Database Info

[GUIDE] Native Debian on Samsung Galaxy i7500

Hello fellow phone enthusiasts,
there are some sources on the internet describing how to run Debian on the Samsung Galaxy i7500 (Samsung's first Android device). Unfortunately, none of these sources can act as a complete guide, so I thought I could try to fill this void. This guide is far from complete and will hopefully grow over time. Anyway, I hope this is helpful for some people that are trying to do the same.
Note that this post should have gone into the development section, but I'm not senior enough to post there. Also the URLs in this guide are messed up for the same reason. Each messed up URL is marked with "(FIX this url)". I will fix these things as soon as possible, if there is any interest in this guide.
Best regards,
Frank
0. WARNING
This guide is for experienced users only. You might brick your phone while following this guide. I will not take responsibilty for any harm that may happen to you, your phone or those around you when following this guide. Please read and understand the complete guide before doing the first step. You have been warned.
Make a nandroid backup (can be done in the recovery image). Really, do it. Even if you think there's no valuable data, you must do a nandroid backub, because you will need to have the boot.img to boot back into android after debian has been installed. You must also copy your nandroid backup onto your PC.
1. Credits
A few years ago, there has been quite an active development community for the Galaxy i7500. Unfortunately, these forums have now pretty much died and I was not an active member of that community, because I was using it as my primary device back then and had no interest in hacking it.
Anyway, a HUGE THANK YOU goes to the fine fellas from drakaz.com and the GAOSP. You guys are awesome!
The actual hard technical work for this guide has been done by the authors of the following guides. I'm simply trying to understand what they did and write a step-by-step guide using their expertise:
(FIX this url)https :// code . google . com/p/linux-on-android/wiki/BasicSteps
(FIX this url)https :// wiki . debian . org/ChrootOnAndroid
(FIX this url)http :// www . bananenfisch . net/?p=1056
(FIX this url)https :// sven . killig . de/android/console.html
2. Overview
The goal of this guide is to have a running Debian Squeeze (Debian 6) running natively on a Samsung Galaxy i7500. Debian will not be run in a chroot environment on top of android, but instead the phone will directly boot into debian when powering it on. Debian will be installed on a SD card, so that we could still boot into Android, should we really mess things up at some point. It will not be true dual boot though (i.e. you have to reflash the boot section from a PC to boot into Android).
2.1 Primary goals
In the end, I'd like have the following functionality:
WLAN
Bluetooth
X Window / Graphical User Interface
All this is possible with below description now.
But this means we will loose the ability to make phone calls, send text messages, use GPS, connect to the internet through 3G or anything else you would normally expect from a smartphone. It's very likely possible to also have this functionality included, but I simply don't need it for my project. If someone else is willing to investigate this, I would be interested in the results though.
2.2 Prerequisites
Things you'll need include:
good Linux knowlegde
1 rooted Samsung Galaxy i7500 (I recommend to flash GAOSP)
1 micro SD card (I'm using an 8 GiB class 4 card)
1 computer running Linux with the following software installed (I'm using Debian & Fedora, but any distribution that has debootstrap should work)
debootstrap
git
fastboot (I suggest to use the version that comes with your distro, but you can also try the one from the Android SDK)
GCC cross-compiler for ARM in order to compile the kernel (Debian and Fedora come with compiler versions, that didn't work for me, so I'm using version 7 of the Android NDK, i. e. GCC version 4.4.3)
3. Installing Debian
Note that I had already GAOSP2 beta 3 installed on the i7500. I don't know if any of these steps are possible without installing GAOSP first.
3.1 Prepare partitions on SD card
The Samsung Galaxy i7500 has an "internal SD card" which will be preserved for use with Android, the recovery image, a.s.o. The external SD card will be used for debian. ALL data on the external card will be lost after below steps.
Put the SD card into an SD card reader or boot the i7500 into recovery mode (press "vol-" and "call" buttons when switching on the phone). Note that using GAOSP directly didn't work for me, because for some reason only the first partition was shown on the PC.
Code:
cfdisk /dev/sdX
(replace X with the correct letter for your SD card, and then create the one big enough partition for your needs, I created one 4GiB primary partition leaving me 4GiB for playing around later)
Code:
sudo mke2fs /dev/sdX1
3.2 Build debian filesystem structure
Create a directory for the newly created debian partition (I assume it' s called "debian") and run the following commands
Code:
sudo mount /dev/sdX1 ./debian/
Code:
sudo debootstrap --verbose --arch armel --foreign squeeze ./debian/ (FIX this url) http :// ftp . de . debian . org/debian
Code:
sudo umount ./debian/
3.3 Finalize the debian installation
The following is based on the steps as described here (FIX this url) wiki. debian.org/ChrootOnAndroid and www . bananenfisch .net/?p=1056.
Boot phone into GAOSP
Open terminal
Code:
su
Code:
cd /data/local
Code:
mkdir debian
Code:
mount /dev/block/mmcblk1p1 /data/local/debian
Finalize bootstrap:
Code:
chroot /data/local/debian /debootstrap/debootstrap --second-stage
Mount special file systems and chroot into Debian:
Code:
for f in dev dev/pts proc sys ; do mount -o bind /$f /data/local/debian /$f ; done
Code:
chroot /data/local/debian /bin/bash
Finalise the installation:
Code:
echo "deb (FIX this url) http :// ftp . de . debian . org/debian/ squeeze main non-free contrib" > /etc/apt/sources.list
Code:
apt-get update
Code:
rm -f /etc/mtab
Code:
ln -s /proc/mounts /etc/mtab
Code:
passwd root
Code:
echo i7500 > /etc/hostname
Code:
apt-get install openssh-server
Code:
apt-get clean && apt-get autoclean
The ssh-sever can be started whenever you like through
Code:
/etc/init.d/ssh start
Afterwards you can log in from your PC using "ssh [email protected]" into the chroot environment.
3.4 Configure locale
We need to set the locale for the system (otherwise there will always be warning messages, e.g. when installing new software):
Code:
apt-get install locales console-data keyboard-configuration
You might want to tweak a few more settings (especially if your locale is not en_US). You can use:
Code:
echo export LANG=en_US.UTF-8 >> /root/.bashrc
Code:
export LC_ALL="en_US.utf8"
Code:
dpkg-reconfigure locales
Code:
dpkg-reconfigure console-data
Code:
dpkg-reconfigure keyboard-configuration
3.5 Installing additional software
You can now start installing additional software that you might need (I suggest you log into your phone through ssh as described above). You'll be needing an editor to edit configuration files (I choose vim). For setting up WiFi the package "wpasupplicant" is needed.
Code:
apt-get install vim less wpasupplicant
3.6 Chroot into debian
If you at a later time want to chroot into your debian environment, I recommend to store the following commands in a shell script (I stored it in /data/local/debian.sh) which you can then run as root.
Code:
#!/bin/sh
mount /dev/block/mmcblk1p1 /data/local/debian
for f in dev dev/pts proc sys ; do mount -o bind /$f /data/local/debian/$f ; done
chroot /data/local/debian /bin/bash
4. Create boot image
4.1 Build kernel
Perform the following steps on your PC:
Download the Galaxo kernel sources: git clone (FIX this url) https :// github . com/drakaz/GalaxoKernel.git
Apply the patch described on (FIX this url) https :// code . google . com/p/linux-on-android/wiki/BasicSteps (themddi_toshiba_smd.c patch doesn't work, do the change manually)
Apply patch as described here: (FIX this url) http :// sven . killig . de/android/console.html
copy attached config.txt file to .config
I will eventually create a branch on github containing the patches and default config. But for now, you'll have to do the patching yourself.
Code:
make ARCH=arm CROSS_COMPILE=/path/to/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi- oldconfig
Code:
make ARCH=arm CROSS_COMPILE=/path/to/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi-
Code:
make ARCH=arm CROSS_COMPILE=/path/to/android/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi- modules
4.2 Install modules
The modules need to be installed on the SD card partition, so you need to boot your phone into recovery and mount the SD card. Then execute the following command.
Code:
sudo make ARCH=arm CROSS_COMPILE=/path/to/android-ndk-r7/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi- INSTALL_MOD_PATH=/path/to/sdcard modules_install
In order for the WLAN kernel module to work the following files need to be copied from the GAOSP ROM to the /etc/ folder on the phone:
rtecdc.bin
nvram.txt
4.3 Minimal boot file system
A boot file system (a.k.a. initramfs) is needed to start the debian boot process. Create a folder called minimal_initramfs with the follwoing content:
Code:
minimal_initramfs/
|-- dev/
|-- init*
|-- mnt/
| `-- root/
|-- proc/
|-- sbin/
| `-- busybox*
`-- sys/
A binary of busybox can be downloaded from the busybox website (use busybox-armv4tl). The file "init" is actually a shell script with the following content:
Code:
#!/sbin/busybox sh
# initramfs pre-boot init script
# Something (what?) needs a few cycles here
/sbin/busybox sleep 1
