Hi,
I am one of those who want to upload a custom kernel to my Nexus S (SHW-M200K, which is the Korean model). When I updated my Android by the methods in the Android source, it worked.
I also downloaded the Android kernel using the following commands.
Code:
$ git clone samsung.git kernel
$ git branch -a
$ git checkout remotes/origin/android-samsung-2.6.35-gingerbread
And I configured the kernel using herring_defconfig without any modification. The compilation was okay, but the device cannot be booted. I used fastboot to flash my new kernel into the device.
I am wondering how to make the device boot with my new kernel.
Second, I want to see the kernel boot log. The device is not working with my kernel, so I cannot use adb shell dmesg. Is there a way to see the device's serial output? And is there a way to configure the kernel to make it show kernel logs on the microUSB port?
I googled and found some links (unfortunately I cannot paste the URL because I am a newbie), but it did not work in my environment. The contents of the link use a 150k resistor to link ID and GND of the microUSB port and link D+/D- to a UART port.
I also found some threads about the Nexus S's kernel console out, but they have a little message which makes me confused.
I also found a microUSB to serial cable, which is named FlexSerial™ Serial (RS232) Data Cable for Samsung Nexus S. I also cannot attach URL links, but you can easily find the module using Google. I am not sure whether it will work or not. Has anybody used this device?
Finally, I also wonder if there is a specific kernel configuration to see the kernel's serial output.
It would be very nice if you let me know how to do it or give me useful links.
Thanks in advance.
Saurik's mempodroid exploit needs the offsets of the "exit" and "setresuid" function calls in order to work.
Here's a tool that may find these two offsets while running on your ICS device and give you the mempodroid command line to run for gaining a temporary root shell.
This tool doesn't add any capability to Saurik's exploit.
Please let me know if you have any idea for improvement.
Feel free to use this tool, at your own risk.
1- download and unzip
2- push the two binaries to /data/local/tmp with adb
3- chmod 755
4- run n95-offsets
5- copy / paste the command line given by the tool
If the trick works, you will see the $ prompt change to a # one.
Hope it will help.
Hi,
It doesn't work on the HTC One X with 4.0.3.
cheers
starbase64
Already too old
Hi,
The Mempodipper / mempodroid exploit uses a serious security hole in Linux kernels 2.6.39 and higher, making some noise in the Linux world. A patch was given by Linus Torvalds himself in late January.
It always takes some time to deploy patched kernels, but by now most of them are probably mempodroid-resistant.
Wait for the next...
I just updated my Samsung Galaxy Nexus from 4.0.2 to 4.0.4. Before that, I could root it using the command line provided by saurik:
Galaxy Nexus 4.0.2: 0xd7f4 0xad4b
source: https://github.com/saurik/mempodroid
After the update, I did not manage to root it, so I came to this topic after some research on xda.
Unfortunately, it looks like the 4.0.4 update patches this hole on the Galaxy Nexus (or the n95-offsets tool does not work, which is probably not the case). Here for the record is what is returned by the tool:
Code:
shell@android:/data/local/tmp $ ./n95-offsets
n95-offsets by Nesquick95
Gets requiered offsets for mempodroid exploit
./mempodroid 0xd7cc 0xad27 sh
1|shell@android:/data/local/tmp $ ./mempodroid 0xd7cc 0xad27 sh
1|shell@android:/data/local/tmp $
No root shell given. Any proof of the vulnerability being patched with 4.0.3 or 4.0.4?
No proof but...
Hi,
I've also lost mempodroid rooting capacity when upgrading my Galaxy Nexus from 4.0.2 to 4.0.4.
The tool can be wrong, but I mainly think that the hole has been patched. But you're right, no proof of it until now.
Nesquick95 said:
Hi,
I've also lost mempodroid rooting capacity when upgrading my Galaxy Nexus from 4.0.2 to 4.0.4.
The tool can be wrong, but I mainly think that the hole has been patched. But you're right, no proof of it until now.
Yes, I think that too. How did you manage to get 4.0.4 rooted then? Did you unlock the bootloader or did you use another root exploit?
Unlocked
I've rooted 4.0.4 by unlocking the bootloader, flashing ClockworkMod recovery, then an update.zip containing only the su binary.
I'd have preferred keeping the stock bootloader locked, but there are not so many kernel exploits around here for now, and I haven't got time for testing other devices' (Acer, Sony,...) specific exploits on the Gnex...
If you're interested, you can take a look at Dan Rosenberg's work, in addition to all the great things already done here at XDA:
http://vulnfactory.org/blog/
Nesquick95 said:
Saurik's mempodroid exploit needs the offsets of the "exit" and "setresuid" function calls in order to work.
Here's a tool that may find these two offsets while running on your ICS device and give you the mempodroid command line to run for gaining a temporary root shell.
This tool doesn't add any capability to Saurik's exploit.
Please let me know if you have any idea for improvement.
Feel free to use this tool, at your own risk.
1- download and unzip
2- push the two binaries to /data/local/tmp with adb
3- chmod 755
4- run n95-offsets
5- copy / paste the command line given by the tool
If the trick works, you will see the $ prompt change to a # one.
Hope it will help.
Hi Nesquick. I need to compile this source and mempodroid for a MIPS tablet (4.0.3 ICS and 3.0.8 kernel), since it seems that it cannot be rooted. Can't adb root or su. Do you think that it could be used, or could you help generating the binaries for MIPS?
Thanks in advance
Hi,
Hard to say if it will work or not... Your 3.0.8 kernel may be a good candidate as long as it hasn't been mempodroid-patched by the tablet's provider.
I have Google NDK r7 installed; it offers only x86 and ARM support. It seems that MIPS support comes with r8:
http://developer.android.com/sdk/ndk/index.html
You'll find the perl script used to compile my C programs attached (thanks to the author, Andrew Ross). I think it won't be too hard to adapt it to the NDK r8 / MIPS platform...
The offset of "exit" is wrong
Nesquick95 said:
Saurik's mempodroid exploit needs the offsets of the "exit" and "setresuid" function calls in order to work.
Here's a tool that may find these two offsets while running on your ICS device and give you the mempodroid command line to run for gaining a temporary root shell.
This tool doesn't add any capability to Saurik's exploit.
Please let me know if you have any idea for improvement.
Feel free to use this tool, at your own risk.
1- download and unzip
2- push the two binaries to /data/local/tmp with adb
3- chmod 755
4- run n95-offsets
5- copy / paste the command line given by the tool
If the trick works, you will see the $ prompt change to a # one.
Hope it will help.
This is ok, great!!!
n95-offsets can work
olive360 said:
Hi, I get the offsets with n95-offsets
The offset of "exit" is wrong
The offset of "setresuid" is right
My cell's offsets are 0xd524 0xab8f
The offsets obtained with n95-offsets are 0x8003 0xab8f
Sorry, I made a mistake. n95-offsets can work; I have rooted using it.
Thanks!!! It works with my Yifang / Mediacom MD 860 S2 (generic ICS 4.0.4 tablet on a Cortex A9 platform)
Hi, I've a Mediacom 715i (new one with 4.0.4). I've used n95-offsets to find the two offsets, then I've executed mempodroid, but it doesn't work. I still have the '$' prompt. Any idea?
Has anyone tested if it works on our tab or not.... Plus, does anyone know how to find the power output of our tab's USB host mode????
I'll be getting my new USB OTG cable soon, so I'll also try and post the result....
For those who don't know about pppwidget, it's an app which allows you to use your 3G/2G stick (dongle) on your tab using the OTG cable...
Market link
Read more about the project here..
Hi, thanks for this information. I tried this and it requires extra kernel modules (option, which is not included in the cm10 kernel).
proudfoot said:
Hi, thanks for this information. I tried this and it requires extra kernel modules (option, which is not included in the cm10 kernel).
Can you please tell the steps you took and the result you got... This isn't supposed to need any modules except usb_modeswitch, which it already includes.... It works on CM10 Nexus 7 too... Which dongle did you use???
Yup, it works; it requires a couple of modules not included in the cm10 p5100 kernel. I already built the modules (see attachment). Enjoy
I use a ZTE CDMA modem; that modem requires the 'option' module, but most 3G/CDMA dongles use this module.
You just need to copy those modules to /system/lib/modules.
edit: forgot to actually attach the modules ~_~
Update: VPN doesn't seem to work with pppwidget.
Update2: works, needs to manually set the gateway
cool... I'll get back to you in a couple of days (waiting for my new OTG cable)... can you please give the .c file for the modules also... still learning all this stuff so it will be helpful....
kan_bleach said:
cool... I'll get back to you in a couple of days (waiting for my new OTG cable)... can you please give the .c file for the modules also... still learning all this stuff so it will be helpful....
clone it from here -> https://github.com/cmenard/android_kernel_samsung_espresso10
as for compiling it, follow/adapt this tutorial -> http://stevechui.blogspot.com/2011/10/compiling-kernel-modules-tunko-for.html
It's giving 'port not found'.... any solutions??
Did you directly connect the dongle to the tab or use a powered hub???
kan_bleach said:
It's giving 'port not found'.... any solutions??
Did you directly connect the dongle to the tab or use a powered hub???
Directly, what does the log (it should be in /sdcard/pppwidget/log/) say?
edit: actually, with this -> http://www.amazon.com/Samsung-EPL-1PL0BEGXAR-USB-Connection-Kit/dp/B005518J6Q it still counts as direct, right?
proudfoot said:
Directly, what does the log (it should be in /sdcard/pppwidget/log/) say?
edit: actually, with this -> http://www.amazon.com/Samsung-EPL-1PL0BEGXAR-USB-Connection-Kit/dp/B005518J6Q it still counts as direct, right?
Yup, that's direct
Checked the log... mod_switch successful, but loading the option module fails... option.ko is in the correct folder..
I tried insmod but it says operation not permitted...
Tried su and then insmod but then it says failed (trying using terminal emulator)..
kan_bleach said:
Yup, that's direct
Checked the log... mod_switch successful, but loading the option module fails... option.ko is in the correct folder..
I tried insmod but it says operation not permitted...
Tried su and then insmod but then it says failed (trying using terminal emulator)..
Your option.ko is probably not compatible with the kernel. Try to do
Code:
strings option.ko | grep vermagic
uname -a
and compare both outputs; they should be similar.
Also, if you use insmod I think you'll need to insmod usb_wwan.ko first, because option.ko depends on that module, so it should be
Code:
insmod usb_wwan.ko
insmod option.ko
then move the pppwidget to the launcher and plug in the dongle.
proudfoot said:
Your option.ko is probably not compatible with the kernel. Try to do
Code:
strings option.ko | grep vermagic
uname -a
and compare both outputs; they should be similar.
Also, if you use insmod I think you'll need to insmod usb_wwan.ko first, because option.ko depends on that module, so it should be
Code:
insmod usb_wwan.ko
insmod option.ko
then move the pppwidget to the launcher and plug in the dongle.
Tried the command... the output is the same... still not able to use insmod...
Log
Code:
USB_ModeSwitch log from Sat Oct 27 16:23:19 IST 2012
Raw args from udev: 1-1.4/1-1.4:1.0
Using top device dir /sys/bus/usb/devices/1-1.4
----------------
USB values from sysfs:
manufacturer ZTE, Incorporated
product USB Storage
serial 000000000002
----------------
bNumConfigurations is 1 - don't check for active configuration
SCSI attributes not needed, moving on
checking config: /data/data/de.draisberghof.pppwidget/app_tmp/19d2.fff5
! matched. Reading config data
config: TargetVendor set to 19d2
config: TargetProductList set to fff1,fffe,ffff
Driver module is "option", ID path is /sys/bus/usb-serial/drivers/option1
Logger is: /system/bin/log
Command to be run:
usb_modeswitch -I -W -D -s 20 -u -1 -b 1 -g 14 -v 19d2 -p fff5 -f $configBuffer
Verbose debug output of usb_modeswitch and libusb follows
(Note that some USB errors are to be expected in the process)
--------------------------------
Reading long config from command line
* usb_modeswitch: handle USB devices with multiple modes
* Version 1.2.4 (C) Josua Dietze 2012
* Based on libusb0 (0.1.12 and above)
! PLEASE REPORT NEW CONFIGURATIONS !
DefaultVendor= 0x19d2
DefaultProduct= 0xfff5
TargetVendor= 0x19d2
TargetProduct= not set
TargetClass= not set
TargetProductList="fff1,fffe,ffff"
DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
QisdaMode=0
GCTMode=0
KobilMode=0
SequansMode=0
MobileActionMode=0
CiscoMode=0
MessageEndpoint= not set
MessageContent="5553424312345678c00000008000069f030000000000000000000000000000"
NeedResponse=0
ResponseEndpoint= not set
InquireDevice disabled
Success check enabled, max. wait time 20 seconds
System integration mode enabled
Use given bus/device number: 001/014 ...
Looking for default devices ...
bus/device number matched
searching devices, found USB ID 19d2:fff5
found matching vendor ID
found matching product ID
adding device
Found device in default mode, class or configuration (1)
Skipping the check for the current configuration
Using interface number 0
Using endpoints 0x0a (out) and 0x89 (in)
USB description data (for identification)
-------------------------
Manufacturer: ZTE, Incorporated
Product: USB Storage
Serial No.: 000000000002
-------------------------
Looking for active driver ...
OK, driver found; name unknown, limitation of libusb1
OK, driver "unkown" detached
Setting up communication with interface 0
Using endpoint 0x0a for message sending ...
Trying to send message 1 to endpoint 0x0a ...
OK, message successfully sent
Resetting response endpoint 0x89
Resetting message endpoint 0x0a
Could not reset endpoint (probably harmless): -34
Device is gone, skipping any further commands
Bus/dev search active, referring success check to wrapper. Bye.
ok:busdev
--------------------------------
(end of usb_modeswitch output)
Checking success of mode switch for max. 20 seconds ...
Waiting for device file system (1 sec.) ...
Reading attributes ...
All attributes matched
Mode switching was successful, found 19d2:fff1 (ZTE, Incorporated: ZTE CDMA Tech)
Now checking for bound driver ...
No driver has bound to interface 0
Module loader is /system/bin/insmod
Trying to find module "option"
Have you tried inserting those modules manually first, before running pppwidget and plugging in the dongle? I think we use the same dongle, so it should work ~_~
Anyway, this is how I got this to work:
1. create the directory /data/local/modules/ on the tab
2. move all those modules (option.ko, usb_wwan.ko, ppp_async.ko) to this directory.
3. su and insmod all those modules:
Code:
insmod /data/local/modules/usb_wwan.ko
insmod /data/local/modules/option.ko
insmod /data/local/modules/ppp_async.ko
4. move pppwidget to the launcher and plug in the dongle.
optional:
create this script and put it in the /data/local/userinit.d/93loadmod directory
Code:
#!/system/bin/sh
/system/bin/insmod /data/local/modules/usb_wwan.ko
/system/bin/insmod /data/local/modules/option.ko
/system/bin/insmod /data/local/modules/ppp_async.ko
so it will load all those modules at boot time.
I am doing the same thing... but insmod is giving an error.
When I run the insmod command I get
Code:
insmod: init_module 'usb_wwan.ko' failed(Exec format error)
kan_bleach said:
insmod: init_module 'usb_wwan.ko' failed(Exec format error)
From a bit of googling it looks like your module is not built for your kernel (or even built for the wrong architecture). What is your kernel? And where do you get the modules: do you compile them yourself or are they from somebody else?
Try to do dmesg after you do insmod to see more information.
btw, the module that I have posted only works for p5100 and the cm10 kernel (3.0.8-CM-g11fad65)
proudfoot said:
From a bit of googling it looks like your module is not built for your kernel (or even built for the wrong architecture). What is your kernel? And where do you get the modules: do you compile them yourself or are they from somebody else?
Try to do dmesg after you do insmod to see more information.
btw, the module that I have posted only works for p5100 and the cm10 kernel (3.0.8-CM-g11fad65)
I used the modules you posted... I am using the CMOC-10 kernel.... Maybe that is the issue... But the kernels are supposed to be identical except for the OC and the governors feature... I am on 3.0.8-CM-gbd034d0
kan_bleach said:
gbd034d0
Yup, that's the problem: it needs to have the same extra version number even though it comes from the same source. I guess I could compile it for you.
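A script for the check proudfoot describes earlier (compare the module's vermagic string with the running kernel, and load usb_wwan before option) and for the extraversion mismatch identified in this reply, as an added example; it is not proudfoot's, pppwidget's or the thread's code. The module bytes are constructed here from the kind of strings a real .ko carries in its .modinfo section (the same string `strings option.ko | grep vermagic` prints), the two kernel releases are the ones quoted in the thread, and the depends= value is an assumption limited to what the thread states (option needs usb_wwan).

```python
"""Check a kernel module's vermagic against the running kernel before insmod.

Every Linux .ko carries NUL-terminated key=value strings in its .modinfo
section; the first token of 'vermagic=' is the kernel release the module was
built for, which must equal `uname -r` or the kernel refuses to load it.
"""
import re
import platform

# Constructed stand-in for a .ko file (not a real module): only the
# .modinfo strings matter for this check. depends= is an assumption.
SAMPLE_KO = (
    b"\x7fELF" + b"\x00" * 12
    + b"depends=usb_wwan\x00"
    + b"vermagic=3.0.8-CM-g11fad65 SMP preempt mod_unload ARMv7 \x00"
    + b"license=GPL\x00"
)


def module_vermagic(blob: bytes) -> str:
    """Return the full vermagic string from module bytes, or '' if absent."""
    m = re.search(rb"vermagic=([^\x00]*)\x00", blob)
    return m.group(1).decode("ascii", "replace").strip() if m else ""


def module_depends(blob: bytes) -> list:
    """Return the modules listed in depends=, i.e. what must be insmod'ed first."""
    m = re.search(rb"depends=([^\x00]*)\x00", blob)
    return [d for d in m.group(1).decode("ascii", "replace").split(",") if d] if m else []


def check_module(blob: bytes, running_release: str) -> dict:
    """Compare the module's kernel release (first vermagic token) with the running kernel.

    The verdict carries both strings, so a mismatch like the thread's
    3.0.8-CM-g11fad65 (module) vs 3.0.8-CM-gbd034d0 (kernel) is visible at a glance.
    """
    vermagic = module_vermagic(blob)
    release = vermagic.split(" ", 1)[0] if vermagic else ""
    return {
        "module_release": release,
        "running_release": running_release,
        "compatible": bool(release) and release == running_release,
        "depends": module_depends(blob),
    }


if __name__ == "__main__":
    # On the device: blob = open("/data/local/modules/option.ko", "rb").read()
    # and running_release = platform.release() (what `uname -r` prints).
    print("running kernel here:", platform.release())
    for rel in ("3.0.8-CM-g11fad65", "3.0.8-CM-gbd034d0"):
        print(check_module(SAMPLE_KO, rel))
```

Run it on the device against the real file and `platform.release()`; a False verdict means the module was built for a different kernel build (or architecture) and insmod will refuse it, and the depends list gives the order in which the modules have to be inserted.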
proudfoot said:
Yup, that's the problem: it needs to have the same extra version number even though it comes from the same source. I guess I could compile it for you.
Please do...
kan_bleach said:
Please do...
Here. I hope it works, because it comes from the cm10 source; I only changed the extra version to match yours.
proudfoot said:
Here. I hope it works, because it comes from the cm10 source; I only changed the extra version to match yours.
Thanks, I'll try and post the result... can you give me the GitHub link for the cm10 kernel for our tab???
Hi, I have SBKv2 TF101.
I am using Tubuntu, with Net-Install Ubuntu (V0.7).
I have updated my kernel with 2.6.36.4.img as mentioned in Tubuntu installation guide.
Now my problem is I cannot connect to the internet to download stuff.
When the terminal is opened, the "ifconfig" command only shows the lo interface. Furthermore, "ifconfig wlan0 up" gives a "No such device" error.
When I type setup and get into configuring wpa_gui, I do not see any adapters. I get a "could not get status from wpa_supplicant" error. I have seen a few people getting this message but could not find any actual post telling step by step what to do. I don't know how to configure wpa_supplicant.
Any help is appreciated!
Thanks!
Did you check this guide? They have steps to make wpa work.
Other than that... I don't have linux running on the device right now, but in some linux distributions unconfigured devices won't appear in ifconfig, you have to "ifconfig -a" to see them. Otherwise, in a console try something like:
sudo dmesg |grep -iE 'wpa|network'
and see if that returns any results/errors/etc. Sorry I can't be of obvious help, like if it's a known issue or whatnot other than the original post I referred you to.
Lethe6 said:
Did you check this guide? They have steps to make wpa work.
Other than that... I don't have linux running on the device right now, but in some linux distributions unconfigured devices won't appear in ifconfig, you have to "ifconfig -a" to see them. Otherwise, in a console try something like:
sudo dmesg |grep -iE 'wpa|network'
and see if that returns any results/errors/etc. Sorry I can't be of obvious help, like if it's a known issue or whatnot other than the original post I referred you to.
At this step:
"7. Execute this command: wpa_supplicant -B -c/etc/wpa_supplicant.con -iwlan0" I get an error for wlan0, which is "no such device".
"ifconfig -a" does not show any wireless related devices either...
sarpk said:
At this step:
"7. Execute this command: wpa_supplicant -B -c/etc/wpa_supplicant.con -iwlan0" I get an error for wlan0, which is "no such device".
"ifconfig -a" does not show any wireless related devices either...
I updated my guide. Can you try the command again, only this time make sure it says wpa_supplicant.conf?
I missed the f at the end of conf. Let me know.
Hello everybody. I need help figuring out what command line configuration to put inside of the parentheses of
Code:
fastboot -c " "
How can I find out what command line to put in so that I can use
Code:
fastboot boot
Apparently since Android 4.4 you can no longer simply do the command
Code:
fastboot boot img.img
and you have to do it something like
Code:
fastboot -c "console=ttyHSL0,115200,n8 androidboot.hardware=mako lge.kcal=0|0|0|x" img.img
or
Code:
fastboot -c "lge.kcal=0|0|0|x" boot img.img
or else it won't boot. The above commands work for the Nexus 4. I do not have the source for my device, but I do have the boot.img and zImage. My device is an Amazon Fire HD6. Thanks!
So that is your CMDLINE. You can get the default CMDLINE from the stock boot.img. If you are on Ubuntu, you can
Code:
apt-get install abootimg
, then
Code:
abootimg -x path/to/boot.img
The file named something.cfg will contain the stock CMDLINE. Hope that helps.
AdamOutler said:
So that is your CMDLINE. You can get the default CMDLINE from the stock boot.img. If you are on Ubuntu, you can
Code:
apt-get install abootimg
, then
Code:
abootimg -x path/to/boot.img
The file named something.cfg will contain the stock CMDLINE. Hope that helps.
I appreciate your reply. Neat tool. Before I was using unpackbootimg and it would create a blank boot.img-cmdline file. I just tried out your method and got similar results:
Code:
bootsize = 0x51f100
pagesize = 0x800
kerneladdr = 0x10008000
ramdiskaddr = 0x11000000
secondaddr = 0x10f00000
tagsaddr = 0x10000100
name =
cmdline =
I am guessing that the image should not require an additional command line param. But I am unable to boot even the stock boot img with fastboot boot. Is this a result of a locked bootloader?
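The fields abootimg writes into its .cfg come straight from the boot image header, so they can be read without either tool. The parser below is an added example for this thread, not abootimg's or unpackbootimg's code; it implements the classic (version 0) boot_img_hdr layout from the AOSP mkbootimg sources: the 8-byte "ANDROID!" magic, then kernel/ramdisk/second sizes and load addresses, the tags address, the page size, two unused words, a 16-byte product name, a 512-byte kernel command line and an 8-word id. The sample image is constructed here using the load addresses and page size quoted above; its kernel, ramdisk and cmdline are made up for the demonstration, and an empty cmdline field like the one in the output above simply parses as an empty string.

```python
"""Parse (and build) a version-0 Android boot image header.

Added example: reproduces the fields abootimg prints (bootsize aside), so
you can inspect a boot.img's cmdline with nothing but Python.
"""
import struct
import sys

HDR_FMT = "<8s10I16s512s8I"   # little-endian v0 boot_img_hdr, 608 bytes
HDR_SIZE = struct.calcsize(HDR_FMT)
MAGIC = b"ANDROID!"


def parse_boot_header(img: bytes) -> dict:
    """Return the header fields as a dict; raise ValueError if this is not a boot image."""
    if len(img) < HDR_SIZE or img[:8] != MAGIC:
        raise ValueError("not an Android boot image (bad magic or truncated header)")
    f = struct.unpack(HDR_FMT, img[:HDR_SIZE])
    # f[0] magic, f[1:11] ten u32 words, f[11] name, f[12] cmdline, f[13:21] id
    (kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
     second_addr, tags_addr, page_size, _unused0, _unused1) = f[1:11]
    cstr = lambda b: b.split(b"\x00", 1)[0].decode("ascii", "replace")
    return {
        "kernel_size": kernel_size, "kernel_addr": kernel_addr,
        "ramdisk_size": ramdisk_size, "ramdisk_addr": ramdisk_addr,
        "second_size": second_size, "second_addr": second_addr,
        "tags_addr": tags_addr, "page_size": page_size,
        "name": cstr(f[11]), "cmdline": cstr(f[12]),
    }


def build_boot_image(kernel: bytes, ramdisk: bytes, cmdline: str, page_size=0x800,
                     kernel_addr=0x10008000, ramdisk_addr=0x11000000,
                     second_addr=0x10f00000, tags_addr=0x10000100) -> bytes:
    """Assemble a minimal v0 image: header page, then page-aligned kernel and ramdisk."""
    def page_pad(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % page_size)
    hdr = struct.pack(HDR_FMT, MAGIC, len(kernel), kernel_addr, len(ramdisk), ramdisk_addr,
                      0, second_addr, tags_addr, page_size, 0, 0,
                      b"", cmdline.encode("ascii"), *([0] * 8))
    return page_pad(hdr) + page_pad(kernel) + page_pad(ramdisk)


# Constructed sample: fake kernel and ramdisk bytes and a made-up serial-console cmdline.
SAMPLE_CMDLINE = "console=ttyS0,115200n8 androidboot.hardware=example"
SAMPLE_IMG = build_boot_image(b"\x00" * 100, b"\x1f\x8b" + b"\x00" * 50, SAMPLE_CMDLINE)


if __name__ == "__main__":
    # Usage: python bootimg_hdr.py path/to/boot.img   (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMG
    for key, val in parse_boot_header(data).items():
        print(f"{key} = {val:#x}" if isinstance(val, int) else f"{key} = {val}")
```

The magic check is what tells a boot image apart from a bare zImage or a signed container, so a ValueError on a file you expected to be a boot.img is itself useful information; later header versions append fields after the id, but the first 608 bytes keep this layout.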
powerpoint45 said:
I appreciate your reply. Neat tool. Before I was using unpackbootimg and it would create a blank boot.img-cmdline file. I just tried out your method and got similar results:
Code:
bootsize = 0x51f100
pagesize = 0x800
kerneladdr = 0x10008000
ramdiskaddr = 0x11000000
secondaddr = 0x10f00000
tagsaddr = 0x10000100
name =
cmdline =
I am guessing that the image should not require an additional command line param. But I am unable to boot even the stock boot img with fastboot boot. Is this a result of a locked bootloader?
Well, you'd need UART to debug it... That's the CONSOLE parameter which you mentioned earlier.
AdamOutler said:
Well, you'd need UART to debug it... That's the CONSOLE parameter which you mentioned earlier.
I have never done UART but am willing to learn. This may be a long shot, but I took some HD pictures of the motherboard. Would you happen to know where the UART connectors are?
drive.google.com/folderview?id=0Bx_94ujbh0qodjhua0FrUGNjc1U#
This thread may have better pictures forum.xda-developers.com/fire-hd/help/jtag-t2933430
powerpoint45 said:
I have never done UART but am willing to learn. This may be a long shot, but I took some HD pictures of the motherboard. Would you happen to know where the UART connectors are?
drive.google.com/folderview?id=0Bx_94ujbh0qodjhua0FrUGNjc1U#
This thread may have better pictures forum.xda-developers.com/fire-hd/help/jtag-t2933430
I'd need a device to probe. The jdebug and jdbg2 look interesting. I can't tell by looking. I'd need to hook up an oscilloscope.
AdamOutler said:
I'd need a device to probe. The jdebug and jdbg2 look interesting. I can't tell by looking. I'd need to hook up an oscilloscope.
Oh alright. So I'm looking at the type of tools I would need. I see that you have used a Bus Pirate in one of your videos. Would that be all that is needed, or would I also need something like http://www.amazon.com/CP2102-UART-6...?ie=UTF8&qid=1420152323&sr=8-12&keywords=UART to read the logs?
I found the Bus Pirate here: http://www.amazon.com/SparkFun-Bus-...TF8&qid=1420153058&sr=8-1&keywords=bus+pirate
The Fire HD6 starts at $99 USD. If you wanted, I could send you about $70 if you were willing to help out in the HD6 community (; Just an offer.
Edit:
I just built a USB to UART with my Arduino. Tested on my Raspberry Pi. Will look into the ports.
AdamOutler said:
I'd need a device to probe. The jdebug and jdbg2 look interesting. I can't tell by looking. I'd need to hook up an oscilloscope.
Thanks for all your help. I just found the UART port on the Fire HD6! Will be doing testing soon. http://forum.xda-developers.com/fire-hd/development/uart-port-fire-hd6-t2991474