CobaltDebugger - Android Software/Hacking General [Developers Only]

Latest Version 0.5.1 (beta)
What is CobaltDebugger? An ARM Processor Simulator/Emulator/Debugger. At its current state, it reads Android bootloader files, and runs them in a simulator, giving you control over which instructions execute and when. For optimal experience, use this in conjunction with IDA Pro.
Hint: Try setting the PC Register to an interesting address found in IDA.
https://youtu.be/cwvz8Cj70Ac <- newer but still old
https://youtu.be/L5NDob2rCmI <- even older
Unzip contents
Run CobaltDebugger.exe
Load up your aboot.mbn or sbl1.mbn
If you want to display referenced strings, open your binary in IDA, go to View > Subviews > Strings, then copy and paste the contents of the strings window into a new text file, then load that text file into CobaltDebugger.
Memory file will grow to 4GB
Click "Load Binary"
Then click "Step Into" or "Run"
You can
- Set breakpoints by address: use >, and < to define break-ranges
- Alter register values, condition flags, psr modes, instruction sets (ARM and Thumb)
Memory edits are not yet implemented but will most likely come as time permits
Page Up, Page Down, Up, and Down keys can be used to navigate the memory viewer - or you can type an address and click "Go" to go there - There's a bug in here somewhere - I'll get to it
The output from the bottom right window is saved as output.xxxxxx.txt, although the file may not get flushed until you click "Unload" or close the application.
All ARM and Thumb instructions were implemented in C# by hand by me. There may be bugs here and there as this is a work in progress and beta. Not all instructions have been implemented so you may encounter a message that states such and such instruction not implemented. If you see that, let me know which instruction and I will implement it as time permits, or you can wait until the next release. I plan on continuing this project until all instructions are implemented.
Originally built with the binaries from the AT&T Samsung Galaxy Note 3 (NC2) in mind, but focus switched to the Verizon Samsung Galaxy S4 (NK1), then back to Note 3 (OC1). This should work with other similar binaries as well.
I'm hoping this will help us discover new ways to unlock bootloaders. But at the very least it's fun to watch the files run.
Change Log 0.5.1
Added image verification steps thanks to Tal Aloni
Bug fixes
More instructions implemented
Slight redesign
Change Log 0.5
Bug fixes, UI improvements, a few more instructions implemented
Now the "Next" instruction is actually the Next instruction as opposed to the most recently executed instruction, so you can see the instruction highlighted BEFORE it executes.
Change Log 0.4.1
Fixed some bugs
Implemented some more instructions
AT&T Note 3 NC2 aboot runs to completion again, although you may find some instructions I've missed if you start jumping around editing the PC value.
Change Log 0.4
Complete refactor
Verizon S4 NK1 aboot runs to completion, although you may find some instructions I've missed if you start jumping around editing the PC value.
Broke some things with the Note 3 aboot instructions
Change Log v0.3:
set default breakpoint for Verizon S4 aboot - Either it's actually *supposed* to start executing code at 0x880C7000 after an MCR and BX instruction, or I may have mis-coded something, but it seems odd, so a breakpoint is set to 0x88E0E4BC until I can figure that one out.
Output to file - C:\temp\output.HHmmss.asm - Now you can review the log after the program has run.

Subscribed. This is going to be epic.

Taking the trash out then going to have some fun hopefully with this.

Next feature to add is the ability to load and run elf files like tz and sdi

v0.2
I Implemented the SP Minus Immediate instruction, which should resolve the NotImplemented exception reported by @dmt010 . I also implemented a bunch more instructions needed by the S4 aboot, although I'm still not done. I went ahead and uploaded an update anyway. This one doesn't blow up like the first version, but rather displays the missing instruction if it encounters one. To skip to a specific address and start executing code, you can modify the PC register and click Apply Edits, then step or run. Sometimes you have to do it twice for it to take, for some reason. If you want to play around with this with your own abootmbn or sbl1.mbn, feel free to post any Not Implemented messages here so I can add them, just make sure no one else has already posted it. Make sure you copy and paste the whole line including the instruction mnemonic and "Pattern" which will help me to identify the desired encoding.

Instruction [Thumb16,LDRB] not implemented. Pattern: [01111iiiiinnnttt]. Address: [0x88E1C470]
Cheers

I just uploaded v0.3. Now it runs the Verizon S4 aboot file without exception until it gets to a section where keeps incorrectly executing ANDEQ R0, R0, #0x3. I know that's not what it is supposed to do, and that it is a result of BX R14, when R14 is holding 0x880C7000, but 0x880C7000 has only zeros because the s4 aboot is running out of context, isolated. Maybe there is supposed to be code at 0x880C7000, ready and waiting to run. Or maybe there was a calculation error in my code and R14 should not have held the value 0x880C7000. I don't know. I will relook at the preceeding steps and make sure the calculations are correct. Might add a unit test or two. I may need to spend more time looking at the line before the branch (MCR p15, 0, R0,c1,c0, 0) MCR was one of the first instructions I implemented months ago. I may need to re-look at that logic and make sure I did it right...

Cobaltikus said:
I just uploaded v0.3. Now it runs the Verizon S4 aboot file without exception until it gets to a section where keeps incorrectly executing ANDEQ R0, R0, #0x3. I know that's not what it is supposed to do, and that it is a result of BX R14, when R14 is holding 0x880C7000, but 0x880C7000 has only zeros because the s4 aboot is running out of context, isolated. Maybe there is supposed to be code at 0x880C7000, ready and waiting to run. Or maybe there was a calculation error in my code and R14 should not have held the value 0x880C7000. I don't know. I will relook at the preceeding steps and make sure the calculations are correct. Might add a unit test or two. I may need to spend more time looking at the line before the branch (MCR p15, 0, R0,c1,c0, 0) MCR was one of the first instructions I implemented months ago. I may need to re-look at that logic and make sure I did it right...
Click to expand...
Click to collapse
What did I say? Glad I snagged the first post, I knew this project would take off.

It is possible that at some point I will consider sharing my source code to the public. But first I need to look into different licensing steps I should take to make sure that if I do release it, it will remain open source and not be stolen and licensed by someone else, forcing me to take my code down, or something else that could be bad for me. I want to make sure that if I do it, I do it right. Another issue for me is that I like to copy and paste the psuedocode from ARM directly into my code, commented, so I have it for reference. I'm fairly certain I would have to take that out before releasing, so I'm not infringing on ARM's copyright policies. But it would be nice to collaborate. Possibly. Maybe.

Cobaltikus said:
... (MCR p15, 0, R0,c1,c0, 0) MCR was one of the first instructions I implemented months ago. I may need to re-look at that logic and make sure I did it right...
Click to expand...
Click to collapse
Yep. I need to re-implement MCR. I wasn't doing all that needed to be done.

v0.4
v0.4 runs Verizon S4 NK1 aboot to completion, and you can view and modify the active Instruction Set (ARM vs Thumb).

v0.5
v0.5

I got a bit side tracked. Thanks to Tal Aloni, Cobalt Debugger now shows and validates the certificate chain and image signature, which started me down the rabbit hole of potentially cracking RSA. When I come back up for air I'll post my latest changes.

ive been trying to crack that thing for months now! haha join in the telegram again for info and we can collaborate live. from what i understand we're dealing with an RSA-SHA1 sig with PKCS#11 padding

Sorry to be somewhat off-topic, but RSA is a method of encryption. So Samsung/Verizon used this to encrypt the bootloader. So if we can crack it, we have access to the bootloader and can Loki it/ another exploit?
Oh yeah, I subbed. I'm teaching myself python and Java(was already on my to do list) to try and offer limited help.

XxD34THxX said:
Sorry to be somewhat off-topic, but RSA is a method of encryption. So Samsung/Verizon used this to encrypt the bootloader. So if we can crack it, we have access to the bootloader and can Loki it/ another exploit?
Oh yeah, I subbed. I'm teaching myself python and Java(was already on my to do list) to try and offer limited help.
Click to expand...
Click to collapse
can you do much with python on android?

