[Q] 'Correct' way to compile a permissive SELinux kernel? - Nexus 5 Developer Discussion [Developers Only]

As the title suggests, I'm attempting to compile a (Lollipop) Nexus 5 kernel with SELinux in permissive mode by default. For reference, I am using the msm kernel source tree at commit 8a80a0e.
I have managed to accomplish this by modifying msm/security/selinux/selinuxfs.c and inserting new_value = 0; into sel_write_enforce to prevent the mode being changed:
Code:
length = -EINVAL;
if (sscanf(page, "%d", &new_value) != 1)
goto out;
new_value = 0; /* inserted this line */
if (new_value != selinux_enforcing) {
length = task_has_security(current, SECURITY__SETENFORCE);
if (length)
goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
"enforcing=%d old_enforcing=%d auid=%u ses=%u",
This method, however, doesn't seem particularly good, as it relies on the intricacies of the specific implementation of SELinux used in this kernel, and prevents the mode being changed later.
This post suggests changing the CONFIG_ALWAYS_ENFORCE flag for a Samsung device, however the Nexus 5 kernel does not appear to have such an option. Setting the default state of SELinux using various menuconfig options and kernel command line parameters does not appear to have any effect, and disabling it entirely causes the device to crash after boot, before any logcat output is produced.
I have noticed than when started with a kernel with SELinux enabled, one of the first messages from logcat is from auditd, of the form enforcing=1 old_enforcing=0 auid=... ses=..., indicating that something is setting the SELinux mode to enforcing almost immediately after boot.
Thus, I am wondering if anyone knows where this command to set SELinux to enforcing comes from, how to disable it, or another way to compile a kernel with SELinux set to permissive?

I believe you need to change the kernel config to allow command line switching of SELinux:
Code:
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
then modify the boot parameters of your boot.img adding to the cmdline:
Code:
enforcing=0 androidboot.selinux=permissive
I think that's the way. I went through all this but ended up just disabling SELinux altogether so I can't remember for sure if that's all.

Gene Poole said:
I believe you need to change the kernel config to allow command line switching of SELinux:
Code:
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
then modify the boot parameters of your boot.img adding to the cmdline:
Code:
enforcing=0 androidboot.selinux=permissive
I think that's the way. I went through all this but ended up just disabling SELinux altogether so I can't remember for sure if that's all.
Click to expand...
Click to collapse
Doesn't work. The system boots up in permissive mode, but immediately switches to enforcing, as it usually does. The first few lines of logcat:
Code:
--------- beginning of main
I/installd( 0): installd firing up
W/auditd ( 169): type=2000 audit(0.0:1): initialized
I/auditd ( 169): type=1403 audit(0.0:2): policy loaded auid=4294967295 ses=4294967295
W/auditd ( 169): type=1404 audit(0.0:3): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295

Are you using the google boot image, or the AOSP image (they're quite different)? I just checked mine (built from source) and init has -DALLOW_DISABLE_SELINUX=1 which may not be present in the distro version of init.

Gene Poole said:
Are you using the google boot image, or the AOSP image (they're quite different)? I just checked mine (built from source) and init has -DALLOW_DISABLE_SELINUX=1 which may not be present in the distro version of init.
Click to expand...
Click to collapse
I wasn't aware there was a difference. I compiled the kernel from source, enabling the relevant config options, then got boot.img from the Nexus 5 factory image, and extracted and replaced the kernel and boot parameters as suggested by this document.

The boot.img built as part of the AOSP build (with USERDEBUG flag) is not locked down the way the factory boot image is. There may be something built-in to the init process to ensure selinux is available in the kernel and cannot be disabled.
I wish I knew more about this. My original goal was to implement the things I needed in the AOSP build and set up selinux permissions to allow it, but I gave up and ended up just removing selinux from the kernel altogether.

Hmm... I'll take a look in the initrd of the Android boot images to see if there's anything in there that might be setting the SELinux mode.
Update: Bah. It seems the AOSP source of init can be configured to accept a ro.boot.selinux parameter, but I see no indication that the code is present in the stock init binary. The code also explains why the phone immediately reboots into recovery when SELinux support is disabled in the kernel.
Update 2: After attempting to download 18GB of AOSP source code, I think my dodgy way of disabling SELinux is really the best method.