# Populate /dev
/sbin/busybox mknod /dev/mmcblk1p1 b 179 9
# Mount the root filesystem, second partition on micro SDcard
/sbin/busybox mount -t ext2 -o noatime,nodiratime /dev/mmcblk1p1 /mnt/root
# Transfer root to SDcard
exec /sbin/busybox switch_root /mnt/root /sbin/init
The directory structure must then be compressed. To do this run the following sequence of commands when in the minimal_initramfs directory:
Code:
find . | cpio --quiet -H newc -o | gzip > ../minimal.cpio.gz
4.4 Creating the image
For creating the image you need the tool mkbootimg which you can find in android_bootimg_tools.tar.gz. Run the following command to create the boot image from the initramfs and the kernel you created above:
Code:
./mkbootimg --kernel /path/to/Galaxo-kernel/arch/arm/boot/zImage --ramdisk /path/to/minimal.cpio.gz --cmdline "fbcon=font:VGA8x8" --pagesize 2048 --base 10000000 -o debian_boot.img
5. Configuring network
5.1 Setting up the interface
Your /etc/network/interfaces file on the phone should look like this:
Code:
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.
auto lo
iface lo inet loopback
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
wpa-driver wext
wpa-conf /etc/wpa_supplicant.conf
5.2 Setting up wireless encryption
For network configuration we'll be using wpa_supplicant which we already installed in one of the above steps. On the phone create the file /etc/wpa_supplicant.conf with the following content. Please enter the correct values for ssid, psk and key_mgmt for your network:
Code:
network={
ssid="YourSSID"
psk="YourSecretPassword"
key_mgmt=WPA-PSK
priority=11
}
5.3 Loading drivers
In order for the WLAN kernel module to be loaded add the following line to /etc/modules:
Code:
bcm4325 firmware_path=/etc/rtecdc.bin nvram_path=/etc/nvram.txt
6. Flashing the boot image and booting into Debian
Now it's finally time to finally flash the previously created boot image. At this time, be sure that you only have your Galaxy connected to your PC. Otherwise you might brick any other connected phone. On the PC run
Code:
sudo fastboot flash boot debian_boot.img
Then boot the Galaxy into fastboot mode by pressing "call" when powering on the phone.
When the process is finished the phone will boot into Debian and automatically connect to your wireless network (if the set-up was correct). You can now connect to the phone through ssh and enjoy your new pocket server.
If you may ever want to boot into android again, you just need to flash the original boot.img that you created with nandroid:
Code:
sudo fastboot flash boot boot.img
7. Bluetooth
7.1 Compile brcm_patchram_plus
For getting bluetooth operational it is necessary to use Broadcom's brcm_patchram_plus software. As it is not available as a Debian Squeeze package, we need to compile it ourselves. So we need to install the following packages on the phone:
Code:
apt-get install git gcc make libbluetooth-dev
Then it's possible to download the sources:
Code:
git clone (FIX this url)https :// github . com / MarkMendelsohn / brcm_patchram.git
And compile the tool using:
Code:
make
7.2 Activating bluetooth
In order for bluetooth to work the following files need to be copied from the GAOSP ROM to the same folder on the phone that you compiled the brcm_patchram_plus in:
BCM4325D1_004.002.004.0153.0156.hcd
After that it's possible to execute the followig commands:
Code:
echo 0 > /sys/class/rfkill/rfkill0/state
echo 1 > /sys/class/rfkill/rfkill0/state
./brcm_patchram_plus -d --enable_hci --baudrate 3000000 --use_baudrate_for_download --patchram BCM4325D1_004.002.004.0153.0156.hcd /dev/ttyHS0
The last command will never terminate and you will get a lot of output due to the (-d) switch. After starting a new console, you will be able to scan for bluetooth devices using:
Code:
hcitool -i hci0 scan
7.3 Connecting a keyboard
I'm using a Rapoo E6100 keyboard and the following procedure worked fine for me. It should be similar with other keyboards.
Code:
apt-get install python-bluez python-gobject python-dbus bluez-compat
Code:
cd /usr/share/doc/bluez/examples
Press pairing button on keyboard then
Code:
./simple-agent hci0 6C:xx:xx:xx:xx:xx
(use the bluetooth address of your keyboard, according to the scan in the previous chapter)
The script will ask for a PIN. I entered 0000 on both the keyboard and phone and the keyboard was registered.
Code:
./test-device trusted 6C:xx:xx:xx:xx:xx yes
(again use the bluetooth address of your keyboard)
Code:
hidd --connect 6C:xx:xx:xx:xx:xx
Now you should be good to use your keyboard.
7.4 Automate patchram
Right now, the KB is not automatically connected on boot, because the patchram command from above needs to be executed on every boot. Hence the following commands should be added to /etc/rc.local (before the exit 0):
Code:
#Activate bluetooth
echo 0 > /sys/class/rfkill/rfkill0/state
echo 1 > /sys/class/rfkill/rfkill0/state
/path/to/brcm_patchram_plus --enable_hci --baudrate 3000000 --use_baudrate_for_download --patchram /path/to/BCM4325D1_004.002.004.0153.0156.hcd /dev/ttyHS0 &
8. Setting the clock
I was having trouble with my clock forgetting the day and time after each reboot. It was a flaw in my kernel config. In the current version of attached config file this is fixed. Anyway, I'm also running NTP to have the clock more accurate.
Code:
apt-get install ntpdate
NTP already come nicely pre-configured (thanks, Debian maintainers!). After that the timezone can be selected using
Code:
dpkg-reconfigure tzdata
9. GUI (X.org)
X.org works almost out-of-the-box since we already pathed the kernel as described in chapter 4 above. Based on the description from (FIX this url)https :// code . google . com/p/linux-on-android/wiki/BasicSteps only two minor changes have been made:
The framebuffer device is at /dev/fb0 instead of /dev/graphcics/fb0
I use evdev instead of tslib, because it provided better results for me (thanks to pabs from #debian-mobile for pointing me there)
9.1 Install X.org
All we need to do is download the software
Code:
apt-get install xorg xserver-xorg-video-fbdev xserver-xorg-input-evdev
9.2 Configuring X.org
Now create /etc/X11/xorg.conf:
Code:
Section "InputDevice"
Identifier "Touchscreen"
Driver "evdev"
Option "Device" "/dev/input/event2"
EndSection
Section "Device"
Identifier "Configured Video Device"
Driver "fbdev"
Option "fbdev" "/dev/fb0"
EndSection
Section "Monitor"
Identifier "Configured Monitor"
Option "DPMS" "false"
EndSection
Section "Screen"
Identifier "Default Screen"
Monitor "Configured Monitor"
Device "Configured Video Device"
EndSection
Section "ServerLayout"
Identifier "Default"
Screen "Default Screen"
InputDevice "Touchscreen" "CorePointer"
EndSection
Section "ServerFlags"
Option "DefaultServerLayout" "Default"
EndSection
9.3 Testing X.org
For testing X.org I've installed icewm and created the following /root/.xsession
Code:
#!/bin/sh
xterm&
exec icewm
Then just type in startx from the console and you have X. Of course you will have to change this to whatever you need or maybe even make X start on boot.
9.4 Boot into Browser
For my target system I want the phone to directly boot into a browser. This can easily be achieved by using the nodm package:
Code:
apt-get install nodm
and midori as browser:
Code:
apt-get install midori
We'll also need a user account. I called my user "default". But naturally you can of course choose whatever you like.
Code:
adduser default
Then nodm has to be configured in /etc/default/nodm:
Code:
# nodm configuration
# Set NODM_ENABLED to something different than 'false' to enable nodm
NODM_ENABLED=true
# User to autologin for
NODM_USER=default
# xinit program
NODM_XINIT=/usr/bin/xinit
# First vt to try when looking for free VTs
NODM_FIRST_VT=7
# X session
NODM_XSESSION=/etc/X11/Xsession
# Options for the X server
NODM_X_OPTIONS='vt7 -nolisten tcp'
# If an X session will run for less than this time in seconds, nodm will wait an
# increasing bit of time before restarting the session.
NODM_MIN_SESSION_TIME=60
And we have to create ~/.xsession for our user:
Code:
#!/bin/bash
midori -e Fullscreen &
exec icewm
A few tweaks in the icewm config (~/.icewm/preferences) will make the window manager look more nicely:
Code:
WorkspaceNames=" 1 "
TaskBarShowCPUStatus=0
TaskBarDoubleHeight=0
TaskBarShowWorkspaces=0
TaskBarShowMailboxStatus=0
TaskBarShowNetStatus=0
TimeFormat="%H:%M"
TaskBarShowWindowListMenu=1
TaskBarShowShowDesktopButton=0
10. Power management
The kernel is already configured with many different frequency govenors. Also the default govenor is set to "ondemand" but for some reason the when looking at /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor it's using the "performance" govenor. This can be solved by simply installing cpufreq-utils:
Code:
apt-get install cpufrequtils
The default settings are already using "ondemand", which seems to be a good choice. Anyway, further optimisations can be done in /etc/default/cpufrequtils if needed.
The phone still gets a little too warm for my taste (I think warmer than in android). Maybe there's something that could fix this, but I'm not an expert.
11. Known shortcomings
The whole set-up is in a really, REALLY early alpha stage
If any of the hardware buttons is touched in text mode the phone crashes (does not happen when in X.org)
The screen will time-out after some time, I have no idea how to wake it up again
Did I mention this is in an alpha stage?
12. Future improvements
Switching to a newer kernel version: The latest version of GAOSP runs on kernel version 2.6.35, while this guide is using 2.6.27. I have experimented with 2.6.29, but I had trouble getting a working frame buffer.
Switching to the latest version of debian (wheezy).