What exactly does this thing do ? I"m a bit confused This is some kind of simulator so that you can see how it impacts memory during execution ? But then again, if it can't access hardware then what's the use ? What does it offer over IDA pro ? I'm confused

Not now. Still on the basics of python. I have python and ide on my pc waiting if you need me to test something.

kcarden said:
ive been trying to crack that thing for months now! haha join in the telegram again for info and we can collaborate live. from what i understand we're dealing with an RSA-SHA1 sig with PKCS#11 padding
Click to expand...
Click to collapse
Ah right, getting now what the use of this is As long as stuff is not done in hardware, which it most likely wont be anyway (cause kernel is not up lol) then this could function as a simulator to debug the bootloader. Makes sense

XxD34THxX said:
Sorry to be somewhat off-topic, but RSA is a method of encryption. So Samsung/Verizon used this to encrypt the bootloader. So if we can crack it, we have access to the bootloader and can Loki it/ another exploit?
Oh yeah, I subbed. I'm teaching myself python and Java(was already on my to do list) to try and offer limited help.
Click to expand...
Click to collapse
i've been looking a lot at recovery.img and the recovery partition. and what happens is the image is encrypted and then signed to be accepted by other software sig checks

Related

GUIDE: In the beginning... There was ROOT

So you’ve got a nice, shiny, new G1 and you’ve been hearing about all the amazing things you can do with it but you “MUST HAVE ROOT”. As far as you know, you’re not a plant (although you may feel as smart as one at this point) and beyond that, you have no clue what any of the terms or concepts mean in context.
Well, I’m bored so I’m going to try and clear some things up.
There are a lot of threads that cover each of these things but I’m going to try and put as many basics into one post as possible. Hopefully it can be a perfect start for n00bs and good reference in lieu of search for others. Please feel free to correct any semantic (or blatant) mistakes I make.
I’ll keep the glossary here and update terms as I add to this post:
Android OS - Like Windows Mobile but based on Linux, using a Java based front end.
Linux - Open Source operating system used instead of Windows XP/Vista, Mac OSX etc... it's free (as in beer).
Open Source (From Wiki) – Free and open source software, also F/OSS, FOSS, or FLOSS (free/libre/open source software) is software which is liberally licensed to grant the right of users to study, change, and improve its design through the availability of its source code.
Root (as in access)- root is like the administrator account on a windows machine (also referred to as su, or superuser). It allows you to have complete access to the underlying OS of a linux or *nix based machine. For the G1, it allows for the use of themes, native backup functionality, manually selecting which apps can utilize root access, auto-rotate screen, multi-touch in browser, moving applications/caches to the sd card etc...
Root (as in location)- the 'root' of a folder or drive is the top most area of that location. In windows, C:\ is the 'root' of your hard drive. The 'root' of your SD card just means you haven't moved into any subfolders.
Shell – (also heard as terminal, bash, command line) This is a loose definition, but it’s basically a command line to run specific actions against the OS.
Bootloader – the SPL and IPL of a flash based device. See jashu’s description here.
SPL (Secondary Program Loader) - You get to the SPL by holding the camera button while powering on your phone. This is where you flash NBH images. See bootloader above.
Recovery Mode - Holding the 'Home' key while while powering on the G1 will take you into Recovery Mode. From here you can perform a NANDroid backup, wipe your phone, access a command line and of course, flash your phone with an update.zip file.
RC## (or release candidate) – In context to the G1, it is an official release of Android from T-Mobile meant specifically for the G1 (not ADP).
ADP (Android Developer Phone) – A Google specific (or carrier non-specific) version of the G1/Dream that has root access by default and is meant for developers writing apps for the G1, or Android in general.
ADP vs. RC## - Neither RC’s or ADP versions are tied to their respective hardware. With the right bootloader, you can flash an ADP image to a G1 or an RC image to an ADP.
JFV1.## - Is a specific Version of a JesusFreke ROM. JesusFreke is a developer on this website that has graciously spent his time to modify the G1 OS to allow us to have root access to our phones. This gives us the ability to explore and modify our phones via a command line.
Cupcake – a development branch of the Android OS that contains many improvements that was merged into the master build of Android and is currently being released to new phones as Android 1.5.
Nandroid – a utility, accessible through Recovery Mode, that allows you to backup your phone and restore to the exact condition at backup.
Apps2SD – Applications moved to your SD card instead of internal memory. Some people like the extra room, some people don’t want to hassle with the partitioning.
Partition – just like the partitions that separate cubicles in an office, a partition separates parts of a drive.
File system – there are many. It’s basically a specific way of organizing data on a partition. FAT(32) is generally windows, ext2 is generally linux. This is not a hard and fast rule, just most common in context with what you’ll see here.
Scripts – scripts are text files that contain a list of commands to perform. Instead of typing each command out multiple times, a script can be run that will initiate all steps listed in the script.
Android SDK (System Developer’s Kit) – This includes all tools (sans fastboot) that a developer needs to create applications for the G1. It also has tools for interacting with the phone via a command line (ADB).
ADB - is a part of the SDK that allows you to run commands against the G1 in lieu of using the terminal on the phone itself.
Fastboot - is a tool used to flash system images (.img files) to the G1 from a command line on your pc. IMG files are created when you do NANDroid backups and official images can be downloaded from HTC as well. To get to fastboot mode on your phone, hold the back button while powering on.
When T-Mobile first released the G1, they left a bug in the Android OS that allowed anything typed on the keyboard to be passed on to a root shell running in the background. This really was a major flaw and needed to be patched. Unfortunately, when they patched it, they really patched it. RC29 was the last version that still had root. With all versions RC30 on, it was removed. It completely denied us any hope at modding our “open-source” phone.
Somehow, the base image for RC29 (dreaimg.nbh) was leaked and some enterprising developers were able get access to the bootloader and return an updated G1 (RC30+) to RC29 and use this to regain root.
Somewhere along this road, Google released the ADP (Android Developer Phone), which has root enabled and uses a specific SPL (EngineeringSPL) that was the base for the modified HardSPL that most of us use now. Nandroid was included to allow us to back up our phones and shortly after, JesusFreke modified RC30 to keep root and still provide the fixes and improvements that came with it.
I’m not sure where it all started, but eventually, LucidREM released a modified version of JesusFreke’s ROM. This made moving applications to SD painless and freed up system storage and now we can have 32 flashlights and 62 tip calculators installed all at once.
Apps2sd has been the bane of many peoples existence. It requires you to partition your SD card in to separate file systems (FAT32 to remain compatible with windows computers as a mass storage device and ext2 to maintain compatibility with the underlying linux OS of the G1). It also requires you to move your apps to the SD card and then create symbolic links (similar to a windows shortcut) from the internal location pointing to the SD card. Lots can go wrong in this process and that’s why LucidREM, MartinFick, MarcusMaximus04 and others have created tools to help simplify the process.
Now of course, to achieve any of the things you want to do with the G1, you have to interact with it. There are at least 2 main ways to do this. Some prefer to do everything from the phone itself using a terminal, while some prefer to use their PC with the phone connected via USB. Others avoid both of these, as best they can, and use other peoples apps or scripts anywhere they can get away with it. This is why you may find many different explanations of the same goal.
In order to interact with your phone from a pc, you need the Android SDK, which includes ADB. ADB is basically a linux shell that communicates with the G1. It is easier to copy and paste from threads and insert commands without worrying about making typos. It also requires it’s own bit of hoops to jump through (unless you use a mac or linux ;-)) and sometimes scares people away. It is highly recommended if you plan on hacking at your phone with any regularity.
Of course, there are some sadists (I once was one) that like to type line after line of code on a tiny keyboard and use the terminal directly from the phone. This is fun and it makes you feel 1337, but it also leaves a lot of room for error. Remember, you are a root user now, and any mistake you make can be potentially huge.
Well, that’s all for now folks. Please feel free to add, subtract, reorganize, correct anything I’ve said, in the comments. Also, I’ve tried to add links to any relevant threads and sources that I used in making this… this, whatever you wanna call it.
Thanks to everyone in this community for doing what you do. We are all geeks and enjoy doing this stuff. It's good to have so many talented people taking an interest in Android and the G1 in general. It is open source communites that keep technology interesting and exciting.
Thanks to Haykuro, TheDudeofLife, all the theme devs, and all the big players that I didn't reference in this post. Oh, and SolemWishing for the Timeline! It helped, thanks!
Reserved for future posting
Awesome post for nuubs. This should be permanently stickied!
Very cool. a couple terms you should add:
Fastboot
SPL
Recovery mode
(including what key strokes you need to hit to get into spl and recov. modes)
Thanks for the feedback!
I added SPL and Recovery... let me get my facts straight on fastboot and I'll add that tomorrow.
I don't know if it is the right place for it, but there seem to have been lots of question about "radio" or more specifically "radio update".
I feel smarter already.
I particularly found the file system explanation useful, i put it together that fat32 and the other were the two partitions but didnt realize which was for cpu. Not ready to attempt but definitely closer (although Im not even sure if I want to partition i have no need for all that space at this point) It doesnt affect performance does it?
Agreed. Good stuff. Definitely noob required reading material.
Yes, indeed a very nice guide for the beginners. Hell we ALL started that way...i remember when I first got this phone ~6 months ago (no root), and there was almost nothing about it, no support, no add-ons, no hacks, nothing. It was boring, and for me I was coming from a motorola (motomodders?), so going to something that was far superior but didnt have community support made me almost cry.
Though look now, 3 months later the market was filling up and being abundent of new stuff to play with (I didnt even try rooting for a while, until it became a lot more well-known [fixes and the likes], and themes became a necessity because they started to get really good), and now 6 months later people are hacking away figuring out soo much stuff about it. Amazing work everyone, seriously.
Something good: It all starts at the roots .
Well, I added info on fastboot and exceeded my 10000 character limit. Now I understand why so many people reserve the second post. lol...
I'll make some changes so I can add info about the radio, however the link to fastboot explains the radio fairly well.
Thanks for the feedback everybody, I hope this helps some people out.
skri11a said:
So you’ve got a nice, shiny, new G1 and you’ve been hearing about all the amazing things you can do with it but you “MUST HAVE ROOT”. As far as you know, you’re not a plant (although you may feel as smart as one at this point) and beyond that, you have no clue what any of the terms or concepts mean in context.
Click to expand...
Click to collapse
When i read those lines i knew that this post would be worth reading
It was a really nice n00b guide, though ive done some WiMo flashing so some of the terms sounded familliar i certanly learned a thing or two
I would say it should be stickied and put on the wiki - oh and perhaps list it in alphabetic order, it would make it more usefull as a "I dont understand this term so ill just look it up"-thread...
Perhaps you can get a mod to give you post #2 & #3
//M
DMaverick50 said:
I feel smarter already.
I particularly found the file system explanation useful, i put it together that fat32 and the other were the two partitions but didnt realize which was for cpu. Not ready to attempt but definitely closer (although Im not even sure if I want to partition i have no need for all that space at this point) It doesnt affect performance does it?
Click to expand...
Click to collapse
I'm glad it helped. As far as performance issues, I've had none. In fact, when I was skating along with 12-19MB of free space, my phone would crall and cause me all sorts of grief. Since I've moved the apps and dalvik-cache, it's been very responsive and reliable. That being said, get a GOOD sd card. I see a lot of people having problems using cheap or < class4 sd cards.
m.klinge said:
When i read those lines i knew that this post would be worth reading
It was a really nice n00b guide, though ive done some WiMo flashing so some of the terms sounded familliar i certanly learned a thing or two
I would say it should be stickied and put on the wiki - oh and perhaps list it in alphabetic order, it would make it more usefull as a "I dont understand this term so ill just look it up"-thread...
Perhaps you can get a mod to give you post #2 & #3
//M
Click to expand...
Click to collapse
lol... I'm glad you liked it.
And thanks for the tips. I'm gone for the weekend, but I'll alphabetize it when I get back. Not sure what I can do about getting it stickied but I'll look into the wiki on monday too.
can you add busybox
in the nandroid instructions it requires busybox but I didnt see an explanation for what busybox is. Thanks and this thread has already been very helpful for me
speaking of stickying this....
who is in charge of stickies? A lot of stickable topics aren't stickied and a lot of topics that should be unstickied are still stuck...
DMaverick50 said:
in the nandroid instructions it requires busybox but I didnt see an explanation for what busybox is. Thanks and this thread has already been very helpful for me
Click to expand...
Click to collapse
Hey sorry for the late reply... Been pretty busy since Friday.
I'll try and add this to the first post shortly. I may have to remove some of the history lesson if I can't get a mod to give me the second/third post.
BusyBox - This is a single executable utility that contains many common Linux commands, instead of having an individual executable for each command. As far as I know this is built into all of the JF releases, as well as Dude's. It is also usable in the JF recovery console by hitting alt-x. To use busybox, just type "busybox" in front of the command you want to use (i.e. #busybox ls -L --to get a list of your directory).
AbsoluteDesignz said:
speaking of stickying this....
who is in charge of stickies? A lot of stickable topics aren't stickied and a lot of topics that should be unstickied are still stuck...
Click to expand...
Click to collapse
If you figure this out, let me know. I haven't tried to PM a mod or anything but I'd still be curious to know what the magic requirements are.
This will definitely help a lot of newcomers. Thanks for taking the time to make it.
Way to get stickied! Now I can stop copying pasting updates worrying I might not be able to find the post...
skri11a:
BusyBox - This is a single executable utility that contains many common Linux commands, instead of having an individual executable for each command. As far as I know this is built into all of the JF releases, as well as Dude's. It is also usable in the JF recovery console by hitting alt-x. To use busybox, just type "busybox" in front of the command you want to use (i.e. #busybox ls -L --to get a list of your directory).
Click to expand...
Click to collapse
Wouldn't "Unix utilities" be more correct than "Linux commands"?
And saying Android is "like windows mobile" is blasphemy! You can't compare Unix to Micro$oft Windoze (Yes, that's a very sophisticated and mature way to express my hatred of the OS )! >:|
Anyway, it's good that you wrote this, theres probably a lot around here not having a clue about how things work in the world of unix