Gene Poole said:
I believe you need to change the kernel config to allow command line switching of SELinux:
Code:
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
then modify the boot parameters of your boot.img adding to the cmdline:
Code:
enforcing=0 androidboot.selinux=permissive
I think that's the way. I went through all this but ended up just disabling SELinux altogether so I can't remember for sure if that's all.
Click to expand...
Click to collapse
bootloop ¯\_(ツ)_/¯

Just disable it in the config?
Why do you need it if you don't use it?

Jo_Jo_2000 said:
Just disable it in the config?
Why do you need it if you don't use it?
Click to expand...
Click to collapse
I prefer CONFIG_ALWAYS_ENFORCE = false instead of new_value = 0

Related

supolicy --live fails with code 13

Hello again!
Tried launching supolicy --live as root in init context, it failed with code -13.
What gives? If I want to run supolicy --live very early in init, which context should I use ? Should I assume Zygote's context via seclabel ?
Hey, I hope I will not be comitting a gross transgression if I tag @Chainfire into this to hopefully draw attention.
Basically, what I'm trying to do is to patch Selinux policies and temporarily set Selinux to Permissive rather early during init sequence (after /system is available but before /data is properly available)
Supolicy --live says
supolicy v2.45 (ndk:arm64-v8a) - Copyright (C) 2014-2015 - Chainfire
Patching policy ...
- Failure! 13
Click to expand...
Click to collapse
What has gone wrong and how would I go about making it right ?
P.S.:
Do note that when the boot completes Supersu runs fine and Selinux can be switched to Permissive without issue (but it's too late at that point )
Android is Lollipop 5.0 and sources are not available for this specific ROM
Hello,
I tried on
supolicy v2.64 (ndk:armeabi-v7a)
same problem. Did you find a way to fix this issue ?
Error 13 is access denied. supolicy probably doesn't have the rights to read/write the sepolicy.