History
History:
2013-12-27:
Initial version
2013-12-30:
Minimized the the init script by removing mounts for /dev, /proc, and /sys. These are not necessary and mounting /dev prevents Debian's udev from working correctly.
2014-01-19:
Added description for bluetooth.
2014-01-25:
Added description for graphical user interface (X.org).
2014-01-25:
Boot into X/Browser and power management
2014-01-26:
Updated clock settings

Video proof
Hi all,
to get a better understanding what this is all about please watch the attached video. Please excuse the poor quality and the fingerprints on the screen.
As you can see the framebuffer output has a few quirks, but hopefully this will work out as soon as X is working.
BR,
Frank

All goals achieved
Okay, I think I now have achieved all goals. I can connect to WiFi and bluetooth. And there is a graphical user interface. Now the tweaking can start (first thing that comes to mind is powersaving). I really created this guide for myself, but I'd be happy to know if anyone else has interest in this topic.

Nice, I am interested. One question!
frank47 said:
Okay, I think I now have achieved all goals. I can connect to WiFi and bluetooth. And there is a graphical user interface. Now the tweaking can start (first thing that comes to mind is powersaving). I really created this guide for myself, but I'd be happy to know if anyone else has interest in this topic.
Click to expand...
Click to collapse
Nice, I am interested. One question!
I would like to use this device to get some data from the sensors. I have tested some apps in Android GAOSP to read the sensors in the i7500, but instead of using android apps, it could be very interesting to have a debian.
Have you tried to do it? Do you think it is possible? Is it too tricky to get a stable debian running an app to send sensors' data to another debian? I could help if you see it is interesting.
What is your opinion? Thank you...

Hi PabloGN,
there are a lot of entries in /proc and /sys. I think it's likely to be possible te access the sensors. For now, I have only looked at the battery status. Don't know if you'd consider that a sensor. Anyway, you would probably have to re-write your software to use those devices instead of using already existing Java libs for android. Hard to tell,*if it's worth the effort.
BR,
Frank

PabloGN said:
I would like to use this device to get some data from the sensors.
Click to expand...
Click to collapse
This is the list of input devices on my the i7500:
Code:
[email protected]:~# cat /proc/bus/input/devices
I: Bus=0000 Vendor=0000 Product=0000 Version=0000
N: Name="I7500_headset"
P: Phys=
S: Sysfs=/devices/virtual/input/input0
U: Uniq=
H: Handlers=kbd event0
B: EV=3
B: KEY=4 0 0 0 0 0 0 0
I: Bus=0000 Vendor=0000 Product=0000 Version=0000
N: Name="I7500_keypad"
P: Phys=
S: Sysfs=/devices/virtual/input/input1
U: Uniq=
H: Handlers=kbd event1
B: EV=3
B: KEY=800180 100000 0 41000800 1c1ec0 0 0 0
I: Bus=0000 Vendor=0000 Product=0000 Version=0033
N: Name="melfas-tsi-touchscreen"
P: Phys=
S: Sysfs=/devices/virtual/input/input2
U: Uniq=
H: Handlers=event2
B: EV=b
B: KEY=400 0 0 0 0 0 0 0 0 0 0
B: ABS=11000003
I: Bus=0000 Vendor=0000 Product=0000 Version=0000
N: Name="compass"
P: Phys=
S: Sysfs=/devices/virtual/input/input3
U: Uniq=
H: Handlers=event3
B: EV=9
B: ABS=20305ff
I: Bus=0000 Vendor=0000 Product=0000 Version=0000
N: Name="proximity_i2c"
P: Phys=
S: Sysfs=/devices/virtual/input/input4
U: Uniq=
H: Handlers=event4
B: EV=1
So, it should at least be possible to read the compass and proximity sensor data form /dev/input/event3 and /dev/input/event4. Maybe there's more and I just haven't compiled it into the kernel or it's accessed in some other way. Sorry, the sensors are not part of my use case so far.
I'm only using /dev/input/event2 (touchscreen) in my xorg.conf as an input device. Works like a charm.
Good luck with your endeavour. If you want me to test something or send you the output of some command, just ask here or by PM.

