Related
Hey guys,
I have a very wierd problem with a piece of code i am working on. It is supposed to detect the version of CHT installed and commence a set of actions depending on whether it finds CHT is not installed or if it is the version.
The code is (link removed) (i would post it directly but it's an entire sub procedure and way to long to post here)
I don't understand why it is generating the error in the title. There is no code that would cause that type of conversion as far as i can see.
Does anyone have any ideas?
Fix it, sort of, thanks to JVH3. Now the CHT Editor team needs to fix the bug i found.
The result of probably more than 100 hours of solo hackery: a working COM DLL for allowing any application to elevate itself to SYSTEM (root) permissions.
What you need:
An interop-unlocked HTC phone. Sorry second-gen and Arrive users.
A working HtcUtility driver. It's possible some HTC update at some point crippled this. It works for me; if it doesn't work for you let me know what updates you have.
What it does:
Allows changing the security token of any application to give that app unrestricted permissions. At this point, you can call any user-mode API, perform any operation, with full access.
It also allows you to read or write any value from memory, even kernel memory (this is how it modifes the security token).
What it can be used for:
Darn near anything. If it can be done while the phone is booted, you can do it.
What it can't be used for:
Modifying the ROM - the R and O stand for "read only" and they mean it.
Interop-unlocking a phone - it requires interop-unlock to get root in the first place.
How to use it:
In your app, include the HtcRoot.dll library.
Include the code from DriverAccessTest.cs in the test app (defines the COM API and enables using it).
Call the OpenHtcUtility function (will throw an exception if your device is incompatible).
Call the MakeMeRoot function (can also throw exceptions).
(OPTIONAL) Call the ReturnZeroIfRoot function to make sure your app is elevated (does not throw exceptions, will return an error code if you get one).
Do stuff with SYSTEM permissions (probably using another COM DLL, such as for registry or filesystem access).
Call the RestoreToken function (failure to do this *might* cause a kernel memory leak).
Call the CloseHtcUtility function (OS will probably handle this if program just exits).
What you can do right now:
Try the test app. It should pop up a series of messge boxes. Hopefully none of them say anything like "FAILURE".
Report any bugs or failures you discover.
Build things with this library, and publish them!
Breakdown of the download:
There are two folders in the ZIP, one for the Visual Studio 2010 C#/Silverlight XAP project, and one for the Visual Studio 2008 C++/COM DLL project.
The test XAP is in the HtcUtilityTest\bin\Debug folder.
The native (COM) DLL is also available in that folder, or under its own project.
If you want to mess with this, I'm going to assume you are already familiar with hybrid native/managed development for WP7. If not, Heathcliff74 has posted an excellent tutorial on this forum.
Special thanks to:
Heathcliff74 for the hybrid app tutorial and interop unlock info.
Paul_Hammons for the links and info about HtcUtility, the driver that makes this possible. Thread: http://forum.xda-developers.com/showthread.php?t=1434793
Supported devices / firmware versions / ROMs
All HTC devices (if interop-unlocked and with the right firmware numbers) should be compatible.
Some custom ROMs work, some do not. This will depend on the version of the firmware that the ROM's HtcUtility driver is taken from.
I believe I compiled the test app as Mango-only, but the native library doesn't care at all.
Compatible:
Stock ROMs with compatible firmware for HD7, Trophy, Mozart
HD2 (BttF [XBmod-Yuki] v2 SP1)
Not compatible:
Firmware version 2250.21.51004.401 or newer
Verizon Trophy firmware version 2305.13.20104.605 or newer
DFT ROM with build 8107, Firmware 5.10.401
Arrive (except on pre-Mango), Titan, Radar, Titan 2 (no interop-unlock)
Others are untested or results are incomplete.
Goals and future work:
Support more devices:
* Try and add support for newer firmware.
* Help ROM cookers ensure the library is supported.
* Look for similar openings in other OEM libraries.
Future-proofing:
* Allow installation of a mod to support this capability after known updates.
* Resilience against possible future updates.
* Allow users with incompatible devices to downgrade (possibly to NoDo), install the mod, and be able to use the phone after upgrading.
Improve the library:
* Fix some memory leaks.
* Clean up the code - remove dead code and improve comments.