Porting (Kang) Keymaster Firmware

Anyone ever attempted to kang Keymaster Firmware from a different device? I have tried the firmware from bacon, hammerhead, and g3. I have tried with and without the TARGET_KEYMASTER_WAIT_FOR_QSEE flag.
See these commits:
https://github.com/blastagator/cm_d...mmit/a50026b03824e65e852dc975e369f89a6e8e33a6
https://github.com/blastagator/them...mmit/b5951a58a4df5cabc8f928fae2476629cc73b1fa
https://github.com/blastagator/LGG2_Kernel/commit/655b64e43cbcd4550671cadf8bc19b6c495b3190
The result is always the same in dmesg:
Code:
[0][4371: keystore]QSEECOM: qseecom_load_app: App (keymaster) does'nt exist, loading apps for first time
[0][4371: keystore]QSEECOM: qseecom_load_app: scm_call failed resp.result unknown, -12
[0][4371: keystore]QSEECOM: qseecom_ioctl: failed load_app request: -14
This is the only related thing I've found:
http://androidforums.com/threads/beta-4-4-2-stock-kitkat.952314/
Very old and no answer.
I suspect the firmware might be signed to the device type and thus we might be SOL, but I was bored and messing around. Alternatively, perhaps the kernel is missing something. I looked for commits that may be missing from qseecom.c and smc.c, but nothing jumped out at me.
Figured I'd post a dev thread and maybe we can find an answer.
edit: This is my cheat sheet to myself, so far, for how to add hardware crypto to a device:
Code:
Needed commits:
Probable problem: G2 has no keymaster firmware, need to borrow someone else's
See this commit:
https://github.com/blastagator/themuppets_proprietary_vendor_lge/commit/b5951a58a4df5cabc8f928fae2476629cc73b1fa
g2-common/g2-common-vendor-blobs.mk
+ vendor/lge/g2-common/proprietary/vendor/firmware/keymaster/keymaster.b00:system/vendor/firmware/keymaster/keymaster.b00 \
+ vendor/lge/g2-common/proprietary/vendor/firmware/keymaster/keymaster.b01:system/vendor/firmware/keymaster/keymaster.b01 \
+ vendor/lge/g2-common/proprietary/vendor/firmware/keymaster/keymaster.b02:system/vendor/firmware/keymaster/keymaster.b02 \
+ vendor/lge/g2-common/proprietary/vendor/firmware/keymaster/keymaster.b03:system/vendor/firmware/keymaster/keymaster.b03 \
+ vendor/lge/g2-common/proprietary/vendor/firmware/keymaster/keymaster.mdt:system/vendor/firmware/keymaster/keymaster.mdt \
And, actually put the files in that folder, so they get copied.
CRUCIAL: MUST match this name and path!!! (Other things like keymaste.mdt and such are for if the files are in the modem)
Also, symlinks are NOT needed if we put the file into proprietary like this!
Device commit:
https://github.com/blastagator/cm_device_lge_g2-common/commit/a50026b03824e65e852dc975e369f89a6e8e33a6
BoardConfig
+# Encryption / Keymaster
+TARGET_HW_DISK_ENCRYPTION := true
+TARGET_KEYMASTER_WAIT_FOR_QSEE := true
+
NOTE: Not sure about wait_for_qsee --- MAYBE needed????
g2.mk
+# Keystore
+PRODUCT_PACKAGES += \
+ keystore.msm8974
+
Note: The resulting /system image will have TWO keystore files, this is correct
I checked a bacon image to confirm there are supposed to be two. One labeled msm8974 & one labeled default
Probable needed kernel changes:
Config
-# CONFIG_DM_REQ_CRYPT is not set
+CONFIG_DM_REQ_CRYPT=y
-# CONFIG_CRYPTO_DEV_QCRYPTO is not set
+CONFIG_CRYPTO_DEV_QCRYPTO=y
If dm-req-crypt.c doesn't build, need this commit:
https://github.com/blastagator/LGG2_Kernel/commit/50ddb1a013065cefa35151e9ded72aadcd210611
(platform: msm: Fix compile when CONFIG_PFT is not set)
include/linux/pft.h
-static inline int pft_get_key_index(struct inode *inode, u32 *key_index,
+static inline int pft_get_key_index(struct bio *bio, u32 *key_index,
blastagator said:
Anyone ever attempted to kang Keymaster Firmware from a different device?
Click to expand...
Click to collapse
Maybe, you have to add something like this:
https://github.com/CyanogenMod/andr...mmit/595cf776441389d147f4b4e7ec316aa02d74d14e
Rangell11 said:
Maybe, you have to add something like this:
https://github.com/CyanogenMod/andr...mmit/595cf776441389d147f4b4e7ec316aa02d74d14e
Click to expand...
Click to collapse
That is for if the firmware is in the /modem partition. I know it's finding the firmware because if I remove the files the error messages go away and the keystore service crashes without a specific error.
I've also insured permissions 0644 on the files and I've put selinux in permissive to see if that would help, but same errors.
blastagator said:
I've also insured permissions 0644 on the files and I've put selinux in permissive to see if that would help, but same errors.
Click to expand...
Click to collapse
Like this??
http://review.cyanogenmod.org/#/c/155981/
Did you try this?
http://review.cyanogenmod.org/#/c/137146/
PS:
I think our G2 not support TARGET_KEYMASTER_WAIT_FOR_QSEE flag.
http://review.cyanogenmod.org/#/c/102410/
Rangell11 said:
Like this??
http://review.cyanogenmod.org/#/c/155981/
