Related
Hey there,
I did post about the issue I'd been having with all recent ROM's in the CyanogenMod thread, but am posting my own thread as I've seen no one else bring up the issue.
Essentially, on all ROM's I've tried since but not including nk02's 4.0, including CyanogenMod 3.9.x and nk02's 4.1.x, I cannot run the browser or anything dependant on it, like Market, opening email, completing the initial wizard.
This is the output of logcat while starting Browser:-
Code:
I/ActivityManager( 127): Starting activity: Intent { action=android.intent.acti
on.MAIN categories={android.intent.category.LAUNCHER} flags=0x10200000 comp={com
.android.browser/com.android.browser.BrowserActivity} }
I/ActivityManager( 127): Start proc com.android.browser for activity com.androi
d.browser/.BrowserActivity: pid=404 uid=10034 gids={3003}
I/ActivityThread( 404): Publishing provider browser: com.android.browser.Browse
rProvider
I/DEBUG ( 108): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *
**
I/DEBUG ( 108): Build fingerprint: 'tmobile/kila/dream/trout:1.5/CRC1/150275:
user/ota-rel-keys,release-keys'
I/DEBUG ( 108): pid: 404, tid: 416 >>> com.android.browser <<<
I/DEBUG ( 108): signal 11 (SIGSEGV), fault addr 010867e8
I/DEBUG ( 108): r0 45017a34 r1 001bfd9c r2 001cec24 r3 00000000
I/DEBUG ( 108): r4 001bfd9c r5 00000007 r6 00217e00 r7 aa073e55
I/DEBUG ( 108): r8 45017d9c r9 423afed8 10 423afec4 fp 00000001
I/DEBUG ( 108): ip 7fe00000 sp 45017a34 lr aa1c4739 pc 010867e8 cpsr 000
00010
D/dalvikvm( 404): GC freed 1976 objects / 148848 bytes in 134ms
I/DEBUG ( 108): #00 pc 010867e8
I/DEBUG ( 108): #01 pc 001c4736 /system/lib/libwebcore.so
I/DEBUG ( 108): stack:
I/DEBUG ( 108): 450179f4 00000001
I/DEBUG ( 108): 450179f8 00000000
I/DEBUG ( 108): 450179fc afe2defc /system/lib/libc.so
I/DEBUG ( 108): 45017a00 aa16fed3 /system/lib/libwebcore.so
I/DEBUG ( 108): 45017a04 aa16fec1 /system/lib/libwebcore.so
I/DEBUG ( 108): 45017a08 00000000
I/DEBUG ( 108): 45017a0c 001ceb28 [heap]
I/DEBUG ( 108): 45017a10 00000000
I/DEBUG ( 108): 45017a14 001cf4c8 [heap]
I/DEBUG ( 108): 45017a18 00000984
I/DEBUG ( 108): 45017a1c aa170389 /system/lib/libwebcore.so
I/DEBUG ( 108): 45017a20 00000000
I/DEBUG ( 108): 45017a24 001c0a08 [heap]
I/DEBUG ( 108): 45017a28 df002777
I/DEBUG ( 108): 45017a2c e3a070ad
I/DEBUG ( 108): 45017a30 00000000
I/DEBUG ( 108): #01 45017a34 001c0a08 [heap]
I/DEBUG ( 108): 45017a38 aa073e55 /system/lib/libwebcore.so
I/DEBUG ( 108): 45017a3c aa14bf1b /system/lib/libwebcore.so
I/DEBUG ( 108): 45017a40 001c0a08 [heap]
I/DEBUG ( 108): 45017a44 001bfd08 [heap]
I/DEBUG ( 108): 45017a48 001c0a08 [heap]
I/DEBUG ( 108): 45017a4c aa1aa761 /system/lib/libwebcore.so
I/DEBUG ( 108): 45017a50 001c0a08 [heap]
I/DEBUG ( 108): 45017a54 aa183c9b /system/lib/libwebcore.so
I/DEBUG ( 108): 45017a58 0000000a
I/DEBUG ( 108): 45017a5c 45017aa8
I/DEBUG ( 108): 45017a60 aa3db598 /system/lib/libwebcore.so
I/DEBUG ( 108): 45017a64 00000000
I/DEBUG ( 108): 45017a68 00000000
I/DEBUG ( 108): 45017a6c 00000000
I/DEBUG ( 108): 45017a70 00000000
I/DEBUG ( 108): 45017a74 00000000
I/DEBUG ( 108): 45017a78 00000000
I/ActivityManager( 127): Process com.android.browser (pid 404) has died.
I/WindowManager( 127): WIN DEATH: Window{438c7088 com.android.browser/com.andro
id.browser.BrowserActivity paused=false}
I/DEBUG ( 108): debuggerd committing suicide to free the zombie!
D/Zygote ( 110): Process 404 terminated by signal (11)
I/DEBUG ( 417): debuggerd: May 13 2009 19:02:52
W/InputManagerService( 127): Window already focused, ignoring focus gain of: co
[email protected]
D/dalvikvm( 208): GC freed 196 objects / 8496 bytes in 128ms
Any idea what could be causing this? My phone is running the 32B engineering SPL and RAv1.1.2 recovery. I have tried mounting over usb, adb, and putting the card in a reader to upload the update.zip to the card. I have tried wiping several times before flashing. I have tried different mSD cards, and using different computers to push the files. I am really stumped as to why I cannot run Browser yet seemingly everyone else with a 32B phone can.
I'm willing to test updates in an attempt to fix the problem. Any help really appreciated!
Using nk02's rom, this is the logcat output of the wizard after pressing next on the screen where it asks if google can collect location data. If I've not skipped giving it the google login details, the phone will get stuck on a screen saying 'Signed in!', with a dimmed next button. If I skip giving it the google login details, and attempt to pass the collect location data screen, it'll show 'Date & Time settings' briefly at the top before looping back to the sign in screen with the same output to logcat
Code:
I/ServiceStateTracker( 119): Auto time state changed
I/ActivityManager( 56): Starting activity: Intent { comp={com.android.settings
/com.android.settings.DateTimeSettingsSetupWizard} }
I/ActivityManager( 56): Start proc com.android.settings for activity com.andro
id.settings/.DateTimeSettingsSetupWizard: pid=445 uid=1000 gids={3002, 3001, 300
3}
D/dalvikvm( 34): GC freed 277 objects / 10448 bytes in 342ms
D/dalvikvm( 34): GC freed 42 objects / 1864 bytes in 164ms
D/dalvikvm( 34): GC freed 2 objects / 56 bytes in 187ms
I/DEBUG ( 325): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *
**
I/DEBUG ( 325): Build fingerprint: 'google_ion/google_ion/sapphire/sapphire:1
.5/CRB43/148830:user/adp,test-keys'
I/DEBUG ( 325): pid: 445, tid: 445 >>> com.android.settings <<<
I/DEBUG ( 325): signal 4 (SIGILL), fault addr ad494ce8
I/DEBUG ( 325): r0 bef87f00 r1 bef87ee0 r2 00000000 r3 00000002
I/DEBUG ( 325): r4 001a78c4 r5 fff8df51 r6 ad4abbf8 r7 bef87778
I/DEBUG ( 325): r8 bef88124 r9 bef88124 10 ad4abdd0 fp ad4abdd0
I/DEBUG ( 325): ip ad4abf20 sp bef87698 lr ad496e3d pc ad494ce8 cpsr 800
00030
I/DEBUG ( 325): #00 pc 00094ce8 /system/lib/libicui18n.so
I/DEBUG ( 325): #01 lr ad496e3d /system/lib/libicui18n.so
I/DEBUG ( 325): stack:
I/DEBUG ( 325): bef87658 afe39dd0
I/DEBUG ( 325): bef8765c bef88124 [stack]
I/DEBUG ( 325): bef87660 ad4abdd0
I/DEBUG ( 325): bef87664 00000000
I/DEBUG ( 325): bef87668 bef87f00 [stack]
I/DEBUG ( 325): bef8766c 00000003
I/DEBUG ( 325): bef87670 001a78c4 [heap]
I/DEBUG ( 325): bef87674 ad533619 /system/lib/libicuuc.so
I/DEBUG ( 325): bef87678 00000000
I/DEBUG ( 325): bef8767c 00000000
I/DEBUG ( 325): bef87680 001a78a0 [heap]
I/DEBUG ( 325): bef87684 001a78c4 [heap]
I/DEBUG ( 325): bef87688 ad53a4a5 /system/lib/libicuuc.so
I/DEBUG ( 325): bef8768c 001a78c4 [heap]
I/DEBUG ( 325): bef87690 df002777
I/DEBUG ( 325): bef87694 e3a070ad
I/DEBUG ( 325): #00 bef87698 bef88124 [stack]
I/DEBUG ( 325): bef8769c 00000000
I/DEBUG ( 325): bef876a0 00000000
I/DEBUG ( 325): bef876a4 00000000
I/DEBUG ( 325): bef876a8 ffffffff
I/DEBUG ( 325): bef876ac 00000000
I/DEBUG ( 325): bef876b0 00000000
I/DEBUG ( 325): bef876b4 00000000
I/DEBUG ( 325): bef876b8 00000000
I/DEBUG ( 325): bef876bc 00000000
I/DEBUG ( 325): bef876c0 00000000
I/DEBUG ( 325): bef876c4 00000000
I/DEBUG ( 325): bef876c8 00000000
I/DEBUG ( 325): bef876cc 00000000
I/DEBUG ( 325): bef876d0 00000000
I/DEBUG ( 325): bef876d4 bef87c78 [stack]
I/DEBUG ( 325): bef876d8 000005b8
I/DEBUG ( 325): bef876dc 00000000
I/ActivityManager( 56): Process com.android.settings (pid 445) has died.
D/Zygote ( 34): Process 445 terminated by signal (4)
W/InputManagerService( 56): Window already focused, ignoring focus gain of: co
[email protected]
I/ActivityManager( 56): Displayed activity com.android.setupwizard/.CloseAndLa
unchActivity: 117600 ms
If anyone has any idea what I'm doing wrong can they please inform me. Is my phone faulty? Everything else appears to be working fine. The flash completes without errors and the phone boots into a usable state with all hardware functioning fine.
nk02's ROM is unusable as I cannot get past the setup wizard. It just respawns if I kill it.
I'd love to get this sorted as my phone is useless at the moment
Just had a similar issue with SuperD v1.8. Browser and market would crash on startup. Library file /system/lib/libwebcore.so was causing it due to corruption during rom flashing. Not sure why this suddenly started to happen but if you check the file size it is correct, but the md5sum will differ from one extracted from the rom zip file. I pushed the extracted library to /system/lib and it fixed the issue. Of course you have to do this with /system mounted r/w.
The only thing I can think of is the recovery image is causing it since unzipping this file on my linux box produces a working library. Unzipping from recovery produces a corrupt file.
Just had a similar issue with SuperD v1.8. Browser and market would crash on startup. Library file /system/lib/libwebcore.so was causing it due to corruption during rom flashing. Not sure why this suddenly started to happen but if you check the file size it is correct, but the md5sum will differ from one extracted from the rom zip file. I pushed the extracted library to /system/lib and it fixed the issue. Of course you have to do this with /system mounted r/w.
The only thing I can think of is the recovery image is causing it since unzipping this file on my linux box produces a working library. Unzipping from recovery produces a corrupt file.
tmusall said:
Just had a similar issue with SuperD v1.8. Browser and market would crash on startup. Library file /system/lib/libwebcore.so was causing it due to corruption during rom flashing. Not sure why this suddenly started to happen but if you check the file size it is correct, but the md5sum will differ from one extracted from the rom zip file. I pushed the extracted library to /system/lib and it fixed the issue. Of course you have to do this with /system mounted r/w.
The only thing I can think of is the recovery image is causing it since unzipping this file on my linux box produces a working library. Unzipping from recovery produces a corrupt file.
Click to expand...
Click to collapse
Here's what I tried:
Using fastboot erase the recovery partition. Again from fastboot flash recovery-RA-sapphire-v1.5.2G.img. This is for a myTouch 3G, so if you've got a G1 use the proper recovery image. Reboot.
Reboot into recovery and flashed rom NexusSuperD18.zip.
From adb shell:
md5sum of /system/lib/libwebcore.so - 96a7cef79de087111c84c76f50353b18 (Correct checksum)
Reboot and let rom initialize. Fire up Browser and is still crashes!
Reboot back to recovery and check md5sum again:
/system/lib # md5sum libwebcore.so
03e1950b02dd5fb1f00750065aea66d1 libwebcore.so (WRONG!)
Something during first boot initialization has corrupted this library. I've got no idea what is causing this, but for now the only way to get it working is to push a good library in its place.
