Heya,
I compiled a version of AOSP 2.3.4 for the HTC Desire HD; I used the vendor files for Ace from CyanogenMod, plus edited the different android.mk files needed for it to compile (LOCAL_MODULE_TAGS), plus integrated ChainsDD's superuser.apk. And I used common.py from CyanogenMod, otherwise it stops the build while making the OTA package or update package with a reference to recovery.fstab being malformed.
But... no matter what I do, it crashes on boot. I have tried building it on Ubuntu 10.04, and then installed openSUSE 11.4 x64 and started from scratch. Still no dice.
I built CyanogenMod from source without any problems; it compiled and ran without a problem, but I want to make a pure AOSP build, plus whatever alterations I decide on once it's working.
I'm really sorry if this is the wrong forum, but I just started poking around in here, and this seemed like the most logical place to post this.
Here is the output from logcat:
Code:
./adb logcat
- waiting for device -
--------- beginning of /dev/log/system
I/Vold ( 1179): Vold 2.1 (the revenge) firing up
D/Vold ( 1179): Volume sdcard state changing -1 (Initializing) -> 0 (No-Media)
D/Vold ( 1179): Volume sdcard state changing 0 (No-Media) -> 2 (Pending)
D/Vold ( 1179): Volume sdcard state changing 2 (Pending) -> 1 (Idle-Unmounted)
D/Vold ( 1179): USB connected
D/Vold ( 1179): Share method ums now available
--------- beginning of /dev/log/main
I/DEBUG ( 1181): debuggerd: Jun 14 2011 12:36:01
I/Netd ( 1180): Netd 1.0 starting
I/rmt_storage( 1190): rmt_storage user app start
I/rmt_storage( 1190): rmt_storage open success
I/rmt_storage( 1190): rmt_storage shared memory ioctl success
I/rmt_storage( 1190): rmt_storage mmap addr = 40009000
E/HtcEbdLog( 1255): /system/bin/logcat2
E/HtcEbdLog( 1255): -v
E/HtcEbdLog( 1255): time
E/HtcEbdLog( 1255): -f
E/HtcEbdLog( 1255): /devlog/system_log
E/HtcEbdLog( 1255): -r
E/HtcEbdLog( 1255): 1024
E/HtcEbdLog( 1255): -n
E/HtcEbdLog( 1255): 50
E/HtcEbdLog( 1255): *:w
E/HtcEbdLog( 1255):
E/HtcEbdLog( 1192): [htc_edblog_kmsg_main] g_outByteCount = 598016
D/AK8975 ( 1189): AK8975 daemon 1.0.8 Start
D/AK8975 ( 1189): (Library version : 1.2.1.1125)
I/recovery( 1257): Recovery image already installed
D/AndroidRuntime( 1183):
D/AndroidRuntime( 1183): >>>>>> AndroidRuntime START com.android.internal.os.ZygoteInit <<<<<<
D/AndroidRuntime( 1183): CheckJNI is OFF
D/dalvikvm( 1183): creating instr width table
I/SamplingProfilerIntegration( 1183): Profiler is disabled.
I/Zygote ( 1183): Preloading classes...
E/Zygote ( 1183): setreuid() failed. errno: 2
D/dalvikvm( 1183): GC_EXPLICIT freed 47K, 78% free 235K/1024K, external 0K/0K, paused 2ms
D/dalvikvm( 1183): GC_EXPLICIT freed 1K, 73% free 285K/1024K, external 0K/0K, paused 2ms
D/dalvikvm( 1183): GC_EXPLICIT freed 20K, 69% free 318K/1024K, external 0K/0K, paused 2ms
I/bluetooth_ScoSocket.cpp( 1183): Entry name = MY-CAR ScoTypes = 0x7f
I/bluetooth_ScoSocket.cpp( 1183): Entry name = Motorola HF850 ScoTypes = 0x7
D/dalvikvm( 1183): GC_EXPLICIT freed 17K, 66% free 356K/1024K, external 0K/0K, paused 3ms
D/dalvikvm( 1183): GC_EXPLICIT freed 26K, 63% free 384K/1024K, external 0K/0K, paused 3ms
D/dalvikvm( 1183): GC_EXPLICIT freed 22K, 57% free 443K/1024K, external 0K/0K, paused 2ms
F/MediaProfiles( 1183): frameworks/base/media/libmedia/MediaProfiles.cpp:283 quality != -1
I/DEBUG ( 1181): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 1181): Build fingerprint: 'generic/htc_ace/ace:2.3.4/GINGERBREAD/eng.jespersp.20110614.122525:userdebug/test-keys'
I/DEBUG ( 1181): pid: 1183, tid: 1183 >>> zygote <<<
I/DEBUG ( 1181): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad
I/DEBUG ( 1181): r0 00000027 r1 deadbaad r2 40000000 r3 00000000
I/DEBUG ( 1181): r4 00000001 r5 00000000 r6 00000000 r7 ffffffff
I/DEBUG ( 1181): r8 00000000 r9 000a69b8 10 000a87e3 fp 000a6ad8
I/DEBUG ( 1181): ip afd46668 sp be9ffe88 lr afd191d9 pc afd15ca4 cpsr 60000030
I/DEBUG ( 1181): d0 3338323a70706320 d1 7974696c61757121
I/DEBUG ( 1181): d2 616964654d2f613d d3 73656c69666f7220
I/DEBUG ( 1181): d4 2020202020202020 d5 6c656e6e61686320
I/DEBUG ( 1181): d6 3e2f202231223d73 d7 202020202020200a
I/DEBUG ( 1181): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 1181): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 1181): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 1181): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 1181): d16 4214cec44005add8 d17 3fe999999999999a
I/DEBUG ( 1181): d18 0000000000000000 d19 0000000000000000
I/DEBUG ( 1181): d20 0000000000000000 d21 0000000000000000
I/DEBUG ( 1181): d22 0000000000000000 d23 0000000000000000
I/DEBUG ( 1181): d24 0000000000000000 d25 0000000000000000
I/DEBUG ( 1181): d26 0000000000000000 d27 0000000000000000
I/DEBUG ( 1181): d28 0000000000000000 d29 0000000000000000
I/DEBUG ( 1181): d30 0000000000000000 d31 0000000000000000
I/DEBUG ( 1181): scr 20000010
I/DEBUG ( 1181):
I/DEBUG ( 1181): #00 pc 00015ca4 /system/lib/libc.so
I/DEBUG ( 1181): #01 pc 0000143a /system/lib/liblog.so
I/DEBUG ( 1181): #02 pc 00042bd2 /system/lib/libmedia.so
I/DEBUG ( 1181): #03 pc 00043256 /system/lib/libmedia.so
I/DEBUG ( 1181): #04 pc 000059da /system/lib/libexpat.so
I/DEBUG ( 1181): #05 pc 00005f7c /system/lib/libexpat.so
I/DEBUG ( 1181): #06 pc 000020f0 /system/lib/libexpat.so
I/DEBUG ( 1181): #07 pc 0004292a /system/lib/libmedia.so
I/DEBUG ( 1181): #08 pc 00042a36 /system/lib/libmedia.so
I/DEBUG ( 1181): #09 pc 00009b34 /system/lib/libmedia_jni.so
I/DEBUG ( 1181): #10 pc 00011e34 /system/lib/libdvm.so
I/DEBUG ( 1181): #11 pc 00043646 /system/lib/libdvm.so
I/DEBUG ( 1181): #12 pc 00017034 /system/lib/libdvm.so
I/DEBUG ( 1181): #13 pc 0001c0e4 /system/lib/libdvm.so
I/DEBUG ( 1181): #14 pc 0001afdc /system/lib/libdvm.so
I/DEBUG ( 1181): #15 pc 00059c40 /system/lib/libdvm.so
I/DEBUG ( 1181): #16 pc 00059e54 /system/lib/libdvm.so
I/DEBUG ( 1181): #17 pc 00065446 /system/lib/libdvm.so
I/DEBUG ( 1181): #18 pc 00065958 /system/lib/libdvm.so
I/DEBUG ( 1181): #19 pc 0005ef12 /system/lib/libdvm.so
I/DEBUG ( 1181): #20 pc 00060c1e /system/lib/libdvm.so
I/DEBUG ( 1181): #21 pc 00017034 /system/lib/libdvm.so
I/DEBUG ( 1181): #22 pc 0001c0e4 /system/lib/libdvm.so
I/DEBUG ( 1181): #23 pc 0001afdc /system/lib/libdvm.so
I/DEBUG ( 1181): #24 pc 00059c40 /system/lib/libdvm.so
I/DEBUG ( 1181): #25 pc 00046126 /system/lib/libdvm.so
I/DEBUG ( 1181): #26 pc 00032556 /system/lib/libandroid_runtime.so
I/DEBUG ( 1181): #27 pc 00033402 /system/lib/libandroid_runtime.so
I/DEBUG ( 1181): #28 pc 00008cca /system/bin/app_process
I/DEBUG ( 1181): #29 pc 00014b52 /system/lib/libc.so
I/DEBUG ( 1181):
I/DEBUG ( 1181): code around pc:
I/DEBUG ( 1181): afd15c84 2c006824 e028d1fb b13368db c064f8df
I/DEBUG ( 1181): afd15c94 44fc2401 4000f8cc 49124798 25002027
I/DEBUG ( 1181): afd15ca4 f7f57008 2106ec7c edd8f7f6 460aa901
I/DEBUG ( 1181): afd15cb4 f04f2006 95015380 95029303 e93ef7f6
I/DEBUG ( 1181): afd15cc4 462aa905 f7f62002 f7f5e94a 2106ec68
I/DEBUG ( 1181):
I/DEBUG ( 1181): code around lr:
I/DEBUG ( 1181): afd191b8 4a0e4b0d e92d447b 589c41f0 26004680
I/DEBUG ( 1181): afd191c8 686768a5 f9b5e006 b113300c 47c04628
I/DEBUG ( 1181): afd191d8 35544306 37fff117 6824d5f5 d1ef2c00
I/DEBUG ( 1181): afd191e8 e8bd4630 bf0081f0 00028344 ffffff88
I/DEBUG ( 1181): afd191f8 b086b570 f602fb01 9004460c a804a901
I/DEBUG ( 1181):
and then it starts over from
I/Netd ( 1259): Netd 1.0 starting
In case it's a stupid newbie mistake, I apologize profusely... please don't kill me.
And if you need more information, please let me know, and I'll post it as quickly as I can.
Thanks!
jespersp
Small (non)update...
I tried flashing a different kernel on top of the ROM to see if my mistake was with the kernel, but it didn't do squat, no change at all in the logcat... bleh
jespersp
Well, silly me, I DID post this in the wrong forum. Sorry!
I'm remaking the post in the kitchen instead.
If a mod could please delete this, I would be grateful.
Thanks!
Jespersp
Hi,
I tried to port a ROM, but it won't boot properly.
Here is the last part of the logcat, where it stops:
Code:
I/SystemServer( 351): Battery Service
I/SystemServer( 351): Hardware Service
I/SystemServer( 351): Alarm Manager
I/SystemServer( 351): Init Watchdog
I/SystemServer( 351): Sensor Service
I/SystemServer( 351): Starting Gesture Service.
I/SystemServer( 351): Window Manager
I/SystemServer( 351): Bluetooth Service
I/KeyInputQueue( 351): Device added: id=0x10003, name=h2w headset, classes=1
I/KeyInputQueue( 351): Device added: id=0x10002, name=synaptics-rmi-touchscreen, classes=14
I/KeyInputQueue( 351): X: min=80 max=3400 flat=0 fuzz=0
I/KeyInputQueue( 351): Y: min=32 max=5336 flat=0 fuzz=0
I/KeyInputQueue( 351): Pressure: min=0 max=255 flat=0 fuzz=0
I/KeyInputQueue( 351): Size: min=0 max=15 flat=0 fuzz=0
I/KeyInputQueue( 351): No virtual keys found
I/KeyInputQueue( 351): Device added: id=0x10001, name=trout-nav, classes=8
I/KeyInputQueue( 351): Device added: id=0x0, name=trout-keypad-v3, classes=3
I/DEBUG ( 525): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 525): Build fingerprint: 'google/kila/dream/trout:2.1/ERD79/22607:user/release-keys'
I/DEBUG ( 525): pid: 351, tid: 361 >>> system_server <<<
I/DEBUG ( 525): signal 11 (SIGSEGV), fault addr ffffefbb
I/DEBUG ( 525): r0 ffffefbb r1 ffffffff r2 4a34fa9c r3 00000003
I/DEBUG ( 525): r4 ffffffff r5 00000003 r6 4a34f874 r7 00000000
I/DEBUG ( 525): r8 4a34fb78 r9 4269bedc 10 4269bec4 fp 4a34fed8
I/DEBUG ( 525): ip 80000000 sp 4a34f7e0 lr afe162d1 pc afe0e8c8 cpsr 20000010
I/DEBUG ( 525): #00 pc 0000e8c8 /system/lib/libc.so
I/DEBUG ( 525): #01 pc 000162ce /system/lib/libc.so
I/DEBUG ( 525): #02 pc 00014b3a /system/lib/libc.so
I/DEBUG ( 525): #03 pc 00000882 /system/lib/libbluedroid.so
I/DEBUG ( 525): #04 pc 00000950 /system/lib/libbluedroid.so
I/DEBUG ( 525): #05 pc 00052674 /system/lib/libandroid_runtime.so
I/DEBUG ( 525): #06 pc 00011cb4 /system/lib/libdvm.so
I/DEBUG ( 525): #07 pc 0003cb64 /system/lib/libdvm.so
I/DEBUG ( 525): #08 pc 00016c78 /system/lib/libdvm.so
I/DEBUG ( 525): #09 pc 0001d3d0 /system/lib/libdvm.so
I/DEBUG ( 525): #10 pc 0001c274 /system/lib/libdvm.so
I/DEBUG ( 525): #11 pc 00051ece /system/lib/libdvm.so
I/DEBUG ( 525): #12 pc 000520d2 /system/lib/libdvm.so
I/DEBUG ( 525): #13 pc 000469d2 /system/lib/libdvm.so
I/DEBUG ( 525): #14 pc 000102d0 /system/lib/libc.so
I/DEBUG ( 525): #15 pc 0000fd90 /system/lib/libc.so
I/DEBUG ( 525):
I/DEBUG ( 525): code around pc:
I/DEBUG ( 525): afe0e8b8 f5d0f000 f5d0f020 e58d0004 0a000010
I/DEBUG ( 525): afe0e8c8 e5d03000 e3530000 12802001 158d2004
I/DEBUG ( 525): afe0e8d8 13a03000 1a000005 ea00003e e7d01003
I/DEBUG ( 525):
I/DEBUG ( 525): code around lr:
I/DEBUG ( 525): afe162c0 4288900b 910bdd05 9809e003 eaf0f7f8
I/DEBUG ( 525): afe162d0 466b900b 33ff3320 9c122100 91057019
I/DEBUG ( 525): afe162e0 e17a9112 96102210 9105930a 43179e09
I/DEBUG ( 525):
I/ASIF ( 351): AMSettingsHelper.getValue(Broadcast_Timeout) = 60000
I/ASIF ( 351): AMSettingsHelper.getValue(Launch_Timeout) = 10000
I/ASIF ( 351): AMSettingsHelper.getValue(Idle_Timeout) = 10000
I/ASIF ( 351): AMSettingsHelper.getValue(Service_Timeout) = 20000
I/ASIF ( 351): AMSettingsHelper.getValue(Proc_Start_Timeout) = 10000
I/ASIF ( 351): AMSettingsHelper.getValue(GC_Timeout) = 5000
I/ASIF ( 351): AMSettingsHelper.getValue(Pause_Timeout) = 500
I/ASIF ( 351): AMSettingsHelper.getValue(Destroy_Timeout) = 10000
I/ASIF ( 351): AMSettingsHelper.getValue(KeyDispatching_Timeout) = 60000
E/installd( 327): eof
E/installd( 327): failed to read size
I/installd( 327): closing connection
If somebody wants to have this ROM to find the error, I can send it to him.
Okay... over 100 views and no answer...
Here is the ROM to test: http://www.multiupload.com/1HRUC99PJT
This is a Motorola Backflip 2.1 port.
You will need a 135M MTD, and after flashing, the boot patch must be applied...
Maybe then someone can help me...
To fix the problem, all you need is some luck by taking the AOSP dalvikvm and runtime libs and replacing them lol
Can you tell me which libs? All or just some?
dalvikvm.so
libandroid_runtime.so
system/bin/dalvikvm
Hello,
I got a One XL (Asia version); when I tried to change the default font on it, my phone wouldn't work anymore.
I was just changing:
/system/fonts/DroidSans-Bold.ttf
/system/fonts/DroidSansFallback.ttf
My device is rooted. After replacing the files and making a backup, I tried to reboot, and the phone won't boot up again; it's stuck on the "HTC logo". adb still works, but the problem still exists when I copy the backed-up files back to /system/fonts (via adb); I still can't get into the system.
I tried logcat, and I found this:
Code:
W/Zygote ( 645): Class not found for preloading: android.graphics.Bitmap$2
F/libc ( 645): Fatal signal 11 (SIGSEGV) at 0x0000000c (code=1)
I/DEBUG ( 182): handle_crashing_process(8)
I/DEBUG ( 182): reading tid
I/DEBUG ( 182): BOOM: pid=645 uid=9999 gid=9999 tid=645
I/DEBUG ( 182): not ready yet
I/DEBUG ( 182): waitpid: n=645 status=0000137f
I/DEBUG ( 182): stopped -- continuing
I/DEBUG ( 182): not ready yet
I/DEBUG ( 182): waitpid: n=645 status=00000b7f
I/DEBUG ( 182): stopped -- fatal signal
I/DEBUG ( 182): debuggerd: 2012-07-12 21:42:34
I/DEBUG ( 182): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 182): Build fingerprint: 'htc_asia_hk/evita/evita:4.0.3/IML74K/57351.3:user/release-keys'
I/DEBUG ( 182): pid: 645, tid: 645 >>> zygote <<<
I/DEBUG ( 182): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000000c
I/DEBUG ( 182): r0 00000000 r1 00000001 r2 00000000 r3 00000000
I/DEBUG ( 182): r4 01403400 r5 40776894 r6 01403840 r7 013fd920
I/DEBUG ( 182): r8 00000000 r9 01403840 10 00000002 fp 01403f50
I/DEBUG ( 182): ip 00000008 sp befbe458 lr 000d874c pc 4069e11c cpsr 60000010
I/DEBUG ( 182): d0 6c00610074004952 d1 0042020c0040026f
I/DEBUG ( 182): d2 0046020d00440262 d3 004a020d0048026f
I/DEBUG ( 182): d4 0029010800280108 d5 00300410002c0410
I/DEBUG ( 182): d6 0038041000340410 d7 003d0108003c0108
I/DEBUG ( 182): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 182): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 182): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 182): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 182): d16 d648c34d40abae50 d17 41274f0000000000
I/DEBUG ( 182): d18 41cb27cdb1800000 d19 0000000000000000
I/DEBUG ( 182): d20 0000000000000000 d21 0000000000000000
I/DEBUG ( 182): d22 0000000000000000 d23 0000000000000000
I/DEBUG ( 182): d24 0000000000000000 d25 0000000000000000
I/DEBUG ( 182): d26 0000000000000000 d27 0000000000000000
I/DEBUG ( 182): d28 0000000000000000 d29 0000000000000000
I/DEBUG ( 182): d30 0000000000000000 d31 0000000000000000
I/DEBUG ( 182): scr 80000010
I/DEBUG ( 182):
I/DEBUG ( 182): #00 pc 0005511c /system/lib/libskia.so
I/DEBUG ( 182): #01 pc 000555d4 /system/lib/libskia.so (_ZN10SkFontHost14CreateTypefaceEPK10SkTypefacePKcPKvjNS0_5StyleE)
I/DEBUG ( 182): #02 pc 000a1b4c /system/lib/libskia.so (_ZN10SkTypeface14CreateFromNameEPKcNS_5StyleE)
I/DEBUG ( 182): #03 pc 00077dc0 /system/lib/libandroid_runtime.so
I/DEBUG ( 182): #04 pc 0001fcf0 /system/lib/libdvm.so (dvmPlatformInvoke)
I/DEBUG ( 182): #05 pc 0005aeec /system/lib/libdvm.so (_Z16dvmCallJNIMethodPKjP6JValuePK6MethodP6Thread)
I/DEBUG ( 182):
I/DEBUG ( 182): code around pc:
I/DEBUG ( 182): 4069e0fc e3580000 0a000002 e598c004 e154000c ..X...........T.
I/DEBUG ( 182): 4069e10c 1afffff0 e088c10a e59fe3b8 e1a09006 ................
I/DEBUG ( 182): 4069e11c e58c6004 e08f000e ebff8054 e59f33a8 .`......T....3..
I/DEBUG ( 182): 4069e12c e59d2020 e7920003 e2801008 e4891014 ..............
I/DEBUG ( 182): 4069e13c e1a00009 ebff9801 e59d0014 ebff97ff ................
I/DEBUG ( 182):
I/DEBUG ( 182): code around lr:
I/DEBUG ( 182): 000d872c ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG ( 182): 000d873c ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG ( 182): 000d874c ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG ( 182): 000d875c ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG ( 182): 000d876c ffffffff ffffffff ffffffff ffffffff ................
I/DEBUG ( 182):
I/DEBUG ( 182): stack:
I/DEBUG ( 182): befbe418 00000002
I/DEBUG ( 182): befbe41c 400d7d11 /system/lib/libc.so
I/DEBUG ( 182): befbe420 014036f0 [heap]
I/DEBUG ( 182): befbe424 01403400 [heap]
I/DEBUG ( 182): befbe428 40776894
I/DEBUG ( 182): befbe42c 01403f50 [heap]
I/DEBUG ( 182): befbe430 013fd920 [heap]
I/DEBUG ( 182): befbe434 00013000
I/DEBUG ( 182): befbe438 01403400 [heap]
I/DEBUG ( 182): befbe43c 40776894
I/DEBUG ( 182): befbe440 01403840 [heap]
I/DEBUG ( 182): befbe444 013fd920 [heap]
I/DEBUG ( 182): befbe448 40772ce0 /system/lib/libskia.so
I/DEBUG ( 182): befbe44c 000d87cc
I/DEBUG ( 182): befbe450 df0027ad
I/DEBUG ( 182): befbe454 00000000
I/DEBUG ( 182): #00 befbe458 40b56ae0 /dev/ashmem/dalvik-heap (deleted)
I/DEBUG ( 182): befbe45c 00000000
I/DEBUG ( 182): befbe460 01403420 [heap]
I/DEBUG ( 182): befbe464 01403880 [heap]
I/DEBUG ( 182): befbe468 00000010
I/DEBUG ( 182): befbe46c befbe4e4 [stack]
I/DEBUG ( 182): befbe470 befbe4a4 [stack]
I/DEBUG ( 182): befbe474 00000002
I/DEBUG ( 182): befbe478 4077513c /system/lib/libskia.so
I/DEBUG ( 182): befbe47c 013fd910 [heap]
I/DEBUG ( 182): befbe480 befbe4e8 [stack]
I/DEBUG ( 182): befbe484 40776894
I/DEBUG ( 182): befbe488 fffff9f4
I/DEBUG ( 182): befbe48c 000d85b0
I/DEBUG ( 182): befbe490 01403400 [heap]
I/DEBUG ( 182): befbe494 407768a4
I/DEBUG ( 182): befbe498 fffffb7c
I/DEBUG ( 182): befbe49c 00000000
I/DEBUG ( 182): befbe4a0 40b56b18 /dev/ashmem/dalvik-heap (deleted)
I/DEBUG ( 182): befbe4a4 40774158 /system/lib/libskia.so
I/DEBUG ( 182): befbe4a8 00000001
I/DEBUG ( 182): befbe4ac 4f81b000
I/DEBUG ( 182): befbe4b0 00013000
I/DEBUG ( 182): befbe4b4 00000000
I/DEBUG ( 182): befbe4b8 40b56b00 /dev/ashmem/dalvik-heap (deleted)
I/DEBUG ( 182): befbe4bc ffffffff
I/DEBUG ( 182): befbe4c0 4f81b000
I/DEBUG ( 182): befbe4c4 00013000
I/DEBUG ( 182): befbe4c8 012fdc40 [heap]
I/DEBUG ( 182): befbe4cc 40928da0
I/DEBUG ( 182): befbe4d0 40b56aa8 /dev/ashmem/dalvik-heap (deleted)
I/DEBUG ( 182): befbe4d4 408e587f /system/lib/libdvm.so
I/DEBUG ( 182): befbe4d8 00000000
I/DEBUG ( 182): befbe4dc 00000000
I/DEBUG ( 182): befbe4e0 00000000
I/DEBUG ( 182): befbe4e4 014036f0 [heap]
I/DEBUG ( 182): befbe4e8 01402520 [heap]
I/DEBUG ( 182): befbe4ec 00ac9410
I/DEBUG ( 182): befbe4f0 befbe4f8 [stack]
I/DEBUG ( 182): befbe4f4 00000007
I/DEBUG ( 182): befbe4f8 64726576
I/DEBUG ( 182): befbe4fc 00616e61
I/DEBUG ( 182): befbe500 40000061
I/DEBUG ( 182): befbe504 012ffd20 [heap]
I/DEBUG ( 182): befbe508 40922068 /system/lib/libdvm.so
I/DEBUG ( 182): befbe50c 40247f4a /system/lib/libandroid_runtime.so
I/DEBUG ( 182): befbe510 40ac9410 /dev/ashmem/dalvik-heap (deleted)
I/DEBUG ( 182): befbe514 012ffd20 [heap]
I/DEBUG ( 182): befbe518 40922068 /system/lib/libdvm.so
I/DEBUG ( 182): befbe51c 408e12e1 /system/lib/libdvm.so
I/DEBUG ( 182): befbe520 00000010
I/DEBUG ( 182): befbe524 00000030
I/DEBUG ( 182): befbe528 00000001
I/DEBUG ( 182): befbe52c 0133a658 [heap]
I/DEBUG ( 182): befbe530 40922068 /system/lib/libdvm.so
I/DEBUG ( 182): befbe534 013a95d8 [heap]
I/DEBUG ( 182): befbe538 40ac9410 /dev/ashmem/dalvik-heap (deleted)
I/DEBUG ( 182): befbe53c d648c34d
I/DEBUG ( 182): befbe540 40aa5018 /dev/ashmem/dalvik-heap (deleted)
I/DEBUG ( 182): befbe544 4bd3cdc8 /dev/ashmem/dalvik-LinearAlloc (deleted)
I/DEBUG ( 182): befbe548 00000000
I/DEBUG ( 182): befbe54c 00000000
I/DEBUG ( 182): befbe550 48aa8e58
I/DEBUG ( 182): befbe554 befbe5a8 [stack]
I/DEBUG ( 182): befbe558 48aa8e50
I/DEBUG ( 182): befbe55c 4d120a68 /system/framework/framework.odex
I/DEBUG ( 182): befbe560 befbe5bc [stack]
I/DEBUG ( 182): befbe564 4069e5d8 /system/lib/libskia.so
I/DEBUG ( 182): #01 befbe568 4bd3cdc8 /dev/ashmem/dalvik-LinearAlloc (deleted)
I/DEBUG ( 182): befbe56c 00000000
I/DEBUG ( 182): befbe570 00000004
I/DEBUG ( 182): befbe574 406eab50 /system/lib/libskia.so
I/DEBUG ( 182): detaching
I/DEBUG ( 182): waiting for connection
I/ServiceManager( 179): service 'media.audio_flinger' died
I/ServiceManager( 179): service 'media.player' died
I/ServiceManager( 179): service 'media.camera' died
I/ServiceManager( 179): service 'media.audio_policy' died
This error keeps recurring; it seems that the system server died(?)
The only way to recover is to flash my phone using the RUU.
Any solutions? I tried three times, and the error is the SAME (lol, I flashed my phone 3 times and lost all apps and data..)
Anyone have this issue?
Just use font changer from the market.
I'm using the Windows Phone 8 font, works great
Sent from my HTC One X using xda app-developers app
shawn1224 said:
Just use font changer from the market.
I'm using windows phone 8 font, works great
Thanks, finally, it works!
I hope that with this thread we are able to gain system privileges with the help of CVE-2015-1474.
To begin with, I will try to write down what I have found. This is just a compilation of information, so it might look mixed up.
The class GraphicBuffer is utilized by the system service SurfaceFlinger. My current understanding is that the vulnerable method "unflatten" is used to create a GraphicBuffer object from raw data that is sent to the service by IPC using Binder. A forged message might most easily be supplied via adb shell using this command
Code:
[email protected]:/ $ service call SurfaceFlinger ...
I am not sure yet how the parcel eventually gets to the GraphicBuffer. It is a lot of code and I do not understand the low-level graphics system of Android yet. The IGraphicBufferConsumer interface has a subclass BufferItem which also has an unflatten method, which will call unflatten on GraphicBuffer. My gut tells me that the Parcel class is also involved in that process, but I'm not sure how yet.
One important piece of information that I'm still missing is how the unflattened data is used in the further processing of SurfaceFlinger. I don't think it is possible to freely write in the memory of SurfaceFlinger with this bug. There are still a lot of sanity checks to come by.
This could also affect how we have to implement the communication with SurfaceFlinger. Maybe it's also possible with some forged objects and a SurfaceView.
Maybe together we are able to bring some light into this. A little bump in the right direction might help.
Phate123 said:
I hope that with this thread we are able to gain system privileges with the help of CVE-2015-1474.
Take a look at the thread below. It looks like there is already some research being done, but I can't quite get my head around whether they are on the right track. This might help us get going in the right direction though.
http://forum.xda-developers.com/not.../rd-rooting-n910a-n910v-models-t3042045/page6
awinston said:
Take a look at the thread below. It looks like there is already some research being done, but I can't quite get my head around whether they are on the right track. This might help us get going in the right direction though.
http://forum.xda-developers.com/not.../rd-rooting-n910a-n910v-models-t3042045/page6
Good news ( @Phate123, @awinston )! I have managed to crash the surfaceflinger on 4.5.2 (should also work on 4.5.3).
I'll upload the code on github, but first I want to briefly explain how I did it.
In Android everything that is a graphical element is represented by a GraphicBuffer.
GraphicBuffers are wrapped in BufferItems and managed by BufferQueues.
Each queue has two sides, a producer side (IGraphicBufferProducer) and a consumer side (IGraphicBufferConsumer). In the basic scenario an app is the producer and the surfaceflinger is the consumer. These are obviously two different processes, but both must use the same BufferQueue.
BufferQueues are always created and owned by the consumers and consequently live in the same address space as the consumer. Producers must go through Binder to access their side of the queue.
As with everything in Android, the BufferQueue provides the same interface for both native (in the same process) and remote usage. The remote interface is implemented by a proxy that communicates through Binder with the other side.
In Android KK, BufferQueue implements the native side of the interface for both the producer (BnGraphicBufferProducer) and the consumer (BnGraphicBufferConsumer). These native implementations must provide a handler (onTransact) for requests that come from the remote proxies.
You can read more at https://source.android.com/devices/graphics/architecture.html.
Naturally, the first idea that comes into mind is to attack the native implementations of the BufferQueue that reside in the surfaceflinger. As the bug is in the unflatten routine of GraphicBuffer, we would like to craft a rogue parcel that represents a GraphicBuffer and then wait for the surfaceflinger to choke with it.
Unfortunately, from my findings, the bugged unflatten method is not called from the onTransact handler in the native implementations.
Only the proxy implementations seem to be a valid target, through BpGraphicBufferProducer::requestBuffer and BpGraphicBufferConsumer::acquireBuffer. Now we have a problem: as the BufferQueue resides in the surfaceflinger, there is no proxy implementation to attack.
Our only hope is to somehow create the BufferQueue in our process, so that we are the consumers, and use the surfaceflinger as the producer. This way the surfaceflinger would be accessing the BufferQueue through the bugged proxy (BpGraphicBufferProducer::requestBuffer). One way to use the surfaceflinger as a producer is to make screen captures.
I found the screencap command to be a very nice starting point to tinker with the idea, as it does exactly what we wanted: it uses the surfaceflinger as a producer and pulls screen captures from it. Next I only had to hook the vtable entry of BpGraphicBufferProducer::onTransact.
Now we have to control the overflow in GraphicBuffer::unflatten.
p1gl3t said:
Good news ( @Phate123, @awinston )! I have managed to crash the surfaceflinger on 4.5.2 (should also work on 4.5.3).
Wow, you are really good! I had started to piece some of this together and wanted to document it for good measure, even though you are clearly going to beat the rest of us to this exploit. Arguably I could never figure it out, but it never hurts to try. At least I am learning.
https://charleszblog.wordpress.com/2014/02/20/understanding-android-internals-graphics-basics-i/
http://translate.google.com/transla...dyhuabing/article/details/7489776&prev=search
http://4.bp.blogspot.com/-qQxyvr2Vc8w/VFYLxdacwpI/AAAAAAAAAes/HMMrUIwC9OY/s1600/Selection_043.png
https://android.googlesource.com/platform/frameworks/native/+/master/libs/gui/tests/Surface_test.cpp
The screenshot test is where I was focusing but wasn't really getting very far.
Crashed unflatten as well
Okay so I crashed unflatten as well. Trying to figure out where to go from here. I am a little confused though because I did it natively by calling unflatten directly from a cpp program I wrote with a few lines of code. When you crash it like this how do I know it was the buffer overflow? Sorry, still trying to learn as I go.
03-05 17:06:47.380 2652-2652/? A/libc﹕ Fatal signal 11 (SIGSEGV) at 0x52464247 (code=1), thread 2652 (screenshot)
03-05 17:06:47.490 258-258/? I/DEBUG﹕ *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-05 17:06:47.490 258-258/? I/DEBUG﹕ AM write failure (32 / Broken pipe)
03-05 17:06:47.490 258-258/? I/DEBUG﹕ Build fingerprint: 'Amazon/thor/thor:4.4.3/KTU84M/13.4.5.2_user_452004220:user/release-keys'
03-05 17:06:47.490 258-258/? I/DEBUG﹕ Revision: '0'
03-05 17:06:47.490 258-258/? I/DEBUG﹕ pid: 2652, tid: 2652, name: screenshot >>> ./screenshot <<<
03-05 17:06:47.490 258-258/? I/DEBUG﹕ signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 52464247
03-05 17:06:47.490 955-1055/? W/NativeCrashListener﹕ Couldn't find ProcessRecord for pid 2652
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r0 b723dfb8 r1 47424652 r2 be94a600 r3 00000020
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r4 b723dfb8 r5 be94a618 r6 52464247 r7 be94a604
03-05 17:06:47.500 258-258/? I/DEBUG﹕ r8 be94a600 r9 00000000 sl be94a618 fp be94a6ec
03-05 17:06:47.500 258-258/? I/DEBUG﹕ ip b6f08f44 sp be94a590 lr b6f04f4b pc b6e34b94 cpsr 200b0030
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d0 0000000000000000 d1 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d2 0000000000000000 d3 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d4 0000000000000000 d5 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d6 0000000000000000 d7 55ab5f0000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d8 0000000000000000 d9 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d10 0000000000000000 d11 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d12 0000000000000000 d13 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d14 0000000000000000 d15 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d16 0000002000000001 d17 0000000000000020
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d18 b723a630b723a618 d19 b723a658b723a648
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d20 b723a678b723a668 d21 b723a698b723a688
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d22 b723aaf8b723a6a8 d23 b723af58b723af48
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d24 0000000000000000 d25 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d26 0000000000000000 d27 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d28 0000000000000000 d29 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ d30 0000000000000000 d31 0000000000000000
03-05 17:06:47.500 258-258/? I/DEBUG﹕ scr 00000010
03-05 17:06:47.510 258-258/? I/DEBUG﹕ backtrace:
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #00 pc 00005b94 /system/lib/libui.so (android::GraphicBuffer::unflatten(void const*&, unsigned int&, int const*&, unsigned int&)+23)
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #01 pc 00002f47 /data/local/tmp/screenshot
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #02 pc 0000e4db /system/lib/libc.so (__libc_init+50)
03-05 17:06:47.510 258-258/? I/DEBUG﹕ #03 pc 0000308c /data/local/tmp/screenshot
03-05 17:06:47.510 258-258/? I/DEBUG﹕ stack:
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a550 00000000
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a554 b6010001
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a558 00000000
03-05 17:06:47.510 258-258/? I/DEBUG﹕ be94a55c b6e0d44b /system/lib/libgui.so
awinston said:
Okay so I crashed unflatten as well.
Is the trick to do it through the surfaceflinger process because it is running with escalated privileges?
awinston said:
Okay so I crashed unflatten as well. Trying to figure out where to go from here. I am a little confused though because I did it natively by calling unflatten directly from a cpp program I wrote with a few lines of code. When you crash it like this how do I know it was the buffer overflow? Sorry, still trying to learn as I go.
Is the trick to do it through the surfaceflinger process because it is running with escalated privileges?
Surfaceflinger runs under the system user (+drmrpc group) and should have access to /dev/qseecom, through which we can get root using CVE-2014-4322.
The problem is that the heap buffer overflow triggered by unflatten seems very difficult to exploit.
We must consider the following to achieve a controlled memory write:
sizeof(native_handle_t) + sizeof(int)*(numFds+numInts) must overflow 32 bits and remain small enough that the malloc succeeds and returns a valid heap address in h->data. If the malloc were to fail, we would memcpy to address 0 and get a seg fault.
As even after the malloc, numInts and numFds are used only after being multiplied by 4 (sizeof(int)), we can ignore the 2 most significant bits from both of them. This means that the only way to get any kind of bof is to generate a transport from bit 29 to bit 30 on the sum numFds+numInts. Consequently, at least one of numInts or numFds must have bit 29 set. This doesn't sound very good, because next we will do a memcpy of numFds * 4 bytes and then a memcpy of numInts * 4 bytes, meaning that at least one of the two memcpy calls will try to copy at least (1<<31) bytes. This will certainly lead to a segfault before we can trigger something from another thread...
The executable code is position independent, so we would need to leak an address to be able to use ROP.
Things don't look good at all... I really hope that I have made a mistake or that there is another approach to the problem.
I'm afraid that the pros would have already implemented an exploit by now, if it could have been done.
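The size arithmetic described above, written out as an added example (not code from this thread or from AOSP): a constructed model of the 32-bit allocation-size computation in an unflatten-style handle parser, once with the unchecked arithmetic and once with the bounds check a hardened version needs. The header size of 12 bytes and the MAX_HANDLE_ENTRIES bound are assumptions for an ILP32 build.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the arithmetic that precedes the malloc and the two
 * memcpy calls in an unflatten-style native_handle parser on 32-bit ARM.
 * Only the size computation is modelled; no buffer is allocated or copied. */

/* Assumed header of a native handle on an ILP32 build:
 * version, numFds, numInts = 3 * sizeof(int32_t). */
#define NATIVE_HANDLE_HEADER_SIZE 12u

typedef struct {
    bool     ok;          /* false when the request is rejected up front */
    uint32_t alloc_size;  /* bytes that would be handed to malloc */
    uint32_t fds_bytes;   /* bytes the first memcpy would copy (numFds * 4) */
    uint32_t ints_bytes;  /* bytes the second memcpy would copy (numInts * 4) */
} size_plan;

/* Unchecked variant: numFds and numInts come straight from the parcel.
 * Every multiplication and addition is done modulo 2^32, so the sum can wrap
 * to a tiny allocation while the copies stay huge (or become "negative"). */
size_plan plan_unchecked(int32_t numFds, int32_t numInts)
{
    size_plan p = { true, 0, 0, 0 };
    uint32_t count = (uint32_t)numFds + (uint32_t)numInts;   /* wraps */
    p.alloc_size = NATIVE_HANDLE_HEADER_SIZE
                 + (uint32_t)sizeof(int32_t) * count;        /* wraps */
    p.fds_bytes  = (uint32_t)sizeof(int32_t) * (uint32_t)numFds;
    p.ints_bytes = (uint32_t)sizeof(int32_t) * (uint32_t)numInts;
    return p;
}

/* Largest per-field count for which header + 4*(numFds+numInts) provably
 * fits in 32 bits. The bound is an assumption of this example. */
#define MAX_HANDLE_ENTRIES \
    ((uint32_t)((UINT32_MAX - NATIVE_HANDLE_HEADER_SIZE) / sizeof(int32_t) / 2))

/* Hardened variant: reject negative and oversized counts before any
 * arithmetic that could wrap, so the later allocation and copies agree. */
size_plan plan_checked(int32_t numFds, int32_t numInts)
{
    size_plan rejected = { false, 0, 0, 0 };
    if (numFds < 0 || numInts < 0)
        return rejected;
    if ((uint32_t)numFds > MAX_HANDLE_ENTRIES ||
        (uint32_t)numInts > MAX_HANDLE_ENTRIES)
        return rejected;
    return plan_unchecked(numFds, numInts);  /* cannot wrap after the checks */
}

/* True when the copies would write past the buffer the plan allocates.
 * Computed in 64 bits so the comparison itself cannot wrap. */
bool plan_overflows(size_plan p)
{
    if (!p.ok)
        return false;
    uint64_t written = (uint64_t)NATIVE_HANDLE_HEADER_SIZE
                     + (uint64_t)p.fds_bytes + (uint64_t)p.ints_bytes;
    return written > (uint64_t)p.alloc_size;
}

static void show(const char *label, size_plan p)
{
    printf("%-28s ok=%d alloc=%u fds_bytes=%u ints_bytes=%u overflow=%d\n",
           label, p.ok, p.alloc_size, p.fds_bytes, p.ints_bytes,
           plan_overflows(p));
}

int main(void)
{
    /* Benign handle: one fd, eight ints. */
    show("unchecked 1/8", plan_unchecked(1, 8));
    /* Bit 29 set in both counts: the sum carries out of 32 bits and the
     * allocation collapses to the bare header. */
    show("unchecked 2^29/2^29", plan_unchecked(0x20000000, 0x20000000));
    /* numFds = -numInts: the allocation is exactly the header, but the
     * first memcpy length is the unsigned view of -48. */
    show("unchecked -12/12", plan_unchecked(-12, 12));
    show("checked 2^29/2^29", plan_checked(0x20000000, 0x20000000));
    show("checked -12/12", plan_checked(-12, 12));
    return 0;
}
```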
p1gl3t said:
We must consider the following to obtain a controlled memory write:
Those have been my thoughts too. There is a memory corruption, but it is difficult to use and it is not in areas that could be used to manipulate the return stack or a vtable entry. Or I just can't see the way. I have experience in this area, but it is kinda limited.
BTW: These drivers are not used by the Fire HDX by chance? https://www.codeaurora.org/projects...le-camera-drivers-cve-2014-4321-cve-2014-4324
Sadly I cannot find enough time to spend hours on digging. I hope there are some hours to be found this weekend though.
Phate123 said:
Those have been my thoughts too. There is a memory corruption, but it is difficult to use and it is not in areas that could be used to manipulate the return stack or a vtable entry.
I don't think a stack attack would have been feasible at all, as the code should be compiled with the stack protector on and we can't brute-force the canary value. Hijacking a vtable pointer or a GOT entry would have been the way to go, but we still wouldn't know what to write, as everything is ASLR'd.
Regarding those camera drivers, I think someone over at the Samsung section also mentioned them. I'll look into them and report back.
p1gl3t said:
I don't think a stack attack would have been feasible at all, as the code should be compiled with the stack protector on and we can't brute-force the canary value. Hijacking a vtable pointer or a GOT entry would have been the way to go, but we still wouldn't know what to write, as everything is ASLR'd.
Would you mind sharing your code even though it doesn't look like you will be able to exploit this overflow? I am still trying to get my head around the basic attack through surface flinger and it would help me greatly to better understand how at least in theory this works. No worries if you don't want to.
awinston said:
Would you mind sharing your code even though it doesn't look like you will be able to exploit this overflow? I am still trying to get my head around the basic attack through surface flinger and it would help me greatly to better understand how at least in theory this works. No worries if you don't want to.
Here you go: https://github.com/p1gl3t/CVE-2015-1474_poc.
p1gl3t, great job on creating a PoC of the exploit :good:
p1gl3t said:
Regarding those camera drivers, I think someone over at the Samsung section also mentioned them. I'll look into them and report back.
@jcase Says no on those camera group holes. http://forum.xda-developers.com/showpost.php?p=58945240&postcount=18
It's good to see others working on 2015-1474 also :good:
ZPaul2Fresh8 said:
@jcase Says no on those camera group holes. http://forum.xda-developers.com/showpost.php?p=58945240&postcount=18
It's good to see others working on 2015-1474 also :good:
@jcase is right: only mediaserver is executed under the camera group, so that it can access /dev/video*. You can see that in init.base.rc and ueventd.qcom.rc.
Now returning to the original topic... I fiddled around with unflatten, giving some input that should have made it crash.
What I did is I left numInts untouched and set numFds = -numInts. I was expecting surfaceflinger to crash every single time on the first memcpy. Somehow it didn't. I was baffled and had to gdb the process to see where my assumptions were wrong.
I broke just before the first memcpy and printed the params:
Code:
(gdb) p $r0
$19 = 3074255348
(gdb) p $r1
$20 = 3074340312
(gdb) p $r2
$21 = 4294967248
r0 is the destination, r1 the source and r2 the number of bytes to copy. r2 is the unsigned representation of 4 * (-12) = 4 * numFds = -4 * numInts.
How did the program NOT crash???!! It even worked a second time, but crashed with SIGABRT in a free() because of heap corruption (I suppose). So even the second memcpy passed without segfault.
Here you have the memory map of surfaceflinger.
LE I have traced the memcpy. It looks like this on my Apollo 14.4.5.2
Code:
.text:0002218C __memcpy_base
.text:0002218C CMP R2, #4
.text:0002218E BLT.W loc_222DC
.text:00022192 CMP R2, #0x10
.text:00022194 BLT.W loc_222BE
.text:00022198 CMP R2, #0x20
.text:0002219A BLT.W loc_222AE
.text:0002219E CMP R2, #0x40
.text:000221A0 BLT loc_222A2
It seems like R2 (number of bytes) is treated like a signed int, so the first branch is taken and the following instructions are executed
Code:
.text:000222DC loc_222DC ; CODE XREF: __memcpy_base+2
.text:000222DC LSLS R2, R2, #0x1F
.text:000222DE ITT CS
.text:000222E0 LDRCSH.W R3, [R1],#2
.text:000222E4 STRCSH.W R3, [R0],#2
.text:000222E8 ITT MI
.text:000222EA LDRMIB R3, [R1]
.text:000222EC STRMIB R3, [R0]
This ends up copying only n & 3 bytes, which is < 4. Basically, only the 2 least significant bits of n matter.
So... I guess we are able to write to h->data + numFds*4 as long as numFds*4 is negative. But having numFds as an offset may hurt us on the malloc side.
Now we have to defeat aslr somehow.
Any chance
I hope you are still working on this; we really need to get rid of the crappy Amazon OS and unlock the full potential of these amazing tablet specs.
I have an open tablet that I should repair. If there is a need to take some photos of components, please let me know. I am not into software hacking yet and it will take me some time to get into it... but I want to contribute to make this possible, and I hope more smart guys from around here join their efforts to do it.
I wish there was another tablet on the market that is as good as this one right now at an affordable price, just to see how CM12.1 behaves on it. I tried it on a KFHD before I got it bricked; it was fine but a little bit laggy due to limited specs and low RAM.
Hi, p1gl3t!
I'm interested in your PoC and have to ask... Is your work on this done? And how might I use it for my specific device?
dadreamer said:
Hi, p1gl3t!
I'm interested in your PoC and have to ask... Is your work on this done? And how might I use it for my specific device?
Not sure what this thread was all about (didn't look back), but the last post was over 2 years ago. A lot has happened since then; every 3rd gen HDX can be bootloader unlocked, opening the door to custom ROMs ranging from Android 4.4.4 to 7.1.1.
https://forum.xda-developers.com/kindle-fire-hdx/general/thor-unlocking-bootloader-firmware-t3463982
https://forum.xda-developers.com/kindle-fire-hdx/general/thor-4-5-5-2-easy-to-root-unlock-t3571240
Davey126 said:
every 3rd gen HDX can be bootloader unlocked, opening the door to custom ROMs ranging from Android 4.4.4 to 7.1.1.
Well, that's true, but not for my device. I still have a slightly outdated smartphone. It is a Docomo Fujitsu Arrows NX F-01F [ Android 4.4.2, build # V10R22A (kernel version 3.4.0), ARMv7 arch (armv7l, armeabi-v7a) ]. And it's got no public firmwares at all, no bootloader unlock and no root in easy ways. Besides that, there's one "pleasant" addition, PXN (Privilege Execute-Never), which doesn't let me root the phone with simple ways or common tools.
To bypass PXN I have to use some JOP approach, but for that I need to get boot.img or a kernel memory dump somehow. Because I have no factory ROMs, I'm trying to pull out boot.img through known vulnerabilities of my dev. One of them is CVE-2015-1474 (GraphicBuffer integer overflow), which potentially might give me system privileges to copy boot.img from that phone.
So I wonder if p1gl3t's code is ready to use and is able to give system privileges. It seems it should be compiled together with the AOSP codebase. But I'm unsure if it would work well once I get it compiled.
Checked your links. There I see that the presence of root is required. But I can't gain root so can't use those tools.
dadreamer said:
Well, that's true, but not for my device. I still have a slightly outdated smartphone. It is a Docomo Fujitsu Arrows NX F-01F [ Android 4.4.2, build # V10R22A (kernel version 3.4.0), ARMv7 arch (armv7l, armeabi-v7a) ]. And it's got no public firmware at all, no bootloader unlock and no root in easy ways. Besides that, there's one "pleasant" addition - PXN (Privilege Execute-Never), which doesn't let me root the phone with simple ways or common tools.
To bypass PXN I have to use some JOP approach, but for it I need to get boot.img or a kernel memory dump somehow. Because I have no factory ROMs I'm trying to pull out boot.img through known vulnerabilities of my dev. One of them is CVE-2015-1474 (GraphicBuffer integer overflow), which potentially might give me system privileges to copy boot.img from that phone.
So I wonder if p1gl3t's code is ready to use and is able to give the system privileges. It seems it should be compiled together with the AOSP codebase. But I'm unsure if it would work well when I get it compiled.
Checked your links. There I see that the presence of root is required. But I can't gain root so can't use those tools.
Have not seen @p1gl3t on this thread/forum in a while; not sure if s/he is still active on XDA. Might try a PM. Given the age and, err, uniqueness of the device in question I suspect you're in for quite a ride. Good luck.
Well, I have compiled that badscreencap by p1gl3t along with the Android 4.4.2 codebase and then pushed it to my dev. But whenever I run it I receive a segfault:
Code:
[email protected]:/data/local/tmp $ ./badscreencap
pid 24824
display.update ret 0
IGraphicBufferConsumer::consumerDisconnect 0x18
BBinder::onTransact 0x40
BnGraphicBufferProducer::onTransact 0x34
BBinder::onTransact 0x40
BnGraphicBufferProducer::onTransact 0x34
BBinder::onTransact 0xb6889759
BnGraphicBufferProducer::onTransact 0xb6889391
BBinder::onTransact = 0xb6899048
*BBinder::onTransact = 0xb6889759
BBinder::onTransact = 0xb7b912b0
*BBinder::onTransact = 0xb6889759
--------
f1 04 00 ff f7 18 be 38 b5 04 46 0d 46 11 b1 08 46 f6 f7 50
--------
[1] + Stopped (signal) ./badscreencap
When I issue any command after that I get
Code:
[email protected]:/data/local/tmp $
[1] + Segmentation fault ./badscreencap (core dumped)
Of course, no signs of system privileges for my id. Checked this with logcat and it has the following trace:
F/libc (24824): Fatal signal 11 (SIGSEGV) at 0x00000004 (code=1), thread 24824 (badscreencap)
D/wpa_supplicant(10784): wlan0: Control interface command 'SIGNAL_POLL'
D/wpa_supplicant(10784): signal_poll nl80211_signal_poll:10508 rssi:[-47]
D/wpa_supplicant(10784): nl80211: survey data missing!
D/wpa_supplicant(10784): wlan0: Control interface command 'PKTCNT_POLL'
I/DEBUG ( 266): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 266): Build fingerprint: 'DOCOMO/F01F/F01F:4.4.2/V10R22A/F01F.20150107.043237:user/release-keys'
I/DEBUG ( 266): Revision: '37'
I/DEBUG ( 266): pid: 24824, tid: 24824, name: badscreencap >>> ./badscreencap <<<
I/DEBUG ( 266): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000004
W/NativeCrashListener( 1119): Couldn't find ProcessRecord for pid 24824
I/DEBUG ( 266): r0 00000004 r1 beca97ac r2 b6f6f82c r3 00000004
I/DEBUG ( 266): AM write failure (32 / Broken pipe)
I/DEBUG ( 266): r4 00000000 r5 b7b8eee8 r6 b688b285 r7 00000000
I/DEBUG ( 266): r8 beca97e4 r9 00000000 sl beca99d8 fp beca98ac
I/DEBUG ( 266): ip b6ec1f38 sp beca9780 lr b6eba0d5 pc b6ee9b5c cpsr 000b0010
I/DEBUG ( 266): d0 0000000000000000 d1 0000000000000000
I/DEBUG ( 266): d2 0000000000000000 d3 0000000000000000
I/DEBUG ( 266): d4 0000000000000000 d5 0000000000000000
I/DEBUG ( 266): d6 0000000000000000 d7 3849498000000000
I/DEBUG ( 266): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 266): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 266): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 266): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 266): d16 7265646e6942422a d17 6e6172546e6f3a3a
I/DEBUG ( 266): d18 b6e8d399b6e8d4af d19 b6e8d07fb6e8d377
I/DEBUG ( 266): d20 b68827d1b6e8d071 d21 b6889759b68827f3
I/DEBUG ( 266): d22 0000000000000000 d23 0000000000000000
I/DEBUG ( 266): d24 0000000000000000 d25 0000000000000000
I/DEBUG ( 266): d26 0000000000000000 d27 0000000000000000
I/DEBUG ( 266): d28 0000000000000000 d29 0000000000000000
I/DEBUG ( 266): d30 0000000000000000 d31 0000000000000000
I/DEBUG ( 266): scr 00000010
I/DEBUG ( 266):
I/DEBUG ( 266): backtrace:
I/DEBUG ( 266): #00 pc 00003b5c /system/lib/libcutils.so (android_atomic_inc+8)
I/DEBUG ( 266): #01 pc 0000d0d1 /system/lib/libutils.so (android::RefBase::incStrong(void const*) const+6)
I/DEBUG ( 266): #02 pc 0002a3b5 /system/lib/libgui.so (android::sp<android::IBinder>::sp(android::sp<android::IBinder> const&)+20)
I/DEBUG ( 266): #03 pc 0003494f /system/lib/libgui.so (android::ScreenshotClient::update(android::sp<android::IBinder> const&, unsigned int, unsigned int, unsigned int, unsigned int)+78)
I/DEBUG ( 266): #04 pc 000349c1 /system/lib/libgui.so (android::ScreenshotClient::update(android::sp<android::IBinder> const&)+14)
I/DEBUG ( 266): #05 pc 00005de1 /data/local/tmp/badscreencap
I/DEBUG ( 266): #06 pc 0000e5a3 /system/lib/libc.so (__libc_init+50)
I/DEBUG ( 266): #07 pc 00005590 /data/local/tmp/badscreencap
I/DEBUG ( 266):
Besides the crash it seems to be incomplete, because the code lacks any final way of gaining elevated privileges (payload w/ reverse shell or something like that).
I assume it all makes no sense due to the loss of relevance for others. So I'll turn my attention to other CVEs out there. This could be the most elegant and shortest way of getting system, though.
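As an added example (not from this thread and not p1gl3t's code), a small triage script for the debuggerd output quoted above: it pulls the signal, fault address, process and backtrace out of an interleaved logcat capture, flags the near-NULL fault address, and points at the first frame in the user's own binary (the one to feed to addr2line). The sample lines are copied from the trace above; the function and class names are my own.

```python
# Added example (not code from this thread or from p1gl3t's badscreencap): pull the
# debuggerd crash summary out of a logcat capture and flag near-NULL dereferences.
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt copied from the trace posted above, with interleaved unrelated traffic.
SAMPLE_LOG = """\
D/wpa_supplicant(10784): wlan0: Control interface command 'SIGNAL_POLL'
I/DEBUG ( 266): pid: 24824, tid: 24824, name: badscreencap >>> ./badscreencap <<<
I/DEBUG ( 266): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000004
I/DEBUG ( 266): backtrace:
I/DEBUG ( 266): #00 pc 00003b5c /system/lib/libcutils.so (android_atomic_inc+8)
I/DEBUG ( 266): #01 pc 0000d0d1 /system/lib/libutils.so (android::RefBase::incStrong(void const*) const+6)
I/DEBUG ( 266): #02 pc 0002a3b5 /system/lib/libgui.so (android::sp<android::IBinder>::sp(android::sp<android::IBinder> const&)+20)
I/DEBUG ( 266): #03 pc 0003494f /system/lib/libgui.so (android::ScreenshotClient::update(android::sp<android::IBinder> const&, unsigned int, unsigned int, unsigned int, unsigned int)+78)
I/DEBUG ( 266): #05 pc 00005de1 /data/local/tmp/badscreencap
I/DEBUG ( 266): stack:
"""

DEBUG_LINE = re.compile(r"^I/DEBUG\s*\(\s*\d+\):\s?(.*)$")
SIGNAL = re.compile(r"signal (\d+) \((\w+)\), code \d+ \((\w+)\), fault addr ([0-9a-f]+)")
PROCESS = re.compile(r"pid: (\d+), tid: \d+, name: (\S+)")
FRAME = re.compile(r"#(\d+)\s+pc\s+([0-9a-f]+)\s+(\S+)(?:\s+\((.+)\))?$")
Frame = namedtuple("Frame", "index pc module symbol")  # symbol is None if stripped

@dataclass
class Crash:
    signal: int = 0
    signal_name: str = ""
    fault_addr: int = 0
    pid: int = 0
    name: str = ""
    frames: List[Frame] = field(default_factory=list)

def parse_tombstone(text: str) -> Crash:
    """Only I/DEBUG lines count; frames follow "backtrace:" until a non-frame line."""
    crash, in_backtrace = Crash(), False
    for raw in text.splitlines():
        m = DEBUG_LINE.match(raw)
        if not m:
            continue  # unrelated logcat traffic (wpa_supplicant etc.)
        body = m.group(1).strip()
        fm = FRAME.match(body) if in_backtrace else None
        if fm:
            crash.frames.append(Frame(int(fm.group(1)), int(fm.group(2), 16),
                                      fm.group(3), fm.group(4)))
            continue
        in_backtrace = body == "backtrace:"
        sm, pm = SIGNAL.search(body), PROCESS.search(body)
        if sm:
            crash.signal, crash.signal_name = int(sm.group(1)), sm.group(2)
            crash.fault_addr = int(sm.group(4), 16)
        if pm:
            crash.pid, crash.name = int(pm.group(1)), pm.group(2)
    return crash

def first_frame_outside_system(crash: Crash) -> Optional[Frame]:
    """Call site in the user's own binary; hand its pc to addr2line on the unstripped build."""
    return next((f for f in crash.frames if not f.module.startswith("/system/")), None)

def classify(crash: Crash) -> str:
    """Coarse label a triager would put on the report."""
    top = (crash.frames[0].symbol or crash.frames[0].module) if crash.frames else "?"
    if crash.signal_name == "SIGSEGV" and crash.fault_addr < 0x1000:
        # Below one page means a NULL base plus a small field offset, i.e. a
        # freed or never-initialised object rather than a wild pointer.
        return "near-NULL dereference (offset 0x%x) in %s" % (crash.fault_addr, top)
    return "%s at 0x%08x in %s" % (crash.signal_name, crash.fault_addr, top)
```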
dadreamer said:
Well, I have compiled that badscreencap by p1gl3t along with the Android 4.4.2 codebase and then pushed it to my dev. But whenever I run it I receive a segfault:
When I issue any command after that I get
Of course, no signs of system privileges for my id. Checked this with logcat and it has the following trace:
Besides the crash it seems to be incomplete, because the code lacks any final way of gaining elevated privileges (payload w/ reverse shell or something like that).
I assume it all makes no sense due to the loss of relevance for others. So I'll turn my attention to other CVEs out there. This could be the most elegant and shortest way of getting system, though.
Is your goal to gain root on FireOS v3/v4/5 or are you experimenting with this for other reasons? If the former there are far easier methods (FireOS version dependent) of achieving this; even a theoretical way to unlock the bootloader sans root.