Click to expand...
Click to collapse
After clean boot I used "setenforce 0" to see if it would load after that. (keystore service keeps repeatedly attempting to load in the background and can be seen with 'dmesg'.) Disabling enforcing should have solved any selinux problem, but the same error persisted.
Rangell11 said:
Did you try this?
http://review.cyanogenmod.org/#/c/137146/
Click to expand...
Click to collapse
Keymaster is in the system partition and not the modem partition (for my tests anyway), so this wouldn't be needed. I will say the contact was not 'context=ubject_r:firmware_file:s0', it was listed as a regular system file, however, in permissive mode this should not matter. Maybe I will try another test when I have some time where the ROM is compiled permissive and the files have the correct context.
I don't think it is this issue though, as the keymaster firmware is found and qseecomd is attempting to load it.
Rangell11 said:
PS:
I think our G2 not support TARGET_KEYMASTER_WAIT_FOR_QSEE flag.
http://review.cyanogenmod.org/#/c/102410/
Click to expand...
Click to collapse
Thanks. I did some testing and tried both, no luck with either.
Looks like there are at least a couple updates to scm that I could try:
https://github.com/dorimanx/DORIMANX_LG_STOCK_LP_KERNEL/commits/master/arch/arm/mach-msm/scm.c
https://github.com/dorimanx/DORIMANX_LG_STOCK_LP_KERNEL/commits/master/drivers/misc/qseecom.c
Will try updating kernel when I have some free time.
edit: Pulled in a bunch of kernel changes and compiled the boot image to be permissive:
https://github.com/blastagator/LGG2_Kernel/commits/cm-13.0
Still the same error codes.
Code:
[ 0.480347 / 01-01 00:00:00.473] QSEECOM: qseecom_probe: support_bus_scaling=0x1
[ 0.480356 / 01-01 00:00:00.473] QSEECOM: qseecom_probe: disk-encrypt-pipe-pair=0x2
[ 0.480365 / 01-01 00:00:00.473] QSEECOM: qseecom_probe: file-encrypt-pipe-pair=0x0
[ 0.480374 / 01-01 00:00:00.473] QSEECOM: qseecom_probe: qsee-ce-hw-instance=0x0
[ 0.480382 / 01-01 00:00:00.473] QSEECOM: qseecom_probe: qseecom.appsbl_qseecom_support = 0x0
[ 0.480421 / 01-01 00:00:00.473] QSEECOM: qseecom_probe: secure app region addr=0x7b00000 size=0x500000
[ 3.174366 / 01-13 05:47:06.160] init: Starting service 'qseecomd'...
[ 3.207945 / 01-13 05:47:06.193] init: Starting service 'keystore'...
[ 3.221661 / 01-13 05:47:06.206] warning: `qseecomd' uses 32-bit capabilities (legacy support in use)
[ 3.476387 / 01-01 05:47:06.146] QSEECOM: qseecom_load_app: App (keymaster) does'nt exist, loading apps for first time
[ 3.476494 / 01-01 05:47:06.146] QSEECOM: qseecom_load_app: scm_call failed resp.result unknown, -12
[ 3.476511 / 01-01 05:47:06.146] QSEECOM: qseecom_ioctl: failed load_app request: -14
[ 3.477964 / 01-01 05:47:06.146] init: Service 'keystore' (pid 275) exited with status 1
[ 3.477985 / 01-01 05:47:06.146] init: Service 'keystore' (pid 275) killing any children in process group
The last 5 lines just repeat indefinitely.
.
blastagator said:
After clean boot I used "setenforce 0" to see if it would load after that. (keystore service keeps repeatedly attempting to load in the background and can be seen with 'dmesg'.) Disabling enforcing should have solved any selinux problem, but the same error persisted.
Click to expand...
Click to collapse
Do you know why they did not use this change for our G2?
http://review.cyanogenmod.org/#/c/89419/
http://review.cyanogenmod.org/#/c/89418/
Rangell11 said:
Do you know why they did not use this change for our G2?
http://review.cyanogenmod.org/#/c/89419/
http://review.cyanogenmod.org/#/c/89418/
Click to expand...
Click to collapse
qcrypto is currently disabled, so there wouldn't be a need to apply similar patches to the current kernel, unless HW encryption were figured out.
I added those two commits, but I doubt this is the issue.
@blastagator
I've pushed my keymaster to Github: https://github.com/GalaticStryder/hardware_qcom_keymaster
This is the one we use on bacon and onyx on AOSPA builds.
Backporting 3.10 qseecom isn't needed and probably will break the APIs the blobs were compiled for. I'm gonna test this on nougat as well right now.
I'd actually ask for your help on AOSPA, I've got a semi-working RIL and some other great stuff to play with but I can't get the built-in kernel to boot after flashing, only boots when flashing my kernel externally.
The image is bumped, the mkbootimg was revisited twice but there's no go. I don't want to ship a prebuilt image to workaround this. I've tried CM14 kernel with my GCC 4.9 patches for androidkernel- toolchain and Lambda as well.
GalaticStryder said:
@blastagator
I've pushed my keymaster to Github: https://github.com/GalaticStryder/hardware_qcom_keymaster
This is the one we use on bacon and onyx on AOSPA builds.
