Develop Bugs

Running Homebrew Native Executables - Status: DONE!!

[2012/06/03] IMPORTANT UPDATE HERE
Hi hackers,
This is meant as a little update on one of the projects I've been working on. I'm kinda stuck now. I have a suspicion of what the problem is. I thought that maybe if I write a post about it, me or someone else will have an idea on how to get this working.
The goal is to run native homebrew executables on WP7
This has not been done yet. All apps are Silverlight apps that are compiled as DLL and run by Taskhost.exe with least privileges. All other executables are signed by Microsoft. Executables that are compiled as ARM executable cannot be started.
The angle is to create a certificate that allows to sign a WP7 executable. Then add that to the appropriate certificate store. Create an executable. Sign it with the private key. Load it onto a WP7 device. Copy it to the Windows folder. Use an OEM driver to launch the executable.
First I did research on the certificate stores. I can now with certainty state that there are 4 certificate stores:
- CA
- Root
- My
- Code Integrity
After a lot of research I finally got complete read/write access to all of these stores. The Code Integrity store contains all the certificates that are used by the Loader Verifier to verify the executable that is being launched. When the device is launched for the first time, the certificates that are in \Windows\ciroots.p7b are installed to that certificate store. These certificates have these properties:
Key Usage = 0x86 = Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing
Entended Key Usage = Code Signing (1.3.6.1.5.5.7.3.3) + Unknown key usage (1.3.6.1.4.1.311.10.3.14)
So I used OpenSSL to create such an certificate (with private key) for myself. And I installed the certificate in the Code Integrity store.
I then used VS2008 to create a completely barebone executable (ARMv4 Console app with only Sleep(-1) in the Main). I signed it with SignTool from Microsoft.
I loaded the executable to my device and I copied it to the \Windows folder (I think the policies restrict executing to only from that folder, but I'm not sure about that).
I use the Samsung driver to launch the executable, because I need at least Standard Rights to launch an executable. The Samsung driver has Elevated Rights. My own app has only Least Privileges. Using the Samsung driver does not return any success or fail codes. But looking at the Running Processes list, I don't see my Test.exe running. It should be, because the main thread is put to sleep infinitely.
So why is this not working?
Well, I have a guess. I think it's the policies that bind the certificates in the Code Integrity store to the different accounts/chambers. In the \Windows folder there are a lot of policy xml-files. On fist boot, these are merged into PolicyCommit.xml and then compiled to policydb.vol. When the Loader Verifier (lvmod.dll) loads an executable, it queries the policies to determine access rights and chamber for that executable. The policies that matter in this context are defined in 8314B832-8D03-444f-9A2A-1EF6FADCC3B8.policy.xml. It's an xml-file that basically says this:
Code:
Microsoft Mobile Device Privileged PCA - ced778d7bb4cb41d26c40328cc9c0397926b4eea - not used in this context
Microsoft Mobile Device TCB PCA - 88bcaec267ef8b366c6e6215ac4028e7a1be2deb - honored by System Identity Group
Microsoft Mobile Device Unprivileged PCA - 1c8229f5c8d6e256bdcb427cc5521ec2f8ff011a - honored by Standard Right Identity Group
Microsoft Mobile Device VSD PCA - 91b318116f8897d2860733fdf757b93345373574 - not used in this context
VeriSign Mobile Root Authority for Microsoft - 069dbcca9590d1b5ed7c73de65795348e58d4ae3 - honored by LPC Identity Group
I should find a way to add a policy with my certificate in it. Any ideas?
Ciao,
Heathcliff74

If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome.
regards

Flow WP7 said:
If you are able to re-sign an executable that is already in the ROM, i would try that, so you know the problem isn't within the native code, but only with the signing. Or maybe the other way round which would be awesome.
regards
Click to expand...
Click to collapse
That's a good idea. I must say that I don't have much faith in the current RecMod tools for WP7 right now. I am able to get the binaries recmodded so that I can disassemble them correctly. But I don't think they can be easily launched. But there are executables that are on the rom as complete binaries, instead of rom-modules. To begin with, I have to select one that does not need much privileges to run and try to sign that one and then run it.
I'm really busy with work right now, so I think I won't be able to try it until the day after tomorrow. But I will try it and will let know how that went.
Thanks!

Decompiled taskhost.exe, so it gets more easy for us to see if its able to make taskhost to start another exe for us. Lots of code tho (C code).
taskhost.c (276 KB) in attachments.
edit: Oh, WOW, this really shows how to call those anonymous methods without call signature "Hello" (signature: "??z_Hello_?mze")
Hmm, pretty much about the pause part?
Code:
if ( v10 )
{
a7 = sub_178E7(v10);
if ( a7 >= 0 )
{
a7 = sub_180A5(v7, v7 + 64);
if ( a7 >= 0 )
{
a7 = ThemeInitialize(v7 + 136);
if ( a7 >= 0 )
{
v11 = sub_1862B(v13, v7);
EnableHostAutoDehydration(v11 == 3);
v16 = 0;
a7 = InitializeEmClientEx(&a2, 0, &v16);
if ( a7 >= 0 )
{
a7 = RegisterPausedHostCallback(sub_19D0D, 0);
if ( a7 >= 0 )
{
a7 = RegisterResumingHostCallback(sub_19D31, 0);
if ( a7 >= 0 )
{
if ( v11 != 3
|| (a7 = RegisterDehydrateHostCallback(sub_19D76, 0), a7 >= 0)
&& (a7 = RegisterFreezeHostCallback(sub_19D97, 0), a7 >= 0) )
{
a7 = RegisterExitHostCallback(sub_19D55, 0);
if ( a7 >= 0 )
a7 = sub_17C0A(*(_DWORD *)(v7 + 128), 0);
}
}
}
}
}
}
}
}
UIX framework entry-point (exe)
Code:
int __cdecl sub_11114(int a1, int a2, int a3)
{
int v4; // [sp+0h] [bp-38h]@1
char Dst; // [sp+4h] [bp-34h]@1
int v6; // [sp+8h] [bp-30h]@1
int v7; // [sp+Ch] [bp-2Ch]@1
int v8; // [sp+18h] [bp-20h]@1
int v9; // [sp+28h] [bp-10h]@1
v4 = 0;
memset(&Dst, 0, 0x34u);
v8 = a3;
v6 = (int)L"res://FlightModeUXDLL!FlightMode.uix";
v7 = (int)L"FMMain";
v9 = 2;
RunApplication(&v4);
return dword_12034;
}
C++ converted
Code:
UIXApplicationInfo app;
app { ... }
RunApplication(&app);
struct UIXApplicationInfo
{
int UNK_v4 = 0;
char Dst = {0};
char* uixFile;
char* uixEntryPoint;
int UNK_v8;
int UNK_v9 = 2;
}
Then just figure out the UIX part (or test the existing "res://FlightModeUXDLL!FlightMode.uix" if it launches, if so, we made it).
___
Found this in mango dump:
> Uninstall provxml
Code:
<!-- Uninstall Xbox LIVE Extras App -->
<characteristic type="AppInstall">
<nocharacteristic type="{0c17d153-b5d5-df11-a844-00237de2db9e}"/>
</characteristic>

Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455

athompson said:
Is there a reason you can't just use COM interop to run native code? Check out this thread for a discussion covering the technique: http://forum.xda-developers.com/showthread.php?t=820455
Click to expand...
Click to collapse
Hello "co-founder of native code on WP7"
I'm fully aware of the possibility of native code through COM. I use it for example in the WP7 Root Tools. But I just wanted to take it a step further. Running native executables give a lot more freedom. Not being bound to the watchdog, getting higher privileges and running in the background for instance. But there's a whole lot more. So that's why I started research on it. Thanks anyway. You helped making native code possible on WP7.
Ciao,
Heathcliff74

The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.

fiinix said:
The taskhost.exe is our RAM, because our app run in it, giving us full RAM access inside our "viritual ram". So that means we own all strings, int, floats etc. Then rewrite the ram to change strings in mscorlib. The checksum if an exe has been modified is only checked at startup, without checking if we modify the dll at runtime.
My purpose with this is that some function's call external apps, where we rewrite the args going in to the function. Just find an exploitable function and modify it after JIT has been there one before generating the pre ram, that we modify and call yet again but with the modified ram values behind.
Marshal.Copy, my friends, there.
[SecurityFuckingSafeCritical]
(byte[] source, IntPtr destination, int length)
> Interopservices leaked dll (\windows)
destination = our ram ptr to modify.
Click to expand...
Click to collapse
Hmmm. 10 Points for inventiveness But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App

Heathcliff74 said:
Hmmm. 10 Points for inventiveness But I don't think it's going to work. Even if you could find a function where the executable is passed as argument you still don't have enough privileges. Most code will have the path to the executable hardcoded instead of an argument. And you will still run under TaskHost with Least Privileges. And you need to have at least Standard Privileges or higher to launch most executables with CreateProcess() or ShellExecuteEx().
Sent from my OMNIA7 using XDA Windows Phone 7 App
Click to expand...
Click to collapse
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value ";
Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.

fiinix said:
"And you will still run under TaskHost with Least Privileges"
I know, i dont need standard rights to do it. Because i call a mscorlib function that is trusted code. I think you saw my idea wrong, let me show you.
[mscorlib, SecuritySafeCritical]
public static void example(string str)
{
string mscorlibStr = "you cant change my value ";
Debug.WriteLine(mscorlibStr + str);
}
This is where we modify "mscorlibStr" in ram and the function is still trusted code. But its doing something totally different from that it would do.
Click to expand...
Click to collapse
I really hate to break it for you. But the [SecuritySafeCritical] is indeed trusted code, but it will still check your privileges. All the API functions that do system modifications like that, do the security checks. Read the note under SecuritySafeCriticalAttribute here. Also read this; same problem. You are in process TaskHost.exe and it is launched in LPC (Least Privilege Chamber), so every CeImpersonateToken() to do the important stuff will fail and return an error code. I also wouldn't know how you would modify the stack-frame of a function that you call. Seems impossible to me, because at the moment you call the function, that stack-frame has not been allocated yet.
Anyway, although I don't think that is going to work in any way, I absolutely don't want to discourage you, because my experience is that when you try enough, sooner or later you will find an exploit
Ciao,
Heathcliff74

Currently installing "Windows Embeded Compact 7", because this lousy ARMv4 compiler (from WM5-6) maybe generates wrong ARM op-codes (WP7 runs ARMv7), therefore it says "Invalid program signature" (or what error it was).
Maybe ARMv7 is'nt even backwards compatibility with ARMv4.
By compiling with the ARMv7 compiler from WEM7, it will probably (hope) generate a valid exe.
Thats it..
edit:
*Research
"Armv7 is the processor instruction set used starting with the S5L8920 in the iPhone 3GS and in all subsequent devices. Processors that support Armv7 instructions are backward compatible with Armv6 instructions, but attempting to run binaries compiled for Arm7 on older, Armv6 processors will result in the error: "Bad CPU type in executable"."
Source: http://theiphonewiki.com/wiki/index.php?title=Armv7
___
"As I said in the past, the ARMv6 CTR was kept backwards compatible with
> > > earlier versions of the ARM architecture (and ARM tried to keep it like
> > > this as much as possible). With ARMv7, you have multiple levels of cache
> > > and different types (e.g. ASID-tagged VIVT I-cache). There is no way you
> > > could encode the useful information while keeping the same (and only)
> > > register, hence the the need for a new register."
Source: http://www.spinics.net/lists/arm-kernel/msg58813.html
As i see this (^), all ARMv > 6 == no backwards
ARMv6 had backwards to 4
ARMv7 >> ARMv6 compatibility, not more.
_
Problem officer even running ARMv4???
>On a non ARMv4 backwards compatibility CPU.
Profit!!
__
[ExeX.exe] (the one that i recompiled to a state: "this has to work")(ARMv4)
Decompilation:
Code:
; Attributes: bp-based frame
EXPORT start
start
var_20= -0x20
oldR4= -0x1C
oldR5= -0x18
oldR6= -0x14
oldR7= -0x10
oldR11= -0xC
oldSP= -8
oldLR= -4
MOV R12, SP
STMFD SP!, {R4-R7,R11,R12,LR}
ADD R11, SP, #0x1C
SUB SP, SP, #4
MOV R4, R3
MOV R5, R2
MOV R6, R1
MOV R7, R0
.
Next up, decompile a ARMv7 from a raw device. (how, someone has one)

fiinix said:
Next up, decompile a ARMv7 from a raw device. (how, someone has one)
Click to expand...
Click to collapse
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?

athompson said:
I think you'll find what you're looking for here: http://forum.xda-developers.com/showthread.php?t=681659 in the dump of the IMAGEFS. What did you use to decompile it? IDA Pro, or a different thing?
Click to expand...
Click to collapse
IDA Pro, yes. Ill see if i can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.

fiinix said:
IDA Pro, yes. Ill see if i can dump that "nbh" (used to nb0), and extract a fully operable exe that is not corrupted.
Click to expand...
Click to collapse
First use Andim's WP7 Rom Tools to extract the rommodules. Remember to always dump a folder, not a single file.
Then use Denomitor's version of Recmod and follow the instructions in the post. That works most of the time.

