Request for _CURRENT_ docs on creating a simple update.zip - Android Software Development

I have searched, read, and tested my butt off on this so, I'm not posting without doing my own homework. I promise.
I'm looking for CURRENT documentation on how to create a standard update.zip file that simply copies a file into /system/foo/bar and chmods it.
All the links I've looked at seem to have old deprecated syntax on the update-script file, or the examples given simply do not work.
I do NOT want to download someone else's script-pak, windows app, or any other such thing that makes it for me.
As for signing, I'm completely comfortable signing using the SDK, although I'll probably take the easy route with ZipSigner/Signapktic running on the phone/tab now that I've discovered those.
Can someone please post a very simple howto?

Thanks for posting this -- I'm with you, I'm not a script-kiddie using someone else's tools, I want to learn it for myself, but like you, I've searched, and what I've found -- while probably correct and accurate -- isn't working the way they say it should. I've even followed the directions on android.com itself and they fail, so I'm starting to suspect my recovery or my ROM is at fault, not the signing itself.
I have a bunch of files I want to place in /system/foo/bar and chmod, as you say, and the error I'm getting is "No signature (172 files) Verification Failed". I do indeed have signatures in the file, as when I open them I see CERT.RSA and others that weren't there before signing, so IDK what the deal is with the error I'm getting (obviously something's missing -- maybe a public key verification from a trusted authority like Thawte or VeriSign).
I see you, too, are getting as much help as I am seeing others get. They start threads, get all sorts of praise from script kiddies who have no clue and just see a point-click solution, and then someone asks for real help and everyone shuts up for months until the thread eventually dies.
But kudos to you, sir, for being in the same boat as I!

cj chitwood said:
Thanks for posting this -- I'm with you, I'm not a script-kiddie using someone else's tools, I want to learn it for myself, but like you, I've searched, and what I've found -- while probably correct and accurate -- isn't working the way they say it should. I've even followed the directions on android.com itself and they fail, so I'm starting to suspect my recovery or my ROM is at fault, not the signing itself.
I have a bunch of files I want to place in /system/foo/bar and chmod, as you say, and the error I'm getting is "No signature (172 files) Verification Failed". I do indeed have signatures in the file, as when I open them I see CERT.RSA and others that weren't there before signing, so IDK what the deal is with the error I'm getting (obviously something's missing -- maybe a public key verification from a trusted authority like Thawte or VeriSign).
I see you, too, are getting as much help as I am seeing others get. They start threads, get all sorts of praise from script kiddies who have no clue and just see a point-click solution, and then someone asks for real help and everyone shuts up for months until the thread eventually dies.
But kudos to you, sir, for being in the same boat as I!
Click to expand...
Click to collapse
See my other reply to you in a similar topic.

I may be wrong but dont you have to sign system apps with the same key that the rom was signed with.
You can compile and sign from source and then add system apps or data
From something awesome

killersnowman said:
I may be wrong but dont you have to sign system apps with the same key that the rom was signed with.
You can compile and sign from source and then add system apps or data
From something awesome
Click to expand...
Click to collapse
System apps must be signed using the same key that is used to sign the platform. This has nothing to do with the ZIP signature that may or may not be present on a recovery update. The actual platform public key is stored within the ROM and gets extracted just like any other file in the system image.
If you compile from source, you use the platform key provided in the source; typically: build/target/product/security/platform.x509.pem. If you are an OEM like say HTC, you'll use your own key to compile the platform and sign the system apps.

Gene Poole said:
System apps must be signed using the same key that is used to sign the platform. This has nothing to do with the ZIP signature that may or may not be present on a recovery update. The actual platform public key is stored within the ROM and gets extracted just like any other file in the system image.
If you compile from source, you use the platform key provided in the source; typically: build/target/product/security/platform.x509.pem. If you are an OEM like say HTC, you'll use your own key to compile the platform and sign the system apps.
Click to expand...
Click to collapse
So in order to put ringtones in the appropriate system folder, I have to sign the update.zip with the same key that e.g. Roalex uses to sign the ROM? Of course that won't work, as I don't have his key, and then there are kernels and themes that other people make that work, and surely they don't have Roalex's key.
So I think I'm misunderstanding this still.
But if I compile from source, I sign with the key that's in the source, so if I know Roalex compiles from source, if he signs with the source key, I can sign an update.zip with that key and it will work?
Also, Recovery says there is NO signature in the file, but does that not necessarily mean really what it says?