[Release] RT Jailbreak Tool

RT Jailbreak Tool
By Netham45, Version 1.20
An all-in-one program to jailbreak Windows RT tablets using the method recently released by clrokr​
Usage
Boot your RT device and log in, allow it to sit on the desktop for about a minute.
Extract all files out of the latest version of the .ZIP attached to this post. To do this on Windows RT, right-click on the .zip, choose 'Extract all', and select the destination folder.
Run runExploit.bat. It'll prompt you to either install the jailbreak to run on login, uninstall it not to, or run the jailbreak once.
Choose an option and follow all subsequent prompts. They're all quite easy and self-explanatory.
FAQ
Q) What does this do, in layman's terms?
A) It allows non-Microsoft ARM-compiled .exes to run on the desktop. That is it.
Update (03/01/2013): The jailbreak now allows unsigned drivers to load.
Q) Can I use this to run Photoshop, Steam, AutoCAD, <Insert commercial product here>?
A) While it is -technically- possible for the companies to port their stuff over to Windows RT using the hack it is extremely unlikely. As a rule of thumb, if it's a commercial piece of software it won't run on the ARM.
Q) Can I use this to run PuTTY, VNC, X-Chat, <Insert open-source product here>?
A) Yes! Open-source programs are ones that you, having the source code, can recompile to work on the ARM. If it's not already available (A small but growing number of programs are) it's easy to get started. There are some useful threads in the Windows 8 Development and Hacking board on XDA-Developers.
Please note that not all programs can reasonably be ported over to ARM, due to either program complexity, overuse of inline assembly, or the current lack of a GNU Compiler
Q) Can I use this to run any random x86 app I find on the internet?
A) No. Apps must be recompiled for ARM. Stop asking why Chrome doesn't run.
Q) Can I use this to hack my Android tablet?
A) Not really. Most Android hacks require custom kernel-mode drivers (APX, Odin, ADB all require drivers that are unavailable), and this hack only allows us to run unsigned User-mode code.
If you don't know the difference between User-mode and Kernel-mode, I'm sure Wikipedia has a good article on the subject.
Q) Will Chrome/Firefox be ported over?
A) I don't see any major technical hurdles for those, but I probably won't be the one to do it.
Q) Are there any precompiled apps for this available?
A) Check out THIS THREAD for a list of all currently known compiled apps.
Q) I ran the jailbreak, now where can I download pirated apps from?
A) Nowhere. This jailbreak does not allow for pirated apps, and it is a long ways off from actually supporting pirated apps. If you manage to get pirated apps to run on Windows RT you will be doing the entire community a large disservice, along with ruining what credibility this hack may have in Microsoft's eyes.
Q) I don't know how to recompile code, can I get someone else to do it?
A) If it's a simple project you can likely find someone who will be more than happy to recompile it for you. If it's a large project with numerous dependencies, or a commercial project, I will be willing to take a look at it and quote a price to do it. (On that note, please realize that I am not affiliated with XDA-Developers at all.)
Q) I keep BSoD'ing! What's up?
A) I haven't managed to track down the cause of the BSoDs, except that they seem to happen when the exploit is ran within the first minute or so of the tablet booting and logging in. If you're getting BSoDs, boot your tablet to the desktop and wait 2 or 3 minutes before trying the exploit. Also, make sure that you're up to date with Windows Updates, as of 2/26/2013.
Q) I ran the .bat and it told me it couldn't find it's bin folder. What's wrong?
A) Extract the ZIP in entirety. Don't just open the ZIP and double-click on the runExploit.bat.
Q) It's not working! What do?
A) Post in this thread describing what you're doing and the issue you're having, do not PM me, even if you don't have the number of posts to post in the developer sections. I'll consider it spam and disregard it. Don't message me on Twitter either, the only place that I will provide support for this tool is in this thread.
Q) Is this persistent across reboots?
A) No, it resets every time the device reboots.
Q) Is this a tethered exploit?
A) No. Tethering is connecting the device to a computer, or other device to jailbreak it. This is done entirely on the device. It just has to be redone at reboot.
Q) Will this work with all the latest updates, as of 02/26/2013?
A) There was an updated .zip posted for the latest update (Patch Tuesday, Feburary 2013.) It should work.
Q) How do I compile apps for the Surface RT? It says I'm missing a bunch of .libs!
A) Visual Studio 2012 does not come with all the required ARM .libs for compiling most desktop apps. Please see THIS post by _peterdn for a useful utility for generating .libs and .exps from the .dlls on the tablet.
Q) Why would you want desktop apps? They suck for touch.
A) Mainly for the library of easily ported software, along with the things that metro apps just can't do. I agree, they're more inconvenient to use with touch, but that's the tradeoff for having a huge library of software. You also don't have to use desktop mode, the tablet still is quite good without it (Except the mail client). I also believe that since it's my device I should be able to do whatever I want with it, regardless of what MS says. Traditionally MS has leaned the same way with Windows, which makes it rather disappointing they chose to lock this platform down.
Q) Will this void my warranty?
A) Since it doesn't persist across reboots chances are the support center will never know, though it may be against the terms of your devices warranty.
Q) Is there any warranty for this program?
A) No express or implied warranty exists.
Q) Your hack caused the paint to chip off my tablet, the felt to peel off my type keyboard, the kickstand to fall off, and my tablet to display nothing but satanic messages while it's on! I want you to buy me a new one!
A) No it didn't, and see my warranty policy.
Q) Can Microsoft patch this?
A) Yes and no. They can patch it through Windows Update, but since we have the ability to reinstall from recovery partitions we can revert any Windows Updates they release.
Q) Will this allow people to run viruses on my tablet?
A) Yes and no, if something malicious is compiled and ran while jailbroken it could act like a virus, yes. Once you reset, though, it'll be gone.
Q) I came across a malicious RT application! Who do I tell?
A) If it's a jailbroken application then the most you can do is make a post informing about it. That's one downside to having unsigned code, there's no one regulating body who can decide what is and isn't available, and manage safety. If it's a store application then I suggest you contact Microsoft. If it's a Modern UI app that requires the jailbreak to run you still may have luck contacting Microsoft, as they can blacklist the developer's certificate.
Q) Can any random Store app do this?
A) No, this requires tools and privileges that Windows Store apps can't possess. The appcontainer model that MS uses is very strict and good at preventing things like this from happening. There's a number of things that flat-out aren't possible to do from a Store app that this uses, not to mention that it would get rejected by MS.
Q) Will I (The user) get my developer license banned?
A) It's possible, though I doubt that MS will do that.
Update: With the new payload (as of 1/18/2013) users no longer need to get their own developer certificate.
Q) Won't you (Netham45) get your developer license banned?
A) Time will tell, I knew the risk when I posted this. I suspect that their banning system is more geared towards piracy, though, which this doesn't really enable.
Update: With the new payload (as of 1/18/2013) my developer certificate is no longer required.
Q) I've got this great feature/idea for the jailbreak! Where can I tell you at?
A) Post it in this thread. Note that the area where we can script and such before the exploit is limited and restricted to pretty much batch scripts, and that I am under no obligation to implement a feature if you suggest it. And, seriously, do not PM me about it. If you don't have the prerequisite number of posts to post in the developer section then go get them.
Q) Can I throw money at you for writing the tool to automate this?
A) There's a donate link on the side of this post. (I'd love to get a Surface Pro. )
Q) Can I throw money at clrokr for documenting the exploit?
A) You'll have to talk to him about that.Here's his profile.
FAQ last updated 2/26/2013 10:17 PM MST
Thanks to clrokr for documenting the usage of the exploit, and to the numerous people who contributed positively in the [Q] Hacking Windows RT to Run Desktop Apps thread
Download is attached to this post.
Update log
Update 1.01(1/10/2013): Uncommented pause in the PS script to install the ModernUI app -- It was causing it not to prompt to install a developer license/my cert for some reason.
Update 1.02(1/10/2013): Fixed issue on non-English devices.
Update 1.03(1/11/2013): Fixed issue with usernames with spaces in them, fixed issue where the user running the jailbreak isn't the first user logged in
