Hi,
I found information about CVE-2014-7911 and CVE-2014-4322, so I fought this should also work on our Amazon devices with Fire OS 4.5.x. I googled and found this: http://packetstormsecurity.com/files/130112/android-root.zip .It seems that someone had already this idea. I also found out that this method was already used for other devices in this forum. I'm trying to get the source in the zip file to run but it seems that it needs some modifications for Fire OS.
It seems that Fire OS uses a amazon.os.AmazonUserManager instead of Androids UserManager. Has somebody an idea to get information about this class? It looks like that the interface is not found in the Amazon Fire SDK. Has somebody more experience that me with that SDK?
Hope someone is able to help me with this. Root for this device would sincerely improve it in my eyes
Please edit this post so the link will be usable. I do not fulfill the 10 posts restriction.
Follow up to previous post.
I was able to change the code so it will not crash on FireOS. The actual UserManager is in the field mDelegate of the AmazonUserManager.
The change would be:
Code:
UserManager um2 = (UserManager) ctx.getSystemService(Context.USER_SERVICE);
Field fDelegate = um2.getClass().getDeclaredField("mDelegate");
fDelegate.setAccessible(true);
UserManager um = (UserManager) fDelegate.get(um2);
What I achieved is a reset of the device. So I think the ROP chain is wrong for this device. Has somebody ideas in this direction?
EDIT: A right ROP chain on my device (Version 4.5.2) seems to be:
Code:
static int rop_chain_THOR[] = {0x0004eab0,0x000247a4+4+1,0x0003cf90+8,0x0002553d};
Sadly somehow it is still not working.
It seems that we are really able to implement CVE-2014-7911 to work on Fire OS. Attached you will find the log of a crash.
For me it looks like the binary of CVE-2014-4322 is being started but crashes. Could it be that it is not started correctly or that Amazon did already patch CVE-2014-4322?
I will have a further look on this, but I don't have enough time to bring this to a ready solution in a short time. Maybe someone with more experience can have a look on it?
Greetings Phate
why you do not put this in the dev section?
I pretty sure that our devs @vortox , @ggow and @Cpasjuste could help us
ONYXis said:
why you do not put this in the dev section?
I pretty sure that our devs @vortox , @ggow and @Cpasjuste could help us
Click to expand...
Click to collapse
I do not have the permission to create a thread there. Would be nice some mod could move this thread.
I really hope that one of these will work...
Hi, I'll try to take a look this week if I find the time.
Cpasjuste said:
Hi, I'll try to take a look this week if I find the time.
Click to expand...
Click to collapse
This is great. I hope that you can see something.
I confirmed that CVE-2014-7911 is working (with some modifications). The binary of the second stage is started. I could not yet confirm that it is started with system privileges. This would be one of the next steps. Maybe by doing something, that only system can do?
CVE-2014-4322 crashes during the privilege escalation. Maybe Am*zon did something different and we need to change the code.
The second crash of system_server (that causes the partly reset of the device) is normal and is caused by CVE-2014-7911.
More followup:
I added some logcat traces to the binary to be able to find where the second stage crashes.
It is here:
Code:
void* addr = mmap(intArr[0],4096,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,-1,0);
*(int*)addr = 0xE3500000;
*((int*)((int)addr+4)) = 0xe1a0f00e;
memcpy(addr,shell_code2,400);
mmap() and ioctl before are returning 0xffffffff. I really need to find time to read me into this exploit to understand how it works to find a solution to this.
But I confirmed that the binary is running as system user. getuid() reports 1000.
Log is attached. Binary shows itself in the log with the tag msm-ndk.
mmap followup
So I did some digging and was able to duplicate the crash at mmap just as Phate123 however I took it a step further and was able to get it to run through but it doesn't appear to actually escalate to root so the mount doesn't work.
In order to get it to not crash you can change the mmap to the following
void* addr = mmap(intArr[0],4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
Unfortunately this either breaks the exploit or it doesn't work on the 4.5.2. Anyway maybe this will help someone else. I have spent too much time getting this far without any real results and I am way out of my league when it comes to things like mmap.
@awinston: Thx for your reply.
The problem is not mmap. The call to ioctl returns a wrong pointer. It is used again here in inArr[0]. Because of that the call to mmap does not work.
You are right in thinking that this does maybe mean the exploit will not work on 4.5.2 because it is already fixed. But this is yet to confirm. there might be still hope.