Hello.When i am starting CM9 on my tablet i have next :
Bootanimation... then :
logcat
Code:
--------- beginning of /dev/log/system
I/Vold ( 65): Vold 2.1 (the revenge) firing up
D/Vold ( 65): Volume sdcard state changing -1 (Initializing) -> 0 (No-Media)
D/Vold ( 65): Volume nand state changing -1 (Initializing) -> 0 (No-Media)
D/Vold ( 65): Volume usb state changing -1 (Initializing) -> 0 (No-Media)
D/Vold ( 65): Volume nand state changing 0 (No-Media) -> 1 (Idle-Unmounted)
D/Vold ( 65): Volume sdcard state changing 0 (No-Media) -> 2 (Pending)
D/DirectVolume( 65): DirectVolume::handlePartitionAdded -> MAJOR 253, MINOR 1, PARTN 1
D/Vold ( 65): Volume sdcard state changing 2 (Pending) -> 1 (Idle-Unmounted)
--------- beginning of /dev/log/main
I/DEBUG ( 69): be92f3b0 00000000
I/DEBUG ( 69): be92f3b4 00000000
I/DEBUG ( 69): be92f3b8 00000000
I/DEBUG ( 69): be92f3bc 00000000
I/DEBUG ( 69): be92f3c0 00000000
I/DEBUG ( 69): be92f3c4 00000000
I/DEBUG ( 69): be92f3c8 00000000
I/DEBUG ( 69): be92f3cc 00000000
I/DEBUG ( 69): be92f3d0 00000000
I/DEBUG ( 69): be92f3d4 00000000
I/DEBUG ( 69): be92f3d8 4049f58c /system/lib/libicuuc.so
I/DEBUG ( 69): be92f3dc 00000003
I/DEBUG ( 69): be92f3e0 404a0cd0 /system/lib/libicuuc.so
I/DEBUG ( 69): be92f3e4 00000001
I/DEBUG ( 69): be92f3e8 4049f58c /system/lib/libicuuc.so
I/DEBUG ( 69): be92f3ec 00000003
I/DEBUG ( 69): be92f3f0 404a0cd0 /system/lib/libicuuc.so
I/DEBUG ( 69): be92f3f4 00000001
I/DEBUG ( 69): be92f3f8 4049f590 /system/lib/libicuuc.so
I/DEBUG ( 69): be92f3fc 00000006
I/DEBUG ( 69): be92f400 4049f590 /system/lib/libicuuc.so
I/DEBUG ( 69): be92f404 00000006
I/DEBUG ( 69): be92f408 00000000
I/DEBUG ( 69): be92f40c 00000000
I/DEBUG ( 69): be92f410 00000000
I/DEBUG ( 69): be92f414 00000000
I/DEBUG ( 69): be92f418 00000000
I/DEBUG ( 69): be92f41c 00000000
I/DEBUG ( 69): be92f420 00000000
I/DEBUG ( 69): be92f424 00000000
I/DEBUG ( 69): be92f428 00000000
I/DEBUG ( 69): be92f42c 00000000
I/DEBUG ( 69): be92f430 00000000
I/DEBUG ( 69): be92f434 00000000
I/DEBUG ( 69): be92f438 404a0ca4 /system/lib/libicuuc.so
I/DEBUG ( 69): be92f43c 00000008
I/DEBUG ( 69): be92f440 00000000
I/DEBUG ( 69): be92f444 00000000
I/DEBUG ( 69): be92f448 00000000
I/DEBUG ( 69): be92f44c 00000000
I/DEBUG ( 69): be92f450 00000000
I/DEBUG ( 69): be92f454 00000000
I/DEBUG ( 69): be92f458 00000000
I/DEBUG ( 69): be92f45c 00000000
I/DEBUG ( 69): be92f460 00000000
I/DEBUG ( 69): be92f464 00000000
I/DEBUG ( 69): be92f468 00000000
I/DEBUG ( 69): be92f46c 00000000
I/DEBUG ( 69): be92f470 00000000
I/DEBUG ( 69): be92f474 00000000
I/DEBUG ( 69): be92f478 00000000
I/DEBUG ( 69): be92f47c 00000000
I/DEBUG ( 69): be92f480 00000000
I/DEBUG ( 69): be92f484 00000000
I/DEBUG ( 69): be92f488 00000000
I/DEBUG ( 69): be92f48c 00000000
I/DEBUG ( 69): be92f490 00000000
I/DEBUG ( 69): be92f494 00000000
I/DEBUG ( 69): be92f498 00000000
I/DEBUG ( 69): be92f49c 00000000
I/DEBUG ( 69): be92f4a0 00000000
I/DEBUG ( 69): be92f4a4 00000000
I/DEBUG ( 69): be92f4a8 00000000
I/DEBUG ( 69): be92f4ac 00000000
I/DEBUG ( 69): be92f4b0 00000000
I/DEBUG ( 69): be92f4b4 00000000
I/DEBUG ( 69): be92f4b8 00000000
I/DEBUG ( 69): be92f4bc 00000000
I/DEBUG ( 69): be92f4c0 00000000
I/DEBUG ( 69): be92f4c4 00000000
I/DEBUG ( 69): be92f4c8 00000000
I/DEBUG ( 69): be92f4cc 00000000
I/DEBUG ( 69): be92f4d0 00000000
I/DEBUG ( 69): be92f4d4 00000000
I/DEBUG ( 69): be92f4d8 00000000
I/DEBUG ( 69): be92f4dc 00000000
I/DEBUG ( 69): be92f4e0 00000000
I/DEBUG ( 69): be92f4e4 00000000
I/DEBUG ( 69): be92f4e8 00000000
I/DEBUG ( 69): be92f4ec 00000000
I/DEBUG ( 69): be92f4f0 00000000
I/DEBUG ( 69): be92f4f4 00000000
I/DEBUG ( 69): be92f4f8 00000000
I/DEBUG ( 69): be92f4fc 00000000
I/DEBUG ( 69): be92f500 00000000
I/DEBUG ( 69): be92f504 be92f50d [stack]
I/DEBUG ( 69): be92f508 00000028
I/DEBUG ( 69): be92f50c 00000000
I/DEBUG ( 69): be92f510 00000000
I/DEBUG ( 69): be92f514 00000000
I/DEBUG ( 69): be92f518 00000000
I/DEBUG ( 69): be92f51c 00000000
I/DEBUG ( 69): be92f520 00000000
I/DEBUG ( 69): be92f524 00000000
I/DEBUG ( 69): be92f528 00000000
I/DEBUG ( 69): be92f52c 00000000
I/DEBUG ( 69): be92f530 00000000
I/DEBUG ( 69): be92f534 00000000
I/DEBUG ( 69): be92f538 00000000
I/DEBUG ( 69): be92f53c be92f545 [stack]
I/DEBUG ( 69): be92f540 00000028
I/DEBUG ( 69): be92f544 75636900
I/DEBUG ( 69): be92f548 36347464
I/DEBUG ( 69): be92f54c 0000006c
I/DEBUG ( 69): be92f550 00000000
I/DEBUG ( 69): be92f554 00000000
I/DEBUG ( 69): be92f558 00000000
I/DEBUG ( 69): be92f55c 00000000
I/DEBUG ( 69): be92f560 00000000
I/DEBUG ( 69): be92f564 00000000
I/DEBUG ( 69): be92f568 00000000
I/DEBUG ( 69): be92f56c 00000000
I/DEBUG ( 69): be92f570 00000008
I/DEBUG ( 69): be92f574 be92f57d [stack]
I/DEBUG ( 69): be92f578 00000028
I/DEBUG ( 69): be92f57c 75636900
I/DEBUG ( 69): be92f580 36347464
I/DEBUG ( 69): be92f584 6e702f6c
I/DEBUG ( 69): be92f588 73656d61
I/DEBUG ( 69): be92f58c 7563692e
I/DEBUG ( 69): be92f590 00000000
I/DEBUG ( 69): be92f594 00000000
I/DEBUG ( 69): be92f598 00000000
I/DEBUG ( 69): be92f59c 00000000
I/DEBUG ( 69): be92f5a0 00000000
I/DEBUG ( 69): be92f5a4 00000000
I/DEBUG ( 69): be92f5a8 00000013
I/DEBUG ( 69): be92f5ac be92f5b5 [stack]
I/DEBUG ( 69): be92f5b0 00000028
I/DEBUG ( 69): be92f5b4 75636900
I/DEBUG ( 69): be92f5b8 36347464
I/DEBUG ( 69): be92f5bc 6e702f6c
I/DEBUG ( 69): be92f5c0 73656d61
I/DEBUG ( 69): be92f5c4 7563692e
I/DEBUG ( 69): be92f5c8 00000000
I/DEBUG ( 69): be92f5cc 00000000
I/DEBUG ( 69): be92f5d0 00000000
I/DEBUG ( 69): be92f5d4 00000000
I/DEBUG ( 69): be92f5d8 00000000
I/DEBUG ( 69): be92f5dc 00000000
I/DEBUG ( 69): be92f5e0 00000013
I/DEBUG ( 69): be92f5e4 03aa6deb
I/DEBUG ( 69): be92f5e8 00000000
I/DEBUG ( 69): be92f5ec be92f634 [stack]
I/DEBUG ( 69): be92f5f0 00000000
I/DEBUG ( 69): be92f5f4 00002000
I/DEBUG ( 69): be92f5f8 be92f735 [stack]
I/DEBUG ( 69): be92f5fc be92f7f4 [stack]
I/DEBUG ( 69): be92f600 be92f7d0 [stack]
I/DEBUG ( 69): be92f604 be92f6f4 [stack]
I/DEBUG ( 69): be92f608 ffffffff
I/DEBUG ( 69): be92f60c 4044ece9 /system/lib/libicuuc.so
I/ServiceManager( 64): service 'media.audio_flinger' died
I/ServiceManager( 64): service 'media.player' died
I/ServiceManager( 64): service 'media.camera' died
I/ServiceManager( 64): service 'media.audio_policy' died
I/Netd ( 298): Netd 1.0 starting
E/Netd ( 298): Unable to create netlink socket: Protocol not supported
E/Netd ( 298): Unable to open quota2 logging socket
D/AndroidRuntime( 299):
D/AndroidRuntime( 299): >>>>>> AndroidRuntime START com.android.internal.os.ZygoteInit <<<<<<
D/AndroidRuntime( 299): CheckJNI is OFF
F/libc ( 299): Fatal signal 11 (SIGSEGV) at 0x58b4f282 (code=1)
I/ ( 300): ServiceManager: 0xf958
E/ALSALib ( 300): external/alsa-lib/src/conf.c:3601:(snd_config_update_r) Cannot access file /system/usr/share/alsa/alsa.conf
E/ALSALib ( 300): external/alsa-lib/src/control/control.c:902:(snd_ctl_open_noupdate) Invalid CTL AndroidOut
W/AudioHardwareALSA( 300): Unable to attach mixer to device AndroidOut: No such file or directory
E/ALSALib ( 300): external/alsa-lib/src/conf.c:3601:(snd_config_update_r) Cannot access file /system/usr/share/alsa/alsa.conf
E/ALSALib ( 300): external/alsa-lib/src/control/control.c:902:(snd_ctl_open_noupdate) Invalid CTL hw:00
E/AudioHardwareALSA( 300): Unable to attach mixer to device default: No such file or directory
E/ALSALib ( 300): external/alsa-lib/src/conf.c:3601:(snd_config_update_r) Cannot access file /system/usr/share/alsa/alsa.conf
E/ALSALib ( 300): external/alsa-lib/src/control/control.c:902:(snd_ctl_open_noupdate) Invalid CTL AndroidIn
W/AudioHardwareALSA( 300): Unable to attach mixer to device AndroidIn: No such file or directory
E/ALSALib ( 300): external/alsa-lib/src/conf.c:3601:(snd_config_update_r) Cannot access file /system/usr/share/alsa/alsa.conf
E/ALSALib ( 300): external/alsa-lib/src/control/control.c:902:(snd_ctl_open_noupdate) Invalid CTL hw:00
E/AudioHardwareALSA( 300): Unable to attach mixer to device default: No such file or directory
I/AudioFlinger( 300): Loaded primary audio interface from LEGACY Audio HW HAL (audio)
I/AudioFlinger( 300): Using 'LEGACY Audio HW HAL' (audio.primary) as the primary audio interface
W/AudioHardwareALSA( 300): ALSA Mixer is not valid. AudioFlinger will do software volume control.
V/MediaPlayerService( 300): MediaPlayerService created
I/CameraService( 300): CameraService started (pid=300)
E/CameraService( 300): Could not load camera HAL module
D/AudioHardwareALSA( 300): openOutputStream called for devices: 0x00000002
D/ALSAModule( 300): open called for devices 00000002 in mode 0...
E/ALSALib ( 300): external/alsa-lib/src/conf.c:3601:(snd_config_update_r) Cannot access file /system/usr/share/alsa/alsa.conf
E/ALSALib ( 300): external/alsa-lib/src/pcm/pcm.c:2210:(snd_pcm_open_noupdate) Unknown PCM AndroidPlayback_Speaker_normal
E/ALSALib ( 300): external/alsa-lib/src/conf.c:3601:(snd_config_update_r) Cannot access file /system/usr/share/alsa/alsa.conf
E/ALSALib ( 300): external/alsa-lib/src/pcm/pcm.c:2210:(snd_pcm_open_noupdate) Unknown PCM AndroidPlayback_Speaker
E/ALSALib ( 300): external/alsa-lib/src/conf.c:3601:(snd_config_update_r) Cannot access file /system/usr/share/alsa/alsa.conf
E/ALSALib ( 300): external/alsa-lib/src/pcm/pcm.c:2210:(snd_pcm_open_noupdate) Unknown PCM AndroidPlayback
E/ALSALib ( 300): external/alsa-lib/src/conf.c:3601:(snd_config_update_r) Cannot access file /system/usr/share/alsa/alsa.conf
E/ALSALib ( 300): external/alsa-lib/src/pcm/pcm.c:2210:(snd_pcm_open_noupdate) Unknown PCM default
E/ALSAModule( 300): Failed to Initialize any ALSA PLAYBACK device: Unknown error: -2
E/AudioPolicyManagerBase( 300): Failed to initialize hardware output stream, samplingRate: 0, format 0, channels 0
E/AudioPolicyService( 300): couldn't init_check the audio policy (No such device)
I/DEBUG ( 69): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 69): Build fingerprint: 'motorola/tervigon/wingray:4.0.4/IMM76/292727:user/release-keys'
I/DEBUG ( 69): pid: 299, tid: 299 >>> zygote <<<
I/DEBUG ( 69): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 58b4f282
In Texet 7021 (firmware is quietly put on my tablet and load CM9) , but his have 4GB memory. What is wrong?!?!. Help me please!