I don't know who Roalex is. I don't know anything about your device per se. I don't know anything about Amon-Ra recovery. I was hoping some others would jump into this thread to help out with these unknowns. I've always used clockworkmod recovery so that's all I can speak for, but I did D/L an Amon-Ra recovery to analyze it.
As far as custom ROMs go, most are based on some OEM ROM and still contain system files signed by the OEM and the OEM certs are still included with the ROM so no modifications are necessary.
If you have a simple update.zip with just some files to be written to the system partition, then signing the update.zip file is unnecessary. A signed update.zip is only useful when it is distributed by an OEM with an official OEM update since the stock recovery will refuse anything not signed by the OEM. One of the reasons for using a custom recovery on rooted devices is that it gets around this security check to allow you to install custom stuff written by someone other than the OEM.
If you are having trouble installing an update.zip that contains an otherwise valid working "amend" or "edify" script, then I don't know what the issue might be. Clockworkmod recovery (at least all the versions I've run) has an option to toggle signature checks in the "apply update from SD card" sub-menu, but I don't know of any good reason that it is there since it only has one key and it is the same "test" key distributed in official source distributions, and the toggle is off by default.

I've been poking around github and grabbed the current source for amon-ra recovery (https://github.com/packetlss/amonra_bootable_recovery) and interestingly, amon-ra has a signature verifyer that is missing from clockworkmod recovery. It actually parses the zip file for the META information and ensures that the included signing key for the zip is consistent with the manifest and each file's signature.
So, it would seem that your update.zip should be signed the same way an APK is signed, using jarsigner.
Do you have a valid signing certificate and are you signing your update.zip correctly?

After learning to compile cm from source I found it easiest just to edit the .zip and then resigning the zip. I have added a few programs into /system and never had an issue. Perhaps this is because it's cm?

Gene Poole said:
I've been poking around github and grabbed the current source for amon-ra recovery (https://github.com/packetlss/amonra_bootable_recovery) and interestingly, amon-ra has a signature verifyer that is missing from clockworkmod recovery. It actually parses the zip file for the META information and ensures that the included signing key for the zip is consistent with the manifest and each file's signature.
So, it would seem that your update.zip should be signed the same way an APK is signed, using jarsigner.
Do you have a valid signing certificate and are you signing your update.zip correctly?
Click to expand...
Click to collapse
i was just going to conjecture that perhaps the amon-ra recovery is verifying sigs. you however have found proof. thank you
the only way someone would have the valid sig is for it to either be public, or for them to have signed the platform themselves and have there own private key. i ran into this same problem when investigating the android.intent.action.REBOOT intent which can only be broadcast by system apps signed with the same sig as the platform.

Gene Poole said:
I don't know who Roalex is [...]
Click to expand...
Click to collapse
Sorry, he's the guy who put together the COS-DS ROM for G1/HTC Dream based on CyanogenMod and AOSP sources.
Gene Poole said:
As far as custom ROMs go, most are based on some OEM ROM and still contain system files signed by the OEM and the OEM certs are still included with the ROM so no modifications are necessary.
Click to expand...
Click to collapse
Wait... can signing the zip be as easy as including the CERT.MSA and related other two files as found in the other update.zip files I have that work? Seems that would be too easy... I assumed there would be something in the zip file headers that would be modified to reflect a key as well so that they would also have to match. Maybe this is getting too in-depth...
Gene Poole said:
If you have a simple update.zip with just some files to be written to the system partition, then signing the update.zip file is unnecessary.
Click to expand...
Click to collapse
So just put together a common zip file with the update-script and the right folder structure in it, and I'm good? I tried that too and it also failed. Does the NAME of the file have to be update.zip in that case, though? I didn't actually try that. My unsigned one was named "CJ-Audio-Update_unsigned.zip" or something like that.
Gene Poole said:
A signed update.zip is only useful when it is distributed by an OEM with an official OEM update since the stock recovery will refuse anything not signed by the OEM. One of the reasons for using a custom recovery on rooted devices is that it gets around this security check to allow you to install custom stuff written by someone other than the OEM.
If you are having trouble installing an update.zip that contains an otherwise valid working "amend" or "edify" script, then I don't know what the issue might be. Clockworkmod recovery (at least all the versions I've run) has an option to toggle signature checks in the "apply update from SD card" sub-menu, but I don't know of any good reason that it is there since it only has one key and it is the same "test" key distributed in official source distributions, and the toggle is off by default.
Click to expand...
Click to collapse
Okay then. From here it's a lot clearer than a week ago. Thanks for taking the time to explain it so thoroughly... I think so many people understand so little and they're so quick to say "here, just use this other guy's tool LOL!!!111!1 he r0x0r$!!!1!1". I mean, that's great, that there are tools, but I want to understand it, not just be a script kiddie with someone else's tools, blindly trusting that they're doing it right and all that. Not saying the tools are bad or wrong, but by knowing myself, I know whether it's done right, you know? Same reason I learned automotive mechanicals, computers, and electrical wiring. Oh, and plumbing is slowly being added and in a few years roofing
Then it's on to framing as I build a 20-by-20-foot "workshop" in the back yard but I digress...
Thanks again!

Well this is interesting...
I took the MSA and other two files from the COS-DS update, and put them in a new zip containing my other files (not signed) and it didn't complain about no signature... instead, it failed saying some lib file is missing. Stagefright or some such. Progress is still progress though...
EDIT:
Okay, so it looks like there's something in those signats that says, "hey, look for all these other files too", so I'ma try a different tack...
EDIT2:
I guess I'm just gonna have to use Testkeys. They appear to have worked. :/ But if everyone else is doing it that way, I guess there's no harm.