ioctl pointer question
So I have been doing more research and cobbling together a variety of the exploits and I wanted to know if I am headed in the right direction, or not, considering I am struggling to understand what I am doing exactly
Here is my most recent log cat attempt
02-13 16:18:13.319 4324-4324/? D/TAG﹕ ROOTUID 1000
02-13 16:18:13.319 4324-4324/? D/TAG﹕ Tzwidevine: 0, app_id: -1098148004
02-13 16:18:13.319 4324-4324/? D/TAG﹕ Keymaster: -1, app_id: 2
02-13 16:18:13.319 4324-4324/? D/TAG﹕ QSEECOM_IOCTL_SEND_CMD_REQ return 0x1 0x1
02-13 16:18:13.319 4324-4324/? D/TAG﹕ ioctl return 0x0
02-13 16:18:13.319 4324-4324/? D/TAG﹕ mmap return 0x400ef000
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xe59f0004
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xe92d0001
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xe8bd8000
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0x40023d2d
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xb5006803
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xd503005a
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0x6122280
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xe0014313
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0x85b005b
02-13 16:18:13.319 4324-4324/? D/TAG﹕ 0xbd0018c0
02-13 16:18:13.319 4324-4324/? D/TAG﹕ QSEECOM_IOCTL_SEND_CMD_REQ
02-13 16:18:13.329 4324-4324/? D/TAG﹕ return 0x1 0x1
02-13 16:18:13.329 4324-4324/? D/TAG﹕ ioctl return 0xffffffff
02-13 16:18:13.329 4324-4324/? D/TAG﹕ ROOTUID 1000
You will notice ioctl returns 0x0 initially which in turn allows me to mmap but it is still not escalating to root. Does this look like what you might expect if I am going in the right direction? That being said if this is promising the next question I have is about the PTMS_FOPS static. I have found versions for 4.4.2, 4.4.4 and 5.0.0 and some unknown version. I have tried all with the same result. Is it possible that we need one for 4.4.3 since that is what 4.5.2 is running?
Anyway if I am barking up the wrong tree just let me know, wanted to throw it out there to see what anyone thought.
Alternatively this means that maybe 4.5.2 isn't vulnerable to this exploit.
I am pretty sure that 4.5.2 is vulnerable. I say this because the qseecom.c provided by Amazon here for 4.5.2 seems to be very close (only some cosmetic changes) to commits 568757f02d9a243bad7f70cebfa414c4a65f361f and ed45a48430e7f67e1648d45514989af0e04f0e97 from Code Aurora.
I did a diff with all the revisions and these two came up with only 3 lines different to the qseecom.c that Amazon released.
I also extracted the kernel image from bootimg.bin and grep-ed after the new format strings included by the patches. The fact that nothing showed up strongly suggests that the kernel build doesn't include the patches.
Now the only step that remains is to get the addresses of the exported symbols (mainly ptmx_fops). The simple way would have been to boot the kernel and get what we need from /proc/kallsyms. Unfortunately the addresses aren't shown by default and the restriction must be dropped by "echo 0 > /proc/sys/kernel/kptr_restrict" as root. As I don't think there is anyone currently running a pre-rooted 4.5.2 rom, the only option remaining is to disassemble the kernel. I hope I'll manage to do this today.
p1gl3t said:
I am pretty sure that 4.5.2 is vulnerable. I say this because the qseecom.c provided by Amazon here for 4.5.2 seems to be very close (only some cosmetic changes) to commits 568757f02d9a243bad7f70cebfa414c4a65f361f and ed45a48430e7f67e1648d45514989af0e04f0e97 from Code Aurora.
Click to expand...
Click to collapse
I would not be sure about that. I don't think the provided source does match the actual implementation 100 percent.
p1gl3t said:
I did a diff with all the revisions and these two came up with only 3 lines different to the qseecom.c that Amazon released.
I also extracted the kernel image from bootimg.bin and grep-ed after the new format strings included by the patches. The fact that nothing showed up strongly suggests that the kernel build doesn't include the patches.
Click to expand...
Click to collapse
This is good news. This could really mean that this might really work.
p1gl3t said:
Now the only step that remains is to get the addresses of the exported symbols (mainly ptmx_fops). The simple way would have been to boot the kernel and get what we need from /proc/kallsyms. Unfortunately the addresses aren't shown by default and the restriction must be dropped by "echo 0 > /proc/sys/kernel/kptr_restrict" as root. As I don't think there is anyone currently running a pre-rooted 4.5.2 rom, the only option remaining is to disassemble the kernel. I hope I'll manage to do this today.
Click to expand...
Click to collapse
I will try that too, but I'm not sure about which symbols are needed and if I'm able to find them.
p1gl3t said:
As I don't think there is anyone currently running a pre-rooted 4.5.2 rom, the only option remaining is to disassemble the kernel. I hope I'll manage to do this today.
Click to expand...
Click to collapse
Cpasjuste posted a 4.5.2 version for TWRP...
Maybe this helps you with testing...
4.5.2 Kernel addresses and symbols
Code:
[+]mmap
mem=b6553000 length=010cad08 offset=09ab5000
[+]kallsyms_addresses=c0aec330
count=00016d24
[+]kallsyms_num_syms=00016d24
[+]kallsyms_names=c0b477d0
[+]kallsyms_markers=c0c4d070
[+]kallsyms_token_table=c0c4d630
[+]kallsyms_token_index=c0c4d9f0
[+]kallsyms_lookup_name
Code:
c11bf690 ptmx_fops
Full list of symbols see attachement
@awinston
Would you mind trying your code changing the define of PTMX_FOPS in the top of the source to 0xc11bf690?
Also would you share the changes you did to it?