Permission denied though uid=root

I'm trying to understand why I still get such "Permission denied" errors though I'm UID root.
I will describe my setup and particular error, but I think a proper explanation of what's happening may interest others.
I just need occasional root shell for reverse engineering sessions, and from what I know, a simple way to achieve this is to boot a modified initial ramdisk that contains a properly modified /default.prop, and/or a setuid shell, and/or some kind of su command.
I managed to successfully boot the device (Moto G) with my custom modified image using "fastboot boot custom_boot.img".
First I can verify it's actually "my initrd.img" that's in use:
Code:
[email protected]_umts:/ $ cat /default.prop
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
[I]ro.secure=0[/I]
ro.allow.mock.location=0
[I]ro.debuggable=1[/I]
This does _not_ allow me to get root shell (with "adb shell"):
Code:
[email protected]_umts:/ $ id
[I]uid=2000(shell)[/I] gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
So, I added a setuid copy of /system/bin/sh to the initial ramdisk, at "/sbin/shell0".
Code:
[email protected]_umts:/ $ ls /sbin/shell0 -l
[I]-rwsr-xr-- root shell[/I] 157424 2014-07-14 16:08 shell0
[email protected]_umts:/ $ /sbin/shell0
# id
[I]uid=2000(shell)[/I] gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
# exit
[email protected]_umts:/ $ /sbin/shell0 +p
[email protected]_umts:/ # id
[I]uid=0(root)[/I] gid=2000(shell) groups=2000(shell) context=u:r:shell:s0
[email protected]_umts:/ # ls /data/
[I]opendir failed, Permission denied[/I]
Here, it appears that I have to use the "+p" flag to prevent the shell to immediately get back to the real user id (2000), despite the suid bit is set on /sbin/shell0.
But I don't understand I don't have the permission neither to open simple directories as /data, nor to read the interesting stuff in the /proc subsystem, though I'm uid=0 (root).
I've also tried adding to the initial ramdisk a simple su command, at /sbin/test_su, that does the setuid(0)/setgid(0)/execve(...) thing (snippets available at android.googlesource.com).
But though this properly keep the supplementary groups I had lost within the previous try above, I still can't read into /data:
Code:
[email protected]_umts:/ $ ls -l /sbin/test_su
[I]-rwsr-xr-- root shell[/I] 6316 2014-07-14 17:12 test_su
[email protected]_umts:/ $ test_su
[email protected]_umts:/ # id
[I]uid=0(root) gid=0(root)[/I] groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
[email protected]_umts:/ # ls /data/
[I]opendir failed, Permission denied[/I]
From a un*x point of view, it seems weird to me that the shell still answers "opendir failed, Permission denied" while I'm uid/gid 0 (root).
I will continue to investigate, notably regarding SELinux which may enforce rules I'm not aware of, but would also greatly appreciate anyone who could put some light on this issue. At least for me it's an issue, as I don't understand what's happening.
Thanks.

t0kt0ckus said:
So, I added a setuid copy of /system/bin/sh to the initial ramdisk, at "/sbin/shell0".
Click to expand...
Click to collapse
Note that making a setuid shell executable might not be 100% reliable. When I've tried this with bash, it quickly realizes that getuid() != geteuid(), and drops the root permission.
I don't see this happening in your logs, but it's something to watch out for. Typically I've just used simple wrapper programs like the attached file to guarantee that the real/effective/saved UIDs are 0/0/0.
From a un*x point of view, it seems weird to me that the shell still answers "opendir failed, Permission denied" while I'm uid/gid 0 (root).
I will continue to investigate, notably regarding SELinux which may enforce rules I'm not aware of, but would also greatly appreciate anyone who could put some light on this issue. At least for me it's an issue, as I don't understand what's happening.
Click to expand...
Click to collapse
Chainfire is probably the best person to comment on Android SELinux matters. If you look through his old G+ posts you may be able to determine which restrictions apply to your security context.
Do you see any denials logged in dmesg? (Or is that inaccessible too?)
If there is a /selinux/enforce file, does it read back '0' or '1'?

Thank you for your answer.
cernekee said:
Note that making a setuid shell executable might not be 100% reliable. When I've tried this with bash, it quickly realizes that getuid() != geteuid(), and drops the root permission.
I don't see this happening in your logs, but it's something to watch out for. Typically I've just used simple wrapper programs like the attached file to guarantee that the real/effective/saved UIDs are 0/0/0.
Click to expand...
Click to collapse
I've looked at your attached source, the main difference with my own wrapper is that you fork the process, I've tried also, behavior is the same. But, after reading your comment, I've modified my setuid/execve code, to make it more verbose about the real/effective/saved UIDs (using getresuid()).
Code:
[email protected]_umts:/ $ test_su
Initial UIDs
ruid: 2000
[B]euid: 0[/B]
suid: 0
Setting UIDs ...
New UIDs
[B]ruid: 0
[/B]euid: 0
suid: 0
[email protected]_umts:/ # ls /data/
[I]opendir failed, Permission denied[/I]
1|[email protected]_umts:/ #
It clearly appears that, POSIX speaking, all go fine until the "Permission denied" error:
the effective uid is already 0 (just after the "adb shell" command), which is expected and documented, as the content of my /default.prop prevents the shell to revert its effective uid to its real one, which would then be 2000 (shell)
after the setuid(0) call, the real uid is successfully set to 0, as expected, because the suid bit is set AND we were already privileged (if not privileged, setuid() should only change the effective uid, as for "man 2 setuid")
after execve(..), the whole prompt, "[email protected]_umts:/ #", again confirms the real uid is 0 (root)
Chainfire is probably the best person to comment on Android SELinux matters. If you look through his old G+ posts you may be able to determine which restrictions apply to your security context.
Click to expand...
Click to collapse
Yes, I definitely need to dig into the SELinux/Android stuff (see bellow), and will try to find the Chainfire posts you propose.
Do you see any denials logged in dmesg? (Or is that inaccessible too?)
If there is a /selinux/enforce file, does it read back '0' or '1'?
Click to expand...
Click to collapse
Neither dmseg (which is accessible) nor logcat shows any related error or warning.
I haven't any /selinux/enforce file, but it clearly appears from information bellow that SELinux is activated and enforced:
Code:
[email protected]_umts:/ $ getenforce
[B]Enforcing[/B]
[email protected]_umts:/ # setenforce 0
setenforce: Could not set enforcing status: Permission denied
[email protected]_umts:/ $ cat seapp_contexts
isSystemServer=true domain=system
user=system domain=system_app type=system_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=_app domain=untrusted_app type=app_data_file levelFrom=none
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=shared domain=shared_app type=platform_app_data_file
user=_app seinfo=media domain=media_app type=platform_app_data_file
user=_app seinfo=release domain=release_app type=platform_app_data_file
user=_isolated domain=isolated_app
user=shell domain=shell type=shell_data_file
user=log domain=log_app type=system_data_file
user=sprint_extension domain=carrier_ext type=platform_app_data_file
user=smartcard domain=smartcard type=smartcard_data_file
I'm a noob at SELinux, and I may be wrong, but I think a rule policy could prevent a user, being it root, to achieve certain actions. I need to read stuff about this.
The initial boot image that I modify (just add my suid shell /sbin/test_su) is the 4.4.2 one from sbf, and I expand/repack it using standard un*x tools (gunzip,cpio,...) and abootimg. Anything wrong with that ?
I build the C files using:
Code:
$ echo $CC
<android-ndk>/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin/arm-linux-androideabi-gcc --sysroot=<android-ndk>/platforms/android-19/arch-arm
$ $CC -o test_su test_su.c
Should I use particular flags for gcc, to make it produce SELinux aware object files ?
[EDIT: stupid question, answer is no]
Again, thanks for your help and ideas.