Related

{TOOL}MetaMorph Builder v3-Linux Only[8-5]

This could be considered part of the development forum or the apps and theme forum depending on how you look at it. if you have an issue, just click the report button and request that it be moved. no need to flame and troll and post that you reported it, just do it and move on.
Lots of people have asked me how to put together a theme control file, and its actually VERY easy but this tool makes it even easier.
this is an example of a theme control file created by this tool
Test-Theme.xml
Code:
<themename>Test-theme</themename>
<author>tater-salad</author>
<phone>Android Phone Codename Hulk</phone>
<rom>CM 8</rom>
<item>Phone.apk</item>
<path>/system/app<path>
<item>framework-res.apk</item>
<path>/system/framework</path>
<description>Requires reboot</description>
<item>FM-Reciever.apk</item>
<path>/data/app<path>
<item>My-custom-app.apk</item>
<path>/data/app<path>
run the mm-builder script and follow the on screen directions. you will of course need to put the correct replacement files in their respective directories, but this script will make all the right folders and set up your theme.xml for you. Bash scrip means linux only. This is also a super easy script, so i may get a batch version soon.
You can extract this file to any directory
All thanks to Stericson. W/O him we wouldnt have a metamorph app to begin with
######################################################################################################
v2
includes these additions
Code:
mkdir $app
mkdir $app/res
mkdir $app/res/drawable
mkdir $app/res/drawable-mdpi
mkdir $app/res/drawable-land-mdpi
mkdir $app/res/drawable-port-mdpi
these are the commonly used directories when it comes to theming. now all the sub-folders should be set up right.
I think this tool will be very helpful for newer themers and the like, looking forward to a windows adaptation.
also, what does it matter if ban_dover was andrizoid, seems to me hes not doing any harm here now, just trying to help people out, so give a guy a chance to rectify himself before you all start the flamethrowers
snyluc13 said:
I think this tool will be very helpful for newer themers and the like, looking forward to a windows adaptation.
also, what does it matter if ban_dover was andrizoid, seems to me hes not doing any harm here now, just trying to help people out, so give a guy a chance to rectify himself before you all start the flamethrowers
Click to expand...
Click to collapse
windows version is certainly viable, but batch is SO alien coming from bash. there isnt even an ls command
im going to have to play around and get a feel for batch before i get to work on it.
v3 is up. ive put together working metamorph themes using v3, so its been pretty well tested.
How about some constructive use of this thread?
ban_dover,
I've got a question. I read through Stericson's announcement post on XDA, and also the project page, and he mentions limitations due to signing checks of market apps.
Does it actually re-sign the .apk with the test key that all the devs use, or does it merely re-zip the .apk so that the manifest and keys are broken (won't pass a jarsigner -verify test)?
If it is the 2nd alternative, I guess that would means that Android does not check "non-market app" installs for valid signatures? Or that it doesn't check system apps but does check market apps?
The reason this piques my interest is that I noticed one of the devs recently released a ROM which had all its apps de-odexed and re-signed with the test key. (Can't remember which ROM, perhaps an xtr* ROM?)
Anyone else that knows how this goes is welcome to answer as well.
bftb0
Im going to lock this thread if the flame war doesn't stop
Play nice
Edit: Thread re-opened, ban_dover and I discussed and hopefully we will not have any more issues.
Thanks
Captainkrtek
bftb0 said:
How about some constructive use of this thread?
ban_dover,
I've got a question. I read through Stericson's announcement post on XDA, and also the project page, and he mentions limitations due to signing checks of market apps.
Does it actually re-sign the .apk with the test key that all the devs use, or does it merely re-zip the .apk so that the manifest and keys are broken (won't pass a jarsigner -verify test)?
If it is the 2nd alternative, I guess that would means that Android does not check "non-market app" installs for valid signatures? Or that it doesn't check system apps but does check market apps?
The reason this piques my interest is that I noticed one of the devs recently released a ROM which had all its apps de-odexed and re-signed with the test key. (Can't remember which ROM, perhaps an xtr* ROM?)
Anyone else that knows how this goes is welcome to answer as well.
bftb0
Click to expand...
Click to collapse
to be honest im not sure. but i can say that the rom your talking about isnt going to have any issues with anything because of the re-signing.
so the those who have downloaded it, what do you think?
ive tested it by putting together a few simple MMs, and it worked fne for me. have any of you ran into any issues?