Phate123 said:
@awinston
Would you mind trying your code changing the define of PTMX_FOPS in the top of the source to 0xc11bf690?
Also would you share the changes you did to it?
Click to expand...
Click to collapse
Attached as msm3.c
Tried but doesn't seem to work. Feel free to give what I have a try, maybe I am missing something obvious. One oddity is that QSEECOM_IOCTL_APP_LOADED_QUERY_REQ only seems to work after a hard restart. Not sure what that means. Another thing to note is that this version of the exploit is considerably different than some of the other versions I have seen floating around so maybe making some more changes to this one will prove fruitful. The biggest change I made was adding the QSEECOM_IOCTL_APP_LOADED_QUERY_REQ along with some changes to the ion_alloc_data. These changes seem to match more closely the giefroot version that was reverse engineered.
4.5.3 update
Just got 4.5.3 pushed, crap. WARNING to others, not sure what this means for this potential exploit.
Phate123 said:
4.5.2 Kernel addresses and symbols
Code:
[+]mmap
mem=b6553000 length=010cad08 offset=09ab5000
[+]kallsyms_addresses=c0aec330
count=00016d24
[+]kallsyms_num_syms=00016d24
[+]kallsyms_names=c0b477d0
[+]kallsyms_markers=c0c4d070
[+]kallsyms_token_table=c0c4d630
[+]kallsyms_token_index=c0c4d9f0
[+]kallsyms_lookup_name
Code:
c11bf690 ptmx_fops
Full list of symbols see attachement
Click to expand...
Click to collapse
For thor-ship_452-kitkat-build I got C11BF250 b ptmx_fops. Here you have all the symbols and here is the IDA script (credits go to Igor Skochinsky).
---------- Post added at 10:02 PM ---------- Previous post was at 10:00 PM ----------
awinston said:
Just got 4.5.3 pushed, crap. WARNING to others, not sure what this means for this potential exploit.
Click to expand...
Click to collapse
Do a factory reset to delete the downloaded ota and try to use a proxy to block the requests.
Hello I am trying to port the beloved OmniRom to my device which is a KLTE (Samsung Galaxy S5) I have successfully built the ROM from source using kernel and device configs from CM and of course some fixes and cherry picking. The issue I have now is that the ROM will not boot.
I stays at my carrier logo (Samsung) so it does not even let me cat-log. I tried to install the ROM and then restored a backup of Cyanogenmods system directory. It boots to android but all apps forceclose. I did this to see if it was an issue with the boot image and since it can boot to a different system partition I don't believe its a boot.img issue or kernel issue for that matter. Or is it?
Any help getting this to boot would be appreciated. I can provide build logs and my device repo if needed.
gigoo25 said:
Hello I am trying to port the beloved OmniRom to my device which is a KLTE (Samsung Galaxy S5) I have successfully built the ROM from source using kernel and device configs from CM and of course some fixes and cherry picking. The issue I have now is that the ROM will not boot.
I stays at my carrier logo (Samsung) so it does not even let me cat-log. I tried to install the ROM and then restored a backup of Cyanogenmods system directory. It boots to android but all apps forceclose. I did this to see if it was an issue with the boot image and since it can boot to a different system partition I don't believe its a boot.img issue or kernel issue for that matter. Or is it?
Any help getting this to boot would be appreciated. I can provide build logs and my device repo if needed.
Click to expand...
Click to collapse
MSM8974 is our first CAF chipset we're working on supporting.
I'd suggest looking at the Oppo find7/msm8974-common repos as nearly all initial CAF 8974 work is being done on the Find7.
you need android-5.1-caf branches for frameworks/av and frameworks/native for a CAF device until I finish the merge effort
Entropy512 said:
MSM8974 is our first CAF chipset we're working on supporting.
I'd suggest looking at the Oppo find7/msm8974-common repos as nearly all initial CAF 8974 work is being done on the Find7.
you need android-5.1-caf branches for frameworks/av and frameworks/native for a CAF device until I finish the merge effort
Click to expand...
Click to collapse
Thank you! That explains a lot. Maybe you can help me again? I keep coming across building with legacy opposed to CAF and to change it in the configs... What configs are they talking about?
Sent from my SM-G900T using XDA Free mobile app
gigoo25 said:
Thank you! That explains a lot. Maybe you can help me again? I keep coming across building with legacy opposed to CAF and to change it in the configs... What configs are they talking about?
Sent from my SM-G900T using XDA Free mobile app
Click to expand...
Click to collapse
You mean AOSP HALs? It's pretty rare for a CAF device to work with vanilla AOSP HALs.
It's the various QCOM_blah_VARIANT flags - 8974s are caf-bfam
Entropy512 said:
You mean AOSP HALs? It's pretty rare for a CAF device to work with vanilla AOSP HALs.
It's the various QCOM_blah_VARIANT flags - 8974s are caf-bfam
Click to expand...
Click to collapse
Updated my repo to 5.1 source but still getting errors. Here is the device configs that I am using. I am getting the same errors throughout.
