VPN and AFWall+ - Shield Android TV Q&A, Help & Troubleshooting

I have a Shield TV arriving later today. On my previous Android box I set up a VPN with a kill switch via AFWall+. This involved the installation of the OpenVPN Connect application with my VPN provider details, then I used AFWall+ to prevent any data that didn't originate via a VPN connection, effectively making this a kill switch. This involved allowing both the OpenVPN application and Android's VPN API full access. It's the latter I'm enquiring about: does this API exist on the Shield TV? I've heard that native VPN isn't possible as the normal VPN settings aren't present. But does that include the VPN service API itself?

No one?

Beefheart said:
I have a Shield TV arriving later today. On my previous Android box I set up a VPN with a kill switch via AFWall+. This involved the installation of the OpenVPN Connect application with my VPN provider details, then I used AFWall+ to prevent any data that didn't originate via a VPN connection, effectively making this a kill switch. This involved allowing both the OpenVPN application and Android's VPN API full access. It's the latter I'm enquiring about: does this API exist on the Shield TV? I've heard that native VPN isn't possible as the normal VPN settings aren't present. But does that include the VPN service API itself?
I have the exact same setup on all my devices, including Shield TV, although I've only had to allow the OpenVPN app, wifi/data/VPN access for things to work; I've never had to allow Android's VPN... Is there a specific reason you grant Android VPN access? Does it not work otherwise?
I use the other OpenVPN app, by the way.

I originally set it up on the tutorial in the link below, which mentions that the VPN Networking service needs to have full access. Is that service present on the Shield?
https://www.privateinternetaccess.c...otection-on-android-with-afwall-requires-root

Beefheart said:
I originally set it up on the tutorial in the link below, which mentions that the VPN Networking service needs to have full access. Is that service present on the Shield?
https://www.privateinternetaccess.c...otection-on-android-with-afwall-requires-root
I just checked for you, and yes, it's there. Mind you, I'm using zulu's full ROM; not sure about stock ROM, but as with all my devices, I haven't needed to allow this for VPN to work.
Unless there's a specific reason to do so, try without on your current devices. I suspect VPN networking may only apply if you use Android's inbuilt VPN found in settings.
Edit
By the way, I don't know how far you wanna take it, but AFWall has Tasker plugin support, which I use to apply an AFWall profile I named "secure" that denies everything when the screen turns off... as well as other things in the same vein.
Edit
I do it a little differently than what your link suggests: I only allow the bare minimum of apps, those that I actually need internet for... If an app has internet capability but I have no need for that side of it, it's denied. I don't whitelist ALL apps for VPN as your link suggests.
I also suspect that guide was written for Private Internet's method of using VPN on Android, so maybe VPN networking applies if using Private Internet, but as for my OpenVPN app, it's not needed... neither is "GPS".

Cheers. Everything set up and working perfectly in stock, no DNS leaks. A combination of AFWall+, VPN and Xprivacy has the device locked down pretty well.
And what a device, the speed is in another league compared to other similar boxes and worth the extra money. I'm glad I returned my newly purchased Minix Neo U1, this thing is so much faster and not as restricted as I was led to believe. With a bit of work the Shield TV, even on stock, can do as much as any other Android based TV box, even one based on vanilla.

Beefheart said:
Cheers. Everything set up and working perfectly in stock, no DNS leaks. A combination of AFWall+, VPN and Xprivacy has the device locked down pretty well.
And what a device, the speed is in another league compared to other similar boxes and worth the extra money. I'm glad I returned my newly purchased Minix Neo U1, this thing is so much faster and not as restricted as I was led to believe. With a bit of work the Shield TV, even on stock, can do as much as any other Android based TV box, even one based on vanilla.
Yep, I've said it before and I'll say it again, the Shield's an impressive piece of kit for sure.
Xprivacy... snap.
We seem to have a very similar setup... Believe me, if you wanna take it further at some point in the future... Tasker... although, fair warning, there's a learning curve.
Just some of the more basic things I automate with Tasker with plugins like AFWall's:
When the screen goes off, Tasker...
Turns off wifi/3G
Turns off Bluetooth
AFWall secure profile
Greenify all preselected apps
Turn off "unknown sources" for extra measure, as Tasker turns this off after it detects an APK install anyway
Turn off "debugging", in case I turn it on one day out of need and forget to turn it off
Media volume set to 4 (edit: this one's a bit out of place)
Apply AFWall profiles depending on what app you happen to be using
Many possibilities with Tasker, VERY useful for many things.
Non security related... kinda... could potentially be used for such if modified:
I have a small Bluetooth media remote which has the numbers 1 to ten. With Tasker and the Xposed Additions module, I fooled around with it: pressing 1 connects the Shield's Bluetooth to the bedroom speakers, long pressing 1 connects to the living room speakers... I can imagine myself doing some neat stuff with this combination of apps and future accessories.
Also, I use it to turn the Shield's light LED to dim to let me know at a glance if the Shield's on or asleep, without having to change the channel.
Food for thought for those with similar setups.
Edit
By the way, you mention DNS leak. I assume you used a test site to check for the leak, any chance of a link? In case it's something very new.
This is the one I use:
https://ipleak.net/
Detects WebRTC leaks on the specific browser you happen to be using at the time.
Edit
For those interested
More on WebRTC here
https://www.privateinternetaccess.c...ome-and-mozilla-firefox-while-using-private-i
If you use Firefox or Chrome, you can disable it manually following this guide
https://www.purevpn.com/blog/disable-webrtc-in-chrome-and-firefox-to-protect-anonymity/
I think there are addons as well.
Edit
"and not as restricted as I was led to believe"
Yep, I had the same thoughts, just my own assumption really, that Android TV was completely different, internally, to "standard" Android. Pleasantly surprised, no incompatibilities so far... Good to know that stock is like that too.

Cheers, I'll read into all that.
One issue I'm finding at the moment is that, on a reboot, AFWall+ doesn't apply as default on the Shield and has to be done manually. This doesn't happen on my Note 3 running Lollipop. I'm sure there is a simple explanation, I'll look into it a bit more.
That website is the one I use to check leaks but there are numerous others too.

Beefheart said:
Cheers, I'll read into all that.
One issue I'm finding at the moment is that, on a reboot, AFWall+ doesn't apply as default on the Shield and has to be done manually. This doesn't happen on my Note 3 running Lollipop. I'm sure there is a simple explanation, I'll look into it a bit more.
That website is the one I use to check leaks but there are numerous others too.
I'm not sure I understand fully: AFWall is not enabled? Or AFWall IS enabled, but your preferred profile is not "applied"?
On full Android at least, AFWall is enabled upon reboot; I haven't had any issues in that regard. (Saw your other post.) I don't need an init.d script (useful to have though, if/when possible).
Have you tried reverting all AFWall's settings to default, to rule out that likely suspect?
Another likely suspect: Xprivacy, but that depends on whether you restrict everything like I do, including system apps. If so, have you checked Xprivacy's usage data for AFWall and global apps?
Another suspect could be stock firmware, but I have my doubts about that one.
Assuming I'm understanding the issue correctly.
Edit
I don't have "fix startup data leak" checked (as we don't have init.d), nor IPv6 support checked as your link described.
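The kill switch discussed in this thread rests on one property of the outbound firewall rules: only the VPN client may use the physical interface, and every other app may leave only through the tunnel. As an added example (not from the posters and not AFWall+'s own code), the Python below evaluates `iptables -S` style output against that property, including the "rules not applied after reboot" case raised above. The chain names, UIDs and rulesets are constructed, and only `-o`, `--uid-owner` and `-j` are modelled.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_ruleset(text):
    """Parse `iptables -S` style lines into (policies, chains)."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":                       # -P OUTPUT DROP
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif tok[0] == "-N":                     # -N user-chain
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":                     # -A CHAIN [matches] -j TARGET
            rule = {"out": None, "uid": None, "target": None}
            opts = tok[2:]
            for flag, value in zip(opts[0::2], opts[1::2]):
                if flag == "-o":
                    rule["out"] = value
                elif flag == "--uid-owner":
                    rule["uid"] = int(value)
                elif flag == "-j":
                    rule["target"] = value
                elif flag != "-m":               # "-m owner" only loads the match
                    raise ValueError(f"unsupported match {flag!r} in: {line}")
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains

def _iface_match(pattern, iface):
    if pattern is None:
        return True
    if pattern.endswith("+"):                    # iptables wildcard, e.g. tun+
        return iface.startswith(pattern[:-1])
    return pattern == iface

def verdict(policies, chains, uid, out_iface, chain="OUTPUT"):
    """Walk the rules in order for one (uid, interface) packet."""
    for rule in chains.get(chain, []):
        if not _iface_match(rule["out"], out_iface):
            continue
        if rule["uid"] is not None and rule["uid"] != uid:
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        if target in chains:                     # jump into a user chain
            sub = verdict(policies, chains, uid, out_iface, target)
            if sub is not None:
                return sub
    return policies.get(chain)                   # None for user chains: caller continues

def audit_killswitch(text, vpn_uid, app_uids,
                     physical=("wlan0", "eth0"), tunnel="tun0"):
    """Return a list of findings; an empty list means the kill switch holds."""
    policies, chains = parse_ruleset(text)
    findings = []
    for uid in app_uids:
        for iface in physical:
            if verdict(policies, chains, uid, iface) == "ACCEPT":
                findings.append(f"uid {uid} can leak via {iface}")
        if verdict(policies, chains, uid, tunnel) != "ACCEPT":
            findings.append(f"uid {uid} is blocked on {tunnel}")
    for iface in physical:
        if verdict(policies, chains, vpn_uid, iface) != "ACCEPT":
            findings.append(f"VPN client uid {vpn_uid} cannot reach {iface}")
    return findings

# Constructed sample rulesets. UID 10050 stands for the VPN client,
# 10071 and 10093 for two whitelisted apps; chain names are made up.
APPLIED = """
-P OUTPUT DROP
-N fw-vpn
-N fw-wifi
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j fw-vpn
-A OUTPUT -o wlan+ -j fw-wifi
-A OUTPUT -o eth+ -j fw-wifi
-A fw-vpn -m owner --uid-owner 10071 -j ACCEPT
-A fw-vpn -m owner --uid-owner 10093 -j ACCEPT
-A fw-wifi -m owner --uid-owner 10050 -j ACCEPT
"""

# State when the firewall rules were never applied after a reboot.
UNAPPLIED = "-P OUTPUT ACCEPT\n"

# One app allowed on every interface ahead of the interface dispatch.
OVERBROAD = APPLIED.replace(
    "-A OUTPUT -o lo -j ACCEPT",
    "-A OUTPUT -m owner --uid-owner 10093 -j ACCEPT\n-A OUTPUT -o lo -j ACCEPT")

if __name__ == "__main__":
    for name, rules in (("applied", APPLIED), ("unapplied", UNAPPLIED),
                        ("overbroad", OVERBROAD)):
        print(name, audit_killswitch(rules, 10050, [10071, 10093]) or "OK")
```

On a real device the input would come from `iptables -S` run as root, and rules using matches beyond the three modelled here raise an error rather than being silently ignored.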

Related

HTTP POST Capture

I was wondering whether there is such software for Android that can capture HTTP POSTs before sending, i.e. like the Firefox addons you can get and apps like HTTP Analyzer?
This would be really useful for testing purposes.
Cheers.
Gazos
You can try some general traffic capture tools (like tcpdump or airodump-ng). If you have a rooted phone, check out Shark for Root (tcpdump on phone).
Thanks for the update but I guess what I want is real time captures (and manipulation) like it's possible in Firefox using only the phone.
I currently use tcpdump to capture data but want to edit the data before it's sent out.
You can try to find/write small proxy server application and run it on phone, so you will be in control.
ex87 said:
You can try to find/write small proxy server application and run it on phone, so you will be in control.
Or you could run paros (http://sourceforge.net/projects/paros/files/) on a machine on your network and get the android browser to use it as the proxy (which looks like a bit of a task in itself.)
The only viable way I can think of to do this (given Android's insane lack of proxy support) is to hack a custom firmware for a Linksys WRT54g so it basically routes everything to a transparent proxy (Fiddler2, Webscarab, Paros, Burp, etc) running on a PC. Something like this:
Android =[wi-fi]=> WRT54g -[ethernet]-> PC with proxy -> internet router
It might even be possible to achieve this without hacking the WRT54g.
The only problem you might still have (not sure) is Android's handling of invalid SSL certs since the proxy would basically be doing a man in the middle attack, and the app running on the Android phone would see an invalid SSL cert.
Be warned that trying this with a Windows host PC is almost guaranteed to fail unless it's Pro/Ultimate, and in any case this is going to involve some seriously hardcore manual routing config that goes beyond anything Windows' config screens were really intended to set up.
You can try to find/write small proxy server application and run it on phone, so you will be in control.
I'm pretty sure I saw this discussed on the android.security list, and the consensus was that the current API doesn't give any way to do this transparently, and it's questionable whether you could even implement something like WebScarab natively on Android using the NDK. I believe the general consensus was that if you want to host something like WebScarab on Android, it's going to take a custom kernel to pull it off, and some solution that lets you offload the actual proxying to a regular PC would be infinitely easier to pull off, and less cumbersome to use for actual security testing (it's enough of a pain trying to use Fiddler2 or Webscarab with a 1280x1024 display, let alone 854x480... not to mention trying to cut and paste examples into Word Documents for vulnerability assessment reports (shudder)).
^^^ OMG. I just installed AOSP ("Buufed") for the CDMA Hero, and it actually HAS the ability to set proxy for WiFi. I haven't tried it yet, and I'm not sure whether it's purely an "AOSP" feature or something I've just overlooked up to now that was in DamageControl, but it looks like at least *some* Android builds DO have it now

How to tether in Gingerbread using built in 3g hotspot.

Gingerbread on Droidx has broken my wifi tether. When attempting to enable wifi tether the default (vzw/moto) 3g tether app comes up in notification area. Anyone have any solutions? If/when I find the solution I will update this post.
Thanks
Sent from my NookColor using Tapatalk
I figured out how to fix it. The Team black hat patcher works.
1. Download the file below (from your phone probably easiest)
2. Launch DROID 2 BOOTSTRAPPER which can also be downloaded from below.
3. Bootstrap recovery
4. Reboot recovery
5. Install zip from SDcard
6. If using the default Android browser, the file will be in /download
7. Install the zip
8. Reboot phone, launch 3g hotspot (Wireless Tether for Root users not necessary)
9. Enable 3g, connect with computer/laptop/nook/tablet
10. Enjoy free 3g!!!
Downloads:
1. Team Black Hat Patcher
2. Team Black Hat Unpatcher
3. Droid 2 Bootstrapper
I take no credit for any of this! I just put it together and followed directions. All thanks goes to Koush, P3Droid, Team Black Hat, etc...
Deleted.
sdf
Anyone else can confirm this working?
Brenardo said:
Anyone else can confirm this working?
I updated the OP. Works great for me!
why does using the stock app make me nervous
faber78 said:
why does using the stock app make me nervous
LOL. Probably because VZW is big and scary and their favorite color is red. All they want from their customers is blood!
LOL. More info on how this works can be found here:
http://www.mydroidworld.com/forums/android-hacks/5156-tbh-droid-3g-hotspot-nvram-hack.html
Here's their explanation:
This thread is intended to explain the principles behind tethering and how to use RadioComm to modify the NVM to allow tethering via all methods
on any Motorola Droid device by all users, regardless of whether they are rooted or not.
This is the method we at TeamBlackHat used to create the Tether_Repair patches that were released recently for rooted DX/D2 users in update.zip format
and applied via the Koush bootstrap recovery.
It is based on years old knowledge developed in the early days of CDMA Motorola hacking on the V710/V3c/e815 devices.
All of the information, techniques and software tools to do this are in the public domain already.
What we did is simply take that knowledge and apply it with the latest Service software and methods to the Droid generation devices and packaged it
in a new format for delivery that was never previously available to us before the advent of Android.
We will be releasing the manual method for RadioComm when we have worked through all the details for doing it on Win 7.
Currently the versions of RadioComm available on the net are for Win XP only.
We did it initially as a Proof of Concept of methods for writing to NV items via update.zip using Motorola's own binaries that we have recently developed.
We were not intending to release it at all and all agreed that it would be very controversial and raise many ethical questions as well as attracting the wrong
kind of attention to us as a group at a time when we had just been served a C&D for leaking the 2.3.9 update.zip file.
All of this really came about as a direct result of the examination of the NVM we did investigating nenolod's claims about an Engineering mode "switch"
that unlocked the bootloader on DX/D2. Those claims turned out to be unfounded and false and our work, and in particular MotoCache1's incisive analysis
of the boot process with help from [mbm], was instrumental in revealing that fact.
Not exactly what we had in mind to do but we were among the few who had the tools and wherewithal to determine the validity of what nenolod was claiming,
particularly in the beginning when he had released very little hard data to back up his suggestion that there was such a string hiding in the NVM.
Nonetheless, while revisiting the NVM and exploring methods to dump the memory we came upon this set of NV items that determines how the radio builds the
authentication strings it autowrites at bootup for data services. I was aware of their existence for months since they were revealed in a thread
I participated in on HoFo for service programming on the original Droid. That thread was directed towards the methods required to get the Droid on
a different carrier like Cricket or Metro.
In any event, I knew what they would do if modified in this way and decided to use that as a test of MotoCache1's work with the update.zip binaries.
I used RadioComm to edit them individually and MotoCache1 did the really brilliant work of turning this very old school hack into a beautiful,
elegantly delivered package. This proved the power of what we were capable of as a team and we still unanimously decided against releasing
a packaged theft of services hack as not the right thing to do.
We have reconsidered now in the light of these other exploits surfacing which utilize various software level tricks for getting "Free" tethering
with the new 3G Mobile Hotspot app included on DX and D2. I had always felt that this was inevitable and that others would soon put the pieces together
in the same way we had done.
This is a fundamentally different modality but accomplishes exactly the same thing as any other exploit designed to subvert VZW's intent
to differentiate between externally routed modem data and internal data use and charge for that service.
This includes all forms of exploits and applications like PDAnet and WMWiFiRouter(WinMo 6.1) and now Barnacle, whose entire business model is to use
software level methods to mask tethered data and have marketed them as such for years.
All of these methods absolutely violate the TOS agreement with VZW.
This method simply alters that behavior at the lowest level possible on the device, the radio NVM.
It works because of the way VZW chose to setup authentication on their network when they released the first EvDO capable phones in late 2004-2005.
The methods and software tools to access the NVM as well as the blocks put in place by Qualcomm and Motorola for protecting these
authentication components have evolved dynamically over the years with advancements in chipset design and software, but the principles
have always remained the same. Hex editing the NVM items via a given tool to make the Tethered NAI(Network Access Identifier) strings
match the NAI strings for internal data.
These are basically your user name on the network and consist of the MIP profile byte, a line length byte and your 10 digit telephone number
followed by either @dun.vzw3g.com for tethered NAI or @vzw3g.com for the NAI. By removing the "dun." from the tethered NAI string
you enable all forms of data use to appear to the network as internal and using the normal NAI string.
The difference between the current technique and former methods is that the items edited for this hack are not those strings themselves,
but actually where the default values are stored that the radio uses to build the full strings that it autowrites to the fixed, protected locations in the NVM
for the authentication components in the MIP(Mobile Internet Protocol) profile itself, which happens at bootup.
This is the means by which they prevented the items from being modified by typical service programming tools like QPST.
But, because we know the location for those hidden partial strings, it actually makes our work much simpler.
After editing these four strings, the phone itself uses those values to autowrite the properly configured MIP profile strings for you.
It couldn't be any easier!
Despite our initial concern about releasing this publicly, we have decided after much discussion to do so anyway.
With all of the recent exploits that are directly targeting the 3g Mobile Hotspot app we feel that revealing the way to do it properly
will level the playing field for everyone as well as giving the community a truer and more complete understanding of how it works.
This way users can make up their own minds as to whether to use any of the available methods of "free" tethering with a clear view
of the ethical and technical issues involved.
Hopefully this thread will generate a healthy discussion about the issues.
We at TeamBlackHat believe in providing the knowledge so users can make their own decisions with the best information available.
Please use your own judgment about whether to use this or any tethering modifications.
Enjoy!
So can anyone else confirm this working? Besides snwagner?
Works perfectly.....
Been using TBH's 3G hotspot patch since they released it. Worked fine on Froyo and fine now on GB
Works perfect did it before and after gb leak
Sent from my DROIDX using XDA Premium App
Works for past 4 months no extra on vzw bill either
Beamed from my Gingerbreaded DroidXtreme
Works for me.
Followed the steps, still no go...
I came from Liberty 1.5 and used the wifi tether for root with no problems. I followed the steps and installed the Tether Patcher. My laptop can get an IP address from the phone but I can't do anything more than that. Any ideas?
I am having the same issue with the tether patch. I get an ip address, but no data comes through (tried on multiple computers). I, however, did not come from liberty - stock rom / (but rooted, obviously).
+++edit to add+++
When I first upgraded to GB, I installed the Android Wifi Tether app (3.0-pre12). That didn't work correctly (both the wifi app and hotspot app icons came on in the tray and it was really buggy), so I uninstalled the wifi app and applied the patch. The patch, as I said, would assign an ip but not transmit any data. So, I just reinstalled the tether app (with the patch still applied) and it works! Now only the stock icon appears in the tray and it works faster than ever. Using it as I type.
wifi tether app: hxxp://code.google.com/p/android-wifi-tether/downloads/detail?name=wifi_tether_v3_0-pre12.apk&can=2&q=
bndggle said:
I am having the same issue with the tether patch. I get an ip address, but no data comes through (tried on multiple computers). I, however, did not come from liberty - stock rom / (but rooted, obviously).
+++edit to add+++
When I first upgraded to GB, I installed the Android Wifi Tether app (3.0-pre12). That didn't work correctly (both the wifi app and hotspot app icons came on in the tray and it was really buggy), so I uninstalled the wifi app and applied the patch. The patch, as I said, would assign an ip but not transmit any data. So, I just reinstalled the tether app (with the patch still applied) and it works! Now only the stock icon appears in the tray and it works faster than ever. Using it as I type.
wifi tether app: hxxp://code.google.com/p/android-wifi-tether/downloads/detail?name=wifi_tether_v3_0-pre12.apk&can=2&q=
Thanks! I installed the Android Wifi Tether app and managed to get it working too. Initially after installing the Wifi Tether, it would get an IP, I could ping the gateway but still couldn't get to the outside world even though the computer said it had internet access (incidentally, I would also have both the wifi and built-in app icons in the tray). What worked for me was to enable access control and then disable access control. Now I have just the Wifi icon in the tray and I'm using it flawlessly right now.
After a reboot, I do have both icons in the tray again but it still works without issue. That works for me!
In order to get the stock tethering app working I had to change my dns servers.
I was in the same boat as bndggle. Tried his fix and nothing happened. The only thing that worked before I tried his fix and after is just leaving the tether running. After a few min I will get a message on my status bar saying that my 3g connection failed. I lose 3g, then it returns and I magically have internet access.
Another thing I noticed is that when I start the tether not only is the host not connected to the internet, the phone is also.
I don't get the point of this when you can just download the wireless tether app from the store for free. What's the difference? Or is the reason that people are using this method because the wireless tether app doesn't work on GB? If that is true, then I'll stay with Froyo until that gets fixed in the OTA release of GB.
Do you patch and unpatch, or just patch? I tried to patch, and the tether still does not work. Any suggestions?
iammebane said:
Do you patch and unpatch, or just patch? I tried to patch, and the tether still does not work. Any suggestions?
Uninstall the Android Wifi Tether app (3.0-pre12) and reinstall. Then reboot. That's what worked for me. I have not removed the patch.

Reasons, Advantages and Disadvantages to unlock/root the G5 Plus

I am asking myself - specifically for the G5 Plus, but probably in a more general sense - where the huge advantages and disadvantages of rooting are, considering that the G5 Plus comes with a relatively clean Android 7.XXX and not an old overloaded Android version, which didn't use to have many of the capabilities that Android 7 offers. I know that my questions might particularly overlap with questions in other topics, but for sure not every question, especially specific G5 Plus questions.
Overall I am interested in the topics security and product experience, if you want to call it that. I ask myself: Is root still worth losing warranty or is it not? Keywords or key questions that cross my mind are:
OTA updates: I guess those won't be possible anymore?
Encryption: Will it still work and increase security if the phone is lost?
Backup functionality, especially in combination with cloud services: Is there something like -back up my whole phone down to the very core on some Google server (best protected with a password and some AES256 encryption)- so that I can restore it some day in an easy manner? How would you back up your phone and settings, etc. with and without root?
Safety: What could happen if I lose my (bootloader unlocked and) rooted phone: Will someone be able to read my passwords (e.g. google...) and other sensitive information directly from the phone, even if it was locked, in the moment I lost it? What is the worst thing that could happen?
Root Functionality: How does the root access / superuser specifically work, e.g. if I'd accidentally install an app or similar which might contain a virus: Is an app like this instantly capable of messing up my whole system or will I be able to manually confirm specific security related changes, especially system changes, that an app might try to do? In other words: Does root mean that the system will be wasted by even the tiniest mistake or is there some security buffer?
Unlock Bootloader only: Is it an option (or does it make any sense to you) to just unlock the bootloader and install the G5 Plus TWRP recovery without rooting the phone, and does this give any advantages or is this just a totally nonsensical option, which is maybe not even possible? If I got it right, rooting does not necessarily need to reset the phone in any way, while unlocking the bootloader forces a reset, right? In this context I was also asking myself if unlocking the bootloader (now that I haven't wasted precious time on customizing my phone yet) right now is a useful option (without any disadvantage besides losing the warranty), and if I ever experience the necessity to root, I will only need like 2 commands and it is done - without having to reset my phone again?
Root Must Have: Is there any specific functionality or reason - you would say - one should definitely root the phone for, as it is a must-have functionality which would be locked without root? I only have virtual examples, e.g. if Nougat would prevent me from changing the volume to a level higher than 50 % and the absolute exclusive possibility to change this was to get root access. Another example, although really not that critical a one, could be: I noticed that I am only allowed to install 5 different fingerprints... root could give me the possibility to install infinite fingerprints?
Feature Loss: Does one lose some other neat features or functionality that is usually provided by Google or Motorola if the phone is not rooted but not possible anymore if it is rooted?
Third Party Trust: How can you people trust the TWRP Backup or custom ROMs? Don't you fear that there might be a virus or trojan horse within?
Best regards and thanks in advance for your patience with a newbie
No response?
172 views, no answers :-/. Guys tell me: Is it due to the length of the text? Is it something else? I could split it up in several questions, but I thought that this would be unwanted.
And I will be thankful for every help on either of the bold buzzwords, it is not like you need to comment on everything
Must have for me: correct timestamps when moving or copying files using TC. Only possible with root.
Unlock only: yes makes sense. Unlock is the part where you lose all data, and then you can use fastboot boot to make backup. Rooting itself should not lose any data, so it is advantageous to unlock early. Root has time.
Lost functionality: on most devices using Magisk 12 you can pass SafetyNet, which means you can use Android pay, play Pokemon go etc, but the apps trying to detect root/unlocked devices get changed and may not work anymore at some time. Probably you will have lost this possibility when starting with unlocked bootloader and need to install Magisk to get green SafetyNet. Magisk hides the unlocked bootloader.
OTA: do a backup of boot partition before rooting, do no modifications on other partitions than data, cache and boot and you should be fine restoring boot partition to do OTA. It's easy to overlook some app using root to write system, logo, recovery, something, but backup should help. Or install complete firmware, then OTA is possible again.
Note: I do not have the device, just saw the questions which have the same answers for all current Motorola Android devices - you may search in general forums or forums for similar devices for answers
OTA updates: if you are rooted you have tampered with the system partition and therefore OTAs are not easily installed.
Encryption: it is possible to wipe the phone and use it if you are unlocked.
Backup functionality: Google already does back up some settings natively. You can still do an adb backup even without root.
Safety: if they are techies they know how to access files via TWRP etc., but the worst thing is they just wipe it and use the phone.
Root Functionality: root gives some apps access to the system partition, which is not possible normally. If you install some dubious app which wants access to root to mess with your system, you are lost.
Unlock Bootloader only: you need to unlock the phone to root it. By unlocking, your phone is wiped clean. Then you can root it. The advantage of installing TWRP is the "easy backups" and installing custom ROMs or even root. There are no real advantages or disadvantages anymore. Earlier you had to unlock/root/install a custom ROM to have some extra functionalities, but Android did mature and has most functions built in.
Root Must Have: there may be some system limits which you can bypass with root, like headphone volume limit, reading wifi passwords and/or having systemwide adblock. I personally do not see a benefit anymore. I used to root for having system-wide adblock but I can achieve it with rootless apps like AdGuard.
Feature Loss: you will lose Android Pay. You cannot use some apps like Mario Run or Pokemon Go. You will lose the OTA feature.
Third Party Trust: actually I don't know. With the custom ROM base growing I only trust official LineageOS as it is reviewed by many people before building. Therefore the chance of having some spyware feature in it is reduced.
I too would like to know, has the source code to ANY custom ROMs been reviewed by third party to verify no malicious code?
Although I worry that some ROMs could violate my data privacy, root is something that I simply cannot willingly go without - if I don't have root access, it's simply not *MY* phone, it's a phone that is configured to someone else's [some company's] desires and priorities.
I'm disappointed that the built in tethering does an "entitlement" check - AFAIK it's actually illegal (or, at least against contracts the companies signed with the FCC) for the cell phone provider to attempt to control what a user does with their allotted amount of cell data. Yes, the cell provider company can decide how MUCH data you are allowed based on what plan you pay for, but they are not supposed to restrict HOW you use YOUR data. Therefore, I demand unrestricted "tethering" from any smart phone that I use.
There are other apps I like to use that require root access: Root file explorers, Titanium Backup, Smarter WiFi Manager, Greenify/Servicely etc., but most of all, I CANNOT STAND the intrusive obnoxious awful ads which seem to be prevalent these days! A good ad blocker is an absolute must! The blame rests squarely on the shoulders of the websites which allow such awful advertisements such as "pop behind" windows and particularly, ads which cause the web page scroll to constantly keep jumping away from what you are trying to read making the site basically unusable. There is also lately a prevalence of "click bait" ads/links which brings you to malicious/obnoxious websites which popup dialogs trying to stop you from closing the web page or navigate away - they put up big flashing red letters and say things like "We have detected a virus on your computer do not close this window or your passwords will be stolen and your data lost" and when you try to close the page it keeps popping up a dialog making it difficult. Sorry, but, such ads simply can't be tolerated - even this [xda] website sometimes has unpleasant ads, or at least there were times when I really regretted turning off my ad blocker when visiting this site in the past, that is for sure!
I usually use a "custom ROM", I miss Xposed very much, but, I suspect there are too many malwares in the Xposed repository these days? (I'm not sure of this, just suspicious).
I like to be able to change the color of my status bar clock to green and position it in the center as that is easier for me to use (see it quickly when I want). However, the standard launcher is far too limited in how customizable it is, so I use a combination of Nova Prime (requires root for some features) and Chronos Weather/Clock/Calendar widget which puts a larger clock right in the upper middle of my desktop so I turn off the status bar clock (Nova Prime feature, one that requires root).
Oh, and I like to use a custom "System Font", I'm not sure if we can do that without root? It really makes the phone feel like MY phone and look (and operate) how I want it to.
critofur said:
[...]
I'm disappointed that the built in tethering does an "entitlement" check - AFAIK it's actually illegal (or, at least against contracts the companies signed with the FCC) for the cell phone provider to attempt to control what a user does with their allotted amount of cell data. Yes, the cell provider company can decide how MUCH data you are allowed based on what plan you pay for, but they are not supposed to restrict HOW you use YOUR data. Therefore, I demand unrestricted "tethering" from any smart phone that I use.
There are other apps I like to use that require root access: Root file explorers, Titanium Backup, Smarter WiFi Manager, Greenify/Servicely etc., but most of all, I CANNOT STAND the intrusive obnoxious awful ads which seem to be prevalent these days! A good ad blocker is an absolute must! [...]
[...]
Could you explain the entitlement check a little further? Does it mean that with the current Android version and an unrooted/locked G5 plus it is impossible to use the Smartphone Mobile data connection, e.g. on a notebook via wifi tethering? This would be a real argument to root.
Did you try adguard, as ckret suggested? Is there a huge difference between an adblocker with root or an adblocker like adguard without root on the phone? I basically assume that with nougat it is possible to grant apps access to almost anything (except for root) - including to block features other apps use, e.g. advertisements. But I am actually not sure.
Maybe ckret knows more on this aspect, as he seems to know both adblock concepts - the rooted and the unrooted one with adguard?
Comparing DNS66 (local DNS server without root) with adaway (root):
+ You can select blocking per app with DNS66, adaway modifies hosts file which always is valid for all apps and system services
- You can not use another VPN while DNS66 is active
- You need to disable VPN under Nougat while using Download Manager (bug in Nougat, for all VPN services)
Personally I have root, but use DNS66. I don't need adblock when connecting to my computer at home (that's when I need to use another VPN) and am using Marshmallow ATM, but probably would continue using DNS66 when on Nougat. For PlayStore there is a workaround implemented, and if some download fails I'd know I need to disable VPN.
This is why I only said Total Commander copying timestamp is my only real killer app (besides Titanium Backup) which makes me need root. Android O is supposed to change the behavior implementing SDCardFS which shall allow setting timestamp without root.
sky-head said:
Could you explain the entitlement check a little further? Does it mean that with the current Android version and an unrooted/locked G5 plus it is impossible to use the Smartphone Mobile data connection, e.g. on a notebook via wifi tethering? This would be a real argument to root.
Did you try adguard, as ckret suggested? Is there a huge difference between an adblocker with root or an adblocker like adguard without root on the phone? I basically assume that with nougat it is possible to grant apps access to almost anything (except for root) - including to block features other apps use, e.g. advertisements. But I am actually not sure.
Maybe ckret knows more on this aspect, as he seems to know both adblock concepts - the rooted and the unrooted one with adguard?
adaway:
adaway replaces the hosts file in your system with a custom hosts file which redirects some requests to 127.0.0.1, which results in ads not being shown
since it is a deep-level change of the hosts file, the app requires root to change the file
pro:
* ads are blocked when resources are requested
* it is system-wide and everything is checked on demand
con:
* system slows down with big hosts file as every request must be checked every time a site/app is opened
* if a wrong request is blocked your app/site might not show/work at all since it is a system-wide check
adguard:
this app has two different ways of blocking ads
vpn: a local vpn server is created on the system and all requests are rerouted through it. works the same way as adaway but without a root access.
pro:
* rootless method
* you can create a bypass for different sites/apps
con:
* you can not use a 2nd vpn connection while the app is active
* it may use a bit more battery as it creates a server but this should be negligible
proxy: this is nearly the same as vpn just you should be able to use a vpn connection
so big pro and con for me is that I do not have to reroute all apps through the adblock check
important apps (banking e.g.) are free to use the connection without being rerouted.
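How a hosts-file block list like the one described in the post above is matched, as an added example that is not part of the original post and not AdAway's own code. The sample entries are constructed, and treating 0.0.0.0 as a sink address alongside the post's 127.0.0.1 is an assumption.

```python
import ipaddress

# Constructed sample in hosts-file format; the names are placeholders,
# not entries from any real AdAway block list.
SAMPLE_HOSTS = """\
# comment lines and trailing comments are ignored
127.0.0.1   localhost
::1         ip6-localhost
127.0.0.1   ads.example.com tracker.example.net   # two names, one line
0.0.0.0     metrics.example.org
not-an-ip   broken.example.com
"""

# Names that legitimately point at loopback and are not "blocked".
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return {hostname: ip_address} for every well-formed hosts entry."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip the line
        for name in fields[1:]:
            # Keep the first mapping seen for a name.
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def blocked_names(table):
    """Names pointed at a loopback or unspecified address, minus local names."""
    return {
        name for name, addr in table.items()
        if (addr.is_loopback or addr.is_unspecified) and name not in LOCAL_NAMES
    }


def is_blocked(table, hostname):
    """Hosts lookups are exact-name matches: no wildcards, no parent domains."""
    return hostname.lower().rstrip(".") in blocked_names(table)
```

Because matching is by exact name, an entry for `ads.example.com` does not cover `sub.ads.example.com`; every host to be blocked needs its own line.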
I know it might seem like a stupid question, but how often (and for which reason) do you use/need a(nother) VPN connection?
Does this also mean things like tethering or a WLAN access like eduroam - or is this something different?
I am actually not sure if I ever needed VPN on my smartphone
sky-head said:
I know it might seem like a stupid question, but how often (and for which reason) do you use/need a(nother) VPN connection?
Does this also mean things like tethering or a WLAN access like eduroam - or is this something different?
I am actually not sure if I ever needed VPN on my smartphone
you need a vpn connection if you want to access the intranet without being physically there
e.g. intranet of a company to access emails or if you are a student and got some special tool/e.g. which can only be accessed through the university connection
most times you will only use vpn on a notebook or pc but I hardly doubt most people will use it on their phones
ckret said:
you need a vpn connection if you want to access the intranet without being physically there
e.g. intranet of a company to access emails or if you are a student and got some special tool/e.g. which can only be accessed through the university connection
most times you will only use vpn on a notebook or pc but I hardly doubt most people will use it on their phones
... exactly what I was thinking about it. I've never been needing a VPN on my phone. On the notebook I need it on a regular basis, that's true.
I should have been asking "I know it might seem like a stupid question, but how often (and for which reason) do you use/need a(nother) VPN connection on your smartphone?", to state my question more precisely.
Using AVM Fritzbox as router makes it possible to use the standard phone via SIP. This only does work when you're in your intranet, directly or via VPN. Also I need to access my documents on my computer, my media library at home, to configure the router and more and therefore I use VPN on a regular basis. Yes, I do these things using the smartphone. But when using VPN, I do not need adblock.

OTA update block with AdAway (no root)

Edit: WARNING A few reports of AdAway temporarily stopping the service. You could possibly double up with Adguard or a similar connection blocker. But it's not going to be 100%. Router blocking or a Pi-Hole setup is going to be more secure, so only use this as a temporary measure.
---
I have been able to block FireTV updates using the latest AdAway. It still has the normal rooted method for the lucky folks (edit hosts) but now has VPN "emulation" for those without root. This supposedly uses "VPN API but does not connect to a VPN server" like with editing the DNS but all local to the device. It's open source, on XDA, and has been around forever, so I trust it more than the OpenDNS option.
I don't know how well this works and for how long, but update checks are coming back with errors. It also has a request logger and shows softwareupdates.amazon.com is being triggered & denied. No other domains are checked by the updater after that one fails FWIW.
Latest version 5.11.0
[APP][ROOT/NONROOT][OFFICIAL] AdAway v6.1.0
AdAway AdAway is an open source ad blocker for Android using the hosts file. Google Play Store notice According the Google Play Developer Policy, especially the "Device and Network Abuse" section, ad blocker like AdAway violates the "Apps that...
forum.xda-developers.com
TLDR setup: Sideload it, select the VPN option during setup, let it sync their block lists (mine kept going, so I just force closed and restarted after a few min), add the 5 domains under the router block method here: AFTV, ensure it's set to autostart in preferences. I also turned on "monitor connection" and IPv6 support but may not be needed. Restart.
INSTALL / SETUP
Sideload it
Select the VPN option during first run. I had to use my remote w/cursor but may be able to get around this if you just click ok after moving around a bit or force close it and can get it to start up w/out setup.
Let it sync their default block lists. Mine kept going, so I force closed AdAway after a few minutes.
ADDING AMAZON UPDATE DOMAINS
On the main page, select "Blocked" at the top. Add these from the AFTV article then hit APPLY.
d1s31zyz7dcc2d.cloudfront.net
amzdigital-a.akamaihd.net
amzdigitaldownloads.edgesuite.net
softwareupdates.amazon.com
updates.amazon.com
If there are any more, please share. This seems to do the trick though, and the built-in logger doesn't show any other connections triggered when softwareupdates.amazon.com fails. If this prevents another app from working, you can add the app to the exclude list in preferences.
PREFERENCES
Go to Preferences (bottom left) -> click VPN based ad blocker
Make sure it's enabled at startup
I also selected monitor connection and IPv6 support but no idea if it's needed
You can exclude apps. Useful if something isn't working OR one of the domains they block by default messes with an app.
Restart the device
Once you're back up, check the notifications and there should be a persistent notification for AdAway, showing it is active. Go check for an update in the FireTV settings. It should show a connection error.
OPTIONAL AUTOMATION
If you're super paranoid and want to get fancy, AdAway also responds to external commands. If you use something like Tasker or Automagic, you can send intents to start & stop the service. Example workflow: periodically test the update URLs, if they come back with a normal response then AdAway isn't blocking and probably isn't active, send start service intent.
Automation
AdAway is a free and open source ad blocker for Android. - AdAway/AdAway
github.com
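The "periodically test the update URLs" check from the automation note above, as an added example that is not part of the original post and not AdAway's own code. It assumes a blocked name either fails to resolve or resolves only to loopback/unspecified addresses, and uses `example.com` as a hypothetical control name so that a dead network is not mistaken for a working block.

```python
import ipaddress
import socket
import sys

# The five update domains listed in the post above.
UPDATE_DOMAINS = [
    "d1s31zyz7dcc2d.cloudfront.net",
    "amzdigital-a.akamaihd.net",
    "amzdigitaldownloads.edgesuite.net",
    "softwareupdates.amazon.com",
    "updates.amazon.com",
]
CONTROL_DOMAIN = "example.com"  # assumption: a name the blocker leaves alone


def system_resolver(host):
    """Resolve with the OS resolver; an empty list means no answer."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_sinkholed(addresses):
    """True if the name got no answer or only loopback/unspecified addresses."""
    parsed = [ipaddress.ip_address(a.split("%")[0]) for a in addresses]
    return all(a.is_loopback or a.is_unspecified for a in parsed)


def check_update_block(domains=UPDATE_DOMAINS, control=CONTROL_DOMAIN,
                       resolver=system_resolver):
    """Return (verdict, leaking_domains).

    'blocking'     - every update domain is sinkholed
    'leaking'      - at least one update domain resolves normally
    'inconclusive' - the control name did not resolve, so DNS itself is down
    """
    if is_sinkholed(resolver(control)):
        return "inconclusive", []
    leaking = [d for d in domains if not is_sinkholed(resolver(d))]
    return ("leaking" if leaking else "blocking"), leaking


if __name__ == "__main__":
    verdict, leaking = check_update_block()
    print(verdict, *leaking)
    # Non-zero exit lets a scheduler decide whether to restart the blocker.
    sys.exit(0 if verdict == "blocking" else 1)
```

A "leaking" verdict is the condition the post describes as the blocker probably not being active; "inconclusive" should not trigger a restart.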
thank you very much, looks like it worked! now i get the update error.
i hope this method will stay, but i can't see why not. nothing will update on the firetv now so it should stay.
5.11 will not install due to an error that it requires newer SDK version in Fire OS 6.2.8.1.
I tried this method with Blokada and it seems to work the same so for people having trouble with AdAway I recommend this app instead.
l_p_4_7 said:
I tried this method with Blokada and it seems to work the same so for people having trouble with AdAway I recommend this app instead.
Thanks, I have Blokada installed in Nox from a few weeks ago and it works great. I had forgotten about it since I only used it for blocking the VM ads and it didn't occur to me that I could also use it for the FS4K.
l_p_4_7 said:
I tried this method with Blokada and it seems to work the same so for people having trouble with AdAway I recommend this app instead.
thanks for the info, i tried adaway on my first firetv cube and it works great, but on my second one somehow adaway doesn't use a VPN. will give blokada a try.
is there anything special to mind when using blokada?
I just added the domains listed above to the blocked hosts list and then excluded a few apps that might be affected by the VPN (I've excluded YouTube, Plex and Kodi). I haven't noticed any other problems so far.
some feedback:
adaway seems to not autostart anymore on my devices, so i switched completely to Blokada.
Blokada seems to work fine now and also autostarts.
Time to set up a pihole it seems.
Codiox said:
some feedback:
adaway seems to not autostart anymore on my devices, so i switched completely to Blokada.
Blokada seems to work fine now and also autostarts.
Time to set up a pihole it seems.
Yeah unfortunately I think it's having problems for me as well. I caught it mid-update today. Got the pihole planned for this weekend. But all this effort just to use the launcher we want... No idea how the devs here stay motivated to stick around.
psymsi said:
Yeah unfortunately I think it's having problems for me as well. I caught it mid-update today. Got the pihole planned for this weekend. But all this effort just to use the launcher we want... No idea how the devs here stay motivated to stick around.
Actually i just set up the pihole last night, was really easy following a tutorial and it works great.
I recommend using RaspberryOS light without a Desktop. With this the RaspPi only uses about 1-3% CPU and like 5MB RAM while operating.
i used an old RaspPi 1B+ i bought back in 2012.
l_p_4_7 said:
I tried this method with Blokada and it seems to work the same so for people having trouble with AdAway I recommend this app instead.
Did you enter those 5 lines in blocked hosts in Blokada? Or where did you enter them? Someone on another post mentioned they entered them in the blocked hosts so I did the same but it did not work or block updates.

Walmart Onn 4K Android TV - networking question on blocking OTA updates

Hey everyone - little new around XDA as this is my first post. Recently I had constructed a video tutorial of sorts for the average Onn TV box owner to get it running, achieve an unlocked boot loader and root, and use Tasker to remap the hardware based buttons (as the remap module zip I found on here did not work for me).
There is a Reddit thread here with more context and the video link:
See here
Anyways, I am trying to think about and implement a way to have the option to block OTA updates from happening automatically as I could not find any menu item to disable them. I’ve recently left the Amazon TV ecosystem as I was tired of trying to always block updates / conform with their launcher and their software. I guess I’m slowly worrying that this TV may eventually have the same fate in terms of being locked down but I suppose I want to fight for this one over the Amazon products lol.
I have had 2 ideas that I have tried, one of which I’m at a dead end with and the other I am asking for a little assistance with - albeit I’m unsure it’ll work but I feel it makes sense and is worth a shot.
The first idea, I was trying to find and stop the service(s) associated with system updates through an app called Servicely. I am able to find 2 services related to system updates but am unable to stop/trial disabling them as the app quits when I try to do so.
The second idea is somehow devising a way to block network traffic specific to wherever the Onn TV visits to check if there is a new update. I feel this would be a cleaner and safer method too. I tried using a couple of network traffic tracking apps and then navigating to settings and selecting “check for update” to generate the respective traffic, to no avail.
So I am asking for help with this please, I’m sure there is a better or more thorough way to detect where the Onn TV is visiting online to check if there are new updates. Does anyone have an idea on how to detect / block this from happening to stop the automatic and manual check for updates (and thus hopefully the auto-update) from happening? Thank you.
You can try to remotely connect to the Onn using ADB and then freeze/disable those packages.
What are the package names for the OTA files you found?