pre-rooted stock 6.2.1 update

See: http://forum.xda-developers.com/showthread.php?t=1402440
Sorry - don't have enough posts to reply directly in the dev tree, but it would seem to me that if all the updates are just zip files, couldn't they be modified to include root? Then the normal update system would handle the installation? You wouldn't need root then.. Just dump it into the "kindleupdates" folder and let it do its thing. It would just install it.
It looks like the install is just running a script.. one of the first things it does is wipe the system folder.. doesn't mean you can't include additional files and copy them in afterwards with the script does it?
AndrewTL said:
See: http://forum.xda-developers.com/showthread.php?t=1402440
Sorry - don't have enough posts to reply directly in the dev tree, but it would seem to me that if all the updates are just zip files, couldn't they be modified to include root? Then the normal update system would handle the installation? You wouldn't need root then.. Just dump it into the "kindleupdates" folder and let it do its thing. It would just install it.
It looks like the install is just running a script.. one of the first things it does is wipe the system folder.. doesn't mean you can't include additional files and copy them in afterwards with the script does it?
Click to expand...
Click to collapse
You need to go through all the lines of code for that and I believe some of them are binary files as well. Possible but will take much time. For now we must wait until someone finds a better solution.
Sent from my Kindle Fire using Tapatalk
signature issues.
6.2.1 experiment?
transfuntioner said:
signature issues.
Click to expand...
Click to collapse
Maybe I don't follow the process.. but I'm guessing no signatures..
not a signed bootloader.. no signatures required...
Get beyond compare and look at the differences between the OTA updates and the zip that Eldarerathis put together.
The ".bin" files are just ".zip" files renamed.
Look at
META-INF/com/google/android/updater-script in the bin files they release.
It is just a script.
And to do the things that it is doing, it has to be getting root permissions while it is running.
I don't know how to recover if it doesn't work, but I half wonder if you were to take the zip that fellow created, change the extension to ".bin" and just dump it into the update folder if the fire would install it for you?
He took out the image files from the script. He's just updating the system tree directly. He doesn't update the bootloader, recovery or backup trees.
For that matter if those contained something nasty, they could probably be pulled from an earlier update.
== cut ===
package_extract_file("recovery.img", "/dev/block/platform/mmci-omap-hs.1/by-name/recovery");
show_progress(0.100000, 10);
package_extract_file("u-boot.bin", "/dev/block/platform/mmci-omap-hs.1/by-name/bootloader");
format("ext4", "EMMC", "/dev/block/platform/mmci-omap-hs.1/by-name/backup");
mount("ext4", "EMMC", "/dev/block/platform/mmci-omap-hs.1/by-name/backup", "/backup");
package_extract_file("backup_userdata.zip", "/backup/backup_userdata.zip");
== cut ===
Please nobody try this idea that doesn't know enough to recover if it doesn't work, because I've not a clue how.
But could someone explain why wouldn't it work?
Worst case the rev might need to be manually edited to bump it one for the script.
Seems like it might be an easy way to get around headaches with OTA updates.
Andrew,
Are you having issues with getting into recovery so that you can test this? The Devolopers have a copy of TWRP 2 working perfectly on the device so you can get a clean backup of the OS before you test.
You sound like you may know what to do to fix the issue and I just want to help you get a good recovery in case it doesn't pan out or for testing.
~enjoy.
Actually I'm just afraid of messing up what I have working now.
I've got TWRP 2 running with the 6.2.1 image.
I'm setting these up as gifts. I spent a good 12 hours yesterday fighting the darn things. Guess I'm getting gun shy. Had a lot of issues with adb. Kudos to the new utility and setting the second ports up. I'm learning.
The OTA install wipes the system directory. It's in the script.
I was tempted to just comment that line out and see if it would leave the rest alone.
If I brick the thing its going to be painful for me to sort out.
I also didn't want to risk losing root. I also haven't tried loading an older OTA version.
At the time, I couldn't ask the fellow that developed the rooted 6.2.1 zip the question in his thread as I didn't have enough posts.
I'm going to be out of pocket for quite some time. I'm not going to have time to spend like this again for at least a few days.
But I was checking the zip he made versus the .bin/.zip files that the OTA releases using beyond compare. I wanted to see what files had actually changed.
That's when I found that script. It is manipulating permissions directly. It has to be running at a root level. I don't see anything like a signature on it, so why couldn't their own update system be used to tweak their own updates to allow for root?