First error was
Code:
frameworks/base/core/jni/android_view_Surface.cpp:206:14: error: 'class android::Surface' has no member named 'setDirtyRect'
surface->setDirtyRect(&rect);
Which I solved by cherry-picking THIS
Next I get an error that msmcal-hwdep.h is not found not sure how to fix this yet...
I recreated my devices config from scratch and uploaded it to git... Maybe you can take a look when you have some free time? It would mean alot! https://github.com/Gigoo25/android_device_samsung_klte
gigoo25 said:
Updated my repo to 5.1 source but still getting errors. Here is the device configs that I am using. I am getting the same errors throughout.
First error was
Code:
frameworks/base/core/jni/android_view_Surface.cpp:206:14: error: 'class android::Surface' has no member named 'setDirtyRect'
surface->setDirtyRect(&rect);
Which I solved by cherry-picking THIS
Next I get an error that msmcal-hwdep.h is not found not sure how to fix this yet...
I recreated my devices config from scratch and uploaded it to git... Maybe you can take a look when you have some free time? It would mean alot! https://github.com/Gigoo25/android_device_samsung_klte
Click to expand...
Click to collapse
msmcal_hwdep - look at the stiff in your kernel source under include/ - all of that header-y stuff in some of the Kconfigs
You shouldn't be cherrypicking that, I'm not sure why Max even put that up. Until I finish the CAF av/native merge, anyone declaring QCOM_HARDWARE should be using the android-5.1-caf branches of av and native
Entropy512 said:
msmcal_hwdep - look at the stiff in your kernel source under include/ - all of that header-y stuff in some of the Kconfigs
You shouldn't be cherrypicking that, I'm not sure why Max even put that up. Until I finish the CAF av/native merge, anyone declaring QCOM_HARDWARE should be using the android-5.1-caf branches of av and native
Click to expand...
Click to collapse
Awesome! alright will look into that
Sent from my SM-G900T using XDA Free mobile app
Entropy512 said:
msmcal_hwdep - look at the stiff in your kernel source under include/ - all of that header-y stuff in some of the Kconfigs
You shouldn't be cherrypicking that, I'm not sure why Max even put that up. Until I finish the CAF av/native merge, anyone declaring QCOM_HARDWARE should be using the android-5.1-caf branches of av and native
Click to expand...
Click to collapse
Having issues compiling the camera I get the error
Code:
device/samsung/klte/camera/CameraWrapper.cpp: In function 'char* camera_fixup_setparams(int, const char*)':
device/samsung/klte/camera/CameraWrapper.cpp:161:20: error: 'KEY_DIS' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_DIS, android::CameraParameters::DIS_DISABLE);
^
device/samsung/klte/camera/CameraWrapper.cpp:161:56: error: 'DIS_DISABLE' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_DIS, android::CameraParameters::DIS_DISABLE);
^
device/samsung/klte/camera/CameraWrapper.cpp:162:20: error: 'KEY_ZSL' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_ZSL, android::CameraParameters::ZSL_OFF);
^
device/samsung/klte/camera/CameraWrapper.cpp:162:56: error: 'ZSL_OFF' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_ZSL, android::CameraParameters::ZSL_OFF);
^
device/samsung/klte/camera/CameraWrapper.cpp:164:20: error: 'KEY_ZSL' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_ZSL, android::CameraParameters::ZSL_ON);
^
device/samsung/klte/camera/CameraWrapper.cpp:164:56: error: 'ZSL_ON' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_ZSL, android::CameraParameters::ZSL_ON);
^
make: *** [/home/rob/android/omni51/out/target/product/klte/obj/SHARED_LIBRARIES/camera.msm8974_intermediates/CameraWrapper.o] Error 1
make: *** Waiting for unfinished jobs...
Is this a framework issue?
gigoo25 said:
Having issues compiling the camera I get the error
Code:
device/samsung/klte/camera/CameraWrapper.cpp: In function 'char* camera_fixup_setparams(int, const char*)':
device/samsung/klte/camera/CameraWrapper.cpp:161:20: error: 'KEY_DIS' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_DIS, android::CameraParameters::DIS_DISABLE);
^
device/samsung/klte/camera/CameraWrapper.cpp:161:56: error: 'DIS_DISABLE' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_DIS, android::CameraParameters::DIS_DISABLE);
^
device/samsung/klte/camera/CameraWrapper.cpp:162:20: error: 'KEY_ZSL' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_ZSL, android::CameraParameters::ZSL_OFF);
^
device/samsung/klte/camera/CameraWrapper.cpp:162:56: error: 'ZSL_OFF' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_ZSL, android::CameraParameters::ZSL_OFF);
^
device/samsung/klte/camera/CameraWrapper.cpp:164:20: error: 'KEY_ZSL' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_ZSL, android::CameraParameters::ZSL_ON);
^
device/samsung/klte/camera/CameraWrapper.cpp:164:56: error: 'ZSL_ON' is not a member of 'android::CameraParameters'
params.set(android::CameraParameters::KEY_ZSL, android::CameraParameters::ZSL_ON);
^
make: *** [/home/rob/android/omni51/out/target/product/klte/obj/SHARED_LIBRARIES/camera.msm8974_intermediates/CameraWrapper.o] Error 1
make: *** Waiting for unfinished jobs...