Backporting 3.10 qseecom isn't needed and probably will break the APIs the blobs were compiled for. I'm gonna test this on nougat as well right now.
I'd actually ask for your help on AOSPA, I've got a semi-working RIL and some other great stuff to play with but I can't get the built-in kernel to boot after flashing, only boots when flashing my kernel externally.
The image is bumped, the mkbootimg was revisited twice but there's no go. I don't want to ship a prebuilt image to workaround this. I've tried CM14 kernel with my GCC 4.9 patches for androidkernel- toolchain and Lambda as well.
Click to expand...
Click to collapse
Without going too far OT, do you have a thread for the AOSPA you're working on? Curious what manifest you're using.
re: keymaster - I pulled the blobs from Bacon and it looks like the cm-13 nightlies use the latest hardware_qcom_keymaster. I don't think there have really been any big changes to the API. I could be wrong though!
blastagator said:
Without going too far OT, do you have a thread for the AOSPA you're working on? Curious what manifest you're using.
re: keymaster - I pulled the blobs from Bacon and it looks like the cm-13 nightlies use the latest hardware_qcom_keymaster. I don't think there have really been any big changes to the API. I could be wrong though!
Click to expand...
Click to collapse
I'm making progress using everything from CAF and patching the needed parts on demand.
The stuff AOSPA already has in their Github I'm sending to Gerrit: https://gerrit.aospa.co/#/q/status:open
The parts I needed to dive deeper I've forked or created the repos manually: https://github.com/GalaticStryder
My next step is to "decommonize" the power package to be able to hint impulse instead of ondemand and to update MSM8974 code that is two years old.
The only problem I'm facing is that the otapackage seems to flash the boot.img in a bad manner, causing boot certification problem. If I manually flash the boot.img after the otapackage it works like a charm, the problem is somewhere in the boot flashing script part of the ota_from_target_files python script, might be pushing the boot.img using imgdiff and causing the bootloader to refuse due to mismatching certification inside the boot sector. This is my hypothesis but it might be what is happening.
GalaticStryder said:
I'm making progress using everything from CAF and patching the needed parts on demand.
The stuff AOSPA already has in their Github I'm sending to Gerrit: https://gerrit.aospa.co/#/q/status:open
The parts I needed to dive deeper I've forked or created the repos manually: https://github.com/GalaticStryder
My next step is to "decommonize" the power package to be able to hint impulse instead of ondemand and to update MSM8974 code that is two years old.
The only problem I'm facing is that the otapackage seems to flash the boot.img in a bad manner, causing boot certification problem. If I manually flash the boot.img after the otapackage it works like a charm, the problem is somewhere in the boot flashing script part of the ota_from_target_files python script, might be pushing the boot.img using imgdiff and causing the bootloader to refuse due to mismatching certification inside the boot sector. This is my hypothesis but it might be what is happening.
Click to expand...
Click to collapse
Well beyond the scope of my dive into android fun. Wish I could help! What is your ultimate goal? Paranoid Android?
It is also very exciting to see the push of Android stuff into the mainline kernel. Hope for the future!
Realized additional blobs for qseecom:
https://github.com/blastagator/them...mmit/09bc989cdb0db9bc47f7501dbf36be2a155ca168
Also, updated boardconfig since the bacon qseecomd supports TARGET_KEYMASTER_WAIT_FOR_QSEE
https://github.com/blastagator/cm_d...mmit/6ca7cd8835afa57ebec9b47fc56514d87ee95e34
Building now. Not sure if I can test tonight, but fingers crossed, maybe it will work!
No luck. Still the same errors:
Code:
12-31 23:22:39.385 2697 2697 I keystore: Found keymaster0 module Keymaster QCOM HAL, version 3
12-31 23:22:39.385 2697 2697 I SoftKeymaster: system/keymaster/soft_keymaster_device.cpp, Line 122: Creating device
12-31 23:22:39.385 2697 2697 D SoftKeymaster: system/keymaster/soft_keymaster_device.cpp, Line 123: Device address: 0xb6b64000
12-31 23:22:39.386 2697 2697 D QCOMKeyMaster: keymaster app is loaded
12-31 23:22:39.386 2697 2697 D QCOMKeyMaster: keymaster app got loaded at attempt number 0
12-31 23:22:39.386 2697 2697 D QSEECOMAPI: : QSEECom_get_handle sb_length = 0x2000
12-31 23:22:39.386 2697 2697 D QSEECOMAPI: : App is not loaded in QSEE
12-31 23:22:39.392 2697 2697 E QSEECOMAPI: : Error::Load image request failed ret = -1, errno = 14
12-31 23:22:39.392 2697 2697 E QSEECOMAPI: : Error::Loading image failed with ret = -1
12-31 23:22:39.393 2697 2697 D QSEECOMAPI: : QSEECom_get_handle sb_length = 0x2000