Just for information (for thus who are as dumb as I am): acquiring uid=(euid=suid=)0 is of little or no help within a user application, you're (obviously) still constrained by capabilities you can't acquire unless involving some kind of exploit.
To get a shell that's not restricted by the SE policies (on the 4.4 branch), the main way seems to have somewhat a system daemon capable to spawn /system/bin/sh with appropriate privileges/capabilities upon su client requests: so you again need an exploit.
So, for my understanding, starting with KitKat you can't anymore get a useful adb root shell through the uid=0 thing (traditional su), you have either to flash a custom rom or involve an exploit.

[MOD] Encrypt sdcard with EncFS

Introduction
While Android allows to encrypt the /data partition this is not the case for the sdcard with many ROMs. So there are many files on the sdcard that remain accessible for wicked persons who have physical access to it. This script is an attempt to solve this problem by encrypting the content of the sdcard with the help of EncFS.
This thread is for people who have an interest to encrypt their sdcard. If you don't need it of if you want to discuss the necessity of encrypting the sdcard or encryption in general, please stay away and open a new thread if necessary.
Why EncFS?
When I was looking for a proper way to encrypt my sdcard, I wanted the following points to be fulfilled:
well-known, strong encryption method - the encrypted data should be accessible with other devices and systems (e.g. with Windows, MacOS, Linux)
conventional plain data and encrypted data on one sdcard - some file possibly should stay unencrypted (e.g. files for osmand, video files,...)
shared space for plain and encrypted data - especially with small sdcards it is more comfortable to stay with one big partition instead of splitting the sdcard
EncFS fulfills these points. Furthermore, there are working binaries and build instructions for Android thanks to Cryptionite.
Is it stable? Will it slow down my device?
I'm running my phone with encrypted sdcard for about a year now without any serious problems. I tested it with Sultanxda's CM11 KitKat ROM and ivanich's CM12 Lollipop ROM so I expect it to work at least on every CM11 and CM12 ROM. Please let me know if it works / doesn't work for you.
Using encryption will obviously slow down the read/write speed from/to sdcard. However, for me it is fast enough. As encryption and decryption is taking place in the CPU I expect the deceleration to be less on slow sdcards. But this is only an assumption.
With a SanDisk Ultra Class10 and AES 128 Bit encryption I tested the speed with the dd method on Android Lollipop:
Without encryption:
Write: 9 Mb/s
Read: 21,3 Mb/s
With EncFS encryption:
Write: 4,5 Mb/s
Read: 19,4 MB/s
Again, I hope to hear about the speed you measure.
Installation Instructions
Please backup your device before you try this! I don't know if this is working on your device and ROM. Do it at your own risk! I'm not responsible for any damage or data loss!
encrypt your /data partition. Your password for the sdcard-encryption will be stored on /data in plain text, so this is essential
install the attached zip-file via recovery
create a folder named ".encrypted" in the root of your sdcard
create an EncFS repository in the ".encrypted" folder. This is not difficult, search for howtos if you don't know what to do. You can do this on your device via adb or terminal (as root):
Code:
/system/bin/mount.encfs /sdcard/.encrypted /sdcard/decrypted
or with Linux, Windows or MacOS (via MacPorts), for example:
Code:
encfs /path-to-sdcard/.encrypted /only-temporary
save the password you entered in /data/local/passwd on your phone (adb or terminal as root)
Code:
echo "your-encfs-password-here" > /data/local/passwd
reboot
if everything works, you have the decrypted files of the ".encrypted" folder in "/storage/sdcard0" and ordinary plain files on your sdcard in "/storage/sdcard1"
now you can move the data of your apps, photos, ringtones, music,... from "/storage/sdcard1" to "/storage/sdcard0"
After flashing a new ROM, you only have to flash the zip-file again.
How does it work?
The script is executed every time you mount your sdcard (at boot and when inserting the sdcard). To achieve this, the sdcard daemon at /system/bin/sdcard is replaced with a script which performs the mounting stuff. It is looking for the ".encrypted" folder on the sdcard. If the folder exists, it decrypts it with the password stored in "/data/local/passwd". You will have the following sdcard structure dependent of the presence of the ".encrypted" folder:
".encrypted" folder is present (and "/data/local/passwd" containing the right password):
/storage/sdcard0 -> the decrypted data of .encrypted (the EncFS folder)
/storage/sdcard1 -> all the data of your sdcard
".encrypted" folder is not present:
/storage/sdcard0 -> all the data of your sdcard
So if you rename or delete the ".encrypted" folder on your sdcard, the script should react as if it doesn't exist.
There are some apps which can be configured to use another folder as "sdcard0". These can make use of "sdcard1", especially if they must access big files very fast (like Osmand or some podcast-apps).
Where is the EncFS binary from?
The EncFS binary is an ARMv7-version taken from Cryptonite. You can also build it yourself and replace the one in the zip file.

[ Reserved ]

support!!

Info
Can i encrypt/decrypt a single folder in internal sdcard?

ki1120 said:
support!!
Click to expand...
Click to collapse
Yeah.. so... I don't know what to say...
ultrasound1991 said:
Can i encrypt/decrypt a single folder in internal sdcard?
Click to expand...
Click to collapse
This is exactly what cryptonite does. You can mount single encrypted folders via a comfortable GUI.
If you want to mount the folder automatically together with the sdcard my script can also be adjusted. However, umnounting the sdcard (from settings or when connecting USB) could be prevented. This sould be tested. You can ask me if you need help.

Info
Cryptonite is no longer supported.
I have smartphone with Android L, root, and only internal sdcard.
I want to use your script to mount an encrypted folder, that contain encfs6.xml file.
Can you help me? I am not a programmer.

EncFS (FUSE) UID, GID not set, always "0" ("root")
It's old though, I was experimenting on a KitKat. All sets up fine, just the permissions part. Whatever uid and gid is set in command, folder is always mounted as uid=0 and gid=0 i.e. root when checked by 'mount' command. Mount details are as under:
Code:
[email protected]:/ # mount | grep "storage/sdcard"
encfs /storage/sdcard0 fuse.encfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
/dev/fuse /storage/sdcard1 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
[email protected]:/ #
It's because sdcard daemon is run as root?
But apps need uid and gid 1023 (media_rw) or perhaps 1028 (sdcard_r). I'm not sure about this. As the init.qcom.rc lines say:
Code:
# create virtual SD card at /mnt/sdcard, based on the /data/media directory
# daemon will drop to user/group system/media_rw after initializing
# underlying files in /data/media wil be created with user and group media_rw (1023)
service sdcard /system/bin/sdcard -u 1023 -g 1023 -l /data/media /mnt/shell/emulated
class late_start
service fuse_sdcard1 /system/bin/sdcard -u 1023 -g 1023 /mnt/media_rw/sdcard1 /storage/sdcard1
.
Now, if I run command as user 1023 or 1028, encfs can't read /storage or /mnt directories due to restricted permissions:
Code:
[email protected]:/ # su 1023 /system/bin/mount.encfs -s -o "rw,nosuid,nodev,uid=1023,gid=1023,umask=006,allow_other" /mnt/media_rw/sdcard0/.encrypted /storage/sdcard0
The directory "/storage/sdcard0" does not exist. Should it be created? (y,n) y
Unable to create directory: : Permission denied
06:06:32 (main.cpp:435) Unable to locate mount point, aborting.
How to achieve this drop part?:
Code:
#daemon will drop to user/group system/media_rw after initializing
I think I'm missing something very simple.
And encfs latest static binary for arm can be made available somehow other than compiling? That's a real tough part.
Does EncFS work with Android 6+? If no, any similar alternatives i.e. command-line solution, not apps.