* Allow reading/writing more than 4 bytes at a time from managed code.
* Add APIs to elevate other processes (by name or ID) to SYSTEM.
Develop homebrew around the library:
* Support accessing common APIs (filesystem, etc.).
* Resurrect the Advanced Explorer app, perhaps (registry and filesystem).
* Support native app launching on stock ROMs.
Also reserved
Reserved for OP #2
It does not work on HTC 7 Mozart (HTC Europe):
Error to Write the value 1337 to test address - System.Runtime.InteropServices.COMException (0x8007001F): A device attached to the system is not functioning
Click to expand...
Click to collapse
OS: 7.10.7740.16
Firmware: 2250.21.51101.401
Radio: 5.71.09.02a_22.51.50.21U
Boot: 5.11.2250.1(133487)
Please include the full error message or a description of what went wrong.
Failure on fully updated devices is unfortunately possible - my phone is (intentionally) a few updates behind. I'm looking into ways to make it work anyhow (either sending an older CAB update to roll back, or using the root acess to create an unlocker/root-enabler that survives subsequent updates). I'm going to look into how the full-unlock ROMs differ from standard ROMs, and see if I can do the same thing in running software.
Does it works with custom roms?
If the custom ROM has a working HtcUtility driver, then yes. My goal is to unlock the kind of capabilities normally restricted to custom ROMs on stock firmware, though.
@bleh815: Thanks for the report. That's frustrating; it looks like it is capable of doing read but not write. Write might just be restricted in what addresses is allowed, or it might be disabled entirely (the driver gives the same error code for every problem that I've encountered so far). Time to figure out
A) what update causes the problem (I'm on 2250.21.30102.531, HD7, stock ROM)
B) what restrictions that update introduces
C) how to work around those resrtictions (possibly by downgrading and then using root access to add something that will still work after upgrade).
GoodDayToDie said:
A) what update causes the problem (I'm on 2250.21.30102.531, HD7, stock ROM)
Click to expand...
Click to collapse
I've just downgraded a mozart of mine back to stock NoDo (TMOB-DE) to find out which OEM update breaks (actually fixes) it.
Cool, thanks! It's one of the post-Mango HTC updates; a Microsoft update wouldn't have modified an HTC driver, and my phone has all the pre-Mango HTC updates but it still works.
.
..........
Hi, at first it says "SUCCESS!", then it says "Trying to open a file gives error 1260" and then it says "Now opening a file gives error 0" and finally "Finally, opening a file gives error 1260".
System informations:
OS=7.10.7720.68
Firmwareversion=2250.21.12200.162
Radio=5.68.09.05a_22.50.50.21U
Bootloader=4.6.2250.0(129185)
HTC 7 Trophy.
That is *exactly* the sequence of messages it is supposed to give!!
In particular, the messages I need to see are the "SUCCESS" (the rest is potentially interesting info, but not very important) and then the "Now opening a file gives error 0".
The "SUCCESS" means that a sequence of read/write tests succeeded.
The "Now... error 0" means that the process has been elevated to full permissions.
The "Finally... error 1260" means that the security token was successfully restored at the end, so it was unable to open the file again. This is the expected and correct behavior.
I don't recognize your Firmware Version number; I'm guessing it's specific to your phone. What method did you use to upgrade to Mango?
how do i install it?
Tried on interop-unlocked HTC Surround, not working Tested any call in VS debug mode - no luck at all.
I can confirm that it works with any OS version, from 7004 to 8107.79
On a HTC 7 Mozart (TMOB-DE) it works with firmware 2250.21.13201.111 (Stock NoDo ROM) but the hole gets fixed with 2250.21.51101.111 (1st Post-Mango HTC Update).
You guys are gods taking programming to a hole new level!
I wish to see ms take you all more serious and not let wp7 fail like minmo6.5 did!
I wish I could get on your level!
I realy need some help lerning basic silverlight my self!
But I have read how hybrid working ant this is just fantastic!
conradulations on all your developments so far you guys are truly amazing!
Oh, that code, beautiful reading that!
Thanks for sharing this learnfull code!
I'd like to try it on my Verizon HTC Trophy, I would love to get file access back....
