Adding a screenshot feature in Android 2.3 - Android Software/Hacking General [Developers Only]

Hi; hopefully I'm posting this question in the right subforum. I'm sorry if that's not so.
I'm adding a screenshot feature to Android 2.3 for a given device. The goal is to have something similar to what the Galaxy Note does: take a screenshot from anywhere in the phone by pressing a couple of keys, and then start an image editor to edit the screenshot.
I've been using the Android Screenshot Library for this, although I've had to rewrite a few parts because it wasn't working as it should have. So far, my project has the following parts:
1) A native daemon running as root, which captures the framebuffer and saves it into an image.
2) An Android Service that apps can bind to in order to take screenshots.
3) An app that works as an image editor.
All of these parts are already working. My problem now is that I'm not really sure how to integrate this into Android.
The daemon and the editor are easy: both can be integrated either in source code or as prebuilt binaries/packages into the Android source and then generate a system image, and modifying init.rc to start the daemon at boot. But I can't figure out how to integrate my service.
I need to be able to capture a screenshot from anywhere, and that means being able to catch key presses system wide. I've been looking into the Android source code for the component that takes care of this, but I'm at a loss. I need to bind the service somewhere, and then I need to be able to catch the keys and access the service from anywhere.
I'm not even sure whether I'm using the right approach for this or not. As far as I know, key presses can only be caught from activities, so it's not as easy as having a service running indefinitely in the background that can catch key presses. My guess is that I have to modify something in the Android framework but I'm not sure what.
So, my questions are the following:
1) How can I catch key presses system-wide? What do I have to modify in the Android source code in order to catch my desired key press combo whenever I want?
2) What would be the best place to place my service? Is there such a thing as a "system-wide app" that my service can be added to?
3) Is my approach even possible at all?
Thank you in advance for any replies.

bump
I'd really appreciate any clues or maybe some pointers about how the Galaxy Note or Android 4.0 do this.

[Q] Hooking System Calls (FORK)

I am trying to implement a simple system call hook. My method was the same method used by standard Linux rootkits like adore. This method worked for hooking sys_open and other file I/O system calls, but when I tried to hook sys_fork and other process-related system calls my Android phone crashes (Nexus One, Motorola Milestone, and emulator). Something inherently different about Android, either ARM or the Android kernel, is different from basic Linux machines, which won't allow me to use the same method to hook the system call fork. Basically my method is below; this is implemented via an LKM on a phone that I have root access on.
// save pointer to original function
orig_fork = sys_call_table[__NR_fork];
// point sys_fork to my my_fork function
sys_call_table[__NR_fork] = my_fork;
// call original fork call (simplest case)
asmlinkage int my_fork(struct pt_regs *regs)
{
    pid_t pid;
    pid = (*orig_fork)(regs);
    return pid;
}
Somehow I think the stack is getting messed up. I looked at the source code for the kernel and found that sys_fork isn't actually in the system call table. Instead it is a sys_fork_wrapper. This wrapper is an assembler function with two commands which lead it to branching to sys_fork. sys_fork in turn calls another function called do_fork. Through debugging methods I was able to confirm that my call to the original fork function was returning correctly, but when I try to return the pid within my own function the crash occurs. Now what's interesting is that I was able to confirm that do_fork is called many times without calling sys_fork for many processes on the phone. So when I do the simplest process I can think of, by starting up a shell, the phone didn't crash. But it won't open up a shell. The terminal locks up when I try to open the shell. Starting up a shell will call sys_fork_wrapper->sys_fork->do_fork like expected. Starting up another, more complicated process such as calculator will call sys_fork_wrapper->sys_fork->do_fork->do_fork->do_fork->do_fork.... So basically I am left with lots of questions about why hooking sys_fork is not working.
In reality I am hooking an assembler "function" and not a C function. The sys_fork_wrapper does a branch command without link, which led me to believe that there is no return from it, from the program counter perspective.
Did you ever resolve this issue?
Maybe you could try some inline asm in your code to just jmp to the orig_fork, if it is an assembly function that doesn't return, i.e. just a jmp stub itself.
I would like to hook sys_fork as well, to present a dialog box every time a new app runs and to allow me to block certain apps from starting.
Android Kernel rootkit.
Awesome
@michaelmotes Thanks so much for posting this link! I'm in the process of trying to do a little hooking hack in order to... well bypass a restriction on most phones prior to ICS. I won't say what for because if it works... I'll be putting out an app lol. But I really appreciate you sharing this.

Learning about Android as an OS

I hope this isn't a stupid question. But I couldn't find any real info regarding this. And after reading the Mysteries of Science thread it seemed to me, there really isn't much information regarding such things. So:
I noticed that for almost all Linux based OS you can find in-depth descriptions on how the OS works on a basic level. For example where specific settings are stored.
The guides at android.com deal with app development, but don't specify how you use the OS as a root user. For example, if I want to change WLAN settings, there must be a way to do that without using the GUI or by using special classes but by editing a config file. Or where does Android store the startup settings, i.e. which apps to start at boot time or at specific system events. Or where do apps register as default app for viewing certain filetypes. There is a description how to code it, but not how Android stores that information and how it can be edited/viewed manually.
Since it's linux based I guess there are plain text config files for all those things. But where...? Was such information ever released by Google?
bur2000 said:
For example, if I want to change WLAN settings, there must be a way to do that without using the GUI or by using special classes but by editing a config file.
You can change network interface with 'ifconfig' command.
You can get ifconfig command by installing busybox.
There are commands that can be used, but this is still a bit like try&error. So it seems there is no full documentation on how Android works?
Has Google ever addressed this, do they plan to release such documentation?

[Q] ADB Shell Input slow compare ShareKM or MyMobiler

I'm creating an app which types from a laptop keyboard to Android apps using VB.net 2010. I'm calling this code on the KeyPress event:
Shell("cmd.exe /c adb shell input text " & e.KeyChar, AppWinStyle.Hide)
This method seems to have a latency of about 500ms for each keystroke, compared to apps like ShareKM or MyMobiler, whose result seems instant. Even if I collect the user input with a timer and send it as a long string, the result is still not as smooth as those two apps.
So my questions:
1) Does ShareKM or MyMobiler use ADB or a different method?
2) If they use ADB, what's the trick?
Coisox said:
I'm creating an app which types from a laptop keyboard to Android apps using VB.net 2010. I'm calling this code on the KeyPress event:
Shell("cmd.exe /c adb shell input text " & e.KeyChar, AppWinStyle.Hide)
This method seems to have a latency of about 500ms for each keystroke, compared to apps like ShareKM or MyMobiler, whose result seems instant. Even if I collect the user input with a timer and send it as a long string, the result is still not as smooth as those two apps.
So my questions:
1) Does ShareKM or MyMobiler use ADB or a different method?
2) If they use ADB, what's the trick?
It appears that ShareKM has been abandoned by its developer, and it has a hard coded date that makes the app useless after last Sunday. I am trying to reverse engineer the app so we can take out the date limit for those of us who find the app very useful. If you want to join the project and help us decompile the code that would be great, and the perk for you would be being able to see how ShareKM works.
http://forum.xda-developers.com/showthread.php?t=2176712&page=13
vdefender said:
It appears that ShareKM has been abandoned by its developer, and it has a hard coded date that makes the app useless after last Sunday. I am trying to reverse engineer the app so we can take out the date limit for those of us who find the app very useful. If you want to join the project and help us decompile the code that would be great, and the perk for you would be being able to see how ShareKM works.
http://forum.xda-developers.com/showthread.php?t=2176712&page=13
Yes, I do love ShareKM so much until its "beta expired" a few days back then I switch to MyMobiler. Though I would like to join u, honestly, I'm very noobs in this. My knowledge on android limited to 4 days workshop on PhoneGap + native hello world. So I don't believe I can contribute anything.
I did try to decompile ShareKM using "VPZ APK Studio.Net 4.0", and I'm not sure how successful it was, but looking at those massive codes, I can't tell the head and tail.

[INVESTIGATION] Android Pie - Multitasking Gesture

I'm opening this thread because I want to work out the multitasking gesture API implemented in Android Pie (I think DP3+.)
I'm going to try reverse-engineering the APK but I'm including a dumped copy here for anyone else who wants to have a shot at it.
(Note to Moderators: I have no idea if this kind of thing is allowed - if not, you can just delete the thread.)
Quick update; I reverse engineered some of the APK with Fernflower.
The code is heavily obfuscated but I think I found the relevant code. (This is just a quick glance as I don't have the time to go through it thoroughly.)
The ZIP contains:
com/android/systemui/shared:
recents/...*
system/...*
R.java
(I don't want to type out the whole list)

Wayland server for Android

ABANDONED
Hi! Does anyone here use Linux desktop distributions in chroot environment on Android device?
I am developing wayland protocol server for Android devices. If anyone is interested in checking my project, latest version of apk is always available here:
ftp://ftp.drivehq.com/mogryph/sparkle/
Currently I am only focused on running Xwayland as client. Also apk supports audio output.
Simplest instruction:
1. Android 6 or newer required, busybox required, root required
2. Prepare linux distribution in directory, image or on partition. Make sure you have Xwayland installed in it. Make sure you specify which DE to run (or at least xterm) in ~/.xinitrc
3. Install and start sparkle.apk
4. Press "edit user.sh", uncomment (remove #) line starting with start_generic_container. Change rest of this line to match your device:
first arg - image or partition where distribution is installed. If distribution is installed in directory and mounting is not needed, leave this arg unchanged.
second arg - mount point or directory with distribution. If you use mounting (first arg), this arg can be left unchanged.
third arg - name of the user which will be used to start Xwayland and DE. It's better to specify non-root. Also this is the user who must have .xinitrc in his home dir (see step 2).
5. Save user.sh and click "Start".
6. Any problems and crashes will be reflected in the log.
If you want audio output:
1. Compile and install driver from pcm_sparkle.tar.gz in your distribution
2. cp 1.asoundrc ~/.asoundrc
If you have blinking problem, change upload_mode from 1 to 2 in settings. If you have bad performance, setting no_damage to true may help, but in most cases no_damage=false is better. Fastest upload mode is 0 (if it works).
If you don't trust me and don't want to give sparkle root permissions (I perfectly understand this) you don't have to. Also you can do without busybox.
But in this case, you need to understand and do a lot of things. Check sparkle's user.sh to get idea about what needs to be done. Basically:
1. You need to make /data/data/com.sion.sparkle/files accessible from inside chroot container. You can use bind mount.
2. Make sure you have tmpfs mounted over /tmp in container.
3. You may need to change selinux context on /tmp to match sparkle's context or disable SELinux.
4. You need to create new directory in /tmp, symlink sparkle's wayland socket from /data/data/com.sion.sparkle/files/wayland-0 to this dir. And export XDG_RUNTIME_DIR to point to this dir. Dir must be (ch)owned by user who will be running Xwayland and DE.
5. After all this, you can try to start Xwayland and your DE.
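Step 4 of the no-root procedure above as a shell function, added here as an illustration and not taken from sparkle's user.sh. It assumes it runs inside the container as the user who will start Xwayland, with the socket already reachable (step 1); the function name and the `sparkle-runtime` prefix are made up for the example.

```shell
#!/bin/sh
# Added example, not part of sparkle. Covers step 4 only: a private runtime
# directory in /tmp that holds a symlink to sparkle's Wayland socket.

# Socket path as quoted in the post.
SPARKLE_SOCKET=/data/data/com.sion.sparkle/files/wayland-0

# prepare_runtime_dir SOCKET [BASE]
# Creates a fresh directory under BASE (default /tmp), links SOCKET into it
# as wayland-0 and prints the directory path. Returns non-zero on failure.
prepare_runtime_dir() {
    prd_sock=$1
    prd_base=${2:-/tmp}

    # Refuse to link to a socket that is not visible from here (step 1 missing).
    if [ ! -e "$prd_sock" ]; then
        echo "socket not found: $prd_sock" >&2
        return 1
    fi

    # mktemp -d picks an unpredictable name and fails if it already exists,
    # so a directory pre-created by another user in shared /tmp is never reused.
    prd_dir=$(mktemp -d "$prd_base/sparkle-runtime.XXXXXX") || return 1

    # The runtime dir should be usable by its owner only. Running this as the
    # Xwayland user makes that user the owner, so no chown is needed.
    chmod 700 "$prd_dir" || return 1
    case $(ls -ld "$prd_dir") in
        drwx------*) ;;
        *) echo "unexpected mode on $prd_dir" >&2; return 1 ;;
    esac

    # Wayland clients look for $XDG_RUNTIME_DIR/wayland-0 by default.
    ln -s "$prd_sock" "$prd_dir/wayland-0" || return 1

    printf '%s\n' "$prd_dir"
}

# "sh thisfile run" prepares the directory and starts Xwayland (step 5).
if [ "${1:-}" = "run" ]; then
    XDG_RUNTIME_DIR=$(prepare_runtime_dir "$SPARKLE_SOCKET") || exit 1
    export XDG_RUNTIME_DIR
    exec Xwayland
fi
```
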
New version
rgho.st/8Fbz64Rxj
Added x86 and x86_64 support. Actually it is rewritten almost from scratch but x86 support is the only thing others can notice...
Hello! This project is interesting. I tried your app and it works on my Xiaomi Redmi Note 4X (chromium and glmark from chrooted environment work very well)! Can you publish the source code on Github, because it is a really interesting project?
Also I'm interested, please post it on github!
Did you put this up on github or move this thread? Looks very interesting.
Argh, sorry, I decided to abandon this project. You are free to delete thread. Also no copyleft-licensed components were used so I don't have to bother releasing sources.
Hentacler said:
Argh, sorry, I decided to abandon this project. You are free to delete thread. Also no copyleft-licensed components were used so I don't have to bother releasing sources.
Check your PM please!
Hello again.
For last two weeks I was rewriting it from scratch (yes. again... yes, third time).
Probably need another week to make it stable.
Currently I am not sure it runs on any device except my own 5-year old phone (LineageOS 14).
I will maintain last version here:
ftp://ftp.drivehq.com/mogryph/sparkle/
There is no English documentation, but you can see script "user.sh" to get idea about how to start xwayland. In most cases it should be enough to edit few lines in that script to make it work on another device. If you execute this script on your device with "install" argument, it is supposed to place itself into sparkle's directory and sparkle is supposed to run it ("start" function) automatically. Sparkle doesn't request root unless script does.
Here is video of sparkle working:
https://www.youtube.com/watch?v=tOSFYxCF7Q8
But it seems that KDE + video recording was too much for my old phone
Still, if you are going to see the video, don't close it until 2:00 where I turned off composition which caused lags.
Also on device everything looks much smoother than on video, even after 2:00.
When I watch fullscreen (1280x720) video on my device, sparkle + xwayland together add just 5% of CPU load (20% load of single core).
That's it I guess... I tried to discuss sparkle on 4pda.ru (Russian forums), but got very bad reception. "xsdl is perfect, don't reinvent the wheel" they say. So I started to hate humanity and I decided to make sparkle a personal project. Also this is the last time I am solving reCAPTCHA to leave a post on XDA.
Still alive
We are still alive. I've changed first post to reflect actual state. Now sparkle supports audio, auto-mounting containers and is a lot more stable.
Yet there are still many things I want to improve in sparkle's core before adding new functions.
Also there are few demo videos on ftp.
Amazing!
Working great on my redmi 6 pro. Stock miui 9.9.3 rom. With linuxdeploy and sparkle from your ftp. No lag on visual and sound. My Linux distribution is alpinelinux arm64 arch.
Since first time I see your posting on 4pda. I'm interested in it. And finally it's on xda.
Thanks dev.
---------- Post added at 02:52 AM ---------- Previous post was at 02:44 AM ----------
For anyone interested in the topic. Please follow the instructions in documentation from ftp. And Translate it to eng from rus.
This sounds amazing! Just curious, is it related to https://github.com/twaik/sparkle ?
I now have it working very well on my Samsung Tab S3 using Xwayland and a tiling window manager. Firefox runs amazingly well!
Is it meant to be used only with Xwayland or will it also work with native Wayland applications?
BTW, I think if you open sourced this project and promoted it a bit, it could become quite popular. It's basically the first way to run X11 GUI applications on Android devices at full speed. If you set up a donation link, you could also get compensated for your time and effort. I'll personally contribute $20 if it's open sourced, and I'm sure others will chip in as well.
robsmith11 said:
This sounds amazing! Just curious, is it related to https://github.com/twaik/sparkle ?
Thanks for feedback. Nice to hear that someone managed to start this thing
Twaik's repository is clone of my very very old version of sparkle. I made that version years ago when I was just starting to learn linux and C++. Sparkle was rewritten from scratch two or three times since that version. And (I believe) current version is much better.
Regarding making it open source... Few months ago I had to find real job. Can't spend much time on personal projects any more. But I have my own strange programming style and my own vision of what sparkle should be. Not sure I want others to paint on my picture. It's probably all because of Twaik! I hate how he used old open source version of sparkle. He did terrible things to it, outraging all my beliefs Sorry!
P.S.: Yesterday I've uploaded another apk to my ftp. The file is called "sparkle-testing.apk". This version is much newer and has many fixes. But I've also changed too many things since tested version including some fundamental changes. No guarantee it will run at all on other devices. Interest is mega low and I get no test reports at all.
Hi Hentacler, I've just found your project - it looks really promising. Unfortunately, the only link currently working on this thread is to github. Is this project still live?
I have a Samsung Galaxy Note 10+, and am using it as a laptop replacement. In addition to the Android apps using Samsung Dex (Samsung's desktop solution), I have several Linux distributions installed inside a chroot using userLand - so far, it's working great. I'd be keen to give your project a try if it's still live, and am happy to help out with testing from my device.
Re open source - while I like your project, I'm not super interested in investing time into something that's not open sourced - I appreciate your concerns about wanting to maintain the direction, but having transparent development is pretty important to me. Is Twaik's fork of your project a better place to go?
Cheers.
tillum said:
Hi Hentacler, I've just found your project - it looks really promising. Unfortunately, the only link currently working on this thread is to github. Is this project still live?
I have a Samsung Galaxy Note 10+, and am using it as a laptop replacement. In addition to the Android apps using Samsung Dex (Samsung's desktop solution), I have several Linux distributions installed inside a chroot using userLand - so far, it's working great. I'd be keen to give your project a try if it's still live, and am happy to help out with testing from my device.
Re open source - while I like your project, I'm not super interested in investing time into something that's not open sourced - I appreciate your concerns about wanting to maintain the direction, but having transparent development is pretty important to me. Is Twaik's fork of your project a better place to go?
Cheers.
ftp://ftp.drivehq.com/mogryph/sparkle/
Link to FTP should work and there you can get two versions:
sparkle.apk - old version, but confirmed to work by 3-4 people.
sparkle-testing.apk - latest version, but only briefly tested by me.
I don't ask anyone to invest anything... Sparkle doesn't request root access or any other dangerous permissions (unless you enable automatic container mounting and starting) so it's safe to try for anyone who wants.
Btw, somewhere between these two versions I've replaced BASH container initialization script with LUA version. That was probably a bad idea. LUA script is harder to start directly as root and hacks I used may not work (currently may even cause application freeze if root access is denied). Going to revert to BASH probably. But this only touches people who want sparkle to mount container and launch everything automatically on single button press.
p.s.: Why I need to solve captcha every time I post something?
Thanks for the new release! I've updated and everything seems to be working without any changes on my Samsung Tab S3 with chroot and Arch Arm Linux.
Your changes also solved the flickering for me! The old version would flicker the screen whenever my keyboard's trackpoint activated, but it's not flickering at all any more. Performance seems to be about the same.
I think this could be quite popular, but not many people know about it. Perhaps a post on Hacker News or Reddit would raise awareness.
I understand your position on open source and maintaining control. One idea if you haven't already considered it is releasing the code with a restrictive license that forbids any forks. But either way, I'm enjoying being able to properly use X11 on my tablet.
BTW, have you tried any native Wayland compositors? I don't really understand the Wayland ecosystem that well. I gave Sway a brief try, but it didn't seem to work. I've only been using XWayland.
@Hentacler Thanks for your reply! Very keen to get this working, but having a few issues. I'm unsure how to configure the user.lua file - I'm using your latest apk.
I have a non-rooted device, and am running archlinux under termux. Works fine with xsdl. I have installed xorg-server-wayland for X11. I'd appreciate any advice you have.
@robsmith11 Are you able to share how you got this working on Arch? Thanks!!!!
tillum said:
@Hentacler Thanks for your reply! Very keen to get this working, but having a few issues. I'm unsure how to configure the user.lua file - I'm using your latest apk.
I have a non-rooted device, and am running archlinux under termux. Works fine with xsdl. I have installed xorg-server-wayland for X11. I'd appreciate any advice you have.
@robsmith11 Are you able to share how you got this working on Arch? Thanks!!!!
I am not sure it is possible to use sparkle without root...
Sparkle makes its directory accessible for everyone (chmod 777). Before Android 8 or 9 this was enough and xwayland from termux was able to connect to sparkle. Here is how people used to start it:
export XDG_RUNTIME_DIR=/data/data/com.sion.sparkle/files
Xwayland
But newer versions of Android brought more restrictions and termux can no longer connect to sparkle. These new restrictions are implemented using SELinux if you know what it is. Applications now have different security contexts.
But that is not all. Newest versions of android brought even more terrible meaningless restrictions effectively "killing" applications like termux and many others.
In short, from now on applications are not allowed to execute code (binary) that comes from "untrusted" sources. Termux used to download a lot of such code from its own repositories. And now it can't. We can't even unpack binaries from assets.
So I can only help with rooted devices.
P.S. Please forgive me, but I am leaving this website. Making people solve recaptcha every time they want to post something is unacceptable level of contempt.
Thanks for that, will have a play. I could always just root my device. Weird about recaptcha, not having this issue. Currently through termux I have access to the whole sdcard, and am able to download packages (and distros) in it - will have a play and see what else is possible.
@tillum
I basically just followed the instructions on the first post for using Sparkle without busybox. I didn't need to modify the Lua scripts.
I'm guessing SELinux may be a problem without root. I'll try setting it up without root when I have a chance later.