Update 1.1(1/18/2013): Redid functionality; it now gets the kernel base inside the payload, instead of requiring a Metro application. Added a startup folder that gets ran after jailbreak. Cleaned up output. Click for more info
Update 1.11(1/18/2013): Added commandline options, added a simple interface to handle creating scheduled tasks to run, added a powershell script to keep it from running if the system hasn't been up for two minutes, added missing startup folder, added sanity check so it doesn't freak out if the startup folder isn't there
Update 1.12(2/12/2013): Fixed the scheduled task to not require AC power to run, tweaked script to not crash on latest patches, Fixed startup folder not getting executed properly
Update 1.12a(2/12/2013): Fixed it to actually work on the latest updates. Oops.
Update 1.13(2/14/2013): Added the ability to dynamically get the signing level. It now requires internet on the first launch, and after an update changes ntoskrnl.exe. This version is slightly experimental, so if it doesn't work use one of the older versions.
Update 1.13a(2/15/2013): Tweaked the script to return from the hook in a way that seems more robust. If 1.12a or 1.13 work for you there's no need for an update.
Update 1.20(3/01/2013): Made the bat use registry keys instead of files in system32, added registry-based startup folder, altered payload to support unlocking kernel-mode code
Click here to download the latest version​
Older versions may be downloaded here
(Note: If you wish to mirror this post please retain a link to it at http://forum.xda-developers.com/showthread.php?t=2092158 so users can always get the latest version.)
Nice job! Good to have an all-in-one. Is this tool using the decrement by 0x80000 or trying the option of a slightly lesser decrement?
Also, it would be good to have a unified selection of RT-compiled desktop apps. I'm working on porting Pidgin (the Windows Store IM clients kind of suck...) but it's not easy; the "build under Windows" instructions boil down to "make your Windows system as Unix-y as possible, then build it there". There may be a way to target RT from GCC, but I am not aware of it.
EDIT: What I meant to say is, perhaps a thread linking all the various apps that people have built (preferably with links to their source, for those of us mildly paranoid types who like to see what other peoples' code is doing on our systems) would be a good idea.
GoodDayToDie said:
Nice job! Good to have an all-in-one. Is this tool using the decrement by 0x80000 or trying the option of a slightly lesser decrement?
Also, it would be good to have a unified selection of RT-compiled desktop apps. I'm working on porting Pidgin (the Windows Store IM clients kind of suck...) but it's not easy; the "build under Windows" instructions boil down to "make your Windows system as Unix-y as possible, then build it there". There may be a way to target RT from GCC, but I am not aware of it.
Click to expand...
Click to collapse
I'm decrementing by 0x7EFF0, it seems to not get the 0x18 bugcheck at all with that number. The one it gets if you run it too soon is a different bugcheck.
Install Fails
Brilliant!
I tried running it but it keeps going in an endless cycle because the Metro app fails to install.
Using a Surface with the latest patches from Microsoft.
merill said:
Brilliant!
I tried running it but it keeps going in an endless cycle because the Metro app fails to install.
Using a Surface with the latest patches from Microsoft.
Click to expand...
Click to collapse
Does it give you any error messages when it fails to install?
netham45 said:
Does it give you any error messages when it fails to install?
Click to expand...
Click to collapse
When installing the metro app, the installation fails because the certificate isn't added to the cert-store by default and the batch just tries again.
I uncommented the #Pause in PrintMessageAndExit to read the error message and that made it possible to choose to install the certificate, the powershell just closed otherwise.
After that the metro app installs fine, and tries to start it. I can see the app start, though the cmd still doesn't recognize it and tries to install it again...
I wrote my own metro app for that today and installed it instead of yours and it worked fine with mine.
My App is just this:
protected override void OnFileActivated(FileActivatedEventArgs args) {
WriteAddress((StorageFile)args.Files[0]);
}
private async void WriteAddress(StorageFile file) {
using (Stream s = await file.OpenStreamForWriteAsync()) {
using (StreamWriter wrt = new StreamWriter(s)) {
uint adr = GetKernelAddress.Address.Get() + 0x19FFBC;
await wrt.WriteAsync((adr & 255).ToString("X2") + " " + ((adr >> 8) & 255).ToString("X2") + " " + ((adr >> 16) & 255).ToString("X2") + " " + ((adr >> 24) & 255).ToString("X2"));
}
}
App.Current.Exit();
}
Click to expand...
Click to collapse
sebmaster16 said:
When installing the metro app, the installation fails because the certificate isn't added to the cert-store by default and the batch just tries again.
I uncommented the #Pause in PrintMessageAndExit to read the error message and that made it possible to choose to install the certificate, the powershell just closed otherwise.
After that the metro app installs fine, and tries to start it. I can see the app start, though the cmd still doesn't recognize it and tries to install it again...
Click to expand...
Click to collapse
Having the same issue, uncommenting the pause seems to fix it all for me. I'll update the zip in the top in just a second.
Edit: New zip with that uncommented uploaded.
Metro app failed to run. Trying to (re)install the metro app...
Found certificate: C:\Users\Merill\Downloads\RT_Jailbreak\bin\ModernUI_App\Get Kernel Base_1.0.
Before installing this package, you need to do the following:
- Install the signing certificate
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At C:\Users\Merill\Downloads\RT_Jailbreak\bin\ModernUI_App\Add-AppDevPackage.ps1:497 char:9
+ $IsAlreadyElevated = ([Security.Principal.WindowsIdentity]::GetCurrent() ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
merill said:
Metro app failed to run. Trying to (re)install the metro app...
Found certificate: C:\Users\Merill\Downloads\RT_Jailbreak\bin\ModernUI_App\Get Kernel Base_1.0.
Before installing this package, you need to do the following:
- Install the signing certificate
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At C:\Users\Merill\Downloads\RT_Jailbreak\bin\ModernUI_App\Add-AppDevPackage.ps1:497 char:9
+ $IsAlreadyElevated = ([Security.Principal.WindowsIdentity]::GetCurrent() ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
Click to expand...
Click to collapse
Try the new zip I just uploaded, I believe I fixed that.
Edit: I see what happened. The file that MS distributes has a signature at the bottom which allows it to make unrestricted system calls and when I commented out the pause I broke that.
Very Nice job! Thank you again!
Yahoo!!! Works. Have PuTTY running. Now to get all ARM compatible apps in one place!
merill said:
Yahoo!!! Works. Have PuTTY running. Now to get all ARM compatible apps in one place!
Click to expand...
Click to collapse
Glad to hear it's working.
Now, 6 AM, time to go to bed.
merill said:
Yahoo!!! Works. Have PuTTY running. Now to get all ARM compatible apps in one place!
Click to expand...
Click to collapse
I agree! If anyone gets Utorrent working ill be eternally greatful
Sent from my HTC One X using xda premium
vincepg13 said:
I agree! If anyone gets Utorrent working ill be eternally greatful
Click to expand...
Click to collapse
With 7Zip, Putty and an .Net 4.0 FTP Uploader app... all I need now is a Transmission console and I no longer really need my laptop.
Would be great to associate .torrent with Transmission on the Surface.
What other "needed" apps that are projects (like SourceForge) that people can think of?
MediaInfo would be handy... wonder if it could also integrate with explorer...
Perhaps this discussion needs its own thread
I'm actually starting a thread for this topic... but since we're here, one thing that would be awesome (instantly add support for a ton of software) would be a Java runtime. Unfortunately, they're huge and complex beasts, and tend to either require assembly or be buildable only on Linux (sometimes both...).
in asus vivo tab rt , I can not go where I say,
please press the volume down now
Silverlight ideally. But it sounds like thats a no go.
Also Chrome or Firefox would be good!
Filezilla would also be nice.
Nice work guys.
It works, but I still get the SmartScreen filter when I try to run apps from Explorer. When I run them from command line, it works fine.
I believe there's a registry entry that needs to be changed, but I don't remember what it is.
randomned said:
It works, but I still get the SmartScreen filter when I try to run apps from Explorer. When I run them from command line, it works fine.
I believe there's a registry entry that needs to be changed, but I don't remember what it is.
Click to expand...
Click to collapse
in the pop up, click more info then click 'run anyway' - itll never bother you again for that app.
will this work with the latest updates installed