I downloaded the package and I even have VS 2010 installed but beyond that I have no idea as I am not a programmer.
Can someone post a compiled XAP for us to try to see if our phone works with it or not ?
Or some step by step VS 201 directions to try would also be helpful.
@Ttblondey: *FACEPALM* The path to the test XAP is given in the opening post. You install the XAP on your phone using any XAP deployment tool. It requires that your phone be interop-unlocked; Heathcliff74 has a nice long thread about that. The app is called called HtcUtilityTest. Run it, and report the results. If you want to actually *use* the DLL, the instructions for doing that are given too but you need to write some code.
@sensboston: PLEASE give a more complete report! Success and error messages, at the least. Also, your phone version info. Thanks!
@bleh815: THANK YOU! I mean, it's a little annoying to know how far back this was fixed ("First post-Mango HTC update" means the one that was included *with* Mango for most people, or the one after that?) but good to know. Now, to look at exactly what they changed...
@jackrabbit72380: Thanks man! As for working with it yourself, like I mention below, I'm planning to provide a universal homebrew library that people can easily use to do whatever they want.
@fiinix: You're welcome! Honestly, I didn't expect anybody to call my mess of debug-commented and mildly hacky C++ "beautiful" but that hack itself *is* pretty awesome. My only concern with using it is the risk of a context switch causing the wrong app's token to get overwritten, and I should probably look into that, but I think it's OK for the moment. There are bigger fish to fry.
In the meantime, it should open up a huge list of capabilities for tools like your DllImport project. I'm currently considering reviving Advanced Explorer (like TouchXplorer + Registry Editor, but open source; was never ported to Mango though) using the root access instead of using ComFileRW and the provxml driver. Let me know what you want to do with it!
One other thing I'd like to add is the ability to easily elevate *another* process; it's not hard to do but I haven't written it yet. This could be handy for apps where we don't have the source code (for example, elevate Schaps registry editor, which uses low-privilege native code for browsing, so it can read *all* registry locations instead of just some of them).
@DavidinCT: Well, running the test app is easy, just install the XAP. It just runs a battery of tests though, it doesn't actually *do* anything useful. To get filesystem access, you'll need to write some native code (which means using Visual Studio 2008 and the CE/Smart Device plug-in, see Heathcliff74's toturial on the subject). Basically, you would first use this DLL (accessed via COM, you can look at my own C# code for how to do that) to opent he driver handle and elevate the process to root. You could then write your own COM DLL that uses the standard Win32 filesystem APIs (CreateFile, etc. - all are documented on MSDN) and exposes those APIs, or the results of them, to managed code via COM. Then, back in your phone app (the one that called into my HtcRoot DLL) you can call into your own DLL to access the file system.
If that's too big a leap, don't worry. I plan to release a general-purpose high-privilege homebrew DLL that exposes some of the most-used functionality (filesystem, registry, provxml, and other things by request), is easily extensible (possibly using something like the DllImport project, where you just specify the function you want to call and the DLL it's located in right from C#), and that will be a lot easier to hack with. You'll still need to know C# and basic Silverlight, but it'll be a lot easier (and hopefully useful without knowing any C++ or COM).
GoodDayToDie, you are amazing, always keeping me interested!
When starting the test xap, I get the below, it then goes into the "Page Name" and that's it.
Device Info here, running a FullUnlock DFT Rom by a Chinese dev from the DFT Forum.
Nonetheless, top work on getting this started and can't wait to keep reading about the progress!
XeKToReX
Hey,
since im one of the few people that cant get OTAs or unlock bootloader I decided to decompile the unlock apk.
I used dex2jar.
So I now have some Jasmin code (which look to me like assembler) of which I don't understand most. Though looking through the code for things i do understand I found that in "com/asus/unlock/s.j" it says:
Code:
L0:
new java/io/FileOutputStream
dup
ldc "/dev/block/mmcblk0p3"
invokespecial java/io/FileOutputStream/<init>(Ljava/lang/String;)V
astore 10
L1:
aload 10
aload 3
invokevirtual java/io/FileOutputStream/write([B)V
new java/io/FileOutputStream
dup
ldc "/dev/block/mmcblk0p4"
invokespecial java/io/FileOutputStream/<init>(Ljava/lang/String;)V
astore 9
which looks to me like its writing raw data from mmcblk0p3 to mmcblk0p4...