mirfatif said:
I think I'm missing something very simple.
Click to expand...
Click to collapse
Do you use the script I provided? It should create the sdcard as root before running encfs:
Code:
mkdir /storage/sdcard0 0700 root root
After that it runs encfs as root – the "drop part" is actually "uid=0,gid=01028" with which encfs mounts the encrypted folder:
Code:
/system/bin/mount.encfs -s -o "rw,nosuid,nodev,uid=0,gid=01028,umask=6,allow_other" /mnt/media_rw/sdcard0/.encrypted /storage/sdcard0
mirfatif said:
And encfs latest static binary for arm can be made available somehow other than compiling? That's a real tough part.
Click to expand...
Click to collapse
Development of Cryptonite seems quite inactive unfortunately. But there is a fork that seems to have some fixes for building, a build script and build instructions.
mirfatif said:
Does EncFS work with Android 6+? If no, any similar alternatives i.e. command-line solution, not apps.
Click to expand...
Click to collapse
I didn't test it with Android 6 as from there on adoptable storage is available. Adoptable storage fulfils most of the things I wanted for sdcard encryption (see my first post: strong encryption; conventional plain data and encrypted data). Thus, it basically makes my encfs-solution obsolete for Android 6+.

bastei said:
Do you use the script I provided? It should create the sdcard as root before running encfs:
Code:
mkdir /storage/sdcard0 0700 root root
After that it runs encfs as root – the "drop part" is actually "uid=0,gid=01028" with which encfs mounts the encrypted folder:
Code:
/system/bin/mount.encfs -s -o "rw,nosuid,nodev,uid=0,gid=01028,umask=6,allow_other" /mnt/media_rw/sdcard0/.encrypted /storage/sdcard0
Click to expand...
Click to collapse
I used these scripts without any problems on:
Android 4.4:
Code:
#!/system/bin/sh
#####################################################################################################
# DISABLE INTERNAL MEMORY (/data/media/0) AND USE EXTERNAL SD CARD AS INTERNAL STORAGE #
# ENCRYPT FILES ON EXTERNAL SD CARD FOR SECURITY #
# #
# STEPS: #
# 1. DIM i.e disable internal memory (KitKat, Lollipop), not explained here #
# #
# 2. change in boot.img > ramdisk > init.qcom.rc: #
# service fuse_sdcard0 /system/bin/sdcard -u 1023 -g 1023 -d /mnt/media_rw/sdcard0 /storage/sdcard0 #
# to #
# service fuse_sdcard1 /system/bin/sdcard -u 1023 -g 1023 -d /mnt/media_rw/sdcard0 /storage/sdcard1 #
# #
# ensure both lines exist in init.qcom.rc: #
# "mkdir /storage/sdcard1 0700 root root" and "mkdir /storage/sdcard0 0700 root root" #
# #
# 3. rename /system/bin/sdcard to sdcard_orig #
# 4. replace /system/bin/sdcard with this script (named "sdcard") #
# 5. copy encfs bianry to /system/bin #
# 6. set chmod +x permissions on all 3 files #
# #
# 7. encrypt internal storage (from settings) and save encfs password: #
# echo <your_password> | tee /data/local/pswd #
# 8. run this as root to mount encrypted directory: #
# /system/bin/encfs -o allow_other,umask=0 /mnt/media_rw/sdcard0/.encfs /data/local/SDCardTemp #
# copy all data on internal storage (/data/media/0/) to /data/local/SDCardTemp #
# reboot #
#####################################################################################################
export PATH=/system/bin:/system/xbin
# save log
mkdir -p /data/local/tmp
exec &>/data/local/tmp/encfs.log
date
echo "sdcard $*"
# mount encfs if not mounted already
if ! mountpoint /storage/sdcard0
then
cat /data/local/pswd | encfs -S /mnt/media_rw/sdcard0/.encfs /storage/sdcard0 -- -o allow_other,umask=0
# or may use uid=0,gid=1028,umask=006
fi
# pass original init command to sdcard daemon
sdcard_orig "[email protected]"
Android 5.0:
Code:
#!/system/bin/sh
# add following lines to boot.img > ramdisk > init.qcom.rc before sdcard service:
## service encfs /system/bin/encfs.sh
## oneshot
## class late_start
# save this script as /system/bin/encfs.sh
# copy encfs bianry to /system/bin
# chmod a+x /system/bin/encfs*
# echo <password> | tee /data/local/pswd
# /system/bin/encfs -o allow_other,umask=0 /data/media/encfs_crypted /data/local/SDCardTemp
# rsync -a --progress --exclude=encfs_crypted /data/media/ /data/local/SDCardTemp/
export PATH=/system/bin
# wait to avoid "PROTO_EXEC|PROTO_WRITE failed" error
sleep 5
# save log
exec &>/data/local/encfs.log
date
# mount encfs
exec cat /data/local/pswd | encfs -S /data/media_encfs_crypted /data/media -- -o uid=1023,gid=1023,umask=006,allow_other,nonempty &&
echo Mounted.
Mount options "nosuid" and "nodev" are set by default as a security measure. Mostly applications making use of FUSE (in kernel space) and optionally libfuse (in userspace) also set (or give a commandline parameters to set) "allow_other" and "default_permissions" options by default.
UMASK, UID, GID, ALLOW_OTHER
"umask" (or "dmask" and "fmask") needs to be provided explicitly to make files world accessible. Default mode set by "encfs" is 0600 (umask=177) and only mount owner (root) can access files unless every newly created file is manually chmod-ed.
Similarly, "uid" and "gid" options are needed to set desired owner/group. Default owner:group is the mount owner (0:0) unless every newly created file is manually chown-ed.
Actually mount owner and files/directories owner can be different, which was the source of my confusion. That's how FUSE is implemented to let non-privileged mounts work. Have a look at this:
user_id=N
group_id=N Specifies the numeric uid/gid of the mount owner.
This option should not be specified by the filesystem owner. It is set by libfuse (or, if libfuse is not used, must be set by the filesystem itself).​
. . .
uid=N
Override the st_uid field set by the filesystem (N is numeric).​
Click to expand...
Click to collapse
Since all "init" processes (including "sdcard" daemon) run as root (uid=0 and gid=0), 'mount' command always show "user_id=0" and "group_id=0". However it should be noted that provided "uid" and "gid" appear when we view files' ownership:
Code:
[B]/~#[/B] encfs -o allow_other,[COLOR="Red"]umask=7,uid=1023,gid=0[/COLOR] /.enc /enc
EncFS Password:
[B]/~#[/B] mount | grep enc
encfs on /encfs type fuse.encfs (rw,nosuid,nodev,relatime,[COLOR="red"]user_id=0,group_id=0[/COLOR],default_permissions,allow_other)
[B]/~#[/B] touch /enc/test
[B]/~#[/B] ls -l /.enc /enc
/.enc:
[COLOR="red"]-rw-rw-rw-[/COLOR] 1 [COLOR="Red"]0 0[/COLOR] 0 Mar 3 17:58 CoXOLL0fc0RaxZjq2HaSj9en
/enc:
[COLOR="YellowGreen"]-rwxrwx---[/COLOR] 1 [COLOR="YellowGreen"]1023 0[/COLOR] 0 Mar 3 17:58 test
[B]/~#[/B] chmod 0777 /enc/test
[B]/~#[/B] chown 0:1023 /enc/test
[B]/~#[/B] ls -l /.enc /enc
/.enc:
[COLOR="red"]-rwxrwxrwx[/COLOR] 1 [COLOR="red"]0 1023[/COLOR] 0 Mar 3 17:58 CoXOLL0fc0RaxZjq2HaSj9en
/enc:
[COLOR="YellowGreen"]-rwxrwx---[/COLOR] 1 [COLOR="YellowGreen"]1023 0[/COLOR] 0 Mar 3 17:58 test
[B]/~#[/B]
Setting "uid"/"gid" isn't necessarily required if universal access is granted using "umask=0" and "allow_other" mount options. Since every app is treated as a user on Android, so even the file explorer (same user who mounted filesystem by getting root privileges) can't access EncFS mounted directory without "allow_other" (if not running as root). So "allow_other" is necessarily required.
Mounting with "gid=9997,dmask=0007,fmask=0117,allow_other" at "/mnt/runtime/write/emulated/0/<mount_point>" on Android 6+ grants write access to apps with android.permission.WRITE_EXTERNAL_STORAGE granted. See this answer for details.
MOUNT OWNER