If need i can Donate!
Hi all,
I'm posting this here, as I haven't had many issues yet, so have less than 10 posts, and as such don't qualify to post straight to the dev forum thread for this.
I'm trying to get build 89 (also tried 88) running on my TF101, but it stops during the boot... I've tried using Timduru's kernel (Version 70 lidpatch) and the one that came with it, but in both cases I don't seem to get very far... I'm using TWRP 2.3.2.3.
The error I get is: (as per logcat of the boot process)
(I'm guessing it's to do with "E/dalvikvm( 953): cannot mountExternalStorage(): Interrupted system call" ,,, but I don't have any external storage in the system, and any internal storage is there, as that's where I am flashing from.....)
W/ActivityManager( 727): Process ProcessRecord{4119f9e0 947:android.process.aco
re/u0a10000} failed to attach
W/ActivityManager( 727): Unattached app died before broadcast acknowledged, ski
pping
W/ActivityManager( 727): Unattached app died before broadcast acknowledged, skipping
E/dalvikvm( 953): cannot mountExternalStorage(): Interrupted system call
E/dalvikvm( 953): VM aborting
F/libc ( 953): Fatal signal 11 (SIGSEGV) at 0xdeadd00d (code=1), thread 953 (zygote)
E/dalvikvm( 953): Storage environment undefined; unable to provide external storage
I/ActivityManager( 727): Start proc android.process.acore for broadcast com.and
roid.providers.contacts/.ContactsUpgradeReceiver: pid=953 uid=10000 gids={50000,
3003, 1015, 1023, 1028}
I/DEBUG ( 99): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *
**
I/DEBUG ( 99): Build fingerprint: 'asus/US_epad/TF101:4.0.3/IML74K/US_epad-9
.2.1.27-20120615:user/release-keys'
I/DEBUG ( 99): Revision: '0'
I/DEBUG ( 99): pid: 953, tid: 953, name: zygote >>> zygote <<<
I/DEBUG ( 99): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadd00
d
I/DEBUG ( 99): r0 00000000 r1 00000000 r2 deadd00d r3 00000000
I/DEBUG ( 99): r4 40872818 r5 0000020c r6 00000000 r7 410d9ca0
I/DEBUG ( 99): r8 00002710 r9 00000001 sl 40872818 fp 00002710
I/DEBUG ( 99): ip 00000001 sp beb72748 lr 4019c269 pc 40823678 cpsr
60070030
I/DEBUG ( 99): d0 400000003eaaaaab d1 3f4de16b00237718
I/DEBUG ( 99): d2 3ff0000000000000 d3 bf62cda764a98eab
I/DEBUG ( 99): d4 4000000000000000 d5 3f40000000000000
I/DEBUG ( 99): d6 002640009999999a d7 3eaaaaab3f800000
I/DEBUG ( 99): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 99): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 99): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 99): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 99): scr 80000010
I/DEBUG ( 99):
I/DEBUG ( 99): backtrace:
I/DEBUG ( 99): #00 pc 00040678 /system/lib/libdvm.so (dvmAbort+75)
I/DEBUG ( 99): #01 pc 0001d265 /system/lib/libc.so (__sflush_locked+32
)
I/DEBUG ( 99):
I/DEBUG ( 99): stack:
I/DEBUG ( 99): beb72708 00000001
I/DEBUG ( 99): beb7270c 401c71b4 /system/lib/libc.so
I/DEBUG ( 99): beb72710 401c71b4 /system/lib/libc.so
I/DEBUG ( 99): beb72714 401c71b4 /system/lib/libc.so
I/DEBUG ( 99): beb72718 401c71b4 /system/lib/libc.so
I/DEBUG ( 99): beb7271c 4019c269 /system/lib/libc.so (__sflush_lo
cked+36)
I/DEBUG ( 99): beb72720 401c724c /system/lib/libc.so
I/DEBUG ( 99): beb72724 401c71b4 /system/lib/libc.so
I/DEBUG ( 99): beb72728 00000000
I/DEBUG ( 99): beb7272c 4019d239 /system/lib/libc.so (_fwalk+32)
I/DEBUG ( 99): beb72730 40872818 /system/lib/libdvm.so
I/DEBUG ( 99): beb72734 0000020c
I/DEBUG ( 99): beb72738 00000000
I/DEBUG ( 99): beb7273c 410d9ca0 /dev/ashmem/dalvik-heap (deleted
)
I/DEBUG ( 99): beb72740 df0027ad
I/DEBUG ( 99): beb72744 00000000
I/DEBUG ( 99): #00 beb72748 beb7273b [stack]
I/DEBUG ( 99): ........ ........
I/DEBUG ( 99): #01 beb72748 beb7273b [stack]
I/DEBUG ( 99): beb7274c 6c756e28
I/DEBUG ( 99): beb72750 0000296c
I/DEBUG ( 99): beb72754 00000000
I/DEBUG ( 99): beb72758 00000000
I/DEBUG ( 99): beb7275c 00000000
I/DEBUG ( 99): beb72760 00000000
I/DEBUG ( 99): beb72764 00000000
I/DEBUG ( 99): beb72768 00000000
I/DEBUG ( 99): beb7276c 00000000
I/DEBUG ( 99): beb72770 00000000
I/DEBUG ( 99): beb72774 00000000
I/DEBUG ( 99): beb72778 00000000
I/DEBUG ( 99): beb7277c 00000000
I/DEBUG ( 99): beb72780 00000000
I/DEBUG ( 99): beb72784 00000000
I/DEBUG ( 99):
I/DEBUG ( 99): memory near r4:
I/DEBUG ( 99): 408727f8 00000000 00000000 00000000 00000000
I/DEBUG ( 99): 40872808 00000000 00000000 00000000 00000000
I/DEBUG ( 99): 40872818 40dab010 40bb5fc0 00500000 10000000
I/DEBUG ( 99): 40872828 03000000 00000000 00000000 3fe80000
I/DEBUG ( 99): 40872838 00080000 00200000 00004000 00006000
I/DEBUG ( 99): 40872848 00000001 00000101 00000002 00000001
I/DEBUG ( 99): 40872858 00000000 00000000 00000000 00000002
I/DEBUG ( 99): 40872868 000001f4 4023853d 40238f69 00000000
I/DEBUG ( 99): 40872878 40238529 00000000 00000000 00000000
I/DEBUG ( 99): 40872888 40cdbf10 00000000 00000002 00000003
I/DEBUG ( 99): 40872898 00000001 00000001 00010100 00000100
I/DEBUG ( 99): 408728a8 00000000 40dab140 00000002 00000000
I/DEBUG ( 99): 408728b8 40adefc0 56f73170 00000000 00000000
I/DEBUG ( 99): 408728c8 40dab790 50000aa6 5821c010 00000000
I/DEBUG ( 99): 408728d8 56f73120 56f73140 40e6f1e8 40e6f2a8
I/DEBUG ( 99): 408728e8 40e6f350 40e6f3f8 40e6f4a0 40e6f548
I/DEBUG ( 99):
I/DEBUG ( 99): memory near r7:
I/DEBUG ( 99): 410d9c80 00000005 00000000 410d9b90 410d9bf8
I/DEBUG ( 99): 410d9c90 410d9c18 410d9c38 410d9c58 0000002b
I/DEBUG ( 99): 410d9ca0 40e709f8 00000000 00000005 00000000
I/DEBUG ( 99): 410d9cb0 0000c350 00000bbb 000003f7 000003ff
I/DEBUG ( 99): 410d9cc0 00000404 00000023 40e700e0 00000000
I/DEBUG ( 99): 410d9cd0 410d99d0 00000000 0000000c 00000015
I/DEBUG ( 99): 410d9ce0 00000000 0000001b 40e76fb8 00000000
I/DEBUG ( 99): 410d9cf0 00000001 00000000 410d9a28 00000023
I/DEBUG ( 99): 410d9d00 40e700e0 00000000 410d9d20 00000030
I/DEBUG ( 99): 410d9d10 00000000 00000001 00000000 0000001b
I/DEBUG ( 99): 410d9d20 40e70950 00000000 00000001 00000000
I/DEBUG ( 99): 410d9d30 00000030 00000023 40e700e0 00000000
I/DEBUG ( 99): 410d9d40 410d9d58 00000031 00000000 00000001
I/DEBUG ( 99): 410d9d50 00000000 0000001b 40e70950 00000000
I/DEBUG ( 99): 410d9d60 00000001 00000000 00000031 0000001b
I/DEBUG ( 99): 410d9d70 40e871a0 00000000 410d9dc0 00000001
I/DEBUG ( 99):
I/DEBUG ( 99): memory near r8:
I/DEBUG ( 99): 000026f0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002700 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002710 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002720 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002730 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002740 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002750 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002760 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002770 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002780 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002790 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 000027a0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 000027b0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 000027c0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 000027d0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 000027e0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99):
I/DEBUG ( 99): memory near sl:
I/DEBUG ( 99): 408727f8 00000000 00000000 00000000 00000000
I/DEBUG ( 99): 40872808 00000000 00000000 00000000 00000000
I/DEBUG ( 99): 40872818 40dab010 40bb5fc0 00500000 10000000
I/DEBUG ( 99): 40872828 03000000 00000000 00000000 3fe80000
I/DEBUG ( 99): 40872838 00080000 00200000 00004000 00006000
I/DEBUG ( 99): 40872848 00000001 00000101 00000002 00000001
I/DEBUG ( 99): 40872858 00000000 00000000 00000000 00000002
I/DEBUG ( 99): 40872868 000001f4 4023853d 40238f69 00000000
I/DEBUG ( 99): 40872878 40238529 00000000 00000000 00000000
I/DEBUG ( 99): 40872888 40cdbf10 00000000 00000002 00000003
I/DEBUG ( 99): 40872898 00000001 00000001 00010100 00000100
I/DEBUG ( 99): 408728a8 00000000 40dab140 00000002 00000000
I/DEBUG ( 99): 408728b8 40adefc0 56f73170 00000000 00000000
I/DEBUG ( 99): 408728c8 40dab790 50000aa6 5821c010 00000000
I/DEBUG ( 99): 408728d8 56f73120 56f73140 40e6f1e8 40e6f2a8
I/DEBUG ( 99): 408728e8 40e6f350 40e6f3f8 40e6f4a0 40e6f548
I/DEBUG ( 99):
I/DEBUG ( 99): memory near fp:
I/DEBUG ( 99): 000026f0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002700 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002710 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002720 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002730 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002740 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002750 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002760 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002770 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002780 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 00002790 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 000027a0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 000027b0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 000027c0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 000027d0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99): 000027e0 ffffffff ffffffff ffffffff ffffffff
I/DEBUG ( 99):
I/DEBUG ( 99): memory near sp:
I/DEBUG ( 99): beb72728 00000000 4019d239 40872818 0000020c
I/DEBUG ( 99): beb72738 00000000 410d9ca0 df0027ad 00000000
I/DEBUG ( 99): beb72748 beb7273b 6c756e28 0000296c 00000000
I/DEBUG ( 99): beb72758 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb72768 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb72778 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb72788 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb72798 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb727a8 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb727b8 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb727c8 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb727d8 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb727e8 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb727f8 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb72808 00000000 00000000 00000000 00000000
I/DEBUG ( 99): beb72818 00000000 00000000 00000000 00000000
I/DEBUG ( 99):
I/DEBUG ( 99): code around pc:
I/DEBUG ( 99): 40823658 34ccf8d3 eb56f7d8 461d2300 b1525d1a
I/DEBUG ( 99): 40823668 18ad3301 7f00f5b3 e004d1f8 4a0a4798
I/DEBUG ( 99): 40823678 f7d87015 490ceb4e 4a0c2006 44794c0c
I/DEBUG ( 99): 40823688 447c447a e9e8f7d8 f7d82000 6de3ea9a
I/DEBUG ( 99): 40823698 d1eb2b00 bf00e7eb deadd00d 0004e640
I/DEBUG ( 99): 408236a8 0004f1c4 0003698d 00035d64 00037be9
I/DEBUG ( 99): 408236b8 0004f18a 4605b530 b08b4c15 a8034915
I/DEBUG ( 99): 408236c8 6824447c 4479462a 93096823 fe6bf008
I/DEBUG ( 99): 408236d8 2100aa0a f8429808 f0091d20 b958fa8f
I/DEBUG ( 99): 408236e8 462b9802 4a0d490c 90004479 2006447a
I/DEBUG ( 99): 408236f8 e9b2f7d8 ff96f7ff f7f2a803 9a09fff5
I/DEBUG ( 99): 40823708 428a6821 f7d8d001 b00bea38 bf00bd30
I/DEBUG ( 99): 40823718 0004e5ac 00037baf 00035cfa 00037b92
I/DEBUG ( 99): 40823728 1a55b5f8 1c69460e 46174604 ed1af7e5
I/DEBUG ( 99): 40823738 696042b7 4631d004 f7d8462a 1940e994
I/DEBUG ( 99): 40823748 23006120 bdf87003 4604b538 460d6120
I/DEBUG ( 99):
I/DEBUG ( 99): code around lr:
I/DEBUG ( 99): 4019c248 447e4e08 68336836 f000b10b 4620fa4c
I/DEBUG ( 99): 4019c258 ffcaf7ff 68304605 4620b110 fa50f000
I/DEBUG ( 99): 4019c268 bd704628 0002acf2 4604b570 4811b928
I/DEBUG ( 99): 4019c278 e8bd4478 f0004070 4e0fbfcb 6836447e
I/DEBUG ( 99): 4019c288 b10b6833 fa2ff000 f01089a0 d1060f18
I/DEBUG ( 99): 4019c298 fe40f7f1 35fff04f 60012109 4620e003
I/DEBUG ( 99): 4019c2a8 ffa2f7ff 68324605 4620b112 fa28f000
I/DEBUG ( 99): 4019c2b8 bd704628 ffffffc9 0002acb8 44794909
I/DEBUG ( 99): 4019c2c8 680b6809 6843b963 60421e5a da012a00
I/DEBUG ( 99): 4019c2d8 bba6f001 f8116801 6001cb01 47704660
I/DEBUG ( 99): 4019c2e8 bff4f000 0002ac76 47f0e92d 4f3e4604
I/DEBUG ( 99): 4019c2f8 447f4688 683b683f f000b10b 6860f9f4
I/DEBUG ( 99): 4019c308 dc042800 f0014620 2800fad7 6826d15f
I/DEBUG ( 99): 4019c318 6865210a 462a4630 fe21f007 3001b168
I/DEBUG ( 99): 4019c328 c00cf8b4 f8c81b81 68621000 5300f44c
I/DEBUG ( 99): 4019c338 1a5381a3 0009e884 4606e043 f1056ca0
I/DEBUG ( 99):
I/DEBUG ( 99): memory map around fault addr deadd00d:
I/DEBUG ( 99): beb52000-beb73000 [stack]
I/DEBUG ( 99): (no map for address)
I/DEBUG ( 99): ffff0000-ffff1000 [vectors]
D/Zygote ( 101): Process 953 terminated by signal (11)
Does anyone have an idea where I need to check?
