[Guide] [Tweaks] Android Security Hardening - Android General

Lately I have been researching how to further secure Android against exploits, malware, and privacy issues. Some, if not most, of this guide is for the more paranoid users, but I believe it is useful information for everyone. I will try to keep it as easy to follow as possible.
Part 1 - ADB & Root:
What is ADB:
ADB (a.k.a. the Android Debug Bridge) is a tool used by developers to allow access to an Android device via a computer. The program consists of a server (ADBD) which lives on the phone/tablet and the client (ADB) which lives on the computer. This allows devs to quickly access logs and install applications over a command shell.
The Threat:
While ADB is useful, if it is left on an attacker can use it to gain access to the device and dump logs, bypass the lock screen, root the device, steal credentials and more. One such attack is Kos' P2P-ADB. This framework allows an attacker to bypass most (if not all) security if ADB is enabled on the device.
The Solution:
The easiest solution is to simply disable debugging. The setting is disabled by default, but most custom ROMs have it enabled. To disable it (on ICS/JB) go to:
Code:
Settings ---> Developer Options ---> Android Debugging
Ensure Android debugging is unchecked.
For the more paranoid:
ADB actually relies on the ADBD binary. On most AOSP ROMs the binary is stored in /sbin/adbd. If you change the permissions to 000 it can no longer execute and can't be used at all. One way to achieve this is by using this init.d script:
Code:
#!/system/bin/sh
# Disable the adbd daemon
mount -o rw,remount -t rootfs rootfs /
chmod 000 /sbin/adbd
mount -o ro,remount -t rootfs rootfs /
mount -o ro,remount /system
Save the code to a file called 99secure and place it in /etc/init.d/. If your ROM supports init.d, the script will execute on boot and remove the adbd permissions so it can't run.
What is root/superuser:
The superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator, admin or supervisor. In some cases the actual name is not significant, rather an authorization flag in the user's profile determines if administrative functions can be performed.
The root user has full access to the system and can perform almost any task. Most custom ROMs ship with root enabled.
The problem:
Running with root enabled is inherently insecure. If a malicious app is allowed to run with root permissions it has full access to the system and can do whatever it wants (delete information, steal passwords, keylog, activate the camera, etc.).
The Solution:
If you are running a CyanogenMod Rom you can disable root by going to:
Code:
Settings ---> Developer Options ---> Root Access ---> Disabled
Alternatively you can change the permissions of the "su" binary to 000 with:
Code:
mount -o rw,remount /system
chmod 000 /system/xbin/su
mount -o ro,remount /system
Part 2 - Bluetooth:
Bluetooth is a great technology that allows close range (~30m) wireless communication between devices such as headsets and speaker phones.
The Problem:
Bluetooth is a wide open hole for an attacker to gain access to your device. There are multiple exploits against Bluetooth (such as bluejacking). While most aren't widely used, Bluetooth should be disabled when not in use.
The Solution:
Disable bluetooth via the settings app:
Code:
Settings ---> Bluetooth ---> Off
Alternatively you can disable the bluetooth service/daemon:
Code:
mount -o rw,remount /system
chmod 000 /system/bin/bluetoothd
mount -o ro,remount /system
and even the bluetooth device (this was done on a Galaxy Nexus running CM10 JB):
Code:
mount -o rw,remount /system
chmod 000 /dev/ttyO1
mount -o ro,remount /system
After that is done, Bluetooth can no longer be turned on by accident or by a malicious attacker (provided they don't have root).
Part 3 - NFC:
What is NFC:
Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimetres. Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi.[1] Communication is also possible between an NFC device and an unpowered NFC chip, called a "tag".[2]
NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 and FeliCa.[3] The standards include ISO/IEC 18092[4] and those defined by the NFC Forum, which was founded in 2004 by Nokia, Philips and Sony, and now has more than 160 members. The Forum also promotes NFC and certifies device compliance.[5]
As per Wikipedia
The Problem:
This year at defcon NFC was shown to be vulnerable to attack (http://forum.xda-developers.com/showthread.php?t=1832186). Another example is the recent Samsung Exploit which can be executed by NFC tags as well.
The Solution:
NFC can be disabled by:
Code:
Settings ---> Wireless & Networks ---> NFC
Alternatively you can disable the NFC Device:
Code:
mount -o rw,remount /system
chmod 000 /dev/ttyO3
mount -o ro,remount /system
Part 4 - Network Attacks:
Just like a computer, Android is susceptible to attacks over the network. Below is an init.d script that will harden the TCP/IP stack:
Code:
# hardening TCP/IP stack for IPV4
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # ignore ICMP echo sent to broadcast addresses
sysctl -w net.ipv4.conf.all.accept_redirects=0 # do not accept ICMP redirects (IPv4)
sysctl -w net.ipv6.conf.all.accept_redirects=0 # do not accept ICMP redirects (IPv6)
sysctl -w net.ipv4.conf.all.send_redirects=0 # do not send ICMP redirects
sysctl -w net.ipv4.conf.all.accept_source_route=0 # disable source routing
sysctl -w net.ipv4.conf.all.forwarding=0 # do not forward traffic
sysctl -w net.ipv4.conf.all.rp_filter=1 # enable reverse-path filtering
sysctl -w net.ipv4.conf.all.log_martians=1 # log martian packets
sysctl -w net.ipv4.tcp_max_syn_backlog=1280 # queue size for half-open TCP connections
sysctl -w net.ipv4.ip_forward=0 # do not forward IPv4 traffic
sysctl -w net.ipv4.tcp_syncookies=1 # enable SYN cookies
Android also runs iptables (a firewall). You can change this by script or with a nice GUI tool called Droid Wall.
Part 5 - Removing unneeded applications:
These commands will remove some applications that aren't needed and may have internet access. The bottom ones are kept for root only:
Code:
rm -f /system/xbin/irssi
rm -f /system/xbin/nano
rm -f /system/xbin/nc
rm -f /system/xbin/telnet
rm -f /system/xbin/telnetd
rm -f /system/xbin/opcontrol
chmod 740 /system/xbin/rsync
chmod 740 /system/xbin/strace
chmod 000 /system/bin/bluetoothd
chmod 750 /system/bin/iptables
chmod 750 /system/bin/ping
There may be more you want to remove like ssh.
I personally removed "Packet Management" as well to prevent installing apps over USB:
Code:
# disable the Packet Management binary
chmod 000 /system/bin/pm
Part 6 - Removing APK's:
You can also remove unneeded APK's by:
Code:
mount -o rw,remount /system
rm -r /system/app/[apk name here]
mount -o ro,remount /system
I removed these apps:
Bluetooth.apk
NFC.apk
Development.apk
DrmProvider.apk (You may not want to do this if you use the playstore)
Email.apk ( I use K-9 instead)
Exchange.apk (I don't need it you may)
PackageInstaller.apk ( Used to install apps. Don't remove if you want to install apps).
What apps you can and can't remove
Part 7 - Misc:
Personally I don't use the Play Store/Google Framework as it sends back WAY too much info for me to trust it. I also recommend using Full Device Encryption and a secure kernel such as FuguMod.
A lot of the information I got is from this SANS guide
I will be posting more as I look into other security options
Let me know if I missed anything and please hit thanks if I helped at all.
Below is the init.d script I am using (modified from the SANS guide) *** ONLY TESTED ON A GSM GALAXY NEXUS ***:
Code:
#!/system/bin/sh
# Customize some parameters and lockout the SO
# July 2011
mount -o rw,remount /system
# Disable Bluetooth
chmod 000 /dev/ttyO1
#Disable NFC
chmod 000 /dev/ttyO3
# hardening TCP/IP stack for IPV4/IPV6
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # ignore ICMP echo sent to broadcast addresses
sysctl -w net.ipv4.conf.all.accept_redirects=0 # do not accept ICMP redirects (IPv4)
sysctl -w net.ipv6.conf.all.accept_redirects=0 # do not accept ICMP redirects (IPv6)
sysctl -w net.ipv4.conf.all.send_redirects=0 # do not send ICMP redirects
sysctl -w net.ipv4.conf.all.accept_source_route=0 # disable source routing
sysctl -w net.ipv4.conf.all.forwarding=0 # do not forward traffic
sysctl -w net.ipv4.conf.all.rp_filter=1 # enable reverse-path filtering
sysctl -w net.ipv4.conf.all.log_martians=1 # log martian packets
sysctl -w net.ipv4.tcp_max_syn_backlog=1280 # queue size for half-open TCP connections
sysctl -w net.ipv4.ip_forward=0 # do not forward IPv4 traffic
sysctl -w net.ipv4.tcp_syncookies=1 # enable SYN cookies
# Removing/ disabling unnecessary binaries. Some of them have access to Internet
rm -f /system/xbin/irssi
rm -f /system/xbin/nano
rm -f /system/xbin/nc
rm -f /system/xbin/telnet
rm -f /system/xbin/telnetd
rm -f /system/xbin/opcontrol
chmod 740 /system/xbin/rsync
chmod 740 /system/xbin/strace
chmod 000 /system/bin/bluetoothd
chmod 750 /system/bin/iptables
chmod 750 /system/bin/ping
## This is the last step of the hardening
# do a backup before
# disable the Packet Management binary
chmod 000 /system/bin/pm
# Disable the adbd daemon
mount -o rw,remount -t rootfs rootfs /
chmod 000 /sbin/adbd
mount -o ro,remount -t rootfs rootfs /
mount -o ro,remount /system
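
An init.d script like the one above fails silently if the ROM skips it or a path differs, so it is worth checking the result after a reboot. The following is an added example, not part of the original post: it audits the file modes, removed binaries and sysctl values this guide sets. The function names and the root-prefix argument are assumptions of this example, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit the state this guide's hardening steps should leave.
# The argument to audit_hardening is a path prefix (an assumption of this
# example): "" on a live device, or a mounted image / test tree offline.

# Binaries the guide sets to mode 000.
LOCKED_BINARIES="/sbin/adbd /system/xbin/su /system/bin/pm /system/bin/bluetoothd"
# Binaries the guide deletes.
REMOVED_BINARIES="/system/xbin/nc /system/xbin/telnet /system/xbin/telnetd"
# sysctl keys and the values the guide writes.
SYSCTLS="
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_max_syn_backlog=1280
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
"

# Prints one line per finding; returns 0 only when nothing failed.
audit_hardening() {
    root=$1
    failures=0
    for f in $LOCKED_BINARIES; do
        path="$root$f"
        [ -e "$path" ] || continue          # absent: nothing left to execute
        perms=$(ls -ld "$path" | cut -c2-10)
        if [ "$perms" != "---------" ]; then
            echo "FAIL mode $f ($perms, expected ---------)"
            failures=$((failures + 1))
        fi
    done
    for f in $REMOVED_BINARIES; do
        if [ -e "$root$f" ]; then
            echo "FAIL present $f"
            failures=$((failures + 1))
        fi
    done
    for kv in $SYSCTLS; do
        key=${kv%%=*}
        want=${kv#*=}
        file="$root/proc/sys/$(echo "$key" | tr . /)"
        if [ ! -r "$file" ]; then
            echo "SKIP sysctl $key (not exposed by this kernel)"
            continue
        fi
        have=$(tr -d ' \t\n' < "$file")
        if [ "$have" != "$want" ]; then
            echo "FAIL sysctl $key=$have (expected $want)"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample tree: adbd is locked, but su is still executable,
# telnetd was not removed and IP forwarding is still on.
make_sample_tree() {
    tree=$1
    mkdir -p "$tree/sbin" "$tree/system/bin" "$tree/system/xbin" \
             "$tree/proc/sys/net/ipv4"
    : > "$tree/sbin/adbd";      chmod 000 "$tree/sbin/adbd"
    : > "$tree/system/xbin/su"; chmod 755 "$tree/system/xbin/su"
    : > "$tree/system/xbin/telnetd"
    echo 1 > "$tree/proc/sys/net/ipv4/tcp_syncookies"
    echo 1 > "$tree/proc/sys/net/ipv4/ip_forward"
}

# Demo run against the constructed tree.
sample_root=$(mktemp -d)
make_sample_tree "$sample_root"
if audit_hardening "$sample_root"; then
    echo "RESULT: hardened"
else
    echo "RESULT: not hardened"
fi
rm -rf "$sample_root"
```

On a device, call `audit_hardening ""` from a root shell so the real /sbin, /system and /proc/sys paths are checked.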

Hardening android
How can I harden Android to block certain websites or filter porn sites?

Have you made any further progress with locking down your phone? I switched from iPhone to Android and I can't help but feel that the iPhone was more secure. A lot of my concern is that on Android I notice that even with a PIN lock sometimes apps run on top of it, and if you have a lock screen it sometimes seems to circumvent PIN codes altogether. Is the security of the phone now based on how secure the lock screen is?
As for your mods, It seems like most, if not all, of these mods require root access. Are you suggesting it is more secure to root your device and perform these mods than to leave it stock?
Also, how vulnerable is it to have a phone with an unlocked bootloader and a custom recovery? Doesn't that make it easier for someone with physical access to compromise your phone? I understand you can enable encryption which only encrypts the data partition but what about if the phone is already started up? Is there a way to harden it from physical attack other than disabling ADB?
Thank you
Josh

inaxsesable said:
Have you made any further progress with locking down your phone? I switched from iPhone to Android and I can't help but feel that the iPhone was more secure. A lot of my concern is that on Android I notice that even with a PIN lock sometimes apps run on top of it, and if you have a lock screen it sometimes seems to circumvent PIN codes altogether. Is the security of the phone now based on how secure the lock screen is?
As for your mods, It seems like most, if not all, of these mods require root access. Are you suggesting it is more secure to root your device and perform these mods than to leave it stock?
Also, how vulnerable is it to have a phone with an unlocked bootloader and a custom recovery? Doesn't that make it easier for someone with physical access to compromise your phone? I understand you can enable encryption which only encrypts the data partition but what about if the phone is already started up? Is there a way to harden it from physical attack other than disabling ADB?
Thank you
Josh
Check out my other threads for more information and tweaks like secdroid. As far as iOS goes, it's pitiful for security. I work in computer forensics and the iPhone is the easiest phone to pull data off of. If you want security and/or encryption, stick with Android. iOS encryption is defeated by simply turning the phone on (it loads the keys automatically from hardware). If you need more help please PM me, as I can reply quicker there!
Sent from my Nexus 4 using xda premium

Check out Secdroid. The thread is still here somewhere or go straight to Google Play...
Sent from my Nexus 10 using xda app-developers app

Tor has a comprehensive how-to
Tor has a comprehensive how-to @ their blog called "mission-impossible-hardening-android-security-and-privacy"

Related

A Real Linux Android System

Before reading.
This article requires that your phone is Rooted and has Busybox installed.
HTC owners, S-off your phone as well.
Android is a great operating system for smartphones. The only problem with it (from a more technical user's point of view) is the small, useless, bad excuse of a Linux system running behind the UI. Some of the smaller issues can be fixed by installing Busybox, which provides a better basic set of tools to work with, but it's not enough. What I would like is to be able to use almost any real Linux CLI application, daemon, library etc. Also some compilers would be great. I'm using an HTC Desire which has more than enough power to do things like compiling (I know, I have done it), and so have a lot of other smartphones. Why would one need this when there are cross compilers you can use on regular and faster machines? Well, because it's fun, why else. I did not spend all that money on a smartphone just to make a few phone calls and write a few text messages. My old Sony Ericsson did that quite well. I spent that money to get a phone with many possibilities that I could play with.
I tried to search the web for some helpful instructions on how to port a real Linux system to this phone. What I mostly got was people who ported Linux systems that would run as an extra OS on the phone, some even with an X server accessible via VNC. Sounds fun, but not what I was after. I did not want an extra OS using CPU and unnecessary RAM. I just wanted some extra tools, libs etc. to work with and the regular Linux user management. I managed to find an old article from someone using Debian's armel version on an old G1 phone. I thought that if it worked on that phone, it would be possible to do so on mine. So I started playing around with that.
The way this works is by installing a bare-minimum Debian on a second partition. This will not boot anything up, since it will just work as extra tools and libs using the already booted Android Linux system. You will still only have one OS but more tools (including the nice APT package system) to work with.
Now there are two ways of using Debian on Android.
The first way is to set up Debian in a chroot environment. This has some flaws: I have not yet been able to make the chroot start second jobs, which means that you will be able to start applications and daemons running in the current shell session, but you will not be able to make them run in the background. As a development environment it will still work great, as you will be able to use the Debian libs and compilers.
The second way (the way I was after) is to set up Debian using the AUFS kernel module. This is used to merge directories into one with different rules for each. For example, you would be able to merge /debian_root/etc and /system/etc into a shared /etc with RW on Debian's etc and RO on Android's, forcing any changes to be made in /debian_root/etc. Using this option you will use Debian to extend the Android Linux part: Android UI with Debian shell.
This article is split into 3 parts. The first part is the setup of Debian. Must be done whether you want chroot or a merged system. In the second part we will cover the setup of the chroot environment.
The third part is the setup of the merged system. This will require one thing in order to work.
You will need a kernel with the aufs module, which is not default in most Android kernels. You will need to compile your own kernel. People using the Thalamus kernel can download a kernel with this module: kernel-2.6.37.2_AUFS.zip. A big thanks to Thalamus for providing this. Note that this kernel was a special request from me that he was kind enough to provide. It comes with absolutely no guarantees. Do not email spam him about errors you might encounter using it, as this is not an official release.
Note that once you mount the Debian system, you will not be able to mount the SD Card when connecting it to your PC. You can download the App “Multi Mount SD-Card” from Market which will be able to mount your SD Card on your PC while mounted on your phone. This app should also speed up transfers on 2.6.37 kernels, or so I have heard.
Part 1: Building Debian
We are going to run Debian from a file containing an ext2 filesystem. If your SD card is big enough you might be able to create an extra partition and force it to mount as something else other than ext-sd, but in this article we are going to use a partitioned file.
Also, this will require that you have the tool "debootstrap" on your PC. This is found in Ubuntu and Debian; I don't know about other Linux distros or operating systems. If you don't use Linux or a distro with debootstrap you can download an Ubuntu Live CD from the Ubuntu website. This can be run on CD, DVD and USB disks without installing it. For this article I have used Ubuntu 10.10.
Open a terminal on your Ubuntu/Debian/LiveCD PC and cd to the folder where you want to temporarily store your Debian. I will call this path "debian_dir".
The first thing we will do is to create the partitioned file.
I'm creating a file with 1.5GB of space. You can create the size you want.
Don't use 0 in the size, dd doesn't like that.
Code:
cd debian_dir
dd if=/dev/zero of=debian.img seek=1499999999 bs=1 count=1
mke2fs -F debian.img
mkdir debian
mount -o loop debian.img debian/
Now that we have created the file and mounted it, we should download and place Debian inside of it. First we will install debootstrap.
Code:
apt-get install debootstrap
debootstrap --arch armel --foreign squeeze debian http://ftp.us.debian.org/debian
umount debian/
Debian Squeeze is Debian 6.0 which replaces the old Lenny.
Copy the debian.img file to your SD Card on your phone. I placed mine in the root of the SD Card.
Now open a terminal on your phone. You can download one from Market. There are some free ones, but the paid "Better Terminal" is the best to work with in my opinion.
Note: All shell work is done on the phone from now on.
First we need some temp. exports.
Type the following:
Code:
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
export HOME=/root
export TERM=linux
export DM=/data/local/debian
export DI=/sdcard/debian.img
Now we will create the Debian dir and then create a loop device which we will use to mount the Debian image to the Debian dir.
Code:
mkdir -p $DM
mknod /dev/loop0 b 7 0
mount -o loop,noatime $DI $DM
Now that we have Debian mounted in our Debian folder, we need to finalize the installation. Not all files have been installed yet. Don't forget to activate Mobile Network or Wifi.
Code:
chroot $DM /debootstrap/debootstrap --second-stage
We also need to insert the Debian repository and a DNS (I use OpenDNS).
You can use whatever you want for the DNS, your router's IP for example. It should have some default IPs configured.
Code:
echo "deb http://ftp.us.debian.org/debian squeeze main contrib non-free" > $DM/etc/apt/sources.list
echo "nameserver 208.67.222.222" > $DM/etc/resolv.conf
Now change the root to the Debian dir, set a root password and make sure that certain folders already exist.
Code:
chroot $DM /bin/bash
passwd root
mkdir root
exit
Now we need to make sure that certain variables exist and that the values are as they should be. So we will alter the /system/bin/sh that Android uses as login shell.
Code:
cd /system/bin
mv sh sh0
Create a new /system/bin/sh file with the following content.
This will ensure that these variables are created and/or changed every time you enter a new shell session. You can call another shell like bash or ash instead of /system/xbin/sh, just make sure to use ash or sh at the top, since bash does not seem to understand $@
Warning: It is very important that the /system/bin/sh file is made correctly. Android will not boot if anything is wrong with this file. It should be exactly like the one I posted, and you cannot make it on your PC and push it to the phone. Don't know why, it works fine with other shell scripts, but not that one.
Enter an adb shell from your PC and use vi or nano (you can download nano here) to copy and paste the content directly into the ADB shell.
Note: ADB from the recovery will always work. It does not use /system/bin/sh
Code:
#!/system/xbin/sh
/system/xbin/sh --login "$@"
Make sure that it has execute rights. Then type sh in the terminal to make sure that it works before you close your ADB Shell session.
Code:
chmod a+x /system/bin/sh
sh
sh0 will not be used; it's up to you whether you want to save it or not. Just make sure that /system/xbin/sh exists, otherwise copy /system/bin/sh0 to /system/xbin/sh.
Now we need the profile file that is needed by this method. This file will make sure that we have all our variables and the data that they should contain.
Android does not keep very good track of these things. Place this data in the file /system/etc/profile
Code:
export TERM=linux
export TERMINFO=/etc/terminfo
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/vendor/bin:/system/bin:/system/xbin
if [ "$EUID" == "0" ]; then
    if [ -z "$HOME" ] || [ -z "$USER" ] || [ -z "$GROUPS" ]; then
        export HOME=/root
        export USER=root
        export GROUPS=0
    fi
else
    # Make sure that this user id variable exists.
    if [ -z "$EUID" ]; then
        export EUID=$(echo $(id | cut -d "(" -f 1) | cut -d "=" -f 2)
    fi
    # If we have an /etc/passwd file available,
    # we should also make sure to get name, group and home info from that file and
    # store in the default linux variables.
    if [ -f /etc/passwd ]; then
        # Create the user info variables based on user id and /etc/passwd
        export USER=$(grep "x:${EUID}:" /etc/passwd | cut -d : -f 1)
        export GROUPS=$(grep "x:${EUID}:" /etc/passwd | cut -d : -f 4)
        export HOME=$(grep "x:${EUID}:" /etc/passwd | cut -d : -f 6)
    fi
fi
export ADID=$EUID
if [ "$PS1" ]; then
    if [ "$BASH" ]; then
        # The file bash.bashrc already sets the default PS1.
        if [ ! -z "$HOME" ] && [ -f "$HOME/.bashrc" ]; then
            . "$HOME/.bashrc"
        elif [ -f /etc/bash.bashrc ]; then
            . /etc/bash.bashrc
        else
            export PS1='\h:\W\$ '
        fi
    else
        if [ "$EUID" == "0" ]; then
            PS1='\w # '
        else
            PS1='\w $ '
        fi
    fi
else
    PS1='\h:\W\$ '
fi
if [ -d /etc/profile.d ]; then
    for i in /etc/profile.d/*.sh; do
        if [ -r "$i" ]; then
            . "$i"
        fi
    done
    unset i
fi
We will also need an /etc/bash.bashrc, which is needed because /etc/profile is not always executed.
Code:
if [ "$ADID" != "$EUID" ]; then
    # Sometimes /etc/profile is not executed (for example when using Android's su command).
    # /etc/bash.bashrc however is used instead. So we just execute it manually in these cases.
    # If you create a local bashrc ($HOME/.bashrc), remember to include this check.
    # /etc/bash.bashrc is not used when a local file exists.
    if [ -f /etc/profile ]; then
        . /etc/profile
        # Since /etc/profile links back to this file,
        # we will make sure not to start an unending loop.
        # The profile file should update this, but it's better to be on the safe side.
        if [ "$ADID" != "$EUID" ]; then
            export ADID=$EUID
        fi
    fi
fi
PS1='\h:\W\$ '
And last we have some user and group configurations in order to make Debian work better with Android. Open your Android terminal emulator and make sure it opens as user and not root. Now type "/system/xbin/id".
What we need here is the uid, gid and the IDs of each associated group along with the names of it all. In my terminal I have "uid=10048(app_48) gid=10048(app_48) groups=1015(sdcard_rw),3003(inet)".
What we will do is create this user along with the groups in our Debian environment. However, I use the uid name and gid name "bterm" instead of app_48, but still with the original IDs. The inet and sdcard_rw groups will be created as system groups. Do the same for your app user and group if you don't want any login possibilities with this user. I however have assigned home and password to this user.
This needs to be done in chroot
Code:
chroot $DM /bin/bash
groupadd --system --gid 1015 sdcard_rw
groupadd --system --gid 3003 inet
groupadd --gid 10048 bterm
adduser --home /home/bterm --gid 10048 --uid 10048 bterm
gpasswd -a bterm sdcard_rw
gpasswd -a bterm inet
exit
Now you're ready for the next step. Remember that the user you have created is the user used by your terminal emulator when you are not logged on as root. This ID is only assigned to that specific app; if you install another terminal, it will get another ID.
Part 2 – Setting up a chroot environment
The best way of doing this is to make two small scripts and place them in /system/bin or /system/xbin: one script for doing the mount after phone boot, and one script for entering the chroot when opening a new shell session.
Here is the mounting script that I call mkdebian.
This needs to be executed once every time the phone has rebooted. If your ROM supports init scripts, you can add it there for auto-mount on boot.
Code:
#!/system/bin/sh
export DM=/data/local/debian
export DI=/sdcard/debian.img
# Create the loop device and mount the debian image
mknod /dev/loop0 b 7 0
mount -o loop,noatime $DI $DM
# Let's make sure that we can access our sd card from within the chroot
if [ ! -d "$DM/mnt/sdcard" ]; then
    mkdir $DM/mnt/sdcard
fi
mount --bind /mnt/sdcard $DM/mnt/sdcard
# Now we make sure that the chroot has access to all the device maps
if [ ! -d "$DM/dev" ]; then
    mkdir $DM/dev
fi
mount --bind /dev $DM/dev
# We also need to make proc, sys etc available from within the chroot
chroot $DM mount -t proc proc /proc
chroot $DM mount -t sysfs sysfs /sys
# And last fix the mtab
chroot $DM rm -f /etc/mtab
chroot $DM ln -s /proc/mounts /etc/mtab
echo "Debian was mounted in $DM/"
Now for the script that I called "debian".
This script will make you enter the chroot environment using one single command. Every time you exit the Debian chroot, you can enter back using the command "debian".
Code:
#!/system/bin/sh
chroot /data/local/debian/ /bin/bash
And that is it. Open a terminal, type debian and start using your Debian environment. It might be a good idea to run aptitude update or apt-get update before you start using the package manager.
Part 3 – Setting up a merged Android/Debian environment
This is the fun part to play with. A merged Android/Debian environment without the usage of chroot. This only requires a script to be executed at boot, or after boot.
Remember that this will not work unless your kernel has the aufs module.
Code:
#!/system/xbin/sh
export DM=/data/local/debian
export DI=/mnt/sdcard/debian.img
# Now we mount the debian image to our debian folder.
mknod /dev/loop0 b 7 0
mount -o loop,noatime $DI $DM
# These two directories exist in both android and debian,
# so these are going to be merged together.
mount -t aufs -o dirs=$DM/etc=rw:/system/etc=ro aufs /system/etc
# For some reason, mounting /sbin with aufs does not work.
# So we make a little cheat with symbolic links instead.
mount -o remount,rw /
mv /sbin /sbin0
ln -s $DM/sbin /
rm -rf /sbin/adbd
rm -rf /sbin/ueventd
ln -s /sbin0/adbd /sbin/
ln -s /sbin0/ueventd /sbin/
# Let's get all the debian root directories out to the real root dir.
rm -rf /root
for x in tmp root lib bin boot home media opt selinux srv usr var
do
    ln -s $DM/$x /
done
if [ -f /system/xbin/bash ]; then
    mount --bind /bin/bash /system/xbin/bash
    mount --bind /system/xbin/bash /system/xbin/sh
else
    mount --bind /bin/bash /system/xbin/sh
fi
echo "Debian has been merged with Android..."
Run this at startup and start using all of Debian's possibilities (don't run it yet).
The / dir is left with RW permissions. If this is set to RO then apt-get will not work. It writes tmp log files to this dir when running. It does not matter, since all changes to this dir are restored to default on every boot.
Also don't forget to run apt-get update or aptitude update to update the package list.
You are now able to install and run almost anything (CLI only) that runs on Debian systems and other Linux distros. Personally I'm currently running OpenSSH Server and Lighttpd with PHP. A perfect small transportable web server.
You can use either /etc/init.d/[your service] start
or
service [your service] start
to start daemons you have installed.
Now you can use the "mkdebian" command to merge your new Debian with Android.
Note: The command "su" from Debian works differently than the Android "su" command.
The Debian command uses the regular Linux management to provide access, which means that it will ask for the root password that you created in the first part. The Android command will just provide you with su rights without a password. Both commands provide su rights to both Android and Debian, so it is possible to remove the Android command and create a new Android/Java based SU app for the Android UI that will require a root password.
Note: There is a small problem with the Android "su" command. It does not recheck the /etc/profile.
That means that if you log on using the regular user and then use the "su" command, user variables do not get updated with su paths.
Using the Debian "su" command will work fine, just note that this command will prompt for a password. Also, logging in using the root account directly works fine.
Good luck
[Edit: 2011-03-09 11:06]
- Changed the /etc/profile script in Part 1
- Added /etc/bash.bashrc script in Part 1
- Changed User and Group setup and moved it from Part 3 to Part 1
- Fixed error in /system/bin/sh
All of this will fix some permission problems with Debian
[Edit: 2011-03-08 11:21]
- Fixed problems with user management by adding an /etc/profile and changing /system/bin/sh and the debian merge script. Using the "login" command is no longer needed.
[Edit: 2011-03-07 08:49]
- Fixed bug in Part 1 sh script.
[Edit: 2011-03-07 00:20]
- Added a new /system/bin/sh script to Part 1
- Added the way we create missing users and groups in Part 3
[Edit: 2011-03-06 19:36]
- Inserted a warning text in part 1 about avoiding problems when creating a new /system/bin/sh.
Applying Host name
If you want to set a custom hostname for your phone, you can create an init script (If your ROM supports it).
Code:
#!/system/bin/sh
# Get the hostname if it exists, or set it to localhost
if [ -f /system/etc/hostname ]; then
    _HOSTNAME=$(cat /system/etc/hostname)
    if [ -z "$_HOSTNAME" ]; then
        _HOSTNAME=localhost
    fi
else
    _HOSTNAME=localhost
fi
# Update the Hostname
echo "$_HOSTNAME" > /proc/sys/kernel/hostname
# Update the hosts file
echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
# If the hostname is not localhost, we add one more line to the hosts file
if [ "$_HOSTNAME" != "localhost" ]; then
    echo "127.0.0.1 $_HOSTNAME" >> /etc/hosts
fi
This will look in /system/etc/ for the regular linux hostname file. If it exists, it will take the hostname from that file and set as the global hostname.
If it does not exist, "localhost" is used instead. Also it creates the /system/etc/hosts file.
Add or Edit your hostname like this.
Code:
echo "myhostname" > /system/etc/hostname
Note: Remember to delete the hosts and hostname files in your Debian /etc/ dir when using the merged environment. Otherwise they will override the ones in /system/etc/, as Debian has first priority.
Manipulating the Android Permissions
Android's permissions work by providing a user ID for each application. This user (application) can then get a range of different permissions by being added to groups with the permissions required by the app. For example, an app that needs to write to the SD card should be a member of Android's sdcard_rw group, which translates into 1015 as a Linux group ID. Using the numeric values of the Android groups, we can assign these permissions to shell users, daemons etc.
An example:
I had problems with my Http Server because I wanted my www folder on my sdcard. But, the www-data user and group could not be allowed to write to the SD Card, which I needed it to do, because Android controls what permissions the SD Card should have, not even root can change that.
What I did was create a system group that I named sdcard_rw (same name as the Android one, just to better keep track of the groups) with the same ID as the Android sdcard_rw (1015). I then assigned that group to my www-data user (gpasswd -a www-data sdcard_rw) and now my lighttpd had Read/Write access to my sdcard.
You can use the same example for creating a regular SSH User by using the Android shell group or for any other type of user that needs some Android permissions to work properly.
[Edit: 2011-03-08 21:13]
- Added a permission example
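An added example, not part of the original post: once Android GIDs are handed to Debian accounts as described above, it is worth listing which accounts hold which Android permission. The function names and the sample group file are constructed for illustration; 1015 is the value given in the post, and the other GIDs are taken from AOSP's android_filesystem_config.h.

```shell
#!/bin/sh
# Added example: report which accounts in a Debian-style group file are
# members of groups whose GID matches an Android permission group.

# Map a numeric GID to the Android permission group it corresponds to.
# Returns non-zero for GIDs that carry no Android meaning.
android_gid_name() {
    case "$1" in
        1000) echo system ;;
        1015) echo sdcard_rw ;;      # value quoted in the post
        2000) echo shell ;;
        3001) echo net_bt_admin ;;
        3002) echo net_bt ;;
        3003) echo inet ;;
        3004) echo net_raw ;;
        3005) echo net_admin ;;
        *) return 1 ;;
    esac
}

# Reads group(5) lines on stdin (name:passwd:gid:member,member,...)
# and prints "member android_group gid" for each Android-privileged member.
audit_android_groups() {
    while IFS=: read -r name _pw gid members; do
        case "$name" in ''|'#'*) continue ;; esac
        aname=$(android_gid_name "$gid") || continue
        [ -n "$members" ] || continue
        old_ifs=$IFS; IFS=,
        for m in $members; do
            printf '%s %s %s\n' "$m" "$aname" "$gid"
        done
        IFS=$old_ifs
    done
}

# Constructed sample input, standing in for the merged /etc/group.
sample_group() {
    cat <<'EOF'
root:x:0:
www-data:x:33:
users:x:100:sshuser
sdcard_rw:x:1015:www-data
shell:x:2000:sshuser,backup
inet:x:3003:www-data,sshuser
EOF
}

sample_group | audit_android_groups
```

On a device, run it as `audit_android_groups < /etc/group` and review any daemon account that appears with more groups than it needs.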
Great...
I was just looking into this myself for the last few days.
strange how there isn't more of this being talked about.
at least I have been unable to find anything.
Omg this sounds awesome,
Will try this when u get home and will report back
Sent from my Nexus One using XDA App
I'm still trying to work out some problems with User Rights on SD Card. Can't get lighttpd to be allowed to create files in my SD Card www dir (Does not matter what user and group I set it to use). I can't even get the root account to be allowed to change permissions on SD Card files and folders. It's not the biggest problem, but will report back when I figure it out.
Nice! I've been constantly disappointed for the past year at how un-Linuxy Android is under the hood and unimpressed with the old chroot tricks. This looks much better and I'll try it soon.
I have added a new /system/bin/sh script that can be found in Part 1. This script will automatically look for bash and, if that exists, try to find bash.bashrc, .profile or .bashrc in /etc or the user's home dir. If bash does not exist, it looks for sh instead. If you have both one of the Android specific compiled bash, then Debian's bash is used when available as this is made to work in a real Linux environment. Android bash does not seem to work that way. Also Debian's packages get updates via APT.
Also I changed the way groups and users are created in Part 3. Manually inserting them to /etc/passwd, /etc/shadow and /etc/group did not seem to be enough. The users and groups were only half registered. For example, the command "login" gave me a lot of errors, and I had problems with user rights. By using adduser and addgroup in a chroot before the first merge, the user management seems to work as it should now.
I was playing with Debian on my phone just a few days ago too. I've found that same G1 article you mentioned, and installed Lenny in a chroot environment. Background daemons work fine for me, I've installed OpenSSH and I'm using ConnectBot connecting to 127.0.0.1 to get a terminal, so I don't have to chroot every time. I even have X with tightvnc server + android-vnc-viewer. Running the desktop Firefox on my phone is fun, although not very useful. I'm still thinking about what awesome things we could do with this that we couldn't otherwise.
Anyway, great howto.
Do you have any details on the Thalamus kernel? What phone is it for? Overclocked, audio hack, etc? Or is it just a vanilla kernel with the extra module?
What applications can we dream up?
The first thing that springs to mind is could this be used to create a low power server running bittorrent and the like?
Would a cheap device like the Vodafone 845 be under-powered for this?
Can you connect to a usb hub to allow multiple devices to be connected to it? I'm thinking usb network adapters, external storage, etc.
How much additional effort on top of this guide would be needed?
Just curious...
will not... - -!
Well I learned one thing. Don't make shell scripts when you are tired. I started a shell loop on phone bootup with my /system/bin/sh fix (which had been changed). When using the merged environment, you need (for now) to enter /bin/login when you open a new shell and login as user with the password you created in Part 3. This will make Debian take over the user management which among other things will make sure that the right variables etc. exist. I have tried to locate where Android controls new shell sessions, but I can't seem to find it.
When you make Debian take over, you can use your Linux shell as any other. .bashrc, .profile, /etc/bash.bashrc, /etc/profile files, change default shell (bash, sh, ash) in /etc/passwd and so on.
#9 Well the kernel is the same that is found in the Oxygen 2.0.1, so it's a Gingerbread ROM (2.3.3). If it works only in Oxygen, I don't know but I don't think so.
#10 He he, Could not say. For now I'm just trying to make it work as I want it to work. After that I might start playing around with different things.
The "login" command is no longer needed. I finally found a way to successfully control user variables and management, making Android and Debian work together as one when merging the two.
This is amazing. Totally going to do this later tonight when I get home.
If you merge using AUFS instead of making a chroot, you should perhaps use the system user (Id: 1000, Group: 1000) as the regular user.
There are only two static users in Android, 0 and 1000.
Android just isn't made to work as a multi-user system. This is how the Java UI is made, and we really need the Linux part to be compatible with that part of the OS. Instead of multi-users, Android uses its apps as users. Each app works as one user with a different ID. So the 10048 I used as regular user is just the ID of my "Better Terminal". Switching to another terminal app changed the EUID.
Use the root and only root to work with in the shell. And then delete Debian's "su" command and stick with the one from Android. Debian's needs all users that execute "su" to be written to the /etc/passwd.
All GNU tool and library, that's Great. thanks a lot.
I have added an example of how to apply Android rules to shell users, daemons etc. Some daemons will need this in order to function.
I have added this in Thread 2 below the hostname example.
I also changed the main Thread. Found a fix for the rest of the permission problems, including the Android "su" command issue.
I have tested this Android/Debian merge using several methods (ADB, SSH, different local terminals) and it worked on most. I had one problem with one local terminal app that did not execute /etc/profile and some Debian users in /etc/passwd that didn't either.
To fix this I changed /system/bin/sh from using "/system/xbin/sh --login [email protected]" to instead use "/system/xbin/sh --rcfile /system/etc/profile [email protected]". I then moved the Debians /bin/bash to /usr/bin/bash and made a similar script file in /bin/bash > "/usr/bin/bash --rcfile /etc/profile [email protected]". You can make the same for /bin/sh if you don't like using bash for your /etc/passwd users.
Remember to change the bash bind mount in the mkdebian script from /bin/bash to /usr/bin/bash
Use whatever method works on your phone.
This looks like a ton of fun, and could be very useful. I'd like to try this on my NookColor (N2Acard, CM7.1), probably using The Guardian Project's lilDebi image as a base. They go the chroot route with their installer, and I'm going to have to do some hacking on their scripts to make them work with the NookColor. I figure if I'm going to have to hack on it, I might as well put my efforts toward a more ideal solution.
Question: It doesn't look like the CM7.1 kernel supports aufs. That is,
Code:
cat /proc/filesystems
doesn't return aufs as one of the supported filesystems.
Aside from a lack of elegance, is there any reason we can't apply your /sbin workaround to "merging" the whole filesystem? [I recognize there's a certain amount of ignorance behind the question; I figure there's only one way to cure that: Ask.]
OR, how difficult might it be to take a complete CM7.1 kernel and add aufs support to it?
'preciate any help I can get!
mailman1175 said:
This looks like a ton of fun, and could be very useful. I'd like to try this on my NookColor (N2Acard, CM7.1), probably using The Guardian Project's lilDebi image as a base. They go the chroot route with their installer, and I'm going to have to do some hacking on their scripts to make them work with the NookColor. I figure if I'm going to have to hack on it, I might as well put my efforts toward a more ideal solution.
Question: It doesn't look like the CM7.1 kernel supports aufs. That is,
Code:
cat /proc/filesystems
doesn't return aufs as one of the supported filesystems.
Aside from a lack of elegance, is there any reason we can't apply your /sbin workaround to "merging" the whole filesystem? [I recognize there's a certain amount of ignorance behind the question; I figure there's only one way to cure that: Ask.]
OR, how difficult might it be to take a complete CM7.1 kernel and add aufs support to it?
'preciate any help I can get!
here's where you get aufs patches.
you'll have to build the kernel yourself to make it work.
to the OP:
using the aufs mount method instead of a chroot...
I have a small problem, I don't know if it shows up with your .img filesystem method, but with an sd-ext partition used instead of the .img file, apt-get fouls massively when trying to update/upgrade libc6.
it complains about the libc6*.so existing in two places at once, and requests the existing one be removed. If it's removed, then nothing in the Linux install works, because just about everything is compiled against libc. I can use busybox to manipulate files with the libc6 removed or hidden away, but can't seem to get past the error since dpkg and apt don't work without some version of libc installed.
Any hints/suggestions? I like your scripts a lot better than the chroot ones I cobbled together from everyone else's work last year for similar purposes before I got aufs working in a kernel.

How to Disable Carrier IQ

Hi Androiders,
If Carrier IQ has bothered you like it bugged the heck out of me, I have a solution for you. This is not for new users to try. I may try and create an app for this!
1) Create a text file (ciq-off) on your Linux system using the provided code. Windows users should use Notepad++. (Can’t have any pesky carriage return/line feeds in the file.)
2) Use “adb push” to store it on your SD card of your phone. (If you don’t know what adb is, you should have someone help you.)
3) Give the file execute permissions then run the file. ( chmod 644 ciq-off)
4) Your phone should reboot and Carrier IQ will be disabled not to return, even after reboot. (Note: Your carrier can remotely start the app.)
In a future posting, I will attempt to remove the .so files that allow execution. This is a complicated process and the research seems to stretch far and wide at times. However, with enough people using their minds on this issue Carrier IQ will be defeated someday.
[ciq-off script]
Code:
# Mount Filesystem Read/Write
grep " /system " /proc/mounts | awk '{system("mount -o rw,remount -t "$3" "$1" "$2)}'
#
# Enable Write to goldfish script
chmod 777 /system/etc/init.goldfish.sh
#
# Create append string for startup script
str=$(cat <<EOF
# Carrier IQ Disabler v1.0
su -c "setprop service.iq.active 0"
su -c "pm disable android/com.carrieriq.iqagent.service.IQService"
su -c "pm disable android/com.carrieriq.iqagent.service.receivers.BootCompletedReceiver"
su -c "pm disable android/com.carrieriq.iqagent.service.ui.DebugSettings"
su -c "pm disable android/com.carrieriq.iqagent.service.ui.ShowMessage"
su -c "pm disable android/com.carrieriq.iqagent.client.NativeClient"
su -c "pm disable android/com.carrieriq.iqagent.stdmetrics.survey.android.QuestionnaireLaunchActivity"
su -c "pm disable android/com.carrieriq.iqagent.stdmetrics.survey.android.QuestionnaireActivity"
EOF
)
#
# Append the string to the startup script
# (this step is absent from the script as posted; it is assumed from the comments around it)
echo "$str" >> /system/etc/init.goldfish.sh
#
# Return script previous permissions
chmod 550 /system/etc/init.goldfish.sh
#
# Reboot Phone
reboot
References:
http://forum.xda-developers.com/showthread.php?t=1373394
http://android-tricks.blogspot.com/2009/01/mount-filesystem-read-write.html
Users:
dmanbuhnik
JoshMiers

[ARMv7/Intel][Root][Busybox][init.d]Optware-ng: install pre-compiled native packages

This how-to describes how to bootstrap and configure Optware-ng. Optware-ng is my firmware-independent Optware fork. It allows you to install numerous pre-compiled packages.
Lists of available packages can be found here:
ARMv7 hardfloat
Intel
ARMv7 softfloat
And the project home is currently here:
https://github.com/alllexx88/Optware-ng
Some packages may not work, since not all of them are compatible with android, but most will. There're some pre-requisites you must satisfy before you can proceed:
1. You must be rooted
2. Optware-ng relies on some standard linux commands, the easiest way to make sure you have them is to install Busybox with all the links
3. We'll create Optware-ng initialization script in /system/etc/init.d, so init.d support is needed. If you don't have it, you can either add it (google for how-tos on doing this) or edit your init.rc android startup script to include Optware-ng initialization lines (though adding init.d support is still a better idea)
The following commands should be issued from terminal as root. I suggest you use some SSH server available on the Play Store, and connect via SSH from your PC.
1. This prepares needed environment:
- Optware-ng will be installed to /data/Optware-ng with /opt symlinked to it
- Optware-ng scripts rely on /bin/sh, so we symlink it to /system/bin/sh
- Optware-ng needs /tmp temp dir: we create 64Mb RAM disk there (you may adjust the size if you like)
Code:
mkdir -p /data/Optware-ng
mount -o remount,rw /
ln -s /data/Optware-ng /opt
mkdir /bin
ln -s /system/bin/sh /bin/sh
mkdir /tmp
chmod 777 /tmp
mount -t tmpfs -o size=64M tmpfs /tmp
mount -o remount,ro /
export PATH=$PATH:/opt/bin:/opt/sbin
2. This bootstraps the feed:
2.a) for ARMv7 hardfloat (most modern android devices):
Code:
cd /tmp
wget http://optware-ng.zyxmon.org/buildroot-armeabihf/buildroot-armeabihf-bootstrap.sh
sh buildroot-armeabihf-bootstrap.sh
2.b) for Intel:
Code:
cd /tmp
wget http://optware-ng.zyxmon.org/buildroot-i686/buildroot-i686-bootstrap.sh
sh buildroot-i686-bootstrap.sh
2.c) for the unlikely case where your device is ARMv7, but lacks FPU (softfloat feed):
Code:
cd /tmp
wget http://optware-ng.zyxmon.org/buildroot-armeabi-ng/buildroot-armeabi-ng-bootstrap.sh
sh buildroot-armeabi-ng-bootstrap.sh
Unless you're using ARMv7 softfloat feed, bootstrapping process may appear to be "stuck" on this:
Configuring glibc-locale
Generating locale-archive with default locales ...
Don't be frightened: if your device isn't too powerful, it indeed takes a lot of time, but you have to do this just once, so please be patient.
3. Make sure environment needed for Optware-ng is restored after reboots, and also run Optware-ng startup scripts on boot:
Create init.d startup script and make it executable
Code:
mount -o remount,rw /system
echo '#!/system/bin/sh
mount -o remount,rw /
ln -s /data/Optware-ng /opt
mkdir /bin
ln -s /system/bin/sh /bin/sh
mkdir /tmp
chmod 777 /tmp
mount -t tmpfs -o size=64M tmpfs /tmp
mount -o remount,ro /
sleep 2
export PATH=$PATH:/bin:/opt/bin:/opt/sbin
for script in `ls /opt/etc/init.d/S*`; do
$script start
done' > /system/etc/init.d/S99Optware-ng
chmod 755 /system/etc/init.d/S99Optware-ng
mount -o remount,ro /system
Once again, you may adjust this line
Code:
mount -t tmpfs -o size=64M tmpfs /tmp
if you want greater/lesser RAM disk on /tmp
(4.) You're basically done, but I suggest you now install Optware-ng's dropbear-android package to act as an SSH server:
Code:
ipkg update
ipkg install dropbear-android
dropbear configs are stored in /opt/etc/default/dropbear and by default are:
Code:
DROPBEAR_ENABLE=no
DROPBEAR_PORT=2222
DROPBEAR_PASSWORD=password
Run these commands to adjust configs, enable dropbear and start it:
(replace <*> strings with actual desired values)
Code:
sed -i -e '/^DROPBEAR_PORT=/s/=.*/=<YOUR_PORT>/' -e '/^DROPBEAR_PASSWORD=/s/=.*/=<YOUR_PASSWORD>/' -e '/^DROPBEAR_ENABLE=/s/=.*/=yes/' /opt/etc/default/dropbear
/opt/etc/init.d/S51dropbear start
Now you are advised to use dropbear as SSH server to play with Optware-ng: use 'root' user, '<YOUR_PASSWORD>' password and '<YOUR_PORT>' port
For better security you may use public key authorization only: set password to blank and add your public keys to /opt/etc/dropbear/authorized_keys (don't forget to `chmod 600 /opt/etc/dropbear/authorized_keys` after you create it!) and restart dropbear or just reboot.
P.S. I'm not exactly sure that this is the right place to post this, please move it if needed.
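An added example, not part of Optware-ng or the original post: a small audit of the dropbear settings file described above, flagging the shipped default password, any password login, and an authorized_keys file that is missing or not mode 600. The config keys and default paths are the ones quoted in the post; the function names and finding labels are made up here, and the demo config is constructed.

```shell
#!/bin/sh
# Added example: check the dropbear-android settings for the weak states
# the post mentions (default password, keys file not chmod 600).

# Print the value of KEY from FILE (the last assignment wins).
cfg_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# audit_dropbear [CONFIG] [AUTHORIZED_KEYS]
# Prints one finding per line; prints nothing for a disabled server or a
# key-only setup with a mode 600 keys file.
audit_dropbear() {
    conf=${1:-/opt/etc/default/dropbear}
    keys=${2:-/opt/etc/dropbear/authorized_keys}
    [ "$(cfg_get DROPBEAR_ENABLE "$conf")" = "yes" ] || return 0
    pass=$(cfg_get DROPBEAR_PASSWORD "$conf")
    if [ "$pass" = "password" ]; then
        echo "default-password: root login still uses the shipped default"
    elif [ -n "$pass" ]; then
        echo "password-auth: password login is enabled for root"
    fi
    if [ ! -s "$keys" ]; then
        [ -n "$pass" ] || echo "no-keys: password is blank and no public key is installed"
    elif [ -z "$(find "$keys" -prune -perm 600)" ]; then
        echo "keys-mode: $keys is not mode 600"
    fi
    return 0
}

# Demo on a constructed config: server enabled with the default values.
demo() {
    d=$(mktemp -d)
    printf 'DROPBEAR_ENABLE=yes\nDROPBEAR_PORT=2222\nDROPBEAR_PASSWORD=password\n' > "$d/dropbear"
    audit_dropbear "$d/dropbear" "$d/authorized_keys"
    rm -rf "$d"
}

demo
```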

[ROOT] [Magisk/Tasker] [Andromeda] Start Andromeda directly on boot from your phone

Hi,
You need to be rooted. Why use Andromeda if you are rooted, you might wonder. Well, it runs miles better; there is no difference in speed between a themed and a not themed app. With a root Substratum, the difference is quite noticeable, for the worse.
Plus, I used magisk, although it should also be runnable from within Tasker, Auto Tools, or something alike, or simply with /system/etc/init.d support, which my P20 Pro lacks. The init.d injector magisk module didn't work either.
Hence I've modified the official linux adb script to be run at init directly on the phone. Due to the missing init.d support on many phones, like mine, I placed the script on /magisk/.core/service.d since I already had magisk installed
I also
Code:
ln -s /magisk/.core/service.d /system/etc/init.d
to make it easier to remember and have init.d support
The sleep timer might need to be increased, I tried to wait for projekt.substratum to be running but it was not enough, so unless someone can shed light on what other process to wait for, the sleep will do.
So download the script, rename it to start_andromeda-android.sh, and
Code:
adb push start_andromeda-android.sh /magisk/.core/service.d/
adb shell
su
chown 0:0 /magisk/.core/service.d/start_andromeda-android.sh
chmod 0755 /magisk/.core/service.d/start_andromeda-android.sh
#### optional, if your phone lacks /system/etc/init.d support, and you want to simulate it with magisk
# mount -o remount,rw /system
## if /system/etc/init.d exists and is not functional, like on my P20 Pro, just do
# rm -fr /system/etc/init.d
# ln -s /magisk/.core/service.d /system/etc/init.d
# mount -o remount,ro /system
# start_andromeda-android.sh
Code:
#!/system/bin/sh
sleep 15
# Let's first grab the location where Andromeda is installed
pkg=$(pm path projekt.andromeda)
# Due to the way the output is formatted, we have to strip the "package:" prefix at the start
pkg=$(echo $pkg | cut -d : -f 2 | sed s/\\r//g)
# Now let's kill the running Andromeda services on the mobile device
kill=$(pidof andromeda)
# Check if we need to kill the existing pids, then kill them if need be
if [ -z "$kill" ]; then
    am force-stop projekt.substratum
    appops set projekt.andromeda RUN_IN_BACKGROUND allow
    appops set projekt.substratum RUN_IN_BACKGROUND allow
    CLASSPATH=$pkg app_process /system/bin --nice-name=andromeda projekt.andromeda.Andromeda &
else
    am force-stop projekt.substratum
    kill -9 $kill
    appops set projekt.andromeda RUN_IN_BACKGROUND allow
    appops set projekt.substratum RUN_IN_BACKGROUND allow
    CLASSPATH=$pkg app_process /system/bin --nice-name=andromeda projekt.andromeda.Andromeda &
fi

possible LG WebOS root with su

On further discussion with other users, this may only work from a remnant from the GetMeIn exploit, which I had attempted to use, but it was unable to map memory. Perhaps this in combination with GetMeIn may be of use to others.
- - - - - - - -
While awaiting the exciting news from retr0id RootMY.TV, I came across a very straightforward way to achieve root and escape chroot on an OLED55E6P with WebOS release 3.3.4 and firmware version 05.30.60.
I am still fiddling to find preferred method of establishing a permanent root remote shell, and will update later with that.
Curious if this works on your WebOS + Firmware versions?
This procedure opens a root shell over telnet outside of the chroot jail, that is connected to a TTY. Bash history is available across sessions, arrow keys and home/end keys function!
Code:
## Do normal procedure to install developer app, register at LG, enable keyserver, get key, save key, etc.
##Then:
ssh -i ~/.ssh/tv_webos -p 9922 [email protected]_IP "/bin/bash -i"
#Enter passphrase for key '~/.ssh/tv_webos':
#/bin/bash: can't access tty; job control turned off
#/media/developer $
su
#su: must be run from a terminal
#sad, but
/bin/busybox.suid su
Password: alpine
id
#uid=0(root) gid=0(root) groups=0(root),10(wheel),506(pulse-access),509(se),777(crashd)
/bin/busybox.nosuid chroot /proc/1/root
#/ # /bin/sh: can't access tty; job control turned off
##1st Time prepare directory, set root password###
mkdir -p /home/overlay/etc
mkdir -p /home/overlay/work
mount -t overlay overlay -o lowerdir=/etc:/media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service//binaries-armv71/opt/openssh/etc,upperdir=/home/overlay/etc,workdir=/home/overlay/work /etc
passwd
####
nohup telnetd -l /sbin/sulogin &
#### then from another terminal, run
telnet TV_IP
## dont break anything
Why didn't it work on my webOS 3.0 TV? It replied 'incorrect password'.