So I was wondering 2 things:
1. does anyone know what is on mmcblk0p3?
and 2. is there someone on this forum who understands Jasmin code better than me and could look at the file?
PS: i attached the Jasmin code to this post if thats against the forum rules please take it down.
EDIT:
ok jsut tryed to dd mmcblk0p3 to mmcblk0p4... nothing happens
Obviously code shows it writes to blk0p3 and blk0p4 some magic (I guess there's a hash done on serial number, and passed to bootloader).
Once rebooting, the bootloader probably checks this magic, and proceed to unlock if the magic is valid (hence the "Unlock Check Failed" some people got).
Two things to do to make it work:
- Know what is written, how to calculate it
- Know where exactly it is written in p3 and p4
I am here to learn.
This post is more suitable for Q&A. This section is for development not for questions of development.
Please have your post moved to the correct location. Thank you
tomween1 said:
This post is more suitable for Q&A. This section is for development not for questions of development.
Please have your post moved to the correct location. Thank you
Click to expand...
Click to collapse
how is this not development?
I'm trying to hack/mod the unlocker apk to unlock all devices... sure its not ready yet but i thought the dev forums are for developers (and wanna be devs - like me) to talk about how to solve problems.
I think its OK on development too. Im asking for xplod/nebkat help to see if we can go further on this.
BierLiebHaber said:
how is this not development?
I'm trying to hack/mod the unlocker apk to unlock all devices... sure its not ready yet but i thought the dev forums are for developers (and wanna be devs - like me) to talk about how to solve problems.
Click to expand...
Click to collapse
I don't see a problem with it, but I'm assuming the person who does was referencing the fact that in many device forums (especially ones with large numbers of users) the rule for the android development section is "if you didn't make it, it doesn't belong here." Which isn't a bad idea considering there isn't a dedicated roms or tweaks section.
TXKSSnapper said:
I don't see a problem with it, but I'm assuming the person who does was referencing the fact that in many device forums (especially ones with large numbers of users) the rule for the android development section is "if you didn't make it, it doesn't belong here." Which isn't a bad idea considering there isn't a dedicated roms or tweaks section.
Click to expand...
Click to collapse
Yes sir
Here are the decompiled java code zip files created with dex2jar and then jad and jd-gui. They're not perfect and not everything could be decompiled, but it should make the program a lot easier to read
hmm after looking at the code for ages and trying to recompile it i always get a "wrong sinature" on the transformer (yes i did sign it)... i dont know and cant/wont work on it anymore since i got the ota's today at 3am and was able to unlock the bootloader
so i guess its a waiting game for anyone who cant get ota's/unlock
BierLiebHaber said:
hmm after looking at the code for ages and trying to recompile it i always get a "wrong sinature" on the transformer (yes i did sign it)... i dont know and cant/wont work on it anymore since i got the ota's today at 3am and was able to unlock the bootloader
so i guess its a waiting game for anyone who cant get ota's/unlock
Click to expand...
Click to collapse
It won't work by compiling it as-is since the obfuscated/undecompilable bytecode resulted as comments in the code (which as it turned out is the part we actually need).
You get "Wrong signature" when installing the app? You probably miscompiled it (or didn't sign it properly). Anyway, as I said above, it won't work as-is.
XpLoDWilD said:
It won't work by compiling it as-is since the obfuscated/undecompilable bytecode resulted as comments in the code (which as it turned out is the part we actually need).
You get "Wrong signature" when installing the app? You probably miscompiled it (or didn't sign it properly). Anyway, as I said above, it won't work as-is.
Click to expand...
Click to collapse
I'm not sure if you're referring to the Java code or the smali code. If you're referring to the latter, I was able to decompile the unlock tool, recompile it, and sign it and it ran in the Android SDK emulator (obviously, with no effect though)
XpLoDWilD said:
It won't work by compiling it as-is since the obfuscated/undecompilable bytecode resulted as comments in the code (which as it turned out is the part we actually need).
You get "Wrong signature" when installing the app? You probably miscompiled it (or didn't sign it properly). Anyway, as I said above, it won't work as-is.