If it helps, here's the bit in the log that comes before the crash looping starts:
(Also, if it helps, CyanogenMod 10 works.. but that's still Android 4.1, so.. hmm..)
D/dalvikvm( 728): WAIT_FOR_CONCURRENT_GC blocked 6ms
D/dalvikvm( 728): WAIT_FOR_CONCURRENT_GC blocked 6ms
D/dalvikvm( 728): WAIT_FOR_CONCURRENT_GC blocked 7ms
E/ConnectivityService( 728): Ignoring protectedNetwork 10
E/ConnectivityService( 728): Ignoring protectedNetwork 11
E/ConnectivityService( 728): Ignoring protectedNetwork 12
D/BluetoothTethering( 728): startMonitoring: target: Handler (com.android.serve
r.ConnectivityService$NetworkStateTrackerHandler) {425cc2d8}
D/BluetoothManagerService( 728): Message: 20
D/BluetoothManagerService( 728): Added callback: android.bluetooth.BluetoothAda
[email protected]:true
D/BluetoothPan( 728): BluetoothPan() call bindService
D/BluetoothManagerService( 728): Message: 30
D/BluetoothPan( 728): BluetoothPan(), bindService called
W/ApplicationContext( 728): Calling a method in the system process without a qu
alified user: android.app.ContextImpl.bindService:1424 android.bluetooth.Bluetoo
thPan.<init>:141 android.bluetooth.BluetoothAdapter.getProfileProxy:1164
I/WifiService( 728): WifiService starting up with Wi-Fi disabled
D/WifiWatchdogStateMachine( 728): Disabling poor network avoidance for wi-fi on
ly device
I/SystemServer( 728): Network Service Discovery Service
D/NsdService( 728): Network service discovery enabled true
I/SystemServer( 728): Throttle Service
I/SystemServer( 728): UpdateLock Service
I/SystemServer( 728): Notification Manager
I/SystemServer( 728): Device Storage Monitor
I/SystemServer( 728): Location Manager
I/SystemServer( 728): Country Detector
I/SystemServer( 728): Search Service
I/SystemServer( 728): DropBox Service
I/SystemServer( 728): Wallpaper Service
W/WallpaperService( 728): failed parsing /data/system/users/0/wallpaper_info.xm
l java.io.FileNotFoundException: /data/system/users/0/wallpaper_info.xml: open f
ailed: ENOENT (No such file or directory)
I/SystemServer( 728): Audio Service
I/SystemServer( 728): Dock Observer
I/SystemServer( 728): Wired Accessory Manager
W/WiredAccessoryManager( 728): This kernel does not have usb audio support
I/SystemServer( 728): USB Service
I/SystemServer( 728): Serial Service
I/SystemServer( 728): Twilight Service
I/SystemServer( 728): UI Mode Manager Service
I/SystemServer( 728): Backup Service
V/BackupManagerService( 728): No ancestral data
D/dalvikvm( 728): GC_CONCURRENT freed 250K, 31% free 4711K/6744K, paused 4ms+3m
s, total 35ms
D/dalvikvm( 728): WAIT_FOR_CONCURRENT_GC blocked 5ms
D/dalvikvm( 728): WAIT_FOR_CONCURRENT_GC blocked 19ms
I/BackupManagerService( 728): Backup enabled => false
I/SystemServer( 728): AppWidget Service
I/SystemServer( 728): Recognition Service
I/SystemServer( 728): DiskStats Service
I/SystemServer( 728): SamplingProfiler Service
I/SystemServer( 728): NetworkTimeUpdateService
I/SystemServer( 728): CommonTimeManagementService
I/SystemServer( 728): CertBlacklister
I/SystemServer( 728): Dreams Service
I/WindowManager( 728): SAFE MODE not enabled
I/SystemServer( 728): AssetRedirectionManager Service
E/SQLiteLog( 728): (1) no such table: locksettings
I/LockSettingsService( 728): Migrated lock settings to new location
I/ActivityManager( 728): Sending system update to ComponentInfo{com.android.pro
viders.contacts/com.android.providers.contacts.ContactsUpgradeReceiver} for user
0
I/ActivityManager( 728): Sending system update to ComponentInfo{com.android.pro
viders.media/com.android.providers.media.MediaUpgradeReceiver} for user 0
I/ActivityManager( 728): Sending system update to ComponentInfo{com.android.pro
viders.calendar/com.android.providers.calendar.CalendarUpgradeReceiver} for user
0
I/ActivityManager( 728): Sending system update to ComponentInfo{com.google.andr
oid.gsf/com.google.android.gsf.loginservice.MigrateToAccountManagerBroadcastRece
iver} for user 0
I/SystemServer( 728): Enabled StrictMode for system server main thread.
I/Zygote ( 728): Process: zygote socket opened
E/dalvikvm( 926): cannot mountExternalStorage(): Success
E/dalvikvm( 926): VM aborting
F/libc ( 926): Fatal signal 11 (SIGSEGV) at 0xdeadd00d (code=1), thread 926
(zygote)
E/dalvikvm( 926): Storage environment undefined; unable to provide external sto
rage
I/ActivityManager( 728): Start proc android.process.acore for broadcast com.and
roid.providers.contacts/.ContactsUpgradeReceiver: pid=926 uid=10000 gids={50000,
3003, 1015, 1023, 1028}
I/DEBUG ( 97): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *
**
I/DEBUG ( 97): Build fingerprint: 'asus/US_epad/TF101:4.0.3/IML74K/US_epad-9
.2.1.27-20120615:user/release-keys'
I/DEBUG ( 97): Revision: '0'
I/DEBUG ( 97): pid: 926, tid: 926, name: zygote >>> zygote <<<
I/DEBUG ( 97): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadd00
d
.. and so n, now looping the sig11 crash.
Sorry for all the log lines.. here's some more info.. I did a mount on the system via adb shell, and I get this.. just in case it helps any further:
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p1 /system ext4 ro,relatime,user_xattr,acl,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p2 /cache ext4 rw,nosuid,nodev,noatime,errors=panic,user_xattr,acl,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p7 /data ext4 rw,nosuid,nodev,noatime,user_xattr,acl,barrier=1,data=ordered 0 0
tmpfs /Removable tmpfs rw,relatime,mode=755,gid=1000 0 0
Hmm.. it seems I made it work by flashing RaymanFX's v0.8.0 version of 4.2 first, and then flashing the TeamEOS nightly on top of that... no idea why that would make it work, but it does... ^.^ Well, that's solved, then.
Just out of curiousity, when you were trying to flash, did you wipe cache. dalvik, battery stats, etc? basically everything hat you can wipe? I know that this tablet is picky about an image taking unless its on a completely clean device. ps. also trying to rack up 10 posts lol
Hi fairlight
Usually when it does that it's because there are still parts of the previous rom installed.
Most likely because you didn't do a full wipe/factory reset & format system + wipe cache & dalvik-cache.
The first time you jump from one major Android version or one rom to another,
you should basically follow this procedure:
http://public.timduru.org/Android/tf101/eos4/#install
One you are on a rom and update to another minor version of the same rom,
you can usually skip the factory reset and most of the time also skip the /system format.
However if you encounter an issue it's advised to do the full wipe cycle again to make sure it's not caused by that.
As to why it might work after raymanfx rom, is most likely because of the way he creates his zip,
it's basically flashing the full blob and in the process wiping system for you.
It's inefficient as it basically flashes / copies twice and it's much longer to do it that way.
It has the advantage to do the wipe automatically for you though, so it's good for a first install.
The way the EOS4 zip does it is that it installs only the new stuff,
that's much faster and efficient, and will speed up the update process greatly.
But for the first time you migrate from another rom, you need to do the wipe steps yourself manually.
I might add the system format in the process later on, as it's really adding much more overhead.
Hi,
thanks for the replies!
I've done it exactly as descripted in the link you posted, Timduru... Factory reset, format /system, installed the ROM, then your kernel, then gapps...
I've also tried without flashing your kernel, same result, also did a complete format of /data (so, including all my internal storage), just to be sure.. all same result with the crash loop.
Seeya,
Fairlight!
FairlightLion said:
Hi,
thanks for the replies!
I've done it exactly as descripted in the link you posted, Timduru... Factory reset, format /system, installed the ROM, then your kernel, then gapps...
I've also tried without flashing your kernel, same result, also did a complete format of /data (so, including all my internal storage), just to be sure.. all same result with the crash loop.
Seeya,
Fairlight!
Click to expand...
Click to collapse
that's weird.
Not sure what could be causing that then.
Looking more at the error messages you've posted I've seen that before,
but it was when I was working on getting katkernel compatible with 4.2.1
Did you pick up the correct 70b lidpatch version , ie the specific 4.2 one ?
As you say you're having also the same issue with the default kernel included in the eos4 rom I'd say it shouldn't be that that,
but the error seems similar to what I was getting back then.
Are you getting the exact same behaviour / errors when using the eos4 included kernel or is it different ?
I have the following files that I try to flash:
07/01/2013 17:59 127,742,856 EOS-tf101-20130107-89.zip
07/01/2013 17:59 80,041,553 gapps-jb-20130105-EOS-TF101-ONLY.zip
07/01/2013 18:25 5,212,302 Tim_KatKernel_70_Lidpatch.zip
I'll recheck your thread if there's another Kernel specific for 7.2.
(Edit: Ok, that was the wrong kernel, then obviosuly.. still wondering why it also didnt work for the default EOS one.. giving the 4.2 one a go now.)
Ok, thanks to Timduru it's working now.... I seem to have constantly tried to install the 4.1 kernel of his instead of the 4.2 version... *facepalms*
Thanks for all the hints and replies... ^.^
I hope that with this thread we are able to gain system privileges with the help of CVE-2015-1474.
To begin with I try to write down what I have found. This is just a compilation of information so they might look mixed up.
The class GraphicBuffer is utilized by the system service SurfaceFlinger. My current understanding is that the vulnerable method "unflatten" is used to create a GraphicBuffer object from raw data that is sent to the service by IPC using Binder. A forged message might be easiest supplied via adb shell using this commando
Code:
[email protected]:/ $ service call SurfaceFlinger ...
I am not sure yet how the parcel get's eventually to the GraphicBuffer. It is a lot of code and I do not understand the low level graphics system of Android yet. The IGraphicBufferConsumer interface has a sub class BufferItem which has also an unflatten method which will call unflatten on GraphicBuffer. My gut tells me that the Parcel class is also involved in that process, but I'm not sure how yet.
One important piece of information that I'm still missing is how the unflattened data is used in the further processing of SurfaceFlinger. I don't think it is possible to freely write in the memory of SurfaceFlinger with this bug. There are still a lot of sanity checks to come by.