Analysis of Huawei's GMS installer

As many of you know, Huawei released a GMS installer so that we can (FINALLY!) have google on our Chinese model phones.
I was wondering how it worked, so I looked into it, and I'd like to share what I've found.
The APK is signed with Huawei's key. I guess the way it's installed, it runs as a system app.
Inside the APK file, you will find assets/update_data_public.zip -- this is the payload. The payload zip file is not mentioned in the manifest file, but it is a flashable update file signed by huawei. The payload simply flashes the GoogleServicesFramework, GoogleLoginService, and GmsCore folders to /system/app
Where it gets interesting is, we can use this to flash whatever we want onto the phone (as long as it's something signed by Huawei, of course). Simply replace update_data_public.zip with whatever file you want to flash (rename it to update_data_public.zip of course) and if it's signed by Huawei, it will install.
Theoretically, you could put, for example, a European firmware zip file, and it would flash. I haven't tried this yet, though.
So then, this begs the question, "How does it do this?" Here's how.
It moves the payload file (update_data_public.zip) to the folder /data/update and runs the following command:
Code:
/cache/recovery/command --update_package=/data/update/update_data_public.zip
And that's basically it.
I don't have my USB cable with me at work to try anything over ADB, but if anyone wants to try any of this, go for it! I don't think this will lead to root or anything, but it will probably lead to an easier way of installing packages, which means we don't have to do everything via eRecovery.
That is a very interesting find. Cannot wait to see someone tests your theory.
duraaraa said:
As many of you know, Huawei released a GMS installer so that we can (FINALLY!) have google on our Chinese model phones.
I was wondering how it worked, so I looked into it, and I'd like to share what I've found.
The APK is signed with Huawei's key. I guess the way it's installed, it runs as a system app.
Inside the APK file, you will find assets/update_data_public.zip -- this is the payload. The payload zip file is not mentioned in the manifest file, but it is a flashable update file signed by huawei. The payload simply flashes the GoogleServicesFramework, GoogleLoginService, and GmsCore folders to /system/app
Where it gets interesting is, we can use this to flash whatever we want onto the phone (as long as it's something signed by Huawei, of course). Simply replace update_data_public.zip with whatever file you want to flash (rename it to update_data_public.zip of course) and if it's signed by Huawei, it will install.
Theoretically, you could put, for example, a European firmware zip file, and it would flash. I haven't tried this yet, though.
So then, this begs the question, "How does it do this?" Here's how.
It moves the payload file (update_data_public.zip) to the folder /data/update and runs the following command:
Code:
/cache/recovery/command --update_package=/data/update/update_data_public.zip
And that's basically it.
I don't have my USB cable with me at work to try anything over ADB, but if anyone wants to try any of this, go for it! I don't think this will lead to root or anything, but it will probably lead to an easier way of installing packages, which means we don't have to do everything via eRecovery.
Click to expand...
Click to collapse
Excellent idea. Modifying the apk will remove Huawei's signature, no?
onslaught86 said:
Excellent idea. Modifying the apk will remove Huawei's signature, no?
Click to expand...
Click to collapse
Yeah. I tried modifying the APK and it was a failure, of course. So I don't think any new flashing method will become of this. At the very least, though, we know more about how it works.
onslaught86 said:
Excellent idea. Modifying the apk will remove Huawei's signature, no?
Click to expand...
Click to collapse
Yes . We can compile/decompile but when install we'll have error in installation packet just because there is a bad sign. No possibility to recover a keystore from apk. So waste of time
So sorry it's out of topic, couldn't find it. I have huawei enjoy 7 or the kfc limited phone. Downloaded the gms installer but never work. Tried several gms installer and google installer
Here is the error on gms installer
Software install failed
Get help from emui.com/...
Reboot system now
I really like this phone. One of a kind, even though I promoted KFC indirectly ?

Possible way to self-sign Recovery and Rom's on S7, Just need some help.

