An app I installed on Nook Touch doesn't even start. I checked the logcat file and realised there is a NullPointerException regarding GetDeviceID. I believe Nook Touch just provides a string without the needed 16 characters, which I believe is used by this app to register the device with its server.
So the question is, is it possible to modify the device id of Nook Simple Touch. I tried this app called Android ID Changer. It does change the id but goes back to the original once the device restarts. I tried manually modifying settings.db in /data/data/com.android.provider.settings but again it reverted to original id on startup.
So is it possible to modify this device id?
Invisman said:
[...] I tried manually modifying settings.db in /data/data/com.android.provider.settings but again it reverted to original id on startup.
Renate has done a write up on modifying the init.rc. You could try re-inserting the value for /data/data/com.android.provider.settings in settings.db during the init process. Unfortunately, I don't know enough about the NST boot process to tell you how to guarantee that your entry occurs after whatever clears it each time, but it might be worth a shot.
Everybody's init.rc is the same.
All the device specific stuff is in the:
Code:
Partition Type Start End Size (bytes) Mount
--------- ---- ----- --- ------------- --------
mmcblk0p2 vfat 39 46 16,777,216 /rom
Um, there's IDs and there are IDs.
Which getDeviceId() was blowing up?
I'd guess that you were using the TelephonyManager getDeviceId()
Since the Nook is not a telephone, it probably returned null.
Thanks guys
Not sure which DeviceID was causing the error, but since the log says NullPointerException, I guess it is the Telephony one. Any way to make it return some 16 character string when the TelephonyManager DeviceID request comes in?
Invisman said:
Thanks guys
Not sure which DeviceID was causing the error, but since the log says NullPointerException, I guess it is the Telephony one. Any way to make it return some 16 character string when the TelephonyManager DeviceID request comes in?
Telephony ID will be IMEI.
The only problem with the Nook is that it returns a random IMEI on every call - random, but not null.
Lots of other stuff won't work if IMEI returns null, I guess...
Presently we're running a little short on kernel exploits, with the following being the only one that looks remotely plausible:
http://xorl.wordpress.com/2010/01/14/cve-2009-4141-linux-kernel-fasync-locked-file-use-after-free/
Big hold-up? For all that we have a trigger, we don't have an exploit. I believe it's up to us at this point to make that happen.
If I'm reading it right, it looks like the bug initially rears its head right here:
Code:
void __kill_fasync(struct fasync_struct *fa, int sig, int band)
{
    while (fa) {
        struct fown_struct * fown;
        if (fa->magic != FASYNC_MAGIC) {
            printk(KERN_ERR "kill_fasync: bad magic number in "
                   "fasync_struct!\n");
            return;
        }
        fown = &fa->fa_file->f_owner;   /* <-- fa_file may already have been freed */
        /* Don't send SIGURG to processes which have not set a
           queued signum: SIGURG has its own default signalling
           mechanism. */
        if (!(sig == SIGURG && fown->signum == 0))
            send_sigio(fown, fa->fa_fd, band);
        fa = fa->fa_next;
    }
}
... as fa_file now points to invalid memory (having been freed earlier). The f_owner member gets shot out to send_sigio, which looks like this:
Code:
void send_sigio(struct fown_struct *fown, int fd, int band)
{
    struct task_struct *p;
    enum pid_type type;
    struct pid *pid;
    int group = 1;

    read_lock(&fown->lock);
    type = fown->pid_type;
    if (type == PIDTYPE_MAX) {
        group = 0;
        type = PIDTYPE_PID;
    }
    pid = fown->pid;   /* <-- dereference of the (possibly stale) f_owner */
    if (!pid)
        goto out_unlock_fown;

    read_lock(&tasklist_lock);
    do_each_pid_task(pid, type, p) {
        send_sigio_to_task(p, fown, fd, band, group);
    } while_each_pid_task(pid, type, p);
    read_unlock(&tasklist_lock);
out_unlock_fown:
    read_unlock(&fown->lock);
}
... in which we see the f_owner member being dereferenced. Also it gets pushed through several other functions which may be exploitable.
There are several questions to be answered before we can start attacking this:
Can we resolve the address of the fa_file data structure so we can overwrite the f_owner value?
Can we do anything with it once we've done that? (Presumably we can set it to zero to cause a null-pointer dereference, but mmap_min_addr = 32768 on the most recent versions, so unless we can flag the mmap region to grow down and apply memory pressure to reach page 0 this will do us no good.)
Failing the plan above: are any of the functions that f_owner gets pushed into vulnerable? I evaluated this over the weekend, but without the help of a trained kernel dev I'm not going to get very far.
While I studied a lot of this in uni, I'll admit I'm green when it comes to actually writing these exploits. I'm hoping that this will get the creative juices flowing, and perhaps provide a more comprehensive resource in case any hard-core kernel hackers want to take a look at what we're doing or give us pointers (harhar) in the right direction.
Thanks, guys. Great work up to this point.
In the original POC, if you change /bin/true to /system/bin/sh you can get a new shell to open, just not as root. So I'm guessing that there needs to be more added to the POC to make it a full exploit.
Right, the fork()'s in the PoC exist only to cause the file descriptor's fasync_struct to be erroneously killed, not start a root session. The root session would need to be started (presumably) by the kernel doing something to our maliciously crafted fown_struct.
The tough part is figuring out exactly where and what that fown_struct needs to be.
Well, I definitely agree with you that this seems to be our best bet. I am somewhat of a newbie when it comes to Linux, although I am learning as I go. Do you know of any good sites to read up on kernel hacking?
Sorry guys, just got the word that this one is dead for us.....
Here is the explanation I got.
some_person said:
Nope, the bug didn't exist in 2.6.27. That's why they say >= 2.6.28 are vulnerable.
As far as how the bug works, there are 2 other issues. 1) our kernel probably wasn't compiled with AT_RANDOM 2) we don't have an elf executable.
The exploit you found does not give us root access, it crashes the system. Basically, you open the "random number generator" file, lock it, and close it... but the lock releases when you close it. Then you have to call an ELF executable because that generates a random number (running an ELF executable) provided the kernel was compiled with AT_RANDOM. You continue to call that executable (and generate random numbers) until the lock is released on the "random number generator" file... then it's your program's turn... the kernel tries to send your program notification that the file is available, but your program has moved on. BLAM the kernel stops (or "oops").
Sorry to dredge up an old thread:
This exploit *will* work. According to Zanfur, the hole is in our kernel. We need to use it without AT_RANDOM (which I don't know how to do).
http://sourceware.org/ml/libc-alpha/2008-10/msg00016.html
I am pretty sure we do have ELF executables; here is proof:
Code:
% file m6
m6: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
If our kernel is susceptible to this bug then it should work, as long as there is a way to do it without AT_RANDOM.
Though I do not in any way represent myself as a hacker or developer, I was wondering if I could throw in my 2 cents. I notice that this bug/exploit won't work because it requires AT_RANDOM. I was wondering if it's possible to write code that does what the function does and insert it in. Is root required to do this (i.e. insert code into the kernel that wasn't there before) or is this a matter of know-how? Just some brainstorming I thought that I would throw in.
jballz0682 said:
Though I do not in any way represent myself as a hacker or developer, I was wondering if I could throw in my 2 cents. I notice that this bug/exploit won't work because it requires AT_RANDOM. I was wondering if it's possible to write code that does what the function does and insert it in. Is root required to do this (i.e. insert code into the kernel that wasn't there before) or is this a matter of know-how? Just some brainstorming I thought that I would throw in.
This won't get us root. Even zanfur said it. Moving on....
Framework43 said:
This won't get us root. Even zanfur said it. Moving on....
To clarify, even if we get AT_RANDOM functionality working, we can't use this to exploit our kernel. All we can do with this is get data from a file that was recently closed. The point of this exploit is to send a signal to a process, but there are no processes we could send a signal to that would give us root.
Our kernel seems practically invulnerable; it appears that almost all exploits are patched.
Hey guys,
I finally built omni 4.4 for Gtab2 10.1
My wifi is turned On, but can't find any network.
I used latest blobs from samsung stock rom 4.2.2 to be sure.
logcat:
http://pastebin.com/xm6un9Tg
During the build process I faced an error:
Code:
out/target/common/obj/APPS/framework-res_intermediates/src/com/android/internal/R.java
out/target/common/obj/APPS/framework-res_intermediates/src/android/R.java
expected "}"
public static final class string-array{ }
^
This is not the exact error message, but it was almost this.
To bypass this error I just commented out both classes; I wonder if this can be related?
thanks
I'd suggest looking at other device bringup commits first.
4.4 requires wifi configuration changes and storage configuration changes.
Entropy512 said:
I'd suggest looking at other device bringup commits first.
4.4 requires wifi configuration changes and storage configuration changes.
mmhh still no luck.
I don't have any error message in logcat now but still scanning for network and can't find any.
I based my change on aries bring up commit.
Now my ext sdcard works if I'm root; I may need to change some permissions in fstab,
and I added this line in init.espresso10.rc:
Code:
service wpa_supplicant /system/bin/wpa_supplicant \
    -Dnl80211 -iwlan0 -e/data/misc/wifi/entropy.bin -g@android:wpa_wlan0 \
    -c/data/misc/wifi/wpa_supplicant.conf -O/data/misc/wifi/sockets
and if I try to add an SSID by hand I get this error in logcat:
Code:
E/WifiConfigStore( 441): failed to set SSID: "mywifi"
E/WifiConfigStore( 441): Failed to set a network variable, removed network: 0
E/WifiStateMachine( 441): Failed to save network
thanks.
Did you add it, or change the one that was already there?
Entropy512 said:
Did you add it, or change the one that was already there?
I added it to try; there is no wifi network, it loops on "searching network".
I wonder if my error can be related to what I said earlier:
sevenup30 said:
During the build process I faced an error:
Code:
out/target/common/obj/APPS/framework-res_intermediates/src/com/android/internal/R.java
out/target/common/obj/APPS/framework-res_intermediates/src/android/R.java
expected "{"
public static final class string-array{ }
^
This is not the exact error message, but it was almost this.
To bypass this error I just commented out both classes; I wonder if this can be related?
thanks
Do you face this error while building omni? Can it be because of my Java version? I'm on Java 6.
Finally got it working; it was related to the init conf file like you said.
Does someone know how I can disable the hardware keyboard at first boot?
Because of that the keyboard never shows up, so I have to skip the first settings and disable it in Language & input.
sevenup30 said:
Finally got it working; it was related to the init conf file like you said.
Could you specify which modification you made in the init conf file?
Because I've the same problem with a build for Acer A200 : loop on AP scan, no results, no possibilities to configure an AP manually....
Thanks
sevenup30 said:
Finally got it working; it was related to the init conf file like you said.
Does someone know how I can disable the hardware keyboard at first boot?
Because of that the keyboard never shows up, so I have to skip the first settings and disable it in Language & input.
Fix or remove the broken kernel driver that's reporting a keyboard as being present when it's not.
Another possibility is you're missing KL/IDC files for some input device that is being treated as a hardware keyboard when it's not. (See the galaxys2-common family - the sii9234 or whatever it is IDC file was needed to keep that input device from being detected as a HW keyboard)
sm-a500fu, rooted, 4.4.4
My wife got a new SM-A500FU like our daughter has. To save work (after rooting) I restored the data and system partitions (with FlashFire) of my daughter's A5.
I deleted all my daughter's accounts and logged into Google with my wife's account.
Still both phones have the same GSF and Android ID.
I know that the Android ID can be set like this:
Code:
adb shell settings put secure android_id nnnn
- But which should I use? Can I use the one of her old phone?
- And what about the GSFid ?
Hoping for help now ...
What I found out so far:
android_id: *#*#8255#*#*
/data/data/com.android.providers.settings/databases/settings.db
its name in the database is android_id, value is HEX
gsf id: *#*#GCM#*#*
/data/data/com.google.android.gsf.gservices/databases/gservices.db
its name in the database is android_id too, value is decimal
These questions remain:
1 Is it necessary to change both or would GSFid be enough ?
2 If I change the IDs in the databases of the cloned phone to its original, what apps do I have to reinstall ?
3 Or is it cleaner to reinstall GSF and GAPPs ?
3a But would I get another ID this way ?
I realize this is an old thread which I found by searching for more information on changing the GSF-ID, where I'll just point people who may come here to a new method I found which changes the GSF_ID using basic Windows tools on a non-rooted Android phone without having to Factory Reset the darn thing (which is kind of nice indeed).
For owners of Xiaomi Air 12 or 13 who are facing static sound in audio because of Windows 10: please update your Realtek driver from their own website and do not use Windows Update or the general update. You need to download the latest 64-bit driver dated ' 14-Jun-17 - 6.0.1.8186 '.
@Wootever, sorry for my unrelated question. But, I have a Xiaomi Air 13 2016 and I've set a supervisor password when I changed to Linux. I then removed the password when I changed back to Windows 10, but it's still asking me for one...
Do you happen to know a way on how to remove the BIOS password on this laptop? I've extracted the executable from Insyde H20 A06 updater and changed the platform.ini, so it does a force flash of the password area (Password=1), however, it's still asking for one.. Any help would be greatly appreciated! Thanks in advance
@r00tPT
Try to set the password again and then set it to blank.
Wootever said:
@r00tPT
Try to set the password again and then set it to blank.
Thanks, but I cannot set a new password, as when I try to access the BIOS, it asks me for a password..
I wanted to reset this password altogether, so I can access my BIOS and set a new one =/
@r00tPT
You can try to flash this default BIOS A06 Package, it will overwrite all device specific data (Serial, Windows Key, NVstore).
All settings should be set to default (including the password), but I haven't tested this (no guarantee and at your own risk).
Edit:
Don't forget to create a backup using the Backup.cmd file, it should be possible to restore the Serial number on the "empty" default BIOS.
Wootever said:
@r00tPT
You can try to flash this default BIOS A06 Package, it will overwrite all device specific data (Serial, Windows Key, NVstore).
All settings should be set to default (including the password), but I haven't tested this (no guarantee and at your own risk).
Edit:
Don't forget to create a backup using the Backup.cmd file, it should be possible to restore the Serial number on the "empty" default BIOS.
Thank you, Wootever! I think it's worth a try.
Would it make sense to create the backup, flash the default package, confirm if there's no password and then flash back the original Xiaomi BIOS to restore the Serial number?
Sorry, as I have near to none experience related to bios. thanks once again
@r00tPT
The backup includes all current settings (including the password), restoring it would also re-enable the password protection.
I made a little script to restore the device serial from the backup.bin file.
This is necessary because the Windows Activation seems linked with the device serial number.
Edit:
Updated the script.
Wootever said:
@r00tPT
The backup includes all current settings (including the password), restoring it would also re-enable the password protection.
I made a little script to restore the device serial from the backup.bin file.
This is necessary because the Windows Activation seems linked with the device serial number.
Edit:
Updated the script.
Wouldn't it be best to make a backup of the current bios with a flash programmer? I still haven't done this, as I'm trying to figure out what password I put.. (I basically set a supervisor password when I disabled secure boot, but then when I tried to set a new blank password it didn't change it back)
I have a friend who has the exact same laptop. Would it be fine if I made a backup of his bios and restore it into mine?
Could there be an issue or some missing information? Probably only the device serial number, which I could write again using your script? Would that be feasible?
By the way, sorry for asking these questions here/to you, but it's hard to find some guidance regarding this topic. Thanks once again
@Wootever, it worked!! You're the greatest man! I'm now able to access my BIOS again!
Is there any way to re-enable the flash protected range register again, just in case?
Wootever said:
I just got my hands on a Xiaomi Air 13 (2016 version) and wanted to share my findings.
The BIOS version of this device is A07, which is not yet made available by Xiaomi and originally, BIOS updates can only be flashed with the Insyde tools.
However, those require a valid certificate to correctly sign the binary file, thus a provided backup of version A07 won't be applicable as a update.
Intel Flash Programming tool is another alternative which allows to flash unsigned/customized versions, but in practice FPT can't access the BIOS region due to the protected range register which prohibits write access.
Code:
Error 316: Protected Range Registers are currently set by BIOS, preventing flash access.
Please contact the target system BIOS vendor for an option to disable Protected Range Registers.
Fortunately there is an undocumented variable switch that I found by coincidence which deactivates the flash protected range register.
For this I made a little tool which automatically patches the variable to allow BIOS update via FPT.
Note: modifying your BIOS is at your own discretion, I am not responsible for any damage caused by this procedure.
Download my variable patcher, extract it and execute Patcher.cmd
Reboot your device.
Download BIOS A07 for the Xiaomi Air 13 (2016)
Execute Backup.cmd to create a backup of your current BIOS.
Then execute Update.cmd to install version A07.
Use Serial.cmd to restore the device serial number from the backup BIOS.
Reboot your device.
I also made a few changes for this BIOS:
Updated microcode to 0xBA
Increased PWM frequency to 5000 Hz
I tried but I have this problem with patcher, any suggestion?
@Wootever
1) after upgrading the BIOS, how do I re-activate the flash protected range register?
2) do you have the default clean A07 bios (without the microcode and PWM changes)?
thank you!
May I ask if there is an easy way to unlock the BIOS totally on Xiaomi Air 13? Because previously I opened a topic about it on biosmods.com, someone reached out to me and told me that due to write protection, quoting him: "Bios mod can be flashed using SPI-programmer+SOIC8 clip only". That requires opening the laptop up and connecting a clip on the chip physically. I love to tinker with things in my laptop but that is a bit scary for me. So is there another way to do it, anyone knows??
THANK YOU!! This is pure gold! By the way, does the flag you found also unlock the ME region?
Update: nevermind. The answer is no unfortunately
bigorbi said:
May I ask if there is an easy way to unlock the BIOS totally on Xiaomi Air 13? Because previously I opened a topic about it on biosmods.com, someone reached out to me and told me that due to write protection, quoting him: "Bios mod can be flashed using SPI-programmer+SOIC8 clip only". That requires opening the laptop up and connecting a clip on the chip physically. I love to tinker with things in my laptop but that is a bit scary for me. So is there another way to do it, anyone knows??
No, you can flash any bios mod with the flag found by @Wootever. However, you may want to get a programmer (Altera USB blaster has cheap Chinese clones supported by flashrom) and a SOIC8 clip anyway just in case. They're dirt cheap and allow for recovery when things go wrong.
As a bonus, an external programmer enables you to get rid of the management engine.
CARLiCiOUS said:
THANK YOU!! This is pure gold! By the way, does the flag you found also unlock the ME region?
Update: nevermind. The answer is no unfortunately
It might be possible if the variable for ME Image Re-Flash is set:
Code:
Me FW Image Re-Flash, Variable: 0xD08
Disabled, Value: 0x0 (default)
Enabled, Value: 0x1
Variable to unlock protected range register:
Code:
BIOS SPI Lock:, Variable: 0x258
Enabled, Value: 0x1 (default)
Disabled, Value: 0x0
Edit:
Here is another variable patcher that also enables the ME Re-Flash variable.
(Note: not tested, use with caution)
As you may have noticed, since last week Google wants us, the custom ROM users, to manually register our android_id at the link https://www.google.com/android/uncertified/
It looks simple, doesn't it?
But there's a catch. Each Google account can register up to 100 ids. So if you keep registering new ids after every clean install you're more likely to hit that 100 ids limit soon. That's even worse for the ROM developers as they may flash up to 20-30 ROMs a day.
I'm figuring out that in a different way though. The procedure I'm following is:
A. BEFORE ANYTHING
If you're doing this first time:
1) Copy this database from /data/data/com.google.android.gsf/databases/gservices.db
2.1) Open the database with a SQL editor, or with sqlite3 from adb shell or a terminal emulator, and view android_id with this SQL command:
Code:
SELECT *
FROM main
WHERE name="android_id";
2.2) OR from adb shell:
Code:
$ adb root
$ adb shell 'sqlite3 /data/data/com.google.android.gsf/databases/gservices.db "SELECT * FROM main WHERE name = \"android_id\";"'
3) Then save the value you're seeing to somewhere else, and register to your account at https://www.google.com/android/uncertified/
B. THEN FOR EVERY CLEAN INSTALL
1) Backups and wipes.
2) Flash rom (pt roms with vendors have the firmware included).
3) Flash gapps.
4) Optionally flash a custom kernel.
5) Reboot and configure your device.
6) Flash magisk, reboot.
THEN THIS PART IS IMPORTANT:
7.1) Again copy this database /data/data/com.google.android.gsf/databases/gservices.db, open it in a SQL editor (or with sqlite3 in a terminal emulator or adb shell) and execute this SQL command:
Code:
UPDATE main
SET value=XXXXXXXXXXXXXXXXXXX
WHERE name="android_id";
7.2) OR from adb shell:
Code:
$ adb root
$ adb shell 'sqlite3 /data/data/com.google.android.gsf/databases/gservices.db "UPDATE main SET value=XXXXXXXXXXXXXXXXXXX WHERE name = \"android_id\";"'
Note: XXXXXXXXXXXXXXXXXXX is your android_id as you've learned and registered to your account before (You can see the android_id s you've registered at the same google link).
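The read (step A.2) and restore (step B.7) of the GSF android_id above, plus the decimal-versus-hex distinction from the SM-A500FU post earlier in this page, as an added Python example that is not the poster's own tooling; the `main(name, value)` table layout, the helper names and the sample id are assumptions, and the database is constructed in memory so it runs offline.

```python
"""Read, validate and restore the GSF android_id in gservices.db.

Added example for this thread, not the poster's own tooling. Assumes the
`main(name, value)` table that the SELECT/UPDATE statements above query and
uses a constructed sample id; replace make_sample_db() with
sqlite3.connect(DB_PATH) on a pulled copy of the real database.
"""
import sqlite3
from typing import Optional

# Path named in the thread (root is needed to read it on the device).
DB_PATH = "/data/data/com.google.android.gsf/databases/gservices.db"
# Constructed sample id, not a real device: 0x1234567890abcdef written in the
# decimal form gservices.db stores (the settings.db android_id is hex instead).
SAMPLE_GSF_ID_DEC = "1311768467294899695"


def make_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for gservices.db with the one row the procedure touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE main (name TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO main (name, value) VALUES (?, ?)",
                 ("android_id", SAMPLE_GSF_ID_DEC))
    conn.commit()
    return conn


def read_android_id(conn: sqlite3.Connection) -> Optional[str]:
    """Step A.2: SELECT ... FROM main WHERE name="android_id" (value only)."""
    row = conn.execute("SELECT value FROM main WHERE name = ?",
                       ("android_id",)).fetchone()
    return None if row is None else str(row[0])


def decimal_to_hex(dec_id: str) -> str:
    """Decimal text (gservices.db / registration page) -> 16-hex-digit form.
    Raises ValueError unless the value is a 64-bit unsigned integer."""
    s = dec_id.strip()
    if not s.isdigit() or int(s) >= 2 ** 64:
        raise ValueError(f"not a 64-bit decimal id: {dec_id!r}")
    return f"{int(s):016x}"


def hex_to_decimal(hex_id: str) -> str:
    """Hex form (as ID viewer apps show it, or as typed by hand) -> decimal text,
    the form the registration page displays according to the thread."""
    s = hex_id.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    if not 1 <= len(s) <= 16 or any(c not in "0123456789abcdef" for c in s):
        raise ValueError(f"not a 64-bit hex id: {hex_id!r}")
    return str(int(s, 16))


def restore_android_id(conn: sqlite3.Connection, registered_id_dec: str) -> str:
    """Step B.7: UPDATE main SET value=... WHERE name="android_id", then read
    it back. The id is bound as a parameter rather than pasted into the SQL text,
    and is validated first so a mistyped or hex value cannot be written."""
    decimal_to_hex(registered_id_dec)  # raises if not valid decimal text
    dec = registered_id_dec.strip()
    cur = conn.execute("UPDATE main SET value = ? WHERE name = ?", (dec, "android_id"))
    if cur.rowcount != 1:
        raise RuntimeError("no android_id row: GSF has not initialised the database yet")
    conn.commit()
    readback = read_android_id(conn)
    if readback != dec:
        raise RuntimeError(f"update did not persist, read back {readback!r}")
    return readback


if __name__ == "__main__":
    db = make_sample_db()
    current = read_android_id(db)
    print("current id:", current, "hex:", decimal_to_hex(current))
    # Constructed "previously registered" id, standing in for the XXXX placeholder above.
    print("restored id:", restore_android_id(db, "1234567890123456789"))
```

On a rooted device, pull the database named in DB_PATH with adb, open it with sqlite3.connect() in place of make_sample_db(), and push it back after the update.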
I just registered my IMEI, that one stays the same across factory resets.
Also, Titanium backup has an option to restore a previously used android ID.
muff99 said:
I just registered my IMEI, that one stays the same across factory resets.
Also, Titanium backup has an option to restore a previously used android ID.
Yes, that works too, but this is the manual method for the GSF android_id. Wifi-only devices don't have an IMEI, for example.
https://www.xda-developers.com/google-removes-100-device-registration-limit-uncertified-device-page/
G4B33 said:
https://www.xda-developers.com/google-removes-100-device-registration-limit-uncertified-device-page/
Yes, so now we don't have to do that much hacky-wacky stuff just to get GSF certified status anymore. #YayGoogle?
What if you don't do that?
Seems not to be working. After rebooting, it went back to the previous id.
You know I've just realized that doing exactly what's written on Google's page (that I've shared link of it) doesn't change my status too. My id is exactly what I've registered on the id registration page but no it stays uncertified so you can ignore this post too... I hope we can find a solution soon :/
ccelik97 said:
You know I've just realized that doing exactly what's written on Google's page (that I've shared link of it) doesn't change my status too. My id is exactly what I've registered on the id registration page but no it stays uncertified so you can ignore this post too... I hope we can find a solution soon :/
I think the display will always stay on "not certified", but you are still able to use the Google services (which unregistered custom ROM users are not any more, if I understood correctly).
This is just a guess on my side, I have not tested this (and I can't since I added all kinds of IDs to that registration page ...).
All in all the information flow from Google on this topic has been spectacularly bad, imho.
When I register my GSF id, it's not saved, or a different number is displayed; see my correct ID in the entry field vs the ones registered.
image45 said:
When I register my GSF id, it's not saved, or a different number is displayed; see my correct ID in the entry field vs the ones registered.
That's because you entered it in hex format, it gets converted into decimal.
Also, don't post your id here ... Not sure what happens if other people register your id with their Google account.
muff99 said:
That's because you entered it in hex format, it gets converted into decimal.
Also, don't post your id here ... Not sure what happens if other people register your id with their Google account.
Do I need to convert it or is that an accepted way to submit the information please?
If I try to resubmit it advises already registered.