I want to implement a hardware driver for my i2c accelerometer on my beagleboard-xm, I'd like it to load it at boot. There are a good amount of resources on the web to help me compile my module but I'm having a hard time finding any information on loading my module at boot.
It seems that there are two initialization scripts:
init.rc in the root directory
init.goldfish.rc in system/etc
This page describes the process of writing an init.rc script in order to perform a custom initialization: http://source.android.com/porting/bring_up.html
from previous research I am pretty sure the init.goldfish.rc in system/etc is for custom board loading.. where one would replace goldfish with the name of the hardware in /proc/cpuinfo
I've looked in these two scripts to see how other modules were loaded at boot but the only thing that is loaded is the console. I feel like I'm missing something here. Are uevents used in order to detect and load the modules? if so What are the triggers for those uevents?
Any help would be greatly appreciated.
Dave
I think you could refer to the changes done by 0xdroid:
http://gitorious.org/0xdroid/vendor_0xlab/trees/master/beagleboard
Please check the files: init.rc, init.omap3.rc, init.omap3.sh, and then you should know how to customize the initialization process. However, you might need to add device node in source code "system/core/init/devices.c", otherwise it won't be applied automatically.
Related
Assume we have a process that may dlopen() some third-party library. This library may perform open("write_only_logfile", O_WRONLY) on some file to which user has only write access. We need to have an ability to be notified if this library attempts to open a file, so later we may dup() returned descriptor and redirect output.
There are few restrictions that make interception harder:
LD_PRELOAD is forbidden - no way to hook open()
inotify(7) doesn't help because user has no read permissions on "write_only_logfile" and it is owned by admin
we have no access to library sources and therefore cannot modify it
"write_only_logfile" is hardcoded inside the library, so we cannot pass another name to perform redirecting
I'm wondering if Linux has an efficient way to help in such situation.
Especially taking in account the fact that process may open() miscellaneous files pretty often.
P.S. To avoid confusion and understand better - it is a regular Android application with loaded JVM. If app hangs (so called ANR) - system sends SIGQUIT to it. Signal is received via dedicated thread that open()s /data/anr/traces.txt and writes JVM state to it. These data extremely useful for debugging. But app cannot read that file directly because of security reasons (All applications write to it, so there may be somewhat sensitive). Anyway I believe that it is absolutely fair to intercept content that my process would write to it.
P.S.S. In the worst case it is possible to find JVM library image (libart.so) and manually patch jump slot for open(). But it doesn't sound well.
Sounds like you are in troublesome situation. Most solutions briefly mentioned below are guaranteed to interfere with SELinux, so don't take my word for any of that.
Debugging your own process with strace to intercept open is one of usual solutions on normal Linux. I am not sure if it would work in Android; it certainly might become off-limit for non-debuggable apps starting in some new versions (if it is has not been banned yet).
seccomp-bpf is another possibility. Might not be available on older Android versions, but since Android O seccomp is going to be a guaranteed part of Android security getup. Intercept open in warn-only mode and give control back to yourself when something interesting happen (via debugging or signals).
If /data/anr/traces.txt is opened on-demand, you should be able to observe that by watching contents of /proc/self/fd/ with inotify or via polling. You might be able to reduce impact of races by setting io niceness of the opening thread…
All of above are only partial solutions, you still might need to decode actual open syscall that happened (strace source code might be helpful there for strace/seccomp solutions, readlink for /proc/self/fd/) and act upon it (dup2, as you already mentioned).
"write_only_logfile" is hardcoded inside the library
Is it possible to modify the memory of data segment of the library/executable? Afaik mprotect and PROTECT_EXEC in particular have been heavily restricted, but at least mmap is certainly permitted (to support JIT compilers etc). It might be possible to cook something up to edit the string constant in place (as long as doing so is possible and allowed, I am not sure myself about that).
If this is just about redirecting writes (and reads) to a single file, you could run the application in a mount namespace with a suitable bind mount for that particular file. Setting things up in this way probably requires a small SUID binary.
A more general solution quickly approaches a union file system, and getting it right is quite hard. Even the in-kernel union file system, overlayfs, does not manage to provide full POSIX semantics.
You need LD_PRELOAD to hook an application. To hook a third-party library, just load your hook normally before the library (or have it in your executable).
Assuming the library calls open from libc and not the corresponding syscall directly, and that it is linked in a normal way, you just have a function named open somewhere in your code. Make it call open from libc (RTLD_NEXT or whatever). The third-party library (and all other libraries of course) will resolve its open symbol to your function.
I'd like to get some numerical data from an app, but they are not stored as files like db. I know there are some memory hack apps for changing in game values although I do not know how they work.
I am looking for similar features but I don't need to change anything.
The app I am trying to write just reads some data from a specific app and do some background calculation based on that. If this is not possible, I would need to get information by reading the screen(for example get pixel color), but this seems to be very cumbersome task for getting many data.
