This is a basic gui I wrote to unlock my encrypted partitions during boot.
I'm running my /data and /sdcard partitions encrypted, and the "luksunlock" binary is launched from init.rc to read the password and unlock the encrypted partitions.
I have included my somewhat modified init.rc for those interested.
For more information about LUKS on Android see this blog post, written by shawn (seems I'm not allowed to have URLs in the post, but Google for 'android luks', first hit).
This works well on the Wildfire, although it should work fine on other phones as well. Just remember that you need to set up your partitions as in luksunlock.c (or change the defines).
Don't forget to back up before you start playing around!
Good luck!
Thanks! I'll give it a try!
Hi,
I tried to use the cryptsetup binary from your blog, but I have some issues that I'm sure you'll have an answer to:
I run ./cryptsetup luksFormat -c aes-plain /dev/block/loop2 and after I put in the LUKS password it says 'Command failed', no logs, no other output, even using the -v flag...
Any clue?
Thanks in advance!
PS: Is the dm-crypt module necessary for cryptsetup? Could this be the error? I don't have it installed on the system because I can't find it for 2.6.35.9-cyanogenmod
tusabe said:
Hi,
I tried to use the cryptsetup binary from your blog, but I have some issues that I'm sure you'll have an answer to:
I run ./cryptsetup luksFormat -c aes-plain /dev/block/loop2 and after I put in the LUKS password it says 'Command failed', no logs, no other output, even using the -v flag...
Any clue?
Thanks in advance!
PS: Is the dm-crypt module necessary for cryptsetup? Could this be the error? I don't have it installed on the system because I can't find it for 2.6.35.9-cyanogenmod
CM6.1 for wildfire uses a 2.6.32 kernel (see HCDR.jacob's post about his custom kernel for more info)
tusabe said:
PS: Is the dm-crypt module necessary for cryptsetup? Could this be the error? I don't have it installed on the system because I can't find it for 2.6.35.9-cyanogenmod
Yeah you really need dm-crypt support, either compiled into the kernel or as a module. You also need the AES ciphers support.
sigkill1337 said:
Yeah you really need dm-crypt support, either compiled into the kernel or as a module. You also need the AES ciphers support.
Hi! Yeah, that's what I was afraid of... OK, but the problem is that I'm running CM6.1 with 2.6.35.9, which has no dm-crypt module, nor is it compiled into the kernel... Where can I find a kernel with these modules included? It is for an HTC Desire (@Sympnotic)
Thanks in advance!
Great work and thanks for sharing @Sigkill. Working on building it here for my NexusOne with CM6.1.
BTW, I’m the lead on a project working on general secure Android distro – we’ve ported Tor, have an OTR IM app, and have supported other projects along those lines. Would love to talk more about supporting anyone working on this specific capability.
wow! awesome work!!! Very exciting news. Gonna give this a go on my MyTouch Slide
NathanFreitas said:
Great work and thanks for sharing @Sigkill. Working on building it here for my NexusOne with CM6.1.
BTW, I’m the lead on a project working on general secure Android distro – we’ve ported Tor, have an OTR IM app, and have supported other projects along those lines. Would love to talk more about supporting anyone working on this specific capability.
Seems really nice. I like the secure phone concept.
New Makefile and wiki info up
_hc from the @guardianproject has a new build process up for Cryptsetup/LUKS which includes a Makefile compatible with Android NDK r5.
We have new instructions up on our wiki, as well.
I cannot post links under this account, but you can find the info on github if you search "LUKS" or just under our guardianproject account.
How did you create the encrypted partitions? Could you give some pointers for that. I am familiar with using dmcrypt/cryptsetup on desktop linux, I guess this works similar. What are the relevant device names? Did you run into any problems?
Calavera1 said:
How did you create the encrypted partitions? Could you give some pointers for that. I am familiar with using dmcrypt/cryptsetup on desktop linux, I guess this works similar. What are the relevant device names? Did you run into any problems?
Hi, sorry for the late answer,
/dev/block/mtdblock5 is the "userdata" partition. I formatted it and mount it to /encrypted-data during init:
mount yaffs2 [email protected] /encrypted-data nosuid nodev
The only file on this partition is "data.encrypted" file, which gets created in init.rc as a loopback device:
exec /system/bin/losetup /dev/block/loop0 /encrypted-data/data.encrypted
I created the "data.encrypted" file on my computer with cryptsetup and losetup, and copied all files from my old unencrypted userdata partition to it and then copied it back as a file to the formatted userdata partition.
The sdcard "/dev/block/mmcblk0p2" partition is formatted with "cryptsetup luksFormat"; I also did this on my computer, which saves some time, and then copied everything over from the old unencrypted sdcard.
I did run into one problem recently: my phone hung during boot, about 4 months after I started encrypting my phone.
Had to copy my data.encrypted file to my computer, mount it as a loopback device and do a fsck, and then copy it back to my phone.
I suspect this has to do with the filesystem not being unmounted properly. (I have had this on my to-do list for a while hehe)
Probably should make a script run during shutdown to cleanly "luksClose" the encrypted partition and then umount them. Not doing this is probably very crazy.
I also want to fix it so my "/dev/block/mmcblk0p2" partition gets presented to my computer when I attach my USB cable (as it should do), so I can unlock it in Ubuntu and copy images and files. Right now I have to take my memory card out and put it into the computer.
I hope this post makes sense, it was written in haste =) Good luck!
sigkill1337 said:
Hi, sorry for the late answer,
/dev/block/mtdblock5 is the "userdata" partition. I formatted it and mount it to /encrypted-data during init:
mount yaffs2 [email protected] /encrypted-data nosuid nodev
The only file on this partition is "data.encrypted" file, which gets created in init.rc as a loopback device:
exec /system/bin/losetup /dev/block/loop0 /encrypted-data/data.encrypted
I created the "data.encrypted" file on my computer with cryptsetup and losetup, and copied all files from my old unencrypted userdata partition to it and then copied it back as a file to the formatted userdata partition.
The sdcard "/dev/block/mmcblk0p2" partition is formatted with "cryptsetup luksFormat"; I also did this on my computer, which saves some time, and then copied everything over from the old unencrypted sdcard.
I did run into one problem recently: my phone hung during boot, about 4 months after I started encrypting my phone.
Had to copy my data.encrypted file to my computer, mount it as a loopback device and do a fsck, and then copy it back to my phone.
I suspect this has to do with the filesystem not being unmounted properly. (I have had this on my to-do list for a while hehe)
Probably should make a script run during shutdown to cleanly "luksClose" the encrypted partition and then umount them. Not doing this is probably very crazy.
I also want to fix it so my "/dev/block/mmcblk0p2" partition gets presented to my computer when I attach my USB cable (as it should do), so I can unlock it in Ubuntu and copy images and files. Right now I have to take my memory card out and put it into the computer.
I hope this post makes sense, it was written in haste =) Good luck!
I figured most of that out without your post and tried it on my Desire (I created the LUKS partitions with adb on the phone though; it worked anyway). Then I couldn't figure out where my regular init.rc is stored (I could only find the one used by Clockwork Recovery), and then I figured I had already spent enough time and tried a reboot (which of course didn't work). Then I couldn't even get into recovery (probably because its init.rc tries to mount /data, which doesn't work? I didn't investigate any further). Flashed my backup with fastboot and was stuck again with my unencrypted pre-experiment state.
Oddly enough, it was no problem to unlock my encrypted SD card from my computer (running Ubuntu) while in recovery (Clockwork has an option to present the SD card to a computer connected via USB). Maybe the booted system handles this differently than recovery though? I didn't get a chance to try, as I couldn't boot after my encryption attempt.
I will try again after my algorithm and data structure exam this Friday and report back.
Is anybody using the UI on another device than the Wildfire? Does it work?
How much is the performance drain when using an encrypted /data partition?
Amazing work!
Did anyone manage to build sigkill1337's luksunlock from source?
I would like to change the path of the data/sdcard partitions to match my device, but I tried many ways using the NDK and I can't get it to compile properly.
Is there any way to do this?
I have been trying for days, I am literally going insane!
@sigkill1337: could you give me some pointers? I would appreciate it a lot.
mount manpage said:
The bind mounts.
Since Linux 2.4.0 it is possible to remount part of the file hierarchy somewhere else. The call is
mount --bind olddir newdir
or shortoption
mount -B olddir newdir
or fstab entry is:
/olddir /newdir none bind
After this call the same contents is accessible in two places. One can also remount a single file (on a single file).
This call attaches only (part of) a single filesystem, not possible submounts. The entire file hierarchy including submounts is attached a second place using
mount --rbind olddir newdir
or shortoption
mount -R olddir newdir
Note that the filesystem mount options will remain the same as those on the original mount point, and cannot be changed by passing the -o option along with --bind/--rbind. The mount options can be changed by a separate remount command, for example:
mount --bind olddir newdir
mount -o remount,ro newdir
If nothing helps, you should always be able to bindmount it
I'd rather get sigkill1337's UI to compile...
Lots of nice security tweaks and settings could be done with a pre-boot GUI
Anyway, concerning encryption, I'll use the bind option for now, thanks for the tip.
But if anyone here could give me some pointers about compiling this stuff it would be great.
I managed to compile it by integrating luksunlock in Android source externals and main.mk but when I push it to my phone and modify init.rc to call it, it just does not work...
Other modifications are working (mount, mkdir, etc.) but the GUI won't show up
Sorry for the late reply. But you could try running it from a shell when the phone is booted, just to verify that the binary starts (that's how I tested it without having to reboot my phone all the time).
My environment for building the source was set up using one of the tutorials online, nothing out of the ordinary.
I'm still running this on my phone, for almost 8 months now. I haven't noticed much in the way of performance problems; the Wildfire was slow before I started using LUKS.
When I get a new phone (maybe SE Arc) it will be easier to see if performance is affected.
There is an Issue for getting CM support for encrypted filesystems during boot:
Issue 2736: support encrypted filesystem from boot
If you want to get that feature, just "star" it, so it may get more attention.
Hi all,
Has anyone been able to do this? Following the guide here no longer works for Android N. The phone boots, but ignores all changes to system. How do I modify both build.prop and hosts? It seems that there are now possibly two system partitions?
Thanks!
Same issue on Nexus 5X
No answer on this? How is it that nobody else seems to be having this issue?
What I've done
It looks to me like everyone has moved to systemless and the /system partition cannot be adequately modified in this way anymore.
Maybe this will help others:
I was modifying the system directory for two reasons: 1. modify /system/etc/hosts to remove ads and modifying build.prop to increase lcd.density. I found that here are the alternatives for each:
Removing Ads
Using something similar to AdAway_systemless_hosts_v2.zip (google it for a copy) and modifying the hosts file in that zip file to be the one I use (and rezipping, deploying on the Android device). This basically mounts over /system/etc/hosts with a custom hosts file instead of actually modifying the system specific hosts file which is no longer writable.
The alternative is to use Netguard which routes non https network traffic through a private VPN where you can block ads according to a hosts file. This seems to work OK, but I have noticed that websites seem to take longer to load.
Modifying lcd.density
You can use the same trick as AdAway_systemless_hosts_v2.zip uses, but modify it to also mount a modified copy of build.prop. Alternatively just use the Android N Display settings that are small (what I did anyhow).
I have been able to edit build.prop and still maintain systemless root.
Sent from my Nexus 6P using XDA-Developers mobile app
I was able to modify my system partition; by installing busy box to /su/xbin and running "su busybox mount -o rw,remount system" (no quotes) in material terminal with root
ArminasAnarion said:
I was able to modify my system partition; by installing busy box to /su/xbin and running "su busybox mount -o rw,remount system" (no quotes) in material terminal with root
Have you been able to do this with simply fastboot boot <twrp-image>, mounting system in rw mode and modifying it? I did that as I didn't want to root the phone, and while it looks like it did the write, it does not affect the system partition that is used by the phone after boot. I think there are two system partitions, and twrp mounts only one in rw mode. It does seem like it may be possible to do what you say using adb though after the phone is fully booted up. I'll try that!
dontblinkwatchout said:
Have you been able to do this with simply fastboot boot <twrp-image>, mounting system in rw mode and modifying it? I did that as I didn't want to root the phone, and while it looks like it did the write, it does not affect the system partition that is used by the phone after boot. I think there are two system partitions, and twrp mounts only one in rw mode. It does seem like it may be possible to do what you say using adb though after the phone is fully booted up. I'll try that!
I had the same problem. I don't want to root but I do make a few changes to my /system partition through adb in recovery such as the hosts file and some font files (namely the Emoji font file). I had modified stock boot image to not enforce encryption. I would boot back up into the system and couldn't see any changes made. The only thing I found that worked was installing a custom kernel (I use ElementalX). After that, changes I made to /system in TWRP were reflected in the OS. I don't know enough about kernel development to understand why on (mostly) stock kernel my changes couldn't be seen but on a custom one they were.
I never had this "problem" prior to Nougat.
Same issue here. Something has changed with how this is handled in Nougat.
I don't want to root just to overwrite the hosts file...
I'll keep debugging but my capability in this is definitely limited!
I use a similar approach as described in the OP's linked guide except I use my own recovery image that I compiled as an engineering build from source, and I am also experiencing the same behavior. Modifying the hosts file seems to have no impact on the system though the changes persist. Comparing the host file I installed and the host file from the latest Nexus 5X image with 'ls -lZ' the SELinux info looks to be the same. The only information that appears to differ is the modified date and one additional line in the file itself for testing. I thought I was doing something wrong with my hosts file, even though I have been using this approach since Android 6.0. However, I agree, it appears that changes to system are being ignored. Further, changing the system partition no longer shows the red warning at boot about the system being corrupted.
---------- Post added at 09:58 PM ---------- Previous post was at 09:38 PM ----------
DanRyb said:
I would boot back up into the system and couldn't see any changes made.
Oooh. You're right. Neither /etc/hosts nor /system/etc/hosts is modified in the booted OS after I modify it from live image, but the change is retained when I reboot into live image and mount system. Hmm, so either:
1) Need to figure out where the system files are being loaded from and modify them from live image if possible
2) Use a mechanism similar to what dontblinkwatchout described AdAway is using of having a custom mount setup (have to reverse engineer AdAway I guess to see what it's doing)
3) ?
There's absolutely no way to modify or mount system partition r+w unless you disable dm-verity
Sent from my Nexus 6P using Tapatalk
alexiuss said:
There's absolutely no way to modify or mount system partition r+w unless you disable dm-verity
Sent from my Nexus 6P using Tapatalk
dm-verity has been around since Android 4.4. Are you saying there is something new around this in Android 7.0?
You can modify the system partition by compiling an engineering build of Android and booting it, then mounting the system partition and modifying it. I've been doing this to update the hosts file since Android 6.0 for every OTA update (since more recently OTA updates bomb out unless you reflash the clean "uncorrupted" system.img first). Changing the system image before Android 7.0 did result in an extra screen with a red warning about a corrupted something or other (I'm sure because dm-verity checking failed). Regardless, you can still change the system partition, the information just no longer seems to be used, which is a bit perplexing to me atm.
crashenx said:
dm-verity has been around since Android 4.4. Are you saying there is something new around this in Android 7.0?
Android 7.0 introduced redundant bits for Reed-Solomon forward error correction into the system and vendor partitions and code in the kernel to perform the error correction.
Your changes are being written to eMMC, but when you boot with the 7.0 kernel with dm-verity enabled your changes are being treated as data corruption and on-the-fly error corrected back to the original.
You can see your changes if you boot into TWRP because it has dm-verity disabled. However, if you boot into Android with dm-verity enabled it will look like the original image again even though your changes are technically still there.
It took me a day to figure out what was really going on because I initially had no idea they added this feature to Android N.
The simple way to disable dm-verity is to install SuperSU, but you can also accomplish the same by patching your own kernel, installing a pre-patched kernel, installing a custom kernel, etc.
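The behaviour described in the post above, sketched as an added example (not code from this thread or from Android): a toy model in which per-block SHA-256 hashes detect an edited block and a parity block rebuilds the original on read. Assumptions: XOR parity stands in for Reed-Solomon, a flat hash list stands in for the dm-verity hash tree, and the block size, group size and sample image are constructed.

```python
import hashlib
from dataclasses import dataclass

BLOCK = 32   # toy block size (constructed); real dm-verity uses 4096-byte blocks
GROUP = 4    # data blocks protected by one parity block (constructed)


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor_blocks(blocks) -> bytes:
    """XOR equal-sized blocks together (stand-in for a Reed-Solomon code)."""
    out = bytearray(BLOCK)
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


@dataclass(frozen=True)
class VerityMeta:
    leaf_hashes: tuple   # one SHA-256 per data block
    parity: tuple        # one parity block per group of GROUP data blocks
    root_hash: bytes     # hash over all leaf hashes; the value the boot chain trusts


def split_blocks(image: bytes) -> list:
    size = -(-len(image) // BLOCK) * BLOCK          # round up to a whole block
    padded = image.ljust(size, b"\0")
    return [padded[i:i + BLOCK] for i in range(0, size, BLOCK)]


def build_meta(blocks) -> VerityMeta:
    """Build-time step: hash every block and compute parity per group."""
    leaves = tuple(sha(b) for b in blocks)
    parity = tuple(xor_blocks(blocks[g:g + GROUP])
                   for g in range(0, len(blocks), GROUP))
    return VerityMeta(leaves, parity, sha(b"".join(leaves)))


def read_block(storage, meta, idx, trusted_root, verity=True) -> bytes:
    raw = storage[idx]
    if not verity:                       # recovery-style read: raw bytes, no checks
        return raw
    if sha(b"".join(meta.leaf_hashes)) != trusted_root:
        raise OSError("hash metadata does not match the trusted root hash")
    if sha(raw) == meta.leaf_hashes[idx]:
        return raw
    # Hash mismatch: the edit looks like corruption, so try to rebuild the
    # block from the other blocks in its group plus the parity block.
    start = (idx // GROUP) * GROUP
    end = min(start + GROUP, len(storage))
    peers = [storage[j] for j in range(start, end) if j != idx]
    candidate = xor_blocks(peers + [meta.parity[idx // GROUP]])
    if sha(candidate) == meta.leaf_hashes[idx]:
        return candidate                 # reader sees the original content
    raise OSError(f"block {idx}: hash mismatch and not correctable")


def read_image(storage, meta, trusted_root, verity=True) -> bytes:
    data = b"".join(read_block(storage, meta, i, trusted_root, verity)
                    for i in range(len(storage)))
    return data.rstrip(b"\0")


def demo():
    # Constructed sample "system image" holding hosts-file style content.
    original = (b"127.0.0.1 localhost\n" b"::1 ip6-localhost\n"
                + b"# constructed sample system image\n" * 3)
    blocks = split_blocks(original)
    meta = build_meta(blocks)
    storage = list(blocks)
    # Edit one block on "flash", as a write from recovery would.
    storage[1] = b"0.0.0.0 ads.example\n".ljust(BLOCK, b"\0")
    recovery_view = read_image(storage, meta, meta.root_hash, verity=False)
    booted_view = read_image(storage, meta, meta.root_hash, verity=True)
    return original, recovery_view, booted_view, storage


if __name__ == "__main__":
    original, recovery_view, booted_view, storage = demo()
    print("edit visible without verity:", b"ads.example" in recovery_view)
    print("edit visible with verity+FEC:", b"ads.example" in booted_view)
    print("edit still present on storage:", b"ads.example" in storage[1])
```

With two edited blocks in the same group this single-parity model can no longer rebuild either one and the read fails; a Reed-Solomon code tolerates more damage before reaching that point.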
sfhub said:
Android 7.0 introduced redundant bits for Reed-Solomon forward error correction into the system and vendor partitions and code in the kernel to perform the error correction.
Your changes are being written to eMMC, but when you boot with the 7.0 kernel with dm-verity enabled your changes are being treated as data corruption and on-the-fly error corrected back to the original.
You can see your changes if you boot into TWRP because it has dm-verity disabled. However, if you boot into Android with dm-verity enabled it will look like the original image again even though your changes are technically still there.
It took me a day to figure out what was really going on because I initially had no idea they added this feature to Android N.
The simple way to disable dm-verity is to install SuperSU, but you can also accomplish the same by patching your own kernel, installing a pre-patched kernel, installing a custom kernel, etc.
That's good info and makes total sense. Thanks! Pretty neat actually, just a bummer for me.
Yeah so SuperSU path is not really one I want to pursue. I could learn how to update the dm-verity shas used for verification. That'd probably be the most secure, but it's gonna be a PITA I bet. I imagine I'd need to compile my own image similar to how I made my live image and update a few things. Might have to deal with encryption which is probably an even bigger headache. Also, I bet it would break OTA and have to reflash to update, though that's true now.
I'm really curious what AdAway is doing. Maybe I should pursue reverse engineering that.
I really appreciate you pointing us in the right direction.
I am glad I found this thread... willing to assist here without permanent root.
Ericarthurc said:
I was able to modify my system partition; by installing busy box to /su/xbin and running "su busybox mount -o rw,remount system" (no quotes) in material terminal with root
I was trying to create a /system/xbin/post-boot but couldn't remount /system, and so I added busybox to the front of my command. I am not using adb so I cut that part off. Thanks a lot!
Hello there!
I'm not sure whether this is the right forum thread, nor if it's even possible.
English is not my first language, but I hope I can make myself clear and explain my problem.
As mentioned in the title, I just want to mount an NFS share into my filesystem so that I can access my media through a VPN wherever I go.
I'm using a Synology Diskstation as NAS and created some NFS shares (tried version 3 and 4) which are accessible in my network. It's working flawlessly with my Raspberry Pi and with my Debian system. I don't want to use SMB (CIFS).
I want to use my favorite music player to listen to my music, mounted via fstab in the music folder for example.
Right now I'm using the Yatse app, works fine - but it's just a workaround...
I tried FreedomOS (stock kernel and ElementalX) + busybox and Resurrection Remix (stock kernel and Lightning kernel) + busybox. All I get is Invalid argument or error messages. I just can't get it to work. It's a Linux system, why can't I use a simple NFS share?
Any help would be appreciated.
Thanks in advance!
I used to mount an NFS share with busybox, so be sure to have that installed.
Next, be sure to have a working VPN connection to your home network.
One more thing to check is that VPN connections are allowed to access the NFS shares. I don't know if you need to set this up with Synology or whether it's enabled by default.
Thanks for the response.
I have all permissions set to get access to the NFS share, tried it without VPN as well. The VPN itself is working like a charm.
I have access to my NAS via web interface and sftp, I can control and stream from my Raspberry Pi as well. No problems with the VPN for sure.
I'm using busybox as well. Can you post me your mount command or your fstab line for the mount?
the1weasel said:
Thanks for the response.
I have all permissions set to get access to the NFS share, tried it without VPN as well. The VPN itself is working like a charm.
I have access to my NAS via web interface and sftp, I can control and stream from my Raspberry Pi as well. No problems with the VPN for sure.
I'm using busybox as well. Can you post me your mount command or your fstab line for the mount?
I used this, I believe.
Your kernel needs to support it.
https://gist.github.com/aldur/4a3f90a111b71662f056
maikvitesse said:
I used this, I believe.
Your kernel needs to support it.
https://gist.github.com/aldur/4a3f90a111b71662f056
That's exactly what I was told over here https://forum.xda-developers.com/oneplus-5/development/kernel-elementalx-op3-1-00-t3626808/post73156290#post73156290
I will follow up on that, thanks for pointing me in the right direction as well.
OK, I was able to mount the share.
Now that it's becoming a general question I will follow up here. I posted what I did over here as well and got it solved to this state.
I can see the files in the terminal, but not in any app (explorer, music player etc.).
As I already wrote here: https://forum.xda-developers.com/showpost.php?p=73161675&postcount=437 I'm guessing it's because I mounted as root so normal users can't use it. Or at least that's what I'm thinking.
I searched the forum already and just found a thread with someone having the same problem without a solution.
Is there a way that I can use the mounted share with any app I want?
Just for the roundup.
Here is what's working:
mount an NFS share through a terminal app. => Files are visible/browsable
What's not working:
Use the mounted NFS share systemwide with any other app.
What I tried (used Termux):
mount into /mnt/remotenfs => files show up in terminal, just there.
mount into /storage/emulated/0/Music/remote => files show up in terminal, just there.
mounted the share and then started an explorer (solidexplorer) from terminal - same result. No file access through explorer.
the1weasel said:
Just for the roundup.
Here is what's working:
mount an NFS share through a terminal app. => Files are visible/browsable
What's not working:
Use the mounted NFS share systemwide with any other app.
What I tried (used Termux):
mount into /mnt/remotenfs => files show up in terminal, just there.
mount into /storage/emulated/0/Music/remote => files show up in terminal, just there.
mounted the share and then started an explorer (solidexplorer) from terminal - same result. No file access through explorer.
I think I suggested something like this as a way to glean some information about this problem in the other thread, but don't recall for certain what the outcome if any was:
At least since V5 and above of Android OS, there's been some sort of thread insularity that keeps another thread from seeing what some of the first one sees. (moreso than before V5). I figured that since fstab.qcom (or whatever the name of the actual startup file where "mount -a" is pointed) must contain the mounted partitions that are visible to all. If that's the case, it's either the startup mount daemon, or it is in one of the columns of each "mount" entry in fstab.*.
I think I suggested adding a mount entry without the "automount at start" parameter for your remote music. Just curious if that was tried? Also, I thought the file where these were entries were kept in M & N (6 & 7) had "*vold*" in the title.
I'm also curious about this and will look around for some better answer because it seems very non-linux / android that only the thread performing the action can see the result (although that is how local actions / variables act).
After some poking around: I think this link explains some possible reasons for this behavior, not that there isn't some way around it. Probably there is no way around it without some compromise of whatever privacy additions android OS is after. It sounds a lot like an SELinux & /proc FS change. https://stackoverflow.com/questions/38590140/file-system-changes-in-android-nougat
hachamacha said:
I think I suggested something like this as a way to glean some information about this problem in the other thread, but don't recall for certain what the outcome if any was:
At least since V5 and above of Android OS, there's been some sort of thread insularity that keeps another thread from seeing what some of the first one sees. (moreso than before V5). I figured that since fstab.qcom (or whatever the name of the actual startup file where "mount -a" is pointed) must contain the mounted partitions that are visible to all. If that's the case, it's either the startup mount daemon, or it is in one of the columns of each "mount" entry in fstab.*.
I think I suggested adding a mount entry without the "automount at start" parameter for your remote music. Just curious if that was tried? Also, I thought the file where these were entries were kept in M & N (6 & 7) had "*vold*" in the title.
I'm also curious about this and will look around for some better answer because it seems very non-linux / android that only the thread performing the action can see the result (although that is how local actions / variables act).
After some poking around: I think this link explains some possible reasons for this behavior, not that there isn't some way around it. Probably there is no way around it without some compromise of whatever privacy additions android OS is after. It sounds a lot like an SELinux & /proc FS change. https://stackoverflow.com/questions/38590140/file-system-changes-in-android-nougat
Thanks for the response, looks like you are much more into that Android thing...
I just added
"10.11.12.10:/volume1/Audio /storage/emulated/0/Music/remote nfs nolock,ro defaults"
to the fstab.qcom. Doesn't mount at startup.
I noticed some inconsistency in the ssh thing: sometimes mounting via ssh works, sometimes not... strange. (mount: applet not found)
To be sure, I'm doing all that stuff without ssh.
Edit:
For everyone else reading this: it's not about music, the music folder is just a random folder to see if it's working.
the1weasel said:
Thanks for the response, looks like you are much more into that Android thing...
I just added
"10.11.12.10:/volume1/Audio /storage/emulated/0/Music/remote nfs nolock,ro defaults"
to the fstab.qcom. Doesn't mount at startup.
I noticed some inconsistency in the ssh thing: sometimes mounting via ssh works, sometimes not... strange. (mount: applet not found)
To be sure, I'm doing all that stuff without ssh.
Edit:
For everyone else reading this: it's not about music, the music folder is just a random folder to see if it's working.
To add to that: It doesn't seem like any surprise that just putting an entry in the fstab.qcom doesn't work the same as the others. As I search around for a way to do this it becomes apparent that even a Synology app designed to do this (DS File) (mounts an NFS share on a Synology box and allows file transfers) isn't able to allow others to see its mounted share.
Before I mounted a Synology folder using Synology DS File, I created a tmp folder and cd there and then did a mount > mountbefore.log. After the mount of the share while still running DS File pointing to my Synology folder, I did a mount > ./mountafter.log. I then did a diff -urN (and just a diff) ./mountbefore.log ./mountafter.log that showed no differences. That seems telling.
Also, I did the same with /proc/mounts /proc/mountinfo /proc/mountstatus before and after, and nothing showed up as different. Also I did a ps | grep DS to see whether the ps output gave me any clue as to what local mount point was used, but though I could see the DS process, I couldn't see its mountpoints.
I'm pretty sure there's an SELinux entry (or many entries) for the mounted share that prevents the usual visibility. I recall reading that "fixing" the /proc exploits was a big priority with the advent of SELinux so I'll look at that angle too. I don't think that the fact that DLNA works is of much use in this problem. It's really a solution to a different and specific problem.
hachamacha said:
To add to that: It doesn't seem like any surprise that just putting an entry in the fstab.qcom doesn't work the same as the others. As I search around for a way to do this it becomes apparent that even a Synology app designed to do this (DS File) (mounts an NFS share on a Synology box and allows file transfers) isn't able to allow others to see its mounted share.
Before I mounted a Synology folder using Synology DS File, I created a tmp folder and cd there and then did a mount > mountbefore.log. After the mount of the share while still running DS File pointing to my Synology folder, I did a mount > ./mountafter.log. I then did a diff -urN (and just a diff) ./mountbefore.log ./mountafter.log that showed no differences. That seems telling.
Also, I did the same with /proc/mounts /proc/mountinfo /proc/mountstatus before and after, and nothing showed up as different. Also I did a ps | grep DS to see whether the ps output gave me any clue as to what local mount point was used, but though I could see the DS process, I couldn't see it's mountpoints.
I'm pretty sure there's an SELINUX (or many) entrie(s) for the mounted share that prevent the usual visibility. I recall reading that "fixing" the /proc exploits was a big priority with the advent of SElinux so I'll look at that angle too. I don't think that the fact that DLNA works is of much use in this problem. It's really a solution to a different and specific problem.
Click to expand...
Click to collapse
Hmm I just found this: https://forum.xda-developers.com/showthread.php?t=2106480 and will have a closer look into it later, I'm running out of time right now and have to leave.
But what I've read so far looks similar to the problem we are facing right now. Maybe that's the way to go. I'll try it, as I said, later.
At this point I don't even care if it's smb or nfs as long as I can mount my stuff into the filesystem.
One other thing I noticed but haven't messed around with yet is that I was looking at the various mount commands for different implementations (not that any will just work like 2 versions ago), and noticed that only /system/xbin/mount is a soft link to /system/xbin/busybox (standard busybox link to allow using it for various look-alike-to-linux commands).
But then I realized that /system/bin/mount is also there, also a soft-link to /system/bin/toybox (another busybox clone) and am wondering if it behaves any differently. Might be worth a look (but I doubt it). /system/bin/toybox is at least a different version of busybox and not linked to it.
Just looked at your last reply and realized that unfortunately the two links of interest are at the now nonexistent domain cyanogenmod.org. Maybe the diffs are worthwhile. Gotta work, Later.
I'm back home already, a little late but with enough time for more research.
This link:
https://github.com/mkasick/android_...mmit/b358bf82c079a577f011c167da8b65faef73a06e
is working. It's really worth reading and explains the visibility problem.
mkasick said:
Android 4.2 breaks Dalvik-apps that mount file systems to be shared with other apps. This includes CifsManager, Mount Manager, essentially anything that mounts cifs shares, FUSE file systems, etc. The symptom is that the mounted contents appear fine to the app that performs the mount operation (assuming the app itself provides the ability to browse the contents), but every other app only sees an empty directory at the mount point.
It turns out that this problem is a side-effect of the approach used to implement multi-user storage in Android 4.2. I've explained the problem in detail in the commit log for a Gerrit issue we're reviewing for CyanogenMod 10.1 that addresses the problem:
Ideally, any 4.2 ROM can provide support for CifsManager by applying a change to Dalvik, and a second change to the boot ramdisk's init.rc:
Dalvik change: Zygote: Restrict slave mountspace so Dalvik apps can mount system-wide volumes
init.rc change: init.rc: Create /storage mountpoint so Dalvik can mark as slave in zygotes
Alternatively, for ROMs that can't/prefer not to use a source-build Dalvik (libdvm), I've also provided a kernel patch that implements a similar workaround within the kernel. It also requires the above init.rc modification:
Kernel commit: Restrict slave mountspace so Dalvik apps can mount system-wide volumes
init.rc change: init.rc: Create /storage mountpoint so Dalvik can mark as slave in zygotes
With either of the above two fixes, CifsManager et al. should work when using a mountpoint outside /storage (and /mnt/shell/emulated). I'd recommend using "/mnt/cifs" or something similar. Attempting to mount inside /storage retains the previous behavior where the mount can not be seen by other apps.
Note that ROMs only need one of the above two fixes, although they are compatible with each other and will function correctly if both are present. The Dalvik approach is preferred over the kernel workaround where feasible. Attached are the three patches referenced in the issues/commits.
Attachments: (sry for editing the quote)
dalvik.diff: https://forum.xda-developers.com/attachment.php?attachmentid=1656555&d=1358548352
nitrc.diff: https://forum.xda-developers.com/attachment.php?attachmentid=1656556&d=1358548352
kernel.diff: https://forum.xda-developers.com/attachment.php?attachmentid=1656557&d=1358548352
Look at the attached files, the answer is in there, but I don't know what to do with it.
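The quoted explanation also accounts for the earlier before/after `mount` diff showing nothing: a shell is a different process from the app that performed the mount, so it reads a different mount table. The script below is an added example, not code from this thread or from mkasick's patches; it compares two `/proc/<pid>/mountinfo` snapshots, and the two snapshots, their paths and the `nas.example` share are constructed sample data.

```shell
#!/bin/sh
# Added example: compare what two processes can see in their mount tables.
# On a device the inputs would be copies of /proc/<pid>/mountinfo for the app
# that did the mount and for any other app (reading another process's file
# normally needs root). Here two constructed snapshots are used instead.

# mountinfo columns: 1 mount ID, 2 parent ID, 3 major:minor, 4 root,
# 5 mount point, 6 mount options, then zero or more optional fields
# (shared:N, master:N, propagate_from:N, unbindable), a "-" separator,
# then filesystem type, source and superblock options.

# Mount points present in mountinfo file $1 but missing from file $2.
only_in_first() {
    awk 'FILENAME == ARGV[1] { seen[$5] = 1; next }
         !($5 in seen)       { print $5 }' "$2" "$1"
}

# Propagation state of mount point $2 as recorded in mountinfo file $1.
# No optional field means the mount is private to that mount namespace,
# so it is never propagated to other processes.
propagation() {
    awk -v mp="$2" '$5 == mp {
        p = ""
        for (i = 7; i <= NF && $i != "-"; i++)
            p = (p == "" ? $i : p "," $i)
        result = (p == "" ? "private" : p)
    }
    END { if (result != "") print result }' "$1"
}

# Filesystem type of mount point $2 in mountinfo file $1
# (the field right after the "-" separator).
fs_type() {
    awk -v mp="$2" '$5 == mp {
        for (i = 7; i < NF; i++) if ($i == "-") { t = $(i + 1); break }
    }
    END { if (t != "") print t }' "$1"
}

# --- constructed sample data (not captured from a real device) ---
SAMPLE_DIR=$(mktemp -d)

# Mount table of the app that performed the CIFS mount.
cat > "$SAMPLE_DIR/mounter.mountinfo" <<'EOF'
1 1 0:1 / / ro,relatime - rootfs rootfs ro
14 1 0:14 / /storage rw,relatime master:1 - tmpfs tmpfs rw,mode=050
27 1 0:27 / /mnt/cifs rw,relatime - cifs //nas.example/share rw
EOF

# Mount table of any other process (another app, or an adb shell).
cat > "$SAMPLE_DIR/other.mountinfo" <<'EOF'
1 1 0:1 / / ro,relatime - rootfs rootfs ro
14 1 0:14 / /storage rw,relatime master:1 - tmpfs tmpfs rw,mode=050
EOF

echo "Mounts only the mounting process can see:"
for mp in $(only_in_first "$SAMPLE_DIR/mounter.mountinfo" \
                          "$SAMPLE_DIR/other.mountinfo"); do
    echo "  $mp ($(fs_type "$SAMPLE_DIR/mounter.mountinfo" "$mp"))," \
         "propagation: $(propagation "$SAMPLE_DIR/mounter.mountinfo" "$mp")"
done
```

A mount that shows up only in the mounting process's table and is marked private is the symptom the quote describes: other apps see an empty directory at the same path.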
Thanks. I've got to do some work from home before I go back to messing around with this. I read the zygote/Dalvik page. I'm sure I've read it before but had the impression that the information was obsolete, but maybe not!
I guess there are a couple of problems for me with that information.
1) It is pretty old (2013 or so): I can't even find the pertinent file in my source tree anymore.
2) dalvik has undergone a lot of revisions since this was tried. I'm not at all sure the change looks very different from the way tmpfs is /storage mounted already.
(but I could try this one. I figure in real time, if it'd let me remount it with the changes, the worst it could do is lock me up).
3) the kernel I'm using doesn't appear to have that line in it, besides, I'd have to rebuild the kernel.
I guess I'd much rather find a userspace way around this problem if possible. It seems almost unthinkable that there'd be no other way (via the mount cmd for example and careful choice of mount folder) to mount something that could be seen by any process. I'll keep trying from that angle.
Regrouping: I was ssh'd into the synology server poking around when I noticed that the running nfs daemon (as shown by ps -ef | grep nfs) was nfs4. I didn't see that Android supported that so I decided to just move the entire exercise of mount.nfs4 over to Ubuntu 16.04 box.
I made sure I had all the NFS stuff installed and pretty much ran these statements:
mount -t nfs -o ro x.x.x.x/share /mnt/remote # failed with bad argument
mount -t nfs4 -o ro x.x.x.x/share /mnt/remote # failed with bad argument
mount.nfs4 x.x.x.x/share /mnt/remote #failed with bad argument.
At that point I decided that android didn't matter if I couldn't figure out how to mount NFS shares from linux.
I then tried mount -t cifs -o ro,user=me,pass=pwd //server/share /mnt/remote
It mounted up immediately. I need to look up some working examples of someone using mount.nfs / 4 from anywhere to synology. While I'm sure I've used it before, I'm also pretty sure I don't recall how exactly the setup and syntax works.
On stock ROM, I can not edit the build prop because it just gives me system can not be mounted errors and on custom ROMs (7.1 because I can't use 8.0 due to WiFi calling and volte not working for me) I am able to edit the build prop just fine but then the camera won't launch. After deleting the line and restarting cameras still don't work. What gives?
You have to restore your build.prop permission to rw-r-r
Stock it won't let me do that. I prefer stock so I wish I could remember how I fixed the Mount issue. I believe I've done it before.
Are you stock and rooted... or just "stock" and using TWRP to modify the file? If you are using TWRP to modify the file, you will have to change its permissions with adb in TWRP after you have mounted system read-write in TWRP, like this:
Code:
adb shell
cd system
chmod 644 build.prop
- Source
I'm stock rooted. However on stock rom, it won't even let me mount the system in TWRP. I check the box and nothing happens.
Since you're not really explaining how you are trying to do it, I am going to assume adb (which is easiest)...
Code:
adb shell
su
mount -o rw,remount -t ext4 /system
chmod 644 /system/build.prop
If the mount command doesn't work, try it like this...
mount -o rw,remount /dev/block/dm-0 /system
Then exit and reboot the phone, should be good after that.
I haven't tried rooting my G5 yet, probably never will, but I do know that many newer phones have special security in place and you cannot remount from adb.
I assume you have tried mounting /system RW in ES File Manager or Solid Explorer?
Yeah I haven't even tried it through adb yet because my laptop is slow as molasses but I have tried through TWRP and solid explorer. Everything mounts fine on custom roms, just not stock.
I just went through this a few days ago, I was going bonkers. I managed in the end to mount system in TWRP, but it was like a different set of files... build.prop was there, I pulled it, edited, and pushed it back, but reboot into system had a DIFFERENT build.prop. Made no sense. I rebooted back into TWRP, mounted system again, found the build.prop there had my changes. It was like there were two versions of /system, one that TWRP gave me and one that the system used. It was maddening, to say the least. Somewhere around 2 or 3am, I started getting sloppy trying to get to the bottom of all this, and I accidentally deleted my system partition and soft bricked the phone.
Thankfully I found this thread:
https://forum.xda-developers.com/g5-plus/development/rom-twrp-flashable-stock-builds-t3675616
These are stock roms that are flashable in TWRP, but modified in that Dm-verity and force encryption have been disabled in the boot images. With this installed, my phone booted properly again and TWRP had no problem accessing the file system... and thankfully this time around, it was the same /system being mounted as the booted phone, everything actually made sense for a change.
I would strongly recommend flashing that modified stock rom and starting over. Camera2 and everything are running properly and I couldn't be happier.
I believe I AM using one of those zips so I'm not sure how this ended up happening but I'll flash again and see if it helps. Thank you so very much for the reply. Really appreciate it. How's camera2 working for you? You using that modified Google cam with HDR+ or is it just helping the stock camera even more so?
Stock camera still seems to have sharpening and NR that reduces details. I think it improved some other apps, especially enabling the use of Camera2 on apps that use it (and even allows some apps to record in RAW, which is neat but too much trouble to get working properly). But apps that don't necessarily use Camera2 will still look similar I think, including the stock app.
The Google HDR+ app really makes the hardware here shine, I've got to admit. It's a shame that since I'm running the stock firmware we're stuck with the 32-bit buggy version. It isn't very stable, and the focusing is kind of frustrating when it decides not to cooperate. There's a workaround to use video mode to focus, then switch back to camera mode and lock AE/AF, but even then sometimes I find that on close-focus objects, the focus will shift a bit upon reinit on photo mode before I can lock AF. But when it works... man, it REALLY makes a difference! I went from wanting to return the phone to being rather pleased with it.
Attaching a couple of samples. One of harsh contrasting light by a window, and another in a dark alley outside my office.
Those do look pretty good. I'm gonna flash one of the zips when I can finally get a chance and try and do this build prop edit again. Any idea which camera apps from the play store use the API?
Off the top of my head I do not. There was a link to a modified one here somewhere which supported RAW in DNG format, but I found it unreliable and a major pain to edit and make look like anything on the phone.
Meanwhile, I found this thread about modifying the in-camera processing to reduce the sharpening and noise reduction:
https://forum.xda-developers.com/showpost.php?p=72246474&postcount=9
Flashed the zip in that post to my stock rom and it cleaned up a lot of apps, including the stock photo app. Cam2 api is necessary for google's HDR plus, but if you just want a better image out of the stock apps, I think that flash is what you need.
I ended up flashing the stock zip from the post you linked and after that the change to build prop for sure worked and now I'm playing around with one of the Google cams so thanks a lot for sure man. I've been wanting to try it for months while still being able to remain stock. Really appreciate it.
No problem! Glad it helped! I should probably compile some sort of FAQ or something, lots of information spread across too many threads to make sense of it. But just FYI, I'm pretty sure OTA updates won't work anymore now that you've modified the system.
Hi, so apparently the only way currently to modify system files of OnePlus 8 Pro is through flashing Magisk modules. Tried using several file explorers but couldn't change permissions, tried via TWRP but system won't be mounted, so my question is if there is a Magisk module that someone made to mount r/w. If there is, I would like to get it; if there isn't, I would appreciate if anyone can create that for me. And please don't tell me to go to terminal and type commands because IT DOESN'T WORK. I don't know exactly what flashing Magisk modules do but I figured out that it's the only way I can change system files. Please help.
Mounting system as R/W is impossible on stock software (OOS, OneUI etc).
This applies to all devices launched with Android 10, so, 7T/Pro and up.
https://source.android.com/devices/tech/ota/dynamic_partitions/implement
Your best shot is to create a module that 'modifies' the system systemless-ly.
That's literally the Magisk module I'm asking for
Literally not. You asked for a module that could make system R/W.
Anyway good luck
As mentioned, no r/w module...
Anyway such a module won't do any good IMHO. System/product/vendor partitions are combined into a single "super" partition.
The individual parts for /system, /vendor, /product are then mounted from there.
You will never be able to physically write on files in those partitions (if that is/was your intention).
However, you can write a Magisk module (easily) which replaces files with others (e.g. I replaced my /system/etc/hosts files with a version that has ad-blocked IP addresses). You can "delete" files by making them "empty" with a Magisk module (e.g. I have hidden the OnePlus phone/dialer/calculator/messages/notes apps in this way as I prefer the Google variants).
It's not that hard ... assuming you have a bit of Linux dev skills.
Can you be more specific about what exactly you want to do? Edit some file?
Also if I do want to edit a system file, I can't, it won't let me do that, the file I edited just won't save.
I would very much like to edit the build.prop file, and let Adaway (F-droid) edit the hosts file to add its adblocking lists.
Are either of those things possible? Thanks!
Enable systemless hosts in magisk manager and adaway will work. And for editing build prop, look up "resetprop", it's a magisk tool to modify build prop systemlessly.
Thank you so much! Adaway is up and running! I just got a new phone, and got so worried when it dawned on me that the System folder was locked down!
And I found "MagiskHide Props Config". Is it better or worse than Resetprop, or the same? "Props Config" has already flaked on me in the half hour I've been using it, but since a reinstall, it's working again.
I'm hoping it's just getting comfortable, but if you think Resetprop is more stable, please tell me.
And thanks again! Feeling good about technology.
I have ROOTED; rooted means you are now Administrator of everything in your phone. But life is not like a dream: I can't delete or modify anything in the system folder on my rooted Samsung phone. When using Z Archiver to delete empty and junk folders it says failed, sometimes it even says Access Denied (maybe the problem is here). Converted RO->RW, tried through ES File, it says in use or busy. Root Explorer is useless even if I add write permission, but when using Lucky Patcher to uninstall & install apps as system, it can create or delete in system app, which means there may be a way for me to modify it. If the trash can't be deleted then the system partition will be filled with garbage forever and can only get fatter. Who knows how to solve it?
You have to patch super image to make everything r/w.
[GUIDE] How to make your System RW / Super R/W read/write-able
Welcome to the one and only, the original, universal SystemRW / SuperRW feat. MakeRW / ro2rw by lebigmac This script removes the read-only lock of all partitions embedded in the super partition of your stock firmware. This allows you to mount...
forum.xda-developers.com
In case someone is still struggling with that:
I wanted to copy a trusted certificate ".0" file from storage to /system/etc/security/cacerts
I couldn't, and tried to do the adb mount thing but I couldn't
Anyway it worked when I tried MT Manager (I was literally shocked). It's not in the Play Store but you can find it online
If that didn't work I guess you have two options
1) open platform tools after enabling usb debugging and do "adb push /sdcard/yourfile /system/etc/security/cacerts"
that will copy the file from sdcard to system/etc/security/cacerts
The second option I didn't really try but I saw it worked for some:
a Magisk module called "overlayfs". If you can't find it online I will attach it here
BUT before all that try MT Manager .. idk how it really worked lol
I have installed overlay fs but I can edit only /system, /product and some files in /vendor and /system_ext. I have Android 13 with One UI 5.1