This could also effect on how we have to implement the communication with SurfaceFlinger. Maybe it's also possible with some forged objects and a SurfaceView.
Maybe together we are able to bring some light into this. A little bump in the right direction might help.
Phate123 said:
I hope that with this thread we are able to gain system privileges with the help of CVE-2015-1474.
Click to expand...
Click to collapse
Take a look at the thread below, It looks like there is already some research begin done but I can't quite get my head around whether they are on the right track. This might help us get going in the right direction though.
http://forum.xda-developers.com/not.../rd-rooting-n910a-n910v-models-t3042045/page6
awinston said:
Take a look at the thread below, It looks like there is already some research begin done but I can't quite get my head around whether they are on the right track. This might help us get going in the right direction though.
http://forum.xda-developers.com/not.../rd-rooting-n910a-n910v-models-t3042045/page6
Click to expand...
Click to collapse
Good news ( @Phate123, @awinston )! I have managed to crash the surfaceflinger on 4.5.2 (should also work on 4.5.3).
I'll upload the code on github, but first I want to briefly explain how I did it.
In Android everything that is a graphical element is represented by an GraphicBuffer.
GraphicBuffers are wrapped in BufferItems and managed by BufferQueues.
Each Queue has two sites, a producer side (IGraphicBufferProducer) and a consumer side (IGraphicBufferConsumer). In the basic scenario an app is the producer and the surfaceflinger is the consumer. These are obviously two different processes, but both must use the same BufferQueue.
BufferQueues are always created and owned by the consumers and consequently live in the same address space as the consumer. Producers must go through Binder to access their side of the queue.
As with everything in Android, the BufferQueue provides the same interface for both native (in the same process) and remote usage. The remote interface is implemented by a proxy that communicates through Binder with the other side.
In android KK BufferQueue implements the native side of the interface for both the producer (BnGraphicBufferProducer) and the consumer (BnGraphicBufferConsumer). These native implementations must provide a handler (onTransact) for requests that come from the remote proxies.
You can read more at https://source.android.com/devices/graphics/architecture.html.
Naturally, the first idea that comes into mind is to attack the native implementations of the BufferQueue that reside in the surfaceflinger. As the bug is in the unflatten routine of GraphicBuffer, we would like to craft a rogue parcel that represents a GraphicBuffer and then wait for the surfaceflinger to choke with it.
Unfortunately, from my findings, the bugged unflatten method is not called from the onTransact handler in the native implementations.
Only the proxy implementations seem to be a valid target, through BpGraphicBufferProducer::requestBuffer and BpGraphicBufferConsumer::aquireBuffer. Now we have a problem: as the BufferQueue resides in the surfaceflinger, there is no proxy implementation to attack.
Our only hope is to somehow create the BufferQueue in our process, so that we are the consumers, and use the surfaceflinger as the producer. This way the surfaceflinger would be accessing the BufferQueue through the bugged proxy (BpGraphicBufferProducer::requestBuffer). One way to use the surfaceflinger as a producer is to make screen captures.
I found the screencap command to be a very nice starting point to tinker with the idea as it does exactly what we wanted - it uses the surfaceflinger as a producer and pulls screen captures from it. Next I only had to hook the vtable entry of BpGraphicBufferProducer:: onTransact.
Now we have to control the overflow in GraphicsBuffer::unflatten.
p1gl3t said:
Good news ( @Phate123, @awinston )! I have managed to crash the surfaceflinger on 4.5.2 (should also work on 4.5.3).
Click to expand...
Click to collapse
Wow you are really good! I had started to piece some of this together and wanted to document it for good measure even though you are going to clearly beat the rest of us to this exploit. Arguably I could never figure it out, but never hurts to try. At least I am learning.
https://charleszblog.wordpress.com/2014/02/20/understanding-android-internals-graphics-basics-i/
http://translate.google.com/transla...dyhuabing/article/details/7489776&prev=search
http://4.bp.blogspot.com/-qQxyvr2Vc8w/VFYLxdacwpI/AAAAAAAAAes/HMMrUIwC9OY/s1600/Selection_043.png
https://android.googlesource.com/platform/frameworks/native/+/master/libs/gui/tests/Surface_test.cpp
The screenshot test is where I was focusing but wasn't really getting very far.
Crashed unflatten as well
Okay so I crashed unflatten as well. Trying to figure out where to go from here. I am a little confused though because I did it natively by calling unflatten directly from a cpp program I wrote with a few lines of code. When you crash it like this how do I know it was the buffer overflow? Sorry, still trying to learn as I go.
03-05 17:06:47.380 2652-2652/? A/libc﹕ Fatal signal 11 (SIGSEGV) at 0x52464247 (code=1), thread 2652 (screenshot)
03-05 17:06:47.490 258-258/? I/DEBUG﹕ *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-05 17:06:47.490 258-258/? I/DEBUG﹕ AM write failure (32 / Broken pipe)
03-05 17:06:47.490 258-258/? I/DEBUG﹕ Build fingerprint: 'Amazon/thor/thor:4.4.3/KTU84M/13.4.5.2_user_452004220:user/release-keys'
03-05 17:06:47.490 258-258/? I/DEBUG﹕ Revision: '0'
03-05 17:06:47.490 258-258/? I/DEBUG﹕ pid: 2652, tid: 2652, name: screenshot >>> ./screenshot <<<
03-05 17:06:47.490 258-258/? I/DEBUG﹕ signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 52464247
03-05 17:06:47.490 955-1055/? W/NativeCrashListener﹕ Couldn't find ProcessRecord for pid 2652
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r0 b723dfb8 r1 47424652 r2 be94a600 r3 00000020
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r4 b723dfb8 r5 be94a618 r6 52464247 r7 be94a604
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r8 be94a600 r9 00000000 sl be94a618 fp be94a6ec
03-05 17:06:47.500 258-258/? I/DEBUG﹕ ip b6f08f44 sp be94a590 lr b6f04f4b pc b6e34b94 cpsr 200b0030
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d0 0000000000000000 d1 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d2 0000000000000000 d3 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d4 0000000000000000 d5 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d6 0000000000000000 d7 55ab5f0000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d8 0000000000000000 d9 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d10 0000000000000000 d11 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d12 0000000000000000 d13 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d14 0000000000000000 d15 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d16 0000002000000001 d17 0000000000000020
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d18 b723a630b723a618 d19 b723a658b723a648
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d20 b723a678b723a668 d21 b723a698b723a688
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d22 b723aaf8b723a6a8 d23 b723af58b723af48
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d24 0000000000000000 d25 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d26 0000000000000000 d27 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d28 0000000000000000 d29 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d30 0000000000000000 d31 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ scr 00000010
03-05 17:06:47.510 258-258/? I/DEBUG﹕ backtrace:
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #00 pc 00005b94 /system/lib/libui.so (android::GraphicBuffer::unflatten(void const*&, unsigned int&, int const*&, unsigned int&)+23)
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #01 pc 00002f47 /data/local/tmp/screenshot
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #02 pc 0000e4db /system/lib/libc.so (__libc_init+50)
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #03 pc 0000308c /data/local/tmp/screenshot
03-05 17:06:47.510 258-258/? I/DEBUG﹕ stack:
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a550 00000000
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a554 b6010001
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a558 00000000
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a55c b6e0d44b /system/lib/libgui.so
---------- Post added at 12:26 AM ---------- Previous post was at 12:12 AM ----------
awinston said:
Okay so I crashed unflatten as well.
Click to expand...
Click to collapse
Is the trick to do it through the surfaceflinger process because it is running with escalated privileges?
awinston said:
Okay so I crashed unflatten as well. Trying to figure out where to go from here. I am a little confused though because I did it natively by calling unflatten directly from a cpp program I wrote with a few lines of code. When you crash it like this how do I know it was the buffer overflow? Sorry, still trying to learn as I go.
03-05 17:06:47.380 2652-2652/? A/libc﹕ Fatal signal 11 (SIGSEGV) at 0x52464247 (code=1), thread 2652 (screenshot)
03-05 17:06:47.490 258-258/? I/DEBUG﹕ *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-05 17:06:47.490 258-258/? I/DEBUG﹕ AM write failure (32 / Broken pipe)
03-05 17:06:47.490 258-258/? I/DEBUG﹕ Build fingerprint: 'Amazon/thor/thor:4.4.3/KTU84M/13.4.5.2_user_452004220:user/release-keys'
03-05 17:06:47.490 258-258/? I/DEBUG﹕ Revision: '0'
03-05 17:06:47.490 258-258/? I/DEBUG﹕ pid: 2652, tid: 2652, name: screenshot >>> ./screenshot <<<
03-05 17:06:47.490 258-258/? I/DEBUG﹕ signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 52464247
03-05 17:06:47.490 955-1055/? W/NativeCrashListener﹕ Couldn't find ProcessRecord for pid 2652
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r0 b723dfb8 r1 47424652 r2 be94a600 r3 00000020
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r4 b723dfb8 r5 be94a618 r6 52464247 r7 be94a604
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r8 be94a600 r9 00000000 sl be94a618 fp be94a6ec
03-05 17:06:47.500 258-258/? I/DEBUG﹕ ip b6f08f44 sp be94a590 lr b6f04f4b pc b6e34b94 cpsr 200b0030
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d0 0000000000000000 d1 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d2 0000000000000000 d3 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d4 0000000000000000 d5 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d6 0000000000000000 d7 55ab5f0000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d8 0000000000000000 d9 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d10 0000000000000000 d11 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d12 0000000000000000 d13 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d14 0000000000000000 d15 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d16 0000002000000001 d17 0000000000000020
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d18 b723a630b723a618 d19 b723a658b723a648
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d20 b723a678b723a668 d21 b723a698b723a688
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d22 b723aaf8b723a6a8 d23 b723af58b723af48
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d24 0000000000000000 d25 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d26 0000000000000000 d27 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d28 0000000000000000 d29 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d30 0000000000000000 d31 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ scr 00000010
03-05 17:06:47.510 258-258/? I/DEBUG﹕ backtrace:
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #00 pc 00005b94 /system/lib/libui.so (android::GraphicBuffer::unflatten(void const*&, unsigned int&, int const*&, unsigned int&)+23)
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #01 pc 00002f47 /data/local/tmp/screenshot
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #02 pc 0000e4db /system/lib/libc.so (__libc_init+50)
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #03 pc 0000308c /data/local/tmp/screenshot
03-05 17:06:47.510 258-258/? I/DEBUG﹕ stack:
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a550 00000000
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a554 b6010001
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a558 00000000
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a55c b6e0d44b /system/lib/libgui.so
---------- Post added at 12:26 AM ---------- Previous post was at 12:12 AM ----------
Is the trick to do it through the surfaceflinger process because it is running with escalated privileges?
Click to expand...
Click to collapse
Surfaceflinger runs under the system user (+drmrpc group) and should have access to /dev/qseecom, through which we can get root using CVE-2014-4322.
The problem is that the heap buffer overflow triggered by unflatten seems very difficult to exploit.
We must consider the following to achieve a controlled memory write:
sizeof(native_handle_t) + sizeof(int)*(numFds+numInts) must overflow 32 bits and remain small enough that the malloc succeeds and returns a valid heap address in h->data. If the malloc were to fail, we would memcpy to address 0 and get a seg fault.
as even after the malloc, numInts and numFds are used only after being multiplied by 4 (sizeof(int)), we can ignore the 2 most significant bits from both of them. This means that the only way to get any kind of bof is to generate transport from bit 29 to bit 30 on the sum numFds+numInts. Consequently, at least one of numInts or numFds must have bit 29 set. This doesn't sound very good because next we will do a memcpy of numFds * 4 bytes and next a memcpy of numInts * 4 bytes, meaning that at least one of the two memcpy calls will try to copy at least (1<<31) bytes. This will certainly lead to a segfault before we can trigger something from another thread...
the executable code is position independent so we would need to leak an address to be able to use rop.
Things don't look good at all... I really hope that I have made a mistake or that there is another approach to the problem.
I'm afraid that the pros would have already implemented an exploit by now, if it could have been done.
p1gl3t said:
We must consider the following to obtain a controlled memory write:
sizeof(native_handle_t) + sizeof(int)*(numFds+numInts) must overflow 32 bits and remain small enough that the malloc succeeds and returns a valid heap address in h->data. If the malloc were to fail, we would memcpy to address 0 and get a seg fault.
as even after the malloc, numInts and numFds are used only after being multiplied by 4 (sizeof(int)), we can ignore the 2 most significant bits from both of them. This means that the only way to get any kind of bof is to generate transport from bit 29 to bit 30 on the sum numFds+numInts. Consequently, at least one of numInts or numFds must have bit 29 set. This doesn't sound very good because next we will do a memcpy of numFds * 4 bytes and next a memcpy of numInts * 4 bytes, meaning that at least one of the two memcpy calls will try to copy at least (1<<31) bytes. This will certainly lead to a segfault before we can trigger something from another thread...
the executable code is position independent so we would need to leak an address to be able to use rop.
Things don't look good at all... I really hope that I have made a mistake or that there is another approach to the problem.
I'm afraid that the exploit pros would have already implemented an exploit if it could have been done.
Click to expand...