Is this a framework issue?
Click to expand...
Click to collapse
Looks like maybe some missing Samsung patches
Entropy512 said:
Looks like maybe some missing Samsung patches
Click to expand...
Click to collapse
I appreciate all the help you have been giving me in trying to port Omni to the KLTE! I could not have done it without you!
I ended up having a booting and working build when I removed the camera and RIL
RIL gives me an error of
Code:
frameworks/opt/telephony/../../../device/samsung/klte/ril/telephony/java/com/android/internal/telephony/KlteRIL.java:282: error: no suitable constructor found for SignalStrength(int,int,int,int,int,int,int,int,int,int,int,int,int,boolean)
return new SignalStrength(gsmSignalStrength, gsmBitErrorRate, cdmaDbm, cdmaEcio, evdoDbm,
^
constructor SignalStrength.SignalStrength(Parcel) is not applicable
(actual and formal argument lists differ in length)
constructor SignalStrength.SignalStrength(SignalStrength) is not applicable
(actual and formal argument lists differ in length)
constructor SignalStrength.SignalStrength(int,int,int,int,int,int,int,boolean) is not applicable
(actual and formal argument lists differ in length)
constructor SignalStrength.SignalStrength(int,int,int,int,int,int,int,int,int,int,int,int,boolean) is not applicable
(actual and formal argument lists differ in length)
constructor SignalStrength.SignalStrength(boolean) is not applicable
(actual and formal argument lists differ in length)
constructor SignalStrength.SignalStrength() is not applicable
(actual and formal argument lists differ in length)
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
1 error
It should be a frameworks/opt/telephony issue correct? Except it doesn't display the full file path?
gigoo25 said:
I appreciate all the help you have been giving me in trying to port Omni to the KLTE! I could not have done it without you!
I ended up having a booting and working build when I removed the camera and RIL
RIL gives me an error of
Code:
frameworks/opt/telephony/../../../device/samsung/klte/ril/telephony/java/com/android/internal/telephony/KlteRIL.java:282: error: no suitable constructor found for SignalStrength(int,int,int,int,int,int,int,int,int,int,int,int,int,boolean)
return new SignalStrength(gsmSignalStrength, gsmBitErrorRate, cdmaDbm, cdmaEcio, evdoDbm,
^
constructor SignalStrength.SignalStrength(Parcel) is not applicable
(actual and formal argument lists differ in length)
constructor SignalStrength.SignalStrength(SignalStrength) is not applicable
(actual and formal argument lists differ in length)
constructor SignalStrength.SignalStrength(int,int,int,int,int,int,int,boolean) is not applicable
(actual and formal argument lists differ in length)
constructor SignalStrength.SignalStrength(int,int,int,int,int,int,int,int,int,int,int,int,boolean) is not applicable
(actual and formal argument lists differ in length)
constructor SignalStrength.SignalStrength(boolean) is not applicable
(actual and formal argument lists differ in length)
constructor SignalStrength.SignalStrength() is not applicable
(actual and formal argument lists differ in length)
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
1 error
It should be a frameworks/opt/telephony issue correct? Except it doesn't display the full file path?
Click to expand...
Click to collapse
It looks like the KLTE actually specifies its own RIL subclass (interesting trick, I've never seen that before) and that subclass is depending on something in frameworks/opt/tel that Omni doesn't have.
Either find the missing patch in f/opt/tel or figure out how to adapt KlteRIL.java
Entropy512 said:
It looks like the KLTE actually specifies its own RIL subclass (interesting trick, I've never seen that before) and that subclass is depending on something in frameworks/opt/tel that Omni doesn't have.
Either find the missing patch in f/opt/tel or figure out how to adapt KlteRIL.java
Click to expand...
Click to collapse
I seem to have gotten everything working fine besides the camera. The app and libraries compile fine but when the rom boots I cannot see it in the app drawer. When I try to launch it through the lockscreen it just force closes. Not sure what could be causing the problem? All the permissions seem to be checking out, and messing with the BoardConfiv and Device make files has not seemed to help. Any suggestions on how to fix this? Could it be a framework issue?
gigoo25 said:
I seem to have gotten everything working fine besides the camera. The app and libraries compile fine but when the rom boots I cannot see it in the app drawer. When I try to launch it through the lockscreen it just force closes. Not sure what could be causing the problem? All the permissions seem to be checking out, and messing with the BoardConfiv and Device make files has not seemed to help. Any suggestions on how to fix this? Could it be a framework issue?
Click to expand...
Click to collapse
Look through the logcat for camera errors, especially any errors about missing libraries.
Not appearing in app drawer indicates that Android doesn't think there is a camera present. There are 2349734297320 different things that could cause this - missing camera HAL dependency, kernel/HAL mismatch, many other things.
Entropy512 said:
Look through the logcat for camera errors, especially any errors about missing libraries.
