My question is: In what ways am I trusting the build author of a ROM build?
My assumptions: I think I know that there are two distinct (groups of) developers (at least for unofficial custom ROM builds, which my question is concerned with):
A) ROM developers who develop a version of Android (e.g. the developers of LineageOS, Evolution X, Havoc OS etc.)
B) Build authors who make a certain ROM (e.g. LineageOS, Evolution X, Havoc OS etc.) work for a specific device.
An observation I have made: In these [unofficial] [ROM] threads the only open source code I usually find is the one that links to the main ROM project (ROM development). Example: https://forum.xda-developers.com/poco-f1/development/rom-corvus-rom-t4073433/amp/ links to https://github.com/Corvus-ROM
I could imagine three ways in which security/review works (or doesn't work) here:
1) The build author doesn't add any code himself that would need to be trusted / reviewed. The build author just compiles the source code of the ROM project and since anyone who does this arrives at a build file with the same source code it is possible to verify the authenticity of the build (comparing the hash of the build file which is offered for download by the build author and the hash of a self compiled build file).
This gives the build author a strong incentive not to be malicious because even the mere possibility that someone could verify the authenticity of his build implies a potential reputation loss.
2) The build author adds code that needs to be reviewed / trusted but the build author publishes this code and compiles a build file which is based on the open source code of the ROM project (e.g. https://github.com/Corvus-ROM) and his own code (also open source). Like in (1) anyone could compile the same build file from the "rom code" and the "build code" and compare the hash of this file to the hash of the file which is offered for download.
3) The build author adds code to the "ROM code" which should be reviewed like in (2) but doesn't make it public, so that there is no way to verify whether the build is actually trustworthy: not only could the code added by the build author be malicious, there is also no way to verify whether the public code of the official ROM project has been used for this build, because even if it was used no one could verify this, because no one could replicate the build file and its hash, because besides the open source code of the ROM project there is a closed source component to the build.
The only way to verify the trustworthiness of the ROM in this case would be to observe whether the ROM behaves maliciously / unexpectedly in any way.
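A check for scenarios (1) and (2) above, added here as an example and not part of the original post: it compares a self-compiled flashable zip with the downloaded one entry by entry, so a mismatch is pinned to specific files rather than to one whole-file hash. It assumes both builds are zip files and that the downloaded one is signed by the build author, so the entries under META-INF/ (which the author's signing key produces) are expected to differ and are reported separately; the two sample zips are constructed inline.

```python
import hashlib
import io
import zipfile

SIGNATURE_PREFIX = "META-INF/"  # signapk writes CERT.RSA, CERT.SF, MANIFEST.MF here

def entry_digests(zip_bytes):
    """Map every file entry of a flashable zip to the SHA-256 of its decompressed contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_builds(self_built, downloaded):
    """Classify each entry: match, differ, only on one side, or signature metadata."""
    mine, theirs = entry_digests(self_built), entry_digests(downloaded)
    report = {"match": [], "differ": [], "only_self": [], "only_download": [], "signature": []}
    for name in sorted(set(mine) | set(theirs)):
        if name.startswith(SIGNATURE_PREFIX):
            report["signature"].append(name)  # expected to differ: author's signing key
        elif name not in theirs:
            report["only_self"].append(name)
        elif name not in mine:
            report["only_download"].append(name)
        elif mine[name] == theirs[name]:
            report["match"].append(name)
        else:
            report["differ"].append(name)
    return report

def reproducible(report):
    """True when every non-signature entry is byte-identical on both sides."""
    return not (report["differ"] or report["only_self"] or report["only_download"])

def make_zip(entries):
    """Build a small in-memory zip; used only to construct the sample builds below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample builds: same payload, but the download is signed and ships one
# extra binary that the published source does not produce (the scenario-3 situation).
PAYLOAD = {"boot.img": b"kernel+ramdisk", "system/build.prop": b"ro.build.id=X"}
SELF_BUILT = make_zip(PAYLOAD)
DOWNLOAD = make_zip({**PAYLOAD, "system/bin/extra": b"\x7fELF", "META-INF/CERT.RSA": b"sig"})
```

In practice files such as system/build.prop embed the build date, host and user, so a difference reported there has to be read rather than taken as tampering on its own.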
Hi all,
I'm having trouble trying to check out a version of the Android source code from the git repository, with a known build.
For example, my Droid 1 is running:
2.6.32.9-g68eeef5
[email protected] #1
frg83d
I first figured that g68eeef5 referred to the git hash, but using gitk it appears that this is not a valid hash.
Does anyone know how I might be able to grab the kernel code for this build?
Thanks!
George
You could check out this guide http://stackoverflow.com/questions/315911/git-for-beginners-the-definitive-practical-guide#316055, in case you haven't already. It's got info on checking out branches - you'll need to know its name - and a lot more.
It seems g68eeef5 is kernel-specific - it might correspond to a revision/version of the kernel only (as opposed to the android system). That would not correspond to a branch though - kernel or android - rather to a revision inside a branch I'd think.
Right, I'm trying to find the exact kernel branch or revision. g68eeef5 can't be a hash, since it has a 'g' in it, so I'm not sure what it corresponds to exactly.
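A small parser for that version string, added here as an example and not part of any of the posts above. The `-g68eeef5` suffix is what the kernel's scripts/setlocalversion appends when the source tree is a git checkout: a literal `g` (for git) followed by the abbreviated commit id, with `-dirty` added if the tree had uncommitted changes. The commit to look up is therefore `68eeef5`; whether it exists in a particular public tree is a separate check, which the block turns into a git command (the `kernel_tree` path is a placeholder).

```python
import re

# Suffix appended by the kernel's scripts/setlocalversion for a git checkout:
# "-g" + abbreviated commit id, then "-dirty" if the working tree had local changes.
# The leading "g" is a literal marker meaning "git", not a hex digit of the hash.
GIT_SUFFIX_RE = re.compile(r"^g(?P<commit>[0-9a-f]{7,40})$")

def parse_kernel_release(release):
    """Split a `uname -r` style string into version, git commit id and dirty flag.

    'commit' stays None when no -g<hash> component is present (built from a tarball
    or with CONFIG_LOCALVERSION_AUTO disabled); other components such as a vendor
    tag ("-perf") are collected under 'extra'.
    """
    parts = release.split("-")
    info = {"version": parts[0], "commit": None, "dirty": False, "extra": []}
    for part in parts[1:]:
        m = GIT_SUFFIX_RE.match(part)
        if m:
            info["commit"] = m.group("commit")
        elif part == "dirty":
            info["dirty"] = True
        else:
            info["extra"].append(part)
    return info

def git_commands(release, kernel_tree="path/to/kernel"):
    """Commands to confirm the commit exists in a candidate tree and to pin the
    checkout to it; None when the release string carries no commit id.
    kernel_tree is a hypothetical placeholder for the cloned kernel repository."""
    commit = parse_kernel_release(release)["commit"]
    if commit is None:
        return None
    return [
        f"git -C {kernel_tree} cat-file -e {commit}^{{commit}}",  # is it in this tree at all?
        f"git -C {kernel_tree} checkout {commit}",
    ]
```

An abbreviated id from a vendor's internal tree need not exist in any public repository, which is what the first command tells you before you go looking for a branch.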
I am working with some large open source projects and some smaller custom C code. I can successfully compile and link these using the ndk-build API even when linking against shared object files within the Android tree. I get functional shared object files and executables for the Android platform. However, it seems that when the applications are built stand-alone (meaning outside the Android source code tree using only ndk-build) the stdio functions do not operate properly. When the same code is placed under external within the Android source code tree and built with Android, the stdio functions work exactly as expected.
I have tried building with ndk r4 and r6, then we tried building with the ndk r4 from within the Android tree. (2.2.1)
the functions in question are
close() - hangs a process when the process is forked
fprintf() - nothing gets written
fopen() for write - the file does not get created as a new file
remove()
unlink()
etc.
I have not tested beyond these functions.
The question is why does the stand-alone built code not function properly while the same code built within the Android tree executes properly?
Any insight would be greatly appreciated.
Thanks,
Adam
Edit your post and add a meaningful thread title.
additional info
Seems in particular that close(0), close(1), and close(2) cause a process hang when fork() is used.
When built with Android code under the external directory, everything works as expected.
Hi guys,
I have been working on this for some time and here it is.
Please read FAQ first
FAQ:
Can I compile an MT6589 kernel for every phone?
As you know, an MT6589 kernel won't fit every MT6589 smartphone because of specific configs/files in the kernel source tree.
So, if you compile my kernel, which is expected to work on a Faea F2S, don't expect it to work on an Acer Liquid E3, for example.
Conclusion: you have to get the kernel source for your phone.
How can I check my kernel source?
Of course, it is not enough to see "source code for ZTE N986"; you have to check whether it's complete or not and whether it works.
Most people don't know what a working kernel source is. You just have to read the GPL guidelines that every manufacturer has to comply with:
“The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.”
The part which does not have to be included is the toolchain, but there should be a reference to it (which toolchain to use).
For the MT6589 kernel, the toolchains arm-eabi-4.6 and arm-linux-androideabi-4.6 should be used. (MTK used arm-linux-androideabi-4.6 for the kernel but it should be arm-eabi-4.6.)
So now you know which toolchain to grab, and then for the kernel source you have to check for this minimal structure:
bionic
kernel
mediatek
build
config
custom
kernel
platform
README
If I have the kernel source, can I build it for my device?
Erm... Sometimes the structure is there but the kernel source is messy... Why?
Because you were not provided with the matching source of the kernel used on your smartphone, and the reasons are multiple (I won't give details).
So, the idea is to run a first build. If you get errors, then check the steps above about toolchain and structure.
The next step for fixing errors is to play with the source. Good luck with that.
What are the benefits of a custom kernel for MT6589?
The first big benefit is to introduce KitKat compatibility, because there was an issue in the Android binder driver in the MTK kernel source.
The next benefit is to be able to remove some stuff from MTK which is useless on the user side and wastes resources (a lot of debug, for example).
Other benefits will be in optimizations or new features (see frandom, for example).
HOWTO:
Build from my repo (specific devices supported) - It's not for compiling your kernel source but to understand how the kernel build works
I explain how to build from my repo first because it can help you to understand how you should build the kernel source.
Prerequisites: a build environment (actually Ubuntu Saucy x64 with build-essential, ccache, repo, java, perl v5.14+ and openssl); I won't explain how to get one as there are multiple howtos on the net.
For repo, the idea is to create a bin directory in your $HOME (usually /home/accountname/), copy the repo binary inside it and then add this bin to the $PATH var.
BE CAREFUL WHAT YOU DO WITH THE $PATH VAR! I always see people doing:
Code:
export PATH=/home/foo/bin
This erases the $PATH var; just check before and after with echo $PATH.
So the idea is to introduce your path AFTER the actual $PATH var.
This is easy...
Code:
export PATH=$PATH:/home/foo/bin
And of course, $PATH is reset once you close the terminal, and I won't explain how to set $PATH automatically.
Once you have got this, everything should be working and it will be easy:
Code:
mkdir workdir
cd workdir
repo init -u https://github.com/Dr-Shadow/android_kernel_mt6589_manifest.git -b master
repo sync
Then you should get this in your workdir :
kernel
manifest
mtk-tools
out
ramdisk
scripts
toolchain
Just do:
Code:
cd kernel
./certificates.sh
./build.sh
./certificates.sh is needed only once (it's for signing the flashable zip and it will set up some keys for it; just reply to the questions and don't add a passphrase).
And of course, build.sh contains most things you need to know about the steps for building the kernel (which commands to use), and you need to know how it works.
Build from your own kernel source
I'm building the doc... I have to remember which vars need to be overridden.
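A script that runs the checks from the FAQ above ("How can I check my kernel source?") against a vendor kernel drop. It is an added example, not part of Dr-Shadow's repo or post; it assumes the build, config, custom, kernel and platform entries in the FAQ's list are subdirectories of mediatek (the post lists them without indentation) and that a release states its toolchain through a CROSS_COMPILE assignment in kernel/Makefile or a top-level build script. The two sample trees are constructed in a temp directory.

```python
import os
import re
import tempfile

# Minimal tree the FAQ expects from an MT6589 kernel release. Nesting of the
# mediatek/ entries is an assumption; the post lists them without indentation.
REQUIRED_DIRS = ("bionic", "kernel", "mediatek/build", "mediatek/config",
                 "mediatek/custom", "mediatek/kernel", "mediatek/platform")
EXPECTED_TOOLCHAIN = "arm-eabi-4.6"  # the FAQ's recommendation for MT6589 kernels
CROSS_COMPILE_RE = re.compile(r"^\s*(?:export\s+)?CROSS_COMPILE\s*[:?]?=\s*(\S+)", re.M)

def missing_dirs(root):
    """Required directories that are absent under root."""
    return [d for d in REQUIRED_DIRS if not os.path.isdir(os.path.join(root, d))]

def referenced_toolchains(root):
    """CROSS_COMPILE values found in the kernel Makefile or a top-level build script,
    i.e. the release's own statement of which toolchain it was built with."""
    found = set()
    for name in ("kernel/Makefile", "Makefile", "build.sh"):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                found.update(CROSS_COMPILE_RE.findall(fh.read()))
    return sorted(found)

def check_kernel_source(root):
    """Structural completeness plus whether the stated toolchain is the expected one."""
    toolchains = referenced_toolchains(root)
    return {"missing": missing_dirs(root), "toolchains": toolchains,
            "expected_toolchain": any(EXPECTED_TOOLCHAIN in t for t in toolchains)}

def make_sample_tree(dirs, makefile_line):
    """Create a constructed sample release in a temp dir (demo input, not real source)."""
    root = tempfile.mkdtemp(prefix="mt6589_")
    for d in dirs:
        os.makedirs(os.path.join(root, d))
    os.makedirs(os.path.join(root, "kernel"), exist_ok=True)
    with open(os.path.join(root, "kernel", "Makefile"), "w") as fh:
        fh.write("# constructed sample Makefile\n" + makefile_line + "\n")
    return root

# One complete drop using the recommended toolchain, and one that lacks
# mediatek/custom and was built with the prefix MTK shipped instead.
COMPLETE = make_sample_tree(REQUIRED_DIRS,
                            "CROSS_COMPILE ?= /opt/toolchains/arm-eabi-4.6/bin/arm-eabi-")
INCOMPLETE = make_sample_tree([d for d in REQUIRED_DIRS if d != "mediatek/custom"],
                              "export CROSS_COMPILE := /opt/toolchains/arm-linux-androideabi-4.6/bin/arm-linux-androideabi-")
```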
Thanks for making this thread, brother; it will help us to learn... Subscribed.
Looking forward to the how-to to build with your own kernel source.
Thank you Dr-Shadow! This is very cool. I'm going to try it out!
Great
It's always nice to see further development on MTK Based Devices.
Regards
I'll chip in and say thanks too. Finally getting around to trying to compile Alcatel's OneTouch Hero (aka TCL Y910) provided sources.
I might be in as well with A820, but I'm relatively new to Android and have only done porting of 4.1 and 4.2 so far.
Haven't built anything although I have some knowledge about the source code and SDK, which I've only used for reference purposes and the tools from it.
Will try to compile the stock kernel this weekend, but I'm not quite sure if something else is needed, even if the kernel source seems complete to me.
I'm a quick learner and have a lot of programming experience in other technologies, even though I'm more of a front-end developer these days.
I know that this source is not Lineage, but I would think the basic principles for building for a supported device under Lineage would also be applicable to any other source repository.
All of the guides I have found only tell you how to build for a supported device and give no help for an unsupported one. I figured out how to sync a suitable device tree and kernel etc., but since the ROM source repository does not support my device I can't go any further. I can't get it to build from my synced local sources; it keeps trying to pull stuff from the original source repository, so builds fail at the start.
I have set up a local manifest for this project that syncs the device tree, a kernel and the proprietary blobs, and this sync completes without error. Next I ran source build/envsetup.sh and then brunch hlte (not a supported device, I know) but that throws up this error -
build/core/product_config.mk:248: * Can not locate config makefile for product "gzosp_hlte". Stop.
Device hlte not found. Attempting to retrieve device repository from GZOSP-Devices Github (http://github.com/GZOSP-Devices).
Repository for hlte not found in the GZOSP-Devices Github repository list.
If this is in error, you may need to manually add it to your .repo/local_manifests/gzosp_manifest.xml
build/core/product_config.mk:248: * Can not locate config makefile for product "gzosp_hlte". Stop.
So I think that the error basically means that github.com/GZOSP-Devices does not have the hlte device listed, so can anyone tell me how to make the build point to my local repository after I have synced, so that it at least starts to build?
I am a newbie to rom building and have much to learn but I would really appreciate any help you guys could give.
Thanks in advance for any and all help offered.
Hello, can someone give me a hint on how to build Lineage (based on the work of @SyberHexen) on my own?
I think most of the work is done, but I want to dig a bit deeper into it.
I know there are several guides, specific to one device but I don't know how to include the sources of SyberHexen.
Thanks!
Set up your build environment with Java and all the required packages. Set up repo and grab the source code. Clone the device, kernel and vendor trees. Go through the steps to initialize your build system, then build the ROM.