Going forward
Currently building the WP7 ARMv7 commandline, getting closer.
Current cmd (not working, no need to help):
Code:
"C:\WINCE700\sdk\bin\i386\arm\cl.exe" /Od /D "_DEBUG" /D "_WIN32_WCE=0x700" /D "UNDER_CE" /D "ZUNE_HD" /D "WINCE" /D "DEBUG" /D "_WINDOWS" /D "ARM" /D "_ARM_" /D "_UNICODE" /D "UNICODE" /D "_CRT_SECURE_NO_WARNINGS" /Gm /EHsc /MTd /Gy /fp:fast /GR- /Fo"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/" /Fd"C:\Users\Steven VM\Desktop\ARMv7\Build\Debug/vc80.pdb" /W3 /c /Zi /TP /QRfpe- /QRarch7 "C:\Users\Steven VM\Desktop\ARMv7\main.cpp"
/QRarch7 is the ARMv7.
edit:
HOORRY SHEEAT
generated:
> main.obj
> vc80.idb
> vc80.pdb
, feels soo good:
main.exe is there.
IDA Pro says "ARM AND THUMB MODE SWITCH INSTRUCTIONS", just like others.
Code:
; Input MD5 : B50E8D8395DE7CA2419464DC3CE0BC74
; File Name : C:\Users\Steven\Desktop\burn\main.exe
; Format : Portable executable for ARMI (PE)
; Imagebase : 10000
; Section 1. (virtual address 00001000)
; Virtual size : 00000018 ( 24.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
; Processor : ARM
; Target assembler: Generic assembler for ARM
; Byte sex : Little endian
; Segment type: Pure code
AREA .text, CODE, READWRITE, ALIGN=4
; ORG 0x11000
CODE32
EXPORT start
start
var_4= -4
SUB SP, SP, #4
MOV R3, #1
STR R3, [SP,#4+var_4]
LDR R0, [SP,#4+var_4]
ADD SP, SP, #4
BX LR
; End of function start
Made an empty entry point as from above ^:
Code:
int wWinMainCRTStartup()
{
return 1;
}
PE Explorer (main.exe):
Machine: THUMB
Operating System Version: 7.0
Image Version: 7.0
Subsystem Version: 7.0
Subsystem: WinCE GUI

**** so CLOSE!
Successful copied "main.exe" and "ExeX.exe" to "\Windows", where i have the right to launch them remotely.
Method:
WP7Process p = device.LaunchEXE(@"main.exe", "");
main.exe (no signing, ARMv7):
System.UnauthorizedAccessException: Access is denied.
WP7Process p = device.LaunchEXE(@"ExeX.exe", "");
ExeX.exe (signed with CA/ROOT custom, ARMv4):
System.Runtime.InteropServices.COMException (0x800704EC): This program is blocked by group policy. For more information, contact your system administrator.
There IS different things going on! Something is missing, but what
edit:
Signed main.exe with custom XDA ROOT certificate (ARMv7):
signtool.exe sign /sha1 "[CertChomp]" "main.exe"
> Now main.exe also gets "This program is blocked by group policy. For more information, contact your system administrator."
Ill see if i can add it to startup list , if it boot from there.
edit 2:
Nope gonna hijack "fieldtestapp.exe" with my app because policy says:
Risky-mode.Activate();
Backup(fieldtestapp.exe, backupPath);
Copy(main.exe, > fieldtestapp.exe);
"LOADERVERIFIER_ROUTE_BY_NAME"
"LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT"
<Rule Description="Route fieldtestapp.exe" ResourceIri="$(LOADERVERIFIER_ROUTE_BY_NAME)/PRIMARY/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_LOW">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE" />
</Authorize>
</Rule>
<Rule Description="Authorize fieldtestapp.exe be loadable to $(FIELDTESTAPP_EXE_SID) and chambers" ResourceIri="$(LOADERVERIFIER_EXE_AUTHZ_INROM_ROOT)/WINDOWS/FIELDTESTAPP.EXE" SpeakerAccountId="$(SYSTEM_USER_NAME)" PriorityCategoryId="PRIORITY_STANDARD">
<Authorize>
<Match AccountId="$(FIELDTESTAPP_EXE_SID)" AuthorizationIds="LV_ACCESS_EXECUTE,LV_ACCESS_LOAD" />
</Authorize>
</Rule>
edit 3:
Seems like "fieldtestapp.exe" is ROM locked. Need to try out some other targets.
edit 4:
Target acquired "ProximitySensorDisable.exe" > "ProximitySensorDisableBackup.exe"
Successful copy == no ROM lock.
edit 5:
There exists two types of talking to the LoadVerifier (the: This program is blocked by group policy.):
Direct exe name OR special certificate
How we do:
> Direct exe (hijack exe)
How we cant do (SHA1) (Nope, ain't gonna happen):
> We certainly dont have Microsofts certificate so this way is a nodo, haha lol, no do way.
(1: direct exe name) /LOADERVERIFIER/GLOBAL/AUTHORIZATION/PE_AUTHZ/NONE/NONE/PRIMARY/WINDOWS/CFGHOST.EXE
(2: static/pre certificates) /LOADERVERIFIER/GLOBAL/CERTIFICATES/HASH/SHA1/91B318116F8897D2860733FDF757B93345373574
edit 6:
Yep, loads of edits, just for you.
Allowed exe's to run (sorted a-z) (direct exe) (pre cert removed):
Code:
ACCESSIBILITYCPL.EXE
ACCOUNTSMANAGER.EXE
ALARMS.EXE
APPCHECKERSHIM.EXE
APPPREINSTALLER.EXE
AUTODATACONFIG.EXE
AUTOSIM.EXE
AUTOTIMEUPDATE.EXE
BRIGHTNESSCPL.EXE
BTUXCPL.EXE
CALENDARAPP.EXE
CALLSETTINGSHOST.EXE
CALNOT.EXE
CALUPD.EXE
CAM_FW_UPDATE_UI.EXE
CELLUXCPL.EXE
CERTINSTALLER.EXE
CFGHOST.EXE
CFLAUNCHER.EXE
CHDIALERHOST.EXE
CIPHASE2.EXE
CLIENTSHUTDOWN3.EXE
CLOCKNOT.EXE
CMACCEPT3.EXE
COLDINIT.EXE
COMMSVC.EXE
COMPOSITOR.EXE
CONFIGDM.EXE
CONFIGXML.EXE
CONMANCLIENT3.EXE
CONTACTS.EXE
CPROG.EXE
DATETIMECPL.EXE
DCVSSWITCH.EXE
DEPOTCOPY.EXE
DEVICEFEEDBACKCPL.EXE
DEVICEREG.EXE
DIAGPORTCHANGETEST.EXE
DLLHOST.EXE
DMSCHEDULERCALLBACK.EXE
DMSRV.EXE
DMSTOOLS.EXE
DUACLIENT.EXE
DW.EXE
EDM3.EXE
EMAIL.EXE
EMAILSETUP.EXE
ENDPOINT.EXE
FCROUTERCMDTEST.EXE
FIELDTESTAPP.EXE
FLIGHTMODE.EXE
GAMESUX.EXE
IEXPLORE.EXE
INITIATEDMSESSION.EXE
INVALIDLICENSEUXLAUNCHER.EXE
KEYBOARDCPL.EXE
LASSCREDENTIALEXPIRATIONCHECK.EXE
LASSRESTARTER.EXE
LIVETOKEN.EXE
LOCKCPL.EXE
LOOPBACKTEST.EXE
MEDIAGROVEL.EXE
MEUX.EXE
MITSMAN.EXE
MMSPRPROXY.EXE
MMSTRANSHOST.EXE
MULTIMEDIALAUNCHER.EXE
MYPHONECPL.EXE
MYPHONETASKSRUNTIME.EXE
NATIVEINSTALLERHOST.EXE
OFFICEURL.EXE
OMADMCLIENT.EXE
OMADMPRC.EXE
OMHUB.EXE
ONBOOTSQM.EXE
ONENOTEMOBILE.EXE
OOBE.EXE
PACMANINSTALLER.EXE
PHOTOENT.EXE
PHOTOENTCAPTURE.EXE
PHOTOUPLOADER.EXE
PPT.EXE
PWORD.EXE
PWRLOGCTRL.EXE
PXL.EXE
RAPICONFIG.EXE
REGIONCPL.EXE
RMACTIVATE.EXE
SAPISVR.EXE
SECSIMTKIT.EXE
SERVICESD.EXE
SERVICESSTART.EXE
SETTELEPORTMODE.EXE
SETTINGS3.EXE
SHORTMSG.EXE
SICLNT.EXE
SIGNALEVENT.EXE
SIREPSERVERAPPDEV.EXE
SMSETTINGS.EXE
SMSTRANSPORT.EXE
SOUNDCPL.EXE
SPEECHCPL.EXE
SPMC.EXE
SQMEVENT.EXE
SSUPDATE.EXE
TASKHOST.EXE
TELSHELL.EXE
TESTSHOW.EXE
THEMECPL.EXE
TOGGLEBROWSERHIBERNATION.EXE
TOGGLEDOG.EXE
UDEVICE.EXE
UIF.EXE
UNIFIEDPAIR.EXE
USBMGR.EXE
WEBSEARCH.EXE
WIFIUXSPLASH.EXE
WLANEXT.EXE
WLIDSETUP.EXE
WWANDATAMGR.EXE
XDRMREMOTESERV.EXE
ZIPVIEW.EXE
ZMFTASKLAUNCH.EXE
How code (yes i know its super un-optimized, fast put together):
Code:
var doc = XDocument.Load(File.OpenRead("SamsungOmnia7_BasePolicy_webserver.xml"));
var ea = doc.Elements().ToArray()[0].Elements()
.Where(x => x.Name.LocalName == "Rule")
.Where(x => x.Attributes("ResourceIri").Count() > 0)
.Where(x =>
{
var r = x.Attribute("ResourceIri").Value;
return r.Contains("LOADERVERIFIER") && r.ToLower().Contains(".exe") && !r.Contains("CERTIFICATES");
})
.Select(x =>
{
var v = x.Attribute("ResourceIri").Value;
var l = v.LastIndexOf('/');
return v.Substring(l + 1);
})
.Distinct()
.OrderBy(x => x)
.ToArray();
edit 7:
yeah, lol i say too.
Unprotected exe (FCRouterCmdTest.exe)
> c:\Project Work\SGH-i707(Cetus)\FCRouterCmdTest\Windows Mobile 6 Professional SDK (ARMV4I)\Release\FCRouterCmdTest.pdb
mfw samsung use "Windows Mobile 6 Professional SDK (ARMV4I)"