On Linux non-root users who are member of "fuse" group can mount and un-mount FUSE filesystems using "fusermount(3)" which is always run as root by set-UID-root or "setcap cap_sys_admin+ep". "fuse" group is the GID of "/dev/fuse". But non-privileged users can't set "allow_other" unless "user_allow_other" is set in FUSE configuration file /etc/fuse.conf. "/etc/fuse.conf" is used by "libfuse", and hence by all program depending on or linked to this library like "bindfs", "encfs", "sshfs", "rclone" and so on. So a non-root user can be the mount owner but other users (including root) can't access the mounted filesystem.
However on Android non-privileged user can't (u)mount FUSE filesystem because:
FUSE support is fully enabled from kernel side (on Linux it's usually a loadable module), can be checked by:
Code:
grep -E 'fuse|fuseblk' /proc/filesystems
But there are limitations in userspace.
There's no "fusermount" binary available on Android and the libfuse implementation doesn't use FUSE configuration because it's meant only for root users. But if we try to use binaries statically linked to standard Linux "libfuse" (like EncFS), they do read "/etc/fuse.conf" and may depend on "fusermount".
Apps on Android are run with all privileges dropped, so they can't make "mount" syscall even if "fusermount" is present with SUID bit set.
"/dev/fuse" is readable and writable only by root (0600, 0:0).
Non-root users on Android may face problem accessing filesystems (e.g. executing EncFS binary and reading "/dev/fuse") due to DAC or MAC permission checks. SELinux might need to be set "permissive" for the same reason, or the policy needs to be patched. SELinux also restricts Linux capabilities of processes.
So in short, EncFS and all other programs that make use of FUSE, can only be mounted by root on Android.
MOUNT NAMESPACE
Next important thing to be considered is "mount namespace" where even "allow_other" and root access won't help you. Mount namespaces enable apps to be exposed to an individual view of mounted filesystems. It means that "/proc/mounts" (which actually is "/proc/self/mounts") may look different to different processes. FUSE was implemented since KitKat to impose permissions derived from directory structure by emulating internal and/or external SD cards instead of direct mounting them. Mount namespaces are implemented since Marshmallow to serve the purpose of apps isolation in better way enforced by "zygote" at runtime. On rooted devices when an app requests a root shell, SU manager starts the shell in a new isolated namespace. While FUSE is implemented through UID's, namespaces are implemented through PID's. Super user rights with namespace separation are granted through
Code:
unshare -m sh
i.e. providing the app (process id) an independent view of mount points, not visible to the rest of apps.
Namespaces only affect (1) emulated SD card mounts handled by zygote or (2) any other filesystem mounted from a shell which was initiated by SuperSU with mount NS separation. All root processes started by Android ("init" on boot) run in global namespace. For example all mounts from adb shell will have no namespace separation because "adbd" is run in global namespace. Similarly, all shared mounts done at boot by init are propagated as a single unit from default/global/root namespace to all new zygote-forked per process namespaces. If we un-mount a filesystem from an app with root access, it will not affect the system and other apps. However if mount namespace separation is disabled, un-mounting a filesystem from any app will un-mount it globally. So isolated namespace feature provided by SU solutions is a security measure.
Say, you execute the following command from Termux (or any other terminal emulator app):
Code:
/system/bin/encfs -o allow_other /data/media/0/.encfs /data/media/0/encfs
Now, if mount namespace separation is enabled (by default), you will be able to open /data/media/0/encfs only from Termux app and from no other file explorer etc. For any other app, EncFS is not mounted at all. However Android su binaries provide a mount master option to always mount in global namespace:
Code:
[COLOR="Red"][B]su -mm[/B][/COLOR] /system/bin/encfs -o allow_other /data/media/0/.encfs /data/media/0/encfs
nsenter command can also be used to enter an existing isolated mount namespace. But note that namespaces are killed as soon as they have zero process running.
Other option is to disable "Mount Namespace Separation" in SuperSU app settings. However, do not disable this if you want to use apps like Titanium Backup or "Hide Root" feature as in Magisk etc. In addition to Isolated and Global, Magisk also provides a third option: Inherited i.e. run the root shell in same isolated namespace in which app is already running.
Related: Partition gets unmounted automatically in Android Oreo
DROP DAEMON PRIVILEGES
What I quoted earlier:
#daemon will drop to user/group system/media_rw after initializing
Click to expand...
Click to collapse
This "drop daemon privilege" thing is specific for "sdcard" daemon only as stated here and neither true for FUSE in general, nor related to filesystem "user_id" or "uid" options:
It must be run as root, but will drop to requested UID/GID as soon as it mounts a filesystem.
Click to expand...
Click to collapse
Code:
snprintf(opts, sizeof(opts),
"fd=%i,rootmode=40000,default_permissions,allow_other,user_id=%d,group_id=%d",
fd, uid, gid);
res = mount("/dev/fuse", dest_path, "fuse", MS_NOSUID | MS_NODEV, opts);
if (res < 0) {
ERROR("cannot mount fuse filesystem: %s\n", strerror(errno));
goto error;
}
/* Drop privs */
res = setgroups(sizeof(kGroups) / sizeof(kGroups[0]), kGroups);
if (res < 0) {
ERROR("cannot setgroups: %s\n", strerror(errno));
goto error;
}
res = setgid(gid);
if (res < 0) {
ERROR("cannot setgid: %s\n", strerror(errno));
goto error;
}
res = setuid(uid);
if (res < 0) {
ERROR("cannot setuid: %s\n", strerror(errno));
goto error;
}
fuse_init(&fuse, fd, source_path, write_gid, derive, split_perms);
umask(0);
res = ignite_fuse(&fuse, num_threads);
/* we do not attempt to umount the file system here because we are no longer
* running as the root user */
Process should call "setuid" itself to drop/elevate privileges which isn't the case for EncFS/FUSE by default. We can't use "su" or "setuidgid" or "chpst" commands to drop privileges later on but this isn't needed either as explained earlier. Only "uid=" and "gid=" options are enough.
Same source code file also explains somewhat how "legacy" and "derived permissions" work particularly on Android 4.4, 5 and 6 using FUSE filesystems for emulating SD card.
SUMMARY
On Android, only root can mount EncFS (FUSE) filesystem
Do mention "allow_other" option if you want to access EncFS mounted directory from a non-root app
Do mention "umask=" option if you want to read/write encrypted files from a non-root app
"uid" and "gid" need to be set if you want to give some specific non-root app write access to the filesystem. Otherwise "allow_other" and "umask" can suffice.
Disable "Mount Namespace Separation" option in SuperSU app if:
EncFS is to be mounted feom CLI (Terminal Emulator) app and not by some boot script or from adb shell, and
You want to access EncFS mounted directory from some app other than the root shell in CLI app
bastei said:
Development of Cryptonite seems quite inactive unfortunately. But there is a fork that seems to have some fixes for building, a build script and build instructions.
Click to expand...
Click to collapse
Latest EncFS binary is available here. Thanks to @DualJoe. It works with Android Oreo as well. However, overlapping with already mounted FUSE or sdcardfs (a FUSE-like filesystem implemented in Android 8+ that works in kernel space) should be avoided.
This is my understanding of EncFS and FUSE. Correct me if I'm wrong.