Click to collapse
That have been my thoughts too. There is a memory corruption but it is difficult to use and it is not on areas that could be used to manipulate the return stack or a vtable entry. Or I just can't see the way. I have experience in this area,but it is kinda limited.
BTW: These drivers are not used by the Fire HDX by chance? https://www.codeaurora.org/projects...le-camera-drivers-cve-2014-4321-cve-2014-4324
Sadly I cannot find enough time to spend hours on digging. I hope there are some to be find this weekend though.
Phate123 said:
That have been my thoughts too. There is a memory corruption but it is difficult to use and it is not on areas that could be used to manipulate the return stack or a vtable entry. Or I just can't see the way. I have experience in this area,but it is kinda limited.
BTW: These drivers are not used by the Fire HDX by chance? https://www.codeaurora.org/projects...le-camera-drivers-cve-2014-4321-cve-2014-4324
Sadly I cannot find enough time to spend hours on digging. I hope there are some to be find this weekend though.
Click to expand...
Click to collapse
I don't think a stack attack would have been feasible at all as the code should be compiled with stack protector on and we can't do a brute force on the canary value. Hijacking a vtable pointer or a got entry would have been the way to go, but we still wouldn't know what to write as everything is aslr'd.
Regarding those camera drivers, I think someone over at the Samsung section also mentioned them. I'll look into them and report back.
p1gl3t said:
I don't think a stack attack would have been feasible at all as the code should be compiled with stack protector on and we can't do a brute force on the canary value. Hijacking a vtable pointer or a got entry would have been the way to go, but we still wouldn't know what to write as everything is aslr'd.
Click to expand...
Click to collapse
Would you mind sharing your code even though it doesn't look like you will be able to exploit this overflow? I am still trying to get my head around the basic attack through surface flinger and it would help me greatly to better understand how at least in theory this works. No worries if you don't want to.
awinston said:
Would you mind sharing your code even though it doesn't look like you will be able to exploit this overflow? I am still trying to get my head around the basic attack through surface flinger and it would help me greatly to better understand how at least in theory this works. No worries if you don't want to.
Click to expand...
Click to collapse
Here you go: https://github.com/p1gl3t/CVE-2015-1474_poc.
p1gl3t, great job on creating a poc of the exploit :good:
p1gl3t said:
Regarding those camera drivers, I think someone over at the Samsung section also mentioned them. I'll look into them and report back.
Click to expand...
Click to collapse
@jcase Says no on those camera group holes. http://forum.xda-developers.com/showpost.php?p=58945240&postcount=18
It's good to see other's working on 2015-1474 also :good:
ZPaul2Fresh8 said:
@jcase Says no on those camera group holes. http://forum.xda-developers.com/showpost.php?p=58945240&postcount=18
It's good to see other's working on 2015-1474 also :good:
Click to expand...
Click to collapse
@jcase is right, only mediaserver is executed under group camera so that it can access /dev/video*. You can see that in init.base.rc and ueventd.qcom.rc.
Now returning to the original topic... I fiddled around with unflatten, giving some input that should have made it crash.
What I did is I left numInts untouched and set numFds = -numInts. I was expecting surfaceflinger to crash every single time when it did the first memcpy. Somehow it didn't. I was baffled and had to gdb the process to see where my assumptions were wrong.
I breaked just before the first memcpy and printed the params:
Code:
(gdb) p $r0
$19 = 3074255348
(gdb) p $r1
$20 = 3074340312
(gdb) p $r2
$21 = 4294967248
r0 is the destination, r1 the source and r2 the number of bytes to copy. r2 is the unsigned representation of 4 * (-12) = 4 * numFds = -4 * numInts.
How did the program NOT crash???!! It even worked a second time, but crashed with SIGABRT in a free() because of heap corruption (I suppose). So even the second memcpy passed without segfault.
Here you have the memory map of surfaceflinger.
LE I have traced the memcpy. It looks like this on my Apollo 14.4.5.2
Code:
.text:0002218C __memcpy_base
.text:0002218C CMP R2, #4
.text:0002218E BLT.W loc_222DC
.text:00022192 CMP R2, #0x10
.text:00022194 BLT.W loc_222BE
.text:00022198 CMP R2, #0x20
.text:0002219A BLT.W loc_222AE
.text:0002219E CMP R2, #0x40
.text:000221A0 BLT loc_222A2
It seems like R2 (number of bytes) is treated like a signed int and the first branch is taken and the following instructions are executed
Code:
.text:000222DC loc_222DC ; CODE XREF: __memcpy_base+2
.text:000222DC LSLS R2, R2, #0x1F
.text:000222DE ITT CS
.text:000222E0 LDRCSH.W R3, [R1],#2
.text:000222E4 STRCSH.W R3, [R0],#2
.text:000222E8 ITT MI
.text:000222EA LDRMIB R3, [R1]
.text:000222EC STRMIB R3, [R0]
This ends up copying only n & 3 bytes, which is < 4. Basically, only the 2 least significant bits from n matter).
So... I guess we are able to write to h->data + numFds*4 as long as numFds*4 is negative. But having numFds as an offset may hurt us on the malloc side.
Now we have to defeat aslr somehow.
Any chance
I hope you are still working on this, we really need to get ride of the crappy Amazon OS and unlock the full potential of these amazing tablet specs.
I have an open tablet that I should repair, if there is need to take some photos of components please let me know, I am not into software hacking yet and it will takes me some time to get into it... but I want to contribute to make this possible, I hope more smart guys from around here join their effort to do it.
I wish if there is another tablet on the market who is as good as this one right now at an affordable price, to just see how CM12.1 behave on it, I tried it on a KFHD before I get it bricked it was fine but little bit laggy due to limited specs and low ram.
Hi, p1gl3t!
I'm interesting in your PoC and have to ask... Is your work on this done? And how might I use that for my specific device?
dadreamer said:
Hi, p1gl3t!
I'm interesting in your PoC and have to ask... Is your work on this done? And how might I use that for my specific device?
Click to expand...
Click to collapse
Not sure what this thread was all about (didn't look back) but the last post was over 2 years ago. A lot has happened since then; every 3rd gen HDX can be bootloader unlocked opening the door to custom ROMS ranging from Android 4.4.4 to 7.1.1.
https://forum.xda-developers.com/kindle-fire-hdx/general/thor-unlocking-bootloader-firmware-t3463982
https://forum.xda-developers.com/kindle-fire-hdx/general/thor-4-5-5-2-easy-to-root-unlock-t3571240
Davey126 said:
every 3rd gen HDX can be bootloader unlocked opening the door to custom ROMS ranging from Android 4.4.4 to 7.1.1.
Click to expand...
Click to collapse
Well, that's true but not for my device I still have a slightly outdated smartphone. It is Docomo Fujitsu Arrows NX F-01F [ Android 4.4.2, build # V10R22A (kernel version 3.4.0), ARMv7 arch (armv7l, armeabi-v7a) ]. And it's got no public firmwares at all, no bootloader unlock and no root in easy ways. Besides of that, there's one "pleasant" addition - PXN (Privilege Execute-Never), which doesn't let me to root the phone with simple ways or common tools.
To bypass PXN I have to use some JOP approach but for it I need to get boot.img or kernel memory dump somehow. Because I have no factory ROMs I'm trying to pull out boot.img through known vulnerabilities of my dev. One of them is CVE-2015-1474 (GraphicBuffer integer overflow), which potentially might give me system privilegies to copy boot.img from that phone.
So I wonder if p1gl3t's code is ready to use and is able to give the system privilegies. It seems it should be compiled together with AOSP codebase. But I'm unsure if it would work well when I get it compiled.
Checked your links. There I see that the presence of root is required. But I can't gain root so can't use those tools.
dadreamer said:
Well, that's true but not for my device I still have a slightly outdated smartphone. It is Docomo Fujitsu Arrows NX F-01F [ Android 4.4.2, build # V10R22A (kernel version 3.4.0), ARMv7 arch (armv7l, armeabi-v7a) ]. And it's got no public firmwares at all, no bootloader unlock and no root in easy ways. Besides of that, there's one "pleasant" addition - PXN (Privilege Execute-Never), which doesn't let me to root the phone with simple ways or common tools.
To bypass PXN I have to use some JOP approach but for it I need to get boot.img or kernel memory dump somehow. Because I have no factory ROMs I'm trying to pull out boot.img through known vulnerabilities of my dev. One of them is CVE-2015-1474 (GraphicBuffer integer overflow), which potentially might give me system privilegies to copy boot.img from that phone.
So I wonder if p1gl3t's code is ready to use and is able to give the system privilegies. It seems it should be compiled together with AOSP codebase. But I'm unsure if it would work well when I get it compiled.
Checked your links. There I see that the presence of root is required. But I can't gain root so can't use those tools.
Click to expand...
Click to collapse
Have not seen @p1gl3t on this thread/forum in awhile; not sure if s/he is still active on XDA. Might try a PM. Given the age and, err, uniqueness of device in question I suspect you're in for quite a ride. Good luck.
Well, I have compiled that badscreencap by p1gl3t along with android 4.4.2 codebase and then pushed it to my dev. But whenever I run it I receive segfault:
Code:
[email protected]:/data/local/tmp $ ./badscreencap
pid 24824
display.update ret 0
IGraphicBufferConsumer::consumerDisconnect 0x18
BBinder::onTransact 0x40
BnGraphicBufferProducer::onTransact 0x34
BBinder::onTransact 0x40
BnGraphicBufferProducer::onTransact 0x34
BBinder::onTransact 0xb6889759
BnGraphicBufferProducer::onTransact 0xb6889391
BBinder::onTransact = 0xb6899048
*BBinder::onTransact = 0xb6889759
BBinder::onTransact = 0xb7b912b0
*BBinder::onTransact = 0xb6889759
--------
f1 04 00 ff f7 18 be 38 b5 04 46 0d 46 11 b1 08 46 f6 f7 50
--------
[1] + Stopped (signal) ./badscreencap
When I issue any one command after that I get
Code:
[email protected]:/data/local/tmp $
[1] + Segmentation fault ./badscreencap (core dumped)
Of course, no any signs of system privileges for my id. Checked this with logcat and it has got the following trace:
F/libc (24824): Fatal signal 11 (SIGSEGV) at 0x00000004 (code=1), thread 24824 (badscreencap)
D/wpa_supplicant(10784): wlan0: Control interface command 'SIGNAL_POLL'
D/wpa_supplicant(10784): signal_poll nl80211_signal_poll:10508 rssi:[-47]
D/wpa_supplicant(10784): nl80211: survey data missing!
D/wpa_supplicant(10784): wlan0: Control interface command 'PKTCNT_POLL'
I/DEBUG ( 266): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 266): Build fingerprint: 'DOCOMO/F01F/F01F:4.4.2/V10R22A/F01F.20150107.043237:user/release-keys'
I/DEBUG ( 266): Revision: '37'
I/DEBUG ( 266): pid: 24824, tid: 24824, name: badscreencap >>> ./badscreencap <<<
I/DEBUG ( 266): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000004
W/NativeCrashListener( 1119): Couldn't find ProcessRecord for pid 24824
I/DEBUG ( 266): r0 00000004 r1 beca97ac r2 b6f6f82c r3 00000004
I/DEBUG ( 266): AM write failure (32 / Broken pipe)
I/DEBUG ( 266): r4 00000000 r5 b7b8eee8 r6 b688b285 r7 00000000
I/DEBUG ( 266): r8 beca97e4 r9 00000000 sl beca99d8 fp beca98ac
I/DEBUG ( 266): ip b6ec1f38 sp beca9780 lr b6eba0d5 pc b6ee9b5c cpsr 000b0010
I/DEBUG ( 266): d0 0000000000000000 d1 0000000000000000
I/DEBUG ( 266): d2 0000000000000000 d3 0000000000000000
I/DEBUG ( 266): d4 0000000000000000 d5 0000000000000000
I/DEBUG ( 266): d6 0000000000000000 d7 3849498000000000
I/DEBUG ( 266): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 266): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 266): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 266): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 266): d16 7265646e6942422a d17 6e6172546e6f3a3a
I/DEBUG ( 266): d18 b6e8d399b6e8d4af d19 b6e8d07fb6e8d377
I/DEBUG ( 266): d20 b68827d1b6e8d071 d21 b6889759b68827f3
I/DEBUG ( 266): d22 0000000000000000 d23 0000000000000000
I/DEBUG ( 266): d24 0000000000000000 d25 0000000000000000
I/DEBUG ( 266): d26 0000000000000000 d27 0000000000000000
I/DEBUG ( 266): d28 0000000000000000 d29 0000000000000000
I/DEBUG ( 266): d30 0000000000000000 d31 0000000000000000
I/DEBUG ( 266): scr 00000010
I/DEBUG ( 266):
I/DEBUG ( 266): backtrace:
I/DEBUG ( 266): #00 pc 00003b5c /system/lib/libcutils.so (android_atomic_inc+8)
I/DEBUG ( 266): #01 pc 0000d0d1 /system/lib/libutils.so (android::RefBase::incStrong(void const*) const+6)
I/DEBUG ( 266): #02 pc 0002a3b5 /system/lib/libgui.so (android::sp<android::IBinder>::sp(android::sp<android::IBinder> const&)+20)
I/DEBUG ( 266): #03 pc 0003494f /system/lib/libgui.so (android::ScreenshotClient::update(android::sp<android::IBinder> const&, unsigned int, unsigned int, unsigned int, unsigned int)+78)
I/DEBUG ( 266): #04 pc 000349c1 /system/lib/libgui.so (android::ScreenshotClient::update(android::sp<android::IBinder> const&)+14)
I/DEBUG ( 266): #05 pc 00005de1 /data/local/tmp/badscreencap
I/DEBUG ( 266): #06 pc 0000e5a3 /system/lib/libc.so (__libc_init+50)
I/DEBUG ( 266): #07 pc 00005590 /data/local/tmp/badscreencap
I/DEBUG ( 266):
I/DEBUG ( 266): stack:
I/DEBUG ( 266): beca9740 00000000
I/DEBUG ( 266): beca9744 b6885b8b /system/lib/libgui.so (android::CpuConsumer::releaseAcquiredBufferLocked(int)+150)
I/DEBUG ( 266): beca9748 00000000
I/DEBUG ( 266): beca974c b68a0154 /system/lib/libgui.so
I/DEBUG ( 266): beca9750 b6f6e268 /data/local/tmp/badscreencap
I/DEBUG ( 266): beca9754 b7b900f0 [heap]
I/DEBUG ( 266): beca9758 b7b8fc40 [heap]
I/DEBUG ( 266): beca975c b7b8fc40 [heap]
I/DEBUG ( 266): beca9760 0000000c
I/DEBUG ( 266): beca9764 b6f6e268 /data/local/tmp/badscreencap
I/DEBUG ( 266): beca9768 b7b8fc40 [heap]
I/DEBUG ( 266): beca976c 00000000
I/DEBUG ( 266): beca9770 b6f6e268 /data/local/tmp/badscreencap
I/DEBUG ( 266): beca9774 b6885c09 /system/lib/libgui.so (android::CpuConsumer::unlockBuffer(android::CpuConsumer::LockedBuffer const&)+92)
I/DEBUG ( 266): beca9778 b7b8fc40 [heap]
I/DEBUG ( 266): beca977c beca9808 [stack]
I/DEBUG ( 266): #00 beca9780 beca97ac [stack]
I/DEBUG ( 266): ........ ........