Wow, this truly was a big step today
Done hacking today.
"After a day, there comes another day"

@fiinix,
You did a lot of testing. Good job, man.
A few comments:
0x800704ec "blocked by group policy" is THE error of the new WP7 security model. It is basically telling you to go f*ck yourself. Everything you do without enough privileges or capabilities results in this error.
The two ways of policies, exe-path and cert-hash, is result of difference between rom-modules and executables that are signed and added as a file. Rom-modules are not even normal files. You can't open and read them. They are executable sections that are mapped in rom-address-space. You can only call loadlibrary() and createprocess() on them. Since they are only executable sections, they don't have a signature, like a normal executable file would have. Therefore they are referred to with an exe-path. You may safely assume that every path to an executable in the policy files is referring to a rom-module and can't be overwritten in any way (except by cooking your own rom - who is going to unlock our bootloaders?!?) Other than that, there are a few signing certs that Microsoft has. Signing the different executables with different privileges and accordingly a different cert. Their hashes are in the policies.
Using ARMv7 isn't going to add much I'm afraid. Although it may make a difference in the exe-header. But you've seen tools that were really old, remember And they were signed to have TCB access. And they were compiled for ARMv4. So it should not make much difference.
I did some testing with certificates myself yesterday. Up until Zune totally went bezerk on it. I don't know what happened, but after removing my own cooked certs it all seems normal again. Zune started using 100% cpu on verifying certs and dropping my connection all the time. Help! So I haven't made much progress. I will try again later. Hope it will go better. And I will try to resign an existing executable, as Flow WP7 suggested.

According to policy on my omnia (webserver dumped) there seems to exist two typed of HDD, one ROM hard coded and one that points to internal sd card. It seems that all exe and dll on the sd are not "protected" and therefore can be hijacked.
Seems like ARMv4 will be enough, but to be on the safe side i compile with both, to have more chance getting it work.
Zune, hmm, did not seem to like you, maybe Microsoft DDOS'ed you lol
"Sent from my fingers on my phone", don't expect way too long text

XxXPachaXxX said:
Excuse my ignorance...I'm a noob...This hack may also work on LG devices?
Click to expand...
Click to collapse
At the moment fiinix and I are both working on Samsungs and we use a couple of Samsung-specific exploit to get deeper in the system and getting a better understanding of the system. The ultimate goal is to find exploits that will work for all devices. But we're not at that stage yet. Hacking is research, a lot of trying and being lucky sometimes. Just bear with us
Ciao,
Heathcliff74

[SHELL SCRIPT] Battery logging (discharge, capacity, etc)

After seeing apps like Android Battery Monitor, I wanted something I could run in a shell (adb) that would give me similar statistics, namely the battery discharge rate. I couldn't find any such tools or scripts, so I wrote one. Hopefully it will be useful to someone else, too.
The file paths are hard coded, and will likely only work on the Samsung Epic 4G Touch, however it could probably be easily adapted to other devices as well. It also probably requires busybox, since it uses some basic shell programs.
The script will output statistics every second, like this:
Code:
[DATE]|[TIME]|[DISCHARGE]|[CHARGE%]|[CHARGEMV]|[BATTTEMP]
2011/09/27|13:03:18|+0mA|92%|4101mV|31°C
2011/09/27|13:03:19|+0mA|92%|4101mV|31°C
2011/09/27|13:03:20|+0mA|92%|4101mV|31°C
2011/09/27|13:03:21|-83mA|92%|4018mV|32°C
2011/09/27|13:03:22|+0mA|92%|4018mV|32°C
2011/09/27|13:03:23|+0mA|92%|4018mV|32°C
2011/09/27|13:03:24|+0mA|92%|4018mV|32°C
2011/09/27|13:03:25|+0mA|92%|4018mV|32°C
2011/09/27|13:03:26|+0mA|92%|4018mV|32°C
2011/09/27|13:03:27|+0mA|92%|4018mV|32°C
2011/09/27|13:03:28|+0mA|92%|4018mV|32°C
2011/09/27|13:03:29|+0mA|92%|4018mV|32°C
2011/09/27|13:03:30|+45mA|92%|4063mV|32°C
Here's the script:
Code:
INTERVAL=1
CAPACITYVOLTAGE=0
while true; do
PREVVOLTAGE=$CAPACITYVOLTAGE
DATETIME=$(date +'%Y/%m/%d|%H:%M:%S')
CAPACITYVOLTAGE="$(( $(cat /sys/devices/platform/sec-battery/power_supply/battery/voltage_now) / 1000 ))"
CAPACITYPERCENT="$(cat /sys/devices/platform/sec-battery/power_supply/battery/capacity)"
DISCHARGE="+$(( $CAPACITYVOLTAGE - $PREVVOLTAGE ))"
TEMP="$(( $(cat /sys/devices/platform/sec-battery/power_supply/battery/batt_temp) / 10 ))"
echo "${DATETIME}|$(echo ${DISCHARGE}|sed -e 's/^+-/-/')mA|${CAPACITYPERCENT}%|${CAPACITYVOLTAGE}mV|${TEMP}°C"
sleep ${INTERVAL}
done