Hey, I noticed while looking through the Stock Firmware AP file, that in meta-data/fota.zip there are .jar files that have to do with package signing. Only issue is that the zip is password protected. If someone has the Compute power and skills to decrypt a zip and look at the jar files and ****, maybe we could find a way to sign our own TWRP recoveries and roms. Just a thought, i'll post a link to the fota.zip file i was talking about in a bit if anyone wants to take a crack at it. (Google drive is taking forever to upload cause of AT&T's ****ty DSL speeds, sorry)
Download Link: htt*ps:/*/drive.*google*.com/file/*d/0B9tb-svjqaVD*b3Y0V0tXR3drSzA/vie*w?usp=sharing (Remove all *'s from link, stupid 10 post until you can post links limitation)
Thanks,
Lavavex
Did you saw this Thread?
https://forum.xda-developers.com/an...signing-boot-images-android-verified-t3600606
About fota.zip...
Did you heard about plain text attack?
In few Seconds... minutes done... no password required but you can unpack.
Best Regards
Yesterday I have download this fota.zip... and yes... same password as for instance from my prior test with:
SM-J330F and 1 more...
Here are the 3 keys to decrypt if somebody want try...
Code:
2b4d493c
6142b289
1b7024aa
Code:
Key0
Key1
Key2
I have used Advanced Archive Password Recovery from elcomsoft...
Best Regards
adfree said:
Yesterday I have download this fota.zip... and yes... same password as for instance from my prior test with:
SM-J330F and 1 more...
Here are the 3 keys to decrypt if somebody want try...
Code:
2b4d493c
6142b289
1b7024aa
Code:
Key0
Key1
Key2
I have used Advanced Archive Password Recovery from elcomsoft...
Best Regards
Click to expand...
Click to collapse
Which will allow unpacking of the above zip? I thought it needed a zip password.
osm0sis said:
Which will allow unpacking of the above zip? I thought it needed a zip password.
Click to expand...
Click to collapse
We never found the Password... but for Decryption you need only these 3 Keys...
They can be easily found in few Minutes... with the right Tool...
Code:
2b4d493c
6142b289
1b7024aa
Here Key0 Key1 Key2 for Samsungs fota.zip...
This is really no rocket science...
Simple read about plain-text attack...
You can see all filenames...
You can see all filesizes etc...
Many files are floating around the Internet... to create ZIP for attack...
Then result is in few Minutes possible... :angel:
Use these 3 Keys in Tool:
Code:
Advanced Archive Password Recovery
And try self to unpack...
Best Regards
Edit 1.
Screenshot added...
Then maybe more clear...
Trial Version have mabye limtations... but to see it work... it is enough to play with trial.
@adfree or to anyone who can answer.
Quick question, what are the legal limitations to what is going on here? I may or not have a file from inside the fota.zip, but will sharing it put me in the legal wrong? If it is within the legal boundaries, I'd be happy to upload it for anyone to take a look at, but I don't want to land on the wrong side of the law by doing so. Please do let me know, as this is the most exciting development we've had when it comes to bootloader unlocking in a while. Also, it seems as though we can't view the entirety of the contents of the fota.zip with the trial version of the zip extraction tool mentioned in this thread, so if someone with more knowledge about this can confirm we could unlock our bootloaders with the contents of the zip (based on what is currently known about this), I'd be happy to bite the bullet of paying for the premium version given we can do this within the boundaries of the law.
Thanks.
1.
Maybe you can answer your question self...
Samsung PROTECTED this ZIP with password.
2.
IMHO it is Kernel related...
Yeah I know... Boot is every irritating...
But it is not sboot.bin related...
3.
About decrypting all files...
There are floating around Command Line Tool...
Code:
pkcrack
Try to Google it...
I have not tried...
I am 1 click Button user...
Best Regards
zipdecrypt from the pkcrack package plus those 3 keys worked flawlessly. :good:
Edit: Crazy number of utilities in this zip, but no script to run them all, and a lot of references to external files. No smoking gun like a "sbootimg_signer" binary or anything to make their proprietary footer signature, and no Samsung signature files.
the password for that zip is fotatest1234
Correct. All fota zips passwords are fotatest1234
Drdra3 said:
Correct. All fota zips passwords are fotatest1234
Click to expand...
Click to collapse
@lavavex , @osm0sis
Yes it is, but now the question still to be answered is, do the tools within the fota.zip file, actually work for legitimately repacking the boot/recovery image? Because in the fota.zip I checked from Android Pie's release it mentioned the "user/test-keys" and very much so had all of the compiled tools to actually patch a system and create and ADB flashable zip for stock recovery.
Could we technically make a signed sideloadable update.zip if the the update package was created on the device itself? The scripts included, along with the updated compiled binary tools, really do seem to be the Toolkit we've been looking for but have overlooked. I haven't tested it out fully, but I'm still reading about how to proceed. It isn't just the S7 either. So are the tools customized to the device, the android branch, or the bootloader?
Delgoth said:
@lavavex , @osm0sis
Yes it is, but now the question still to be answered is, do the tools within the fota.zip file, actually work for legitimately repacking the boot/recovery image? Because in the fota.zip I checked from Android Pie's release it mentioned the "user/test-keys" and very much so had all of the compiled tools to actually patch a system and create and ADB flashable zip for stock recovery.
Could we technically make a signed sideloadable update.zip if the the update package was created on the device itself? The scripts included, along with the updated compiled binary tools, really do seem to be the Toolkit we've been looking for but have overlooked. I haven't tested it out fully, but I'm still reading about how to proceed. It isn't just the S7 either. So are the tools customized to the device, the android branch, or the bootloader?
Click to expand...
Click to collapse
Presumably what I previously said still stands:
osm0sis said:
Crazy number of utilities in this zip, but no script to run them all, and a lot of references to external files. No smoking gun like a "sbootimg_signer" binary or anything to make their proprietary footer signature, and no Samsung signature files.
Click to expand...
Click to collapse

Janus Vulnerability Allows Attackers to Modify Apps without Affecting their Signature