Click to expand...
Click to collapse
i compiled the jasmin code so there were no comments (since it was all byte code)
and i guess i did sign it wrong but i used SignApk (which works for all the cwm zips if created) maybe i have to create/use a special key to sign it?
edit: also i didn't get "wrong signature" when installing i only got it when i tried to install it over the existing install (if i tried to install after factory reset it only said "The app was not installed" )
this apk need to be signed with the same key as the system, test signing it will not
work.
it also submits the device serial number to ASUS looks like
Code:
https://mdm.asus.com/DMServer/DeviceState
the unlock code is probably in the server response.
untermensch said:
this apk need to be signed with the same key as the system, test signing it will not
work.
it also submits the device serial number to ASUS looks like
Code:
https://mdm.asus.com/DMServer/DeviceState
the unlock code is probably in the server response.
Click to expand...
Click to collapse
I don't know if running it on a real tablet is any different from the emulator, but why wouldn't a test key work?
I was able to run the (modified) tool in the emulator by doing this:
1. Extract apk with apktool
Code:
apktool decode UnLock_Device_App_V7.apk
2. Open res/raw/keystore.bks with Portcecle and delete the certificate.
3. Modify smali code
4. Rebuild apk with apktool
Code:
apktool build UnLock_Device_App_V7/ modified.apk
5. Create signing key
[code]keytool -genkey -v -keystore testkey.keystore -alias testalias -keyalg RSA -keysize 2048 -validity 10000
6. Sign apk
Code:
jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore testkey.keystore modified.apk testalias
---------- Post added at 04:47 PM ---------- Previous post was at 04:43 PM ----------
Does anyone know how to skip the EULA portion of the tool? The checkbox doesn't show up in the emulator. I don't have an ASUS tablet yet, but I do have have an environment ready to sniff the traffic between the tool and the ASUS server.
I'm thinking of replacing /sys/devices/platform/cardhu_misc/cardhu_chipid in i.smali with different text files and seeing the response from the ASUS server.
Android wont allow the requested permissions, unless the apk is signed with the ASUS
key or you sign the rest of the ROM with the test key, unless something has changed
since froyo.
untermensch said:
Android wont allow the requested permissions, unless the apk is signed with the ASUS
key or you sign the rest of the ROM with the test key, unless something has changed
since froyo.
Click to expand...
Click to collapse
Ahh, I see. I didn't know that.
you may get around that by odex-ing your changed code and installing
along side the unmodified APK, it has been at least a year since I hacked Android
so I don't quite remember what worked and what didn't work. I seem to
remember that APK's installed in /system/app were trusted regardless of the signing
here is my mmcblk0p3 post unlock
Tracing the code with random (but expected length values), I'm getting URLs, like:
https://mdm.asus.com/DMServer/Devic...H=RkNGOTRFNTBGNzI1N0M5NTE2RkYyNTgxNjcxMUQyMkI
there are also 2 variables
&ACTION=...
&STATUS=...
that I can't figure out. No matter what I send to the ASUS server, I always get the "104" reply.
---------- Post added at 07:05 PM ---------- Previous post was at 07:05 PM ----------
untermensch said:
here is my mmcblk0p3 post unlock
Click to expand...
Click to collapse
Thanks! I'll see what I can find in it.
EDIT: The hexdump of the partition is attached (EDIT: removed). I see a whole bunch of \x00 bytes and \xFF bytes and some sort of ASCII table. The interesting stuff seems to be at offset E000. I'm not sure what that is for. I'd need to compare it to an mmcblk0p3 partition from a TF300T that's not unlocked.
EDIT2: Would you also mind posting your mmcblk0p4 partition too?
Why?
It is needed to have root on your device. Google it, to get more details
Sent from my HTC One X using xda premium
I myself dont know and it would be nice to have an explanation here as most of us are new to this rooting and bricking jargon simple explanations of these things will help "COMMUNITY" members hence why we have a section
HTC one X Q&A
It very easy to tell someone Google it
as Einstein said: "If you cannot explain it simply then you don't understand it well enough"
check this video out I found it, however I cannot view it due to Admins blocking Youtube http://www.google.co.za/url?sa=t&rc..._92TCg&usg=AFQjCNGRf354aisVBQXiO8jVypBAj91PLg
Edit:
Not my intention to be Rude but this is a Q&A and we need to be helpful as a Community not make people not want to ask questions
BusyBox is a package containing a whole range of "program commands" and/or "scripts" (tools). It is with these extra tools, specific tasks can be performed.