While a nice piece of work - this is not development. It is an App. Moving to the appropriate section.

jerdog said:
While a nice piece of work - this is not development. It is an App. Moving to the appropriate section.
Click to expand...
Click to collapse
Well, I was hoping to get some feedback and make some improvements before calling it an app, but that works.

xak944 said:
After seeing apps like Android Battery Monitor, I wanted something I could run in a shell (adb) that would give me similar statistics, namely the battery discharge rate. I couldn't find any such tools or scripts, so I wrote one. Hopefully it will be useful to someone else, too.
The file paths are hard coded, and will likely only work on the Samsung Epic 4G Touch, however it could probably be easily adapted to other devices as well. It also probably requires busybox, since it uses some basic shell programs.
The script will output statistics every second, like this:
Code:
[DATE]|[TIME]|[DISCHARGE]|[CHARGE%]|[CHARGEMV]|[BATTTEMP]
2011/09/27|13:03:18|+0mA|92%|4101mV|31°C
2011/09/27|13:03:19|+0mA|92%|4101mV|31°C
2011/09/27|13:03:20|+0mA|92%|4101mV|31°C
2011/09/27|13:03:21|-83mA|92%|4018mV|32°C
2011/09/27|13:03:22|+0mA|92%|4018mV|32°C
2011/09/27|13:03:23|+0mA|92%|4018mV|32°C
2011/09/27|13:03:24|+0mA|92%|4018mV|32°C
2011/09/27|13:03:25|+0mA|92%|4018mV|32°C
2011/09/27|13:03:26|+0mA|92%|4018mV|32°C
2011/09/27|13:03:27|+0mA|92%|4018mV|32°C
2011/09/27|13:03:28|+0mA|92%|4018mV|32°C
2011/09/27|13:03:29|+0mA|92%|4018mV|32°C
2011/09/27|13:03:30|+45mA|92%|4063mV|32°C
Here's the script:
Code:
INTERVAL=1
CAPACITYVOLTAGE=0
while true; do
PREVVOLTAGE=$CAPACITYVOLTAGE
DATETIME=$(date +'%Y/%m/%d|%H:%M:%S')
CAPACITYVOLTAGE="$(( $(cat /sys/devices/platform/sec-battery/power_supply/battery/voltage_now) / 1000 ))"
CAPACITYPERCENT="$(cat /sys/devices/platform/sec-battery/power_supply/battery/capacity)"
DISCHARGE="+$(( $CAPACITYVOLTAGE - $PREVVOLTAGE ))"
TEMP="$(( $(cat /sys/devices/platform/sec-battery/power_supply/battery/batt_temp) / 10 ))"
echo "${DATETIME}|$(echo ${DISCHARGE}|sed -e 's/^+-/-/')mA|${CAPACITYPERCENT}%|${CAPACITYVOLTAGE}mV|${TEMP}°C"
sleep ${INTERVAL}
done
Click to expand...
Click to collapse
1) How does one install the script?
2) How does one uninstall it?
3) How much does the script affect battery performance?
4) How stable is the script?
5) What makes this script better than other similar apps in the market?

>> 1) How does one install the script?
You don't. Just move it to an appropriate location on your phone via adb push command, change permissions to make executable & run it. It does not involve any formal installation/removal.
>> 3) How much does the script affect battery performance?
Neglible. even if you launched from a terminal emulator on-board your phone & not while it was connected via the USB to your computer
>> 4) How stable is the script?
Fairly since its quite simple. He is only reading those ascii files available on any typical linux based system & printing to console after some post-processing

Been interested in looking at what I can get my rooted device to do via Terminal/SSH, this is a great start Had to edit it a bit for my desire Z, however working a treat.. The script can lag a little if I use it via SSH with the screen off, however to be expected I suppose. A little Caffeine and it completely works as expected.
Code:
INTERVAL=1
CAPACITYVOLTAGE=0
while true; do
PREVVOLTAGE=$CAPACITYVOLTAGE
DATETIME=$(date +'%Y/%m/%d|%H:%M:%S')
CAPACITYVOLTAGE="$(cat /sys/devices/platform/rs30100001:00000000/power_supply/battery/batt_vol)"
CAPACITYPERCENT="$(cat /sys/devices/platform/rs30100001:00000000/power_supply/battery/capacity)"
DISCHARGE="+$(( $CAPACITYVOLTAGE - $PREVVOLTAGE ))"
TEMP="$(( $(cat /sys/devices/platform/rs30100001:00000000/power_supply/battery/batt_temp) / 10 ))"
echo "${DATETIME}|$(echo ${DISCHARGE}|sed -e 's/^+-/-/')mA|${CAPACITYPERCENT}%|${CAPACITYVOLTAGE}mV|${TEMP}°C"
sleep ${INTERVAL}
done
I'm off to try and create something similar for the GPS.. No idea how feasible as yet, but appreciate the inspiration.

Nice job on this script.

Very good work man keep it up

I had to edit it a bit for my Vibrant (Miui 9.23)
make file (I called mine "adb_batt.sh" placed it on my sdcard
I used Gscrip lite to run it (or terminal)
"sh ./mnt/sdcard/adb_batt.sh"
==================================
INTERVAL=1
CAPACITYVOLTAGE=0
while true; do
PREVVOLTAGE=$CAPACITYVOLTAGE
DATETIME=$(date +'%Y/%m/%d|%H:%M:%S')
CAPACITYVOLTAGE="$(( $(cat sys/devices/platform/i2c-gpio.6/i2c-6/6-0066/max8998-charger/power_supply/battery/voltage_now) / 1000 ))"
CAPACITYPERCENT="$(cat sys/devices/platform/i2c-gpio.6/i2c-6/6-0066/max8998-charger/power_supply/battery/capacity
)"
DISCHARGE="+$(( $CAPACITYVOLTAGE - $PREVVOLTAGE ))"
TEMP="$(( $(cat sys/devices/platform/i2c-gpio.6/i2c-6/6-0066/max8998-charger/power_supply/battery/batt_temp_check) / 10 ))"
echo "${DATETIME}|$(echo ${DISCHARGE}|sed -e 's/^+-/-/')mA|${CAPACITYPERCENT}%|${CAPACITYVOLTAGE}mV|${TEMP}°C"
sleep ${INTERVAL}
done

doesn't this do the same thing
https://market.android.com/details?id=ccc71.bmw&feature=search_result