12-31 23:22:39.393 2697 2697 D QSEECOMAPI: : App is not loaded in QSEE
12-31 23:22:39.393 2697 2697 E QSEECOMAPI: : Error::Cannot open the file /firmware/image/keymaste.mdt
12-31 23:22:39.393 2697 2697 E QSEECOMAPI: : Error::Loading image failed with ret = -1
12-31 23:22:39.393 2697 2697 E QCOMKeyMaster: Loading keymaster app failed
12-31 23:22:39.393 2697 2697 E keystore: Error opening keystore keymaster0 device.
12-31 23:22:39.393 2697 2697 E keystore: keystore keymaster could not be initialized; exiting
Guessing there is some sort of signature check that is matching the expected device to the keymaster firmware file. Unfortunately qseecomapi and keymaster are closed source, so it is kind of a guessing game...
Code:
/**
* @brief Open a handle to the QSEECom device.
*
* - Load a secure application. The application will be verified that it is
* secure by digital signature verification.
* Allocate memory for sending requests to the QSAPP
*
* Note/Comments:
* There is a one-to-one relation for a HLOS client and a QSAPP;
* meaning that only one app can communicate to a QSAPP at a time.
*
* Please note that there is difference between an application and a listener
* service. A QSAPP must be loaded at the request of the HLOS,
* and all requests are orginated by the HLOS client.
* A listener service on the otherhand is started during start-up by a
* daemon, qseecomd.
*
* A HLOS application may create mutiple handles to the QSAPP
*
* @param[in/out] handle The device handle
* @param[in] fname The directory and filename to load.
* @param[in] sb_size Size of the shared buffer memory for sending requests.
* @return Zero on success, negative on failure. errno will be set on
* error.
*/
int QSEECom_start_app(struct QSEECom_handle **clnt_handle, const char *path,
const char *fname, uint32_t sb_size);
Perhaps something in one of the .prop files could be changed to trick the app into passing a device check, but again, this is all very speculative.
blastagator said:
Anyone ever attempted to kang Keymaster Firmware from a different device? I have tried the firmware from bacon, hammerhead, and g3. I have tried with and without the TARGET_KEYMASTER_WAIT_FOR_QSEE flag.
The result is always the same in dmesg:
Code:
[0][4371: keystore]QSEECOM: qseecom_load_app: App (keymaster) does'nt exist, loading apps for first time
[0][4371: keystore]QSEECOM: qseecom_load_app: scm_call failed resp.result unknown, -12
[0][4371: keystore]QSEECOM: qseecom_ioctl: failed load_app request: -14
Click to expand...
Click to collapse
Hello @blastagator,
were you able to fix that Keymaster Issue , if so mind telling us how ?
Because , iam facing similar issues in YU4711 (jalebi)
sooorajjj said:
Hello @blastagator,
were you able to fix that Keymaster Issue , if so mind telling us how ?
Because , iam facing similar issues in YU4711 (jalebi)
Click to expand...
Click to collapse
No. Tried several things with no luck.
What is a keymaster firmware?
And what is it good for?
wq0913562 said:
What is a keymaster firmware?
And what is it good for?
Click to expand...
Click to collapse
Maybe this config is need for porting firmware from different devices.
wq0913562 said:
What is a keymaster firmware?
And what is it good for?
Click to expand...
Click to collapse
cryerenable said:
Maybe this config is need for porting firmware from different devices.
Click to expand...
Click to collapse
No, it is used to enable hardware backed keystore (i.e. hardware accelerated encryption)
blastagator said:
No, it is used to enable hardware backed keystore (i.e. hardware accelerated encryption)
Click to expand...
Click to collapse
hello
i'm facing a similar problem on my lineage 13 port for the lg stylo 2 plus the qseecomapi is keeping looking for the keymaste.mdt file
E QSEECOMAPI: Error::Cannot open the file /firmware/image/keymaste.mdt errno = 2
E QSEECOMAPI: Error::Loading image failed with ret = -1
Click to expand...
Click to collapse
and our device does not have one do you know how to bybass this, ty.
messi2050 said:
hello
i'm facing a similar problem on my lineage 13 port for the lg stylo 2 plus the qseecomapi is keeping looking for the keymaste.mdt file
and our device does not have one do you know how to bybass this, ty.
Click to expand...
Click to collapse
I got frustrated with it. Only other idea I had was to port all common blobs from similar device and see if that works.
blastagator said:
I got frustrated with it. Only other idea I had was to port all common blobs from similar device and see if that works.
Click to expand...
Click to collapse
Are you still active?
Just found this. Not sure if it can help.
http://bits-please.blogspot.de/2016/06/extracting-qualcomms-keymaster-keys.html
https://android.googlesource.com/platform/hardware/qcom/keymaster/+/master
Maybe I'll give it a try to port keymaster now that we have updated 3.4.113 kernel...