Is there a way of achieving this?
Thanks.
EDIT: I'd assume I would need a root permission for this?
Yes, you would need root permission. Additionally your users must have fully rooted device with e.g. SuperSU or other modern Su app, that can lift most SELinux restrictions. There may also be conflicts with KNOX and other similar systems, but I am not really knowledgeable about those.
You would need to attach your process as debugger to the target application and locate the necessary data by scanning it's memory. This can be done in multiple ways, the best reference implementation to look at can be found in scanmem.
The code, performing the actual deed, which requires root rights, — reading/writing target process memory — would reside in a native executable, being run via su. You'd have to write some code to communicate with that executable (probably via it's stdin/stdout or something like that).
You will also have to write additional code to parse the memory layout of target application yourself.
Alternatively, you may prefer to inject a small module in memory of target application and/or have the app itself load a Dex file of you making (especially handy, if your target data is stored in Java memory). This approach have a benefit of minimizing interaction with memory layout of virtual machine, but you still have to initiate loading of initial Dex file. Once Dex file is loaded, you can do the rest in Java code, using good-old reflection API. If you go with this route, a (decently supported!) code for injecting executable snippets in memory of Linux process can be found in compel library, being developed as part of CRIU project[1].
Two Android processes cannot share memory and communicate with each other directly. So to communicate, objects have to be decomposed into primitives (marshalling) and transfered across process boundaries.
To do this marshalling, one has to write a lot of complicated code, hence Android handles it for us with AIDL (Android Interface Definition Language).
From the OP, as no more details can be found, I would recommend you reading/searching with the keyword "AIDL" and you will be redirected to the concrete solutions.
I am currently working with multiple android builds on different hardware. I am having an issue where they all have the same serial number, 0123456789ABCDEF. This makes it impossible to use adb when I connected to two or more devices at once, because the adb doesn't know which one to talk to.
I know that the name is being pulled from /sys/class/android_usb/android0/iSerial and if I wanted to I could change it there once the build is complete. Ideally though, I want that file to be set during the build depending on the build settings. I want to know where that file is being generated during the build. I believe it's being set either somewhere in barebox or in /system/core/adb, but have had no luck on the things I've tried editing.
If anyone has ran into this, any help would be greatly appreciated.
Edit:
Found the solution.
This can be found in /device/company_name/device_name/init.device_name.usb.rc
on boot
write /sys/class/android_usb/android0/iManufacturer ${ro.product.manufacturer}
write /sys/class/android_usb/android0/iProduct ${ro.product.model}
write /sys/class/android_usb/android0/iSerial ${ro.serialno}
echo "ro.serialno is ${ro.serialno}"
write /sys/class/android_usb/android0/idVendor 0451
write /sys/class/android_usb/android0/idProduct D101
..."
Change the ro.serialno to whatever you'd like.
I want to modify some system calls for tracing purposes. To be specific, whenever a system call open is made, I want to print some messages.
I have been looking into the internet and the code and I found open.c in kernel/goldfish/fs/ directory. And there are many functions in this file. How would I know which function is being called exactly. I could have written some printk call in all these functions to find it but I have to do it for other system calls also.
So, I have a few questions,
1) What is the best way to find implementation details of system calls?
2) I am using Kernel 2.6.29 (goldfish-Android). Are system calls implementation different in different kernel versions?
3) strace tells me that msgget ,msgrecv and 'SYS_24' system calls are being made. I look into Android/bionic/libc/SYSCALLS.txt file and msgget is not there.
But when I look into android/bionic/libc/kernel/arch-arm/asm/unistd.h file, I can find msgget there. I can't understand what's going on and then how can I find implementation for msgget ?
Thanks.
This link mentions almost all the system calls, their arguments and locations in respective files. It helped me finding system call details.
and answer for strace is given in above comments by Chris, thanks to him again.
I'm new to Android programming and need to create a file manager with this feature: it should scan LAN for servers and browse shared folders (like EStrongs File Explorer does it), but yet hadn't found a clue how to do that. Thanks in advance.
Your app will need to talk SMB protocol to do this. Loof at JCIFS library.
There is already an app that does this: Samba Explorer. It's open source so you might (depends on the source) reuse it.
That's a bit of a broad ask.
OK, here's a clue - start with what you know. There are LAN/s, servers and folders, (see, you already have a clue). Design classes to represent them. Start with the top-level class - LAN. Put some methods in to discover all the servers and list them. Don't do anything else until this works 100% with no crashes/leaks/failures. No - don't do it simply, do it properly. Network stuff is slow and blocky - use a threadpool now to scan your LAN/s.
TBH, though I haven't been on SO for all that long, it seems that the developers here like to be asked specific questions about a particular aspect of design/code/whatever that is not working, rather than be asked for a complete top-level design for a complex subsystem/app. They tend to react ineffectively to 'I haven't found a clue' or 'I haven't tried anything'.
Rgds,
Martin