BLOWNCO said:
doesn't this do the same thing
https://market.android.com/details?id=ccc71.bmw&feature=search_result
Click to expand...
Click to collapse
yes, but having a tweakable script version.
back on topic, trying to run the script but it complains
Code:
# sh logb
: not found
logb: 16: Syntax error: "done" unexpected (expecting "do")

frifox said:
yes, but having a tweakable script version.
back on topic, trying to run the script but it complains
Code:
# sh logb
: not found
logb: 16: Syntax error: "done" unexpected (expecting "do")
Click to expand...
Click to collapse
Sounds like you might've copied and pasted the script on a windows text editor, which uses DOS line endings. You need to convert them to unix line endings. If you use notepad++ to edit/save the file:
Edit > EOL Conversion > Unix Format

FBis251 said:
Sounds like you might've copied and pasted the script on a windows text editor, which uses DOS line endings. You need to convert them to unix line endings. If you use notepad++ to edit/save the file:
Edit > EOL Conversion > Unix Format
Click to expand...
Click to collapse
sh1t, i thought i made sure it pasted in unix format... oh well, redid it with notepad++ and that fixed it

I like the scripts and like to have a look into this on my xperia z1 compact. Has anybody has an idea, where I can find the batteryfolder on sony devices?

Has anyone experienced the memory corruption like me when uploading?

Hello everyone, I experienced a potential memory corruption (also seemed like memory leak) bug (or backdoor who knows) and managed to reproduce it on both Oneplus5T and Oneplus6. It seems to be serious so I want to know if anyone else can reproduce it.
step to reproduce:
1. on the android run (how to run this? see bellow) : nc -l -p 8000 < /dev/zero
2. connect from the same subnet: nc ${IP_OF_ANDROID} 8000
3. if the terminal on your computer display anything, there must be something wrong, because 0x00 shouldn't be printed as visible character on the terminal.
how to run 'nc' on the android:
1. use termux (available in google play). use 'pkg install netcat' to install nc
2. use busybox. I use adb to push 'https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l' into my phone and use root permission to execute it.
Results of Oneplus6 and Oneplus 5T (imgur.com/a/YpvYrzp). I also use pv to demonstrate 0x00 is indeed trasmitting. For the Oneplus5T, I tried unlock+stock OOS, unlock+stock OOS+magisk, unlock+stock OOS+magisk+bluspark kernel, all of those setting suffer from the same issue. (OOS version is 5.1.5, latest stable I think)
If you are patient enough, you can also observe human readable strings, like
NOT_RESTRICTED&TRUSTED&NOT_VPN] ] found {mApnType=default mState=IDLE mWaitingApns={null} mApnSetting={null} mReason=radioTurnedOff mDataEnabled=false mDependencyMet=true}amingOff=false hasDataRoamingOn=false hasDataRoamingOff=false hasLocationChanged=false has4gHandoff = false hasMultiApnSupport=false hasLostMultiApnSupport=false
Click to expand...
Click to collapse
which in my opinion belongs to the memory of other apps or OS.
I can't reproduce it on my Nexus5 and another oneplus3.

Get camera working on custom rom without selinux permissive

I very recently decided to mod my wonderful, but neglected, LG V30. H933. By following the various guides, I unlocked the bootloader, installed twrp, rooted with magisk. Then using this thread https://forum.xda-developers.com/lg-v30/how-to/canadian-h933-compatibility-h930-roms-t3897586 prepared it for a Pie custom ROM (a tedious process, but it works just fine). I then installed LOS16 H930, no gapps. Using opencamera instead of gcam. All went well, but the camera/flashlight and a few of my user apps wouldn't work.
As many of you know, you can get the camera/flashlight working by setting selinux permissive. However, you need the permissions enabled at the boot/startup level. Executing setenforce 0 as root won't get the camera working in this situation. However, patching the kernel command line, which is what Kernel-Sepolicy-Patcher.zip does will do the trick. Unfortunately, this situation presents us with a dilemma. Running your device in selinux permissive full-time is a security risk one should not take. But having to boot into recovery, run a patcher, then reboot when you want to take a photo...and then repeating the process to go back to enforcing mode, is too tedious.
After spending days deep diving into the seemingly bottomless pit of android camera (a terrific learning experience), running through all the init scripts, services, selinux stuff, etc., etc. For a number of reasons, I never really found the exact solution I was looking for. Finally, I decided upon the following method to deal with the issue. Keep in mind that this still opens up security a little bit, but it's a helluva lot better than running SELinux *permissive* (i.e. no SElinux security at all). I performed most of the work on my arch linux system, but alternatively you can do this using an adb shell or a terminal app on the device.
WARNING / DISCLAIMER: If you mess up or brick your phone, it's on you. It's YOUR responsibility - not mine.
Directions:
1) Obtain a copy of your current boot partition:
Code:
dd if=/dev/block/bootdevice/by-name/boot of=/sdcard/boot.img
2) Copy boot.img to the PC's current directory:
Code:
adb pull /sdcard/boot.img
3) Use magisk's magiskboot utility to unpack boot.img (kernel, ramdisk, kernel dtb, etc):
Code:
./magiskboot unpack boot.img
4) Extract the sepolicy file from ramdisk.cpio:
Code:
./magiskboot cpio ramdisk.cpio "extract sepolicy sepolicy"
The quotes are necessary. You can also just use xarchiver or anything that can handle cpio. Don't copy from /sepolicy or /sys/fs/selinux/policy from the live device because they contain a large number of magisk rules (assuming you're rooted). Copy it from the current boot partition.
5) Add/modify selinux rules in the sepolicy file. I used setools-android https://github.com/xmikos/setools-android It built fine on arch linux, I believe dependencies are built in, but YMMV. The sepolicy-inject command is used to add/modify rules. Use logcat and dmesg (save the output to examine it more easily with an editor). See what caused your avc denied entries. Correct some or all of them by adding permissions to existing entries or adding new entries to the policy file.
Update: The only rule change you need to get the camera working is:
Code:
sepolicy-inject -s sensors -t sensors -c capability -p dac_override -P sepolicy
However, you might want to change other rules that are generating avc denieds (audio, battery health, ...). You can also use magiskpolicy or other tools for this. You can either add permissions to an existing rule, or add a new rule.
6) Replace the original sepolicy file in ramdisk.cpio with the modified one:
Code:
./magiskboot cpio ramdisk.cpio "add 644 sepolicy sepolicy"
7) Repack the boot image:
Code:
./magiskboot repack boot.img
magiskboot reads the original unpacked boot.img to get certain info for the repack, and then creates by default a new-boot.img image file.
8) Copy new-boot.img from to your device if it's not already there:
Code:
adb push new-boot.img /sdcard
9) Write the new boot image to the device:
Code:
dd if=/sdcard/new-boot.img of=/dev/block/bootdevice/by-name/boot
10) Boot. Voila!