I/DEBUG ( 266): #01 beca9780 beca97ac [stack]
I/DEBUG ( 266): beca9784 b68853b9 /system/lib/libgui.so (android::sp<android::IBinder>::sp(android::sp<android::IBinder> const&)+24)
I/DEBUG ( 266): #02 beca9788 beca9800 [stack]
I/DEBUG ( 266): beca978c b688f953 /system/lib/libgui.so (android::ScreenshotClient::update(android::sp<android::IBinder> const&, unsigned int, unsigned int, unsigned int, unsigned int)+82)
I/DEBUG ( 266):
I/DEBUG ( 266): memory near r1:
I/DEBUG ( 266): beca978c b688f953 b6f4b334 00000002 b7b8f0e0
I/DEBUG ( 266): beca979c 00000000 b6f3d1d8 b7b8eee8 b7b8fc40
I/DEBUG ( 266): beca97ac b7b8f0e0 b6f6e08f 00000000 b7b91270
I/DEBUG ( 266): beca97bc b6f6e268 b7b8f0e0 b6f6e24e b6899008
I/DEBUG ( 266): beca97cc b688f9c5 00000000 ffffffff 00000000
I/DEBUG ( 266): beca97dc b6f6dde5 00000000 b7b8f0a0 00000018
I/DEBUG ( 266): beca97ec 00000001 00000040 00000001 00000034
I/DEBUG ( 266): beca97fc 00000001 b7b8fc40 b7b8f0e0 00000000
I/DEBUG ( 266): beca980c 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca981c 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca982c 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca983c 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca984c 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca985c beca98b4 beca98b4 beca98bc 00000001
I/DEBUG ( 266): beca986c b6f3cfd8 b6f6db95 00000000 00000000
I/DEBUG ( 266): beca987c b6f015a5 00000000 00000000 00000000
I/DEBUG ( 266):
I/DEBUG ( 266): memory near r2:
I/DEBUG ( 266): b6f6f80c b6f6f9d0 b6f6f8ac b6f6f8fc b6f6f958
I/DEBUG ( 266): b6f6f81c b6f6f9a8 0000058c 00000000 00000000
I/DEBUG ( 266): b6f6f82c b6f6d769 b6f6d7e1 b6f6d5eb b6f6d5f9
I/DEBUG ( 266): b6f6f83c b6f6d899 b6883bd5 b6883ce9 b68843d1
I/DEBUG ( 266): b6f6f84c b6882dd5 b68828f1 b68829e9 b6883a59
I/DEBUG ( 266): b6f6f85c b6f6d8f5 b6889391 b6881f99 b6884cf1
I/DEBUG ( 266): b6f6f86c b6884ac9 b688372d b68839b9 b6884fb9
I/DEBUG ( 266): b6f6f87c b68822a9 b6882889 b68826f5 b6882679
I/DEBUG ( 266): b6f6f88c b6882383 b6882359 b688232f b6882305
I/DEBUG ( 266): b6f6f89c b688241d 00000588 fffffffc 00000000
I/DEBUG ( 266): b6f6f8ac b6f6d92d b6f6d5fd b6e8d075 b6e8d071
I/DEBUG ( 266): b6f6f8bc b6e8d071 b6e8d1e9 b6e8d079 b6e8d079
I/DEBUG ( 266): b6f6f8cc b6e8d071 b6e8d4af b6e8d399 b6e8d377
I/DEBUG ( 266): b6f6f8dc b6e8d07f b6e8d071 b6f6d7cf b6f6d805
I/DEBUG ( 266): b6f6f8ec b6889759 0000057c fffffff0 00000000
I/DEBUG ( 266): b6f6f8fc b6f6d7c9 b6f6d7ff b6f6d5eb b6884fb1
I/DEBUG ( 266):
I/DEBUG ( 266): memory near r5:
I/DEBUG ( 266): b7b8eec8 b7b8eed0 0000001b 00000001 00000001
I/DEBUG ( 266): b7b8eed8 b7b8eec4 00000001 00000000 00000023
I/DEBUG ( 266): b7b8eee8 b689d17c b689d1d0 b7b8ef88 b7b8efc8
I/DEBUG ( 266): b7b8eef8 00000001 b689d200 b7b8ef08 0000001b
I/DEBUG ( 266): b7b8ef08 00000002 00000002 b7b8eefc 00000001
I/DEBUG ( 266): b7b8ef18 006e0061 0000001b b689e97c b7b8e408
I/DEBUG ( 266): b7b8ef28 b689e9a4 b7b8ef38 00660072 0000001b
I/DEBUG ( 266): b7b8ef38 00000001 00000002 b7b8ef28 00000000
I/DEBUG ( 266): b7b8ef48 00000000 0000001b b6e9a888 b7b8eff0
I/DEBUG ( 266): b7b8ef58 00000001 00000000 00000010 00000023
I/DEBUG ( 266): b7b8ef68 00000001 00000001 b7b8f0d4 00000001
I/DEBUG ( 266): b7b8ef78 00000000 00000000 00000020 00000043
I/DEBUG ( 266): b7b8ef88 b6e9a944 00000001 00000000 00000001
I/DEBUG ( 266): b7b8ef98 00000000 b7b8ef50 b6e9a858 00000000
I/DEBUG ( 266): b7b8efa8 00000000 00000000 00000010 00000000
I/DEBUG ( 266): b7b8efb8 b7b8a048 b6e9a9ac b7b8efc8 0000001b
I/DEBUG ( 266):
I/DEBUG ( 266): memory near r6:
I/DEBUG ( 266): b688b264 a81047a0 ea4cf7f4 a8104604 ea4ef7f4
I/DEBUG ( 266): b688b274 f7f4a804 4620ea4c bdf0b01d 00014f3c
I/DEBUG ( 266): b688b284 b09db5f0 a8044604 461f4615 f7f4460e
I/DEBUG ( 266): b688b294 a810ea26 ea22f7f4 a804491c f7f44479
I/DEBUG ( 266): b688b2a4 4631ea24 f7f4a804 a803eada f7f46829
I/DEBUG ( 266): b688b2b4 a903ead0 f7f4a804 a803ead2 fe31f7f5
I/DEBUG ( 266): b688b2c4 a8044639 ea16f7f4 a8049922 ea12f7f4
I/DEBUG ( 266): b688b2d4 a8049923 ea0ef7f4 a8049924 ea0af7f4
I/DEBUG ( 266): b688b2e4 210e68a0 68032200 aa049200 ab10695c
D/wpa_supplicant(10784): wlan0: Control interface command 'SIGNAL_POLL'
I/DEBUG ( 266): b688b2f4 a81047a0 ea04f7f4 a8104604 ea06f7f4
I/DEBUG ( 266): b688b304 f7f4a804 4620ea04 bdf0b01d 00014e94
I/DEBUG ( 266): b688b314 1d05b538 f1004604 f7f4004c 4628ee1e
I/DEBUG ( 266): b688b324 fdfff7f5 f7f54620 4620fdfc b538bd38
I/DEBUG ( 266): b688b334 4615460c 4620e004 f7ff3d01 3460ffe9
I/DEBUG ( 266): b688b344 d1f82d00 0000bd38 b09db530 a8044604
I/DEBUG ( 266): b688b354 f7f4460d a810e9c4 e9c0f7f4 23004925
I/DEBUG ( 266):
I/DEBUG ( 266): memory near r8:
I/DEBUG ( 266): beca97c4 b6f6e24e b6899008 b688f9c5 00000000
I/DEBUG ( 266): beca97d4 ffffffff 00000000 b6f6dde5 00000000
I/DEBUG ( 266): beca97e4 b7b8f0a0 00000018 00000001 00000040
I/DEBUG ( 266): beca97f4 00000001 00000034 00000001 b7b8fc40
I/DEBUG ( 266): beca9804 b7b8f0e0 00000000 00000000 00000000
I/DEBUG ( 266): beca9814 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca9824 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca9834 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca9844 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca9854 00000000 00000000 beca98b4 beca98b4
I/DEBUG ( 266): beca9864 beca98bc 00000001 b6f3cfd8 b6f6db95
I/DEBUG ( 266): beca9874 00000000 00000000 b6f015a5 00000000
I/DEBUG ( 266): beca9884 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca9894 b6f6d594 b6f6f668 b6f6f670 b6f6f678
I/DEBUG ( 266): beca98a4 beca98b0 00000000 b6f57881 00000001
I/DEBUG ( 266): beca98b4 beca99d8 00000000 beca99e7 beca99f8
I/DEBUG ( 266):
I/DEBUG ( 266): memory near sl:
I/DEBUG ( 266): beca99b8 beca99d4 00000000 00000000 5c2cbe0e
I/DEBUG ( 266): beca99c8 6dbb4e08 7c900b9b 76a8a152 006c3776
I/DEBUG ( 266): beca99d8 61622f2e 72637364 636e6565 5f007061
I/DEBUG ( 266): beca99e8 622f2e3d 63736461 6e656572 00706163
I/DEBUG ( 266): beca99f8 48544150 62732f3d 2f3a6e69 646e6576
I/DEBUG ( 266): beca9a08 622f726f 2f3a6e69 74737973 732f6d65
D/wpa_supplicant(10784): signal_poll nl80211_signal_poll:10508 rssi:[-47]
D/wpa_supplicant(10784): nl80211: survey data missing!
