The HTC Stocks app has the best widget of all other currency apps, so I was using it on my 1.5 Hero for displaying the EURO/GBP (EURGBP=X) rate.
After the 2.1 rom update I have a strange problem. When I try to add a new ticker for "eurgbp=x", I get the error message: "Unable to recognize the company name or stock symbol you typed. Please try again." However, this worked in the past like a charm. I have to note that adding "gbp=x" or "usd=x" works fine, with no problem at all.
Maybe this problem is related to an updated version of the Stocks app in the new rom. Is anyone experiencing the same problem? I haven't found a similar thread for a Sense Android phone. The same problem exists in the latest rom of the HD2, but people have figured out a work-around by changing a file under "Application Data\HTC\"; this file doesn't exist on Android, though.
Any help would be more than welcome!
I experience the same problem (although I'm on VillainRom12). Previously, adding currencies (EURUSD=X etc.) was working, but right now I am unable to find it. This could be an HTC problem, as it was working fine on 1.5, but it could also be some Yahoo search glitch (I am unable to search for those quotes on the mobile version of the Yahoo Finance page, while the desktop version works fine). The only workaround for that was to manually edit the SQLite database of the Stocks application (but this may require root - I can provide details if necessary). Once I added the appropriate entries to the list of stocks, it seems to be working fine (it is displaying my currencies, but the search still does not work).
One other deficiency I found was the fact that graphs are not cached anymore. If I open the application and check, for example, a daily graph, I need to update it in order to see any chart - each time, even if I switch from 1D to 5D and back. It is also automatically updated each time I visit a given tab, if I enable the automatic updates. Previously this app displayed the previously cached graph. I'm not sure whether this also happens on the stock 2.1 ROM.
Now that you mention it, I have the same problem with the graphs in 2.1, too. It worked (showed the cached graph) in 1.5, but not anymore. Blank graph until it updates.
Can you provide me some guidance about how to edit the Stocks' database? At least a link to something similar would be much appreciated. Can I access the phone's system folder without rooting it, through my PC (Win, Linux, whatever)?
eeVoskos said:
Can you provide me some guidance about how to edit the Stocks' database? At least a link to something similar would be much appreciated. Can I access the phone's system folder without rooting it, through my PC (Win, Linux, whatever)?
I'm new in the business, so I'm not sure if root is necessary. You can try it anyway, to see if you will be able to push and pull files from the directory where Stocks stores its database.
Here's what I did:
1. Enable USB Debugging in Settings -> Applications -> Development -> USB Debugging
2. Download the Android SDK from http://developer.android.com/sdk/index.html
3. In the command line, go to the tools subdirectory of the Android SDK
4. Close the Stocks app and remove the Stocks widget from the screen
5. Connect the phone via USB
... (Beginning of the optional part) ...
6. Go to the Android shell
Code:
adb shell
7. List processes to see if there's a com.htc.android.Stock process (like in this case)...
Code:
ps | grep Stock
7605 10007 130m S com.htc.android.Stock
7619 0 2156 S grep Stock
8. Kill any Stock processes (using the value in the first column):
Code:
kill 7605
9. Exit to the command line
Code:
exit
... (End of the optional part) ...
10. Pull the Stock database:
Code:
adb pull /data/data/com.htc.dcs.service.stock/databases/stock.db stock.db
Sample output:
Code:
d:\Projects\Android\tools>adb pull /data/data/com.htc.dcs.service.stock/databases/stock.db stock.db
568 KB/s (5120 bytes in 0.008s)
11. Back up, just in case:
Code:
copy stock.db stock_backup.db
12. Run sqlite3
Code:
sqlite3 stock.db
13. Enable headers in sqlite:
Code:
.headers on
14. List the contents of the quotes table:
Code:
select * from quotes;
Sample output:
Code:
sqlite> select * from quotes;
_id|_name|_symbol|_price|_change|_percent|_open|_high|_low|_volume|_link|_type|_sequence|_updatetime
2|CHF/PLN|CHFPLN=X|3.08299994468689|0.0116999996826053|0.381900012493134|3.07209992408752|3.08550000190735|3.07010006904602|0|http://m.yahoo.com/htcwf/search?p=CHFPLN=X||0.0|1278490511305
3|USD/PLN|USDPLN=X|3.27649998664856|0.0200999993830919|0.617200016975403|3.25550007820129|3.27959990501404|3.24499988555908|0|http://m.yahoo.com/htcwf/search?p=USDPLN=X||100.0|1278490511305
4|EUR/PLN|EURPLN=X|4.1217999458313|0.0151000004261732|0.367700010538101|4.11250019073486|4.12349987030029|4.10799980163574|0|http://m.yahoo.com/htcwf/search?p=EURPLN=X||200.0|1278490511305
5|EUR/USD|EURUSD=X|1.25789999961853|-0.00469999993219972|-0.376199990510941|1.26170003414154|1.26259994506836|1.25689995288849|0|http://m.yahoo.com/htcwf/search?p=EURUSD=X||300.0|1278490511305
6|EUR/CHF|EURCHF=X|1.33689999580383|-0.000899999984540045|-0.0710000023245811|1.33879995346069|1.33910000324249|1.33609998226166|0|http://m.yahoo.com/htcwf/search?p=EURCHF=X||400.0|1278490511305
sqlite>
15. Note the last _id (here 6) and add the new currency with an _id higher by 1 (so here, 7):
Code:
insert into quotes (_id, _name, _symbol) values (7, "EUR/GBP", "EURGBP=X");
16. Check that it has been added:
Code:
select * from quotes;
Sample output:
Code:
sqlite> select * from quotes;
_id|_name|_symbol|_price|_change|_percent|_open|_high|_low|_volume|_link|_type|_sequence|_updatetime
2|CHF/PLN|CHFPLN=X|3.08299994468689|0.0116999996826053|0.381900012493134|3.07209992408752|3.08550000190735|3.07010006904602|0|http://m.yahoo.com/htcwf/search?p=CHFPLN=X||0.0|1278490511305
3|USD/PLN|USDPLN=X|3.27649998664856|0.0200999993830919|0.617200016975403|3.25550007820129|3.27959990501404|3.24499988555908|0|http://m.yahoo.com/htcwf/search?p=USDPLN=X||100.0|1278490511305
4|EUR/PLN|EURPLN=X|4.1217999458313|0.0151000004261732|0.367700010538101|4.11250019073486|4.12349987030029|4.10799980163574|0|http://m.yahoo.com/htcwf/search?p=EURPLN=X||200.0|1278490511305
5|EUR/USD|EURUSD=X|1.25789999961853|-0.00469999993219972|-0.376199990510941|1.26170003414154|1.26259994506836|1.25689995288849|0|http://m.yahoo.com/htcwf/search?p=EURUSD=X||300.0|1278490511305
6|EUR/CHF|EURCHF=X|1.33689999580383|-0.000899999984540045|-0.0710000023245811|1.33879995346069|1.33910000324249|1.33609998226166|0|http://m.yahoo.com/htcwf/search?p=EURCHF=X||400.0|1278490511305
7|EUR/GBP|EURGBP=X|||||||||||
sqlite>
17. Quit sqlite:
Code:
.quit
18. Push the file back to the phone:
Code:
adb push stock.db /data/data/com.htc.dcs.service.stock/databases/stock.db
Sample output:
Code:
d:\Projects\Android\tools>adb push stock.db /data/data/com.htc.dcs.service.stock/databases/stock.db
341 KB/s (5120 bytes in 0.014s)
19. Restart the phone.
20. See if that worked
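The sqlite3 part of the procedure above (back up, find the last _id, insert with _id + 1, read back) as an added Python script; this is not code from the original post. It uses the quotes column names shown in the `.headers on` dump, but the column types and sample rows are constructed, and it goes one step further than the post by also filling _link and _sequence in the pattern of the existing rows (that _sequence drives display order is an assumption).

```python
"""Offline edit of the HTC Stocks database, mirroring the post's sqlite3 steps:
back up stock.db, find the highest _id in the quotes table, insert the new
ticker with _id + 1, and read the table back to confirm.  Column names are
taken from the post's '.headers on' dump; column types are assumed and the
sample rows are constructed for demonstration."""
import shutil
import sqlite3

SEQUENCE_STEP = 100.0  # the dumped rows step 0.0, 100.0, 200.0, ... (assumed display order)
LINK_PREFIX = "http://m.yahoo.com/htcwf/search?p="  # _link pattern seen in the dump


def create_sample_db(path=":memory:"):
    """Build a stand-in stock.db with the post's quotes columns (types assumed)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE quotes (_id INTEGER PRIMARY KEY, _name TEXT, _symbol TEXT,"
        " _price REAL, _change REAL, _percent REAL, _open REAL, _high REAL,"
        " _low REAL, _volume INTEGER, _link TEXT, _type TEXT, _sequence REAL,"
        " _updatetime INTEGER)"
    )
    # Two rows modelled on the post's dump, numeric fields shortened (constructed).
    conn.executemany(
        "INSERT INTO quotes (_id, _name, _symbol, _price, _volume, _link, _sequence)"
        " VALUES (?, ?, ?, ?, 0, ?, ?)",
        [
            (5, "EUR/USD", "EURUSD=X", 1.2579, LINK_PREFIX + "EURUSD=X", 300.0),
            (6, "EUR/CHF", "EURCHF=X", 1.3369, LINK_PREFIX + "EURCHF=X", 400.0),
        ],
    )
    conn.commit()
    return conn


def add_currency(conn, name, symbol):
    """Insert a ticker the way the post does (next free _id) and return that _id.

    Also fills _link and _sequence in the same pattern as the existing rows.
    Values are bound as parameters, never pasted into the SQL string, so a
    symbol containing a quote cannot break the statement."""
    if not symbol.endswith("=X") or "/" not in name:
        raise ValueError("expected a name like 'EUR/GBP' and a Yahoo FX symbol like 'EURGBP=X'")
    if conn.execute("SELECT 1 FROM quotes WHERE _symbol = ?", (symbol,)).fetchone():
        raise ValueError(f"{symbol} is already in the quotes table")
    max_id, max_seq = conn.execute(
        "SELECT COALESCE(MAX(_id), 0), MAX(_sequence) FROM quotes"
    ).fetchone()
    new_id = max_id + 1
    new_seq = 0.0 if max_seq is None else max_seq + SEQUENCE_STEP
    conn.execute(
        "INSERT INTO quotes (_id, _name, _symbol, _volume, _link, _sequence)"
        " VALUES (?, ?, ?, 0, ?, ?)",
        (new_id, name, symbol, LINK_PREFIX + symbol, new_seq),
    )
    conn.commit()
    return new_id


def list_symbols(conn):
    """Return (_id, _symbol, _sequence) rows in _sequence order, like the post's select."""
    return conn.execute(
        "SELECT _id, _symbol, _sequence FROM quotes ORDER BY _sequence, _id"
    ).fetchall()


def edit_pulled_db(db_path, name, symbol):
    """For a stock.db pulled with adb: keep a backup copy first, then add the ticker."""
    shutil.copyfile(db_path, db_path + ".bak")  # same idea as 'copy stock.db stock_backup.db'
    conn = sqlite3.connect(db_path)
    try:
        return add_currency(conn, name, symbol)
    finally:
        conn.close()


if __name__ == "__main__":
    db = create_sample_db()
    print("inserted _id", add_currency(db, "EUR/GBP", "EURGBP=X"))
    for row in list_symbols(db):
        print(row)
```

After `edit_pulled_db("stock.db", "EUR/GBP", "EURGBP=X")` the file is pushed back with the same adb push command as in step 18.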
I hope HTC (or Yahoo) will be able to fix that, because the above is really a long process...
Anyway, I can't make it work. Entering "ps | grep Stock" gives me a "grep: permission denied" error message. I did some searching and I believe this is what people mean by saying "you need root access", right? I'll come back when I'm rooted (i.e. when I find a decent guide for rooting 2.1).
Thanks for your time & effort man. I really appreciate it.
eeVoskos said:
Anyway, I can't make it work. Entering "ps | grep Stock" gives me a "grep: permission denied" error message.
You can try to omit the "optional" part (steps 6-9) - the ps thing was just to make sure that Stock isn't running. But I noticed anyway that it never ran in the background when I closed it on the phone. Try to adb pull and adb push and see if you get any permission issues. If you do, then you indeed need root (sorry, I can't check that as I'm rooted).
A couple of days ago I updated the ROM of my HTC TD2, with the most recent one of HTC (WM6.5, Sense 2.5.20113030.0). Afterwards I noticed that I also could not get the stock app to accept the code EURUSD=X.
You mention the following
The same problem exists in the latest rom of HD2, but people have figured a work-around, by changing a file under "Application Data\HTC\", but this file doesn't exist on Android.
Can you tell me what that work-around is or point me to it? Hopefully this can help me.
Thank you in advance.
Check this thread:
http://forum.xda-developers.com/showthread.php?t=706732
eeVoskos said:
Check this thread:
Thank you for the link (which I am not allowed to repost).
Last Monday I wrote an e-mail to HTC about this problem and a couple of days later I got a reply. They told me they tried to search for the currency rate (eurusd) and that they got a result. So I tried again and lo and behold I got a result as well. Searching for eurusd=x gave me a result while last weekend it was not working.
So I tried several other currency rates and they all rendered a result, also eurgbp=x. Perhaps it is also fixed for the Android app.
[Extra information added below]
Tried again and nothing
I was connected with a data connection to my carrier, so I switched to my wifi connection. Tried again and... result.
So it seems to be a difference in communication between an ordinary data connection and a wifi connection. Maybe this will help someone.
Weird problem. I tried it too, on both UK and Greek carriers and on WiFi, but nothing. No result for any of them: "eurgbp=x", "eurgbp", "eurusd=x", "eurusd". I have been trying occasionally for more than one month now.
I think I should drop them an email too...
Why don't you do a soft (temporary) root and make the database entries as described here? I did it and now I have all the stuff I need, and no trace of root on the device.
Hi all,
I might have discovered a bug in Android 2.2.1 for the Galaxy S.
The following is the case:
My Galaxy S is running 2.2.1 and is completely standard; I am 100% sure I have not messed with root access or lagfixes or whatsoever.
It appears that when you uninstall an app from the phone, it sometimes does not remove the preferences file.
The result is that when you reinstall the same app, it gets a new uid, and it cannot save its preferences, because the app's preferences file is still on the phone, with a different uid.
In my case:
ps output:
USER PID PPID VSIZE RSS WCHAN PC NAME
app_17 19411 2366 223648 21104 ffffffff 00000000 S klwinkel.huiswerk
ls -l output:
-rw-rw---- app_107 app_107 292 2011-01-22 20:13 klwinkel.huiswerk_preferences.xml
Did more people see this problem?
Does anyone know how to report this to Samsung?
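The ownership check the post above performs by hand (compare the user the process runs as in `ps` with the owner shown by `ls -l`), as an added Python script that is not part of the original post. The sample output is constructed in the post's format, and the column layout of the old toolbox `ps`/`ls -l` (USER first and NAME last in ps; a size column only for regular files in ls) is an assumption.

```python
"""Diagnose the leftover-preferences problem from the Galaxy S post: after an
uninstall/reinstall the app runs under a new uid (app_17 in the ps output), but
a stale file in its data directory still belongs to the old uid (app_107), so
the app cannot write it.  This compares 'ps' and 'ls -l' output captured over
adb shell.  Sample output is constructed in the post's format; the old toolbox
column layout is assumed (ls -l shows a size column only for regular files)."""

# Constructed sample output, matching the post's format.
PS_OUTPUT = """USER PID PPID VSIZE RSS WCHAN PC NAME
app_17 19411 2366 223648 21104 ffffffff 00000000 S klwinkel.huiswerk
app_24 19500 2366 200000 18000 ffffffff 00000000 S com.example.other
"""
LS_OUTPUT = """drwxrwx--x app_17 app_17 2011-01-22 20:13 shared_prefs
-rw-rw---- app_107 app_107 292 2011-01-22 20:13 klwinkel.huiswerk_preferences.xml
-rw-rw---- app_17 app_17 4096 2011-01-22 20:15 klwinkel.huiswerk.db
"""


def parse_ps(text):
    """Map process name -> user from toolbox ps output (USER first, NAME last)."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "USER":  # skip blank and header lines
            continue
        users[fields[-1]] = fields[0]
    return users


def parse_ls(text):
    """Map file name -> (owner, group) from toolbox 'ls -l' output."""
    owners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        perms, owner, group = fields[0], fields[1], fields[2]
        # Old toolbox ls prints a size field only for regular files ('-' type);
        # directories and symlinks go straight from group to date (assumed).
        name_index = 6 if perms.startswith("-") else 5
        name = " ".join(fields[name_index:]).split(" -> ")[0]  # drop symlink target
        owners[name] = (owner, group)
    return owners


def find_stale_files(ps_text, ls_text, package):
    """Return [(file, owner)] for entries in the listing that do not belong to
    the user the package currently runs as; empty when ownership is consistent."""
    run_as = parse_ps(ps_text).get(package)
    if run_as is None:
        raise ValueError(f"{package} is not running; start it first so ps shows its uid")
    return [
        (name, owner)
        for name, (owner, _group) in parse_ls(ls_text).items()
        if owner != run_as
    ]


if __name__ == "__main__":
    app_user = parse_ps(PS_OUTPUT)["klwinkel.huiswerk"]
    for name, owner in find_stale_files(PS_OUTPUT, LS_OUTPUT, "klwinkel.huiswerk"):
        print(f"{name}: owned by {owner}, but the app runs as {app_user}")
```

On a real device the two inputs would come from `adb shell ps` and `adb shell ls -l /data/data/<package>/shared_prefs`, which needs enough privilege to read that directory.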
Can somebody give me an overview of the nook filesystem? There are some files I would like to change but I'm not sure what to change it to.
NMGxda said:
Can somebody give me an overview of the nook filesystem? There are some files I would like to change but I'm not sure what to change it to.
Your question is way too general to be answered. The Nook Color has an Android file system, dependent on whether it's stock or one of the various versions of Android that can be loaded on it. What files do you want to change? What are you trying to accomplish? Maybe then help and advice can follow.
Sorry about that.
I think my file://sys/power files may be messed up because it always says "Not Charging" in the quick settings when plugged in. It could also be because I used the wrong cord once. It could also be both. Could you maybe give me the default values in the files (if you have a Nook)? You can use the OpenExplorer app and open the files with a browser.
NMGxda said:
I think my file://sys/power files may be messed up because it always says "Not Charging" in the quick settings when plugged in. It could also be because I used the wrong cord once. It could also be both. Could you maybe give me the default values in the files (if you have a Nook)? You can use the OpenExplorer app and open the files with a browser.
What ROM are you using? Stock, rooted, CM7, CM9? I'll upload the file once I know.
OK
It's running stock v1.4.3
I had trouble copying my files' values last post, so I backspaced them all. I'm going to try again.
Filename/data
file:///sys/power/sr_vdd2_autocomp
1
file:///sys/power/sr_vdd1_autocomp
1
file:///sys/power/sr_steps
37500
file:///sys/power/sr_steps_1g
62500
file:///sys/power/sr_vnom_steps
50000
file:///sys/power/sr_adjust_vsel
oppid: [nominal v] [dynamic Vnom] [calib v] [calib step v] mpu 1: 0x20 0x1b 0x14 0x17 mpu 2: 0x2d 0x26 0x1f 0x22 mpu 3: 0x38 0x2f 0x28 0x2b l3 1: 0x1e 0x18 0x18 0x18 l3 2: 0x2d 0x20 0x20 0x20
file:///sys/power/vdd2_lock
0
file:///sys/power/vdd1_lock
0
file:///sys/power/vdd2_opp
2
file:///sys/power/vdd1_opp
2
file:///sys/power/dsp_freq
520000000
file:///sys/power/tick
I get this error
Web page not available
The Web page at file:///sys/power/tick could not be loaded as: Invalid argument
file:///sys/power/fb_state
awake
file:///sys/power/wait_for_fb_wake
awake
file:///sys/power/wait_for_fb_sleep
It would not load.
file:///sys/power/wake_unlock
It would not load.
file:///sys/power/wake_lock
It would not load.
file:///sys/power/pm_test
It would not load.
file:///sys/power/state
It would not load.
Mine always says "not charging" when plugged into my computer.
turdferguson92 said:
Mine always says "not charging" when plugged into my computer.
It happens when I plug it into the wall.
NMGxda said:
It's running stock v1.4.3
I had trouble copying my files values last post so I backspaced them all. I'm going to try again.
--SNIP--
Based on the number of files, the fact that it's not rooted, and other things, I think your best option is to go the 8 boot route and reinstall the software.
Hi,
I found information about CVE-2014-7911 and CVE-2014-4322, so I thought this should also work on our Amazon devices with Fire OS 4.5.x. I googled and found this: http://packetstormsecurity.com/files/130112/android-root.zip . It seems that someone already had this idea. I also found out that this method was already used for other devices in this forum. I'm trying to get the source in the zip file to run, but it seems that it needs some modifications for Fire OS.
It seems that Fire OS uses an amazon.os.AmazonUserManager instead of Android's UserManager. Does somebody have an idea how to get information about this class? It looks like the interface is not found in the Amazon Fire SDK. Does somebody have more experience than me with that SDK?
Hope someone is able to help me with this. Root for this device would sincerely improve it in my eyes
Please edit this post so the link will be usable. I do not fulfill the 10 posts restriction.
Follow-up to previous post.
I was able to change the code so it will not crash on FireOS. The actual UserManager is in the field mDelegate of the AmazonUserManager.
The change would be:
Code:
UserManager um2 = (UserManager) ctx.getSystemService(Context.USER_SERVICE);
Field fDelegate = um2.getClass().getDeclaredField("mDelegate");
fDelegate.setAccessible(true);
UserManager um = (UserManager) fDelegate.get(um2);
What I achieved is a reset of the device. So I think the ROP chain is wrong for this device. Has somebody ideas in this direction?
EDIT: A right ROP chain on my device (Version 4.5.2) seems to be:
Code:
static int rop_chain_THOR[] = {0x0004eab0,0x000247a4+4+1,0x0003cf90+8,0x0002553d};
Sadly somehow it is still not working.
It seems that we are really able to implement CVE-2014-7911 to work on Fire OS. Attached you will find the log of a crash.
For me it looks like the binary of CVE-2014-4322 is being started but crashes. Could it be that it is not started correctly, or that Amazon already patched CVE-2014-4322?
I will have a further look at this, but I don't have enough time to bring this to a ready solution in a short time. Maybe someone with more experience can have a look at it?
Greetings Phate
Why don't you put this in the dev section?
I'm pretty sure that our devs @vortox , @ggow and @Cpasjuste could help us
ONYXis said:
Why don't you put this in the dev section?
I'm pretty sure that our devs @vortox , @ggow and @Cpasjuste could help us
I do not have the permission to create a thread there. It would be nice if some mod could move this thread.
I really hope that one of these will work...
Hi, I'll try to take a look this week if I find the time.
Cpasjuste said:
Hi, I'll try to take a look this week if I find the time.
This is great. I hope that you can see something.
I confirmed that CVE-2014-7911 is working (with some modifications). The binary of the second stage is started. I could not yet confirm that it is started with system privileges. This would be one of the next steps. Maybe by doing something that only system can do?
CVE-2014-4322 crashes during the privilege escalation. Maybe Am*zon did something different and we need to change the code.
The second crash of system_server (that causes the partly reset of the device) is normal and is caused by CVE-2014-7911.
More follow-up:
I added some logcat traces to the binary to be able to find where the second stage crashes.
It is here:
Code:
void* addr = mmap(intArr[0],4096,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,-1,0);
*(int*)addr = 0xE3500000;
*((int*)((int)addr+4)) = 0xe1a0f00e;
memcpy(addr,shell_code2,400);
mmap() and the ioctl before it are returning 0xffffffff. I really need to find time to read up on this exploit to understand how it works and find a solution to this.
But I confirmed that the binary is running as system user. getuid() reports 1000.
Log is attached. Binary shows itself in the log with the tag msm-ndk.
mmap follow-up
So I did some digging and was able to duplicate the crash at mmap just as Phate123 did; however, I took it a step further and was able to get it to run through, but it doesn't appear to actually escalate to root, so the mount doesn't work.
In order to get it to not crash, you can change the mmap to the following:
Code:
void* addr = mmap(intArr[0],4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
Unfortunately this either breaks the exploit or it doesn't work on the 4.5.2. Anyway maybe this will help someone else. I have spent too much time getting this far without any real results and I am way out of my league when it comes to things like mmap.
@awinston: Thx for your reply.
The problem is not mmap. The call to ioctl returns a wrong pointer. It is used again here in intArr[0]. Because of that, the call to mmap does not work.
You are right in thinking that this maybe means the exploit will not work on 4.5.2 because it is already fixed. But this is yet to be confirmed. There might still be hope.
ioctl pointer question
So I have been doing more research and cobbling together a variety of the exploits, and I wanted to know if I am headed in the right direction or not, considering I am struggling to understand exactly what I am doing.
Here is my most recent logcat attempt
02-13 16:18:13.319 4324-4324/? D/TAG﹕ ROOTUID 1000
02-13 16:18:13.319 4324-4324/? D/TAG﹕ Tzwidevine: 0, app_id: -1098148004
02-13 16:18:13.319 4324-4324/? D/TAG﹕ Keymaster: -1, app_id: 2
02-13 16:18:13.319 4324-4324/? D/TAG﹕ QSEECOM_IOCTL_SEND_CMD_REQ return 0x1 0x1
02-13 16:18:13.319 4324-4324/? D/TAG﹕ ioctl return 0x0
02-13 16:18:13.319 4324-4324/? D/TAG﹕ mmap return 0x400ef000
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xe59f0004
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xe92d0001
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xe8bd8000
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0x40023d2d
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xb5006803
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xd503005a
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0x6122280
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xe0014313
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0x85b005b
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xbd0018c0
02-13 16:18:13.319 4324-4324/? D/TAG﹕ QSEECOM_IOCTL_SEND_CMD_REQ
02-13 16:18:13.329 4324-4324/? D/TAG﹕ return 0x1 0x1
02-13 16:18:13.329 4324-4324/? D/TAG﹕ ioctl return 0xffffffff
02-13 16:18:13.329 4324-4324/? D/TAG﹕ ROOTUID 1000
You will notice ioctl returns 0x0 initially, which in turn allows me to mmap, but it is still not escalating to root. Does this look like what you might expect if I am going in the right direction? That being said, if this is promising, the next question I have is about the PTMX_FOPS static. I have found versions for 4.4.2, 4.4.4 and 5.0.0 and some unknown version. I have tried all with the same result. Is it possible that we need one for 4.4.3, since that is what 4.5.2 is running?
Anyway if I am barking up the wrong tree just let me know, wanted to throw it out there to see what anyone thought.
Alternatively this means that maybe 4.5.2 isn't vulnerable to this exploit.
I am pretty sure that 4.5.2 is vulnerable. I say this because the qseecom.c provided by Amazon here for 4.5.2 seems to be very close (only some cosmetic changes) to commits 568757f02d9a243bad7f70cebfa414c4a65f361f and ed45a48430e7f67e1648d45514989af0e04f0e97 from Code Aurora.
I did a diff with all the revisions and these two came up with only 3 lines different to the qseecom.c that Amazon released.
I also extracted the kernel image from bootimg.bin and grepped for the new format strings included by the patches. The fact that nothing showed up strongly suggests that the kernel build doesn't include the patches.
Now the only step that remains is to get the addresses of the exported symbols (mainly ptmx_fops). The simple way would have been to boot the kernel and get what we need from /proc/kallsyms. Unfortunately the addresses aren't shown by default and the restriction must be dropped by "echo 0 > /proc/sys/kernel/kptr_restrict" as root. As I don't think there is anyone currently running a pre-rooted 4.5.2 rom, the only option remaining is to disassemble the kernel. I hope I'll manage to do this today.
p1gl3t said:
I am pretty sure that 4.5.2 is vulnerable. I say this because the qseecom.c provided by Amazon here for 4.5.2 seems to be very close (only some cosmetic changes) to commits 568757f02d9a243bad7f70cebfa414c4a65f361f and ed45a48430e7f67e1648d45514989af0e04f0e97 from Code Aurora.
I would not be sure about that. I don't think the provided source does match the actual implementation 100 percent.
p1gl3t said:
I did a diff with all the revisions and these two came up with only 3 lines different to the qseecom.c that Amazon released.
I also extracted the kernel image from bootimg.bin and grepped for the new format strings included by the patches. The fact that nothing showed up strongly suggests that the kernel build doesn't include the patches.
This is good news. This could really mean that this might really work.
p1gl3t said:
Now the only step that remains is to get the addresses of the exported symbols (mainly ptmx_fops). The simple way would have been to boot the kernel and get what we need from /proc/kallsyms. Unfortunately the addresses aren't shown by default and the restriction must be dropped by "echo 0 > /proc/sys/kernel/kptr_restrict" as root. As I don't think there is anyone currently running a pre-rooted 4.5.2 rom, the only option remaining is to disassemble the kernel. I hope I'll manage to do this today.
I will try that too, but I'm not sure about which symbols are needed and if I'm able to find them.
p1gl3t said:
As I don't think there is anyone currently running a pre-rooted 4.5.2 rom, the only option remaining is to disassemble the kernel. I hope I'll manage to do this today.
Cpasjuste posted a 4.5.2 version for TWRP...
Maybe this helps you with testing...
4.5.2 Kernel addresses and symbols
Code:
[+]mmap
mem=b6553000 length=010cad08 offset=09ab5000
[+]kallsyms_addresses=c0aec330
count=00016d24
[+]kallsyms_num_syms=00016d24
[+]kallsyms_names=c0b477d0
[+]kallsyms_markers=c0c4d070
[+]kallsyms_token_table=c0c4d630
[+]kallsyms_token_index=c0c4d9f0
[+]kallsyms_lookup_name
Code:
c11bf690 ptmx_fops
Full list of symbols: see attachment
@awinston
Would you mind trying your code changing the define of PTMX_FOPS in the top of the source to 0xc11bf690?
Also would you share the changes you did to it?
Phate123 said:
@awinston
Would you mind trying your code changing the define of PTMX_FOPS in the top of the source to 0xc11bf690?
Also would you share the changes you did to it?
Attached as msm3.c
Tried but doesn't seem to work. Feel free to give what I have a try, maybe I am missing something obvious. One oddity is that QSEECOM_IOCTL_APP_LOADED_QUERY_REQ only seems to work after a hard restart. Not sure what that means. Another thing to note is that this version of the exploit is considerably different than some of the other versions I have seen floating around so maybe making some more changes to this one will prove fruitful. The biggest change I made was adding the QSEECOM_IOCTL_APP_LOADED_QUERY_REQ along with some changes to the ion_alloc_data. These changes seem to match more closely the giefroot version that was reverse engineered.
4.5.3 update
Just got 4.5.3 pushed, crap. WARNING to others, not sure what this means for this potential exploit.
Phate123 said:
4.5.2 Kernel addresses and symbols
Code:
[+]mmap
mem=b6553000 length=010cad08 offset=09ab5000
[+]kallsyms_addresses=c0aec330
count=00016d24
[+]kallsyms_num_syms=00016d24
[+]kallsyms_names=c0b477d0
[+]kallsyms_markers=c0c4d070
[+]kallsyms_token_table=c0c4d630
[+]kallsyms_token_index=c0c4d9f0
[+]kallsyms_lookup_name
Code:
c11bf690 ptmx_fops
Full list of symbols: see attachment
For thor-ship_452-kitkat-build I got C11BF250 b ptmx_fops. Here you have all the symbols and here is the IDA script (credits go to Igor Skochinsky).
awinston said:
Just got 4.5.3 pushed, crap. WARNING to others, not sure what this means for this potential exploit.
Do a factory reset to delete the downloaded ota and try to use a proxy to block the requests.
I have included the Phone and Mobile data related settings in the LineageOS build for the SM-P555 gt5note10lte (Galaxy Tab A 9.7 SPen),
but the SIM card is not getting detected. The SIM works well when switched back to the Stock ROM.
My sources are available here.
Device Tree for gt5note10lte
Kernel for msm8916 gt5note10lte
Vendor files for gt5note10lte
@retiredtab requesting your assistance on this.
Issue Video
Thanks in advance.
Your best bet to get this working is to study/copy the RIL/radio settings from a phone device that works using the msm8916 repos at
https://github.com/orgs/Galaxy-MSM8916/repositories
Look through that list and see which phone device has an active maintainer or is officially supported by LineageOS and then look at their settings for RIL/radio code.
You also need to look through your adb logcat for RIL/radio errors or messages to tell you what is wrong with your build. I have NO RIL/radio devices in my collection, only wifi devices.
retiredtab said:
Your best bet to get this working is to study/copy the RIL/radio settings from a phone device that works using the msm8916 repos at
https://github.com/orgs/Galaxy-MSM8916/repositories
Look through that list and see which phone device has an active maintainer or is officially supported by LineageOS and then look at their settings for RIL/radio code.
You also need to look through your adb logcat for RIL/radio errors or messages to tell you what is wrong with your build. I have NO RIL/radio devices in my collection, only wifi devices.
Thanks for your prompt response.
I have followed the gtesqltespr device tree for a start and integrated my changes.
I have also read online where they suggested the MODEM files; I flashed them from my TWRP backup, but still no luck.
Looking into logcat as per your suggestion.
Attaching the logcat file here too.
Your problem probably lies here.
Code:
11-16 21:44:25.397 223 2135 E hwservicemanager: Failed to set property for starting [email protected]::IRadio/slot1
11-16 21:44:25.596 2136 2136 F linker : CANNOT LINK EXECUTABLE "/vendor/bin/hw/rild": cannot locate symbol "ril_service_name" referenced by "/system/vendor/bin/hw/rild"...
11-16 21:44:25.599 1 1 W libc : Unable to set property "ro.init.updatable_crashing_process_name" to "ril-daemon": error code: 0xb
11-16 21:44:25.599 1 1 W libc : Unable to set property "ro.init.updatable_crashing" to "1": error code: 0xb
11-16 21:44:26.396 1209 1209 W ServiceManagement: Waited one second for [email protected]::IRadio/slot1
Fix the CANNOT LINK EXECUTABLE and maybe the android.hardware.radio will stop crashing.
retiredtab said:
Your problem probably lies here.
Code:
11-16 21:44:25.397 223 2135 E hwservicemanager: Failed to set property for starting [email protected]::IRadio/slot1
11-16 21:44:25.596 2136 2136 F linker : CANNOT LINK EXECUTABLE "/vendor/bin/hw/rild": cannot locate symbol "ril_service_name" referenced by "/system/vendor/bin/hw/rild"...
11-16 21:44:25.599 1 1 W libc : Unable to set property "ro.init.updatable_crashing_process_name" to "ril-daemon": error code: 0xb
11-16 21:44:25.599 1 1 W libc : Unable to set property "ro.init.updatable_crashing" to "1": error code: 0xb
11-16 21:44:26.396 1209 1209 W ServiceManagement: Waited one second for [email protected]::IRadio/slot1
Fix the CANNOT LINK EXECUTABLE and maybe the android.hardware.radio will stop crashing.
Yes, trying to figure out how to fix it.
@DJABHipHop Hi, can you help me on this if you have already enabled SIM for the Galaxy Tab E device?
psuryatej said:
@DJABHipHop Hi, can you help me on this if you have already enabled SIM for the Galaxy Tab E device?
PM me on Telegram.
DJABHipHop said:
PM me on Telegram.
Also, my source is 100% bug free on the Samsung Galaxy Tab E 9.6 MSM9816 and, for the most part, on the Samsung Galaxy Tab E 8.0 MSM9816.