In various thread scattered around the Fire and Kindle forums here on XDA, I talked about the possibility of decompiling an Amazon system APK, modifying the contents such as settings for the framework or changing permissions in an attempt to escalate privileges to some degree, maybe even root. I ran into several issues when attempting such a thing:
1) Using a PC, I found it almost impossible to successfully recompile a modified APK. Many of the tools like APKtool are just too complicated and missing even the slightest step will cause it to fail.
2) Surprisingly, I've had the opposite outcome using two apps. Using APK Export, I was able to export an APK from the system and use APK Editor Pro to modify permissions. I have been able to, on a consistent basis, use APK Editor Pro to decompile the Android Live Wallpaper system APKs to add or remove any permission from the APKs manifest. Installing the APKs did not result in getting them into /system/priv-app on my HD 8, but all modifications held over and over. But every time the signature is ruined, and installing as a system app fails again.
Janus can help escalating permissions even further when using the above method and maybe others, to modify system APKs. The question is: Can we use Janus to modify an APK in some form, to install an update to an Amazon system app, which would on install, execute code that would install SU binaries? What about any other known exploit patched or not? Could we fake the system into thinking a one-click-root app is a system app and install it? Link to XDA article.
Janus takes advantage of the fact that extra bytes go unnoticed in APK files and DEX files. The GuardSquare report explains that an APK file is a ZIP archive which can contain arbitrary bytes at the start, before and between its ZIP entries. The JAR signature scheme only takes into account the ZIP entries, ignoring any extra bytes when computing or verifying the application’s signature.
It goes on to explain that a DEX file, on the other hand, can contain arbitrary bytes at the end – after the regular sections of strings, classes, method definitions, etc. Therefore, a file can be a valid APK file and a valid DEX file at the same time.
GuardSquare also mentions that a key element of the vulnerability is a “harmless” feature of the Dalvik/ART virtual machine. The report states that in theory, the Android runtime loads the APK file, extracts its DEX file and then runs its code. However, in practice, the virtual machine (VM) can load and execute both APK files and DEX files. The issue is that when the VM gets an APK file, it still looks at the magic bytes in the header to decide which type of file it is: DEX or APK. On finding a DEX header, it loads the file as a DEX file. If it doesn’t find a header, it loads the file as an APK file containing a zip entry with a DEX file. Thus, it can misinterpret dual DEX/APK files.
GuardSquare says that an attacker can leverage this duality feature of the VM to add a malicious DEX file to a normal APK file without affecting its signature. The Android runtime will accept the APK file as a valid update to a legitimate earlier app version, but the Dalvik VM will load the code from the DEX file, which has been injected with malicious code.
Click to expand...
Click to collapse
This is a good point. I brought up something similar a few months ago in another thread.
With all the exploits discovered this year where's someone trying these exploits on this hw sw combo we have with FireOS.
Where's the fuzzer for all the system calls while trying the known exploits?
Where is the systematic approach to testing these from the pedants on the forum?
Sure you can reply with the usual comebacks, but try a different approach instead of more of the same.
With
Sent from my iPhone using Tapatalk
Robius said:
Where is the systematic approach to testing these from the pedants on the forum?
Click to expand...
Click to collapse
Totally agree! Those selfish tech elitists who put real life above the desires of strangers. They should dedicate themselves (without compensation) and their community resources to methodically crack this very important nut. Ya know, because exploiting a $50 entertainment gizmo should rise to the top of THEIR priority list. Sorry sweetie, daddy won't becoming to any of your soccer games this year; he has important work to do.
My point exactly.
You spent enough energy to respond to this in a sarcastic manner. Thank you
Sent from my iPhone using Tapatalk
Robius said:
My point exactly.
You spent enough energy to respond to this in a sarcastic manner. Thank you
Click to expand...
Click to collapse
Time well spent; appreciate the opportunity to respond in kind.
I have seen a bunch of hashes running through the terminal last time. Amazon may compare the hashes of the apks against a whitelist.
All right, I am ready to take this exploit on my 5th Gen. What I have to do??
Adyatan said:
All right, I am ready to take this exploit on my 5th Gen. What I have to do??
Click to expand...
Click to collapse
I haven't sat down and looked into this too much so I'm not sure how to execute the exploit yet.
The idea I had been working on months ago was to somehow insert SU binaries into an Amazon system APK, and get it to install the modified APK as an update to an existing system app. The issue back then was the signature getting destroyed. If we can modify an Amazon system APK to contain a script to execute installation of SU binaries, the exploit might allow the APK to install as an update to an existing Amazon app and in theory install the SU binaries. Based on what little I've read, we would have to either 1) modify the existing DEX file of an Amazon system APK to contain code/script to install SU binaries or 2) create a new DEX file with the code and replace it with the original. My opinion is a better chance at the first method.
Now how to do all that using the Janus exploit? I do not yet know.
"An attacker exploiting the flaw could replace a trusted application that already has high privileges, such as a system app, with one of their updates to abuse the permissions that have already been granted. This could enable the attack to access sensitive information stored in the devices or enable the attacker to seize control over the device completely."
https://www.scmagazine.com/janus-vu...-android-50-devices-and-newer/article/713449/
