Hello,
Has anyone taken a look at the bcm4329's kernel module? I've been looking around and trying to figure out how the Sprint Hotspot application works and I've found it calls the SIOCSIWPRIV system call on the interface to bring up this mode.
Does anyone have any experience on this matter? I'm looking to get infrastructure mode working.
My current approach is to write a native C app, do the ioctl with some sort of struct (I'm tempted just to memalloc and hand-write the first one), and see what happens.
The driver throws a bunch of debug info into the kernel log when you invoke the command, so it's dead easy to spot.
Any suggestions?
andrew500 said:
Hello,
Has anyone taken a look at the bcm4329's kernel module? I've been looking around and trying to figure out how the Sprint Hotspot application works and I've found it calls the SIOCSIWPRIV system call on the interface to bring up this mode.
Does anyone have any experience on this matter? I'm looking to get infrastructure mode working.
My current approach is to write a native C app, do the ioctl with some sort of struct (I'm tempted just to memalloc and hand-write the first one), and see what happens.
The driver throws a bunch of debug info into the kernel log when you invoke the command, so it's dead easy to spot.
Any suggestions?
I'm definitely not up to speed on this, but if you wanna post some links to the source files you're referencing, it might help me and anybody else who is interested to get up to speed quicker and provide suggestions.
appreciate your work on troubleshooting and experimenting with wifi tether!
joeykrim,
I'm knee deep in it right now. I'm taking the source code to iwconfig and using it as a template to implement the system calls I need, using a hybrid of the structs in wireless.h and in the bcm4329 driver source, from the bravo kernel. Basically I create a big struct in memory and pass it into the driver using a pointer to an iw_point struct, which holds my big master struct, and then the driver copies it out of user-space into kernel space and acts upon it.
I'll put together all the details once they are a little more solid.
It looks like infrastructure-mode on the EVO is a very distinct possibility; this code will also translate into the workaround for built-in tether on Froyo. From what I've seen, they are exclusively using this broadcom interface so far.
It's a hardware specific hack, but many of the phones that have come out lately are using the bcm4329 (and with good reason, the chip has freakin' everything).
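As an added example, not code from andrew500 or from the Broadcom driver: this is how a native user-space tool hands a buffer to a wireless driver through SIOCSIWPRIV using the wireless-extensions iwreq/iw_point structures described above. The interface name "eth0", the command string "RSSI" and the buffer size are assumptions for illustration; the page does not document the driver's private command set. The point to get right is u.data.length: the driver copies exactly that many bytes out of user space, so the request builder refuses anything that does not fit the caller's buffer.

```c
/* Added example: building and sending a SIOCSIWPRIV request with an iw_point
 * payload. Interface name, command string and buffer size are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <linux/wireless.h>

/* Fill wrq so that u.data points at buf, with the command string (plus its
 * terminating NUL) as the payload. Returns the payload length, or -1 when the
 * command or the interface name does not fit. The driver copies exactly
 * u.data.length bytes from u.data.pointer, so the length must never exceed
 * the real size of buf. */
int build_priv_request(struct iwreq *wrq, const char *ifname,
                       const char *cmd, char *buf, size_t buflen)
{
    size_t need = strlen(cmd) + 1;
    if (need > buflen || strlen(ifname) >= IFNAMSIZ)
        return -1;
    memset(wrq, 0, sizeof(*wrq));
    memcpy(wrq->ifr_name, ifname, strlen(ifname) + 1);
    memcpy(buf, cmd, need);
    wrq->u.data.pointer = buf;
    wrq->u.data.length = (unsigned short)need;  /* iw_point.length is 16 bits */
    wrq->u.data.flags = 0;
    return (int)need;
}

/* Send the request on a throwaway socket; the driver writes any reply back
 * into the same user buffer. Returns the ioctl result (negative on failure,
 * errno says why: EPERM, EOPNOTSUPP, ...). */
int send_priv_request(const char *ifname, const char *cmd,
                      char *buf, size_t buflen)
{
    struct iwreq wrq;
    int sock, ret;
    if (build_priv_request(&wrq, ifname, cmd, buf, buflen) < 0)
        return -1;
    sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0)
        return -1;
    ret = ioctl(sock, SIOCSIWPRIV, &wrq);
    close(sock);
    return ret;
}

int main(void)
{
    char buf[256];
    /* "eth0" and "RSSI" are assumed values; adjust for the target device. */
    if (send_priv_request("eth0", "RSSI", buf, sizeof buf) < 0) {
        perror("SIOCSIWPRIV");
        return 1;
    }
    buf[sizeof buf - 1] = '\0';  /* never trust the driver to terminate the reply */
    printf("driver replied: %s\n", buf);
    return 0;
}
```

The same length discipline applies on the kernel side: a driver that copies u.data.length bytes into a fixed stack or heap buffer without bounding the length is exactly the kind of ioctl handler that turns a root-only interface into a kernel memory corruption bug, which is worth checking while reading the bcm4329 source.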
Hi kernel hackers,
It is getting very silent recently about possible security hacks on the Milestone platform.
Today I stumbled over some kernel code located in /drivers/misc/sec.
Maybe this had been discussed already.... anyway
There are some interesting functions in the source code and I wonder which application is using this module to enter the secure world of OMAP.
Some of the functions are accessing registers, that are also involved in low level routines of the bootcode (e.g. mbmloader).
Some questions:
Which application in android userspace is using this module?
Could we tweak this module to get access to some of the protected OMAP registers?
Is it a signed module?
Would be nice to use a modified module and activate some of the blocked features (e.g. DAP controller for debugging).
Any comments welcome!!!
Regards,
scholbert
scholbert said:
Hi kernel hackers,
It is getting very silent recently about possible security hacks on the Milestone platform.
Today I stumbled over some kernel code located in /drivers/misc/sec.
Maybe this had been discussed already.... anyway
There are some interesting functions in the source code and I wonder which application is using this module to enter the secure world of OMAP.
Some of the functions are accessing registers, that are also involved in low level routines of the bootcode (e.g. mbmloader).
Some questions:
Which application in android userspace is using this module?
Could we tweak this module to get access to some of the protected OMAP registers?
Is it a signed module?
Would be nice to use a modified module and activate some of the blocked features (e.g. DAP controller for debugging).
Any comments welcome!!!
Regards,
scholbert
Well, I'm not a kernel hacker, but I have an educated guess...
I believe that the radio system uses those functions to check whether the kernel is valid or not, so, we have the radio not working with a replacement kernel that is loaded using kexec...
Perhaps, if it is possible to "change" this function using a module, we could get a function always telling the kernel is valid and have kexec working on Milestone. Again, I'm not a kernel hacker, but that is my guess.
Hi, I'm sorry that I won't be much help, but these guys might:
https://www.droid-developers.org/
irc://irc.freenode.net/#milestone-modding
Hi,
thanks for your comments so far.
To be more precise, I think this kernel driver is calling the secure monitor in some way. See here:
https://www.droid-developers.org/wiki/Secure_Monitor
There's also a structure defined in that driver. I think I'll have to compare some of the ioctl entries.
https://www.droid-developers.org/wiki/Secure_Services
I'll do some investigation on this issue and search the web for some userland source code using this driver.
Again, if someone knows more about it, you're welcome
Cheers,
scholbert
scholbert said:
Hi,
thanks for your comments so far.
To be more precise, I think this kernel driver is calling the secure monitor in some way. See here:
https://www.droid-developers.org/wiki/Secure_Monitor
There's also a structure defined in that driver. I think I'll have to compare some of the ioctl entries.
https://www.droid-developers.org/wiki/Secure_Services
I'll do some investigation on this issue and search the web for some userland source code using this driver.
Again, if someone knows more about it, you're welcome
Cheers,
scholbert
you don't have to search for the source, it's on SourceForge:
http://sourceforge.net/projects/milestone.motorola/files/
SophT said:
you don't have to search for the source, it's on SourceForge:
http://sourceforge.net/projects/milestone.motorola/files/
Yeah sure, I knew this
Anyway, thanks for the hyperlink!
In the meantime I grepped all binaries from the latest distribution.
I found out that two applications are using /dev/sec.
1. dbvc_atvc_property_set
2. tcmd
If someone knows which package of source code they belong to... would save some time searching.
EDIT:
O.K. Google did it for me...
Seems that both binaries are proprietary code. Some early conclusions:
1. dbvc_atvc_property_set
This one is started as a service in init.mapphone_umts.rc and seems to use /dev/sec for granting rights to access OMAP secure world (e.g. read eFuse values for unique device id, IMEI etc.).
This binary contains a certificate which is not Milestone specific (XT720 uses the same).
So right now I don't know if this certificate is needed to access /dev/sec or whether the application identifies itself as a trusted application (signed app).
It would make sense if the BP uses signed applications to access certain low level functions, e.g. read/write the eFuse bank.
2. tcmd
This one is also started as a service in init.mapphone_umts.rc to access a variety of devices. Seems to be related to data streaming or stuff.
As stated, it has an entry for /dev/sec and it got no certificate.
Would be interesting to get some more info about that.
Further comments....
P.S.: This bloody security stuff is making me sick
Regards,
scholbert
Hi again,
I just compared some of the defines in the kernel driver headers (/drivers/misc/sec/sec_core.h) with the ones xvilka reversed inside mbmloader.
Code:
...
#define API_HAL_KM_SOFTWAREREVISION_READ 33 // 0x21
...
#define API_HAL_NB_MAX_SVC 39 // 0x27
#define API_HAL_MOT_EFUSE (API_HAL_NB_MAX_SVC + 10) // 0x31
#define API_HAL_MOT_EFUSE_READ (API_HAL_NB_MAX_SVC + 15) // 0x36
...
For comparison see the table here:
https://www.droid-developers.org/wiki/Secure_Services
It is obvious that /dev/sec allows access to the OMAP secure world and uses the above-mentioned API calls to push information to userspace apps.
The question would be whether the ioctl must be certified through the API using some key ...
O.K., I see this is deep-down code creeping, but maybe someone understands what I'm trying to work out
See ya,
scholbert
scholbert said:
O.K., I see this is deep-down code creeping, but maybe someone understands what I'm trying to work out
I think I know what you are trying to work out, but I can't think of any way to help
You're pretty much comparing the results of your findings with that of the mbmloader dump right?
I would like so much to fully understand what you are doing, but I can understand just a little..
btw I hope that you'll be glad to know that you have all my psychological support!
mystichobo said:
I think I know what you are trying to work out, but I can't think of any way to help
You're pretty much comparing the results of your findings with that of the mbmloader dump right?
Yeah, kind of... we know for sure there's an API to access security functions on OMAP. I just dug out some parallels in kernel code and mbmloader.
If we could make use of security functions from within kernel space (by using a tweaked module) this would be a nice playground.
Perhaps there's some bug or backdoor we could shamelessly exploit to:
a. boot custom kernel with second boot
b. tweak the security system and enable some hidden functions inside OMAP
puffo81 said:
I would like so much to fully understand what you are doing, but I can understand just a little..
btw I hope that you'll be glad to know that you have all my psychological support!
Thanks a lot for pointing out
Best regards,
scholbert
scholbert said:
Yeah, kind of... we know for sure there's an API to access security functions on OMAP. I just dug out some parallels in kernel code and mbmloader.
If we could make use of security functions from within kernel space (by using a tweaked module) this would be a nice playground.
Perhaps there's some bug or backdoor we could shamelessly exploit to:
a. boot custom kernel with second boot
b. tweak the security system and enable some hidden functions inside OMAP
That's what I thought
Surprised no one has looked into it earlier really
Anyway good luck with it, adding my moral support too.
Cheers,
hobo
mystichobo said:
Surprised no one has looked into it earlier really
Anyway good luck with it, adding my moral support too.
I got into contact with xvilka.
Obviously there'd been some investigations concerning this issue.
To be honest, I don't know if it's worth digging a little deeper or if it will ever lead to something useful in the end. Could be fun though
Perhaps it would be a nice idea to tweak the driver and put some debug messages in the code.
Another interesting thing to do would be a logging function.
This way it would be possible to get some insights into the API to the secure monitor.
Anyway, I think it's never useless to discuss some hacking here. At least we're at xda-developers
If you like to tweak some kernel code, join in!!!
Have fun!
scholbert
Hi all
I have a xoom and installed eos about 30 mins after opening the box.
I love it, but there's no user control of regulatory domain; that sucks.
Any pointers on how to implement this? build.prop keys don't seem to work and I'd not want to have to recompile the gpu/oc kernel, but would if necessary.
It would seem that CM has it, but I don't want to move from EOS as it's ace.
Well, it depends on what aspect of regulatory domain you speak of. Regarding wifi channels, yes, it's in the kernel. I have a patch that eliminates all the regulatory crap. This is something we are still debating as to whether we should implement or not.
Yes, wifi. I understand your concerns over implementing such a patch, but I also believe that full control over our own device is fair and our own responsibility, not to be placed on the shoulders of devs like you who do all the work so we can all enjoy our kit.
I am on nightly, so would that mean it's in this kernel? If so, would I need something like iw to set it, or a key in build.prop?
Thanks.
No, iw won't help if it's not enabled in the kernel. I'll likely add this to my overlay anyway, so no worries.
Nice one
While you're talking about the overlay, when I've flashed it I've noticed that the GPU was not clocked.
With the new kernel, any chance of a GPU version of the overlay? I know it's not a mega overclock but I'd still prefer it in there; call me cheeky if you want, lol.
Sorry man, gpuoc in the overlay kernel ain't happening. I've merged a regulatory remove patch. However, I'm pretty sure we have to mod the firmware calibration file as well. I'll talk with the team about a more comprehensive solution.
No worries about the GPU, it's not that big of a deal. Thanks for the merge, I appreciate it.
Keep up the good work.
Thanks.
Just wondering if you managed to talk to the team about implementing this as a feature?
Hi all,
A few days ago I repaired an HTC Desire Z with a Russian keyboard and installed CM10.2 onto it. And of course I want to have a working Russian keyboard layout.
Unfortunately only the official firmware supports it, and the problem cannot be solved by editing layout tables because for some buttons there are two Cyrillic letters on one button. There is the ruKeyboard application to fix it, but it is closed source, so it isn't acceptable for me.
So, I'm going to develop my own application for it (open source, of course) and want to ask some questions... I have a lot of development experience (especially low level, e.g. drivers, MCU firmware and so on), but never programmed for Android (however I know Java to some degree).
Of course, I can patch android kernel/sources to get my task done, but I suppose that it's a bad idea, because I'll need to port changes to new versions and so on. So, I want to process keyboard events from userspace.
My question: Is it possible to hook all hardware keyboard events (i.e. scancodes, not characters) from userspace, remove them from message queue, and produce new events? I know that producing new events is possible, but what about hooking it (like MS Windows event hooks?). Can you give me a hint (maybe link to example or API, suitable for it)?
Thank you in advance.
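As an added example, not code from FossaFX or from any of the projects named in this thread: the Linux evdev/uinput mechanism is the user-space way to do what the question asks on an Android kernel. The program takes an exclusive grab on the hardware keyboard (EVIOCGRAB), so its raw scancodes no longer reach the input stack, rewrites the key codes it cares about, and re-injects the result through /dev/uinput as a virtual keyboard. The device node paths and the two-entry remap table are assumptions chosen for illustration; the remap logic is kept in a pure function so it can be checked without hardware. It needs root or membership in the input group on the device.

```c
/* Added example: user-space keyboard remapper via evdev grab + uinput.
 * Device paths and the remap table are assumptions for illustration. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/input.h>
#include <linux/uinput.h>

#define HW_KEYBOARD "/dev/input/event2"  /* assumed: check /proc/bus/input/devices */
#define UINPUT_NODE "/dev/uinput"

/* Constructed mapping for illustration: key on the left is delivered as the key on the right. */
static const struct { unsigned short from, to; } remap_table[] = {
    { KEY_CAPSLOCK, KEY_LEFTCTRL },
    { KEY_RIGHTALT, KEY_COMPOSE  },
};

/* Pure, hardware-free part: the code a key event should be delivered as.
 * Non-key events (EV_SYN, EV_MSC) and unmapped keys pass through unchanged. */
unsigned short remap_keycode(unsigned short type, unsigned short code)
{
    if (type != EV_KEY)
        return code;
    for (size_t i = 0; i < sizeof remap_table / sizeof remap_table[0]; i++)
        if (remap_table[i].from == code)
            return remap_table[i].to;
    return code;
}

/* Create a virtual keyboard able to emit any key code (legacy uinput_user_dev API,
 * which is what older Android kernels provide). */
static int open_virtual_keyboard(void)
{
    struct uinput_user_dev dev;
    int fd = open(UINPUT_NODE, O_WRONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    ioctl(fd, UI_SET_EVBIT, EV_KEY);
    ioctl(fd, UI_SET_EVBIT, EV_SYN);
    for (int code = 0; code < KEY_MAX; code++)
        ioctl(fd, UI_SET_KEYBIT, code);
    memset(&dev, 0, sizeof dev);
    snprintf(dev.name, UINPUT_MAX_NAME_SIZE, "remapped-keyboard");
    dev.id.bustype = BUS_VIRTUAL;
    if (write(fd, &dev, sizeof dev) != (ssize_t)sizeof dev || ioctl(fd, UI_DEV_CREATE) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    struct input_event ev;
    int hw = open(HW_KEYBOARD, O_RDONLY);
    if (hw < 0) { perror(HW_KEYBOARD); return 1; }
    /* Exclusive grab: no other reader, including the Android input stack, sees the raw
     * events now. This is also why /dev/input/event* must stay readable only by
     * privileged users: any process that can open the node sees every keystroke. */
    if (ioctl(hw, EVIOCGRAB, 1) < 0) { perror("EVIOCGRAB"); return 1; }
    int vk = open_virtual_keyboard();
    if (vk < 0) { perror(UINPUT_NODE); return 1; }

    /* Forward every event, rewriting only the key codes in the table. */
    while (read(hw, &ev, sizeof ev) == (ssize_t)sizeof ev) {
        ev.code = remap_keycode(ev.type, ev.code);
        if (write(vk, &ev, sizeof ev) != (ssize_t)sizeof ev)
            break;
    }
    ioctl(vk, UI_DEV_DESTROY);
    ioctl(hw, EVIOCGRAB, 0);
    close(vk);
    close(hw);
    return 0;
}
```

For the "two Cyrillic letters on one button" case the remap function would need state (a modifier or a toggle that selects between the two letters) instead of a flat table, but the grab-rewrite-inject loop stays the same. The keymap of the virtual device, not the hardware one, is what the Android key character map then has to describe.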
FossaFX said:
My question: Is it possible to hook all hardware keyboard events (i.e. scancodes, not characters) from userspace, remove them from message queue, and produce new events? I know that producing new events is possible, but what about hooking it (like MS Windows event hooks?). Can you give me a hint (maybe link to example or API, suitable for it)?
I am not a programmer, but I would be interested in an app that could substitute key press events (on my Motorola Droid 4).
Have you heard of the Xposed framework? Maybe this would be a possibility to achieve your goal and Xposed might make things much easier for you.
daniel_m said:
I am not a programmer, but I would be interested in an app that could substitute key press events (on my Motorola Droid 4).
Have you heard of the Xposed framework? Maybe this would be a possibility to achieve your goal and Xposed might make things much easier for you.
Thank you, I'll read about it (and no, I hadn't heard about it, I have never programmed for Android).
daniel_m said:
I am not a programmer, but I would be interested in an app that could substitute key press events (on my Motorola Droid 4).
Have you heard of the Xposed framework? Maybe this would be a possibility to achieve your goal and Xposed might make things much easier for you.
http://www.howtogeek.com/195476/7-t...ramework-on-a-rooted-android-phone-or-tablet/ looks like a good thing. So I'll investigate the Xposed sources to see how they did it.
Good luck!
Would be wonderful for yet another useful Xposed module to see the light of day
Hello,
I am wondering whether anybody can provide some clarifications regarding the mtce-utils configuration. More precisely, I would like to know if it is possible to assign intents to hardware (SWC of front panel) keys, and if so, how.
I have set most things up in mtce-utils/settings.ini according to the built-in documentation (comments in the configuration file), including app_xxx type of assignments (of apps to keys). In the old days of Xposed-mtc-keys one could also use intent_xxx assignments to associate intents instead of apps; however these do not appear to work in mtce-utils (this, or I am doing something wrong).
So, my main question is, can intents be assigned to buttons using mtce-utils, and if so how? As a more general question, is there any further documentation available for this module other than the comments in the configuration file? Advice is much appreciated.
sbruda said:
Hello,
I am wondering whether anybody can provide some clarifications regarding the mtce-utils configuration. More precisely, I would like to know if it is possible to assign intents to hardware (SWC of front panel) keys, and if so, how.
I have set most things up in mtce-utils/settings.ini according to the built-in documentation (comments in the configuration file), including app_xxx type of assignments (of apps to keys). In the old days of Xposed-mtc-keys one could also use intent_xxx assignments to associate intents instead of apps; however these do not appear to work in mtce-utils (this, or I am doing something wrong).
So, my main question is, can intents be assigned to buttons using mtce-utils, and if so how? As a more general question, is there any further documentation available for this module other than the comments in the configuration file? Advice is much appreciated.
Did you ever get an answer? I would like to know the same thing. If you found a way to do that please send me a message
panteryx_26 said:
Did you ever get an answer? I would like to know the same thing. If you found a way to do that please send me a message
As a matter of fact I found this resource (thanks @Xorit); I don't speak Russian but Google Translate produces a decent result. I have not had the time to test it, but in a nutshell the old "intent_xxx = string" setting should continue to work as it did in the previous (and now obsolete) mtc-keys module.
Could one of you post the mtce-utils module? Can't find it to download anywhere...
Thank you!
Here is xposed-mtce-utils.apk v1.12:
xposed-mtce-utils v1.12
jtrosky said:
Here is xposed-mtce-utils.apk v1.12:
xposed-mtce-utils v1.12
Could you load it up one more time?
Hey guys,
I can't find a working download, or rather any download source, for the latest mtce-utils. Can someone give me a hint or upload the file, please?
Thanks in advance...