Improving the jailbreak

So, I'm working on a new jailbreak that I hope will be more reliable and faster. I have my DLL injected into csrss.exe and now need to exploit the kernel.
The exploit itself is rather limiting: you can only decrement an aligned dword whose new value will be greater than zero in a signed sense. If you decrement a dword whose value then becomes zero or negative, the kernel will bugcheck (BSOD). Same if you try to decrement an unaligned dword, because the InterlockedDecrement instructions will throw an exception on ARM.
The ultimate goal is to set g_ciEnabled in ntoskrnl.exe to zero. The current jailbreak works by decrementing that dword almost 0x80000 times to lower g_ciEnabled from 8 to 0. However, this is unreliable for several reasons, mostly due to other flags in that same dword.
The other way to accomplish this is to get arbitrary code running in the kernel, then just write to g_ciEnabled directly. This is a lot easier said than done.
Directly attacking function pointers in the kernel or drivers doesn't work. This is because all kernel pointers have their high bit set, and therefore would bugcheck when decremented.
Setting bits in g_CiDeveloperMode in ci.dll would allow loading of kernel drivers signed with a self-signed certificate - this is test signing mode from the desktop Windows. However, this value is zero, and decrementing it to -1 bugchecks due to being negative.
The function pointers in the system service dispatch table are encoded specially, such that they end up not having their high bit set. This makes them interesting targets. However, this table is stored at an unknown runtime address. This address is unknowable to user mode. Also, the ARM kernel has PatchGuard, meaning that changing the SSDT will bugcheck the next time the PatchGuard DPC runs.
Another idea I had is to poke at our trap frame from a second thread, in order to set the saved status register's privilege level to system - to make the kernel return to a kernel thread but in our space. This is problematic because the trap frame is at an unknown address.
A timing attack could be used, where one thread pokes at the kernel stack of another thread while it executes a system call. This has interesting possibilities, but how would we know the address of the kernel stack for a thread?
Getting a handle to \Device\PhysicalMemory would be nice, but difficult. Also, how would we get the physical address of ntoskrnl.exe? The virtual address is easy by comparison.
Just ramblings of my thought process on this. =)
Myriachan said:
So, I'm working on a new jailbreak that I hope will be more reliable and faster. I have my DLL injected into csrss.exe and now need to exploit the kernel.
Click to expand...
Click to collapse
The main speed issue is that something is out of sync for the first 100 seconds or so after booting that causes the kernel call we exploit to crash.
Myriachan said:
The exploit itself is rather limiting: you can only decrement an aligned dword whose new value will be greater than zero in a signed sense. If you decrement a dword whose value then becomes zero or negative, the kernel will bugcheck (BSOD). Same if you try to decrement an unaligned dword, because the InterlockedDecrement instructions will throw an exception on ARM.
The ultimate goal is to set g_ciEnabled in ntoskrnl.exe to zero. The current jailbreak works by decrementing that dword almost 0x80000 times to lower g_ciEnabled from 8 to 0. However, this is unreliable for several reasons, mostly due to other flags in that same dword.
Click to expand...
Click to collapse
I haven't noticed many, if any issues with it doing that (except that we're not editing g_ciEnabled)
Myriachan said:
The other way to accomplish this is to get arbitrary code running in the kernel, then just write to g_ciEnabled directly. This is a lot easier said than done.
Click to expand...
Click to collapse
Especially since g_ciEnabled doesn't exist on ARM.
Myriachan said:
Directly attacking function pointers in the kernel or drivers doesn't work. This is because all kernel pointers have their high bit set, and therefore would bugcheck when decremented.
Click to expand...
Click to collapse
All kernel code is loaded at 0x80000000 or higher.
Myriachan said:
Setting bits in g_CiDeveloperMode in ci.dll would allow loading of kernel drivers signed with a self-signed certificate - this is test signing mode from the desktop Windows. However, this value is zero, and decrementing it to -1 bugchecks due to being negative.
Click to expand...
Click to collapse
I've been trying to do something like that, but I've hit a wall since all the pointers, as you said, have the negative bit set. I wanted to hijack a pointer in the HalDispatchTable.
Myriachan said:
The function pointers in the system service dispatch table are encoded specially, such that they end up not having their high bit set. This makes them interesting targets. However, this table is stored at an unknown runtime address. This address is unknowable to user mode. Also, the ARM kernel has PatchGuard, meaning that changing the SSDT will bugcheck the next time the PatchGuard DPC runs.
Click to expand...
Click to collapse
Again, all kernel code is loaded at 0x80000000 or higher.
Myriachan said:
Another idea I had is to poke at our trap frame from a second thread, in order to set the saved status register's privilege level to system - to make the kernel return to a kernel thread but in our space. This is problematic because the trap frame is at an unknown address.
A timing attack could be used, where one thread pokes at the kernel stack of another thread while it executes a system call. This has interesting possibilities, but how would we know the address of the kernel stack for a thread?
Click to expand...
Click to collapse
Even if you somehow pull that off, how is that going to be better than the current tool?
Myriachan said:
Getting a handle to \Device\PhysicalMemory would be nice, but difficult. Also, how would we get the physical address of ntoskrnl.exe? The virtual address is easy by comparison.
Click to expand...
Click to collapse
A handle to PhysicalMemory can only be opened by ring-0 code.
g_ciEnabled doesn't exist on arm, we're editing an unnamed variable that controls the required signing level (not rather signing is enabled). See clrokr's blog for more information, and read/search through the Hacking Windows RT to run Desktop Apps thread to see that we've tried quite a few of the things you listed.
All the things you suggested are either impossible (with current knowledge, or just flat out impossible), or far more likely to cause issues than the current jailbreak. Also, what stability issues are you having with the current jailbreak? It works 100% of the time for me.

[QPST 2.7 build 402]

Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
:good:
solcam said:
Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
Click to expand...
Click to collapse
---------- Post added at 04:36 PM ---------- Previous post was at 03:44 PM ----------
:good:
solcam said:
Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
Click to expand...
Click to collapse
Ummmm...Yeah. If you say so.
solcam said:
Ummmm...Yeah. If you say so.
Click to expand...
Click to collapse
Anyone managed to download this?
No. It says that it belongs to an unvalidated account. I know that 418 is now out too if anyone might have this one.
cezar1 said:
This file infected by troyan. Thanks a lot
Click to expand...
Click to collapse
I had no issues with it... and still use it. I will look into it. I did not upload it, I just posted the link.
---------- Post added at 10:56 PM ---------- Previous post was at 10:32 PM ----------
cezar1 said:
This file infected by troyan. Thanks a lot
Click to expand...
Click to collapse
I did some checking and a few people DID have issues with this. Thank you for bringing it to my attention...
If you install this via "setup.exe" it will put a backdoor on your system. It lives at "C:\Users\Admin\AppData\Roaming\Qualcomm". It will also add itself to the "HKCU/Software/Microsoft/Windows/Current Version/Run" key in the registry. There is no virus in the MSI file.
You should be able to detect it, remove it and use build 422. Again, I am using it without issue.
rekamyenom said:
I had no issues with it... and still use it. I will look into it. I did not upload it, I just posted the link.
Click to expand...
Click to collapse
Hello, fellow QPST users.
QPST 2.7 Build 4.2.2 is a fake version with keylogger.
Some a$$hole downloaded latest public QPST build (4.0.2) and decompiled MSI installer package, then edited all "4.0.2" to "4.2.2", added "fake changelog", added keylogger (qualcomm.exe), then repackaged and spread around web!
Everyone who downloaded QPST build "4.2.2" should change all his passwords.
More info about malware from fake 4.2.2 build (QPST.2.7.422.msi)
MSI package (QPST.2.7.422.msi) was embedded/tampered with qualcomm.exe which is a .NET based malware that logs your keystrokes and sends it to attacker's server.
How to delete the actual malware from your system?
Look at the startup from msconfig or CCleaner, there should be a file called qualcomm.exe thats set to start everytime system starts. Delete both registry and file.
If you wanted to see what data thief was stolen from you. Just open the .dc file (in "dclogs" folder) with Notepad and see for yourself.
In XP, dc file is located here!
C:\Documents and Settings\Administrator\Application Data\dclogs
there should be a file called "201X-XX-XX-X.dc
if you open that DC files with Notepad, you'll see all your keystrokes.
Here is mine. I've intentionally entered paypal site with fake info.
:: Run (3:01:51 AM)
Script kiddie. NET Based malware, huh?[ESC]
:: Program Manager (3:02:14 AM)
e
:: Firefox (3:02:18 AM)
www.paypal.com
[email protected][TAB]
mypaypalpass
[ENTER]
:: Documents and Settings (3:02:19 AM)
[UP]
:: Administrator (3:02:28 AM)
[DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN]
[DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN][DOWN]
d
:: (3:02:34 AM)
:: Administrator (3:02:34 AM)
d
:: (3:03:11 AM)
mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
:: [Release] QPST 2.7 BUILD 422 - Download Here - Enjoy - Mozilla Firefox (3:03:57 AM)
crap
How to delete?d
:: Clipboard Change : size = 16 Bytes (3:03:57 AM)
QPST.2.7.422.msi
:: (3:04:23 AM)
cccccc
Click to expand...
Click to collapse
Keylogger sends the logs from keylogger to "qpst.hopto.me"
So please report about this incident where and when you encounter QPST 4.2.2 somewhere (forums, posts, sharing-sites, etc)
Copy my whole post and paste it where you see 4.2.2 mentioned.
Bonus: Fake Changelog
If you've installed this 422 build, then open the Readme.txt in C:\Program Files\Qualcomm\QPST\Documents
Scroll down and see the "6/12/13 QPST 2.7.422 changelog"
6/12/13 QPST 2.7.422
1) EFS Hello commands will not be sent unless the device is in a compatible mode. Sending this command when the
device is in download mode can cause a "server busy" message for a few seconds because of command retries.
2) Support for the Sahara device protocol (see 80-N1008-1 or equivalent) is now built in to the QPST server process.
This protocol is only supported by USB Serial ports, not TCP/IP connections. In QPST Configuration a device in
this mode will display as "Q/QCP-XXX (Sahara Download)". This mode can only be detected (1) when the QPST server
process starts or a COM port in this mode added to QPST, or (2) when a device enters Sahara mode on a port assigned
to QPST. This is because the device only sends its Hello message once, as soon as the COM port is opened.
Click to expand...
Click to collapse
Changelog above is actually cloned from QPST 2.7.394 Just scroll down and see Build 2.7.394 changelog. Its same!
So forget about Build 422. It doesn't exist.
Use QPST 2.7 Build 402. It's the latest public build
Sorry about my english
Best Regards
AnycallMongolia
can somebody give proper qpst latest version.
pl provide dropbox link
madroamer said:
can somebody give proper qpst latest version.
pl provide dropbox link
Click to expand...
Click to collapse
Okey, someone (HuaweiDevices.ru) leaked QPST v2.7.411 to the public. I've installed it myself and confirmed that its legit build.
Here is original link of the leak..
Here is my link.
http://d-h.st/qAy
Thread cleaned, potentially unsafe file and posts are gone. All members are to be reminded that whenever you flash anything, regardless of what it is, you take chances.
Thanks for the report, and thanks for not being disrespectful regarding the matter.
Now, back to development.
Thanks for your sharing this.
solcam said:
Mods please move this post if in the wrong place. OK, I couldn't find it ANYWHERE on XDA but, I did find it by doing extensive baidu (China's Equivalent of Google Search engine) searches and translations. So I give to you all QPST 2.7 build 402. I have the newest and latest QXDM and QCAT also. They were uploaded to the Chinese site on February 13, 2013. QXDM requires activation so I wont post it. I will post QCAT if anyone requests it though, as it does not require activation and neither does this version of QPST. I have seen numerous posts over the net where people wanted QPST 2.7 build 385 but this one surpasses that version. Annoyingly enough though, I still cant write settings to my girlfriends LGL55CV3 Straight Talk android phone with it . So if anyone here can help me out on this, please feel free to do so. So enjoy and hit thanks if I've helped you out.:good: http://www.mediafire.com/?yya85byog8kqtxn
Click to expand...
Click to collapse
anycallmongolia said:
Okey, someone (HuaweiDevices.ru) leaked QPST v2.7.411 to the public. I've installed it myself and confirmed that its legit build.
Here is original link of the leak..
Here is my link.
http://d-h.st/qAy
Click to expand...
Click to collapse
Link works. Thank you.
Hello guys, i have a LG G2 with 3g issue , it works just in 2g, somebody can upload his QCN file so i try to replace mine with it? Thank you so much
!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!
!!! TROJAN AGAIN !!!
Some time ago in Feb 2014 man named anycallmongolia posted a link to QPST 2.7 build 411
Link points to the site HuaweiDevices.ru
h_t_t_p_://_huaweidevices._ru/ROMS/QPST_2.7.411.rar
Later I'd personally downloaded this version from this topic a few times in 2014 and this was normal non fake QPST which i'd installed on a few PC's. (Can't remember particular link now). Today I would like to install QPST to a new NB PC, so assumed this topic as the best source. Being a recovery/data structures expert I always inspect code (mostly by viewing in text/hex). As most of members I've very high trust level to xda (certainly it's much higher then one related to the "famous and respectable" corps like Google/MS/Apple/etc, who aren't on my side, I'm sure).
I've installed QPST got from this topic a few times, so I'd almost pressed Enter (I use FAR most of time and advice you to do the same) over the DL'd file "qpst 2 7 411.exe".... What??? - EXE??? And it's just about 500Kb long... But QPST installer occupies about 16Mb.
I've explored body - I's typical malware with slightly "encoded" (to prevent direct reading) data inside. QXDM offered on the neighbor page is the same malware of the same size.
If you'll try to dl QPST from above link you'll got 404 error in the center of normal html page with site menu etc... What normal man would think in this case? He'll think page/product have moved (e.g. due to overload protection) and what he'll do next? He'll try to find where page have moved and... will got link in menu just at the bottom of 404 page. It's just trivial (but very good working!) "social engineering" - publish real app in trusted place and when it will pass checks replace it with malware. (Or may be domain was sold to the criminals as it often occures in Russia for a few latest years). Even if you will check DL url in the status bar it will show link to the .RAR archive, but ASAY click the link it will be redirected to .exe!
PLEASE PUBLISH BIG WARNING on TOPIC START and remove links to HUAWEIDEVICES.RU!!!
Furthermore. Situation is much worse because huaweidevices shows 1ST position in search request "QPST 2.7.411" by Yandex.ru (#1 search engine in Russia) and 2ND position in Google results with the same request!!! It's VERY DANGEROUS situation! Thousands if not millions of peoples are at risk of infection.
I'm going to write abuses to Google and Yandex NOW!
Please spread info on such a new attack manner/technique around your friends, collegues and internet.!
Always check what you run!!!
QPST 2.7 build 425 (The REAL Thing!)
It is so irritating to see all of the jerks who are trying to spread viruses and malware nowadays.
Here is the REAL build 425:
http://www.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
drkcobra said:
It is so irritating to see all of the jerks who are trying to spread viruses and malware nowadays.
Here is the REAL build 425:
h_t_t_p_://_w_w_w.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
Click to expand...
Click to collapse
Very very very BIG Thank you!!!
That's really new one and it contains new very promising QFIL util. Didn't explored much yet!
God bless on you man!