I/DEBUG ( 266): beca9a18 3a6e6962 7379732f 2f6d6574 3a6e6962
I/DEBUG ( 266): beca9a28 7379732f 2f6d6574 6e696278 4f4f4c00
I/DEBUG ( 266): beca9a38 4f4d5f50 50544e55 544e494f 6e6d2f3d
I/DEBUG ( 266): beca9a48 626f2f74 4e410062 494f5244 4f525f44
I/DEBUG ( 266): beca9a58 2f3d544f 74737973 56006d65 5f454249
I/DEBUG ( 266): beca9a68 45504950 5441505f 642f3d48 702f7665
I/DEBUG ( 266): beca9a78 73657069 45485300 2f3d4c4c 74737973
I/DEBUG ( 266): beca9a88 622f6d65 732f6e69 4e410068 494f5244
I/DEBUG ( 266): beca9a98 41445f44 2f3d4154 61746164 444e4100
I/DEBUG ( 266): beca9aa8 44494f52 5353415f 3d535445 7379732f
I/DEBUG ( 266):
I/DEBUG ( 266): memory near fp:
I/DEBUG ( 266): beca988c 00000000 00000000 b6f6d594 b6f6f668
I/DEBUG ( 266): beca989c b6f6f670 b6f6f678 beca98b0 00000000
I/DEBUG ( 266): beca98ac b6f57881 00000001 beca99d8 00000000
I/DEBUG ( 266): beca98bc beca99e7 beca99f8 beca9a35 beca9a4e
I/DEBUG ( 266): beca98cc beca9a63 beca9a7d beca9a92 beca9aa5
I/DEBUG ( 266): beca98dc beca9ac0 beca9acb beca9af4 beca9b13
I/DEBUG ( 266): beca98ec beca9b26 beca9b34 beca9b5c beca9e57
I/DEBUG ( 266): beca98fc beca9e83 beca9e9a beca9ebf beca9ee9
I/DEBUG ( 266): beca990c beca9f02 beca9f16 beca9f3d beca9f67
I/DEBUG ( 266): beca991c beca9f8d beca9f9a beca9fb4 beca9fd7
I/DEBUG ( 266): beca992c beca9fe2 00000000 00000010 0007b0d7
I/DEBUG ( 266): beca993c 00000006 00001000 00000011 00000064
I/DEBUG ( 266): beca994c 00000003 b6f68034 00000004 00000020
I/DEBUG ( 266): beca995c 00000005 00000008 00000007 b6f56000
I/DEBUG ( 266): beca996c 00000008 00000000 00000009 b6f6d530
I/DEBUG ( 266): beca997c 0000000b 000007d0 0000000c 000007d0
I/DEBUG ( 266):
I/DEBUG ( 266): memory near ip:
I/DEBUG ( 266): b6ec1f18 b6f1e845 b6f052ef b6f05357 b6f196c1
I/DEBUG ( 266): b6ec1f28 b6f15749 b6f1542c b6f1cb11 b6f1e239
I/DEBUG ( 266): b6ec1f38 b6ee9b54 b6ee9b34 b6ee9b74 b6ee9b0c
I/DEBUG ( 266): b6ec1f48 b6ee9bb8 b6f00de1 b6f2d62f b6f164dd
I/DEBUG ( 266): b6ec1f58 b6f1ba3d b6f1e7b9 b6f2d3bb b6f167db
I/DEBUG ( 266): b6ec1f68 b6f20c55 b6f135e4 b6f20035 b6f05f01
I/DEBUG ( 266): b6ec1f78 b6f05f29 b6f05f71 b6f003d0 b6f05f1b
I/DEBUG ( 266): b6ec1f88 b6f01b38 b6f01a34 b6f13468 b6f13348
I/DEBUG ( 266): b6ec1f98 b6eeb151 b6f06279 b6f13180 b6f1fec3
I/DEBUG ( 266): b6ec1fa8 b6f01810 b6f01f44 b6f02190 b6f0227c
I/DEBUG ( 266): b6ec1fb8 b6f01f84 b6f01ec0 b6f01fa0 b6f140ec
I/DEBUG ( 266): b6ec1fc8 b6ede927 b6f13d10 b6ede919 b6f13510
I/DEBUG ( 266): b6ec1fd8 b6f0086c b6f021ec b6f00ab8 b6f00ad8
I/DEBUG ( 266): b6ec1fe8 b6f13530 b6f14964 b6f14984 b6f138b4
I/DEBUG ( 266): b6ec1ff8 b6f1f0f9 b6f14944 b6ec2000 ffffffff
I/DEBUG ( 266): b6ec2008 00000001 ffffffff b6ebb42d 00000000
I/DEBUG ( 266):
I/DEBUG ( 266): memory near sp:
I/DEBUG ( 266): beca9760 0000000c b6f6e268 b7b8fc40 00000000
I/DEBUG ( 266): beca9770 b6f6e268 b6885c09 b7b8fc40 beca9808
I/DEBUG ( 266): beca9780 beca97ac b68853b9 beca9800 b688f953
I/DEBUG ( 266): beca9790 b6f4b334 00000002 b7b8f0e0 00000000
I/DEBUG ( 266): beca97a0 b6f3d1d8 b7b8eee8 b7b8fc40 b7b8f0e0
I/DEBUG ( 266): beca97b0 b6f6e08f 00000000 b7b91270 b6f6e268
I/DEBUG ( 266): beca97c0 b7b8f0e0 b6f6e24e b6899008 b688f9c5
I/DEBUG ( 266): beca97d0 00000000 ffffffff 00000000 b6f6dde5
I/DEBUG ( 266): beca97e0 00000000 b7b8f0a0 00000018 00000001
I/DEBUG ( 266): beca97f0 00000040 00000001 00000034 00000001
I/DEBUG ( 266): beca9800 b7b8fc40 b7b8f0e0 00000000 00000000
I/DEBUG ( 266): beca9810 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca9820 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca9830 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca9840 00000000 00000000 00000000 00000000
I/DEBUG ( 266): beca9850 00000000 00000000 00000000 beca98b4
I/DEBUG ( 266):
I/DEBUG ( 266): code around pc:
I/DEBUG ( 266): b6ee9b3c e1910f9f e080c003 e1812f9c e3520000
I/DEBUG ( 266): b6ee9b4c 1afffffa e12fff1e e1a03000 f57ff05f
I/DEBUG ( 266): b6ee9b5c e1930f9f e2801001 e1832f91 e3520000
I/DEBUG ( 266): b6ee9b6c 1afffffa e12fff1e e1a03000 f57ff05f
I/DEBUG ( 266): b6ee9b7c e3e02000 e1930f9f e080c002 e1831f9c
I/DEBUG ( 266): b6ee9b8c e3510000 1afffffa e12fff1e e1a03000
I/DEBUG ( 266): b6ee9b9c f57ff05f e1910f9f e000c003 e1812f9c
I/DEBUG ( 266): b6ee9bac e3520000 1afffffa e12fff1e e1a03000
I/DEBUG ( 266): b6ee9bbc f57ff05f e1910f9f e180c003 e1812f9c
I/DEBUG ( 266): b6ee9bcc e3520000 1afffffa e12fff1e 6883b508
I/DEBUG ( 266): b6ee9bdc 47984608 2140ea6f ea801840 eb023290
I/DEBUG ( 266): b6ee9bec ea831302 bd082093 2203b5f8 46046943
I/DEBUG ( 266): b6ee9bfc 43726846 0f92ebb3 0076d923 46302104
I/DEBUG ( 266): b6ee9c0c ebe4f7ff b1e04605 1e772200 6821e011
I/DEBUG ( 266): b6ee9c1c 3022f851 6858e00a e00cf8d3 0c00ea07
I/DEBUG ( 266): b6ee9c2c 102cf855 f84560d9 4673302c d1f22b00
I/DEBUG ( 266):
I/DEBUG ( 266): code around lr:
I/DEBUG ( 266): b6eba0b4 000078c4 4604b510 ffe2f7ff f7fd4620
I/DEBUG ( 266): b6eba0c4 4620e918 b510bd10 1d206844 ea2af7fd
I/DEBUG ( 266): b6eba0d4 f7fd4620 f1b0ea28 d1085f80 f04f4621
I/DEBUG ( 266): b6eba0e4 f7fd4070 68a0ea26 68996803 bd104788
I/DEBUG ( 266): b6eba0f4 6844b510 f7fd1d20 4620ea16 ea12f7fd
I/DEBUG ( 266): b6eba104 f1b0b138 d1085f80 4070f04f f7fd4621
I/DEBUG ( 266): b6eba114 68a0ea10 68996803 bd104788 68186843
I/DEBUG ( 266): b6eba124 30044770 beb4f003 4604b538 460d3004
I/DEBUG ( 266): b6eba134 ea04f7fd d1192801 07d968e3 6823d409
I/DEBUG ( 266): b6eba144 5f80f1b3 e00cd100 e8bd4620 f0034038
I/DEBUG ( 266): b6eba154 68a0bea7 694a6801 47904629 07c268e0
I/DEBUG ( 266): b6eba164 68a0d504 6801b110 4790684a b570bd38
I/DEBUG ( 266): b6eba174 68444605 4620460e e9e0f7fd d10b2801
I/DEBUG ( 266): b6eba184 463168a0 68da6803 68e04790 d40307c0
I/DEBUG ( 266): b6eba194 46286829 4798684b 46314620 4070e8bd
I/DEBUG ( 266): b6eba1a4 bfc2f7ff 4604b570 460e3004 e9baf7fd
Click to expand...
Click to collapse
Besides of the crash it seems to be incomplete because the code lacks any final ways of gaining elevated privileges (payload w/ reverse shell or something like that).
I assume it all makes no sense due to the loss of relevance for others. So I'll turn my attention to another CVE's out there. This could be the most elegant and shortest way of getting system though.
dadreamer said:
Well, I have compiled that badscreencap by p1gl3t along with android 4.4.2 codebase and then pushed it to my dev. But whenever I run it I receive segfault:
When I issue any one command after that I get
Of course, no any signs of system privileges for my id. Checked this with logcat and it has got the following trace:
Besides of the crash it seems to be incomplete because the code lacks any final ways of gaining elevated privileges (payload w/ reverse shell or something like that).
I assume it all makes no sense due to the loss of relevance for others. So I'll turn my attention to another CVE's out there. This could be the most elegant and shortest way of getting system though.
Click to expand...
Click to collapse
Is your goal to gain root on FireOS v3/v4/5 or are you experimenting with this for other reasons? If the former there are far easier methods (FireOS version dependent) of achieving this; even a theoretical way to unlock the bootloader sans root.
Hello all,
We have ported Android 4.4 (kitkat) version on a custom board with iMX6 processor and are successful in getting Android running on the custom board. Now, when tried to add support for 3G modem provided by ZTE, the rild daemon is crashing continuously there disabling the complete telephony.
Android service for rild in init.rc file is as below
service ril-daemon /system/bin/rild -l /system/lib/libreference-ril.so -- -d /dev/ttyUSB2
class main
socket rild stream 660 root radio
socket rild-debug stream 660 radio system
user root
group radio cache inet misc audio
The sockets are getting created with the specified permissions as specified in the init.rc but unfortunately rild daemon is crashing throwing segmentation fault (SIGSEGV). The core dump of the crash
F/libc ( 2810): Fatal signal 11 (SIGSEGV) at 0x0000000c (code=1), thread 2821 (rild)
I/DEBUG ( 2387): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 2387): Build fingerprint: 'HKI/indus_1012/i1012:4.4.2/1.0.0-rc3/20140630:user/dev-keys'
I/DEBUG ( 2387): Revision: '405525'
I/DEBUG ( 2387): pid: 2810, tid: 2821, name: rild >>> /system/bin/rild <<<
I/DEBUG ( 2387): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000000c
I/DEBUG ( 2387): r0 0000000c r1 00000000 r2 00000011 r3 00000000
I/DEBUG ( 2387): r4 0000000c r5 00000000 r6 00000000 r7 4021909c
I/DEBUG ( 2387): r8 40219157 r9 4021d02c sl 402190fc fp 4021d028
I/DEBUG ( 2387): ip 4021cf00 sp 405f7cd8 lr 4015315d pc 4014f708 cpsr 200d0010
I/DEBUG ( 2387): d0 0000000000000000 d1 0000000000000000
I/DEBUG ( 2387): d2 0000000000000000 d3 0000000000000000
I/DEBUG ( 2387): d4 0000000000000000 d5 0000000000000000
I/DEBUG ( 2387): d6 0000000000000000 d7 0243d58000000000
I/DEBUG ( 2387): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 2387): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 2387): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 2387): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 2387): d16 41826b235ab851ec d17 3f50624dd2f1a9fc
I/DEBUG ( 2387): d18 41c2ab23a6000000 d19 0000000000000000
I/DEBUG ( 2387): d20 0000000000000000 d21 0000000000000000
I/DEBUG ( 2387): d22 0000000000000000 d23 0000000000000000
I/DEBUG ( 2387): d24 0000000000000000 d25 0000000000000000
I/DEBUG ( 2387): d26 0000000000000000 d27 0000000000000000
I/DEBUG ( 2387): d28 0000000000000000 d29 0000000000000000
I/DEBUG ( 2387): d30 0000000000000000 d31 0000000000000000
I/DEBUG ( 2387): scr 00000010
I/DEBUG ( 2387):
I/DEBUG ( 2387): backtrace:
I/DEBUG ( 2387): #00 pc 0000e708 /system/lib/libc.so
I/DEBUG ( 2387): #01 pc 00012159 /system/lib/libc.so (readdir+10)
I/DEBUG ( 2387): #02 pc 000026fd /system/lib/libreference-ril-mw3820.so
I/DEBUG ( 2387): #03 pc 00004069 /system/lib/libreference-ril-mw3820.so
I/DEBUG ( 2387): #04 pc 0000d248 /system/lib/libc.so (__thread_entry+72)
I/DEBUG ( 2387): #05 pc 0000d3e0 /system/lib/libc.so (pthread_create+240)
I/DEBUG ( 2387):
I/DEBUG ( 2387): stack:
I/DEBUG ( 2387): 405f7c98 00000000
I/DEBUG ( 2387): 405f7c9c 00000000
I/DEBUG ( 2387): 405f7ca0 00000000
I/DEBUG ( 2387): 405f7ca4 00000000
I/DEBUG ( 2387): 405f7ca8 00000000
libc.so is not getting loaded but libc.so and libreference-ril-mw3820.so are all available in the system/lib folder. and the contents of system.prop is
rild.libpath=/system/lib/libreference-ril-mw3820.so
rild.libargs=-d /dev/ttyUSB2
but still the above crash persists. Any help on this would be of great help.
Hello and thank you for using XDA Assist.
XDA Assist is for new users to receive guidance on how to navigate through XDA to find the information they seek.
It does not sound like you are an inexperienced user. Your best bet is to ask in the specific device forum or the main Android Q&A section.
We here at XDA Assist will never give you a technical answer.
Good Luck
Ragnar
EDIT 2DAYS NO REPLY. THREAD CLOSED.