
[BrickBug][Fix][Kernel][01.08]Detection of stock kernel safety + patch guide

1st August 2012, 01:12 AM | #1
Tungstwenty (OP)
After lots of discussion about the famous "SuperBrick" issue on GT-I9100 4.0.4 stock kernels, I wrote a script to allow everyone to check it on their own and hopefully patch it if needed.


Main goal - Detection

Detect if a STOCK kernel has MMC_CAP_ERASE enabled (unsafe) or not (safe).

I have validated it against XWLPG, XWLPM, XWLPO, XWLPT, XXLP5, XXLP5-CFRoot and all of them were detected correctly: safe on 4.0.3 kernels, unsafe on 4.0.4 ones.
I also checked it against Siyah 3.5.2 (despite knowing from the sources it's safe) and it was also correctly detected.
However, for custom kernels I don't expect the code patterns to be always the same and therefore it's possible that the detection is inconclusive - you will see that in the output.


Secondary goal - Fixing (instructions provided, not the tools)

When an unsafe kernel is detected, provide instructions on how to patch the code so it's safe.

For that, you'll need:
* an external kernel unpack/repack script (just search the forum as there are several available)
* a Linux box
* a hex editor
* any other requirements for the repack script: CROSS_COMPILE, etc.



Requirements for this script

This is pretty much self-contained and can be run on either:
* Linux
* Windows with Cygwin

Running on the device itself would be theoretically possible but it ultimately depends on the installed Busybox version, in particular the parameters accepted by the "grep" command.
On my v1.20.0-cm9 version it's not possible to make it work.



Sample outputs

Here are some executions against existing kernel images:

The latest XWLPT (4.0.4):
Code:
###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - forum.xda-developers.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: XWLPT/zImage
Kernel: Linux version 3.0.15-I9100XWLPT-CL941023 (dpi@DELL169) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Fri Jul 27 18:08:15 KST 2012

1 ocurrences of the bad code signature
0 ocurrences of the good code signature


***************
!!! WARNING !!!
***************

The kernel appears to have MMC_CAP_ERASE *enabled*, which is dangerous on many devices

Unpacked kernel code stored at: XWLPT/zImage_unpacked
The unsafe instruction can be found at offset 0x00594ec0

==================== Disassembly of the instruction ====================

XWLPT/zImage_instruction:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:   e3811b01        orr     r1, r1, #1024   ; 0x400
========================================================================

*** Instructions for patching ***

- Choose one of the existing unpack/repack scripts
- Unpack the kernel code, initramfs, etc.
- Do a binary edit of the unpacked code
- At offset 0x00594ec0, replace "01 ?b 8? e3" with "00 ?b 8? e3" - change just the first byte to 00
- Repack the kernel, including the changed code and all original contents
- Re-run this script to confirm that the newly generated file no longer has MMC_CAP_ERASE enabled

XWLPG (4.0.3):
Code:
###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - forum.xda-developers.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: XWLPG/zImage
Kernel: Linux version 3.0.15-I9100XWLPG-CL619441 (dpi@DELL150) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Thu May 24 18:09:27 KST 2012

0 ocurrences of the bad code signature
1 ocurrences of the good code signature


The kernel appears to be good (MMC_CAP_ERASE disabled)

XXLQ5-CFRoot (4.0.4):
Code:
###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - forum.xda-developers.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: XXLQ5_CFRoot/zImage
Kernel: Linux version 3.0.15-I9100XXLQ5-CL753921 (se.infra@SEP-85) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Thu Jun 28 14:16:15 KST 2012

1 ocurrences of the bad code signature
0 ocurrences of the good code signature


***************
!!! WARNING !!!
***************

The kernel appears to have MMC_CAP_ERASE *enabled*, which is dangerous on many devices

Unpacked kernel code stored at: XXLQ5_CFRoot/zImage_unpacked
The unsafe instruction can be found at offset 0x00594ef4

==================== Disassembly of the instruction ====================

XXLQ5_CFRoot/zImage_instruction:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:   e3811b01        orr     r1, r1, #1024   ; 0x400
========================================================================

*** Instructions for patching ***

- Choose one of the existing unpack/repack scripts
- Unpack the kernel code, initramfs, etc.
- Do a binary edit of the unpacked code
- At offset 0x00594ef4, replace "01 ?b 8? e3" with "00 ?b 8? e3" - change just the first byte to 00
- Repack the kernel, including the changed code and all original contents
- Re-run this script to confirm that the newly generated file no longer has MMC_CAP_ERASE enabled

Finally, here's the expected output for a kernel after the patch has been applied.
I didn't actually do the entire kernel repack, but I changed the code and compressed the file in a similar way to how it will appear in a "complete" zImage file.
Patched XWLPM:
Code:
###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - forum.xda-developers.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: XWLPM-patched/zImage
Kernel: Linux version 3.0.15-I9100XWLPM-CL837163 (dpi@DELL145) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Thu Jul 5 11:26:14 KST 2012

0 ocurrences of the bad code signature
1 ocurrences of the good code signature


The kernel has been patched by this method to disable MMC_CAP_ERASE and should now be entirely safe


Disclaimers

My main goal here is to provide information, not a one-click solution. I'm personally not worried about this issue since I run a kernel compiled from sources rather than a stock one.

Despite my best effort, I can't promise that:
- The detection will be flawless (although checks exist to make sure there's exactly 1 occurrence of either the "good code snippet" or the "bad code snippet" and an inconclusive result is reported if that's not the case)
- The patch will work or even be a runnable kernel (you might need to reflash another one from download mode). I have not performed the full unpack/repack process to test it out, although it's something already done elsewhere such as the CF-Root kernels and others.


That being said, enjoy
Attached file: check-kernel-MMC_CAP_ERASE.zip (1.9 KB)
Last edited by Tungstwenty; 2nd August 2012 at 02:19 AM.
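As an added example (not the OP's script and not the attached zip): a small Python scanner that implements the detection described in the post over an already-unpacked kernel image. It searches for the post's bad byte pattern "01 ?b 8? e3", decodes the matching ARM instruction so you can see the `#0x400` (MMC_CAP_ERASE) operand, and produces a patched copy by zeroing the first byte exactly as the patching instructions say. The post does not publish the "good" signature, so zero matches is reported as inconclusive rather than safe; the sample bytes are constructed.

```python
import re
import sys

# Bad signature from the post: little-endian bytes "01 ?b 8? e3", i.e. an ARM
# "orr Rd, Rn, #0x400" (0x400 == MMC_CAP_ERASE) with Rd and Rn as wildcards.
BAD_SIG = re.compile(
    rb"\x01[\x0b\x1b\x2b\x3b\x4b\x5b\x6b\x7b\x8b\x9b\xab\xbb\xcb\xdb\xeb\xfb][\x80-\x8f]\xe3"
)

# Constructed sample "unpacked kernel": 16 ARM nops, then the instruction shown
# in the post's disassembly (e3811b01) at offset 0x40, then "bx lr".
SAMPLE = b"\x00\xf0\x20\xe3" * 16 + bytes.fromhex("011b81e3") + b"\x1e\xff\x2f\xe1"

def decode_orr_imm(word):
    """Decode an always-executed ORR-immediate (e38xxxxx); returns (rd, rn, imm) or None."""
    if word & 0xFFF00000 != 0xE3800000: return None
    rn, rd = (word >> 16) & 0xF, (word >> 12) & 0xF
    rot, imm8 = ((word >> 8) & 0xF) * 2, word & 0xFF
    imm = ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF if rot else imm8
    return rd, rn, imm

def find_bad_signature(code):
    """Return [(offset, rd, rn, imm)] for every match of the bad signature."""
    hits = []
    for m in BAD_SIG.finditer(code):
        rd, rn, imm = decode_orr_imm(int.from_bytes(m.group(0), "little"))
        hits.append((m.start(), rd, rn, imm))
    return hits

def classify(code):
    # Post's rule: exactly one bad match is unsafe; more than one is inconclusive.
    # The good signature is not published, so zero matches is not proof of safety.
    hits = find_bad_signature(code)
    if len(hits) == 1:
        return "unsafe", hits
    return ("no bad signature (good signature unknown here)" if not hits else "inconclusive"), hits

def patch(code, offset):
    """The post's fix: zero the first byte so the word becomes orr Rd, Rn, #0 (bit 10 never set)."""
    patched = bytearray(code)
    patched[offset] = 0x00
    return bytes(patched)

if __name__ == "__main__":
    code = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    verdict, hits = classify(code)
    print(verdict)
    for off, rd, rn, imm in hits:
        print(f"offset {off:#010x}: orr r{rd}, r{rn}, #{imm:#x}")
```

Run it with the path to an unpacked kernel image as the only argument, or with no argument to scan the built-in sample.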
1st August 2012, 01:13 AM | #2
Tungstwenty (OP)
(Reserved)
1st August 2012, 04:21 AM | #3
googy_anas
WOW, << That's one small step for man, one giant leap for "s2 community" >> !!!!!
1st August 2012, 04:28 AM | #4
jlevy73
Now this is what XDA is all about. Good stuff man, much appreciated!
1st August 2012, 05:26 AM | #5
xky1980
Sorry for my "stupid" question:
I've a Linux notebook and I've connected my device with the USB cable. Now how can I send commands to the device? With adb and the Android SDK?
Thanks
1st August 2012, 05:27 AM | #6
martintspedersen
Hahaha yes man, nice one... I hope that gives us some nice ''stock'' ROMs.

PS: I was number 500 that hit your thanks button LOL
Last edited by martintspedersen; 1st August 2012 at 05:29 AM.
1st August 2012, 07:16 AM | #7
Tungstwenty (OP)
Quote:
Originally Posted by xky1980

Sorry for my "stupid" question:
I've a Linux notebook and I've connected my device with the USB cable. Now how can I send commands to the device? With adb and the Android SDK?
Thanks

If you read the requirements section, you'll see it's not likely that it runs successfully on the device itself, due to BusyBox limitations.
Just place the zImage file somewhere on your notebook, along with the script, and run it from a terminal.
1st August 2012, 08:18 AM | #8
xky1980
Quote:
Originally Posted by Tungstwenty

If you read the requirements section, you'll see it's not likely that it runs successfully on the device itself, due to BusyBox limitations.
Just place the zImage file somewhere on your notebook, along with the script, and run it from a terminal.


Oooohh! So the kernel must be read from the same path as the script, not from the device! OK, thanks.

---------- Post added at 09:18 AM ---------- Previous post was at 09:02 AM ----------

I've executed the script with Siyah 3.5.2.
The result is: The kernel appears to be good (MMC_CAP_ERASE disabled)
So does that mean it's possible to safely make wipes and nandroid restores from recovery on my XWLPT?
Thanks
1st August 2012, 08:37 AM | #9
jgcaap
Genius!
1st August 2012, 08:49 AM | #10
gokhanmoral
great work