Not appearing in app drawer indicates that Android doesn't think there is a camera present. There are 2349734297320 different things that could cause this - missing camera HAL dependency, kernel/HAL mismatch, many other things.
Click to expand...
Click to collapse
Here is what I found in the logcat
Code:
--------- beginning of crash
[ 06-01 20:08:07.366 3437: 3437 E/AndroidRuntime ]
FATAL EXCEPTION: main
Process: com.android.camera2, PID: 3437
java.lang.RuntimeException: Unable to start activity ComponentInfo{com.android.camera2/com.android.camera.CameraActivity}: java.lang.NullPointerException: Attempt to invoke virtual method 'void com.android.camera.util.PhotoSphereHelper$PanoramaViewHelper.onStart()' on a null object reference
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2325)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2387)
at android.app.ActivityThread.access$800(ActivityThread.java:151)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1303)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:135)
at android.app.ActivityThread.main(ActivityThread.java:5254)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Method.java:372)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)
Caused by: java.lang.NullPointerException: Attempt to invoke virtual method 'void com.android.camera.util.PhotoSphereHelper$PanoramaViewHelper.onStart()' on a null object reference
at com.android.camera.CameraActivity.onStartTasks(CameraActivity.java:1885)
at com.android.camera.util.QuickActivity.onStart(QuickActivity.java:111)
at android.app.Instrumentation.callActivityOnStart(Instrumentation.java:1236)
at android.app.Activity.performStart(Activity.java:6006)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2288)
... 10 more
gigoo25 said:
Here is what I found in the logcat
Code:
--------- beginning of crash
[ 06-01 20:08:07.366 3437: 3437 E/AndroidRuntime ]
FATAL EXCEPTION: main
Process: com.android.camera2, PID: 3437
java.lang.RuntimeException: Unable to start activity ComponentInfo{com.android.camera2/com.android.camera.CameraActivity}: java.lang.NullPointerException: Attempt to invoke virtual method 'void com.android.camera.util.PhotoSphereHelper$PanoramaViewHelper.onStart()' on a null object reference
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2325)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2387)
at android.app.ActivityThread.access$800(ActivityThread.java:151)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1303)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:135)
at android.app.ActivityThread.main(ActivityThread.java:5254)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Method.java:372)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:903)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:698)
Caused by: java.lang.NullPointerException: Attempt to invoke virtual method 'void com.android.camera.util.PhotoSphereHelper$PanoramaViewHelper.onStart()' on a null object reference
at com.android.camera.CameraActivity.onStartTasks(CameraActivity.java:1885)
at com.android.camera.util.QuickActivity.onStart(QuickActivity.java:111)
at android.app.Instrumentation.callActivityOnStart(Instrumentation.java:1236)
at android.app.Activity.performStart(Activity.java:6006)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2288)
... 10 more
Click to expand...
Click to collapse
Pretty much - if you can't figure out what is wrong from reading a logcat, most likely, you can't figure out what parts of the logcat are relevant and which are not.
That excerpt basically tells me nothing.
I assume that was from trying to forcefully start the camera with no camera actually present as far as Android was concerned. That's a symptom, not the root cause of the problem. Based on what you've described, the root cause of the problem will likely be visible even if no attempt is made to use the camera.
Entropy512 said:
Pretty much - if you can't figure out what is wrong from reading a logcat, most likely, you can't figure out what parts of the logcat are relevant and which are not.
That excerpt basically tells me nothing.
I assume that was from trying to forcefully start the camera with no camera actually present as far as Android was concerned. That's a symptom, not the root cause of the problem. Based on what you've described, the root cause of the problem will likely be visible even if no attempt is made to use the camera.
Click to expand...
Click to collapse
I've been messing around with the device configurations and logcats. I I think I have found the culprit for my camera not working. It shows that it loads the module but then fails to open it? Is this a CameraWrapper issue? Still trying to fix the camera so I can use this as a daily build but I have limited experience as a developer.
EDIT: Also the camera shows up on first boot but then disappears and says that the application is not installed. I'm trying to logcat it but not sure how to do that on the first boot without allowing my PC
EDIT2: From the looks of it searching the web it seems to be an issue with frameworks/av/camera/CameraParameters.cpp & frameworks/av/camera/include/CameraParameters.h
Code:
I/CameraService( 381): CameraService started (pid=381)
I/CameraService( 381): Loaded "MSM8974 Camera Wrapper" camera module
I/CameraWrapper( 381): camera_get_number_of_cameras
I/CameraWrapper( 381): check_vendor_module
I/PackageManager( 741): /system/priv-app/MmsService changed; collecting certs
I/PackageManager( 741): /system/priv-app/OmniSwitch changed; collecting certs
E/HAL ( 381): load: module=/system/lib/hw/camera.vendor.msm8974.so
E/HAL ( 381): dlopen failed: cannot locate symbol "_ZN7android16CameraParameters25KEY_DYNAMIC_RANGE_CONTROLE" referenced by "camera.vendor.msm8974.so"...