I should add that there are other ways to get this accomplished as well. Mostly courtesy of magisk. However, the method above will work even without being rooted.

A few people have said flashing nougat kdz, then updating to oreo allows you to use aosp Pie roms with working camera on enforcing

tech_infinity said:
A few people have said flashing nougat kdz, then updating to oreo allows you to use aosp Pie roms with working camera on enforcing
Click to expand...
Click to collapse
Thank you. Yes, I had read that.
In my case, because I followed the Canadian guide linked in my original post, that's exactly what had been done. Nougat 10d -> Oreo 20i -> LOS16 Pie. It could very well be an issue specific to that LOS rom.
When looking over the logs and watching the processes in realtime, in addition to doing a lot of other investigation (with my limited tools/resources), it seems that "something" that is normally there on startup is absent, and then an alternative route and configuration is taken for camera setup. Without those permissions, it pukes around the part where it is trying to configure the three different camera sensors. Why else would there be a need for additional permissions (assuming relevant sepolicy rules are the same versus stock), and why else would those additional permissions make the difference? There's no system camera app in this rom (unlike other LOS roms). You can see what looks like orphaned "camera code" in /system.
You get this over and over without permissive or adding specific rules (see OP).
Code:
03-06 08:21:27.668 0 0 I init : Service 'vendor.camera-provider-2-4' (pid 2462) exited with status 1
03-06 08:21:27.668 0 0 I init : Sending signal 9 to service 'vendor.camera-provider-2-4' (pid 2462) process group...
03-06 08:21:27.668 0 0 I libprocessgroup: Successfully killed process cgroup uid 1047 pid 2462 in 0ms
03-06 08:21:27.669 0 0 I init : starting service 'vendor.camera-provider-2-4'...
An interesting page on android camera framework:
https://programmer.ink/think/camera-android-camera2-hal3-framework-analysis.html
Given the idiosyncracies of this phone (versus my OP6 or other phones), I'm somewhat hesitant to test a bunch of different ROMs (stock and custom) to gain more insight. But perhaps when I have adequate time I'll do more digging. I'd like to compare the sepolicy files as well as a number of other things (e.g. "blobs"). If I find anything interesting, I will post it.
BTW, it's not just the camera issue that needed to be taken care of. There are other services that (most likely unbeknownst to the users of the rom) are caught in a kill/restart loop (battery, audio,...). Adding specific permissions resolved those issues as well.

Upon inspection of sepolicy of a few of the ROMs in question.
Stock Nougat 998 10d:
Code:
allow sensors sensors : capability { chown [B]dac_override[/B] dac_read_search fowner setgid setuid net_bind_service net_raw } ;
Stock Oreo 933 20i:
Code:
allow sensors sensors : capability { chown [B]dac_override[/B] dac_read_search fowner setgid setuid net_bind_service net_raw } ;
Stock Pie 933 20k:
Code:
allow sensors sensors : capability { chown fowner setgid setuid net_bind_service net_raw } ;
Interesting.

This is brilliant work, congrats
You mentioned other services that need permissions. Care to share those as well?
Thanks.
*Edit*
I did manage to return to the state it was before flashing stock pie.
I did a full backup in twrp (especially efs), then I used chip erase on lgup and flashed "H93022j_00_OPEN_EU_OP_0403.kdz" and then I restored efs (chip erase deletes ALL partitions including efs where imei and serial number are stored, that's why an efs backup is essential).
Now I'm using enforcing and everything seems to work.
Be careful though, chip erase is VERY dangerous.

Hi thanks for this awesome tutorial
I'm not very familiar with sepolicy-inject
Could you please tell me how to translate these avc errors into an ALLOW rule for bypassing that annoying "permission denied" message as shell user? Thanks!
Code:
mount : type=1400 audit(0.0:645): avc: denied { dac_override } for capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0
mount : type=1400 audit(0.0:646): avc: denied { dac_read_search } for capability=2 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0
mount : type=1400 audit(0.0:647): avc: denied { mounton } for path="/system" dev="dm-0" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
mount : type=1400 audit(0.0:648): avc: denied { read } for name="dm-0" dev="tmpfs" ino=20822 scontext=u:r:shell:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
cat : type=1400 audit(0.0:755): avc: denied { syslog } for capability=34 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability2 permissive=0
cat : type=1400 audit(0.0:756): avc: denied { sys_admin } for capability=21 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0

Question [How-to] Enable Call Recording on Pixel 6 Pro [Root needed]

Install: https://play.google.com/store/apps/details?id=com.termux
Then open Termux
Type:
apt update; apt install sqlite
SU
Then type:
/data/data/com.termux/files/usr/bin/sqlite3 /data/user/0/com.google.android.gms/databases/phenotype.db
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__enable_call_recording", 0, 1, 0)
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__force_within_call_recording_geofence_value", 0, 1, 0)
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__use_call_recording_geofence_overrides", 0, 1, 0)
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__force_within_crosby_geofence_value", 0, 1, 0)
Next:
Clear dialer data
Open dialer and force close (clear from recent apps)
Open the dialer once again and in settings screen, you should see: "call recording"
Optional:
Depending on your location, you might get a pre-recording prompt notifying you (and the other party on the line) that the call may be recorded. This can be disabled by unzipping the attached file and copying the files to: /data/data/com.google.android.dialer/files/callrecordingprompt
Then in termux, run the following command
SU (unless your initial Termux session is still running)
chmod -R 777 /data/data/com.google.android.dialer/files/callrecordingprompt
Please note that disabling this prompt may be illegal depending on your jurisdiction. Some places however only require single party consent. Hence, why I posted this. You are responsible to know the laws of your jurisdiction. I will not be held liable for you breaking the law.
Major props to this thread: https://forum.xda-developers.com/t/...ding-in-stock-dialer-app-root-needed.4321719/
And @gisthere and @Liranazuz5
The above is a modification from their work on that thread. Most notability the removal of some ";" in the code that caused database errors and the combination of 2 different posts (flag implementation + app w/ database flags sync).
Intention of this thread: bring this information to Pixel 6 Pro owners. Please go and like the original thread/user posts (instead of this thread).