Getting UART working

Hello,
I'm trying to get UART output of gt-s6500d, but it's not working.
I've connected 620kΩ resistor between GND and ID pin, I got messages "AST_POWERON" and "BOOTING COMPLETED", however I cannot send anything on my own.
I'v tried
Code:
su;
echo "test" > /dev/ttyMSM0
(as well as tty0, ttyHS0, ttyGS0, ttyGS1) but nothing worked so far.
UART settings: 115200baud, no parity, no flow control, 1 stop bit, 8 data bits.
I've RS-232 connector powered with 3.3V, phone sends 1.8V signal but considering PC can read those two messages I assume this part is okay, I haven't connected phone VCC line, only ground, ID and TX.
Stock software and kernel, Android 2.3.6(S6500DXXMD1), kernel 2.6.38.6, phone is rooted and contains CWM recovery
Update 2018-09-28:
As it turns out 620kΩ resistor is ideal to get bootloader data, not sure if it even work with kernel, but I needed to add line
Code:
/dev/ttyHSL0 0660 system system
to ueventd.rc in initram to get one additional line on boot: "AST_UPLOAD" but the phone now is in a boot loop, maybe the boot.img is broken so bootloader send this information that uploading new boot.img is needed and restarts itself?
Bootloader outputs info with following resistors:
* 619kΩ (automatic boot)
* 150kΩ (manual boot)
* ~520kΩ probably works too
As it turn out I am unable to set cmdline to console=ttyMSM0 to allow any output from kernel, something (I think that may be bootloader) append this to cmdline:
Code:
console=null androidboot.hardware=qcom hw=3 androidboot.emmc=true androidboot.serialno=25db5e2a androidboot.baseband=msm
hardcoding cmdline into kernel seems only option for now
I'll update the post if I find out more

[Q] How to debug soft brick (SONY logo)