BTW does anybody know how to descramble (decrypt)/scramble (encrypt) back EFS/NVRAM partitions (in most cases modemst*). I'd like to be able to patch/change every byte in EFS (not just locks etc bull****, my phones are always free of any contracts). Full modem FW reversing seems too difficult to me (i'm 'not so strong' in ARM assembly and there is too much code in modem FW). I'm sure for a such long period (over decade) of EFS life there should be methods around to manipulate it independently of mfr/commercial products, but I can't find them for a long time. Trust me, it's fully idiotic situation I'm (you're) not able to do with my (yours) computer (PDA is computer, not the "phone") all I want to do being "restricted" to access only data some f...n mfr "allowed" me to access. It's my device, I'd paid for it and I will decide what me to do with it.
Furthermore, modern public licenses don't allow to hide parts of object (device) code, where GNU/GPL code is the main part. Is anybody here who think that Linux/Unix value in ALL there f...n "modern" Android devices less than 90%? Most router mfrs have already forced by requirements GNU/GPL to publish full compilable code of their firmware. I shouldn't have clue what all they want to hide related to their "commercial" and manipulating interests. Using 30years of thousands people's free labor in their commercial products , they're obligated to publish full sources and should DO IT.
Apple is today wealthiest corp on this planet, but If you'll look into the Apple's internals you'll find tons of MODERN Linux code (protected by modern GNU/GPL) simply stolen from open source depositories, then adopted to MacOS/iOS then closed and sold as commercial product . Is it fair game?
TheDrive said:
Very very very BIG Thank you!!!
That's really new one and it contains new very promising QFIL util. Didn't explored much yet!
God bless on you man!
BTW does anybody know how to descramble (decrypt)/scramble (encrypt) back EFS/NVRAM partitions (in most cases modemst*). I'd like to be able to patch/change every byte in EFS (not just locks etc ...................
Click to expand...
Click to collapse
I use EFS Pro for BackUp and Restore.... Sadly its windows only, but works great with VirtualBox on Linux Mint Cinnamon/MATE 17.1 x64.
Hosted on the wonderful XDA:
http://forum.xda-developers.com/gal...ol-updated-09-06-14-efs-professional-t1308546
FWIW
I hear you about Apple, used to be a hardcore fan, when they were nearly bankrupt. I still swear by OS X, but not the iTard line of devices. I tell my nieces and nephews to get an Android cause they are not ignorant! lol There should be more of an effort to make people understand that Apple is using allot of *BSD (Linux) source. The GUI is closed, but some of the other source is available in the dev program site they host.
unimatrix725 said:
I use EFS Pro for BackUp and Restore.... Sadly its windows only, but works great with VirtualBox on Linux Mint Cinnamon/MATE 17.1 x64.
Hosted on the wonderful XDA:
http://forum.xda-developers.com/gal...ol-updated-09-06-14-efs-professional-t1308546
Click to expand...
Click to collapse
Thank you! Certainly I know this good product. It can manipulate NVRAM through COM-port, just the way QPST does it communicating w/modem FW. Is has many advanced options but seems not to be reliable enough (too many OEM customizations around, it's difficult to reverse all) As you stated it can also backup some partitions (like EFS). but you can do this yourself just by simple ADB/Unix shell commands (e.g. "dd if=/dev/block/mmcblk0p?? of=/sdcard/mmcblk0p??.img")
You can write simple scripts and perform such backups directly from device (to SD). Furthermore, you can customize CWM/TWRP for your device to perform such backups from recovery.
To do it you should know which partition numbers to backup/restore (to backup/restore what data you want).
There are methods/commands available to get needed info to build full device partition map (e.g. some devices contains "folders" named "by-names" deeper in /dev/block/... (where partitions are named), but in some cases (e.g. some 2013 MSM7227 based Samsung phones like GT-S756x) there is no names associated with particular proprietary partitions in the device, (at all) so the only way to find what data reside there is to backup and look (hex) with your own "experienced" eyes what these data seems to be (or search what others found on the theme). EFSPro "from the box" also knows only a few device's partition maps so, in most cases you should build configuration for your device manually with full knowledge of it.
There is no problem to locate and backup encrypted modem data partitions (modemst*/efs/etc...) if your device is rooted. Moreover, if your device has standard Qualcomm bootloader (not OEM's cut) you can switch device to the standard Qualcom DM (download mode) when all your eMMC contents will be exposed to USB bus as mass storage device (just like UFD or SDCard) and you can backup/restore whole drive contents or particular partitions just like PC's own partitions (try some "chnese" stuff (made of quality parts) instead of "branded" ones and you'll see superiority of the "open world".
But main question is how to decrypt modem data to explore and change them as I want at any time. Mfrs (i.e. Qualcomm and OEMs hide serials, locks etc BS there, but there is a lot of other interesting stuff related to modem configuration which is also closed and encrypted. This drives me wild because it's my device and my serials/locks and other stuff too, so it's my option to do with is what I want and no one else. I'm definitely know and sure modem FW/config and even mask ROM (which we most probably never will be able to explore) contains many hidden features that may lead to remotely force device to collect info about user and perform actions without his knowledge and consent. I have no matter what all these sec... services planned to do with all these exploits they forced OEMs/chipmakers to implement., but (sic!) they allowed information about these exploits to leak wild! So some "generic" engineers who simply have job and low level access to cellular provider's equipment (which able to broadcast custom service packets) to make "what they want with user's phones (e.g. switch it on or request GPS data) just "for fun". F them all, but most idiotic is fact that being an 25y experienced "lowest level" service engineer I can't get access and control over my own devices (i.e. computers). It's incorrect. It would be difficult but we should pay more attention to explore internals and get clue what goes on.
unimatrix725 said:
FWIW
I hear you about Apple, used to be a hardcore fan, when they were nearly bankrupt. I still swear by OS X, but not the iTard line of devices. I tell my nieces and nephews to get an Android cause they are not ignorant! lol There should be more of an effort to make people understand that Apple is using allot of *BSD (Linux) source. The GUI is closed, but some of the other source is available in the dev program site they host.
Click to expand...
Click to collapse
I've personally explored OSX files and partitions and seen much modern Linux code inside. They even don't hide "copyrights". Nobody will explore anyway and nobody cares. Old 80x-90x versions of public licenses allowed to do "anything" with free open sources (including to make changes, then close sources and sell product). After some smartasses like Apple used this hole to sell free labor of thousands of peoples, public license had changed. Modern licenses allows you to sell derived product, but obligate you to open sources (with same license) so anyone else can use them to and sell too. You can't close your part of sources if free code is most valuable part of your product. E.g. router mfr can't close part his own sources to make firmware sources "uncompilable" because Linux definitely is most valuable part of router FW. This warrant later development of free open source programs and free community n whole. Apple stated that they used only old 80x code in their OS'es and then developed it separately and thus they are not obligated to open sources to everyone. They would be right unless they didn''t used a lot of modern code protected by modern public license's requirements. I didn't explored deeply. May be they publish all derived code for free. Today we can't say accurately if some modern Linux components they adopt for Mac/iOS are most valuable part of their systems or not. We should explore all the code to make decision. but anyway it's not fair to use a lot of thousand's people's free labor just to make money. Google's position here is not ideal but much more fair. They publish most of sources and support open source community. They don't try to make system "unbreakable" and they don't force you to use their accounts too much. I've NO Google "phone" account AT ALL. I've no need in any "markets", "clouds" ect BS., which lead absolutely no problem to me to effectively use Android devices. There are lots of free APK's around
It practice, I have 2-3 old iPhones just for experiments. Yes we have Jailbreaks and some other stuff, but even if you break and get access to your device it's very uncomfortable to work with it at low level. On my sight just one ADB interface costs more then all "jingles and bells" of iOS's GUI. All these "tethered-untethered", "unbreakable" bootloaders in Mask ROM, lack of normal tools to explore and manage data on any level, total control and extraction of my data by mfr via strongly encrypted obfuscated protocols and hidden services make these devices useless for me in practice.
Windows Phone is even far more closed OS then iOS. You have no control over your data at all. You can't do a thing with WP device unless you sign up with MS account. You can't get access to your own data (except MM files) unless you sync it with MS cloud, i.e. you will be forced to send all your private data to MS and MS will decide whether to give piece of it back to you or not. Matrix in action. I've absolutely no clue what thought MS bosses when they decided to close ALL in OS that have had less than 1% of market. Their 1st goal was to attract developers to write apps for their OS and there was no better way to kick them than "close All". There is no matter does it perform GUI actions good or not when devs and users have no effective way to collect and use "useful" results of device's work.
drkcobra said:
It is so irritating to see all of the jerks who are trying to spread viruses and malware nowadays.
Here is the REAL build 425:
http://www.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
Click to expand...
Click to collapse
The new versions got rid of QXDM and RF NV Manager.
Build 415
etirkca said:
The new versions got rid of QXDM and RF NV Manager.
Click to expand...
Click to collapse
I have not used this version, so do not know if it has been removed from this one or not, but here is a legitimate copy of build 415:
http://www.mediafire.com/download/ac6yh57yye363mx/QPSTWIN2700415.rar