You could use /mnt/encfs. I think it might not be affected by namespace isolation.

DualJoe said:
You could use /mnt/encfs. I think it might not be affected by namespace isolation.
Click to expand...
Click to collapse
It didn't work for me. What I have understood is that mount namespace isolation implemented by SuperSU app is totally independent of that implemented by AOSP on emulated storage. SuperSU grants root access on the basis of app, not path. When an app requests root rights from SuperSU, a new namespace is created in which all global mounts are cloned. Now it's up to that app what it does with the mountpoints, not affecting any other process. So the path where filesystem is mounted doesn't matter. Also whatever location we choose, mount call won't be successful without root. I have added a few lines about this in my previous post.

Are you sure you're invoking 'mount' with 'su -mm'?
I can only speak for my system (LOS13, Magisk) but i can mount cifs or ecryptfs on any place (/data/media/0, /mnt/*) without problems. Magisk is still set to default namespace option (inherited). The '-mm' switch is always 'global namespace' though as it's primarily intended for public mounting (as described in 'su --help').

DualJoe said:
Are you sure you're invoking 'mount' with 'su -mm'?
I can only speak for my system (LOS13, Magisk) but i can mount cifs or ecryptfs on any place (/data/media/0, /mnt/*) without problems. Magisk is still set to default namespace option (inherited). The '-mm' switch is always 'global namespace' though as it's primarily intended for public mounting (as described in 'su --help').
Click to expand...
Click to collapse
Yes definitely 'su -mm' mounts in global namespace. I was talking about simple mount command from a su shell, without '-mm'.

After putting password in terminal after encfs command, does nothing. Means decrypted directory always remain empty. any idea how to resolve this ? Android 13
Edit1: now this working but new issue came which ia mentioned in next post.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

i using below command:
su -mm -c "encfs --public -o nonempty,allow_other,rw,noatime,noexec,nodev,nosuid,gid=9997,umask=006 -S /mnt/runtime/write/3B86-9400/.encrypted /mnt/runtime/write/emulated/0/decrypted"
I can see content in the file manager only but not gallery.
After Android media store refresh only content of decrypted folder showing in gallery but content of sub folder of decrypted folder is not showing in the gallery.
Any idea how to resolve this issue.

Launch Linux without vnc

I'm new to the forum so please pardon me if my english or explainations are not perfect.
I post here to explain a way to launch linux from android without vnc.
We need to stop android services to do that, but as already explain in other topics, the framebuffer access seems to be blocked on android 4.4 (or above).
I found that the framebuffer can still be accessed but just at the beginning of the boot process.
A way to launch linux is thus to modify the file "/system/etc/install-revovery.sh" (sometimes it is under "/system/bin") wich is started just at the same moment with other android services.
You can for instance add in that file:
busybox mount /dev/block/mmcblk1p1 /mnt/asec
# were mmcblk1p1 is your sdcard
if [ -e /mnt/asec/start.sh ] ; then
setprop ctl.stop zygote
setprop.ctl.stop bootanim
setprop ctl.stop surfaceflinger
setprop ctl.stop servicemanager
# (you should stop all services showed in /init.rc that restart other services)
# (you can repeat the setprop ctl.stop two or three times to be sure they are stopped)
exec busybox chroot /mnt/asec /start.sh
fi
In your sdcard, you should install a linux-arm system (for instance debian, can be done with linuxdeploy app), and place a file "start.sh" like this one:
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
mount -t tmpfs none /dev
mount -t proc none /proc
mount -t sysfs none /sys
sleep 1
busybox mdev -s
# (busybox should be installed in the linux-arm system)
mkdir /dev/pts
mount -t devpts none /dev/pts
sleep 1
sudo startx -- vt1
If you reboot your device within your sdcard insert, linux should start. If something goes wrong, just reboot the device without the sdcard (long-press power), and android should restart.
If your kernel doesn't have tty support, it can also work. Just add in the "install-recovery.sh" file:
( while [ 1 ]
do
echo 0>/sys/class/graphics/fb0/rotate
busybox sleep 0.01
done ) &
And in your start.sh you should replace the last line with:
ln -s /dev/null /dev/tty1
sudo startx -- vt1 -sharevts
(I learn this trick by examin the source code of linuxdeploy, wich use it too).
If you're lucky, touchscreen will work (with default evdev driver that comes with linux).
If not, you can try tslib driver (search for "tslib" and "xf86-input-tslib" on olimex website or other places on the web).
For this be aware they are some patchs to apply (can be found on olimex website) and you should compile.
However when sucessfull it seems to work on a good number of devices (you can also try some "tslib-multitouch" patchs that make the driver work on some other devices).
For the keyboard you can use matchbox-keyboard program for instance, wich use the touchscreen to emulate the keyboard.
I've tested this method on two tablets (an allwinner and a rockchip) and on a Wiko phone (MediaTek processor). It has worked for each of three.
Be carefull nevertheless when modifying "install-recovery.sh" (wrong manipulations can brick your device, you are warned, I shall not be responsable for any damage).
Thanks.

Thank you kind sir. This is what I have searching for.

honestly it's kind of funny to know that I've scoured the internet looking for this and it's been right here the whole time I just didn't do a search on this site for whatever stupid reason. you are a gentleman and a scholar, thank you for your time.

Allow bash script to remount /system as rw at boot CM 12.1 and selinux

Hi all,
Trying to build CM 12.1 for the old otter2. Everything works but the previous developers has a shell script that runs from init.d that remounts system as rw, calibrates the wifi adapter then remounts as ro.
Im having issues with selinux allowing me to do this. I've added the appropriate sepolicy to the .te but this is in violation of a global denyall.
Code:
allow fixmac labeledfs:filesystem remount;
So when I build i get this:
Code:
libsepol.report_failure: neverallow on line 268 of external/sepolicy/domain.te (or line 8279 of policy.conf) violated by allow fixmac labeledfs:filesystem { remount };
libsepol.check_assertions: 1 neverallow failures occurred
This is the offending policy:
Code:
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
And the offedning mount point:
Code:
/dev/block/platform/omap/omap_hsmmc.1/by-name/system /system ext4 ro,seclabel,relatime,user_xattr,barrier=1,data=ordered 0 0
Whats the right way to allow me to mount the fs rw so I can write the calibration file? As far as I can tell it needs to be done at boot for each device. I could add the firmware to the image but then everyone would have the same mac address.
I can run the script without issue via an adb shell, but I assume root doesn't care about selinux policies?

can anyone help with this at all? Seems fairly straight forward but for selinux.

Not that I know selinux any better than anyone else, but couldn't you turn it off the script is ran? I am assuming you have root, right? E.g.
setenforce 0 && calibrate-wifi.sh ; setenforce 1