E/CameraWrapper( 381): failed to open vendor camera module
gigoo25 said:
I've been messing around with the device configurations and logcats. I I think I have found the culprit for my camera not working. It shows that it loads the module but then fails to open it? Is this a CameraWrapper issue? Still trying to fix the camera so I can use this as a daily build but I have limited experience as a developer.
EDIT: Also the camera shows up on first boot but then disappears and says that the application is not installed. I'm trying to logcat it but not sure how to do that on the first boot without allowing my PC
EDIT2: From the looks of it searching the web it seems to be an issue with frameworks/av/camera/CameraParameters.cpp & frameworks/av/camera/include/CameraParameters.h
Code:
I/CameraService( 381): CameraService started (pid=381)
I/CameraService( 381): Loaded "MSM8974 Camera Wrapper" camera module
I/CameraWrapper( 381): camera_get_number_of_cameras
I/CameraWrapper( 381): check_vendor_module
I/PackageManager( 741): /system/priv-app/MmsService changed; collecting certs
I/PackageManager( 741): /system/priv-app/OmniSwitch changed; collecting certs
E/HAL ( 381): load: module=/system/lib/hw/camera.vendor.msm8974.so
E/HAL ( 381): dlopen failed: cannot locate symbol "_ZN7android16CameraParameters25KEY_DYNAMIC_RANGE_CONTROLE" referenced by "camera.vendor.msm8974.so"...
E/CameraWrapper( 381): failed to open vendor camera module
Click to expand...
Click to collapse
Looks like a patch for CameraParameters needed by your device is missing since no one has tried to bring that device up before, or hasn't tried bringing it up with 5.x
Since it's a Qualcomm-based device and likely using CAF repos, you'll probably have to patch frameworks/av-caf and not frameworks/av - see https://lists.omnirom.org/pipermail/maintainers/2015-June/000101.html for details (we need to add this info to the wiki...)
Entropy512 said:
Looks like a patch for CameraParameters needed by your device is missing since no one has tried to bring that device up before, or hasn't tried bringing it up with 5.x
Since it's a Qualcomm-based device and likely using CAF repos, you'll probably have to patch frameworks/av-caf and not frameworks/av - see https://lists.omnirom.org/pipermail/maintainers/2015-June/000101.html for details (we need to add this info to the wiki...)
Click to expand...
Click to collapse
So I would have to split av into two folders then applying I believe THIS patch to av-caf in order to compile it properly?
Also does native-caf branch still have to be merged before compiling?
gigoo25 said:
So I would have to split av into two folders then applying I believe THIS patch to av-caf in order to compile it properly?
Also does native-caf branch still have to be merged before compiling?
Click to expand...
Click to collapse
Well, the splitting of av is already done. Native is already merged with ifdefs (it didn't require nearly as much ifdefing as av, so we have a "unified" CAF+AOSP native). The only thing that is needed for device maintainers is adding av-caf to omni.dependencies - see the maintainers list post I linked to, or look at the Oppo find7 history.
So once you're pulling in av-caf via omni.dependencies, you should be able to apply that patch to av-caf and then submit it to Gerrit for review.
You might want to start idling in IRC, #omni is where most device maintainers are (in fact, all maintainers for supported devices idle their routinely, it's now a requirement for maintainers to routinely idle in IRC so they can see what's going on/people can ping them with questions.)
Entropy512 said:
Well, the splitting of av is already done. Native is already merged with ifdefs (it didn't require nearly as much ifdefing as av, so we have a "unified" CAF+AOSP native). The only thing that is needed for device maintainers is adding av-caf to omni.dependencies - see the maintainers list post I linked to, or look at the Oppo find7 history.
So once you're pulling in av-caf via omni.dependencies, you should be able to apply that patch to av-caf and then submit it to Gerrit for review.
You might want to start idling in IRC, #omni is where most device maintainers are (in fact, all maintainers for supported devices idle their routinely, it's now a requirement for maintainers to routinely idle in IRC so they can see what's going on/people can ping them with questions.)
Click to expand...
Click to collapse
Turns out I might of fixed the problem. Instead of messing with frameworks/av I can just override it with a file inside include/camera? Looking back at the Cyanogenmod repo for my device THIS is present while in my source it is not.
Compiling now. Will post results after.
OmniRom 6.0
make update-api doesn't help.
Code:
Checking API: checksystemapi-current
/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/system-api.txt:2065: error 17: Field android.R.style.TextAppearance_Material_Widget_Button_Inverse has changed value from 16974548 to 16974565
/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/system-api.txt:2110: error 17: Field android.R.style.ThemeOverlay_Material_Dialog has changed value from 16974550 to 16974564
/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/system-api.txt:2111: error 17: Field android.R.style.ThemeOverlay_Material_Dialog_Alert has changed value from 16974551 to 16974566
/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/system-api.txt:2220: error 17: Field android.R.style.Theme_Material_Light_LightStatusBar has changed value from 16974549 to 16974563
******************************
You have tried to change the API from what has been previously released in
an SDK. Please fix the errors listed above.
