Hi, found one exploit from the year 2013, but it's in the exploit database as an exploit from Feb. 2014! Need some help understanding something. The exploit is http://www.exploit-db.com/exploits/31574/
I understand the principle and completed all steps except for 2 things which I don't understand!
1. How to get the thing which is explained in the comment on line 34
2. What is on line 39?! How to get that, what is that, what is the usage of that? Is that a physical address of the kernel function address near sys_ni_syscall, or sys_ni_syscall itself?
Anyone explain, please?
Anyone?
Maybe this helps
http://lxr.free-electrons.com/ident?i=sys_ni_syscall
PS - I have no knowledge of development :/
That doesn't help.
The address 0xc01217c0 is the sys_ni_call system call, the address 0xc011ac50 is the sys_exit system call, etc.
http://www.symantec.com/connect/articles/forensic-analysis-live-linux-system-pt-2
Again, I just searched... I don't know if this is useful or not...
No mate, that's not helpful; you found the address from kallsyms but that's not what I need! I need to know how to get the user-space landing point page-aligned address which is defined as 0x720cd000, since we only know kernel memory, which is at 0xcXXXXXXX. I don't understand how or where to get this landing page-aligned address which is 0x7XXXXXXX; how did he get it? What is that? How did he find it at 0x7xxxxxxx? Why is it at 0x7xxxxxxx? That's the only thing I need to understand to get started!
If you look at line 34 you will see a comment! The comment is:
/* we need to know the lower halfword of the original address of sys_ni_syscall to tailor MMAP_AREA and MMAP_OFF accordingly.
 * you can aid yourself with a NOP block. the higher halfword will in any case become 0x720c. on one of my boxes, the other
 * halfword was 0xdac4. MMAP_AREA must be aligned appropriately. you can extract all the data in question at runtime from
 * /proc/kallsyms and dmesg (not that hard to set off infoleaks with this bug) as long as there are no constraints in place */
That's what I don't understand! He says: we need to know the lower halfword of the original address of sys_ni_syscall
I need the original address of sys_ni_syscall and NOT THE ONE FOUND IN KALLSYMS! That's what I need to understand!!!
Master munjeni, it's way beyond my knowledge and scope. This is some veteran Android core stuff
:/ I'm a dental intern :silly:
No problem, you tried to help and I like that, thanks!
Okay sir last attempt...
This link to a PDF explains quite a few things... (Still I don't know if it is useful or useless)
http://www.google.com/url?q=http://...sQFjAA&usg=AFQjCNHr20jDgbz5jzlF5o1uIsbdx_GvHg
see https://www.codeaurora.org/projects...hecks-putusergetuser-kernel-api-cve-2013-6282
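The exploit comment quoted in this thread says its address data comes from /proc/kallsyms and dmesg "as long as there are no constraints in place". As an added example, not part of the thread and not from the exploit, this script checks from the defender's side whether those constraints are in place: whether kallsyms addresses are masked for the reader and whether kptr_restrict and dmesg_restrict are set. The sample kallsyms lines are constructed (reusing the two addresses quoted from the Symantec article), and the function names are my own.

```python
import re

# One /proc/kallsyms line: "<hex address> <type letter> <symbol name> [module]"
KALLSYMS_LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?\s*$")

# Constructed sample input standing in for what two different readers would see
# (the first two addresses are the ones quoted from the Symantec article above,
# the module line is made up).
LEAKY_SAMPLE = """\
c01217c0 T sys_ni_syscall
c011ac50 T sys_exit
c0123456 t example_fn\t[example_mod]
"""
MASKED_SAMPLE = """\
00000000 T sys_ni_syscall
00000000 T sys_exit
"""


def parse_kallsyms(text):
    """Map symbol name -> address; lines that do not fit the format are skipped."""
    symbols = {}
    for line in text.splitlines():
        m = KALLSYMS_LINE.match(line)
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def kallsyms_masked(text):
    """True when every symbol reads as 0, which is what kptr_restrict=1 shows to
    readers without CAP_SYSLOG (and kptr_restrict=2 shows to everyone)."""
    addrs = list(parse_kallsyms(text).values())
    return bool(addrs) and all(a == 0 for a in addrs)


def read_sysctl(path):
    """Integer value of a /proc/sys entry, or None when it cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def audit_infoleak_controls(kallsyms_text, kptr_restrict, dmesg_restrict,
                            probe=("sys_ni_syscall",)):
    """Findings for the two leak paths the exploit comment relies on:
    symbol addresses via /proc/kallsyms and kernel messages via dmesg."""
    findings = []
    symbols = parse_kallsyms(kallsyms_text)
    for name in probe:
        addr = symbols.get(name, 0)
        if addr:
            findings.append(f"/proc/kallsyms exposes {name} at 0x{addr:08x} to this reader")
    if kptr_restrict is None or kptr_restrict < 1:
        findings.append("kernel.kptr_restrict is 0 or unreadable; set it to 1 (or 2) so %pK addresses print as 0")
    if dmesg_restrict is None or dmesg_restrict < 1:
        findings.append("kernel.dmesg_restrict is 0 or unreadable; set it to 1 so only CAP_SYSLOG can read dmesg")
    return findings


if __name__ == "__main__":
    # Audit the live system when run on Linux; otherwise fall back to the sample.
    try:
        with open("/proc/kallsyms") as f:
            text = f.read()
    except OSError:
        text = LEAKY_SAMPLE
    results = audit_infoleak_controls(text,
                                      read_sysctl("/proc/sys/kernel/kptr_restrict"),
                                      read_sysctl("/proc/sys/kernel/dmesg_restrict"))
    print("\n".join(results) or "no findings: kallsyms masked and both restrict sysctls set")
```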
Hi kernel hackers,
It has gotten very silent recently regarding possible security hacks on the Milestone platform.
Today I stumbled over some kernel code located in /drivers/misc/sec.
Maybe this has been discussed already.... anyway
There are some interesting functions in the source code and I wonder which application is using this module to enter the secure world of OMAP.
Some of the functions access registers that are also involved in low-level routines of the bootcode (e.g. mbmloader).
Some questions:
Which application in android userspace is using this module?
Could we tweak this module to get access to some of the protected OMAP registers?
Is it a signed module?
It would be nice to use a modified module and activate some of the blocked features (e.g. the DAP controller for debugging).
Any comments welcome!!!
Regards,
scholbert
scholbert said:
Hi kernel hackers,
It has gotten very silent recently regarding possible security hacks on the Milestone platform.
Today I stumbled over some kernel code located in /drivers/misc/sec.
Maybe this has been discussed already.... anyway
There are some interesting functions in the source code and I wonder which application is using this module to enter the secure world of OMAP.
Some of the functions access registers that are also involved in low-level routines of the bootcode (e.g. mbmloader).
Some questions:
Which application in android userspace is using this module?
Could we tweak this module to get access to some of the protected OMAP registers?
Is it a signed module?
It would be nice to use a modified module and activate some of the blocked features (e.g. the DAP controller for debugging).
Any comments welcome!!!
Regards,
scholbert
Well, I'm not a kernel hacker, but I have an educated guess...
I believe that the radio system uses those functions to check whether the kernel is valid or not, so we have the radio not working with a replacement kernel that is loaded using kexec...
Perhaps, if it is possible to "change" this function using a module, we could get a function always telling the kernel is valid and have kexec working on Milestone. Again, I'm not a kernel hacker, but that is my guess.
Hi, I'm sorry that I won't be much help but these guys might:
https://www.droid-developers.org/
irc://irc.freenode.net/#milestone-modding
Hi,
thanks for your comments so far.
To be more precise, I think this kernel driver is calling the secure monitor in some way. See here:
https://www.droid-developers.org/wiki/Secure_Monitor
There's also a structure defined in that driver. I think I'll have to compare some of the ioctl entries.
https://www.droid-developers.org/wiki/Secure_Services
I'll do some investigation on this issue and search the web for some userland source code using this driver.
Again, if someone knows more about it, you're welcome
Cheers,
scholbert
scholbert said:
Hi,
thanks for your comments so far.
To be more precise, I think this kernel driver is calling the secure monitor in some way. See here:
https://www.droid-developers.org/wiki/Secure_Monitor
There's also a structure defined in that driver. I think I'll have to compare some of the ioctl entries.
https://www.droid-developers.org/wiki/Secure_Services
I'll do some investigation on this issue and search the web for some userland source code using this driver.
Again, if someone knows more about it, you're welcome
Cheers,
scholbert
you don't have to search for the source, it's on SourceForge:
http://sourceforge.net/projects/milestone.motorola/files/
SophT said:
you don't have to search for the source, it's on SourceForge:
http://sourceforge.net/projects/milestone.motorola/files/
Yeah sure, I knew this
Anyway, thanks for the hyperlink!
In the meantime I grepped all binaries from the latest distribution.
I found out that two applications are using /dev/sec.
1. dbvc_atvc_property_set
2. tcmd
If someone knows which package of source code they belong to... it would save some time searching.
EDIT:
O.K. Google did it for me...
Seems that both binaries are proprietary code. Some early conclusions:
1. dbvc_atvc_property_set
This one is started as a service in init.mapphone_umts.rc and seems to use /dev/sec for granting rights to access the OMAP secure world (e.g. read eFuse values for the unique device id, IMEI etc.).
This binary contains a certificate which is not Milestone specific (the XT720 uses the same).
So right now I don't know if this certificate is needed to access /dev/sec or the application identifies itself as a trusted application (signed app).
It would make sense if the BP uses signed applications to access certain low-level functions, e.g. read/write the eFuse bank.
2. tcmd
This one is also started as a service in init.mapphone_umts.rc to access a variety of devices. Seems to be related to data streaming or similar.
As stated it has an entry for /dev/sec and it has no certificate.
Would be interesting to get some more info about that.
Further comments....
P.S.: This bloody security stuff is making me sick
Regards,
scholbert
Hi again,
I just compared some of the defines in the kernel driver headers (/drivers/misc/sec/sec_core.h) with the ones xvilka reversed inside mbmloader.
Code:
...
#define API_HAL_KM_SOFTWAREREVISION_READ 33 // 0x21
...
#define API_HAL_NB_MAX_SVC 39 // 0x27
#define API_HAL_MOT_EFUSE (API_HAL_NB_MAX_SVC + 10) // 0x31
#define API_HAL_MOT_EFUSE_READ (API_HAL_NB_MAX_SVC + 15) // 0x36
...
For comparison see the table here:
https://www.droid-developers.org/wiki/Secure_Services
It is obvious that /dev/sec allows access to the OMAP secure world and uses the above-mentioned API calls to push information to userspace apps.
The question would be if ioctl must be certified through the API using some key ...
O.K. I see this is deep-down code creeping, but maybe someone understands what I try to work out
See ya,
scholbert
scholbert said:
O.K. I see this is deep-down code creeping, but maybe someone understands what I try to work out
I think I know what you are trying to work out, but I can't think of any way to help
You're pretty much comparing the results of your findings with that of the mbmloader dump right?
I would like so much to fully understand what you are doing, but I can understand just a little..
BTW, I hope that you'll be glad to know that you have all my psychological support!
mystichobo said:
I think I know what you are trying to work out, but I can't think of any way to help
You're pretty much comparing the results of your findings with that of the mbmloader dump right?
Yeah, kind of... we know for sure there's an API to access security functions on OMAP. I just dug out some parallels in kernel code and mbmloader.
If we could make use of security functions from within kernel space (by using a tweaked module) this would be a nice playground.
Perhaps there's some bug or backdoor we could shamelessly exploit to:
a. boot custom kernel with second boot
b. tweak the security system and enable some hidden functions inside OMAP
puffo81 said:
I would like so much to fully understand what you are doing, but I can understand just a little..
BTW, I hope that you'll be glad to know that you have all my psychological support!
Thanks a lot for pointing that out
Best regards,
scholbert
scholbert said:
Yeah, kind of... we know for sure there's an API to access security functions on OMAP. I just dug out some parallels in kernel code and mbmloader.
If we could make use of security functions from within kernel space (by using a tweaked module) this would be a nice playground.
Perhaps there's some bug or backdoor we could shamelessly exploit to:
a. boot custom kernel with second boot
b. tweak the security system and enable some hidden functions inside OMAP
That's what I thought
Surprised no one has looked into it earlier really
Anyway good luck with it, adding my moral support too.
Cheers,
hobo
mystichobo said:
Surprised noone has looked into it earlier really
Anyway good luck with it, adding my moral support too.
I got into contact with xvilka.
Obviously there have been some investigations concerning this issue.
To be honest, I don't know if it's worth digging a little deeper or if it will ever lead to something useful in the end. Could be fun though
Perhaps it would be a nice idea to tweak the driver and put some debug messages in the code.
Another interesting thing to do would be a logging function.
This way it would be possible to get some insights into the API to the secure monitor.
Anyway, I think it's never useless to discuss some hacking here. At least we're at xda-developers
If you like to tweak some kernel code, join in!!!
Have fun!
scholbert
I'm trying to work with GTK for C. I downloaded c4droid and wrote a small GUI program and I need to include and/or add gtk/gtk.h. I also wrote a server that uses the errno header, but it produces errors because the header is not installed/included. BTW I downloaded BusyBox Pro too. So how do I solve this issue?
I have figured out the include issue. I found the include folder and saw that errno.h is in there. To make a long story short, the issue was downloading the GCC plugin for c4droid, then going into preferences and setting the compiler to gcc-Bionic. But now the server I wrote won't work properly because you have to run it with CLAs. Example: ./server [IP address] <port number>, and c4droid doesn't allow this. Not that I'm aware of at least. They say this app is perfect for developers. I would agree that it is suitable for programmers just starting off and just learning. Like a college student....Maybe. It was only a dollar fifty, so not a big loss. Currently looking for a GNU GCC port for the terminal. Like the iPhone 4. God I miss that thing! Ideas/insight?
I think you'd have better luck posting in general development thread.
Ok thanks.
Can't post in that sub forum until I have 10 posts. Sucks!
Post number 9.
Here's number 10 and I'm off to the development forum.
Looks like I need one more post.
Latest Version 0.5.1 (beta)
What is CobaltDebugger? An ARM Processor Simulator/Emulator/Debugger. At its current state, it reads Android bootloader files, and runs them in a simulator, giving you control over which instructions execute and when. For optimal experience, use this in conjunction with IDA Pro.
Hint: Try setting the PC Register to an interesting address found in IDA.
https://youtu.be/cwvz8Cj70Ac <- newer but still old
https://youtu.be/L5NDob2rCmI <- even older
Unzip contents
Run CobaltDebugger.exe
Load up your aboot.mbn or sbl1.mbn
If you want to display referenced strings, open your binary in IDA, go to View > Subviews > Strings, then copy and paste the contents of the strings window into a new text file, then load that text file into CobaltDebugger.
Memory file will grow to 4GB
Click "Load Binary"
Then click "Step Into" or "Run"
You can
- Set breakpoints by address: use > and < to define break ranges
- Alter register values, condition flags, psr modes, instruction sets (ARM and Thumb)
Memory edits are not yet implemented but will most likely come as time permits
Page Up, Page Down, Up, and Down keys can be used to navigate the memory viewer - or you can type an address and click "Go" to go there. There's a bug in here somewhere - I'll get to it
The output from the bottom right window is saved as output.xxxxxx.txt, although the file may not get flushed until you click "Unload" or close the application.
All ARM and Thumb instructions were implemented in C# by hand by me. There may be bugs here and there as this is a work in progress and beta. Not all instructions have been implemented so you may encounter a message that states such and such instruction not implemented. If you see that, let me know which instruction and I will implement it as time permits, or you can wait until the next release. I plan on continuing this project until all instructions are implemented.
Originally built with the binaries from the AT&T Samsung Galaxy Note 3 (NC2) in mind, but focus switched to the Verizon Samsung Galaxy S4 (NK1), then back to Note 3 (OC1). This should work with other similar binaries as well.
I'm hoping this will help us discover new ways to unlock bootloaders. But at the very least it's fun to watch the files run.
Change Log 0.5.1
Added image verification steps thanks to Tal Aloni
Bug fixes
More instructions implemented
Slight redesign
Change Log 0.5
Bug fixes, UI improvements, a few more instructions implemented
Now the "Next" instruction is actually the Next instruction as opposed to the most recently executed instruction, so you can see the instruction highlighted BEFORE it executes.
Change Log 0.4.1
Fixed some bugs
Implemented some more instructions
AT&T Note 3 NC2 aboot runs to completion again, although you may find some instructions I've missed if you start jumping around editing the PC value.
Change Log 0.4
Complete refactor
Verizon S4 NK1 aboot runs to completion, although you may find some instructions I've missed if you start jumping around editing the PC value.
Broke some things with the Note 3 aboot instructions
Change Log v0.3:
Set default breakpoint for Verizon S4 aboot - Either it's actually *supposed* to start executing code at 0x880C7000 after an MCR and BX instruction, or I may have mis-coded something, but it seems odd, so a breakpoint is set at 0x88E0E4BC until I can figure that one out.
Output to file - C:\temp\output.HHmmss.asm - Now you can review the log after the program has run.
Subscribed. This is going to be epic.
Taking the trash out then going to have some fun hopefully with this.
Next feature to add is the ability to load and run ELF files like tz and sdi
v0.2
I implemented the SP Minus Immediate instruction, which should resolve the NotImplemented exception reported by @dmt010. I also implemented a bunch more instructions needed by the S4 aboot, although I'm still not done. I went ahead and uploaded an update anyway. This one doesn't blow up like the first version, but rather displays the missing instruction if it encounters one. To skip to a specific address and start executing code, you can modify the PC register and click Apply Edits, then step or run. Sometimes you have to do it twice for it to take, for some reason. If you want to play around with this with your own aboot.mbn or sbl1.mbn, feel free to post any Not Implemented messages here so I can add them, just make sure no one else has already posted it. Make sure you copy and paste the whole line including the instruction mnemonic and "Pattern", which will help me to identify the desired encoding.
Instruction [Thumb16,LDRB] not implemented. Pattern: [01111iiiiinnnttt]. Address: [0x88E1C470]
Cheers
I just uploaded v0.3. Now it runs the Verizon S4 aboot file without exception until it gets to a section where it keeps incorrectly executing ANDEQ R0, R0, #0x3. I know that's not what it is supposed to do, and that it is a result of BX R14 when R14 is holding 0x880C7000, but 0x880C7000 has only zeros because the S4 aboot is running out of context, isolated. Maybe there is supposed to be code at 0x880C7000, ready and waiting to run. Or maybe there was a calculation error in my code and R14 should not have held the value 0x880C7000. I don't know. I will re-look at the preceding steps and make sure the calculations are correct. Might add a unit test or two. I may need to spend more time looking at the line before the branch (MCR p15, 0, R0, c1, c0, 0). MCR was one of the first instructions I implemented months ago. I may need to re-look at that logic and make sure I did it right...
Cobaltikus said:
I just uploaded v0.3. Now it runs the Verizon S4 aboot file without exception until it gets to a section where it keeps incorrectly executing ANDEQ R0, R0, #0x3. I know that's not what it is supposed to do, and that it is a result of BX R14 when R14 is holding 0x880C7000, but 0x880C7000 has only zeros because the S4 aboot is running out of context, isolated. Maybe there is supposed to be code at 0x880C7000, ready and waiting to run. Or maybe there was a calculation error in my code and R14 should not have held the value 0x880C7000. I don't know. I will re-look at the preceding steps and make sure the calculations are correct. Might add a unit test or two. I may need to spend more time looking at the line before the branch (MCR p15, 0, R0, c1, c0, 0). MCR was one of the first instructions I implemented months ago. I may need to re-look at that logic and make sure I did it right...
What did I say? Glad I snagged the first post, I knew this project would take off.
It is possible that at some point I will consider sharing my source code with the public. But first I need to look into different licensing steps I should take to make sure that if I do release it, it will remain open source and not be stolen and licensed by someone else, forcing me to take my code down, or something else that could be bad for me. I want to make sure that if I do it, I do it right. Another issue for me is that I like to copy and paste the pseudocode from ARM directly into my code, commented, so I have it for reference. I'm fairly certain I would have to take that out before releasing, so I'm not infringing on ARM's copyright policies. But it would be nice to collaborate. Possibly. Maybe.
Cobaltikus said:
... (MCR p15, 0, R0,c1,c0, 0) MCR was one of the first instructions I implemented months ago. I may need to re-look at that logic and make sure I did it right...
Yep. I need to re-implement MCR. I wasn't doing all that needed to be done.
v0.4
v0.4 runs Verizon S4 NK1 aboot to completion, and you can view and modify the active Instruction Set (ARM vs Thumb).
v0.5
I got a bit sidetracked. Thanks to Tal Aloni, Cobalt Debugger now shows and validates the certificate chain and image signature, which started me down the rabbit hole of potentially cracking RSA. When I come back up for air I'll post my latest changes.
I've been trying to crack that thing for months now! haha, join in the Telegram again for info and we can collaborate live. From what I understand we're dealing with an RSA-SHA1 sig with PKCS#11 padding
Sorry to be somewhat off-topic, but RSA is a method of encryption. So Samsung/Verizon used this to encrypt the bootloader. So if we can crack it, we have access to the bootloader and can Loki it / use another exploit?
Oh yeah, I subbed. I'm teaching myself Python and Java (was already on my to-do list) to try and offer limited help.
XxD34THxX said:
Sorry to be somewhat off-topic, but RSA is a method of encryption. So Samsung/Verizon used this to encrypt the bootloader. So if we can crack it, we have access to the bootloader and can Loki it / use another exploit?
Oh yeah, I subbed. I'm teaching myself Python and Java (was already on my to-do list) to try and offer limited help.
Can you do much with Python on Android?
What exactly does this thing do? I'm a bit confused. This is some kind of simulator so that you can see how it impacts memory during execution? But then again, if it can't access hardware then what's the use? What does it offer over IDA Pro? I'm confused
Not now. Still on the basics of Python. I have Python and an IDE on my PC waiting if you need me to test something.
kcarden said:
I've been trying to crack that thing for months now! haha, join in the Telegram again for info and we can collaborate live. From what I understand we're dealing with an RSA-SHA1 sig with PKCS#11 padding
Ah right, now I get what the use of this is. As long as stuff is not done in hardware, which it most likely won't be anyway (cause the kernel is not up lol), then this could function as a simulator to debug the bootloader. Makes sense
XxD34THxX said:
Sorry to be somewhat off-topic, but RSA is a method of encryption. So Samsung/Verizon used this to encrypt the bootloader. So if we can crack it, we have access to the bootloader and can Loki it / use another exploit?
Oh yeah, I subbed. I'm teaching myself Python and Java (was already on my to-do list) to try and offer limited help.
I've been looking a lot at recovery.img and the recovery partition. And what happens is the image is encrypted and then signed to be accepted by other software sig checks
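Picking up the RSA-SHA1 signature discussion in this thread, here is an added example (my own code, not Cobalt Debugger's and not from anyone in the thread) of how an image signature with PKCS#1 v1.5 padding is produced and checked, and of what it does and does not protect: the signed image stays fully readable, and the signature only lets a verifier holding the public key detect any modification. The key size, seed, sample image bytes and function names are all constructed for the demonstration.

```python
import hashlib
import random

# DER prefix of the SHA-1 DigestInfo used by PKCS#1 v1.5 (RFC 3447, section 9.2).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; enough for a demonstration key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, seed=7):
    """Demo-only RSA key (small, seeded so the example is reproducible); real
    image-signing keys are 2048+ bits from a proper CSPRNG and never leave an HSM."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def emsa_pkcs1_v15_sha1(image, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-1(image), k bytes long."""
    t = SHA1_DIGESTINFO + hashlib.sha1(image).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for SHA-1 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(image, priv):
    """signature = EM^d mod n. The image itself is not transformed at all."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_sha1(image, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify(image, signature, pub):
    """Recompute the full expected encoding and compare it whole against s^e mod n;
    parsing the recovered padding leniently instead is the classic verifier bug."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15_sha1(image, k)


def check_signed_image(bundle, pub):
    """A signed image is plaintext image || signature: split it, verify, and hand
    back the image bytes, which were readable all along."""
    k = (pub[0].bit_length() + 7) // 8
    image, signature = bundle[:-k], bundle[-k:]
    return image, verify(image, signature, pub)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    image = b"constructed aboot image: not a real bootloader"  # constructed sample
    bundle = image + sign(image, priv)
    print(check_signed_image(bundle, pub))                 # (image bytes, True)
    print(check_signed_image(b"X" + bundle[1:], pub)[1])   # False: one byte changed
```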
Info:
My device is rooted (fully) and my phone consists of SuperSU, NetHunter terminal, bcmon, Reaver.
(below is the code I modified for my device)
The history
When I first started running reaver I would receive many errors; [...not found] [...can't enable] [...can't change permissions (apparently you can't change permissions within the sdcard folder... anyways, moving on.)]
[...no internet connection found]
My point is, after looking at the custom scripts I had installed (with Notepad++) I noticed that the actual scripts were the big issue. So I started changing things one by one in order to not mess up everything. Yeah sure, I made some errors that made things last longer, way longer than normal. Nevertheless, at some point I actually started making things better and slowly started knocking down those errors!! Until I hit the 'test' button and sure enough:
"Cannot link executable... libfake_driver.so is 32 instead of 64.... only PIE are supported."
Truth Be Told
As you might be able to tell from the kind of question I'm asking, I am not an expert.
And I understand these kinds of questions come with others looking at the questioner as annoying, and with the thought of 'these beginners just want everyone to give answers instead of learning themselves...' It's NOT COMPLETELY wrong, since nowadays a comment like that is ... pretty much true.
So i'll say this: Not Every One Is The Same.
I am a programmer. My programming is mostly within game design/game development, so if more coding is needed to solve my issue at hand, then let me know and please (at the least) point me in the right direction.
If I need to google something, please clarify what to search for. For I am just one person, so it is possible I haven't thought of something to type in; however, that does not mean I haven't typed MANY searches in already.
The Question
Am I able to use RfA and bcmon on the Nexus 5X, and if so, what is needed to get my phone operating (the app(s)) correctly? This is the complete error I am receiving in RfA.
CANNOT LINK EXECUTABLE: "/system/app/bcmon/assets/libs/libfake_driver.so" is 32-bit instead of 64-bit page record for 0x7f98e8c010 was not found (block_size=64)
error: only position independent executables (PIE) are supported.
My Done Work
With the RfA settings you can choose to use custom scripts. The following shows the scripts I used and their placement.
These scripts I had to modify to get the device's errors fixed (not all though)
Activation Script:
#!/bin/bash
# Take the interface away from the Android Wi-Fi service before the monitor-mode driver is loaded
svc wifi disable
# Export both variables so they reach enable_bcmon and whatever RfA runs next in this shell; the posted
# version set them only for a throwaway "sh", and its LD_PRELOAD pointed at /data/sdcard/..., a different
# directory from LD_LIBRARY_PATH
export LD_LIBRARY_PATH=/sdcard/bcmon/assets/libs
export LD_PRELOAD=/sdcard/bcmon/assets/libs/libfake_driver.so
cd /sdcard/bcmon/assets/tools || exit 1
./enable_bcmon
# Success token; plain ASCII quotes are required, the curly quotes in the posted version are echoed literally
echo "rfasuccess"
exit
Warm-up Script
#!/bin/bash
# Same environment as the activation script; the posted path was missing the "/" before libfake_driver.so.
# Note that none of this changes the library's ABI: a 32-bit libfake_driver.so still cannot be preloaded
# into a 64-bit shell, which is what the "is 32-bit instead of 64-bit" linker error above is reporting
export LD_LIBRARY_PATH=/sdcard/bcmon/assets/libs
export LD_PRELOAD=/sdcard/bcmon/assets/libs/libfake_driver.so
cd /sdcard/bcmon/assets/tools || exit 1
Stop Script
#!/bin/bash
# Hand the interface back to the Android Wi-Fi service
svc wifi enable
echo "rfasuccess"
Will you care to help me?
Hi,
Try posting your question here:
http://forum.xda-developers.com/google-nexus-5/help
The experts there may be able to help.
Good luck!