I'm building my own LineageOS from source for a while now. Updating it via `repo sync`, adding own patches and rebuilding has always worked fine. Until recently the phone gets soft bricked, stuck at the SONY logo on white screen and I can't figure out why.
Now I'm looking for a way to find the issue, i.e. debug that brick, get some logs or anything which allows me to fix that. `adb logcat` doesn't work as it is stuck way to early for that.
What are my options for getting logs, messages, errors, anything that may help?
With help from @linckandrea I got the following to work which I document here for others to benefit:
1. Create a file `init.log.sh` with following content and executable permission
Bash:
#! /vendor/bin/sh
_date=`date +%F_%H-%M-%S`
logcat -b all -v time -f /cache/logcat_${_date}.txt &
cat /proc/kmsg > /cache/kmsg_${_date}.txt
2. Copy it to /vendor/bin e.g. via
Bash:
PRODUCT_COPY_FILES += $(PLATFORM_PATH)/config/init/init.log.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.log.sh
in the makefiles
3. Add the following to (any) init.rc, e.g. init.yoshino.rc:
Code:
service logx /vendor/bin/init.log.sh
user root
group root system
seclabel u:r:su:s0
oneshot
on post-fs
start logx
4. Either find a context with access to /cache (maybe "system_app") and use that in "seclabel" instead of "su" or disable SELinux with
Bash:
BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
This will dump kernel logs to /cache which can be accessed with e.g. TWRP after a failed boot.

Custom *.rc (init.rc) scripts with Magisk. (Or running a script at network change.)

Hello, everyone.
In order to avoid an XY problem, I would like to introduce the actual problem first.
I need to run a script each time network changes. Android automatically changes quite a few settings when network changes, and because I need to have some of them set to specific values, I need to tweak them each time something happens.
How would I like to proceed:
There is a sysprop setting that changes each time network changes: sys.radio.cellular.netId.
Naturally, I would like to hook my script to that property change.
Android init system seems to provide such an option: init.rc syntax allows to subscribe to a property change using the
Code:
on property:propname=*
syntax.
Seems easy:
Add a custom_network.rc
Bash:
on property:sys.radio.cellular.netId=*
start custom_network
service custom_network /bin/custom_network.sh
user root
seclabel u:r:magisk:s0
oneshot
Add a file /bin/custom_network.sh:
Bash:
#/system/bin/sh
echo "TODO"
The above is essentially following this guide: https://android.stackexchange.com/q...run-an-executable-on-boot-and-keep-it-running
So, I created a magisk module, added the files above to the $MODDIR/system/etc/init, and $MODDIR/system/bin directories.
Then I added the following lines to the customize.sh:
Bash:
set_perm $MODPATH/system/bin/custom_network.sh 0 0 0755
set_perm $MODPATH/bin/custom_network.sh 0 0 0755
chown 0.0 $MODPATH/system/etc/init/custom_network.rc
chmod 0644 $MODPATH/system/etc/init/custom_network.rc
chcon u:object_r:system_file:s0 $MODPATH/system/etc/init/custom_network.rc
However, this does not work. The service custom_network does not appear in the getprop | grep svc list, and cannot be started with setprop ctl.start "custom_network".
Is it true that in order for _any_ custom rc files, the system boot image must be patched?
If yes, is there a manual how to do so?
If no, then what am I doing wrong here?
Furthermore, if patching the boot image cannot be avoided, is there a manual on how to do this with minimal pain?
On the other hand, is there a way to avoid adding a custom init service entirely, and add a network listener by some other means?
Did you figure it out?
I don't believe init services get a stdout.
You need to write to either /dev/kmsg or logcat.
You can test your service with start custom_network.
You could also listen for uevents:
Code:
s=socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
Although I'm not sure what you're looking for is there.
I was mostly looking for feedback by someone also wanting to patch the init.rc: I'm still trying to understand the cascade of events causing adbd to be started twice in boot, to find and modify the rc script responsible for the first time it's started and use instead a patched adbd
csdvrx said:
I was mostly looking for feedback by someone also wanting to patch the init.rc: I'm still trying to understand the cascade of events causing adbd to be started twice in boot, to find and modify the rc script responsible for the first time it's started and use instead a patched adbd
Click to expand...
Click to collapse
have you figured it out ? i have the same issue , i am trying to create a file at /system/etc/init folder

Categories

Resources