mkhcb said:
Install: https://play.google.com/store/apps/details?id=com.termux
Then open Termux
Type:
apt update; apt install sqlite
SU
Then type:
/data/data/com.termux/files/usr/bin/sqlite3 /data/user/0/com.google.android.gms/databases/phenotype.db
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__enable_call_recording", 0, 1, 0)
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__force_within_call_recording_geofence_value", 0, 1, 0)
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__use_call_recording_geofence_overrides", 0, 1, 0)
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__force_within_crosby_geofence_value", 0, 1, 0)
Next:
Clear dialer data
Open dialer and force close (clear from recent apps)
Open the dialer once again and in settings screen, you should see: "call recording"
Major props to this thread: https://forum.xda-developers.com/t/...ding-in-stock-dialer-app-root-needed.4321719/
And @gisthere and @Liranazuz5
The above is a modification from their work on that thread. Most notability the removal of some ";" in the code that caused database errors and the combination of 2 different posts (flag implementation + app w/ database flags sync).
Intention of this thread: bring this information to Pixel 6 Pro owners. Please go and like the original thread/user posts (instead of this thread).
Click to expand...
Click to collapse
Good info. For those of us that are too lazy to go through those steps, there is also a tiny app available to enable call recording as well (rooted devices only). Just install, enable from the app, and after 15 minutes or so you should see the call recording button/option. Been using on my device for a bit now and no issues. There are also a ton of flags available you can experiment with, just use caution in doing so. I am not the dev and no credit goes to me. Just sharing the devs (jacopotediosi) work:
Releases · jacopotediosi/GAppsMod
Tweak Google apps (e.g., Phone and Messages) to unlock hidden features (e.g., available only in some countries or on certain devices). Root is required. - jacopotediosi/GAppsMod
github.com

scott.hart.bti said:
Good info. For those of us that are too lazy to go through those steps, there is also a tiny app available to enable call recording as well (rooted devices only). Just install, enable from the app, and after 15 minutes or so you should see the call recording button/option. Been using on my device for a bit now and no issues. There are also a ton of flags available you can experiment with, just use caution in doing so. I am not the dev and no credit goes to me. Just sharing the devs (jacopotediosi) work:
Releases · jacopotediosi/GAppsMod
Tweak Google apps (e.g., Phone and Messages) to unlock hidden features (e.g., available only in some countries or on certain devices). Root is required. - jacopotediosi/GAppsMod
github.com
Click to expand...
Click to collapse
Nice find!

mkhcb said:
Install: https://play.google.com/store/apps/details?id=com.termux
Then open Termux
Type:
apt update; apt install sqlite
SU
Then type:
/data/data/com.termux/files/usr/bin/sqlite3 /data/user/0/com.google.android.gms/databases/phenotype.db
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__enable_call_recording", 0, 1, 0)
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__force_within_call_recording_geofence_value", 0, 1, 0)
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__use_call_recording_geofence_overrides", 0, 1, 0)
INSERT INTO FlagOverrides(packageName, user, name, flagType, boolVal, committed) VALUES("com.google.android.dialer", "", "G__force_within_crosby_geofence_value", 0, 1, 0)
Next:
Clear dialer data
Open dialer and force close (clear from recent apps)
Open the dialer once again and in settings screen, you should see: "call recording"
Major props to this thread: https://forum.xda-developers.com/t/...ding-in-stock-dialer-app-root-needed.4321719/
And @gisthere and @Liranazuz5
The above is a modification from their work on that thread. Most notability the removal of some ";" in the code that caused database errors and the combination of 2 different posts (flag implementation + app w/ database flags sync).
Intention of this thread: bring this information to Pixel 6 Pro owners. Please go and like the original thread/user posts (instead of this thread).
Click to expand...
Click to collapse
Hi buddy,
All credit for these call recording values goes to @gisthere !
But yeah, i'm still using that method on the P6Pro.
Just a note, in some regions there is a stupid voice message whenever you start recording. So, in order to eliminate that just replace these two files in /data/data/com.google.android.dialer/files/callrecordingprompt with the files inside that that zip file attached. Rename the unzipped files accordingly .

Liranazuz5 said:
Hi buddy,
All credit for these call recording values goes to @gisthere !
But yeah, i'm still using that method on the P6Pro.
Just a note, in some regions there is a stupid voice message whenever you start recording. So, in order to eliminate that just replace these two files in /data/data/com.google.android.dialer/files/callrecordingprompt with the files inside that that zip file attached. Rename the unzipped files accordingly .
Click to expand...
Click to collapse
So I replaced the files and now it says "Recording Failed" when I replaced the files. What permissions are your files? Any tips?
Edit: seems like the files above are corrupt and hence why I can't get it to work.
Edit 2: It appears that the file owner, which I can't seem to reproduce, has to be exactly the same as the original file.
Edit 3: chmod -R 777 /data/data/com.google.android.dialer/files/callrecordingprompt seems to have fixed the issue.

Can we uninstall sqlite after the changes are done?

@mkhcb "Edit 3: chmod -R 777 /data/data/com.google.android.dialer/files/callrecordingprompt seems to have fixed the issue." -> This with the corrupt files or the original files?

mkhcb said:
So I replaced the files and now it says "Recording Failed" when I replaced the files. What permissions are your files? Any tips?
Edit: seems like the files above are corrupt and hence why I can't get it to work.
Edit 2: It appears that the file owner, which I can't seem to reproduce, has to be exactly the same as the original file.
Edit 3: chmod -R 777 /data/data/com.google.android.dialer/files/callrecordingprompt seems to have fixed the issue.
Click to expand...
Click to collapse
I should've mentioned that smh, sorry buddy, it was late..

WhoIsJohnGalt1979 said:
@mkhcb "Edit 3: chmod -R 777 /data/data/com.google.android.dialer/files/callrecordingprompt seems to have fixed the issue." -> This with the corrupt files or the original files?
Click to expand...
Click to collapse
The files are not corrupt, I thought they were since I couldn't open it with VLC. Even if it is corrupt, it works with the right permission .

These are just an "empty" wav files, that's all .

Liranazuz5 said:
These are just an "empty" wav files, that's all .
Click to expand...
Click to collapse
I figured based on the size. I thought it would at least be 1 second of nothing sounds, but nope.

mkhcb said:
I figured based on the size. I thought it would at least be 1 second of nothing sounds, but nope.
Click to expand...
Click to collapse
Yeah lol, 00:00 seconds recording.
Great job on that guide, nicely done Sir!

scott.hart.bti said:
Good info. For those of us that are too lazy to go through those steps, there is also a tiny app available to enable call recording as well (rooted devices only). Just install, enable from the app, and after 15 minutes or so you should see the call recording button/option. Been using on my device for a bit now and no issues. There are also a ton of flags available you can experiment with, just use caution in doing so. I am not the dev and no credit goes to me. Just sharing the devs (jacopotediosi) work:
Releases · jacopotediosi/GAppsMod
Tweak Google apps (e.g., Phone and Messages) to unlock hidden features (e.g., available only in some countries or on certain devices). Root is required. - jacopotediosi/GAppsMod
github.com
Click to expand...
Click to collapse
This module worked very well on my pixel 6 for almost 7 months. now, suddenly the phone starts to prmopt"not support in your region"
How it woks for you now?

Chmod is a linux or terminal command. Will it work if we just change the permissions in a root explorer on the phone?

Spookymyo said:
Chmod is a linux or terminal command. Will it work if we just change the permissions in a root explorer on the phone?
Click to expand...
Click to collapse
Yes
Edit: Darn sorry for the bump. I got a notification and thought this was a new question. Then I realized the notification was a like, not a reply to my thread.

I purchased the full version of 'call recorder' by skvalex. Pricy, but just works.

fil3s said:
I purchased the full version of 'call recorder' by skvalex. Pricy, but just works.
Click to expand...
Click to collapse
I can confirm it is working without any problems. Thanks for the heads up!