Wayland server for Android

ABANDONED
Hi! Does anyone here use Linux desktop distributions in chroot environment on Android device?
I am developing wayland protocol server for Android devices. If anyone is interested in checking my project, latest version of apk is always available here:
ftp://ftp.drivehq.com/mogryph/sparkle/
Currently I am only focused on running Xwayland as client. Also apk supports audio output.
Simplest instruction:
1. Android 6 or newer required, busybox required, root required
2. Prepare linux distribution in directory, image or on partition. Make sure you have Xwayland installed in it. Make sure you specify which DE to run (or at least xterm) in ~/.xinitrc
3. Install and start sparkle.apk
4. Press "edit user.sh", uncomment (remove #) line starting with start_generic_container. Change rest of this line to match your device:
first arg - image or partition where distribution is installed. If distribution is installed in directory and mouting is not needed, leave this arg unchanged.
second arg - mount point or directory with distribution. If you use mounting (first arg), this arg can be left unchanged.
third arg - name of the user which will be used to start Xwayland and DE. Its better to specify non-root. Also this is the user who must have .xinitrc in his home dir (see step 2).
5. Save user.sh and click "Start".
6. Any problems and crashes will be reflected in the log.
If you want audio output:
1. Compile and install driver from pcm_sparkle.tar.gz in your distribtion
2. cp 1.asoundrc ~/.asoundrc
If you have blinking problem, change upload_mode from 1 to 2 in settings. If you have bad performance, setting no_damage to true may help, but in most cases no_damage=false is better. Fastest upload mode is 0 (if it works).
If you don't trust me and don't want to give sparkle root permissions (I perfectly understand this) you don't have to. Also you can do without busybox.
But in this case, you need to understand and do a lot of things. Check sparkle's user.sh to get idea about what needs to be done. Basically:
1. You need to make /data/data/com.sion.sparkle/files accessible from inside chroot container. You can use bind bound.
2. Make sure you have tmpfs mounted over /tmp in container.
3. You may need to change selinux context on /tmp to match sparkle's context or disable SELinux.
4. You need to create new directory in /tmp, symlink sparkle's wayland socket from /data/data/com.sion.sparkle/files/wayland-0 to this dir. And export XDG_RUNTIME_DIR to point to this dir. Dir must be (ch)owned by user who will be running Xwayland and DE.
5. After all this, you can try to start Xwayland and your DE.
new version
New version
rgho.st/8Fbz64Rxj
Added x86 and x86_64 support. Actually it is rewritten almost from scratch but x86 support is the only thing others can notice...
Hello! This project is interesting. I tried you app and it works on my Xiaomi Redmi Note 4X(chromium and glmark from chrooted environment works very well)! Can you publish source code on Github, because it really interesting project?
Also I'm interested, please post it on github!
Did you put this up on github or move this thread? Looks very interesting.
1
Argh, sorry, I decided to abandon this project. You are free to delete thread. Also no copyleft-licensed components were used so I don't have to bother releasing sources.
Hentacler said:
Argh, sorry, I decided to abandon this project. You are free to delete thread. Also no copyleft-licensed components were used so I don't have to bother releasing sources.
Click to expand...
Click to collapse
Check your PM please!
1
Hello again.
For last two weeks I was rewriting it from scratch (yes. again... yes, third time).
Probably need another week to make it stable.
Currently I am not sure it runs on any device except my own 5-year old phone (LineageOS 14).
I will maintain last version here:
ftp://ftp.drivehq.com/mogryph/sparkle/
There is no English documentation, but you can see script "user.sh" to get idea about how to start xwayland. In most cases it should be enough to edit few lines in that script to make it work on another device. If you execute this script on your device with "install" argument, it is supposed to place itself into sparkle's directory and sparkle is supposed to run it ("start" function) automatically. Sparkle doesn't request root unless script does.
Here is video of sparkle working:
https://www.youtube.com/watch?v=tOSFYxCF7Q8
But it seems that KDE + video recording was too much for my old phone
Still, if you going to see video, don't close it until 2:00 where I turned of composition which caused lags.
Also on device everything looks much smoother than on video, even after 2:00.
When I watch fullscreen (1280x720) video on my device, sparkle + xwayland together add just 5% of CPU load (20% load of single core).
Thats it I guess... I tried to to discuss sparkle on 4pda.ru (russian forums), but got very bad reception. "xsdl is perfect, dont reinvent the wheel" they say. So I started to hate humanity and I decided to make sparkle personal project. Also this is last time I am solving reCAPTCHA to leave post on XDA.
Still alive
We are still alive. I've changed first post to reflect actual state. Now sparkle supports audio, auto-mouting containers and is lot more stable.
Yet there are still many things I want to improve in sparkle's core before adding new functions.
Also there are few demo videos on ftp.
Amazing!
Working great on my redmi 6 pro. Stock miui 9.9.3 rom. With linuxdeploy and sparkle from your ftp. No lag on visual and sound. My Linux distribution is alpinelinux arm64 arch.
Since first time I see your posting on 4pda. I'm interested in it. And finally it's on xda.
Thanks dev.
---------- Post added at 02:52 AM ---------- Previous post was at 02:44 AM ----------
For anyone interested in the topic. Please follow the instructions in documentation from ftp. And Translate it to eng from rus.
This sounds amazing! Just curious, is it related to https://github.com/twaik/sparkle ?
I now have it working very well on my Samsung Tab S3 using Xwayland and a tiling window manager. Firefox runs amazingly well!
Is it meant to be used only with Xwayland or will it also work with native Wayland applications?
BTW, I think if you open sourced this project and promoted it a bit, it could become quite popular. It's basically the first way to run X11 GUI applications on Android devices at full speed. If you set up a donation link, you could also get compensated for your time and effort. I'll personally contribute $20 if it's open sourced, and I'm sure others will chip in as well.
robsmith11 said:
This sounds amazing! Just curious, is it related to https://github.com/twaik/sparkle ?
Click to expand...
Click to collapse
Thanks for feedback. Nice to hear that someone managed to start this thing
Twaik's repository is clone of my very very old version of sparkle. I made that version years ago when I was just starting to learn linux and C++. Sparkle was rewritten from scratch two or three times since that version. And (I believe) current version is much better.
Regarding making it open source... Few months ago I had to find real job. Can't spend much time on personal projects any more. But I have my own strange programming style and my own vision of what sparkle should be. Not sure I want others to paint on my picture. It's probably all because of Twaik! I hate how he used old open source version of sparkle. He did terrible things to it, outraging all my beliefs Sorry!
P.S.: Yesterday I've uploaded another apk to my ftp. The file is called "sparkle-testing.apk". This version is much newer and has many fixes. But I've also changed to many things since tested version including some fundamental changes. No guarantee it will run at all on other devices. Interest is mega low and I get no test reports at all.
Hi Hentacler, I've just found your project - it looks really promising. Unfortunately, the only link currently working on this thread is to github. Is this project still live?
I have a samsung galaxy note 10+, and am using it as a laptop replacement. In addition to the android apps using Samsung Dex (Samsung's desktop solution), I have several linux distributions installed inside a chroot using userLand - so far, its working great. I'd be keen to give you project a try if it's still live, and am happy to help out with testing from my device.
Re open source - while I like your project, I'm not super interested in investing time into something that's not open sourced - I appreciate your concerns about wanting to maintain the direction, but having transparent development is pretty important to me. Is Twaik's fork of your project a better place to go?
Cheers.
tillum said:
Hi Hentacler, I've just found your project - it looks really promising. Unfortunately, the only link currently working on this thread is to github. Is this project still live?
I have a samsung galaxy note 10+, and am using it as a laptop replacement. In addition to the android apps using Samsung Dex (Samsung's desktop solution), I have several linux distributions installed inside a chroot using userLand - so far, its working great. I'd be keen to give you project a try if it's still live, and am happy to help out with testing from my device.
Re open source - while I like your project, I'm not super interested in investing time into something that's not open sourced - I appreciate your concerns about wanting to maintain the direction, but having transparent development is pretty important to me. Is Twaik's fork of your project a better place to go?
Cheers.
Click to expand...
Click to collapse
ftp://ftp.drivehq.com/mogryph/sparkle/
Link to FTP should work and there you can get two versions:
sparkle.apk - old version, but confirmed to work by 3-4 people.
sparkle-testing.apk - latest version, but only briefly tested by me.
I don't ask anyone to invest anything... Sparkle doesn't request root access or any other dangerous permissions (unless you enable automatic container mounting and starting) so it's safe to try for anyone who wants.
Btw, somewhere between these two versions I've replaced BASH container initialization script with LUA version. That was probably a bad idea. LUA script is harder to start directly as root and hacks I used may not work (currently may even cause application freeze if root access is denied). Going to revert to BASH probably. But this only touches people who want sparkle to mount container and launch everything automatically on single button press.
p.s.: Why I need to solve captcha every time I post something?
Thanks for the new release! I've updated and everything seems to be working without any changes on my Samsung Tab S3 with chroot and Arch Arm Linux.
Your changes also solved the flickering for me! The old version would flicker the screen whenever my keyboard's trackpoint activated, but it's not flickering at all any more. Performance seems to be about the same.
I think this could be quite popular, but not many people know about it. Perhaps a post on Hacker News or Reddit would raise awareness.
I understand your position on open source and maintaining control. One idea if you haven't already considered it is releasing the code with a restrictive license that forbids any forks. But either way, I'm enjoying being to properly use X11 on my tablet.
BTW, have you tried any native Wayland compositors? I don't really understand the Wayland ecosystem that well. I gave Sway a brief try, but it didn't seem to work. I've only been using XWayland.
@Hentacler Thanks for your reply! Very keen to get this working, but having a few issues. I'm unsure how to configure the user.lua file - I'm using your latest apk.
I have a non-rooted device, and am running archlinux under termux. Works fine with xsdl. I have installed xorg-server-wayland for X11. I'd appreciate any advice you have.
@robsmith11 Are you able to share how you got this working on Arch? Thanks!!!!
tillum said:
@Hentacler Thanks for your reply! Very keen to get this working, but having a few issues. I'm unsure how to configure the user.lua file - I'm using your latest apk.
I have a non-rooted device, and am running archlinux under termux. Works fine with xsdl. I have installed xorg-server-wayland for X11. I'd appreciate any advice you have.
@robsmith11 Are you able to share how you got this working on Arch? Thanks!!!!
Click to expand...
Click to collapse
I am not sure it is possible to use sparkle without root...
Sparkle makes it's directory accessible for everyone (chmod 777). Before Android 8 or 9 this was enough and xwayland from termux was able to connect to sparkle. Here is how people used to start it:
export XDG_RUNTIME_DIR=/data/data/com.sion.sparkle/files
Xwayland
But newer versions of Android brought more restrictions and termux can no longer connect to sparkle. These new restrictions are implemented using SELinux if you know what it is. Applications now have different security contexts.
But that is not all. Newest versions of android brought even more terrible meaningless restrictions effectively "killing" applications like termux and many others.
In short, from now one applications are not allowed to execute code (binary) that comes from "untrusted" sources. Termux used to download a lot of such code from it's own repositories. And now it can't. We can't even unpack binaries from assets.
So I can only help with rooted devices.
P.S. Please forgive me, but I am leaving this website. Making people solve recaptcha every time they want to post something is unacceptable level of contempt.
My mail: [email protected]
Thanks for that, will have a play. I could always just root my device. Weird about recaptcha, not having this issue. Currently through termux I have access to the whole sdcard, and am able to download packages (and distros) in it - will have a play and see what else is possible.
@tillum
I basically just followed the instructions on the first post for using Sparkle without busybox. I didn't need to modify the Lua scripts.
I'm guessing SELinux may be a problem without root. I'll try setting it up without root when I have a chance later.

Categories

Resources