
Re-signing the system

OP Renate NST

1st July 2012, 04:01 AM   |  #21  
Quote:
Originally Posted by Renate NST

Well, you seem to have a handle on all this.
I've never heard of pkcs7 or any of its friends.

You try it once, next time you know it all. Just in case, it's all here: http://www.openssl.org/docs/apps/openssl.html

Quote:
Originally Posted by Renate NST

Deleting packages.xml will result in the non-shared user ids to be assigned in order as the APKs are discovered by the PackageManager.

I.e. it won't work in the case I mentioned?
Or it does check /data/data to see if a user was assigned already and reassigns it?
I guess, I should try it on emulator...

Quote:
Originally Posted by Renate NST

User ids are only used for file permissions on /data/data as far as I know.

And /data/dalvik-cache too:
ls -l /data/dalvik-cache/*apk*

BTW: Some permissions are assigned in /system/etc/permissions/platform.xml, but for uid only.
dumpsys package shows some gids too,
I was wondering where are uid assigned to gids and can we use them too?

---------- Post added at 04:01 AM ---------- Previous post was at 03:48 AM ----------

Quote:
Originally Posted by ApokrifX

I.e. it won't work in the case I mentioned?
Or it does check /data/data to see if a user was assigned already and reassigns it?

Oops... Apparently, well known BugOrFeature: http://forum.xda-developers.com/showthread.php?t=522935
1st July 2012, 05:30 AM   |  #22  
From packages.xml
Code:
UserID	CertIndex
1000	13	com.google.android.providers.subscribedfeeds	/system/app/GoogleSubscribedFeedsProvider.apk	
1000	13	com.google.android.server.checkin	/system/app/GoogleCheckin.apk	
1000	4	android	/system/framework/framework-res.apk	
1000	4	com.android.providers.settings	/system/app/SettingsProvider.apk	
1000	4	com.android.providers.subscribedfeeds	/system/app/AccountAndSyncSettings.apk	
1000	4	com.android.settings	/system/app/Settings.apk	
1000	4	com.bn.app.crypto.server	/system/app/CryptoServer.apk	
1000	4	com.bn.authentication.svc	/system/app/BnAuthenticationService.apk	
1000	4	com.bn.demomode	/system/app/DemoMode.apk	
1000	4	com.bn.devicemanager	/system/app/DeviceManager.apk	
1000	4	com.bn.nook.quickstart	/system/app/QuickStartActivity.apk	
1000	4	com.bn.syschecksum	/system/app/SysChecksum.apk	
1000	4	com.bn.waveformdownloader.svc	/system/app/WaveformDownloader.apk
Apparently, (1000, 13) and (1000, 4) should be two different users, right?
But according to "dumpsys package" output, they are the same:

Code:
SharedUser [android.uid.system] (49e7f2a0):
    userId=1000 gids=[1015, 3003, 3002, 3001, 1007]
Code:
  Package [com.google.android.providers.subscribedfeeds] (49ee7390):
    userId=1000 gids=[]
    sharedUser=SharedUserSetting{49e7f2a0 android.uid.system/1000}
    pkg=Package{49f73f88 com.google.android.providers.subscribedfeeds}
    codePath=/system/app/GoogleSubscribedFeedsProvider.apk
    resourcePath=/system/app/GoogleSubscribedFeedsProvider.apk
    dataDir=/data/data/com.google.android.providers.subscribedfeeds
    targetSdk=7
    supportsScreens=[medium, large, small, resizeable, anyDensity]
    timeStamp=1292347460000
    signatures=PackageSignatures{49e403a0 [49eb4fd8]}
    permissionsFixed=false pkgFlags=0x1 installStatus=1 enabled=0
Code:
  Package [com.android.settings] (49ee50f8):
    userId=1000 gids=[]
    sharedUser=SharedUserSetting{49e7f2a0 android.uid.system/1000}
    pkg=Package{49eff728 com.android.settings}
    codePath=/system/app/Settings.apk
    resourcePath=/system/app/Settings.apk
    dataDir=/data/data/com.android.settings
    targetSdk=7
    supportsScreens=[medium, large, small, resizeable, anyDensity]
    timeStamp=1217592000000
    signatures=PackageSignatures{49ea84c8 [49ed6f38]}
    permissionsFixed=false pkgFlags=0x1 installStatus=1 enabled=0
Code:
# ls -l /data/data/com.google.android.providers.subscribedfeeds
drwxr-xr-x system   system            2012-01-22 17:34 lib
drwxrwx--x system   system            2012-07-01 00:03 databases
drwxrwx--x system   system            2012-01-22 20:00 files
drwxrwx--x system   system            2012-07-01 00:03 shared_prefs
Code:
# ls -l /data/data/com.android.settings
drwxr-xr-x system   system            2000-01-01 02:28 lib
drwxrwx--x system   system            2011-06-18 20:55 cache
drwxrwx--x system   system            2011-06-18 20:55 databases
drwx------ system   system            2012-01-22 17:46 files
drwxrwx--x system   system            2012-01-22 21:01 shared_prefs
Last edited by ApokrifX; 1st July 2012 at 05:36 AM.
15th September 2014, 07:41 AM   |  #23  
Quote:
Originally Posted by ApokrifX

I dunno, they are trivially convertible, try for yourself:
Unzip CERT.RSA from stock Reader.apk
Obviously (or not), CERT.RSA is pkcs7 and certs in packages.xml are hex strings x509
Let’s convert pkcs7 -> x509

Code:
openssl pkcs7 -inform DER -in CERT.RSA  -out CERT.PEM -print_certs
openssl x509  -inform PEM -in CERT.PEM -outform DER -out CERT.x509.DER
Now open CERT.x509.DER in any hex editor:
Code:
0000000000: 30 82 04 96 30 82 03 7E │ A0 03 02 01 02 02 09 00
0000000010: CF 3F 93 2A 95 18 91 A5 │ 30 0D 06 09 2A 86 48 86
...
0000000480: BF 46 EB 99 2F F8 A8 9A │ 1F 66 2D 91 4F 0C 93 FE
0000000490: 44 7D 2F D0 C2 CC DC F7 │ 5E 84
And compare with packages.xml
Code:
<cert index="5" key="308204963082037ea003020102020900cf3f932a951891a5300d06092a864886
…
bf46eb992ff8a89a1f662d914f0c93fe447d2fd0c2ccdcf75e84" />

In the case of re-signing in order to let a modified ReaderRMSDK.apk run while still using the B&N sharedId, I have a couple of doubts to clarify:
  1. Do I have to resign only the system apk that uses the same sharedId (10000, cert n. 4) or the whole system folder+framework?
  2. Would it work, instead of deleting packages.xml, if we change the B&N certs reference with the hex string output from the above commands obtained using our new CERT.RSA?

EDIT: I'm gonna give my theory a try and prepare a script to make the whole process automated in case it works fine. I'll write more tomorrow if it succeeds.
Last edited by rob.power; 15th September 2014 at 08:47 AM.
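
The manual comparison quoted in this post (convert CERT.RSA with openssl, then match the hex against packages.xml) can be done in one step. This is an added example, not code from the thread or from NookResigner; it assumes CERT.RSA is DER-encoded PKCS#7 with definite lengths, and the sample blob, placeholder certificate bytes and packages.xml fragment are constructed.

```python
import xml.etree.ElementTree as ET

def tlv(buf, off):
    """Read one DER TLV header at off; return (tag, content_start, end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                         # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def first_cert_from_pkcs7(p7):
    """DER bytes of the first X.509 certificate inside a PKCS#7 SignedData blob."""
    _, off, _ = tlv(p7, 0)                    # ContentInfo SEQUENCE
    _, _, off = tlv(p7, off)                  # skip contentType OID
    _, off, _ = tlv(p7, off)                  # [0] EXPLICIT wrapper
    _, off, end = tlv(p7, off)                # SignedData SEQUENCE
    while off < end:
        tag, start, nxt = tlv(p7, off)
        if tag == 0xA0:                       # certificates [0] IMPLICIT SET OF
            _, _, cert_end = tlv(p7, start)   # first certificate, header included
            return p7[start:cert_end]
        off = nxt
    raise ValueError("SignedData carries no certificates")

def matching_cert_indexes(p7, packages_xml):
    """Indexes of <cert key=...> entries in packages.xml equal to the APK's signer cert."""
    want = first_cert_from_pkcs7(p7).hex()
    root = ET.fromstring(packages_xml)
    return sorted(c.get("index") for c in root.iter("cert")
                  if c.get("key", "").lower() == want)

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

# Constructed sample: the "certificate" is placeholder bytes, not a real X.509 cert.
OID = bytes.fromhex("2a864886f70d0107")       # pkcs7 arc; last byte 02=signedData, 01=data
SAMPLE_CERT = der(0x30, bytes(range(150)) * 2)
SAMPLE_P7 = der(0x30, der(0x06, OID + b"\x02") + der(0xA0, der(0x30,
    der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID + b"\x01")) +
    der(0xA0, SAMPLE_CERT) + der(0x31, b""))))
SAMPLE_XML = ('<packages><sigs><cert index="4" key="%s"/>'
              '<cert index="13" key="3082aabb"/></sigs></packages>' % SAMPLE_CERT.hex())

if __name__ == "__main__":
    print(matching_cert_indexes(SAMPLE_P7, SAMPLE_XML))
```

On a real device image, pass the bytes of META-INF/CERT.RSA from the APK and the text of packages.xml; an empty result means the APK's signer is not among the stored certificates.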
15th September 2014, 02:05 PM   |  #24  
thenookieforlife3
Quote:
Originally Posted by rob.power

In the case of re-signing in order to let a modified ReaderRMSDK.apk run while still using the B&N sharedId, I have a couple of doubts to clarify:

  1. Do I have to resign only the system apk that uses the same sharedId (10000, cert n. 4) or the whole system folder+framework?
  2. Would it work, instead of deleting packages.xml, if we change the B&N certs reference with the hex string output from the above commands obtained using our new CERT.RSA?

EDIT: I'm gonna give my theory a try and prepare a script to make the whole process automated in case it works fine. I'll write more tomorrow if it succeeds.

That sounds great.

Let's hope that the people who made this thread 2 years ago are still interested in this topic!
16th September 2014, 11:29 AM   |  #25  
Quote:
Originally Posted by thenookieforlife3

That sounds great.

Let's hope that the people who made this thread 2 years ago are still interested in this topic!

A brief update:
I still need to fix a few things. I'm quite convinced it should work well, but I'm still having invalid digest errors which lead to the apparent boot loop.
Code:
[...]
W/PackageParser(  992): Exception reading /system/framework/framework-res.apk
W/PackageParser(  992): java.lang.SecurityException: META-INF/CERT.SF has invalid digest for res/drawable-es-mdpi/c_quicknav_shop_normal_sm.png in /system/framework/framework-res.apk
W/PackageParser(  992): 	at java.util.jar.JarVerifier.verifyCertificate(JarVerifier.java:370)
W/PackageParser(  992): 	at java.util.jar.JarVerifier.readCertificates(JarVerifier.java:273)
W/PackageParser(  992): 	at java.util.jar.JarFile.getInputStream(JarFile.java:416)
W/PackageParser(  992): 	at android.content.pm.PackageParser.loadCertificates(PackageParser.java:327)
W/PackageParser(  992): 	at android.content.pm.PackageParser.collectCertificates(PackageParser.java:461)
W/PackageParser(  992): 	at com.android.server.PackageManagerService.collectCertificatesLI(PackageManagerService.java:2080)
W/PackageParser(  992): 	at com.android.server.PackageManagerService.scanPackageLI(PackageManagerService.java:2113)
W/PackageParser(  992): 	at com.android.server.PackageManagerService.scanDirLI(PackageManagerService.java:2051)
W/PackageParser(  992): 	at com.android.server.PackageManagerService.<init>(PackageManagerService.java:563)
W/PackageParser(  992): 	at com.android.server.PackageManagerService.main(PackageManagerService.java:336)
W/PackageParser(  992): 	at com.android.server.ServerThread.run(SystemServer.java:120)
I/PackageManager(  992): Failed verifying certificates for package:android
D/PackageManager(  992): Scanning app dir /system/app
I/PackageManager(  992): /system/app/AFfileDownloadService.apk changed; collecting certs
W/PackageParser(  992): Exception reading /system/app/AFfileDownloadService.apk
W/PackageParser(  992): java.lang.SecurityException: META-INF/CERT.SF has invalid digest for classes.dex in /system/app/AFfileDownloadService.apk
W/PackageParser(  992): 	at java.util.jar.JarVerifier.verifyCertificate(JarVerifier.java:370)
W/PackageParser(  992): 	at java.util.jar.JarVerifier.readCertificates(JarVerifier.java:273)
W/PackageParser(  992): 	at java.util.jar.JarFile.getInputStream(JarFile.java:416)
W/PackageParser(  992): 	at android.content.pm.PackageParser.loadCertificates(PackageParser.java:327)
W/PackageParser(  992): 	at android.content.pm.PackageParser.collectCertificates(PackageParser.java:461)
W/PackageParser(  992): 	at com.android.server.PackageManagerService.collectCertificatesLI(PackageManagerService.java:2080)
W/PackageParser(  992): 	at com.android.server.PackageManagerService.scanPackageLI(PackageManagerService.java:2113)
W/PackageParser(  992): 	at com.android.server.PackageManagerService.scanDirLI(PackageManagerService.java:2051)
W/PackageParser(  992): 	at com.android.server.PackageManagerService.<init>(PackageManagerService.java:569)
W/PackageParser(  992): 	at com.android.server.PackageManagerService.main(PackageManagerService.java:336)
W/PackageParser(  992): 	at com.android.server.ServerThread.run(SystemServer.java:120)
I/PackageManager(  992): Failed verifying certificates for package:com.bn.nook.affiledownloadservice
I/PackageManager(  992): /system/app/Accessories.apk changed; collecting certs
W/PackageParser(  992): Exception reading /system/app/Accessories.apk
W/PackageParser(  992): java.lang.SecurityException: META-INF/CERT.SF has invalid digest for res/drawable/s_icon_recommend.png in /system/app/Accessories.apk
[...]

By the way, when checking on my pc using "jarsigner -verify -verbose" I don't get any errors, just the same warnings I get if I check the original apks.
Code:
[ ... ]
This jar contains entries whose certificate chain is not validated.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2037-11-20) or after any future revocation date.
I've read around the internet that this could be due to a problem when signing using jdk7, as with this version they changed the default signing algorithm.
I will give it a try installing jdk6 to see if it works.

If somebody has more suggestions about the error, they are welcome.
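
A check for the failure shown in the log above, as an added example (not the poster's script): it lists entries whose MANIFEST.MF or CERT.SF section lacks a SHA1-Digest attribute, or whose content no longer matches it. It assumes the poster's JDK 7 hypothesis, i.e. that the signer wrote SHA-256-Digest attributes (the JDK 7 jarsigner default) which the device's verifier does not read; the sample archives are constructed.

```python
import base64, hashlib, io, zipfile

def parse_sections(text):
    """Split MANIFEST.MF / *.SF text into {entry name: attributes}."""
    text = text.replace("\r\n", "\n").replace("\n ", "")   # unfold wrapped lines
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections

def audit(apk_bytes, sf_name="META-INF/CERT.SF"):
    """Return {entry: reason} for entries a SHA1-only verifier would reject."""
    problems = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = parse_sections(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        sf = parse_sections(z.read(sf_name).decode("utf-8"))
        for name, attrs in manifest.items():
            found = sorted(k for k in attrs if k.endswith("-Digest"))
            if "SHA1-Digest" not in attrs:
                problems[name] = "manifest has no SHA1-Digest, found %s" % found
            elif base64.b64decode(attrs["SHA1-Digest"]) != hashlib.sha1(z.read(name)).digest():
                problems[name] = "content does not match manifest SHA1-Digest"
            elif "SHA1-Digest" not in sf.get(name, {}):
                problems[name] = "%s has no SHA1-Digest" % sf_name
    return problems

def build_sample(label, hasher, tamper=False):
    """Constructed APK-like zip whose digests use `label` (SHA1 or SHA-256)."""
    dex = b"constructed dex bytes"
    def attr(data):
        return "%s-Digest: %s\r\n" % (label, base64.b64encode(hasher(data).digest()).decode())
    section = "Name: classes.dex\r\n" + attr(dex) + "\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex + b"!" if tamper else dex)
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n" + section)
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n\r\n"
                   "Name: classes.dex\r\n" + attr(section.encode()) + "\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit(build_sample("SHA1", hashlib.sha1)))        # JDK 6 style
    print(audit(build_sample("SHA-256", hashlib.sha256)))   # JDK 7 default
```

A desktop `jarsigner -verify` accepts both samples' digest styles, which is consistent with the PC check passing while the device rejects the same file.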
17th September 2014, 08:08 PM   |  #26  
Really good news: I got it working!

I found how to correct the signature bug in JDK7. Then I had a few problems with packages.xml; I was trying to patch the old one directly with new signatures instead of just deleting it, but at first boot it underwent some weird changes, becoming unable to load the UI.
Then I just changed the script to delete the file and it worked like a charm, even if with some UID changes. Eventually, to avoid permission errors, I pushed the patched version again, and now it's perfect.

Give me a day or two to review and debug the code, and hopefully before the weekend it will be available for download! I also want to add an option to completely automate even the previous steps of alternative dictionaries installation and maybe a way to automatically resolve any unmet dependencies.

Script is in bash, it will work on Ubuntu (and I'm quite sure any Debian-like distro, maybe even other Linux systems). Before anyone asks, I'm sorry but I'm not thinking about porting it to Windows; by the way, I'll release source code so anyone interested is welcome to port it.

Stay tuned!
17th September 2014, 09:18 PM   |  #27  
thenookieforlife3
Quote:
Originally Posted by rob.power

Really good news: I got it working!

I found how to correct the signature bug in JDK7. Then I had a few problems with packages.xml; I was trying to patch the old one directly with new signatures instead of just deleting it, but at first boot it underwent some weird changes, becoming unable to load the UI.
Then I just changed the script to delete the file and it worked like a charm, even if with some UID changes. Eventually, to avoid permission errors, I pushed the patched version again, and now it's perfect.

Give me a day or two to review and debug the code, and hopefully before the weekend it will be available for download! I also want to add an option to completely automate even the previous steps of alternative dictionaries installation and maybe a way to automatically resolve any unmet dependencies.

Script is in bash, it will work on Ubuntu (and I'm quite sure any Debian-like distro, maybe even other Linux systems). Before anyone asks, I'm sorry but I'm not thinking about porting it to Windows; by the way, I'll release source code so anyone interested is welcome to port it.

Stay tuned!

Hooray! \o/

Staying tuned for sure!
29th September 2014, 12:42 AM   |  #28  
It took a lot longer than I expected, as I had a hard week at work.

By the way, here goes the script.
https://github.com/robpower/NookResigner
Maybe it's not a coding masterpiece, but it seems to work quite well. I might have forgotten some dependencies, so feedback is appreciated. Please let me know if you find any error; if possible, use the GitHub issue tracker.
PS: I will add a more detailed explanation soon, even if I hope running 'NookResigned.sh -h' would be quite self-explanatory.

I tried to make the script modular:
- running with no options will just resign the system;
- to add Reader patch, add -p option;
- to add dictionary conversion add the -d option
- the -r option is used to restore from backup
- the -c option will simply try to resolve dependencies.

Enjoy it! Cheers

EDIT: as stated in readme, many thanks to RenateRST and ApokrifX; this "user-friendly" script is based on their previous work and suggestions.
Last edited by rob.power; 29th September 2014 at 12:45 AM. Reason: Ack
29th September 2014, 12:51 AM   |  #29  
thenookieforlife3
Quote:
Originally Posted by rob.power

It took a lot longer than I expected, as I had a hard week at work.

By the way, here goes the script.
https://github.com/robpower/NookResigner
Maybe it's not a coding masterpiece, but it seems to work quite well. I might have forgotten some dependencies, so feedback is appreciated. Please let me know if you find any error; if possible, use the GitHub issue tracker.
PS: I will add a more detailed explanation soon, even if I hope running 'NookResigned.sh -h' would be quite self-explanatory.

I tried to make the script modular:
- running with no options will just resign the system;
- to add Reader patch, add -p option;
- to add dictionary conversion add the -d option
- the -r option is used to restore from backup
- the -c option will simply try to resolve dependencies.

Enjoy it! Cheers

EDIT: as stated in readme, many thanks to RenateRST and ApokrifX; this "user-friendly" script is based on their previous work and suggestions.

Good work!

I'll test it out tomorrow if I have time.
30th September 2014, 12:56 PM   |  #30  
Quote:
Originally Posted by rob.power

It took a lot longer than I expected, as I had a hard week at work.
By the way, here goes the script.
EDIT: as stated in readme, many thanks to RenateRST and ApokrifX; this "user-friendly" script is based on their previous work and suggestions.

It's been a while since I visited NST forums. It's nice to see, it's alive and kicking still!
