PSA: The new OTA (build 12840) patches the bootloader exploit used to obtain root

OP tchebb

2nd August 2013, 01:20 AM   |  #41  
cammykool
so my goddamn chromecast updated while I was flashing the new exploit...
2nd August 2013, 01:52 AM   |  #42  
ddggttff3
Quote:
Originally Posted by cammykool

so my goddamn chromecast updated while I was flashing the new exploit...

Sucks Man :/

Every reflash, first thing I do is kill the update_engine service, delete /cache/temp-ota.zip, then edit /data/updater/prefs/preveous-version to say 12840. I think this is tricking it, because every time I do this, it does not create a new temp-ota.zip, which means it is no longer trying to update. We will see though.
2nd August 2013, 01:52 AM   |  #43  
tvall
well... it's too late to save cammy's chromecast, but I made a new image without update_engine. I'm working on the recovery, but it's not an android boot image. I'll do my best on it, but not sure what it is exactly.

no idea if update_engine is vital to anything except updating. and I'm not entirely sure it's vital to updating.

give me an hour or so and I'll post a couple of different images that kill updating in a few different ways.
2nd August 2013, 02:01 AM   |  #44  
ddggttff3
Quote:
Originally Posted by tvall

well... it's too late to save cammy's chromecast, but I made a new image without update_engine. I'm working on the recovery, but it's not an android boot image. I'll do my best on it, but not sure what it is exactly.

no idea if update_engine is vital to anything except updating. and I'm not entirely sure it's vital to updating.

give me an hour or so and I'll post a couple of different images that kill updating in a few different ways.

when killed in logcat, it shows this:

Code:
I/logwrapper( 1473): /chrome/update_engine terminated by signal 15
I/update_engine( 1491): [0801/190057:INFO:main.cc(77)] Eureka Update Engine starting
I/update_engine( 1491): [0801/190057:INFO:update_check_scheduler.cc(64)] Next update check in 2700 seconds
I/update_engine( 1491): [0801/190057:INFO:string_based_ipc_server.cc(59)] Start IPC server: updater
I/update_engine( 1491): [0801/190057:INFO:unix_stream_server_socket.cc(59)] Unix server socket is created: updater
so it seems to only be for updating
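
Added example (not part of the original posts): a small parser for the brief-format logcat lines quoted in post #44. It shows that the SIGTERM is followed by a fresh update_engine instance (PID 1491) that schedules its next check in 2700 seconds, so a one-off kill does not stop update checks. The function names are this example's own.

```python
import re

# Sample input: the logcat lines quoted in post #44 above.
SAMPLE = """\
I/logwrapper( 1473): /chrome/update_engine terminated by signal 15
I/update_engine( 1491): [0801/190057:INFO:main.cc(77)] Eureka Update Engine starting
I/update_engine( 1491): [0801/190057:INFO:update_check_scheduler.cc(64)] Next update check in 2700 seconds
I/update_engine( 1491): [0801/190057:INFO:string_based_ipc_server.cc(59)] Start IPC server: updater
I/update_engine( 1491): [0801/190057:INFO:unix_stream_server_socket.cc(59)] Unix server socket is created: updater
"""

# logcat "brief" format: <priority>/<tag>(<pid>): <message>
LINE = re.compile(r"^([VDIWEF])/([^(]+)\(\s*(\d+)\): (.*)$")
TERMINATED = re.compile(r"^(\S+) terminated by signal (\d+)$")
NEXT_CHECK = re.compile(r"Next update check in (\d+) seconds")


def parse(text):
    """Yield (priority, tag, pid, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2).strip(), int(m.group(3)), m.group(4)


def summarize(text, service="update_engine"):
    """Report the kill signal, the PID of the respawned service, and its next check."""
    out = {"killed_by_signal": None, "respawned_pid": None, "next_check_s": None}
    for _prio, tag, pid, msg in parse(text):
        term = TERMINATED.match(msg)
        if tag == "logwrapper" and term and term.group(1).endswith("/" + service):
            # A kill resets the state: anything logged earlier belonged to the old process.
            out = {"killed_by_signal": int(term.group(2)),
                   "respawned_pid": None, "next_check_s": None}
        elif tag != service:
            continue
        elif msg.endswith("Update Engine starting") and out["killed_by_signal"] is not None:
            out["respawned_pid"] = pid  # a new instance started after the kill
        elif NEXT_CHECK.search(msg):
            out["next_check_s"] = int(NEXT_CHECK.search(msg).group(1))
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE))
```
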
2nd August 2013, 02:31 AM   |  #45  
tvall
looking at the recovery, it appears to create a wifi network with the name eureka_recovery, and starts dnsmasq. there is also adb, but apparently it doesn't have a usb interface for it.

there is a flash_bootloader binary. I'm assuming it flashes the bootloader. so I guess if I remove it, it can't flash the bootloader.

edit: so this recovery seems to have a menu, just like any android recovery. if only we had input and stuff..

edit 2: my chromebook's battery is low, and its update_engine_client is informing me there is an update. I'm going to let it charge and relax for a bit. maybe I'll have more ideas when I get back on.

edit 3: check the permissions on the kernel partition. it may be something a simple chmod could fix

edit 4: the recovery will attempt to install a file called ota.zip from a usb drive if there is no ota on /cache. someone should try it

edit 5: going to go cuddle with the fiancee and let the chromebook update and charge. may be back on later. good luck everyone. I'll post something by midnight
Last edited by tvall; 2nd August 2013 at 02:57 AM.
2nd August 2013, 02:48 AM   |  #46  
ddggttff3
Quote:
Originally Posted by tvall

looking at the recovery, it appears to create a wifi network with the name eureka_recovery, and starts dnsmasq. there is also adb, but apparently it doesn't have a usb interface for it.

there is a flash_bootloader binary. I'm assuming it flashes the bootloader. so I guess if I remove it, it can't flash the bootloader.

edit: so this recovery seems to have a menu, just like any android recovery. if only we had input and stuff..

edit 2: my chromebook's battery is low, and its update_engine_client is informing me there is an update. I'm going to let it charge and relax for a bit. maybe I'll have more ideas when I get back on.

For an idea, don't delete flash_bootloader as that would cause the update zip to fail. Maybe try setting ro.factorytest=0 to ro.factorytest=1 in the build.prop in recovery? for all we know, that may disable signature verification!

EDIT: Nevermind, ignore my stupidity. Let me know what you come up with!

EDIT2: Permissions seem fine
Quote:

brw------- root root 31, 0 2009-02-13 17:31 mtdblock0
brw------- root root 31, 1 2009-02-13 17:31 mtdblock1
brw------- root root 31, 10 2009-02-13 17:31 mtdblock10
brw------- root root 31, 11 2009-02-13 17:31 mtdblock11
brw------- root root 31, 2 2009-02-13 17:31 mtdblock2
brw------- root root 31, 3 2009-02-13 17:31 mtdblock3
brw------- root root 31, 4 2009-02-13 17:31 mtdblock4
brw------- root root 31, 5 2009-02-13 17:31 mtdblock5
brw------- root root 31, 6 2009-02-13 17:31 mtdblock6
brw------- root root 31, 7 2009-02-13 17:31 mtdblock7
brw------- root root 31, 8 2009-02-13 17:31 mtdblock8

Last edited by ddggttff3; 2nd August 2013 at 02:54 AM.
2nd August 2013, 02:59 AM   |  #47  
itmustbejj
Quote:
Originally Posted by ddggttff3

Sucks Man :/

Every reflash, first thing I do is kill the update_engine service, delete /cache/temp-ota.zip, then edit /data/updater/prefs/preveous-version to say 12840. I think this is tricking it, because every time I do this, it does not create a new temp-ota.zip, which means it is no longer trying to update. We will see though.

In the interim, is this still an effective way to keep it from updating? I unplugged mine this morning before I went to work and I'm heading home. Just trying to figure out a way to still be able to use it without it updating.
2nd August 2013, 03:00 AM   |  #48  
ddggttff3
Quote:
Originally Posted by itmustbejj

In the interim, is this still an effective way to keep it from updating? I unplugged mine this morning before I went to work and I'm heading home. Just trying to figure out a way to still be able to use it without it updating.

Just checked again, it still tries to download an OTA.zip file so best thing is to either not use it, or keep an eye on it :/
2nd August 2013, 03:45 AM   |  #49  
tvall
Quote:
Originally Posted by itmustbejj

In the interim, is this still an effective way to keep it from updating? I unplugged mine this morning before I went to work and I'm heading home. Just trying to figure out a way to still be able to use it without it updating.

Quote:
Originally Posted by ddggttff3

Just checked again, it still tries to download an OTA.zip file so best thing is to either not use it, or keep an eye on it :/

I'll go ahead and upload the image that's lacking update_engine

later I'll upload a build with a modified recovery image. fiancee is missing me. I've spent too much time on this for now.

---------- Post added at 08:45 PM ---------- Previous post was at 08:11 PM ----------

https://dl.dropboxusercontent.com/u/...omecast.bin.gz

this has update_engine replaced by a dummy script. this should kill ota updates, but it might not. again, provided as-is, no warranty, your problem if it breaks, yada yada.

I'll work on this crap more tomorrow.
2nd August 2013, 03:58 AM   |  #50  
ddggttff3
Quote:
Originally Posted by tvall

I'll go ahead and upload the image that's lacking update_engine

later I'll upload a build with a modified recovery image. fiancee is missing me. I've spent too much time on this for now.

---------- Post added at 08:45 PM ---------- Previous post was at 08:11 PM ----------

https://dl.dropboxusercontent.com/u/...omecast.bin.gz

this has update_engine replaced by a dummy script. this should kill ota updates, but it might not. again, provided as-is, no warranty, your problem if it breaks, yada yada.

I'll work on this crap more tomorrow.

Works great here! Now, all I see in the logcat is this

Code:
I/update_engine( 1146): no updates for you!