******************************
build/core/tasks/apicheck.mk:92: ошибка выполнения рецепта для цели «/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/checksystemapi-last-timestamp»
make: *** [/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/checksystemapi-last-timestamp] Ошибка 38
make: *** Ожидание завершения заданий…
/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/public_api.txt:1966: error 17: Field android.R.style.TextAppearance_Material_Widget_Button_Inverse has changed value from 16974548 to 16974565
/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/public_api.txt:2011: error 17: Field android.R.style.ThemeOverlay_Material_Dialog has changed value from 16974550 to 16974564
/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/public_api.txt:2012: error 17: Field android.R.style.ThemeOverlay_Material_Dialog_Alert has changed value from 16974551 to 16974566
/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/public_api.txt:2120: error 17: Field android.R.style.Theme_Material_Light_LightStatusBar has changed value from 16974549 to 16974563
******************************
You have tried to change the API from what has been previously released in
an SDK. Please fix the errors listed above.
******************************
build/core/tasks/apicheck.mk:46: ошибка выполнения рецепта для цели «/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/checkpublicapi-last-timestamp»
make: *** [/home/daniil/working_directory/android/OmniRom/6.0/out/target/common/obj/PACKAGING/checkpublicapi-last-timestamp] Ошибка 38
How to fix it?
Hmm. Does this disappear if you use "brunch <device>" instead of "make"?
Obviously it needs to be fixed (someone screwed up...) but if it doesn't fail when using brunch, that explains how this issue was missed (most developers use brunch - which is usually far easier BUT does cause API-check failures to get hidden for some reason.)
Entropy512 Thank you.
Solution: Assemble a team brunch instead of make.
Topic can be closed.
DANIIL2017 said:
Entropy512 Thank you.
Solution: Assemble a team brunch instead of make.
Topic can be closed.
Click to expand...
Click to collapse
While you've worked around the problem, I think there's still some investigation on the end of others to figure out why it's breaking - because that's an indication of a potential problem there.
I had the same problem when building my rom for P8 Lite.
I tried "make update-api" but the problem was still present.
Entropy512 said:
While you've worked around the problem, I think there's still some investigation on the end of others to figure out why it's breaking - because that's an indication of a potential problem there.
Click to expand...
Click to collapse
Is there already a solution for this problem, i still have the same problem while building for a non official Omnirom device.
Finally found a solution for the problem:
In the file "build/core/tasks/apicheck.mk" change line 21.
Code:
ifeq (,$(filter true, $(WITHOUT_CHECK_API) $(TARGET_BUILD_PDK)))
change to
Code:
ifeq (,$(filter true, true $(WITHOUT_CHECK_API) $(TARGET_BUILD_PDK)))
It's a workaround but now i can finally build my tree.
I've been trying tons of different gcam versions, some of them open up with a compatibility pop up, but do seem to work. However a lot of confirmed working ones, by other people, close immediately after opening them. My phone has been running China developer Rom for quite a while now, flashed through XiaomiToolV2 and was recognized as Lavender. It was also bought from the Xiaomi online store in China.
Here is a the error log MIUI gives me when I press View Summary after the crash:
java.lang.RuntimeException: Unable to create application com.google.android.apps.camera.legacy.app.app.CameraApp: java.lang.SecurityException: Failed to find provider com.google.android.gsf.gservices for user 0; expected to find a valid ContentProvider for this authority
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5954)
at android.app.ActivityThread.access$1200(ActivityThread.java:200)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1673)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:201)
at android.app.ActivityThread.main(ActivityThread.java:6810)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:547)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:873)
Caused by: java.lang.SecurityException: Failed to find provider com.google.android.gsf.gservices for user 0; expected to find a valid ContentProvider for this authority
at android.os.Parcel.createException(Parcel.java:1953)
at android.os.Parcel.readException(Parcel.java:1921)
at android.os.Parcel.readException(Parcel.java:1871)
at android.content.IContentService$Stub$Proxy.registerContentObserver(IContentService.java:849)
at android.content.ContentResolver.registerContentObserver(ContentResolver.java:1988)
at android.content.ContentResolver.registerContentObserver(ContentResolver.java:1977)
at lhq.a(Unknown Source:34)
at lhq.b(Unknown Source:3)
at lhq.a(Unknown Source:0)
at com.google.android.apps.camera.legacy.app.app.CameraApp.onCreate(Unknown Source:24)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1155)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5949)
... 8 more
Caused by: android.os.RemoteException: Remote stack trace:
at com.android.server.content.ContentService.registerContentObserver(ContentService.java:340)
at android.content.IContentService$Stub.onTransact(IContentService.java:76)
at com.android.server.content.ContentService.onTransact(ContentService.java:262)
at android.os.Binder.execTransact(Binder.java:730)
Hope someone can decipher this and help me out here.
This should be causing because of China dev. rom, I think.
Its been the same situation since I bought this phone, so same happened on China stable as well. Never seen anyone talk about having a similar problem.
kogadin said:
Its been the same situation since I bought this phone, so same happened on China stable as well. Never seen anyone talk about having a similar problem.
Click to expand...
Click to collapse
Unlock bootloader and flash Global EEA stable ROM and try again. But don't lock the bootloader.