01 40211e68 0028c720 [heap]
12-09 13:36:24.243 177 177 I DEBUG : 40211e6c 000c0240 /system/bin/btld
12-09 13:36:24.243 177 177 I DEBUG : 40211e70 0028c334 [heap]
12-09 13:36:24.243 177 177 I DEBUG : 40211e74 0028c344 [heap]
12-09 13:36:24.243 177 177 I DEBUG : 40211e78 001a7f50 /system/bin/btld
12-09 13:36:24.243 177 177 I DEBUG : 40211e7c 000009b0
12-09 13:36:24.243 177 177 I DEBUG : 40211e80 0018c7a4 /system/bin/btld
12-09 13:36:24.243 177 177 I DEBUG : 40211e84 00060eac /system/bin/btld
12-09 13:36:24.253 15337 15367 E UAMP_LINUX: Error opening uamp port
12-09 13:36:24.253 15337 15367 E : hcisu_amp_open: unable to open AMP port
12-09 13:36:24.393 177 177 I DEBUG : dumpstate /data/log/dumpstate_app_native.txt
12-09 13:36:24.393 299 336 I BootReceiver: Copying /data/tombstones/tombstone_00 to DropBox (SYSTEM_TOMBSTONE)
thanks,
-shelby
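
Added example (not part of the original post or thread): a small Python triage script for debuggerd crash output like the dump above. It matches on the tombstone fields rather than the logcat prefix, so it also accepts the second log layout further down this page, and in ARM mode it decodes the faulting load/store at pc to check that base register plus offset equals the reported fault address. The sample lines are excerpted from the post above; all function names are this example's own.

```python
import re

# Excerpt of the debuggerd output from the post above (logcat prefix kept).
SAMPLE = """\
12-09 13:36:24.213 177 177 I DEBUG : pid: 15337, tid: 15368 >>> /system/bin/btld <<<
12-09 13:36:24.213 177 177 I DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000000c
12-09 13:36:24.213 177 177 I DEBUG : r0 0028c3fc r1 0028c878 r2 001f59dc r3 00000064
12-09 13:36:24.213 177 177 I DEBUG : r4 00000000 r5 0028c70c r6 00000000 r7 0028c7b8
12-09 13:36:24.213 177 177 I DEBUG : r8 001a90a4 r9 002a5278 10 00100000 fp 00000001
12-09 13:36:24.213 177 177 I DEBUG : ip 00000064 sp 40211e58 lr 00065d84 pc 0018aee0 cpsr 60000010
12-09 13:36:24.243 177 177 I DEBUG : #00 pc 0018aee0 /system/bin/btld (GKI_add_to_timer_list)
12-09 13:36:24.243 177 177 I DEBUG : #01 pc 00065d80 /system/bin/btld (bta_dm_sys_hw_cback)
12-09 13:36:24.243 177 177 I DEBUG : code around pc:
12-09 13:36:24.243 177 177 I DEBUG : 0018aed0 e3560000 e5944000 c066c00c c581c00c
12-09 13:36:24.243 177 177 I DEBUG : 0018aee0 e594500c d591c00c e1a06005 e155000c
12-09 13:36:24.243 177 177 I DEBUG : code around lr:
12-09 13:36:24.243 177 177 I DEBUG : 00065d84 e3a00c12 ebfff0bc e5d5c004 e28c2001
"""

HDR = re.compile(r"pid: (\d+), tid: (\d+)\s+>>> (.+?) <<<")
SIG = re.compile(r"signal (\d+) \((\w+)\), code (-?\d+) \((\w+)\), fault addr ([0-9a-f]+)")
FRAME = re.compile(r"#(\d+)\s+pc ([0-9a-f]{8})\s+(\S+)(?:\s+\((.+)\))?")
# This dump prints r10 as a bare "10", so accept that spelling too.
REG = re.compile(r"(?<!\S)(r\d+|10|fp|ip|sp|lr|pc|cpsr) ([0-9a-f]{8})(?!\S)")
# A "code around pc/lr" row: one address followed by exactly four words.
ROW = re.compile(r"(?<!\S)([0-9a-f]{8})((?: [0-9a-f]{8}){4})\s*$")
PAGE = 0x1000
NAMES = [f"r{i}" for i in range(11)] + ["fp", "ip", "sp", "lr", "pc"]


def parse_tombstone(text):
    """Collect header, signal, registers, backtrace and dumped code words."""
    t = {"regs": {}, "frames": [], "mem": {}}
    for line in text.splitlines():
        if (m := HDR.search(line)):
            t["pid"], t["tid"], t["process"] = int(m[1]), int(m[2]), m[3]
        elif (m := SIG.search(line)):
            t["signal"], t["code"], t["fault_addr"] = m[2], m[4], int(m[5], 16)
        elif (m := FRAME.search(line)):
            t["frames"].append((int(m[1]), int(m[2], 16), m[3], m[4]))
        elif (m := ROW.search(line)):
            base = int(m[1], 16)
            for i, word in enumerate(m[2].split()):
                t["mem"][base + 4 * i] = int(word, 16)
        else:
            pairs = REG.findall(line)
            if len(pairs) >= 3:  # register rows carry several name/value pairs
                for name, val in pairs:
                    t["regs"]["r10" if name == "10" else name] = int(val, 16)
    return t


def decode_arm_ldst(word, regs):
    """Decode an ARM-mode LDR/STR with immediate offset; None for anything else."""
    if word >> 28 == 0xF or (word >> 25) & 0b111 != 0b010:
        return None
    p, u, b, l = ((word >> n) & 1 for n in (24, 23, 22, 20))
    rn, rd, imm = (word >> 16) & 0xF, (word >> 12) & 0xF, word & 0xFFF
    base = regs.get(NAMES[rn])
    if base is None:
        return None
    if rn == 15:
        base += 8  # reading pc in ARM mode yields the instruction address + 8
    off = imm if u else -imm
    addr = (base + off) & 0xFFFFFFFF if p else base  # post-indexed uses base as-is
    mnemonic = ("ldr" if l else "str") + ("b" if b else "")
    return mnemonic, NAMES[rd], NAMES[rn], off, addr


def triage(text):
    """Summarise the crash and test whether the instruction at pc explains it."""
    t = parse_tombstone(text)
    regs = t["regs"]
    out = {k: t.get(k) for k in ("process", "signal", "code", "fault_addr")}
    out["top_frame"] = t["frames"][0] if t["frames"] else None
    # Heuristic: an unmapped address inside the first page is usually NULL + field offset.
    out["near_null"] = t.get("code") == "SEGV_MAPERR" and t.get("fault_addr", PAGE) < PAGE
    out["access"] = out["explains_fault"] = None
    thumb = regs.get("cpsr", 0) & 0x20  # T bit set means Thumb; not decoded here
    word = t["mem"].get(regs.get("pc"))
    if word is not None and not thumb:
        decoded = decode_arm_ldst(word, regs)
        if decoded:
            out["access"] = decoded[:4]
            out["explains_fault"] = decoded[4] == t.get("fault_addr")
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:15} {value}")
```

For this dump the instruction at pc decodes to a load from r4 + 12 with r4 = 0, which matches fault addr 0000000c and points at a NULL structure pointer being read in GKI_add_to_timer_list.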

Related

[DEV ONLY][★★ICS★★][Sense 3.5][21 Dec]RCMix ICE v1.0, First Sense Android 4.0.1 rom!!

Hi,
RCTeam presents
First Sense rom on Ice Cream Sandwich
ANDROID 4.0.1
wow so let start porting...need some dev for help...
SOURCE:
http://forum.xda-developers.com/showthread.php?t=1403859
[DEV ONLY]
You people can't read? Stop spamming.
Sorry, but this version is on Sensation horribly slow (my opinion) it won't be fast on Desire
So I don't think it makes Sense to port this buggy version.
What would you want help with?
Wth people..Can't you read that it's just a notice about a rom from RC team and that the thread's a dev thread meant for doing work on it? It's not a release, so stop posting pointless comments asking for things about an unreleased rom and saying good work etc!! If you want to thank him, hit the thanks button..Stop posting in this thread...We haven't subscribed to this thread to get thousands of user comments about it...
STOP POSTING IN THIS THREAD UNLESS YOU'RE OFFERING HELP FOR ITS DEVELOPMENT!
If you just want to rant about it, visit the thread in General Forum...
o$$!ram said:
Sorry, but this version is on Sensation horribly slow (my opinion) it won't be fast on Desire
So I don't think it makes Sense to port this buggy version.
Sorry...but i have the same thinking
Sent from my HTC Desire using XDA Premium App
Droidzone said:
What would you want help with?
Actually I don't know what I need...
I need donor ROM but with ICS libs/bin let's see with http://forum.xda-developers.com/showthread.php?t=1355660
here is logcat...
Code:
14:59:33.732 Error Netd 1480 Unable to create netlink socket: Protocol not supported
14:59:33.732 Error Netd 1480 Unable to open quota2 logging socket
14:59:33.732 Error Netd 1480 Unable to start DnsProxyListener (Protocol not supported)
14:59:33.732 Error SocketListener 1480 Obtaining file descriptor socket 'dnsproxyd' failed: Protocol not supported
14:59:33.951 Info dalvikvm 1481 mlock: /data/dalvik-cache/[email protected]@[email protected], fd=8
14:59:33.951 Info dalvikvm 1481 mlock(1185370112, 3368168), fd=8
14:59:34.060 Info 1479 mediaserver main in
14:59:34.060 Info 1479 after defaultServiceManager
14:59:34.060 Info 1479 ServiceManager: 0xf9f0
14:59:34.060 Error HTC Acoustic 1479 read engineer ID failed -1
14:59:34.060 Error HTC Acoustic 1479 get speaker channel fail. -1
14:59:34.060 Error HTC Acoustic 1479 read engineer ID failed -1
14:59:34.060 Error HTC Acoustic 1479 ACOUSTIC_SET_WB_SAMPLE_RATE fail. -1
14:59:34.060 Error AudioHardwareMSM8660 1479 ERROR opening the device
14:59:34.060 Error AudioHardwareMSM8660 1479 NO devices registered
14:59:34.060 Info AudioFlinger 1479 Loaded primary audio interface from LEGACY Audio HW HAL (audio)
14:59:34.060 Info AudioFlinger 1479 Using 'LEGACY Audio HW HAL' (audio.primary) as the primary audio interface
14:59:34.060 Info AudioFlinger 1479 Loaded a2dp audio interface from A2DP Audio HW HAL (audio)
14:59:34.060 Info CameraService 1479 CameraService started (pid=1479)
14:59:34.060 Error HTC Acoustic 1479 read back mic state fail. -1
14:59:34.060 Error AudioPolicyManagerBase 1479 Could not open support_receiver()
14:59:34.060 Info AudioFlinger 1479 AudioFlinger's thread 0x11608 ready to run
14:59:34.060 Info AudioHardwareMSM8660 1479 AudioStreamOutMSM72xx::setParameters() routing=2
14:59:34.060 Info AudioHardwareMSM8660 1479 Routing audio to Speakerphone
14:59:34.169 Info DEBUG 1254 debuggerd: 2011-12-22 09:29:33
14:59:34.169 Info DEBUG 1254 *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
14:59:34.169 Info DEBUG 1254 Build fingerprint: 'htc_europe/htc_pyramid/pyramid:4.0.1/ITL41D/234376.101:userdebug/test-keys'
14:59:34.169 Info DEBUG 1254 pid: 1479, tid: 1498 >>> /system/bin/mediaserver <<<
14:59:34.169 Info DEBUG 1254 thread: AudioOut_1
14:59:34.169 Info DEBUG 1254 debuggerd: isSystemServerCrash=0, isEnableTellHTC=0
14:59:34.169 Info DEBUG 1254 signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000020
14:59:34.169 Info DEBUG 1254 r0 00000003 r1 41142203 r2 4114454e r3 00000000
14:59:34.169 Info DEBUG 1254 r4 00000001 r5 00000002 r6 00000003 r7 41147550
14:59:34.169 Info DEBUG 1254 r8 00000020 r9 41142203 10 00000030 fp 411478dc
14:59:34.169 Info DEBUG 1254 ip ffffffcc sp 41746bf0 lr 4113cca9 pc 4113ce0e cpsr 20000030
14:59:34.169 Info DEBUG 1254 d0 7274536f69647541 d1 534d74754f6d6165
14:59:34.169 Info DEBUG 1254 d2 733a3a787832374d d3 656d617261507465
14:59:34.169 Info DEBUG 1254 d4 0000000000000000 d5 0000000000000000
14:59:34.169 Info DEBUG 1254 d6 0000000000000000 d7 3f80000000000000
14:59:34.169 Info DEBUG 1254 d8 0000000000000000 d9 0000000000000000
14:59:34.169 Info DEBUG 1254 d10 0000000000000000 d11 0000000000000000
14:59:34.169 Info DEBUG 1254 d12 0000000000000000 d13 0000000000000000
14:59:34.169 Info DEBUG 1254 d14 0000000000000000 d15 0000000000000000
14:59:34.169 Info DEBUG 1254 d16 6574756f725f6f64 d17 725f6f696475615f
14:59:34.169 Info DEBUG 1254 d18 0000000000000000 d19 0000000000000000
14:59:34.169 Info DEBUG 1254 d20 0000000000000000 d21 0000000000000000
14:59:34.169 Info DEBUG 1254 d22 0000000000000000 d23 0000000000000000
14:59:34.169 Info DEBUG 1254 d24 0000000000000000 d25 0000000000000000
14:59:34.169 Info DEBUG 1254 d26 0000000000000000 d27 0000000000000000
14:59:34.169 Info DEBUG 1254 d28 0000000000000000 d29 0000000000000000
14:59:34.169 Info DEBUG 1254 d30 0000000000000000 d31 0000000000000000
14:59:34.278 Info DEBUG 1254 scr 00000010
14:59:34.278 Info DEBUG 1254
14:59:34.388 Info DEBUG 1254 #00 pc 0000ae0e /system/lib/hw/audio.primary.default.so (_ZN20android_audio_legacy13AudioHardware18doAudioRouteOrMuteEj)
14:59:34.388 Info DEBUG 1254 #01 pc 0000bd0c /system/lib/hw/audio.primary.default.so (_ZN20android_audio_legacy13AudioHardware9doRoutingEPNS0_20AudioStreamInMSM72xxE)
14:59:34.388 Info DEBUG 1254 #02 pc 0000c8bc /system/lib/hw/audio.primary.default.so (_ZN20android_audio_legacy13AudioHardware21AudioStreamOutMSM72xx13setParametersERKN7android7String8E)
14:59:34.388 Info DEBUG 1254 #03 pc 0000f790 /system/lib/hw/audio.primary.default.so
14:59:34.388 Info DEBUG 1254 #04 pc 0002ee02 /system/lib/libaudioflinger.so (_ZN7android12AudioFlinger11MixerThread23checkForNewParameters_lEv)
14:59:34.388 Info DEBUG 1254 #05 pc 0003138a /system/lib/libaudioflinger.so (_ZN7android12AudioFlinger11MixerThread10threadLoopEv)
14:59:34.388 Info DEBUG 1254 #06 pc 0002224e /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv)
14:59:34.388 Info DEBUG 1254 #07 pc 00022908 /system/lib/libutils.so
14:59:34.388 Info DEBUG 1254 #08 pc 000133b4 /system/lib/libc.so (__thread_entry)
14:59:34.388 Info DEBUG 1254 #09 pc 00012f08 /system/lib/libc.so (pthread_create)
14:59:34.388 Info DEBUG 1254
14:59:34.388 Info DEBUG 1254 code around pc:
14:59:34.388 Info DEBUG 1254 4113cdec ea4fc820 f8df1805 2003988c 2888f8df
14:59:34.388 Info DEBUG 1254 4113cdfc 1a06ea4f b00cf857 447a44f9 f8db4649
14:59:34.388 Info DEBUG 1254 4113ce0c f8533000 f7fb3008 f8dbe890 f8df3000
14:59:34.388 Info DEBUG 1254 4113ce1c 2003b86c 2868f8df 44fb4649 300af853
14:59:34.388 Info DEBUG 1254 4113ce2c f7fb447a f89be882 b1280000 f0819906
14:59:34.388 Info DEBUG 1254
14:59:34.388 Info DEBUG 1254 code around lr:
14:59:34.388 Info DEBUG 1254 4113cc88 600af857 f8d36833 1c4300a0 260ad001
14:59:34.388 Info DEBUG 1254 4113cc98 f8dfe791 447a2980 46292002 e946f7fb
14:59:34.388 Info DEBUG 1254 4113cca8 e7882603 d10a2c05 196cf8df f8df2002
14:59:34.388 Info DEBUG 1254 4113ccb8 260c296c 447a4479 e938f7fb 2c06e00b
14:59:34.388 Info DEBUG 1254 4113ccc8 f8dfd10b 2002195c 2958f8df 44792603
14:59:34.388 Info DEBUG 1254
14:59:34.388 Info DEBUG 1254 stack:
14:59:34.388 Info DEBUG 1254 41746bb0 41746cc4
14:59:34.388 Info DEBUG 1254 41746bb4 41746d3c
14:59:34.388 Info DEBUG 1254 41746bb8 40042d88
14:59:34.388 Info DEBUG 1254 41746bbc 400632bf /system/lib/libc.so
14:59:34.388 Info DEBUG 1254 41746bc0 41746c00
14:59:34.388 Info DEBUG 1254 41746bc4 00013ee0
14:59:34.388 Info DEBUG 1254 41746bc8 00000000
14:59:34.388 Info DEBUG 1254 41746bcc d45da700
14:59:34.388 Info DEBUG 1254 41746bd0 00010024
14:59:34.388 Info DEBUG 1254 41746bd4 00000001
14:59:34.388 Info DEBUG 1254 41746bd8 41142203 /system/lib/hw/audio.primary.default.so
14:59:34.388 Info DEBUG 1254 41746bdc 00000001
14:59:34.388 Info DEBUG 1254 41746be0 41147550
14:59:34.388 Info DEBUG 1254 41746be4 4113cca9 /system/lib/hw/audio.primary.default.so
14:59:34.388 Info DEBUG 1254 41746be8 df0027ad
14:59:34.388 Info DEBUG 1254 41746bec 00000000
14:59:34.388 Info DEBUG 1254 #00 41746bf0 00000001
14:59:34.388 Info DEBUG 1254 41746bf4 00000001
14:59:34.388 Info DEBUG 1254 41746bf8 00000000
14:59:34.388 Info DEBUG 1254 41746bfc 400fe421 /system/lib/libutils.so
14:59:34.388 Info DEBUG 1254 41746c00 0000a008
14:59:34.388 Info DEBUG 1254 41746c04 00000000
14:59:34.388 Info DEBUG 1254 41746c08 00000001
14:59:34.388 Info DEBUG 1254 41746c0c 400fe421 /system/lib/libutils.so
14:59:34.388 Info DEBUG 1254 41746c10 41746c4c
14:59:34.388 Info DEBUG 1254 41746c14 00013efc
14:59:34.388 Info DEBUG 1254 41746c18 00000000
14:59:34.388 Info DEBUG 1254 41746c1c 00000000
14:59:34.388 Info DEBUG 1254 41746c20 00013ed0
14:59:34.388 Info DEBUG 1254 41746c24 00000001
14:59:34.388 Info DEBUG 1254 41746c28 0000fc68
14:59:34.388 Info DEBUG 1254 41746c2c 20000000
14:59:34.388 Info DEBUG 1254 41746c30 41746c74
14:59:34.388 Info DEBUG 1254 41746c34 0000fcc0
14:59:34.388 Info DEBUG 1254 41746c38 00000000
14:59:34.388 Info DEBUG 1254 41746c3c 41746d3c
14:59:34.388 Info DEBUG 1254 41746c40 40042d88
14:59:34.388 Info DEBUG 1254 41746c44 4113dd11 /system/lib/hw/audio.primary.default.so
14:59:34.388 Info DEBUG 1254 #01 41746c48 0000fc68
14:59:34.388 Info DEBUG 1254 41746c4c 00000000
14:59:34.388 Info DEBUG 1254 41746c50 000115e0
14:59:34.388 Info DEBUG 1254 41746c54 41147550
14:59:34.388 Info DEBUG 1254 41746c58 41142203 /system/lib/hw/audio.primary.default.so
14:59:34.388 Info DEBUG 1254 41746c5c 41746c74
14:59:34.388 Info DEBUG 1254 41746c60 41746c9c
14:59:34.512 Info DEBUG 1254 41746c64 4113e8c1 /system/lib/hw/audio.primary.default.so
14:59:35.339 Info ServiceManager 965 service 'media.player' died
14:59:35.339 Info ServiceManager 965 service 'media.camera' died
14:59:35.339 Info ServiceManager 965 service 'media.audio_flinger' died
coolexe said:
Actually I don't know what I need...
I need donor ROM but with ICS libs/bin let's see with http://forum.xda-developers.com/showthread.php?t=1355660
here is logcat...
14:59:34.060 Info AudioHardwareMSM8660 1479 AudioStreamOutMSM72xx::setParameters() routing=2
14:59:34.060 Info AudioHardwareMSM8660 1479 Routing audio to Speakerphone
Driver should code or decode ! toooooo hard
Can we disable those services from starting at boot? The libs themselves would need hex patching to reroute instructions to appropriate addresses.. I'm thinking looking at the aosp source and disassembling the libs after making small modifications would help locate these.. These are stuff which ownhere and snq were good at.
14:59:33.732 Error Netd 1480 Unable to create netlink socket: Protocol not supported
14:59:33.732 Error Netd 1480 Unable to open quota2 logging socket
14:59:33.732 Error Netd 1480 Unable to start DnsProxyListener (Protocol not supported)
14:59:33.732 Error SocketListener 1480 Obtaining file descriptor socket 'dnsproxyd' failed: Protocol not supported
*Kernel, the new data tracking
14:59:34.060 Info 1479 mediaserver main in
14:59:34.060 Info 1479 after defaultServiceManager
14:59:34.060 Info 1479 ServiceManager: 0xf9f0
14:59:34.060 Error HTC Acoustic 1479 read engineer ID failed -1
14:59:34.060 Error HTC Acoustic 1479 get speaker channel fail. -1
14:59:34.060 Error HTC Acoustic 1479 read engineer ID failed -1
14:59:34.060 Error HTC Acoustic 1479 ACOUSTIC_SET_WB_SAMPLE_RATE fail. -1
14:59:34.060 Error AudioHardwareMSM8660 1479 ERROR opening the device
14:59:34.060 Error AudioHardwareMSM8660 1479 NO devices registered
*The driver/libs we use is not exactly stock, done some editing to get it to work.
14:59:34.060 Info AudioFlinger 1479 Loaded primary audio interface from LEGACY Audio HW HAL (audio) <--- we still get something like that
Rest is pretty much the kernel not able to "speak" to the driver properly.
(this is only what I remember atm, been a while since we've had these errors)
Not sure how much you can borrow from the AOSP kernel, but here is a github that should be pretty much up to date. This is the kernel we're using.
https://github.com/tristan202/kernel
The changes in audio can be found on the github linked to in my thread.
I would recommend getting a kernel dev to take a look at it, we're available on IRC if there is something we can help with.
And for those thinking the Sensation port is slow, try deleting the gralloc (the other than the default.gralloc.so) should speed things up until a real hw fix is out. Don't know how compatible the hw hack we're using is, but this sped things up a lot for us, until we got the hack.
*Edit: I'll take a look later today or tomorrow, and see if I get it booting, have a few ideas. But I'm quite busy because of Christmas and moving from my apartment.
Desire Dev
Alex-V said:
Sorry...but i have the same thinking
Hi Alex/all devs
There's something I think I need to say, I thought as this thread focuses on the latest and greatest from HTC and Google, here was the best place.
So a simple message to all desire devs which will be important for continued development of our beloved desire's!
Please, please, please...collaborate and share your works and ideas.
After following the recent desire thread posted by the PVTeam (DesireS/HD etc) I was incredibly disappointed to see coders getting over protective of their work. THIS IS OPEN SOURCE FOLKS!!!
Only by sharing ideas and collaborating on projects and offering thanks will development improve and continue!
I've tried just about every runny ROM that's appeared for the Desire for the last six months with seb's ROM looking the most promising, but lags and instability have been all too frequent to make them usable......until I installed the PVTeam effort.
The PVTeam ROM is still on my phone, because it just works! It's quick, battery life is good and it's very stable.
So support each other, share your work, I agree a bit of competition is healthy, but we all have our day jobs/education to worry about, don't we??
Happy holidays and may 2012 be a good year for you all.
The changes in audio can be found on the github linked to in my thread.
@Sandvold, I can't locate the github you mentioned regarding audio drivers
@Other users: Please keep this thread clean from all lateral discussions. If you're not a dev or do not have an idea for development, your post does NOT belong here. No general discussions here please. Mods have been requested to warn/enforce this.
@Droidzone
this is what you lookin for?: https://github.com/ics-passion-dev
https://github.com/ics-passion-dev/android_device_htc_bravo
preston74 said:
@Droidzone
this is what you lookin for?: https://github.com/ics-passion-dev
https://github.com/ics-passion-dev/android_device_htc_bravo
Thanks. Found it from that profile. Must be this one:
https://github.com/ics-passion-dev/android_hardware_qcom_media/commits/ics
@Sandvold, do you know exactly which kernel driver is behind this issue? I could try doing diffs and merging the aosp and Sense kernels a little bit.
@coolexe, which kernel are you trying with this one atm? Sense GB? Maybe it would be better to use the Sense GB rom as merge recipient.
Droidzone said:
@coolexe, which kernel are you trying with this one atm? Sense GB? Maybe it would be better to use the Sense GB rom as merge recipient.
i tried both kernels ICS AOSP kernel and my kernel which is almost same as Gingercakes v9...
CorradoSud said:
Most useless thing in the world.
if Sensation XL getting ICS then its easy to port to DHD...or if possible DHD to Desire...
Sensation XL vs Desire HD
http://www.mobilesmspk.net/compare/htc-sensation-xl/htc-desire-hd
http://forum.xda-developers.com/showthread.php?t=1399446
I still don't get this exactly.
We're using the same kernel - which makes virtually the same sound system used. On top of it, we do have the source code. How come compilation succeeds but errors are emitted during boot? I think one should check the output of the compilation first, before the output of logcat - problems about redirection can be solved there perhaps?
In future I'll try to compile an Android without bionic (with Glibc) and I was planning to do it on ICS. You guys kinda scared me now
theGanymedes said:
I still don't get this exactly.
We're using the same kernel - which makes virtually the same sound system used. On top of it, we do have the source code. How come compilation succeeds but errors are emitted during boot? I think one should check the output of the compilation first, before the output of logcat - problems about redirection can be solved there perhaps?
Compilation? What compilation?
@coolexe, are you using libs from aosp? I have a hunch that ICS Sense may be more compatible with GB Sense than ICS Aosp..
Edit: I'm selling my Desire and won't be able to work on this anymore.. Good luck to the others..
As the Developers Requested CAN you Not POST in Here Unless it has to do with Development.
Please no stupid 1 line Quotes and no Stupid Questions, Only Reply if it is to do with DEVELOPMENT Thank You
BE WARNED
Alex-V said:
Sorry...but i have the same thinking
same here. cant we port vanilla version of ICS?

Evaluating CVE-2015-1474 to escalate to system privileges

I hope that with this thread we are able to gain system privileges with the help of CVE-2015-1474.
To begin with I try to write down what I have found. This is just a compilation of information so they might look mixed up.
The class GraphicBuffer is utilized by the system service SurfaceFlinger. My current understanding is that the vulnerable method "unflatten" is used to create a GraphicBuffer object from raw data that is sent to the service by IPC using Binder. A forged message might be easiest supplied via adb shell using this command:
Code:
[email protected]:/ $ service call SurfaceFlinger ...
I am not sure yet how the parcel gets eventually to the GraphicBuffer. It is a lot of code and I do not understand the low level graphics system of Android yet. The IGraphicBufferConsumer interface has a sub class BufferItem which has also an unflatten method which will call unflatten on GraphicBuffer. My gut tells me that the Parcel class is also involved in that process, but I'm not sure how yet.
One important piece of information that I'm still missing is how the unflattened data is used in the further processing of SurfaceFlinger. I don't think it is possible to freely write in the memory of SurfaceFlinger with this bug. There are still a lot of sanity checks to come by.
This could also affect how we have to implement the communication with SurfaceFlinger. Maybe it's also possible with some forged objects and a SurfaceView.
Maybe together we are able to bring some light into this. A little bump in the right direction might help.
Phate123 said:
I hope that with this thread we are able to gain system privileges with the help of CVE-2015-1474.
Take a look at the thread below, It looks like there is already some research being done but I can't quite get my head around whether they are on the right track. This might help us get going in the right direction though.
http://forum.xda-developers.com/not.../rd-rooting-n910a-n910v-models-t3042045/page6
awinston said:
Take a look at the thread below, It looks like there is already some research being done but I can't quite get my head around whether they are on the right track. This might help us get going in the right direction though.
http://forum.xda-developers.com/not.../rd-rooting-n910a-n910v-models-t3042045/page6
Good news ( @Phate123, @awinston )! I have managed to crash the surfaceflinger on 4.5.2 (should also work on 4.5.3).
I'll upload the code on github, but first I want to briefly explain how I did it.
In Android everything that is a graphical element is represented by a GraphicBuffer.
GraphicBuffers are wrapped in BufferItems and managed by BufferQueues.
Each Queue has two sides, a producer side (IGraphicBufferProducer) and a consumer side (IGraphicBufferConsumer). In the basic scenario an app is the producer and the surfaceflinger is the consumer. These are obviously two different processes, but both must use the same BufferQueue.
BufferQueues are always created and owned by the consumers and consequently live in the same address space as the consumer. Producers must go through Binder to access their side of the queue.
As with everything in Android, the BufferQueue provides the same interface for both native (in the same process) and remote usage. The remote interface is implemented by a proxy that communicates through Binder with the other side.
In android KK BufferQueue implements the native side of the interface for both the producer (BnGraphicBufferProducer) and the consumer (BnGraphicBufferConsumer). These native implementations must provide a handler (onTransact) for requests that come from the remote proxies.
You can read more at https://source.android.com/devices/graphics/architecture.html.
Naturally, the first idea that comes into mind is to attack the native implementations of the BufferQueue that reside in the surfaceflinger. As the bug is in the unflatten routine of GraphicBuffer, we would like to craft a rogue parcel that represents a GraphicBuffer and then wait for the surfaceflinger to choke with it.
Unfortunately, from my findings, the bugged unflatten method is not called from the onTransact handler in the native implementations.
Only the proxy implementations seem to be a valid target, through BpGraphicBufferProducer::requestBuffer and BpGraphicBufferConsumer::acquireBuffer. Now we have a problem: as the BufferQueue resides in the surfaceflinger, there is no proxy implementation to attack.
Our only hope is to somehow create the BufferQueue in our process, so that we are the consumers, and use the surfaceflinger as the producer. This way the surfaceflinger would be accessing the BufferQueue through the bugged proxy (BpGraphicBufferProducer::requestBuffer). One way to use the surfaceflinger as a producer is to make screen captures.
I found the screencap command to be a very nice starting point to tinker with the idea as it does exactly what we wanted - it uses the surfaceflinger as a producer and pulls screen captures from it. Next I only had to hook the vtable entry of BpGraphicBufferProducer::onTransact.
Now we have to control the overflow in GraphicBuffer::unflatten.
p1gl3t said:
Good news ( @Phate123, @awinston )! I have managed to crash the surfaceflinger on 4.5.2 (should also work on 4.5.3).
Wow you are really good! I had started to piece some of this together and wanted to document it for good measure even though you are going to clearly beat the rest of us to this exploit. Arguably I could never figure it out, but never hurts to try. At least I am learning.
https://charleszblog.wordpress.com/2014/02/20/understanding-android-internals-graphics-basics-i/
http://translate.google.com/transla...dyhuabing/article/details/7489776&prev=search
http://4.bp.blogspot.com/-qQxyvr2Vc8w/VFYLxdacwpI/AAAAAAAAAes/HMMrUIwC9OY/s1600/Selection_043.png
https://android.googlesource.com/platform/frameworks/native/+/master/libs/gui/tests/Surface_test.cpp
The screenshot test is where I was focusing but wasn't really getting very far.
Crashed unflatten as well
Okay so I crashed unflatten as well. Trying to figure out where to go from here. I am a little confused though because I did it natively by calling unflatten directly from a cpp program I wrote with a few lines of code. When you crash it like this how do I know it was the buffer overflow? Sorry, still trying to learn as I go.
03-05 17:06:47.380 2652-2652/? A/libc﹕ Fatal signal 11 (SIGSEGV) at 0x52464247 (code=1), thread 2652 (screenshot)
03-05 17:06:47.490 258-258/? I/DEBUG﹕ *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-05 17:06:47.490 258-258/? I/DEBUG﹕ AM write failure (32 / Broken pipe)
03-05 17:06:47.490 258-258/? I/DEBUG﹕ Build fingerprint: 'Amazon/thor/thor:4.4.3/KTU84M/13.4.5.2_user_452004220:user/release-keys'
03-05 17:06:47.490 258-258/? I/DEBUG﹕ Revision: '0'
03-05 17:06:47.490 258-258/? I/DEBUG﹕ pid: 2652, tid: 2652, name: screenshot >>> ./screenshot <<<
03-05 17:06:47.490 258-258/? I/DEBUG﹕ signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 52464247
03-05 17:06:47.490 955-1055/? W/NativeCrashListener﹕ Couldn't find ProcessRecord for pid 2652
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r0 b723dfb8 r1 47424652 r2 be94a600 r3 00000020
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r4 b723dfb8 r5 be94a618 r6 52464247 r7 be94a604
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r8 be94a600 r9 00000000 sl be94a618 fp be94a6ec
03-05 17:06:47.500 258-258/? I/DEBUG﹕ ip b6f08f44 sp be94a590 lr b6f04f4b pc b6e34b94 cpsr 200b0030
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d0 0000000000000000 d1 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d2 0000000000000000 d3 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d4 0000000000000000 d5 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d6 0000000000000000 d7 55ab5f0000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d8 0000000000000000 d9 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d10 0000000000000000 d11 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d12 0000000000000000 d13 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d14 0000000000000000 d15 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d16 0000002000000001 d17 0000000000000020
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d18 b723a630b723a618 d19 b723a658b723a648
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d20 b723a678b723a668 d21 b723a698b723a688
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d22 b723aaf8b723a6a8 d23 b723af58b723af48
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d24 0000000000000000 d25 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d26 0000000000000000 d27 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d28 0000000000000000 d29 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d30 0000000000000000 d31 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ scr 00000010
03-05 17:06:47.510 258-258/? I/DEBUG﹕ backtrace:
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #00 pc 00005b94 /system/lib/libui.so (android::GraphicBuffer::unflatten(void const*&, unsigned int&, int const*&, unsigned int&)+23)
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #01 pc 00002f47 /data/local/tmp/screenshot
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #02 pc 0000e4db /system/lib/libc.so (__libc_init+50)
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #03 pc 0000308c /data/local/tmp/screenshot
03-05 17:06:47.510 258-258/? I/DEBUG﹕ stack:
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a550 00000000
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a554 b6010001
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a558 00000000
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a55c b6e0d44b /system/lib/libgui.so
---------- Post added at 12:26 AM ---------- Previous post was at 12:12 AM ----------
awinston said:
Okay so I crashed unflatten as well.
Is the trick to do it through the surfaceflinger process because it is running with escalated privileges?
awinston said:
Okay so I crashed unflatten as well. Trying to figure out where to go from here. I am a little confused though because I did it natively by calling unflatten directly from a cpp program I wrote with a few lines of code. When you crash it like this how do I know it was the buffer overflow? Sorry, still trying to learn as I go.
Is the trick to do it through the surfaceflinger process because it is running with escalated privileges?
Surfaceflinger runs under the system user (+drmrpc group) and should have access to /dev/qseecom, through which we can get root using CVE-2014-4322.
The problem is that the heap buffer overflow triggered by unflatten seems very difficult to exploit.
We must consider the following to achieve a controlled memory write:
1) sizeof(native_handle_t) + sizeof(int)*(numFds+numInts) must overflow 32 bits and remain small enough that the malloc succeeds and returns a valid heap address in h->data. If the malloc were to fail, we would memcpy to address 0 and get a seg fault.
2) As even after the malloc, numInts and numFds are used only after being multiplied by 4 (sizeof(int)), we can ignore the 2 most significant bits from both of them. This means that the only way to get any kind of bof is to generate transport from bit 29 to bit 30 on the sum numFds+numInts. Consequently, at least one of numInts or numFds must have bit 29 set. This doesn't sound very good because next we will do a memcpy of numFds * 4 bytes and next a memcpy of numInts * 4 bytes, meaning that at least one of the two memcpy calls will try to copy at least (1<<31) bytes. This will certainly lead to a segfault before we can trigger something from another thread...
3) The executable code is position independent so we would need to leak an address to be able to use rop.
Things don't look good at all... I really hope that I have made a mistake or that there is another approach to the problem.
I'm afraid that the pros would have already implemented an exploit by now, if it could have been done.
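The size arithmetic described in the post above, as an added C example that is not part of the original post, the poster's PoC or AOSP: it computes the allocation size in 32 bits the way the expression in the post does, compares it with what the two copies are then asked to move, and shows a count validation that rejects the mismatch before any allocation. The 12-byte header size, the `MAX_HANDLE_COUNT` cap, all function names and the `fds_received`/`ints_received` parameters are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the handle header is three 32-bit ints (version, numFds, numInts). */
#define HANDLE_HEADER_BYTES 12u
/* Hypothetical policy cap chosen for this example. */
#define MAX_HANDLE_COUNT 1024u

/* The unchecked size computation from the post, done in uint32_t to mirror
 * a 32-bit size_t: header + sizeof(int) * (numFds + numInts). */
static uint32_t unchecked_alloc_size(uint32_t numFds, uint32_t numInts)
{
    return HANDLE_HEADER_BYTES + 4u * (numFds + numInts);
}

/* Bytes the two copies after the allocation are asked to move
 * (numFds * 4, then numInts * 4), computed in 64 bits so nothing wraps. */
static uint64_t requested_copy_bytes(uint32_t numFds, uint32_t numInts)
{
    return 4ull * numFds + 4ull * numInts;
}

/* True when the 32-bit size differs from the size the copies really need. */
static bool size_wraps(uint32_t numFds, uint32_t numInts)
{
    uint64_t needed = HANDLE_HEADER_BYTES + requested_copy_bytes(numFds, numInts);
    return (uint64_t)unchecked_alloc_size(numFds, numInts) != needed;
}

/* Hardened form: bound each count by a fixed cap and by what the message
 * actually delivered, and only then compute the size. Returns 0 when the
 * counts are rejected; any accepted size is at least HANDLE_HEADER_BYTES. */
static uint32_t checked_alloc_size(uint32_t numFds, uint32_t numInts,
                                   size_t fds_received, size_t ints_received)
{
    if (numFds > MAX_HANDLE_COUNT || numInts > MAX_HANDLE_COUNT)
        return 0;
    if (numFds > fds_received || numInts > ints_received)
        return 0;
    /* Both counts are <= 1024 here, so this cannot wrap. */
    return HANDLE_HEADER_BYTES + 4u * (numFds + numInts);
}

int main(void)
{
    /* Constructed input: numInts = 12 and numFds = -numInts, the
     * combination reported later in this thread. */
    uint32_t numInts = 12u;
    uint32_t numFds = (uint32_t)0 - numInts;

    printf("unchecked size : %u bytes\n",
           (unsigned)unchecked_alloc_size(numFds, numInts));
    printf("copies request : %llu bytes\n",
           (unsigned long long)requested_copy_bytes(numFds, numInts));
    printf("size wraps     : %s\n", size_wraps(numFds, numInts) ? "yes" : "no");
    printf("checked size   : %u (0 = rejected)\n",
           (unsigned)checked_alloc_size(numFds, numInts, 2, 12));
    printf("benign 2/12    : %u bytes\n",
           (unsigned)checked_alloc_size(2u, 12u, 2, 12));
    return 0;
}
```

The check runs before the allocation, so a rejected message never reaches malloc or either copy.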
p1gl3t said:
We must consider the following to obtain a controlled memory write:
sizeof(native_handle_t) + sizeof(int)*(numFds+numInts) must overflow 32 bits and remain small enough that the malloc succeeds and returns a valid heap address in h->data. If the malloc were to fail, we would memcpy to address 0 and get a seg fault.
as even after the malloc, numInts and numFds are used only after being multiplied by 4 (sizeof(int)), we can ignore the 2 most significant bits from both of them. This means that the only way to get any kind of bof is to generate transport from bit 29 to bit 30 on the sum numFds+numInts. Consequently, at least one of numInts or numFds must have bit 29 set. This doesn't sound very good because next we will do a memcpy of numFds * 4 bytes and next a memcpy of numInts * 4 bytes, meaning that at least one of the two memcpy calls will try to copy at least (1<<31) bytes. This will certainly lead to a segfault before we can trigger something from another thread...
the executable code is position independent so we would need to leak an address to be able to use rop.
Things don't look good at all... I really hope that I have made a mistake or that there is another approach to the problem.
I'm afraid that the exploit pros would have already implemented an exploit if it could have been done.
Those have been my thoughts too. There is a memory corruption but it is difficult to use and it is not in areas that could be used to manipulate the return stack or a vtable entry. Or I just can't see the way. I have experience in this area, but it is kinda limited.
BTW: These drivers are not used by the Fire HDX by chance? https://www.codeaurora.org/projects...le-camera-drivers-cve-2014-4321-cve-2014-4324
Sadly I cannot find enough time to spend hours on digging. I hope there is some to be found this weekend though.
Phate123 said:
Those have been my thoughts too. There is a memory corruption but it is difficult to use and it is not in areas that could be used to manipulate the return stack or a vtable entry. Or I just can't see the way. I have experience in this area, but it is kinda limited.
BTW: These drivers are not used by the Fire HDX by chance? https://www.codeaurora.org/projects...le-camera-drivers-cve-2014-4321-cve-2014-4324
Sadly I cannot find enough time to spend hours on digging. I hope there is some to be found this weekend though.
I don't think a stack attack would have been feasible at all as the code should be compiled with stack protector on and we can't do a brute force on the canary value. Hijacking a vtable pointer or a got entry would have been the way to go, but we still wouldn't know what to write as everything is aslr'd.
Regarding those camera drivers, I think someone over at the Samsung section also mentioned them. I'll look into them and report back.
p1gl3t said:
I don't think a stack attack would have been feasible at all as the code should be compiled with stack protector on and we can't do a brute force on the canary value. Hijacking a vtable pointer or a got entry would have been the way to go, but we still wouldn't know what to write as everything is aslr'd.
Would you mind sharing your code even though it doesn't look like you will be able to exploit this overflow? I am still trying to get my head around the basic attack through surface flinger and it would help me greatly to better understand how at least in theory this works. No worries if you don't want to.
awinston said:
Would you mind sharing your code even though it doesn't look like you will be able to exploit this overflow? I am still trying to get my head around the basic attack through surface flinger and it would help me greatly to better understand how at least in theory this works. No worries if you don't want to.
Here you go: https://github.com/p1gl3t/CVE-2015-1474_poc.
p1gl3t, great job on creating a poc of the exploit :good:
p1gl3t said:
Regarding those camera drivers, I think someone over at the Samsung section also mentioned them. I'll look into them and report back.
@jcase Says no on those camera group holes. http://forum.xda-developers.com/showpost.php?p=58945240&postcount=18
It's good to see others working on 2015-1474 also :good:
ZPaul2Fresh8 said:
@jcase Says no on those camera group holes. http://forum.xda-developers.com/showpost.php?p=58945240&postcount=18
It's good to see others working on 2015-1474 also :good:
@jcase is right, only mediaserver is executed under group camera so that it can access /dev/video*. You can see that in init.base.rc and ueventd.qcom.rc.
Now returning to the original topic... I fiddled around with unflatten, giving some input that should have made it crash.
What I did is I left numInts untouched and set numFds = -numInts. I was expecting surfaceflinger to crash every single time when it did the first memcpy. Somehow it didn't. I was baffled and had to gdb the process to see where my assumptions were wrong.
I broke just before the first memcpy and printed the params:
Code:
(gdb) p $r0
$19 = 3074255348
(gdb) p $r1
$20 = 3074340312
(gdb) p $r2
$21 = 4294967248
r0 is the destination, r1 the source and r2 the number of bytes to copy. r2 is the unsigned representation of 4 * (-12) = 4 * numFds = -4 * numInts.
How did the program NOT crash???!! It even worked a second time, but crashed with SIGABRT in a free() because of heap corruption (I suppose). So even the second memcpy passed without segfault.
Here you have the memory map of surfaceflinger.
LE I have traced the memcpy. It looks like this on my Apollo 14.4.5.2
Code:
.text:0002218C __memcpy_base
.text:0002218C CMP R2, #4
.text:0002218E BLT.W loc_222DC
.text:00022192 CMP R2, #0x10
.text:00022194 BLT.W loc_222BE
.text:00022198 CMP R2, #0x20
.text:0002219A BLT.W loc_222AE
.text:0002219E CMP R2, #0x40
.text:000221A0 BLT loc_222A2
It seems like R2 (number of bytes) is treated like a signed int and the first branch is taken and the following instructions are executed
Code:
.text:000222DC loc_222DC ; CODE XREF: __memcpy_base+2
.text:000222DC LSLS R2, R2, #0x1F
.text:000222DE ITT CS
.text:000222E0 LDRCSH.W R3, [R1],#2
.text:000222E4 STRCSH.W R3, [R0],#2
.text:000222E8 ITT MI
.text:000222EA LDRMIB R3, [R1]
.text:000222EC STRMIB R3, [R0]
This ends up copying only n & 3 bytes, which is < 4. Basically, only the 2 least significant bits of n matter.
So... I guess we are able to write to h->data + numFds*4 as long as numFds*4 is negative. But having numFds as an offset may hurt us on the malloc side.
Now we have to defeat aslr somehow.
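The memcpy path traced in the post above, as an added C model that is not part of the original post and not Bionic's source: it reproduces the signed `CMP R2, #4` / `BLT` decision and the `LSLS`-driven tail, then shows a caller-side length check that does not depend on how the copy routine treats its length. All function names, the `BULK_PATH` marker and the scratch buffers are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Marker for lengths that go to the larger copy loops, which are not modeled. */
#define BULK_PATH SIZE_MAX

/* CMP R2, #4 ; BLT: a signed less-than, so any length with bit 31 set
 * is treated as negative and takes the short path. */
static bool takes_small_path(uint32_t n)
{
    return (n & 0x80000000u) != 0 || n < 4u;
}

/* Model of the short path: LSLS R2, R2, #0x1F moves bit 1 of the length
 * into the carry flag and bit 0 into the sign flag. */
static size_t model_small_copy(uint8_t *dst, const uint8_t *src, uint32_t n)
{
    size_t stored = 0;

    if (!takes_small_path(n))
        return BULK_PATH;
    if (n & 2u) {                      /* carry set: LDRCSH / STRCSH, 2 bytes */
        memcpy(dst, src, 2);
        stored += 2;
    }
    if (n & 1u) {                      /* sign set: LDRMIB / STRMIB, 1 byte */
        dst[stored] = src[stored];
        stored += 1;
    }
    return stored;
}

/* Runs the model on constructed scratch buffers and counts the bytes that
 * really changed in the destination. */
static size_t bytes_stored_for(uint32_t n)
{
    const uint8_t src[4] = { 0xA1, 0xA2, 0xA3, 0xA4 };
    uint8_t dst[4] = { 0, 0, 0, 0 };
    size_t changed = 0;

    if (model_small_copy(dst, src, n) == BULK_PATH)
        return BULK_PATH;
    for (size_t i = 0; i < sizeof dst; i++)
        if (dst[i] != 0)
            changed++;
    return changed;
}

/* Caller-side check: an element count taken from untrusted input must fit
 * both buffers before any copy routine sees it. */
static bool copy_length_ok(uint32_t count, size_t elem_size,
                           size_t dst_capacity, size_t src_available)
{
    if (elem_size == 0 || count > SIZE_MAX / elem_size)
        return false;
    size_t bytes = (size_t)count * elem_size;
    return bytes <= dst_capacity && bytes <= src_available;
}

int main(void)
{
    /* 4294967248 is the r2 value printed in the gdb session above. */
    printf("n = 4294967248 stores %zu bytes\n", bytes_stored_for(4294967248u));
    printf("n = 3 stores %zu bytes\n", bytes_stored_for(3u));
    printf("count 4294967284 accepted: %s\n",
           copy_length_ok(4294967284u, 4, 60, 60) ? "yes" : "no");
    return 0;
}
```

Because the oversized length produces no fault on this path, a crash cannot serve as the signal that a bad count arrived; the count has to be rejected before the copy.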
Any chance
I hope you are still working on this, we really need to get rid of the crappy Amazon OS and unlock the full potential of these amazing tablet specs.
I have an open tablet that I should repair; if there is a need to take some photos of components please let me know. I am not into software hacking yet and it will take me some time to get into it... but I want to contribute to make this possible, and I hope more smart guys from around here join their efforts to do it.
I wish there were another tablet on the market as good as this one right now at an affordable price, just to see how CM12.1 behaves on it. I tried it on a KFHD before I got it bricked; it was fine but a little bit laggy due to limited specs and low RAM.
Hi, p1gl3t!
I'm interested in your PoC and have to ask... Is your work on this done? And how might I use that for my specific device?
dadreamer said:
Hi, p1gl3t!
I'm interested in your PoC and have to ask... Is your work on this done? And how might I use that for my specific device?
Not sure what this thread was all about (didn't look back) but the last post was over 2 years ago. A lot has happened since then; every 3rd gen HDX can be bootloader unlocked opening the door to custom ROMS ranging from Android 4.4.4 to 7.1.1.
https://forum.xda-developers.com/kindle-fire-hdx/general/thor-unlocking-bootloader-firmware-t3463982
https://forum.xda-developers.com/kindle-fire-hdx/general/thor-4-5-5-2-easy-to-root-unlock-t3571240
Davey126 said:
every 3rd gen HDX can be bootloader unlocked opening the door to custom ROMS ranging from Android 4.4.4 to 7.1.1.
Well, that's true but not for my device. I still have a slightly outdated smartphone. It is Docomo Fujitsu Arrows NX F-01F [ Android 4.4.2, build # V10R22A (kernel version 3.4.0), ARMv7 arch (armv7l, armeabi-v7a) ]. And it's got no public firmwares at all, no bootloader unlock and no root in easy ways. Besides that, there's one "pleasant" addition - PXN (Privilege Execute-Never), which doesn't let me root the phone with simple ways or common tools.
To bypass PXN I have to use some JOP approach but for it I need to get boot.img or kernel memory dump somehow. Because I have no factory ROMs I'm trying to pull out boot.img through known vulnerabilities of my dev. One of them is CVE-2015-1474 (GraphicBuffer integer overflow), which potentially might give me system privileges to copy boot.img from that phone.
So I wonder if p1gl3t's code is ready to use and is able to give the system privileges. It seems it should be compiled together with AOSP codebase. But I'm unsure if it would work well when I get it compiled.
Checked your links. There I see that the presence of root is required. But I can't gain root so can't use those tools.
dadreamer said:
Well, that's true but not for my device. I still have a slightly outdated smartphone. It is Docomo Fujitsu Arrows NX F-01F [ Android 4.4.2, build # V10R22A (kernel version 3.4.0), ARMv7 arch (armv7l, armeabi-v7a) ]. And it's got no public firmwares at all, no bootloader unlock and no root in easy ways. Besides that, there's one "pleasant" addition - PXN (Privilege Execute-Never), which doesn't let me root the phone with simple ways or common tools.
To bypass PXN I have to use some JOP approach but for it I need to get boot.img or kernel memory dump somehow. Because I have no factory ROMs I'm trying to pull out boot.img through known vulnerabilities of my dev. One of them is CVE-2015-1474 (GraphicBuffer integer overflow), which potentially might give me system privileges to copy boot.img from that phone.
So I wonder if p1gl3t's code is ready to use and is able to give the system privileges. It seems it should be compiled together with AOSP codebase. But I'm unsure if it would work well when I get it compiled.
Checked your links. There I see that the presence of root is required. But I can't gain root so can't use those tools.
Have not seen @p1gl3t on this thread/forum in awhile; not sure if s/he is still active on XDA. Might try a PM. Given the age and, err, uniqueness of device in question I suspect you're in for quite a ride. Good luck.
Well, I have compiled that badscreencap by p1gl3t along with android 4.4.2 codebase and then pushed it to my dev. But whenever I run it I receive segfault:
Code:
[email protected]:/data/local/tmp $ ./badscreencap
pid 24824
display.update ret 0
IGraphicBufferConsumer::consumerDisconnect 0x18
BBinder::onTransact 0x40
BnGraphicBufferProducer::onTransact 0x34
BBinder::onTransact 0x40
BnGraphicBufferProducer::onTransact 0x34
BBinder::onTransact 0xb6889759
BnGraphicBufferProducer::onTransact 0xb6889391
BBinder::onTransact = 0xb6899048
*BBinder::onTransact = 0xb6889759
BBinder::onTransact = 0xb7b912b0
*BBinder::onTransact = 0xb6889759
--------
f1 04 00 ff f7 18 be 38 b5 04 46 0d 46 11 b1 08 46 f6 f7 50
--------
[1] + Stopped (signal) ./badscreencap
When I issue any one command after that I get
Code:
[email protected]:/data/local/tmp $
[1] + Segmentation fault ./badscreencap (core dumped)
Of course, there are no signs of system privileges for my id. Checked this with logcat and it has got the following trace:
F/libc (24824): Fatal signal 11 (SIGSEGV) at 0x00000004 (code=1), thread 24824 (badscreencap)
D/wpa_supplicant(10784): wlan0: Control interface command 'SIGNAL_POLL'
D/wpa_supplicant(10784): signal_poll nl80211_signal_poll:10508 rssi:[-47]
D/wpa_supplicant(10784): nl80211: survey data missing!
D/wpa_supplicant(10784): wlan0: Control interface command 'PKTCNT_POLL'
I/DEBUG ( 266): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 266): Build fingerprint: 'DOCOMO/F01F/F01F:4.4.2/V10R22A/F01F.20150107.043237:user/release-keys'
I/DEBUG ( 266): Revision: '37'
I/DEBUG ( 266): pid: 24824, tid: 24824, name: badscreencap >>> ./badscreencap <<<
I/DEBUG ( 266): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000004
W/NativeCrashListener( 1119): Couldn't find ProcessRecord for pid 24824
I/DEBUG ( 266): r0 00000004 r1 beca97ac r2 b6f6f82c r3 00000004
I/DEBUG ( 266): AM write failure (32 / Broken pipe)
I/DEBUG ( 266): r4 00000000 r5 b7b8eee8 r6 b688b285 r7 00000000
I/DEBUG ( 266): r8 beca97e4 r9 00000000 sl beca99d8 fp beca98ac
I/DEBUG ( 266): ip b6ec1f38 sp beca9780 lr b6eba0d5 pc b6ee9b5c cpsr 000b0010
I/DEBUG ( 266): d0 0000000000000000 d1 0000000000000000
I/DEBUG ( 266): d2 0000000000000000 d3 0000000000000000
I/DEBUG ( 266): d4 0000000000000000 d5 0000000000000000
I/DEBUG ( 266): d6 0000000000000000 d7 3849498000000000
I/DEBUG ( 266): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 266): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 266): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 266): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 266): d16 7265646e6942422a d17 6e6172546e6f3a3a
I/DEBUG ( 266): d18 b6e8d399b6e8d4af d19 b6e8d07fb6e8d377
I/DEBUG ( 266): d20 b68827d1b6e8d071 d21 b6889759b68827f3
I/DEBUG ( 266): d22 0000000000000000 d23 0000000000000000
I/DEBUG ( 266): d24 0000000000000000 d25 0000000000000000
I/DEBUG ( 266): d26 0000000000000000 d27 0000000000000000
I/DEBUG ( 266): d28 0000000000000000 d29 0000000000000000
I/DEBUG ( 266): d30 0000000000000000 d31 0000000000000000
I/DEBUG ( 266): scr 00000010
I/DEBUG ( 266):
I/DEBUG ( 266): backtrace:
I/DEBUG ( 266): #00 pc 00003b5c /system/lib/libcutils.so (android_atomic_inc+8)
I/DEBUG ( 266): #01 pc 0000d0d1 /system/lib/libutils.so (android::RefBase::incStrong(void const*) const+6)
I/DEBUG ( 266): #02 pc 0002a3b5 /system/lib/libgui.so (android::sp<android::IBinder>::sp(android::sp<android::IBinder> const&)+20)
I/DEBUG ( 266): #03 pc 0003494f /system/lib/libgui.so (android::ScreenshotClient::update(android::sp<android::IBinder> const&, unsigned int, unsigned int, unsigned int, unsigned int)+78)
I/DEBUG ( 266): #04 pc 000349c1 /system/lib/libgui.so (android::ScreenshotClient::update(android::sp<android::IBinder> const&)+14)
I/DEBUG ( 266): #05 pc 00005de1 /data/local/tmp/badscreencap
I/DEBUG ( 266): #06 pc 0000e5a3 /system/lib/libc.so (__libc_init+50)
I/DEBUG ( 266): #07 pc 00005590 /data/local/tmp/badscreencap
I/DEBUG ( 266):
I/DEBUG ( 266): stack:
I/DEBUG ( 266): beca9740 00000000
I/DEBUG ( 266): beca9744 b6885b8b /system/lib/libgui.so (android::CpuConsumer::releaseAcquiredBufferLocked(int)+150)
I/DEBUG ( 266): beca9748 00000000
I/DEBUG ( 266): beca974c b68a0154 /system/lib/libgui.so
I/DEBUG ( 266): beca9750 b6f6e268 /data/local/tmp/badscreencap
I/DEBUG ( 266): beca9754 b7b900f0 [heap]
I/DEBUG ( 266): beca9758 b7b8fc40 [heap]
I/DEBUG ( 266): beca975c b7b8fc40 [heap]
I/DEBUG ( 266): beca9760 0000000c
I/DEBUG ( 266): beca9764 b6f6e268 /data/local/tmp/badscreencap
I/DEBUG ( 266): beca9768 b7b8fc40 [heap]
I/DEBUG ( 266): beca976c 00000000
I/DEBUG ( 266): beca9770 b6f6e268 /data/local/tmp/badscreencap
I/DEBUG ( 266): beca9774 b6885c09 /system/lib/libgui.so (android::CpuConsumer::unlockBuffer(android::CpuConsumer::LockedBuffer const&)+92)
I/DEBUG ( 266): beca9778 b7b8fc40 [heap]
I/DEBUG ( 266): beca977c beca9808 [stack]
I/DEBUG ( 266): #00 beca9780 beca97ac [stack]
I/DEBUG ( 266): ........ ........
I/DEBUG ( 266): #01 beca9780 beca97ac [stack]
I/DEBUG ( 266): beca9784 b68853b9 /system/lib/libgui.so (android::sp<android::IBinder>::sp(android::sp<android::IBinder> const&)+24)
I/DEBUG ( 266): #02 beca9788 beca9800 [stack]
I/DEBUG ( 266): beca978c b688f953 /system/lib/libgui.so (android::ScreenshotClient::update(android::sp<android::IBinder> const&, unsigned int, unsigned int, unsigned int, unsigned int)+82)
Besides the crash, it seems to be incomplete because the code lacks any final ways of gaining elevated privileges (payload w/ reverse shell or something like that).
I assume it all makes no sense due to the loss of relevance for others. So I'll turn my attention to other CVEs out there. This could be the most elegant and shortest way of getting system though.
dadreamer said:
Well, I have compiled that badscreencap by p1gl3t along with android 4.4.2 codebase and then pushed it to my dev. But whenever I run it I receive segfault:
When I issue any one command after that I get
Of course, there are no signs of system privileges for my id. Checked this with logcat and it has got the following trace:
Besides the crash, it seems to be incomplete because the code lacks any final ways of gaining elevated privileges (payload w/ reverse shell or something like that).
I assume it all makes no sense due to the loss of relevance for others. So I'll turn my attention to other CVEs out there. This could be the most elegant and shortest way of getting system though.
Is your goal to gain root on FireOS v3/v4/5 or are you experimenting with this for other reasons? If the former there are far easier methods (FireOS version dependent) of achieving this; even a theoretical way to unlock the bootloader sans root.

[Completed] RILD crash while Integrating ZTE 3G modem for Custom board with Android

Hello all,
We have ported Android 4.4 (KitKat) to a custom board with an iMX6 processor and have succeeded in getting Android running on it. Now, when we tried to add support for the 3G modem provided by ZTE, the rild daemon crashes continuously, thereby disabling telephony completely.
Android service for rild in init.rc file is as below
service ril-daemon /system/bin/rild -l /system/lib/libreference-ril.so -- -d /dev/ttyUSB2
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio
The sockets are created with the permissions specified in init.rc, but unfortunately the rild daemon crashes with a segmentation fault (SIGSEGV). The core dump of the crash:
F/libc ( 2810): Fatal signal 11 (SIGSEGV) at 0x0000000c (code=1), thread 2821 (rild)
I/DEBUG ( 2387): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 2387): Build fingerprint: 'HKI/indus_1012/i1012:4.4.2/1.0.0-rc3/20140630:user/dev-keys'
I/DEBUG ( 2387): Revision: '405525'
I/DEBUG ( 2387): pid: 2810, tid: 2821, name: rild >>> /system/bin/rild <<<
I/DEBUG ( 2387): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000000c
I/DEBUG ( 2387): r0 0000000c r1 00000000 r2 00000011 r3 00000000
I/DEBUG ( 2387): r4 0000000c r5 00000000 r6 00000000 r7 4021909c
I/DEBUG ( 2387): r8 40219157 r9 4021d02c sl 402190fc fp 4021d028
I/DEBUG ( 2387): ip 4021cf00 sp 405f7cd8 lr 4015315d pc 4014f708 cpsr 200d0010
I/DEBUG ( 2387): d0 0000000000000000 d1 0000000000000000
I/DEBUG ( 2387): d2 0000000000000000 d3 0000000000000000
I/DEBUG ( 2387): d4 0000000000000000 d5 0000000000000000
I/DEBUG ( 2387): d6 0000000000000000 d7 0243d58000000000
I/DEBUG ( 2387): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 2387): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 2387): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 2387): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 2387): d16 41826b235ab851ec d17 3f50624dd2f1a9fc
I/DEBUG ( 2387): d18 41c2ab23a6000000 d19 0000000000000000
I/DEBUG ( 2387): d20 0000000000000000 d21 0000000000000000
I/DEBUG ( 2387): d22 0000000000000000 d23 0000000000000000
I/DEBUG ( 2387): d24 0000000000000000 d25 0000000000000000
I/DEBUG ( 2387): d26 0000000000000000 d27 0000000000000000
I/DEBUG ( 2387): d28 0000000000000000 d29 0000000000000000
I/DEBUG ( 2387): d30 0000000000000000 d31 0000000000000000
I/DEBUG ( 2387): scr 00000010
I/DEBUG ( 2387):
I/DEBUG ( 2387): backtrace:
I/DEBUG ( 2387): #00 pc 0000e708 /system/lib/libc.so
I/DEBUG ( 2387): #01 pc 00012159 /system/lib/libc.so (readdir+10)
I/DEBUG ( 2387): #02 pc 000026fd /system/lib/libreference-ril-mw3820.so
I/DEBUG ( 2387): #03 pc 00004069 /system/lib/libreference-ril-mw3820.so
I/DEBUG ( 2387): #04 pc 0000d248 /system/lib/libc.so (__thread_entry+72)
I/DEBUG ( 2387): #05 pc 0000d3e0 /system/lib/libc.so (pthread_create+240)
I/DEBUG ( 2387):
I/DEBUG ( 2387): stack:
I/DEBUG ( 2387): 405f7c98 00000000
I/DEBUG ( 2387): 405f7c9c 00000000
I/DEBUG ( 2387): 405f7ca0 00000000
I/DEBUG ( 2387): 405f7ca4 00000000
I/DEBUG ( 2387): 405f7ca8 00000000
libc.so is not getting loaded, but libc.so and libreference-ril-mw3820.so are all available in the system/lib folder, and the contents of system.prop are
rild.libpath=/system/lib/libreference-ril-mw3820.so
rild.libargs=-d /dev/ttyUSB2
but still the above crash persists. Any help on this would be of great help.
Hello and thank you for using XDA Assist.
XDA Assist is for new users to receive guidance on how to navigate through XDA to find the information they seek.
It does not sound like you are an inexperienced user. Your best bet is to ask in the specific device forum or the main Android Q&A section.
We here at XDA Assist will never give you a technical answer.
Good Luck
Ragnar
EDIT 2DAYS NO REPLY. THREAD CLOSED.

Problems with Hardware Decoder, KD Unit [dev's need help]

Hello! I have a problem. I have an app which needs to use the hardware decoder.
When the app tries to do this, the video driver just crashes and dies.
I have KD v2.06, but some users report that it works on another device.
Any suggestions? @Malaysk maybe you can help?
Code:
01-31 17:16:09.604 I/H264_DEBUG(7215): init done status 0, ts_en = 0 debug 0
01-31 17:16:09.605 E/vpu (7215): scan /proc/device-tree for vpu_service failed
01-31 17:16:09.605 E/vpu (7215): can not find dts for vpu_service
01-31 17:16:09.605 I/vpu_dma_buf(7215): USE ION_CMA_HEAP
01-31 17:16:09.606 E/vpu (7215): scan /proc/device-tree for vpu_service failed
01-31 17:16:09.606 E/vpu (7215): can not find dts for vpu_service
01-31 17:16:09.606 I/vpu_dma_buf(7215): USE ION_CMA_HEAP
01-31 17:16:09.606 I/H264_DEBUG(7215): decoded width 800 decoded height 480
01-31 17:16:09.607 I/H264_DEBUG(7215): display width 800, display height 480
01-31 17:16:09.607 I/vpu_api (7215): info_change break
01-31 17:16:09.607 I/vpu_api (7215): get info change out xxxx
01-31 17:16:09.609 F/libc (7215): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x8 in tid 9028 (Binder_3)
01-31 17:16:09.710 I/DEBUG (139): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-31 17:16:09.710 I/DEBUG (139): Build fingerprint: 'rockchip/rk3188/rk3188:5.1.1/LMY48Y/root12162133:userdebug/test-keys'
01-31 17:16:09.710 I/DEBUG (139): Revision: '0'
01-31 17:16:09.710 I/DEBUG (139): ABI: 'arm'
01-31 17:16:09.710 W/NativeCrashListener(402): Couldn't find ProcessRecord for pid 7215
01-31 17:16:09.710 I/DEBUG (139): pid: 7215, tid: 9028, name: Binder_3 >>> /system/bin/mediaserver <<<
01-31 17:16:09.710 I/DEBUG (139): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8
01-31 17:16:09.711 E/DEBUG (139): AM write failure (32 / Broken pipe)
01-31 17:16:09.726 I/DEBUG (139): r0 42c310a0 r1 00000000 r2 000064d4 r3 46039c94
01-31 17:16:09.726 I/DEBUG (139): r4 42cd12f0 r5 41a9d024 r6 42489f00 r7 00000007
01-31 17:16:09.726 I/DEBUG (139): r8 42cd12f0 r9 40b2a231 sl 000001e0 fp 42cd12b0
01-31 17:16:09.726 I/DEBUG (139): ip 41a9d004 sp 46039c90 lr 00000000 pc 41a96b34 cpsr 200d0010
01-31 17:16:09.726 I/DEBUG (139):
01-31 17:16:09.726 I/DEBUG (139): backtrace:
01-31 17:16:09.727 I/DEBUG (139): #00 pc 00002b34 /system/lib/libvpu.so (VPUMemLink+60)
01-31 17:16:09.727 I/DEBUG (139): #01 pc 00007330 /system/lib/libomxvpu_dec.so (Rkvpu_Post_OutputFrame+936)
01-31 17:16:09.727 I/DEBUG (139): #02 pc 00007acc /system/lib/libomxvpu_dec.so (Rkvpu_OMX_OutputBufferProcess+208)
01-31 17:16:09.727 I/DEBUG (139): #03 pc 00007b28 /system/lib/libomxvpu_dec.so
01-31 17:16:09.727 I/DEBUG (139): #04 pc 00016ea3 /system/lib/libc.so (__pthread_start(void*)+30)
01-31 17:16:09.727 I/DEBUG (139): #05 pc 00014deb /system/lib/libc.so (__start_thread+6)
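Added example (not written by anyone in these threads, and not debuggerd's own code): a Python triage script for debuggerd crash reports as they appear in logcat, covering both the timestamp-less 4.4 layout and the timestamped 5.1 layout quoted above. It skips interleaved lines from other tags, extracts the signal, fault address and backtrace, and reports the first frame outside libc/libcutils/libutils; `SAMPLE` is constructed from lines in the dumps on this page, and the names `Crash`, `parse_tombstones`, `culprit` and `verdict` are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Optional "MM-DD HH:MM:SS.mmm" prefix, then "<prio>/<tag>(<pid>): <message>".
LOGCAT = re.compile(r'^(?:\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+)?[VDIWEF]/(.+?)\s*\(\s*\d+\):\s?(.*)$')
HEADER = re.compile(r'pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (.+?) <<<')
SIGNAL = re.compile(r'signal (\d+) \((\w+)\), code (-?\d+)(?: \((\w+)\))?, fault addr (\S+)')
FRAME = re.compile(r'#(\d+)\s+pc\s+([0-9a-f]+)\s+(\S+)(?:\s+\((.*)\))?\s*$')

# Support libraries that usually sit above the frame that owns the bug.
RUNTIME_LIBS = ('/libc.so', '/libcutils.so', '/libutils.so')
PAGE_SIZE = 0x1000  # a fault inside page zero means a NULL base plus a field offset


@dataclass
class Crash:
    pid: int
    tid: int
    thread: str
    process: str
    signal: str = ''
    code: str = ''
    fault_addr: Optional[int] = None
    frames: list = field(default_factory=list)  # (index, pc, module, symbol)

    def culprit(self):
        """First backtrace frame outside the runtime support libraries."""
        for frame in self.frames:
            if not frame[2].endswith(RUNTIME_LIBS):
                return frame
        return self.frames[0] if self.frames else None

    def verdict(self):
        if self.signal == 'SIGABRT':
            return 'deliberate abort'
        if self.signal == 'SIGSEGV' and self.fault_addr is not None:
            if self.fault_addr < PAGE_SIZE:
                return 'near-NULL dereference (NULL + 0x%x)' % self.fault_addr
            return 'access to unmapped address 0x%08x' % self.fault_addr
        return 'unclassified'


def parse_tombstones(text):
    """Return one Crash per debuggerd report found in a logcat capture."""
    crashes, current, in_backtrace = [], None, False
    for raw in text.splitlines():
        m = LOGCAT.match(raw.strip())
        if not m or m.group(1) != 'DEBUG':
            continue  # lines from other tags interleave with debuggerd output
        msg = m.group(2).strip()
        if (header := HEADER.search(msg)):
            pid, tid, thread, process = header.groups()
            current = Crash(int(pid), int(tid), thread, process)
            crashes.append(current)
            in_backtrace = False
        elif current is None:
            continue
        elif (sig := SIGNAL.search(msg)):
            _, name, code_num, code_name, addr = sig.groups()
            current.signal, current.code = name, code_name or code_num
            # SIGABRT reports "--------" instead of an address.
            current.fault_addr = int(addr, 16) if re.fullmatch(r'(?:0x)?[0-9a-fA-F]+', addr) else None
        elif msg == 'backtrace:':
            in_backtrace = True
        elif in_backtrace:
            frame = FRAME.match(msg)
            if frame:
                idx, pc, module, symbol = frame.groups()
                current.frames.append((int(idx), int(pc, 16), module, symbol or ''))
            else:
                in_backtrace = False  # blank line or next section ends the list
    return crashes


# Constructed sample: lines taken from the three dumps on this page, abridged.
SAMPLE = """\
I/DEBUG ( 266): pid: 24824, tid: 24824, name: badscreencap >>> ./badscreencap <<<
I/DEBUG ( 266): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000004
I/DEBUG ( 266): backtrace:
I/DEBUG ( 266): #00 pc 00003b5c /system/lib/libcutils.so (android_atomic_inc+8)
D/wpa_supplicant(10784): wlan0: Control interface command 'SIGNAL_POLL'
I/DEBUG ( 266): #01 pc 0000d0d1 /system/lib/libutils.so (android::RefBase::incStrong(void const*) const+6)
I/DEBUG ( 266): #02 pc 0002a3b5 /system/lib/libgui.so (android::sp<android::IBinder>::sp(android::sp<android::IBinder> const&)+20)
01-31 17:16:09.710 I/DEBUG (139): pid: 7215, tid: 9028, name: Binder_3 >>> /system/bin/mediaserver <<<
01-31 17:16:09.710 I/DEBUG (139): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8
01-31 17:16:09.726 I/DEBUG (139): backtrace:
01-31 17:16:09.727 I/DEBUG (139): #00 pc 00002b34 /system/lib/libvpu.so (VPUMemLink+60)
I/DEBUG ( 129): pid: 2317, tid: 2317, name: surfaceflinger >>> /system/bin/surfaceflinger <<<
I/DEBUG ( 129): signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
I/DEBUG ( 129): backtrace:
I/DEBUG ( 129): #04 pc 0001005c /system/lib/libc.so (abort+4)
I/DEBUG ( 129): #05 pc 00010af9 /system/lib/hw/hwcomposer.mt8127.so (_ZN11BlitManagerC1Ev+140)
"""

if __name__ == '__main__':
    for c in parse_tombstones(SAMPLE):
        print(c.process, c.signal, c.verdict(), '->', c.culprit()[2:])
```

A fault address inside the first page, as in the SIGSEGV dumps in these threads (0x4, 0xc, 0x8), usually means a field was read or written through a NULL object pointer, so the frame to inspect is the first one outside the runtime libraries.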

[WIP] Building a custom ROM for the LeapFrog Epic (CM/LOS)

So, uh, I decided to spin this off to a new thread to keep the other ones from being bloated.
A few days ago I started work on getting at least CyanogenMod to work on the LeapFrog Epic, which runs off the same MT8127 SoC as certain variants of the Amazon Fire tablet amongst other things. CM11 was first on my agenda since it is close to the KitKat build that came from the factory, but compiler issues kept me from pushing on with this one. I then moved on to CM12.1, which was far less of a pain build-wise, but I then faced a number of issues that kept me from getting this to run. Fixed the MTK headers, and added a shim to get rid of that missing function error with the Mali drivers, but now I am stuck with this if I use the stock 1.1.95 libs that came with the Epic Academy Edition. Boot animation does not start at all:
Code:
I/SurfaceFlinger( 2317): SurfaceFlinger is starting
I/SurfaceFlinger( 2317): SurfaceFlinger's main thread ready to run. Initializing graphics H/W...
D/libEGL ( 2317): loaded /system/lib/egl/libEGL_mali.so
D/libEGL ( 2317): loaded /system/lib/egl/libGLESv1_CM_mali.so
D/libEGL ( 2317): loaded /system/lib/egl/libGLESv2_mali.so
W/libEGL ( 2317): eglInitialize(0x1) failed (EGL_BAD_ALLOC)
I/[MALI][Gralloc]( 2317): gralloc UREE_CreateSession recount = 0
I/[MALI][Gralloc]( 2317): gralloc call UREE_CreateSession
I/[MALI][Gralloc]( 2317): UREE_CreateSession fail, ret = -65536
I/gralloc ( 2317): [Gralloc] refreshRate = 0, info.pixclock = ffffffff
I/gralloc ( 2317): [Gralloc] info.upper_margin = ffffffff, info.lower_margin = ffffffff
I/gralloc ( 2317): [Gralloc] info.yres = 258, info.hsync_len = ffffffff
I/gralloc ( 2317): [Gralloc] info.left_margin = ffffffff, info.right_margin = ffffffff
I/[MALI][Gralloc]( 2317): ro_dpi: 160.000000
I/[MALI][Gralloc]( 2317): using (fd=13)
I/[MALI][Gralloc]( 2317): id = mtkfb
I/[MALI][Gralloc]( 2317): xres = 1024 px
I/[MALI][Gralloc]( 2317): yres = 600 px
I/[MALI][Gralloc]( 2317): xres_virtual = 1024 px
I/[MALI][Gralloc]( 2317): yres_virtual = 1800 px
I/[MALI][Gralloc]( 2317): bpp = 32
I/[MALI][Gralloc]( 2317): r = 16:8
I/[MALI][Gralloc]( 2317): g = 8:8
I/[MALI][Gralloc]( 2317): b = 0:8
I/[MALI][Gralloc]( 2317): width = 163 mm (159.568100 dpi)
I/[MALI][Gralloc]( 2317): height = 95 mm (160.421051 dpi)
I/[MALI][Gralloc]( 2317): refresh rate = 60.00 Hz
I/[MALI][Gralloc]( 2317): init_framebuffer va: 0xb50f8000 mva: 0xb3700000
E/hwcomposer( 2317): [BLIT] sw_sync_timeline_create failed, aborting
F/libc ( 2317): Fatal signal 6 (SIGABRT), code -6 in tid 2317 (surfaceflinger)
I/DEBUG ( 129): property debug.db.uid not set; NOT waiting for gdb.
I/DEBUG ( 129): HINT: adb shell setprop debug.db.uid 100000
I/DEBUG ( 129): HINT: adb forward tcp:5039 tcp:5039
I/DEBUG ( 129): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 129): Build fingerprint: 'LeapFrog/cm_narnia/narnia:5.1.1/LMY49J/e2909bc29b:eng/test-keys'
I/DEBUG ( 129): Revision: '0'
I/DEBUG ( 129): ABI: 'arm'
I/DEBUG ( 129): pid: 2317, tid: 2317, name: surfaceflinger >>> /system/bin/surfaceflinger <<<
I/DEBUG ( 129): signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
I/DEBUG ( 129): r0 00000000 r1 0000090d r2 00000006 r3 00000000
I/DEBUG ( 129): r4 b6f34e38 r5 00000006 r6 0000000d r7 0000010c
I/DEBUG ( 129): r8 ffffffb4 r9 b5e01d8c sl b608f158 fp bec93a6c
I/DEBUG ( 129): ip 0000090d sp bec937e0 lr b6e8d8f5 pc b6eb08d0 cpsr 60010010
I/DEBUG ( 129):
I/DEBUG ( 129): backtrace:
I/DEBUG ( 129): #00 pc 000378d0 /system/lib/libc.so (tgkill+12)
I/DEBUG ( 129): #01 pc 000148f1 /system/lib/libc.so (pthread_kill+52)
I/DEBUG ( 129): #02 pc 0001564b /system/lib/libc.so (raise+10)
I/DEBUG ( 129): #03 pc 00011cc5 /system/lib/libc.so (__libc_android_abort+36)
I/DEBUG ( 129): #04 pc 0001005c /system/lib/libc.so (abort+4)
I/DEBUG ( 129): #05 pc 00010af9 /system/lib/hw/hwcomposer.mt8127.so (_ZN11BlitManagerC1Ev+140)
I/DEBUG ( 129): #06 pc 0000b8d9 /system/lib/hw/hwcomposer.mt8127.so (_ZN11HWCMediatorC2Ev+12)
I/DEBUG ( 129): #07 pc 0000ba5d /system/lib/hw/hwcomposer.mt8127.so (_ZN7android9SingletonI11HWCMediatorE11getInstanceEv+28)
I/DEBUG ( 129): #08 pc 0000bbfd /system/lib/hw/hwcomposer.mt8127.so
I/DEBUG ( 129): #09 pc 00023d17 /system/lib/libsurfaceflinger.so
I/DEBUG ( 129): #10 pc 00023a0b /system/lib/libsurfaceflinger.so
I/DEBUG ( 129): #11 pc 000195bb /system/lib/libsurfaceflinger.so (_ZN7android14SurfaceFlinger4initEv+130)
I/DEBUG ( 129): #12 pc 00000af1 /system/bin/surfaceflinger
I/DEBUG ( 129): #13 pc 0000ff19 /system/lib/libc.so (__libc_init+44)
I/DEBUG ( 129): #14 pc 00000c08 /system/bin/surfaceflinger
I/DEBUG ( 129):
I/DEBUG ( 129): Tombstone written to: /data/tombstones/tombstone_08
If I use hwcomposer.mt8127.so, libgralloc_extra.so, libion_mtk.so and libtz_uree.so from @pix106's Lenovo Tab 2 A7-10F vendor tree, I get this additional message:
Code:
E/hwcomposer( 290): [BLIT] UREE_CreateSession failed (Non-specific cause.), aborting
I know there's probably only a few developers here who own a LeapFrog Epic, but I am at a loss here and any help would be very much appreciated. Yes I've read the Lenovo thread here before, but this one is a bit of a clincher, more so as I don't have complete kernel sources and I'm only building against a 3.4.67 kernel. My device tree's here, if anyone is interested: https://github.com/huckleberrypie/android_device_quanta_narnia
blakegriplingph said:
If I use hwcomposer.mt8127.so, libgralloc_extra.so, libion_mtk.so and libtz_uree.so from @pix106's Lenovo Tab 2 A7-10F vendor tree
Tab2 has 3.10.54 kernel, I don't know if you can use these libs with a 3.4 kernel.
When missing a symbol, you can grep it in your device stock rom to find what lib provides it.
From a running device using adb, or using a stock ROM dump on your computer.
grep -r _Zazertyuiopqsdfghjklmwxcvbn /path/to/libs
pix106 said:
Tab2 has 3.10.54 kernel, I don't know if you can use these libs with a 3.4 kernel.
When missing a symbol, you can grep it in your device stock rom to find what lib provides it.
From a running device using adb, or using a stock ROM dump on your computer.
grep -r _Zazertyuiopqsdfghjklmwxcvbn /path/to/libs
Good call on the grep stuff. And I wonder if I could kang libs off another MT8127 device running KitKat which is a little tiny bit of a stretch to hunt for.
blakegriplingph said:
And I wonder if I could kang libs off another MT8127 device running KitKat which is a little tiny bit of a stretch to hunt for.
My "mistake", in a way : Tab2 also had KitKat with a 3.4 kernel, but I used kernel 3.10 and vendor from Lollipop stock rom to build cm-12.1.
You can try to download and extract lenovo's kk rom, or I can search my archives later and try to upload a KitKat stock rom dump somewhere, but I'm not home and have slow internet for now.
pix106 said:
My "mistake", in a way : Tab2 also had KitKat with a 3.4 kernel, but I used kernel 3.10 and vendor from Lollipop stock rom to build cm-12.1.
You can try to download and extract lenovo's kk rom, or I can search my archives later and try to upload a KitKat stock rom dump somewhere, but I'm not home and have slow internet for now.
3.4.67 I presume? I do have kernel sources for the Epic but it's missing a few things from what I've been told. The ROM dump does however have what appears to be a build config used by Quanta/LeapFrog to customise the board support package they used, or so I assume.
Apologies for the bump, and I hope they won't mind, but the likes of @superdragonpt are a lot more experienced with MTK than I could muster, so I was wondering if they could at least offer a bit of advice with this.
So I kanged hwcomposer from @pix106's dump of the A7-10F KitKat ROM, and it looks like I got something else other than the usual sw_sync_timeline failure:
Code:
I/SurfaceFlinger( 512): SurfaceFlinger is starting
I/SurfaceFlinger( 512): SurfaceFlinger's main thread ready to run. Initializing graphics H/W...
D/libEGL ( 512): loaded /system/lib/egl/libEGL_mali.so
D/libEGL ( 512): loaded /system/lib/egl/libGLESv1_CM_mali.so
D/libEGL ( 512): loaded /system/lib/egl/libGLESv2_mali.so
W/libEGL ( 512): eglInitialize(0x1) failed (EGL_BAD_ALLOC)
I/[MALI][Gralloc]( 512): gralloc UREE_CreateSession recount = 0
I/[MALI][Gralloc]( 512): gralloc call UREE_CreateSession
I/[MALI][Gralloc]( 512): UREE_CreateSession fail, ret = -65536
I/gralloc ( 512): [Gralloc] refreshRate = 0, info.pixclock = ffffffff
I/gralloc ( 512): [Gralloc] info.upper_margin = ffffffff, info.lower_margin = ffffffff
I/gralloc ( 512): [Gralloc] info.yres = 258, info.hsync_len = ffffffff
I/gralloc ( 512): [Gralloc] info.left_margin = ffffffff, info.right_margin = ffffffff
I/[MALI][Gralloc]( 512): ro_dpi: 160.000000
I/[MALI][Gralloc]( 512): using (fd=13)
I/[MALI][Gralloc]( 512): id = mtkfb
I/[MALI][Gralloc]( 512): xres = 1024 px
I/[MALI][Gralloc]( 512): yres = 600 px
I/[MALI][Gralloc]( 512): xres_virtual = 1024 px
I/[MALI][Gralloc]( 512): yres_virtual = 1800 px
I/[MALI][Gralloc]( 512): bpp = 32
I/[MALI][Gralloc]( 512): r = 16:8
I/[MALI][Gralloc]( 512): g = 8:8
I/[MALI][Gralloc]( 512): b = 0:8
I/[MALI][Gralloc]( 512): width = 163 mm (159.568100 dpi)
I/[MALI][Gralloc]( 512): height = 95 mm (160.421051 dpi)
I/[MALI][Gralloc]( 512): refresh rate = 60.00 Hz
I/[MALI][Gralloc]( 512): init_framebuffer va: 0xb50f8000 mva: 0xb3700000
I/hwcomposer( 512): [DPY] Display Information:
I/hwcomposer( 512): [DPY] # fo devices : 1
I/hwcomposer( 512): [DPY] -----------------------------
I/hwcomposer( 512): [DPY] Device id : 0
I/hwcomposer( 512): [DPY] Width : 1024
I/hwcomposer( 512): [DPY] Height : 600
I/hwcomposer( 512): [DPY] xdpi : 160.000000
I/hwcomposer( 512): [DPY] ydpi : 160.000000
I/hwcomposer( 512): [DPY] vsync : 1
I/hwcomposer( 512): [DPY] refresh : 17179179
I/hwcomposer( 512): [DPY] connected : 1
I/hwcomposer( 512): [DPY] subtype : 0
W/hwcomposer( 512): [EVENT] Failed to open vsync device (Permission denied)
W/hwcomposer( 512): [EVENT] HW VSync State(0)
W/hwcomposer( 512): [EVENT] Start to listen uevent, addr.nl_pid(512)
I/6620_launcher( 124): Can't open device node(/dev/stpwmt)
W/hwcomposer( 512): [WKR] Failed to set priority to RR: Operation not permitted
W/hwcomposer( 512): [WKR] Failed to set priority to RR: Operation not permitted
I/SurfaceFlinger( 512): Using composer version 1.2
I/hwcomposer( 512): [HWC] getConfigs Display(0)
W/hwcomposer( 512): [WKR] Failed to set priority to RR: Operation not permitted
I/hwcomposer( 512): [HWC] getAttributes Display(0)
I/hwcomposer( 512): [HWC] getConfigs Display(1)
I/hwcomposer( 512): [HWC] getAttributes Display(1)
E/hwcomposer( 512): [HWC] Failed to get display attributes (dpy=1 is not connected)
W/SurfaceFlinger( 512): no suitable EGLConfig found, trying a simpler query
F/SurfaceFlinger( 512): no suitable EGLConfig found, giving up
F/libc ( 512): Fatal signal 6 (SIGABRT), code -6 in tid 512 (surfaceflinger)
I/DEBUG ( 129): property debug.db.uid not set; NOT waiting for gdb.
W/hwcomposer( 512): [WKR] Failed to set priority to RR: Operation not permitted
I/DEBUG ( 129): HINT: adb shell setprop debug.db.uid 100000
I/DEBUG ( 129): HINT: adb forward tcp:5039 tcp:5039
W/hwcomposer( 512): [WKR] Failed to set priority to RR: Operation not permitted
I/DEBUG ( 129): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 129): Build fingerprint: 'LeapFrog/cm_narnia/narnia:5.1.1/LMY49J/e2909bc29b:eng/test-keys'
I/DEBUG ( 129): Revision: '0'
I/DEBUG ( 129): ABI: 'arm'
I/DEBUG ( 129): pid: 512, tid: 512, name: surfaceflinger >>> /system/bin/surfaceflinger <<<
I/DEBUG ( 129): signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
I/DEBUG ( 129): Abort message: 'no suitable EGLConfig found, giving up'
I/DEBUG ( 129): r0 00000000 r1 00000200 r2 00000006 r3 00000000
I/DEBUG ( 129): r4 b6fc1e38 r5 00000006 r6 00000000 r7 0000010c
I/DEBUG ( 129): r8 b6482000 r9 00000000 sl 00000000 fp 00000001
I/DEBUG ( 129): ip 00000200 sp be8d34a0 lr b6f1a8f5 pc b6f3d8d0 cpsr 60070010
I/DEBUG ( 129):
I/DEBUG ( 129): backtrace:
I/DEBUG ( 129): #00 pc 000378d0 /system/lib/libc.so (tgkill+12)
I/DEBUG ( 129): #01 pc 000148f1 /system/lib/libc.so (pthread_kill+52)
I/DEBUG ( 129): #02 pc 0001564b /system/lib/libc.so (raise+10)
I/DEBUG ( 129): #03 pc 00011cc5 /system/lib/libc.so (__libc_android_abort+36)
I/DEBUG ( 129): #04 pc 0001005c /system/lib/libc.so (abort+4)
I/DEBUG ( 129): #05 pc 00007a41 /system/lib/libcutils.so (__android_log_assert+88)
I/DEBUG ( 129): #06 pc 0002930d /system/lib/libsurfaceflinger.so
I/DEBUG ( 129): #07 pc 00028f09 /system/lib/libsurfaceflinger.so
I/DEBUG ( 129): #08 pc 000195e7 /system/lib/libsurfaceflinger.so (_ZN7android14SurfaceFlinger4initEv+174)
I/DEBUG ( 129): #09 pc 00000af1 /system/bin/surfaceflinger
I/DEBUG ( 129): #10 pc 0000ff19 /system/lib/libc.so (__libc_init+44)
I/DEBUG ( 129): #11 pc 00000c08 /system/bin/surfaceflinger
blakegriplingph said:
So I kanged hwcomposer from @pix106's dump of the A7-10F KitKat ROM, and it looks like I got something else other than the usual sw_sync_timeline failure:
I would not know how to help you but maybe ggow who has compiled lineage 12.1 for amazon fire mt8127 can help you.
Rortiz2 said:
I would not know how to help you but maybe ggow who has compiled lineage 12.1 for amazon fire mt8127 can help you.
Does that one run on Kitkat originally? If anything, both the Epic and the MT8127 Amazon Fire tablets are made by the same ODM iirc. I might also try updating the blobs and kernel to version 1.8.45 to see if it helps any, but hwcomposer is apparently still the same.
blakegriplingph said:
Does that one run on Kitkat originally? If anything, both the Epic and the MT8127 Amazon Fire tablets are made by the same ODM iirc. I might also try updating the blobs and kernel to version 1.8.45 to see if it helps any, but hwcomposer is apparently still the same.
Amazon Fire tablets came with lollipop 5.1.
Have you tried to port the Rom instead of compiling? It is easier :/ . If you send me the stock bootimg and the stock system.img I can port you some ROM.
Rortiz2 said:
Amazon Fire tablets came with lollipop 5.1.
Have you tried to port the Rom instead of compiling? It is easier :/ . If you send me the stock bootimg and the stock system.img I can port you some ROM.
You sure you're able to port a ROM built for newer (prebuilt) kernel on a 3.4.67 device? The only sticking point so far with the LeapFrog CM12 port is hwcomposer/surfaceflinger refusing to cooperate. As of late I recompiled the ROM with no blobs kanged off other devices with the following flags added to BoardConfig:
Code:
TARGET_RUNNING_WITHOUT_SYNC_FRAMEWORK := true
BOARD_EGL_WORKAROUND_BUG_10194508 := true
...and ran logcat on it. Still the same sw_sync issues though it apparently has something to do with SELinux denying those requests as what the attached log seems to imply. It might be a red herring though, and I've read that @pix106 also ran into similar issues before with him trying a myriad of build flags in an attempt to fix this. Any ideas on what to use to get rid of this once and for all and finally get the damn GUI to boot? I'm thinking about using "BOARD_NEEDS_OLD_HWC_API := true" given how the blobs were for KitKat but what do you guys think? If only there were developers here who just happen to own an Epic lol.
...and I got a tiny bit further with the SELinux whitelist applied, though it's still the same "stuck on LeapFrog logo" moment with no sign of the boot animation springing to life. The backtrace mentions something along the lines of "buffer" in the functions called. Could it be that "BOARD_EGL_NEEDS_LEGACY_FB := true" is at fault here?
Also, there's an error in the log saying:
Code:
File size of 0 bytes not large enough to contain ELF header of 52 bytes: '/data/dalvik-cache/arm/system@framework@boot.oat'
blakegriplingph said:
...and I got a tiny bit further with the SELinux whitelist applied, though it's still the same "stuck on LeapFrog logo" moment with no sign of the boot animation springing to life. The backtrace mentions something along the lines of "buffer" in the functions called. Could it be that "BOARD_EGL_NEEDS_LEGACY_FB := true" is at fault here?
Also, there's an error in the log saying:
I'd first check permission issues (/dev/stpwmt : iirc I had a few permission errors at early boot, but quickly after it should be working fine), and nvram.
pix106 said:
I'd first check permission issues (/dev/stpwmt : iirc I had a few permission errors at early boot, but quickly after it should be working fine), and nvram.
Care to explain even further? I'll have to check things on my other Epic to see if I got the permissions right (I have three Epics actually, one for development, one which I keep as stock for reference purposes and another as a parts unit).
Also, any ideas on why ART appears to be failing? Permissions issues as well I presume?
ART does seem to work, but for some reason /dev/stpwmt isn't being loaded properly despite it being declared in the init files. I can however load it manually through ADB shell. Also, even if I did seem to set the right permissions on the display drivers, surfaceflinger crashes a few times until the crash logs cease to show up, and I then get spammed with the following:
Code:
D/hwcomposer( 2058): [DPY] UEventThread::threadLoop poll return 1
I/hwcomposer( 2058): [DPY] UEventThread::threadLoop recv [email protected]/devices/platform/battery/power_supply/ac
D/hwcomposer( 2058): [DPY] handle_uevents : s = 0xb5ce2138, len = 191
D/hwcomposer( 2058): [DPY] UEventThread::threadLoop poll wait
D/hwcomposer( 2058): [DPY] UEventThread::threadLoop poll return 1
I/hwcomposer( 2058): [DPY] UEventThread::threadLoop recv [email protected]/devices/platform/battery/power_supply/usb
D/hwcomposer( 2058): [DPY] handle_uevents : s = 0xb5ce2138, len = 194
D/hwcomposer( 2058): [DPY] UEventThread::threadLoop poll wait
D/hwcomposer( 2058): [DPY] UEventThread::threadLoop poll return 1
I/hwcomposer( 2058): [DPY] UEventThread::threadLoop recv [email protected]/devices/platform/battery/power_supply/battery
D/hwcomposer( 2058): [DPY] handle_uevents : s = 0xb5ce2138, len = 794
D/hwcomposer( 2058): [DPY] UEventThread::threadLoop poll wait
I think the surfaceflinger crash may have something to do with the permissions being loaded a bit too late. Can anyone look into this?
blakegriplingph said:
Care to explain even further? I'll have to check things on my other Epic to see if I got the permissions right (I have three Epics actually, one for development, one which I keep as stock for reference purposes and another as a parts unit).
Also, any ideas on why ART appears to be failing? Permissions issues as well I presume?
I remember I had issues with this permission too, and maybe had to modify it from init.mt8127, among other permissions. Check my GitHub, check cm-12.1 branch, which was used as base for the CyanogenMod for Lenovo Tab2A710F repository ; you'll find the commits before cm finally booted.
pix106 said:
I remember I had issues with this permission too, and maybe had to modify it from init.mt8127, among other permissions. Check my GitHub, check cm-12.1 branch, which was used as base for the CyanogenMod for Lenovo Tab2A710F repository ; you'll find the commits before cm finally booted.
I'll check that one out. Permissions seem to be the thing that's keeping CM from booting up at all lol. If only LeapFrog did a Lollipop update for the Epic (like seriously, KitKat in 2019 wtf?) that would've saved me the trouble of hacking up fixes and whatnot.
Strange, I applied your edits to init.mt8127 yet /dev/stpwmt isn't being loaded automatically. And HWC/surfaceflinger still spazzes out with complaints about buffers or something along the lines of it. I don't know if I should just suck it up and throw in the towel for now, but I've gone so far into this project that it would be a shame to just let it go.
That being said, is it possible to decompile sepolicy and kang whatever it is in there so I don't have to compile a whole list of things to whitelist? And I really do need people who own a LeapFrog Epic and are also interested in porting CM to this damn thing. It's a shot in the dark but I could use all the help I could muster right now.
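The SELinux whitelisting discussed in the posts above, as an added example that is not part of the thread or of anyone's device tree: it collapses `avc: denied` lines into one allow rule per (domain, target type, class), the way audit2allow does, and flags targets still carrying a catch-all label such as `device`, where giving the node its own label is narrower than allowing the whole type. The log lines are constructed, and the `wmt_launcher` domain name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample (not the log attached to the thread). The process names and
# device nodes come from the posts above; the wmt_launcher domain is hypothetical.
SAMPLE_LOG = """\
W/hwcomposer( 512): [EVENT] Failed to open vsync device (Permission denied)
type=1400 audit(0.0:5): avc: denied { read write } for pid=512 comm="surfaceflinger" name="sw_sync" dev="tmpfs" ino=4211 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
type=1400 audit(0.0:6): avc: denied { open } for pid=512 comm="surfaceflinger" path="/dev/sw_sync" dev="tmpfs" ino=4211 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
type=1400 audit(0.0:7): avc: denied { sys_nice } for pid=512 comm="surfaceflinger" capability=23 scontext=u:r:surfaceflinger:s0 tcontext=u:r:surfaceflinger:s0 tclass=capability
type=1400 audit(0.0:8): avc: denied { read write open } for pid=124 comm="6620_launcher" name="stpwmt" dev="tmpfs" ino=4300 scontext=u:r:wmt_launcher:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
NODE_RE = re.compile(r'\b(?:name|path)="([^"]*)"')

# Labels that cover many unrelated objects; a rule on them is broader than intended.
GENERIC_TYPES = {"device", "unlabeled", "block_device"}


def selinux_type(context):
    """u:r:surfaceflinger:s0 -> surfaceflinger (third field of the context)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_denials(text):
    """Group denials by (source type, target type, class); merge permissions."""
    denials = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # ordinary logcat line, not an audit record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key]["perms"].update(m["perms"].split())
        node = NODE_RE.search(m["fields"])
        if node:
            # path= carries the full path, name= only the leaf; keep the leaf
            denials[key]["names"].add(node.group(1).rsplit("/", 1)[-1])
    return dict(denials)


def to_rules(denials):
    """Render one allow rule per group, using 'self' when source == target."""
    rules = []
    for (src, tgt, tclass), info in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        perms = sorted(info["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_str};")
    return rules


def review(denials):
    """Point out rules whose target is a catch-all type."""
    findings = []
    for (src, tgt, tclass), info in sorted(denials.items()):
        if tgt in GENERIC_TYPES:
            nodes = ", ".join(sorted(info["names"])) or "the node"
            findings.append(
                f"{src} -> {tgt}:{tclass}: catch-all type; give {nodes} its own "
                f"label in file_contexts and allow that type instead"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_LOG)
    print("\n".join(to_rules(parsed)))
    print("\n".join(review(parsed)))
```
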
Seems like we need to adapt what I saw on this repo as the MediatekHacks.cpp I threw in to fix the missing symbols issue may have accounted for why SurfaceFlinger isn't cooperating.
@pix106 - Did you by any chance use the repo I mentioned above when you built your ROM? I've used the vanilla CM android_frameworks_native repo for one and that may have accounted for why my ROM is spazzing out. Also, I saw a commit by thp1997 (along with a patch of similar intent by @Kirito96) which appears to be a patch/shim set for the MT6572 that seems to tackle the same issue as what I've been experiencing with the Epic. The crash log...
Code:
--------- beginning of crash
F/libc ( 127): Fatal signal 7 (SIGBUS), code 1, fault addr 0xb6400189 in tid 127 (surfaceflinger)
I/DEBUG ( 133): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 133): Build fingerprint: 'LeapFrog/cm_narnia/narnia:5.1.1/LMY49J/ad8cbe2f60:eng/test-keys'
I/DEBUG ( 133): Revision: '0'
I/DEBUG ( 133): ABI: 'arm'
I/DEBUG ( 133): pid: 127, tid: 127, name: surfaceflinger >>> /system/bin/surfaceflinger <<<
I/DEBUG ( 133): signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0xb6400189
I/DEBUG ( 133): r0 ffffffff r1 b6400189 r2 00000005 r3 00000000
I/DEBUG ( 133): r4 b6400189 r5 ffffffff r6 be827298 r7 b60b30d0
I/DEBUG ( 133): r8 b6d6dc2c r9 be826db4 sl 00000000 fp 00000000
I/DEBUG ( 133): ip b6e02f38 sp be826d60 lr b6e68dbc pc b6e68dbc cpsr 80000010
I/DEBUG ( 133):
I/DEBUG ( 133): backtrace:
I/DEBUG ( 133): #00 pc 00003dbc /system/lib/libcutils.so (android_atomic_add+16)
I/DEBUG ( 133): #01 pc 0000d61f /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+10)
I/DEBUG ( 133): #02 pc 00028f7b /system/lib/libgui.so (_ZN7android2spINS_13GraphicBufferEEaSERKS2_+22)
I/DEBUG ( 133): #03 pc 000290af /system/lib/libgui.so (_ZN7android19BufferQueueConsumer13acquireBufferEPNS_22IGraphicBufferConsumer10BufferItemEx+270)
I/DEBUG ( 133): #04 pc 0002c411 /system/lib/libgui.so (_ZN7android12ConsumerBase19acquireBufferLockedEPNS_22IGraphicBufferConsumer10BufferItemEx+16)
I/DEBUG ( 133): #05 pc 00023571 /system/lib/libsurfaceflinger.so
I/DEBUG ( 133): #06 pc 00023679 /system/lib/libsurfaceflinger.so
I/DEBUG ( 133): #07 pc 0002849b /system/lib/libgui.so (_ZN7android11BufferQueue21ProxyConsumerListener16onFrameAvailableERKNS_10BufferItemE+26)
I/DEBUG ( 133): #08 pc 0002ba2b /system/lib/libgui.so (_ZN7android19BufferQueueProducer11queueBufferEiRKNS_22IGraphicBufferProducer16QueueBufferInputEPNS1_17QueueBufferOutputE+562)
I/DEBUG ( 133): #09 pc 00037423 /system/lib/libgui.so (_ZN7android7Surface11queueBufferEP19ANativeWindowBufferi+254)
I/DEBUG ( 133): #10 pc 00036693 /system/lib/libgui.so (_ZN7android7Surface16hook_queueBufferEP13ANativeWindowP19ANativeWindowBufferi+10)
I/DEBUG ( 133): #11 pc 0000f720 /system/lib/libMali.so
I/DEBUG ( 133): #12 pc 00010218 /system/lib/libMali.so
I/DEBUG ( 133): #13 pc 0005e5d8 /system/lib/libMali.so
I/DEBUG ( 133): #14 pc 0005d70c /system/lib/libMali.so
I/DEBUG ( 133): #15 pc 0005bf58 /system/lib/libMali.so (shim_eglSwapBuffers+64)
I/DEBUG ( 133): #16 pc 000120d7 /system/lib/libEGL.so (eglSwapBuffers+290)
I/DEBUG ( 133): #17 pc 0000f541 /system/lib/libsurfaceflinger.so
I/DEBUG ( 133): #18 pc 0001c187 /system/lib/libsurfaceflinger.so
I/DEBUG ( 133): #19 pc 0001b367 /system/lib/libsurfaceflinger.so
I/DEBUG ( 133): #20 pc 0001a6eb /system/lib/libsurfaceflinger.so
I/DEBUG ( 133): #21 pc 0001a459 /system/lib/libsurfaceflinger.so
I/DEBUG ( 133): #22 pc 00011127 /system/lib/libutils.so (_ZN7android6Looper9pollInnerEi+410)
I/DEBUG ( 133): #23 pc 00011219 /system/lib/libutils.so (_ZN7android6Looper8pollOnceEiPiS1_PPv+92)
I/DEBUG ( 133): #24 pc 00017b95 /system/lib/libsurfaceflinger.so
I/DEBUG ( 133): #25 pc 0001a04d /system/lib/libsurfaceflinger.so (_ZN7android14SurfaceFlinger3runEv+8)
I/DEBUG ( 133): #26 pc 00000b4d /system/bin/surfaceflinger
I/DEBUG ( 133): #27 pc 0000ff19 /system/lib/libc.so (__libc_init+44)
I/DEBUG ( 133): #28 pc 00000c08 /system/bin/surfaceflinger
F/libc ( 261): Fatal signal 7 (SIGBUS), code 1, fault addr 0xffffffff in tid 261 (surfaceflinger)
I/DEBUG ( 133): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
...appears to allude to the ones mentioned in the patch files. Maybe this is the cure we needed, short of using a different HWC which I more or less doubt to be necessary.
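A way to read the SIGBUS tombstone posted above, as an added example that is not part of the thread: it parses the debuggerd lines out of logcat, checks the fault address against the BUS_ADRALN code, and reports which registers held that address and where the backtrace first leaves the framework libraries. The input is a subset of the lines from the post; the `FRAMEWORK_LIBS` set is an assumption about which libraries on this build are AOSP code rather than vendor blobs.

```python
import re

# A subset of the crash log lines posted above, logcat prefix included.
TOMBSTONE = """\
F/libc ( 127): Fatal signal 7 (SIGBUS), code 1, fault addr 0xb6400189 in tid 127 (surfaceflinger)
I/DEBUG ( 133): pid: 127, tid: 127, name: surfaceflinger >>> /system/bin/surfaceflinger <<<
I/DEBUG ( 133): signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0xb6400189
I/DEBUG ( 133): r0 ffffffff r1 b6400189 r2 00000005 r3 00000000
I/DEBUG ( 133): r4 b6400189 r5 ffffffff r6 be827298 r7 b60b30d0
I/DEBUG ( 133): r8 b6d6dc2c r9 be826db4 sl 00000000 fp 00000000
I/DEBUG ( 133): ip b6e02f38 sp be826d60 lr b6e68dbc pc b6e68dbc cpsr 80000010
I/DEBUG ( 133): backtrace:
I/DEBUG ( 133): #00 pc 00003dbc /system/lib/libcutils.so (android_atomic_add+16)
I/DEBUG ( 133): #01 pc 0000d61f /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+10)
I/DEBUG ( 133): #02 pc 00028f7b /system/lib/libgui.so (_ZN7android2spINS_13GraphicBufferEEaSERKS2_+22)
I/DEBUG ( 133): #03 pc 000290af /system/lib/libgui.so (_ZN7android19BufferQueueConsumer13acquireBufferEPNS_22IGraphicBufferConsumer10BufferItemEx+270)
I/DEBUG ( 133): #10 pc 00036693 /system/lib/libgui.so (_ZN7android7Surface16hook_queueBufferEP13ANativeWindowP19ANativeWindowBufferi+10)
I/DEBUG ( 133): #11 pc 0000f720 /system/lib/libMali.so
I/DEBUG ( 133): #15 pc 0005bf58 /system/lib/libMali.so (shim_eglSwapBuffers+64)
I/DEBUG ( 133): #16 pc 000120d7 /system/lib/libEGL.so (eglSwapBuffers+290)
"""

SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\), code (-?\d+) \((\w+)\), fault addr (\S+)")
REG_RE = re.compile(r"\b(r\d+|sl|fp|ip|sp|lr|pc|cpsr) ([0-9a-f]{8})\b")
FRAME_RE = re.compile(r"#(\d+)\s+pc\s+([0-9a-f]+)\s+(\S+)(?:\s+\((.+)\+(\d+)\))?")

# Assumption: these are built from AOSP/CM source; anything else is a vendor blob.
FRAMEWORK_LIBS = {"libc.so", "libcutils.so", "libutils.so", "libgui.so",
                  "libsurfaceflinger.so", "libEGL.so", "surfaceflinger"}


def parse_tombstone(text):
    """Parse the first debuggerd report in a logcat capture."""
    crash = {"signal": None, "code": None, "fault_addr": None, "regs": {}, "frames": []}
    in_backtrace = False
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            crash["signal"], crash["code"] = m.group(2), m.group(4)
            addr = m.group(5)  # "--------" when the signal has no fault address
            crash["fault_addr"] = int(addr, 16) if addr.startswith("0x") else None
        elif "backtrace:" in line:
            in_backtrace = True
        elif in_backtrace:
            f = FRAME_RE.search(line)
            if f:
                crash["frames"].append({
                    "n": int(f.group(1)),
                    "pc": int(f.group(2), 16),
                    "lib": f.group(3).rsplit("/", 1)[-1],
                    "symbol": f.group(4),  # None for stripped frames
                })
        elif crash["signal"]:
            # Register dump sits between the signal line and "backtrace:".
            crash["regs"].update({r: int(v, 16) for r, v in REG_RE.findall(line)})
    return crash


def triage(crash):
    """Summarise what the report itself establishes about the fault."""
    notes = []
    addr = crash["fault_addr"]
    if crash["code"] == "BUS_ADRALN" and addr is not None and addr % 4:
        holders = sorted(r for r, v in crash["regs"].items() if v == addr)
        notes.append(f"fault addr {addr:#x} is not 4-byte aligned; held in {', '.join(holders)}")
    # Frames are innermost first, so this is the blob that called into the framework.
    blob = next((f for f in crash["frames"] if f["lib"] not in FRAMEWORK_LIBS), None)
    if blob:
        notes.append(f"first non-framework frame: #{blob['n']:02d} {blob['lib']}")
    return notes


if __name__ == "__main__":
    print("\n".join(triage(parse_tombstone(TOMBSTONE))))
```
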
blakegriplingph said:
Seems like we need to adapt what I saw on this repo as the MediatekHacks.cpp I threw in to fix the missing symbols issue may have accounted for why SurfaceFlinger isn't cooperating.
@pix106 - Did you by any chance use the repo I mentioned above when you built your ROM? I've used the vanilla CM android_frameworks_native repo for one and that may have accounted for why my ROM is spazzing out. Also, I saw a commit by thp1997 (along with a patch of similar intent by @Kirito96) which appears to be a patch/shim set for the MT6572 that seems to tackle the same issue as what I've been experiencing with the Epic. The crash log...
...appears to allude to the ones mentioned in the patch files. Maybe this is the cure we needed, short of using a different HWC which I more or less doubt to be necessary.
I did not use this repo.
I could build a bootable and usable cm12.1 without any patch.
thp1997 joined afterwards and added patched repos, but they were not strictly needed: they allowed WPS wifi pairing, headset icon, usb mode selection when usb is not plugged.
