Crypto details for Nougat? And comparison/upgrades from Marshmallow? - Security Discussion

Hi guys,
Can anybody please point me to some info on the details for the crypto implementations in Nougat? I'm interested in technical details like which ciphers are used, how key management is done, and whether there is any UI to tune or change various crypto options.
I am also interested in any page(s) that might have a concise listing of upgrades to Nougat crypto over Marshmallow. I have been looking around and so far have not really found any good info on this and the above question.
Lastly, since the boot changed on Nougat and programs are supposed to be able to get control at an early boot stage to do some limited operations, I have been expecting some vulnerabilities or even exploits to have occurred. Do you know of any issues with this?
Thanks.

Related

[Q] SurfaceFlinger and possibility to take screenshot without root

I stumbled upon this article, and started to wonder if anyone has done anything about it yet? Has it been confirmed, or was it a false positive?
I hope this is a real feature, and excuses about security can't be that good, as Comrade Steve -Iron Fist- Jobs and his iPhones have had the feature since the first version?
Hi frapaa!
Have you found any information regarding this issue? I'm also interested in taking screenshot on an unrooted device, but it seems that there is almost no information available at the moment.
Recently, I've dug into the Android sources and may say the following:
Seems that 2.3.3 really has some progress on screenshotting. There is a SurfaceFlinger service (only low-level though) which is actually a composite engine. There are methods like ::captureScreen() which do the stuff.
However, I could not find any userspace API for this stuff. SurfaceFlinger registers itself in the internal ServiceManager, which is not interfaced to the public, AFAIK.
Someone on the internets said that this stuff should be interfaced through the Java Surface class and its friends.
So, have you something to add?

[Q] Some information about sec.ko ???

Hi kernel hackers,
it is getting very silent recently about possible security hacks on the Milestone platform.
Today I stumbled over some kernel code located in /drivers/misc/sec.
Maybe this has been discussed already... anyway
There are some interesting functions in the source code and I wonder which application is using this module to enter the secure world of OMAP.
Some of the functions are accessing registers that are also involved in low level routines of the bootcode (e.g. mbmloader).
Some questions:
Which application in android userspace is using this module?
Could we tweak this module to get access to some of the protected OMAP registers?
Is it a signed module?
Would be nice to use a modified module and activate some of the blocked features (e.g. DAP controller for debugging).
Any comments welcome!!!
Regards,
scholbert
scholbert said:
Hi kernel hackers,
it is getting very silent recently about possible security hacks on the Milestone platform.
Today I stumbled over some kernel code located in /drivers/misc/sec.
Maybe this has been discussed already... anyway
There are some interesting functions in the source code and I wonder which application is using this module to enter the secure world of OMAP.
Some of the functions are accessing registers that are also involved in low level routines of the bootcode (e.g. mbmloader).
Some questions:
Which application in android userspace is using this module?
Could we tweak this module to get access to some of the protected OMAP registers?
Is it a signed module?
Would be nice to use a modified module and activate some of the blocked features (e.g. DAP controller for debugging).
Any comments welcome!!!
Regards,
scholbert
Well, I'm not a kernel hacker, but I have an educated guess...
I believe that the radio system uses those functions to check whether the kernel is valid or not, so, we have the radio not working with a replacement kernel that is loaded using kexec...
Perhaps, if it is possible to "change" this function using a module, we could get a function always telling the kernel is valid and have kexec working on Milestone. Again, I'm not a kernel hacker, but that is my guess.
Hi, I'm sorry that I won't be much help, but these guys might:
https://www.droid-developers.org/
irc://irc.freenode.net/#milestone-modding
Hi,
thanks for your comments so far.
To be more precise, I think this kernel driver is calling the secure monitor in some way. See here:
https://www.droid-developers.org/wiki/Secure_Monitor
There's also a structure defined in that driver. I think I'll have to compare some of the ioctl entries.
https://www.droid-developers.org/wiki/Secure_Services
I'll do some investigation on this issue and search the web for some userland source code using this driver.
Again, if someone knows more about it, you're welcome
Cheers,
scholbert
scholbert said:
Hi,
thanks for your comments so far.
To be more precise, I think this kernel driver is calling the secure monitor in some way. See here:
https://www.droid-developers.org/wiki/Secure_Monitor
There's also a structure defined in that driver. I think I'll have to compare some of the ioctl entries.
https://www.droid-developers.org/wiki/Secure_Services
I'll do some investigation on this issue and search the web for some userland source code using this driver.
Again, if someone knows more about it, you're welcome
Cheers,
scholbert
You don't have to search for the source, it's on SourceForge:
http://sourceforge.net/projects/milestone.motorola/files/
SophT said:
You don't have to search for the source, it's on SourceForge:
http://sourceforge.net/projects/milestone.motorola/files/
Yeah sure, I knew this
Anyway, thanks for the hyperlink!
In the meantime I grepped all binaries from the latest distribution.
I found out that two applications are using /dev/sec.
1. dbvc_atvc_property_set
2. tcmd
If someone knows which package of source code they belong to... would save some time searching.
EDIT:
O.K. Google did it for me...
Seems that both binaries are proprietary code. Some early conclusions:
1. dbvc_atvc_property_set
This one is started as a service in init.mapphone_umts.rc and seems to use /dev/sec for granting rights to access OMAP secure world (e.g. read eFuse values for unique device id, IMEI etc.).
This binary contains a certificate which is not Milestone specific (XT720 uses the same).
So right now I don't know if this certificate is needed to access /dev/sec or the application itself identifies itself as a trusted application (signed app).
Would make sense, if the BP uses signed applications to access certain low level functions, e.g. read/write the eFuse bank.
2. tcmd
This one is also started as a service in init.mapphone_umts.rc to access a variety of devices. Seems to be related to data streaming or stuff.
As stated it has an entry for /dev/sec and it got no certificate.
Would be interesting to get some more info about that.
Further comments....
P.S.: This bloody security stuff is making me sick
Regards,
scholbert
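The inventory step described in this post (grepping a firmware's binaries for the ones that mention /dev/sec), as an added shell example that is not code from the thread. It lists every file under a directory whose bytes contain a given device-node string and counts them. The sample tree, its file names (which reuse the two names the post reports) and their contents are constructed stand-ins, not the real Milestone binaries.

```shell
#!/bin/sh
# Added example (not from the thread): inventory which files under a firmware
# tree reference a device node such as /dev/sec, i.e. the grep the post ran
# over the Milestone binaries. The sample tree below is constructed; the file
# names reuse the ones the post reports but their contents are made up.
set -e

# find_dev_users DIR NODE
# Prints the path of every file under DIR whose bytes contain the string NODE,
# one per line, sorted so the output is stable across runs.
find_dev_users() {
    dir="$1"
    node="$2"
    # -r recurse, -a treat binaries as text, -l names only, -F literal match;
    # grep exits 1 when nothing matches, which is not an error for us.
    grep -r -a -l -F -- "$node" "$dir" 2>/dev/null | sort || true
}

# count_dev_users DIR NODE
# Number of files under DIR that reference NODE (0 when none do).
count_dev_users() {
    find_dev_users "$1" "$2" | grep -c . || true
}

# make_sample_tree
# Builds a constructed stand-in for a firmware dump and prints its root.
# Two fake binaries embed "/dev/sec"; the third only mentions /dev/null.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/system/bin"
    # \177 and \377 sprinkle non-text bytes in so the files look binary to grep
    printf 'ELF\177\377 service dbvc: open /dev/sec, read efuse\377' \
        > "$root/system/bin/dbvc_atvc_property_set"
    printf 'ELF\177\377 tcmd: /dev/sec ioctl stream\377' \
        > "$root/system/bin/tcmd"
    printf 'ELF\177\377 harmless: writes to /dev/null only\377' \
        > "$root/system/bin/harmless"
    printf '%s' "$root"
}

# Stand-alone run: build the tree, list what references /dev/sec, clean up.
main() {
    root=$(make_sample_tree)
    echo "Files under $root referencing /dev/sec:"
    find_dev_users "$root" /dev/sec
    echo "Count: $(count_dev_users "$root" /dev/sec)"
    rm -rf "$root"
}
main "$@"
```

On a real device you would point find_dev_users at a mounted system image (or an extracted firmware directory) instead of the constructed tree. A string match only shows that a binary refers to the node; confirming that it actually opens it still needs a look at the binary or at the init scripts that start it, which is what the post goes on to do.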
Hi again,
I just compared some of the defines in the kernel driver headers (/drivers/misc/sec/sec_core.h) with the ones xvilka reversed inside mbmloader.
Code:
...
#define API_HAL_KM_SOFTWAREREVISION_READ 33 // 0x21
...
#define API_HAL_NB_MAX_SVC 39 // 0x27
#define API_HAL_MOT_EFUSE (API_HAL_NB_MAX_SVC + 10) // 0x31
#define API_HAL_MOT_EFUSE_READ (API_HAL_NB_MAX_SVC + 15) // 0x36
...
For comparison see the table here:
https://www.droid-developers.org/wiki/Secure_Services
It is obvious that /dev/sec allows access to the OMAP secure world and uses the above mentioned API calls to push information to userspace apps.
The question would be if the ioctl must be certified through the API using some key ...
O.K. I see this is deep down code creeping, but maybe someone understands what I try to work out
See ya,
scholbert
scholbert said:
O.K. I see this is deep down code creeping, but maybe someone understands what I try to work out
I think I know what you are trying to work out, but I can't think of any way to help
You're pretty much comparing the results of your findings with that of the mbmloader dump right?
I would like so much to fully understand what you are doing, but I can understand just a little..
btw I hope that you'll be glad to know that you have all my psychological support!
mystichobo said:
I think I know what you are trying to work out, but I can't think of any way to help
You're pretty much comparing the results of your findings with that of the mbmloader dump right?
Yeah, kind of... we know for sure there's an API to access security functions on OMAP. I just dug out some parallels in kernel code and mbmloader.
If we could make use of security functions from within kernel space (by using a tweaked module) this would be a nice playground.
Perhaps, there's any bug or backdoor we could shamelessly exploit to:
a. boot custom kernel with second boot
b. tweak the security system and enable some hidden functions inside OMAP
puffo81 said:
I would like so much to fully understand what you are doing, but I can understand just a little..
btw I hope that you'll be glad to know that you have all my psychological support!
Thanks a lot for pointing out
Best regards,
scholbert
scholbert said:
Yeah, kind of... we know for sure there's an API to access security functions on OMAP. I just dug out some parallels in kernel code and mbmloader.
If we could make use of security functions from within kernel space (by using a tweaked module) this would be a nice playground.
Perhaps, there's any bug or backdoor we could shamelessly exploit to:
a. boot custom kernel with second boot
b. tweak the security system and enable some hidden functions inside OMAP
That's what I thought
Surprised no one has looked into it earlier really
Anyway good luck with it, adding my moral support too.
Cheers,
hobo
mystichobo said:
Surprised no one has looked into it earlier really
Anyway good luck with it, adding my moral support too.
I got into contact with xvilka.
Obviously there'd been some investigations concerning this issue.
To be honest, I don't know if it's worth digging a little deeper or if it will ever lead to something useful in the end. Could be fun though
Perhaps it would be a nice idea to tweak the driver and put some debug messages in the code.
Another interesting thing to do would be a logging function.
This way it would be possible to get some insights into the API to the secure monitor.
Anyway, I think it's never useless to discuss some hacking here. At least we're at xda-developers
If you like to tweak some kernel code, join in!!!
Have fun!
scholbert

Installing KNOX

I purchased a Samsung GTi9505 S4 running Android 4.2.2 from Europe recently, and can anyone explain to me how to install this APP?
I have these on my phone (pls see attached pics).
http://www.engadget.com/2013/02/25/samsung-safe-with-knox/
There are NO instructions on installing it. I looked all over on the web and nothing.
Only downloaded the KNOX Whitepaper.
I presume, this only works for North American based phones. But can someone shed some light on this please?
Thanks
It'll probably require some form of MAM (Mobile Application Management) product to be able to manage the applications within this 'sandboxed' environment. Applications will probably need to be specifically written to utilise it, so it's probably early days yet mate.
Unless I've got it completely wrong of course!
Working for a large organisation that requires this level of security, I requested further information from Samsung's website but haven't had a single response yet. I'm assuming it's still in development.
zoomee said:
It'll probably require some form of MAM (Mobile Application Management) product to be able to manage the applications within this 'sandboxed' environment. Applications will probably need to be specifically written to utilise it, so it's probably early days yet mate.
Unless I've got it completely wrong of course!
Working for a large organisation that requires this level of security, I requested further information from Samsung's website but haven't had a single response yet. I'm assuming it's still in development.
I know that the DoD got it approved from DISA.
http://gcn.com/articles/2013/05/29/disa--ios-android-stig.aspx
But I'm not working in that environment. It's more like I want to keep my personal data apart from the enterprise environment. So, I want to have my business data under KNOX and personal data on the normal interface like shown in this video.
That's all.
http://www.youtube.com/watch?v=t_jTit_RCdI
And on the box itself, it DOES have the "SAFE" on it. (Samsung For Enterprise)
That vid is a very brief overview mate. Looking at the feature list for Knox it seems to me to be an enterprise level function. Integration with Active Directory, single sign-on and other MDM products sort of implies that that's what it will work with, and not just for normal end users.
For normal end users - it would just be 'another profile' feature which I don't see much benefit for, as android phones/devices tend to be personal devices. However, for the enterprise where we regularly deploy BYOD solutions and corporate devices it seems much more fitting.
Sorry bud - probably not what you wanted to hear, but until we get further information from them there's not much we can do to utilise it (I'm sure I've seen a knoxx.apk on our devices already)......
If anyone else knows anything else it would be great to hear from them.....
PS - You might want to recommend either Excitors DME product or Good's BYOD one to your IT department
I also work at a large enterprise shop and we are looking at deploying Samsung devices with the Knox functionality. However, I read somewhere that the Knox software was not ready for the worldwide release of the Galaxy S4. It will be available later in the summer on the Galaxy S4 (later for other Samsung devices) on what I assume will be a firmware update. So there is no way to get it on your device right now. Hope this helps.
itsonlyme999 said:
I purchased a Samsung GTi9505 S4 running Android 4.2.2 from Europe recently, and can anyone explain to me how to install this APP?
I have these on my phone (pls see attached pics).
http://www.engadget.com/2013/02/25/samsung-safe-with-knox/
There are NO instructions on installing it. I looked all over on the web and nothing.
Only downloaded the KNOX Whitepaper.
I presume, this only works for North American based phones. But can someone shed some light on this please?
Thanks
zoomee said:
It'll probably require some form of MAM (Mobile Application Management) product to be able to manage the applications within this 'sandboxed' environment.
^^^^^
This.
And it offers no value to an individual user even if they managed to get it set up. For basic remote device management Find my Mobile (ex-Samsung Dive) offers what most users are looking for without all the complexity.
Ok, well that's that...
Anyway, even if I did have it installed and working on my phone, then I would be concerned about more memory use and more battery drainage with this KNOX feature enabled.
Think about it, it's like running two versions of Android on ONE phone. So this might be draining even more battery.
Thanks guys.

[Q] Android Layout / Activity Select via Hardware Detection?

Hi all,
First post here - looking forward to participating and working hard towards competency in Android development!
In the short time that I've been at this, I've noticed a great emphasis put on the importance of building a layout that will work across a range of Android hardware, or at least work well with both phones and tablets.
From what I've seen so far, the way to deal with this challenge is to compromise, and to not use absolute sizing for views etc..
I'm wondering if there is any kind of API available that would make it possible to detect hardware (at least screen size?) upon start up, which would then allow for switching to the appropriate XML layout?
I've not encountered it in any of the tutorials I've seen so far....
If this API *doesn't* exist, I would guess that the fact that the apps run on a VM might make any kind of hardware detection problematic if not impossible....
I'd appreciate any enlightenment on this that I can get!
Thanks in advance!
russ6100 said:
Hi all,
First post here - looking forward to participating and working hard towards competency in Android development!
In the short time that I've been at this, I've noticed a great emphasis put on the importance of building a layout that will work across a range of Android hardware, or at least work well with both phones and tablets.
From what I've seen so far, the way to deal with this challenge is to compromise, and to not use absolute sizing for views etc..
I'm wondering if there is any kind of API available that would make it possible to detect hardware (at least screen size?) upon start up, which would then allow for switching to the appropriate XML layout?
I've not encountered it in any of the tutorials I've seen so far....
If this API *doesn't* exist, I would guess that the fact that the apps run on a VM might make any kind of hardware detection problematic if not impossible....
I'd appreciate any enlightenment on this that I can get!
Thanks in advance!
OK to bump?

[Q] Build.prop variables

Hello everyone.
I was just curious as I'm trying to explore the build.prop variables a bit (and maybe some other files if they exist on Android). I know there are tons of released "tweak" packages out there, but I would like to study a bit myself.
Is there a full list somewhere of all the variables for tweaking or some explanation of what each variable does (like a wiki)? I use CyanogenMod 13 and I think it has its own custom CM variables too?
It's mainly for gaming purposes (CPU/GPU rendering variables). I would like to test to see if it makes a difference.
Where are the variables located? (Are they pre-programmed or listed in a certain file, for example?)
I have a rooted HTC One M8 (Vodafone) (S-On) with CM13 Nightly and latest TWRP Recovery.
Trackah123 said:
Hello everyone.
I was just curious as I'm trying to explore the build.prop variables a bit (and maybe some other files if they exist on Android). I know there are tons of released "tweak" packages out there, but I would like to study a bit myself.
Is there a full list somewhere of all the variables for tweaking or some explanation of what each variable does (like a wiki)? I use CyanogenMod 13 and I think it has its own custom CM variables too?
It's mainly for gaming purposes (CPU/GPU rendering variables). I would like to test to see if it makes a difference.
Where are the variables located? (Are they pre-programmed or listed in a certain file, for example?)
I have a rooted HTC One M8 (Vodafone) (S-On) with CM13 Nightly and latest TWRP Recovery.
1) Please make a backup first
https://www.viraltecho.com/build-prop-tweaks-for-jellybean-kitkat-lollipop-android-smartphones/
Thanks, I also have found this one (which is a bit more recent, with Marshmallow 6.0.1).
https://irisbuddies.blogspot.com/2016/06/best-build-prop-tweaks-for-android.html