Once a custom ROM has BusyBox installed, it means that scripts on the ROM and apps in the ROM can use make use of the tools to perform their tasks.
For example "dd" is a known linux command/tool for block-by-block copying and dumping. However "dd" does not exist until BusyBox is installed. Other popular tools are "uname" to get the kernels name/details, and "ls" is to list the contents of a directory/folder (similar to "dir" in DOS). There are about 50 or more of these commands packaged inside "BusyBox". Whenever there are new versions of BusyBox installed (as you may see in the changelogs for some custom ROM's), this is simply because BusyBox has included either new versions of some of its tools, or perhaps added additional tools to the package.
Hope that helps answer your question. However to be honest, I found all that out by SEARCHing this forum.
- WizzKidd
wizzkidd said:
BusyBox is a package containing a whole range of "program commands" and/or "scripts" (tools). It is with these extra tools, specific tasks can be performed.
Once a custom ROM has BusyBox installed, it means that scripts on the ROM and apps in the ROM can use make use of the tools to perform their tasks.
For example "dd" is a known linux command/tool for block-by-block copying and dumping. However "dd" does not exist until BusyBox is installed. Other popular tools are "uname" to get the kernels name/details, and "ls" is to list the contents of a directory/folder (similar to "dir" in DOS). There are about 50 or more of these commands packaged inside "BusyBox". Whenever there are new versions of BusyBox installed (as you may see in the changelogs for some custom ROM's), this is simply because BusyBox has included either new versions of some of its tools, or perhaps added additional tools to the package.
Hope that helps answer your question. However to be honest, I found all that out by SEARCHing this forum.
- WizzKidd
Click to expand...
Click to collapse
^^ hit the nail on the head. That's not to say that busybox is the ONLY way to get those tools. It's just the slimmest. There are more robust gnu equivalents of the tools that it includes, but they're nowhere near its tiny footprint.
Busybox is a pretty neat application though, since all of the tools that it provides are housed in one binary (busybox). The other commands operate with symlinks named appropriately for their function (su, etc.). The binary detects the name of the symlink that invoked it and behaves appropriately. It's commonly used in environments where not much space is available (recovery environments, embedded systems, etc.)
--Matt
jinkira said:
I myself dont know and it would be nice to have an explanation here as most of us are new to this rooting and bricking jargon simple explanations of these things will help "COMMUNITY" members hence why we have a section
HTC one X Q&A
It very easy to tell someone Google it
as Einstein said: "If you cannot explain it simply then you don't understand it well enough"
check this video out I found it, however I cannot view it due to Admins blocking Youtube http://www.google.co.za/url?sa=t&rc..._92TCg&usg=AFQjCNGRf354aisVBQXiO8jVypBAj91PLg
Edit:
Not my intention to be Rude but this is a Q&A and we need to be helpful as a Community not make people not want to ask questions
Click to expand...
Click to collapse
The main reason people here get told to Google a problem is because more likely than not, the answer you'll get from the search engine will be a page from XDA...
There's also a search box within XDA too, I found these pages using it, they would have answered the OPs question, there wasn't really a need for this thread.
Not trying to be rude but the search is there for a reason and these questions have been asked hundreds of times before
http://busybox.net/FAQ.html#whatis
thank you all for the feedback it is much appreciated
oh and I did do a search but only on the HOX forum not the entire site, and Searching only th HOXX forum there were fragmented pieces of info, but anyways Thanks you guys
https://m.youtube.com/watch?v=Bm1FggPu-Zs
Please watch the whole video first before starting anything, then try to replicate step by step.
Of course, there is the risk of the lzplay app being malicious, please keep that in mind, you have to grant the app some privileges.
Hi Yir!
I follow this steps to the detail and the GMS app still does not work (same message at
)
My build number is a little different and my phone is an ARE-AL10 model. No more updates are received.
Any ideas?.
Thanks!