So how would one go about updating a DEX file to contain 1) SU binaries that install upon 'updating' the app on installation? Or 2) clone a system app and edit or change the DEX file? 3) add an exploit script to a DEX file that would gain root (then you would install SU binaries and app)?
It seems the editing of the DEX file itself doesn't damage the signature and that's the nature of the exploit?
Hey is it possible to modify the permissions ota updater and remove the internet permissions so it can't update
I just found this https://github.com/odensc/janus don't have a computer anymore or would try it
Asadullah said:
Hey is it possible to modify the permissions ota updater and remove the internet permissions so it can't update
Click to expand...
Click to collapse
I cannot recall if I've ever tried with that APK. I have tried with others, unsuccessfully. Either the APK will fail to recompile into a proper installation file, or it would 'install', but with none of the modifications holding.
Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures
While installing an Android app or its update, your device checks APK header information to determine if the archive contains code in the compressed DEX files. If header says APK archive contains DEX files, the process virtual machine decompiles the code accordingly and executes it; otherwise, it runs the code as a regular APK file.
It turns out that an APK archive can contain DEX files as well as regular application code simultaneously, without affecting its validity and signatures.
Researchers find that this ability to add extra bytes of code due to lack of file integrity checking could allow attackers to prepend malicious code compiled in DEX format into an APK archive containing legitimate code with valid signatures, eventually tricking app installation process to execute both code on the targeted device without being detected.
In other words, the hack doesn't require attackers to modify the code of legitimate applications (that makes signatures invalid)—instead, the vulnerability allows malware authors to merely add some extra malicious lines of code to the original app.
Click to expand...
Click to collapse
So we would need to write a script or other code that would be placed into a Amazon System APK. Now would we be able to add SU binaries to an APK? What about a root script like DirtyCow. Although DC is patched, would that be different if the exploit was installed into the /system-priv-app and then executed? I really don't want to sound dumb here so please help me pout guys. Any feedback, negative or not is appreciated.
Maybe this tool can help https://forum.xda-developers.com/android/software/tool-dex-manager-v1-0-designed-to-play-t2988532
Robius said:
Maybe this tool can help https://forum.xda-developers.com/android/software/tool-dex-manager-v1-0-designed-to-play-t2988532
Click to expand...
Click to collapse
I can't find a working download link. Apparently it has been discontinued and i was directed to this: Uret Android Reverser Toolkit v1.6. I downloaded it.
I did find the other one but it says it's for a Galaxy Note. Not sure if that's really the case though.
DragonFire1024 said:
Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures
So we would need to write a script or other code that would be placed into a Amazon System APK. Now would we be able to add SU binaries to an APK? What about a root script like DirtyCow. Although DC is patched, would that be different if the exploit was installed into the /system-priv-app and then executed? I really don't want to sound dumb here so please help me pout guys. Any feedback, negative or not is appreciated.
Click to expand...
Click to collapse
It's beyond my knowledge but if you were to maybe add a script to the dex giving it the permisions I gotta look more into this
---------- Post added at 04:13 PM ---------- Previous post was at 03:54 PM ----------
DragonFire1024 said:
I can't find a working download link.
Click to expand...
Click to collapse
here's smali baksmali for editing dex files https://github.com/JesusFreke/smali I havent used it in a while but used to work good
Asadullah said:
It's beyond my knowledge but if you were to maybe add a script to the dex giving it the permisions I gotta look more into this
---------- Post added at 04:13 PM ---------- Previous post was at 03:54 PM ----------
here's smali baksmali for editing dex files https://github.com/JesusFreke/smali I havent used it in a while but used to work good
Click to expand...
Click to collapse
Editing DEX is pretty much out of my league too. I wouldn't know where to start. I don't even know how to install or use the tool you posted.
DragonFire1024 said:
Editing DEX is pretty much out of my league too. I wouldn't know where to start. I don't even know how to install or use the tool you posted.
Click to expand...
Click to collapse
https://github.com/JesusFreke/smali/wiki/DeodexInstructions
It's really pretty simple used to use it take out the ads from angry birds and what not when it first came out. But it's easier said than done. If you do try first thing I would suggest is that you decompile then recompile to see if it works right the dependencies sometimes will get you or we can try and beg another developer to make us a modified apk..... Please pretty please with sugar on topwe'll like all your posts???
Check this thread for root possibility:
https://forum.xda-developers.com/hd8-hd10/general/complete-guide-root-hd7-8-106th-gen-t3545411
Robius said:
Check this thread for root possibility:
https://forum.xda-developers.com/hd8-hd10/general/complete-guide-root-hd7-8-106th-gen-t3545411
Click to expand...
Click to collapse
FYI - nothing new in that thread. Same familiar tools/techniques targeting a different gen/suite of Amazon devices. Similar outcomes too. Vulnerability patched in FireOS 5.3.2.x as so far proven impenetrable by generic rooting tools of common origin (KingRoot, KingORoot, etc).
Davey126 said:
FYI - nothing new in that thread. Same familiar tools/techniques targeting a different gen/suite of Amazon devices. Similar outcomes too. Vulnerability patched in FireOS 5.3.2.x as so far proven impenetrable by generic rooting tools of common origin (KingRoot, KingORoot, etc).
Click to expand...
Click to collapse
Not sure if the following report is true: (HD10 7th Gen on 5.6.0.0)
https://forum.xda-developers.com/hd8-hd10/general/rooted-fire-hd-10-7th-generation-t3718629

Categories

Resources