[VOLVO SCT] Volvo Sensus Connected Touch (car - navi - audio)


xadax

Member
Jun 24, 2013
47
9
Attempt fb mem exploit...
[1] Segmentation fault (core dumped) ./break_setresuid


is it possible to post the core file ?
We probably need to find the addresses in the zimage. That's something that will take time.
hang on :)

I did post the core file in core.zip.

---------- Post added at 12:59 AM ---------- Previous post was at 12:43 AM ----------

How do I run this? I don't think running the scripts within adb shell on the SCT is the way. Do I have to make a dump file or can I use the plf, but need a Linux x86 environment? I am currently running Windows 7 x64.
 

gekkekoe123

Senior Member
Sep 23, 2010
280
103
my bad, I will download the core and see what is happening.

Code:
./extract_address_and_disassemble zimage 
Searching for zImage compression
GZ compression detected
Unpacking zImage
181+1 records in
181+1 records out
2882635 bytes (2.9 MB) copied, 0.0583776 s, 49.4 MB/s

gzip: stdin: decompression OK, trailing garbage ignored
DONE unpacking zImage
Grabbing addresses
[+]mmap
  mem=f6ffe000 length=0059f800 offset=c900a000
kallsyms_addresses search failed
Disassembling kernel for specific functions
0 symbols are loaded.
0 symbols are loaded.
searching for ptmx_fops
searching for perf_swevent_enabled

Tool also doesn't seem to work.
 

xadax

Member
Jun 24, 2013
47
9
my bad, I will download the core and see what is happening.

Code:
./extract_address_and_disassemble zimage 
Searching for zImage compression
GZ compression detected
Unpacking zImage
181+1 records in
181+1 records out
2882635 bytes (2.9 MB) copied, 0.0583776 s, 49.4 MB/s

gzip: stdin: decompression OK, trailing garbage ignored
DONE unpacking zImage
Grabbing addresses
[+]mmap
  mem=f6ffe000 length=0059f800 offset=c900a000
kallsyms_addresses search failed
Disassembling kernel for specific functions
0 symbols are loaded.
0 symbols are loaded.
searching for ptmx_fops
searching for perf_swevent_enabled

Tool also doesn't seem to work.
I also tried on a Linux system with the plf (http://www.parrot.com/uk/support/sensus-connected-touch):
Code:
Searching for zImage compression
GZ compression detected
Unpacking zImage

gzip: stdin: decompression OK, trailing garbage ignored
DONE unpacking zImage
Grabbing addresses
[+]mmap
  mem=f749d000 length=00306e80 offset=c8b6b000
kallsyms_addresses search failed
Disassembling kernel for specific functions
0 symbols are loaded.
0 symbols are loaded.
searching for ptmx_fops
searching for perf_swevent_enabled
 

gekkekoe123

Senior Member
Sep 23, 2010
280
103

Attachments

  • splot3.zip
    48.8 KB · Views: 14

donaldta

Senior Member
Aug 12, 2013
1,328
461
Whoa! Buffer Overrun.


Thank you very much for this go. It provided me with a lot of information but unfortunately, since it was not segmented per install, it was very difficult to digest. Next time it would be helpful if, after you installed a file, you used [CTRL]+[A] before you exported the log and then cleared it before the next installation. That way it is much easier to associate the error message with each installation.

One particularly interesting piece of information is that every install attempt was confronted with "Signatures files not found", yet it installed anyway, at least with the AlphaSparma0.apk when opting to re-install.

Code:
C:\>adb install AlphaSparma0.apk
797 KB/s (1897501 bytes in 2.323s)
        pkg: /data/local/tmp/AlphaSparma0.apk
Failure [INSTALL_FAILED_ALREADY_EXISTS]

11-01 18:42:25.880: D/PackageParser(1492): Scanning package: /data/app/vmdl-789078278.tmp
11-01 18:42:27.190: W/PackageParser(1492): Signatures files not found.
11-01 18:42:27.190: W/PackageManager(1492): Attempt to re-install com.parrot.spotify without first uninstalling.

C:\>adb install -r AlphaSparma0.apk
805 KB/s (1897501 bytes in 2.299s)
        pkg: /data/local/tmp/AlphaSparma0.apk
Success

11-01 18:42:34.710: D/PackageParser(1492): Scanning package: /data/app/vmdl-1103253973.tmp
11-01 18:42:35.730: W/PackageParser(1492): Signatures files not found.
11-01 18:42:35.760: D/PackageManager(1492): Removing package com.parrot.spotify
11-01 18:42:35.760: D/PackageManager(1492):   Services: com.parrot.spotify.service.SPService com.parrot.spotify.mediaengine.SPMediaEngine com.parrot.spotify.mediaengine.SPMediaProvider com.parrot.spotify.voicereco.binder.SPVoiceRecoService
11-01 18:42:35.810: D/PackageManager(1492):   Activities: com.parrot.spotify.SPLoginActivity com.parrot.spotify.SPMainActivity com.parrot.spotify.SPBrowsingActivity com.parrot.spotify.SPBrowsingPlayerActivity com.parrot.spotify.SPSearchActivity com.parrot.spotify.SPSettingsActivity com.parrot.spotify.SPLicencesWebViewActivity com.parrot.spotify.dialog.StatusDialog com.parrot.spotify.SPPopupWithoutActivity
11-01 18:42:35.840: D/PackageManager(1492): Scanning package com.parrot.spotify
11-01 18:42:35.840: W/PackageManager(1492): Trying to update system app code path from /system/app/com.parrot.spotify.apk to /data/app/com.parrot.spotify-1.apk
11-01 18:42:37.360: D/PackageManager(1492):   Services: com.parrot.spotify.service.SPService com.parrot.spotify.mediaengine.SPMediaEngine com.parrot.spotify.mediaengine.SPMediaProvider com.parrot.spotify.voicereco.binder.SPVoiceRecoService
11-01 18:42:37.360: D/PackageManager(1492):   Activities: com.parrot.spotify.SPLoginActivity com.parrot.spotify.SPMainActivity com.parrot.spotify.SPBrowsingActivity com.parrot.spotify.SPBrowsingPlayerActivity com.parrot.spotify.SPSearchActivity com.parrot.spotify.SPSettingsActivity com.parrot.spotify.SPLicencesWebViewActivity com.parrot.spotify.dialog.StatusDialog com.parrot.spotify.SPPopupWithoutActivity
11-01 18:42:37.360: W/PackageManager(1492): Code path for pkg : com.parrot.spotify changing from /system/app/com.parrot.spotify.apk to /data/app/com.parrot.spotify-1.apk
11-01 18:42:37.360: W/PackageManager(1492): Resource path for pkg : com.parrot.spotify changing from /system/app/com.parrot.spotify.apk to /data/app/com.parrot.spotify-1.apk
11-01 18:42:37.500: D/PackageManager(1492): New package installed in /data/app/com.parrot.spotify-1.apk

Well, at least I know that the base app is good.

Code:
C:\>adb install -r evil-AlphaSparma1.apk
777 KB/s (3269861 bytes in 4.108s)
        pkg: /data/local/tmp/evil-AlphaSparma1.apk
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

11-01 18:43:11.690: D/PackageParser(1492): Scanning package: /data/app/vmdl806157416.tmp
11-01 18:43:11.800: E/PackageParser(1492): Package com.alephzain.framaroot has no certificates at entry res/layout/activity_frama.xml; ignoring!

C:\>adb install -r evil-AlphaSparma2.apk
733 KB/s (3253691 bytes in 4.329s)
        pkg: /data/local/tmp/evil-AlphaSparma2.apk
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

11-01 18:43:21.700: D/PackageParser(1492): Scanning package: /data/app/vmdl105264748.tmp
11-01 18:43:21.800: E/PackageParser(1492): Package com.alephzain.framaroot has no certificates at entry res/layout/activity_frama.xml; ignoring!

C:\>adb install -r evil-AlphaSparma3.apk
800 KB/s (3253061 bytes in 3.966s)
        pkg: /data/local/tmp/evil-AlphaSparma3.apk
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

11-01 18:43:30.370: D/PackageParser(1492): Scanning package: /data/app/vmdl-548715317.tmp
11-01 18:43:30.840: E/PackageParser(1492): Package com.alephzain.framaroot has no certificates at entry lib/armeabi/libframalib.so; ignoring!

I was expecting those three to fail because they had files which did not exist in AlphaSparma0.apk. However, I did not expect the next two to fail.

Code:
C:\>adb install -r evil-AlphaSparma4.apk
736 KB/s (2358856 bytes in 3.129s)
        pkg: /data/local/tmp/evil-AlphaSparma4.apk
Failure [INSTALL_FAILED_INVALID_APK]

11-01 18:43:37.530: D/PackageParser(1492): Scanning package: /data/app/vmdl-375256504.tmp
11-01 18:43:38.350: W/PackageParser(1492): Signatures files not found.
11-01 18:43:38.350: D/PackageManager(1492): Scanning package com.alephzain.framaroot
11-01 18:43:38.370: W/PackageParser(1492): Signatures files not found.
11-01 18:43:38.370: W/PackageManager(1492): Package couldn't be installed in /data/app/com.alephzain.framaroot-1.apk

C:\>adb install -r evil-AlphaSparma5.apk
788 KB/s (2331785 bytes in 2.888s)
        pkg: /data/local/tmp/evil-AlphaSparma5.apk
Failure [INSTALL_FAILED_INVALID_APK]

11-01 18:43:46.200: D/PackageParser(1492): Scanning package: /data/app/vmdl-254428381.tmp
11-01 18:43:47.020: W/PackageParser(1492): Signatures files not found.
11-01 18:43:47.020: D/PackageManager(1492): Scanning package com.alephzain.framaroot
11-01 18:43:47.040: W/PackageParser(1492): Signatures files not found.
11-01 18:43:47.040: W/PackageManager(1492): Package couldn't be installed in /data/app/com.alephzain.framaroot-1.apk

As you see, the trojan packages are being re-parsed, which is not something I expected. I may have to go back to the drawing board on this one. Would you be able to re-install the modified Wikango app that johnnie_w created? It's the one you had named "evil--ppktemp.apk". I would like to see the logcat data for that installation.

Code:
C:\>adb shell dumpsys package com

:) Again, inundated with too much information. Believe me I know the irony of having little to no feedback but then being overwhelmed with a tidal wave of information. For this portion the command, "adb shell dumpsys package com.android.packageinstaller" would have been better since we were only looking for one relevant line. This was analogous to looking for a needle in a haystack.

Package [com.android.packageinstaller] (406137e0):

userId=10019 gids=[]
sharedUser=null
pkg=Package{40665c28 com.android.packageinstaller}
codePath=/system/app/PackageInstaller.apk
resourcePath=/system/app/PackageInstaller.apk
nativeLibraryPath=/data/data/com.android.packageinstaller/lib
versionCode=10
versionName=2.3.7
dataDir=/data/data/com.android.packageinstaller
targetSdk=10
supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]
timeStamp=1970-01-01 00:01:11
firstInstallTime=1970-01-01 00:02:17
lastUpdateTime=1970-01-01 00:01:11
signatures=PackageSignatures{406138b0 [405f45a0]}
permissionsFixed=false haveGids=true
pkgFlags=0x1 installStatus=1 enabled=0

grantedPermissions:
android.permission.READ_PHONE_STATE
android.permission.INSTALL_PACKAGES
android.permission.DELETE_PACKAGES
android.permission.CLEAR_APP_USER_DATA
android.permission.CLEAR_APP_CACHE

Now we know that you performed these steps with Package Installer 2.3.7 present. Is there any way you can try this again with one of the 2.3.3 installed?
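Added example, not part of the original post: one way to do the per-install segmentation asked for above, and to flag installs that completed even though the parser logged "Signatures files not found". The log lines are copied (abridged) from the excerpts in the post; the function and flag names are made up for this sketch.

```python
import re
from dataclasses import dataclass, field

# Log lines copied (abridged) from the logcat excerpts quoted in the post.
SAMPLE_LOGCAT = """\
11-01 18:42:25.880: D/PackageParser(1492): Scanning package: /data/app/vmdl-789078278.tmp
11-01 18:42:27.190: W/PackageParser(1492): Signatures files not found.
11-01 18:42:27.190: W/PackageManager(1492): Attempt to re-install com.parrot.spotify without first uninstalling.
11-01 18:42:34.710: D/PackageParser(1492): Scanning package: /data/app/vmdl-1103253973.tmp
11-01 18:42:35.730: W/PackageParser(1492): Signatures files not found.
11-01 18:42:35.760: D/PackageManager(1492): Removing package com.parrot.spotify
11-01 18:42:35.840: W/PackageManager(1492): Trying to update system app code path from /system/app/com.parrot.spotify.apk to /data/app/com.parrot.spotify-1.apk
11-01 18:42:37.500: D/PackageManager(1492): New package installed in /data/app/com.parrot.spotify-1.apk
11-01 18:43:11.690: D/PackageParser(1492): Scanning package: /data/app/vmdl806157416.tmp
11-01 18:43:11.800: E/PackageParser(1492): Package com.alephzain.framaroot has no certificates at entry res/layout/activity_frama.xml; ignoring!
11-01 18:43:37.530: D/PackageParser(1492): Scanning package: /data/app/vmdl-375256504.tmp
11-01 18:43:38.350: W/PackageParser(1492): Signatures files not found.
11-01 18:43:38.350: D/PackageManager(1492): Scanning package com.alephzain.framaroot
11-01 18:43:38.370: W/PackageManager(1492): Package couldn't be installed in /data/app/com.alephzain.framaroot-1.apk
"""

# "MM-DD HH:MM:SS.mmm: L/Tag(pid): message" as printed in the excerpts above
LINE = re.compile(r"^(\d\d-\d\d [\d:.]+): ([VDIWEF])/(\w+)\(\s*\d+\): (.*)$")
PKG_PATTERNS = [
    re.compile(r"Attempt to re-install (\S+) without"),
    re.compile(r"Removing package (\S+)"),
    re.compile(r"Scanning package ([\w.]+)$"),
    re.compile(r"Package (\S+) has no certificates"),
]
SYSTEM_OVERRIDE = re.compile(
    r"update system app code path from (/system/\S+) to (/data/\S+)")


@dataclass
class InstallAttempt:
    started: str            # timestamp of the first line of the attempt
    staged_file: str        # temporary file the package manager scanned
    package: str = ""
    installed: bool = False
    flags: set = field(default_factory=set)


def split_install_attempts(logcat_text):
    """Group PackageParser/PackageManager lines into one record per install."""
    attempts = []
    for raw in logcat_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) not in ("PackageParser", "PackageManager"):
            continue
        stamp, _level, tag, msg = m.groups()
        # Each install starts with the parser scanning a staged file
        if tag == "PackageParser" and msg.startswith("Scanning package: /"):
            attempts.append(InstallAttempt(stamp, msg.split(": ", 1)[1]))
            continue
        if not attempts:
            continue  # package-manager lines before the first install
        cur = attempts[-1]
        for pattern in PKG_PATTERNS:
            hit = pattern.search(msg)
            if hit and not cur.package:
                cur.package = hit.group(1)
        if "Signatures files not found" in msg:
            cur.flags.add("no-signature-files")
        if "has no certificates at entry" in msg:
            cur.flags.add("unsigned-entry")
        if SYSTEM_OVERRIDE.search(msg):
            cur.flags.add("system-app-moved-to-data")
        if msg.startswith("New package installed in"):
            cur.installed = True
    return attempts


def installed_without_signatures(attempts):
    """Installs that completed although no signature files were found."""
    return [a for a in attempts
            if a.installed and "no-signature-files" in a.flags]


if __name__ == "__main__":
    for a in split_install_attempts(SAMPLE_LOGCAT):
        state = "installed" if a.installed else "not installed"
        print(a.started, a.package, state, sorted(a.flags))
```
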
 

gekkekoe123

Senior Member
Sep 23, 2010
280
103
also try this one:

I switched the exploit order. the fb mem thing crashes.

but test sploit3 and 4 for me and paste output.
 

Attachments

  • sploit4.zip
    49.1 KB · Views: 10
  • splot3.zip
    48.8 KB · Views: 7

donaldta

Senior Member
Aug 12, 2013
1,328
461
Hidden they are!

2) We do not have an app manager to deinstall updates (like Donaldta showed in his virtual device). The SCT is a very crippled android system. All menus that are standard for android are gone. It is already a wonder we have the Debug option under Development, but that is the only option (besides Fake location)

I took a look at the "com.parrot.setting2.apk" from the SCT's PLF and it looks like most if not all of the standard settings are present. I'm not quite sure how they hid them but perhaps we can use Activity Manager to bring them up. Give these four a try first to see if the respective settings control panel will pop up on the SCT.

Code:
root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.ApplicationSettings
Starting: Intent { cmp=com.android.settings/.ApplicationSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.RunningServices
Starting: Intent { cmp=com.android.settings/.RunningServices }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.DevelopmentSettings
Starting: Intent { cmp=com.android.settings/.DevelopmentSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.applications.StorageUse
Starting: Intent { cmp=com.android.settings/.applications.StorageUse }

If these work then I'll go back and catalog the rest of them for you. If they don't maybe we can find out why with the logcat messages.
 

xadax

Member
Jun 24, 2013
47
9
also try this one:

I switched the exploit order. the fb mem thing crashes.
but test sploit3 and 4 for me and paste output.
Code:
$ ./break_setresuid3b
Attempt fb mem exploit...
[1]   Segmentation fault (core dumped) ./break_setresuid3b
core3b attached

Code:
$./break_setresuid4
ACU Volvo (V01.47.88_Volvo_EU) is not supported.
Attempting to detect from /proc/kallsyms...
ACU Volvo (V01.47.88_Volvo_EU) is not supported.
failed to open /dev/diag due to No such file or directory.Attempt fb mem exploit
...
failed to get root access
[1]   Segmentation fault (core dumped) ./break_setresuid4
core4 attached
and ls -l /dev attached
 

Attachments

  • core3b4lsdev.zip
    13 KB · Views: 12

gekkekoe123

Senior Member
Sep 23, 2010
280
103
another try :)


from http://blog.azimuthsecurity.com/2013/02/re-visiting-exynos-memory-mapping-bug.html

The second new device is more of the same: yet another device file that allows unprivileged users to map arbitrary physical memory. This bug appears in kernels for devices using the TI OMAP3 chipset, which includes a number of popular older devices, such as the Motorola Droid, Droid 2, and Droid X. For reference, the affected code is implemented in drivers/dsp/bridge/rmgr/drv_interface.c and even includes a helpful comment:

so we could also use framaroot gimli method if the break_setresuid fails
 

Attachments

  • sploit5.zip
    48.8 KB · Views: 26

xadax

Member
Jun 24, 2013
47
9

Attachments

  • core5.zip
    5.7 KB · Views: 19

gekkekoe123

Senior Member
Sep 23, 2010
280
103
Code:
./break_setresuid5
ACU Volvo (V01.47.88_Volvo_EU) is not supported.
failed to open /dev/diag due to No such file or directory.Attempt fb mem exploit
...
failed to get root access
[1]   Segmentation fault (core dumped) ./break_setresuid5
core5 attached

Ok, thank you for all the useful testing. The break_setresuid5 doesn't seem to work, or we need to see why it core dumped.
Both methods are somewhat time consuming.

Checking our dev log I noticed:
Code:
crwxrwxrwx root     root     246,   0 2013-11-02 01:53 DspBridge

This is the one framaroot uses. In the coming days, I'll try to make a commandline programme that uses framalib to exploit /dev/dspbridge
Volvo seems to be lucky to be using such an "old" kernel :(

again thanks for the testing.
 
  • Like
Reactions: xadax
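Added example, not part of the original post: a small audit of an `ls -l /dev` listing that reports device nodes every user can read or write, the condition the `DspBridge` line above shows. Only the `DspBridge` line comes from the thread; the other listing lines, the allowlist and the function name are constructed or assumed for this sketch.

```python
import re

# Constructed `ls -l /dev` listing in the same column layout as the line
# quoted above. Only the DspBridge line is from the thread.
SAMPLE_LS_DEV = """\
crw------- root     root      10,  59 2013-11-02 01:53 cpu_dma_latency
crwxrwxrwx root     root     246,   0 2013-11-02 01:53 DspBridge
crw-rw-rw- root     root       1,   3 2013-11-02 01:53 null
crw-rw-rw- root     root       1,   5 2013-11-02 01:53 zero
crw-rw-rw- root     root       1,   9 2013-11-02 01:53 urandom
crw-rw-rw- root     root      10,  62 2013-11-02 01:53 binder
crw-rw-rw- root     root      10,  61 2013-11-02 01:53 ashmem
crw-rw-r-- root     root      10,  50 2013-11-02 01:53 example_sensor
brw------- root     root       7,   0 2013-11-02 01:53 loop0
drwxr-xr-x root     root              2013-11-02 01:53 input
crw-r----- root     kmem       1,   1 2013-11-02 01:53 mem
"""

# Assumption: nodes that every process is expected to open. Tune per platform.
EXPECTED_WORLD_ACCESS = {
    "null", "zero", "full", "random", "urandom",
    "tty", "ptmx", "ashmem", "binder",
}

# type+mode, owner, group, "major, minor", date, time, name
NODE = re.compile(
    r"^(?P<kind>[bc])(?P<perms>[rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<major>\d+),\s*(?P<minor>\d+)\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def audit_dev_listing(listing, expected=EXPECTED_WORLD_ACCESS):
    """Return block/char device nodes that 'other' can read or write."""
    findings = []
    for line in listing.splitlines():
        m = NODE.match(line.strip())
        if not m:
            continue  # directories, symlinks, blank lines
        other = m["perms"][6:9]
        access = "".join(bit for bit in other[:2] if bit in "rw")
        if not access or m["name"] in expected:
            continue
        findings.append({
            "name": m["name"],
            "type": "char" if m["kind"] == "c" else "block",
            "perms": m["perms"],
            "owner": m["owner"],
            "group": m["group"],
            "device": (int(m["major"]), int(m["minor"])),
            "world_access": access,
        })
    # World-writable nodes first: any process can reach the driver behind them
    findings.sort(key=lambda f: ("w" not in f["world_access"], f["name"]))
    return findings


if __name__ == "__main__":
    for f in audit_dev_listing(SAMPLE_LS_DEV):
        print("{name}: {perms} {owner}:{group} dev={device} "
              "world={world_access}".format(**f))
```
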

xadax

Member
Jun 24, 2013
47
9
I took a look at the "com.parrot.setting2.apk" from the SCT's PLF and it looks like most if not all of the standard settings are present. I'm not quite sure how they hid them but perhaps we can use Activity Manager to bring them up. Give these four a try first to see if the respective settings control panel will pop up on the SCT.

Code:
root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.ApplicationSettings
Starting: Intent { cmp=com.android.settings/.ApplicationSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.RunningServices
Starting: Intent { cmp=com.android.settings/.RunningServices }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.DevelopmentSettings
Starting: Intent { cmp=com.android.settings/.DevelopmentSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.applications.StorageUse
Starting: Intent { cmp=com.android.settings/.applications.StorageUse }

If these work then I'll go back and catalog the rest of them for you. If they don't maybe we can find out why with the logcat messages.

I tried them, it seems to be working. The ApplicationSettings and DevelopmentSettings still show the known limited menus.
RunningServices and StorageUse show screens I have not seen before.

P.S. this will be my last action for now, since it is getting late here, it is raining heavily and I don't want a flat battery tomorrow...
Thanks, there seems to be some progress now. Perhaps some other SCT owner can take over for now.

---------- Post added at 02:34 AM ---------- Previous post was at 02:32 AM ----------

Ok, thank you for all the useful testing. The break_setresuid5 doesn't seem to work, or we need to see why it core dumped.
Both methods are somewhat time consuming.

Checking our dev log I noticed:
Code:
crwxrwxrwx root     root     246,   0 2013-11-02 01:53 DspBridge

This is the one framaroot uses. In the coming days, I'll try to make a commandline programme that uses framalib to exploit /dev/dspbridge
Volvo seems to be lucky to be using such an "old" kernel :(

again thanks for the testing.

There is a new firmware coming in two weeks, I don't know which Asteroid/kernel version this is based on.
 

donaldta

Senior Member
Aug 12, 2013
1,328
461
I know that Cydia Impactor didn't work in this case. However, you might want to try hitting up the author or someone on his IRC server. After all, on the Cydia Impactor webpage, he did write...

If you are having problems using Cydia Impactor (it crashes, doesn't work on your device, or simply doesn't make any sense) please join #android on irc.saurik.com and ask a question.

With some background information on what happened, he might be able to implement a workaround.

---------- Post added at 08:00 PM ---------- Previous post was at 07:36 PM ----------

I tried them, it seems to be working. The ApplicationSettings and DevelopmentSettings still show the known limited menus. RunningServices and StorageUse show screens I have not seen before.

Alright, here are all the ones that I've found.

Code:
root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.WirelessSettings
Starting: Intent { cmp=com.android.settings/.WirelessSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.SoundSettings
Starting: Intent { cmp=com.android.settings/.SoundSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.DisplaySettings
Starting: Intent { cmp=com.android.settings/.DisplaySettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.SecuritySettings
Starting: Intent { cmp=com.android.settings/.SecuritySettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.providers.subscribedfeeds/com.android.settings.ManageAccountsSettings
Starting: Intent { cmp=com.android.providers.subscribedfeeds/com.android.settings.ManageAccountsSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.PrivacySettings
Starting: Intent { cmp=com.android.settings/.PrivacySettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.deviceinfo.Memory
Starting: Intent { cmp=com.android.settings/.deviceinfo.Memory }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.LanguageSettings
Starting: Intent { cmp=com.android.settings/.LanguageSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.VoiceInputOutputSettings
Starting: Intent { cmp=com.android.settings/.VoiceInputOutputSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.AccessibilitySettings
Starting: Intent { cmp=com.android.settings/.AccessibilitySettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.DateTimeSettings
Starting: Intent { cmp=com.android.settings/.DateTimeSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.DeviceInfoSettings
Starting: Intent { cmp=com.android.settings/.DeviceInfoSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.quicklaunch.QuickLaunchSettings
Starting: Intent { cmp=com.android.settings/.quicklaunch.QuickLaunchSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.fuelgauge.PowerUsageSummary
Starting: Intent { cmp=com.android.settings/.fuelgauge.PowerUsageSummary }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.ApplicationSettings
Starting: Intent { cmp=com.android.settings/.ApplicationSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.RunningServices
Starting: Intent { cmp=com.android.settings/.RunningServices }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.DevelopmentSettings
Starting: Intent { cmp=com.android.settings/.DevelopmentSettings }

root@Microknoppix:/home/knoppix# adb shell am start -n com.android.settings/.applications.StorageUse
Starting: Intent { cmp=com.android.settings/.applications.StorageUse }
 

gekkekoe123

Senior Member
Sep 23, 2010
280
103
Okay,

I've been doing some hacking and got a proof of concept command line framaroot.
For now only the Gimli exploit is enabled. But this exploit works on the parrot so this should work. The other exploits are Samsung exploits.
I will enable them at a later stage.

usage:
Code:
adb push libframalib.so /data/local/.
adb push sploit /data/local
adb shell chmod 755 /data/local/sploit

Now try each of the following:
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit Gimli 0
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit Gimli 1
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit Gimli 2
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit Gimli 3

and verify after each step if you have root.
If stuff breaks please post adb logcat

[Edit]

Ok, cmd-frama3 now enables all the exploits in frama root!
Use one of these instead of Gimli in the commands above:
Gandalf, Boromir, Pippin, Legolas, Aragorn, Gimli

For SCT Gimli is the one that should work.

Credits to the Author of frama root for the lib.
Hopefully Volvo didn't patch more than parrot did...


Also don't update any firmware as they might have patched the Omap bug
 

Attachments

  • cmd-frama2.zip
    883.2 KB · Views: 19
  • cmd-frama3.zip
    883.2 KB · Views: 20

gekkekoe123

Senior Member
Sep 23, 2010
280
103
The cmd frama tool allows you to invoke functions from the frama lib. We don't need to install it as APK since the native tool will load the lib itself. It's important that the framalib is in the same folder as the tool.

I added an option where the user can choose a mode (1=normal, 0=adb).


See attached cmd-frama4.zip
Usage:

Code:
adb push libframalib.so /data/local/.
adb push sploit /data/local
adb shell chmod 755 /data/local/sploit

Now try each of the following and check for root after each try:
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 0
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 0
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 1
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 1
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 2
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 2

At this point, I need someone to run cmd-frama4 on an actual unit. My emulator cannot emulate the SCT.
I can see in the stacktrace that the framalib methods are invoked.

The following 2 parameters should have the highest success rate:

# use normal activity with Gimli exploit and selected idx 0 from root menu
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 0
# use ADB activity with Gimli exploit and selected idx 0 from root menu
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 0
Please post output and adb logcat in case of problems.
 

Attachments

  • cmd-frama4.zip
    883.4 KB · Views: 17

johnnie_w

Senior Member
Aug 4, 2007
55
22
Unfortunately I get segmentation faults (with all combinations, no root after running all of them):

Code:
$ LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 1
Command line Frama root by Gekkekoe, (credits alephzain for framalib)
Using Gimli with selected index 1 in mode 0
Offset Get:676 Release:680
Size of JNIEnv: 932
Got callback GetStringUTFChars
[1] + Stopped (signal)        LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 1
$
[1]   Segmentation fault      LD_LIBRARY_PATH=/data/local /data/local/sploit 0 Gimli 1

Logcat:
Code:
I/DEBUG   ( 1045): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 1045): Build fingerprint: 'AFM/fc6100_volvo/fc6100_volvo:2.3.7/V01.47.88_Volvo_EU/:user/release-keys'
I/DEBUG   ( 1045): pid: 2134, tid: 2134 (sploit) >>> /data/local/sploit <<<
I/DEBUG   ( 1045): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
I/DEBUG   ( 1045):  r0 bee6fbd8  r1 00000000  r2 00000005  r3 00000000
I/DEBUG   ( 1045):  r4 00000001  r5 801eb54c  r6 00000000  r7 bee6fbd8
I/DEBUG   ( 1045):  r8 bee6fbd8  r9 00000000  10 80008f44  fp afd4d5e8
I/DEBUG   ( 1045):  ip 80008f8c  sp bee6f828  lr 80001913  pc 00000000  cpsr 40000010
I/DEBUG   ( 1045):  d0  746547206b636146  d1  5455676e69727443
I/DEBUG   ( 1045):  d2  656b6b6547207968  d3  726328202c656f61
I/DEBUG   ( 1045):  d4  0000000000000000  d5  0000000000000000
I/DEBUG   ( 1045):  d6  0000000000000000  d7  0000000000000000
I/DEBUG   ( 1045):  d8  0000000000000000  d9  0000000000000000
I/DEBUG   ( 1045):  d10 0000000000000000  d11 0000000000000000
I/DEBUG   ( 1045):  d12 0000000000000000  d13 0000000000000000
I/DEBUG   ( 1045):  d14 0000000000000000  d15 0000000000000000
I/DEBUG   ( 1045):  d16 0000000000000000  d17 0000000000000000
I/DEBUG   ( 1045):  d18 0000000000000000  d19 0000000000000000
I/DEBUG   ( 1045):  d20 0000000000000000  d21 0000000000000000
I/DEBUG   ( 1045):  d22 0000000000000000  d23 0000000000000000
I/DEBUG   ( 1045):  d24 0000000000000000  d25 0000000000000000
I/DEBUG   ( 1045):  d26 0000000000000000  d27 0000000000000000
I/DEBUG   ( 1045):  d28 0000000000000000  d29 0000000000000000
I/DEBUG   ( 1045):  d30 0000000000000000  d31 0000000000000000
I/DEBUG   ( 1045):  scr 00000000
I/DEBUG   ( 1045):
I/DEBUG   ( 1045):          #00  pc 00000000
I/DEBUG   ( 1045):          #01  pc 00001910  /data/local/libframalib.so
I/DEBUG   ( 1045):          #02  pc 00001fda  /data/local/libframalib.so
I/DEBUG   ( 1045):
I/DEBUG   ( 1045): code around pc:
I/DEBUG   ( 1045):
I/DEBUG   ( 1045): code around lr:
I/DEBUG   ( 1045): 800018f0 23dfe2da 449d009b 4690bc3c 46a24699
I/DEBUG   ( 1045): 80001900 bdf046ab 683b4647 99021c06 46406fdb
I/DEBUG   ( 1045): 80001910 683d4798 4b8a4a89 20841c01 447a582d
I/DEBUG   ( 1045): 80001920 4640447b 683947a8 1c022388 464058cb
I/DEBUG   ( 1045): 80001930 47989902 23a9683a 58d3009b 22001c01
I/DEBUG   ( 1045):     bee6fa44  b0009e30
I/DEBUG   ( 1045):     bee6fa48  b00094c4
I/DEBUG   ( 1045):     bee6fa4c  00000016
I/DEBUG   ( 1045):     bee6fa50  afb01e10  /system/lib/libm.so
I/DEBUG   ( 1045):     bee6fa54  000160f4
I/DEBUG   ( 1045):     bee6fa58  afb00000  /system/lib/libm.so
I/DEBUG   ( 1045):     bee6fa5c  b0009e30
I/DEBUG   ( 1045):     bee6fa60  afb01c01  /system/lib/libm.so
I/DEBUG   ( 1045):     bee6fa64  07902248
I/DEBUG   ( 1045):     bee6fa68  b0009d18
I/DEBUG   ( 1045):     bee6fa6c  b00037fb  /system/bin/linker
I/DEBUG   ( 1045):     bee6fa70  b00102d0
I/DEBUG   ( 1045):     bee6fa74  b0009d18
I/DEBUG   ( 1045):     bee6fa78  07902248
I/DEBUG   ( 1045):     bee6fa7c  ffffffe0
I/DEBUG   ( 1045):     bee6fa80  80000bc5  /data/local/libframalib.so
I/DEBUG   ( 1045):     bee6fa84  80008e5c
I/DEBUG   ( 1045):     bee6fa88  b0009468
I/DEBUG   ( 1045):     bee6fa8c  b00038d5  /system/bin/linker
I/DEBUG   ( 1045):     bee6fa90  afb007b0  /system/lib/libm.so
I/DEBUG   ( 1045):     bee6fa94  afb01630  /system/lib/libm.so
I/DEBUG   ( 1045):     bee6fa98  b000fc94
I/DEBUG   ( 1045):     bee6fa9c  b000fc94
I/DEBUG   ( 1045):     bee6faa0  00000000
I/DEBUG   ( 1045):     bee6faa4  bee6fb0c
I/DEBUG   ( 1045):     bee6faa8  00000000
I/DEBUG   ( 1045):     bee6faac  b0009ae8
I/DEBUG   ( 1045):     bee6fab0  b00094c4
I/DEBUG   ( 1045):     bee6fab4  00000015
I/DEBUG   ( 1045):     bee6fab8  80001150  /data/local/libframalib.so
I/DEBUG   ( 1045):     bee6fabc  00008ff0  /data/local/sploit
I/DEBUG   ( 1045):     bee6fac0  afd41524
I/DEBUG   ( 1045):     bee6fac4  bee6fb48
I/DEBUG   ( 1045):     bee6fac8  00000008
I/DEBUG   ( 1045):     bee6facc  00000000
I/DEBUG   ( 1045):     bee6fad0  00000000
I/DEBUG   ( 1045):     bee6fad4  00000011
I/DEBUG   ( 1045):     bee6fad8  00002180
I/DEBUG   ( 1045):     bee6fadc  00000001
I/DEBUG   ( 1045):     bee6fae0  000007d0
I/DEBUG   ( 1045):     bee6fae4  000007d0
I/DEBUG   ( 1045):     bee6fae8  00001000
I/DEBUG   ( 1045):     bee6faec  00000408
I/DEBUG   ( 1045):     bee6faf0  0000b000
I/DEBUG   ( 1045):     bee6faf4  00000000
I/DEBUG   ( 1045):     bee6faf8  afd4d5e8
I/DEBUG   ( 1045):     bee6fafc  00000800
I/DEBUG   ( 1045):     bee6fb00  00000001
I/DEBUG   ( 1045):     bee6fb04  bee6fb14
I/DEBUG   ( 1045):     bee6fb08  afd16fd7  /system/lib/libc.so
I/DEBUG   ( 1045):     bee6fb0c  00005401
I/DEBUG   ( 1045):     bee6fb10  bee6fb18
I/DEBUG   ( 1045):     bee6fb14  afd41524
I/DEBUG   ( 1045):     bee6fb18  00000500
I/DEBUG   ( 1045):     bee6fb1c  00000005
I/DEBUG   ( 1045):     bee6fb20  000000bf
I/DEBUG   ( 1045):     bee6fb24  00008a3b  /data/local/sploit
I/DEBUG   ( 1045):     bee6fb28  7f1c0300
I/DEBUG   ( 1045):     bee6fb2c  01000415
I/DEBUG   ( 1045):     bee6fb30  1a131100
I/DEBUG   ( 1045):     bee6fb34  170f1200
I/DEBUG   ( 1045):     bee6fb38  00000016
I/DEBUG   ( 1045):     bee6fb3c  93156a52
I/DEBUG   ( 1045):     bee6fb40  afd42684
I/DEBUG   ( 1045):     bee6fb44  bee6fbb4
I/DEBUG   ( 1045):     bee6fb48  afd42684
I/DEBUG   ( 1045):     bee6fb4c  0000b008
I/DEBUG   ( 1045):     bee6fb50  00000046
I/DEBUG   ( 1045):     bee6fb54  afd183d9  /system/lib/libc.so
I/DEBUG   ( 1045):     bee6fb58  afd42684
I/DEBUG   ( 1045):     bee6fb5c  00000001
I/DEBUG   ( 1045):     bee6fb60  afd3ab87  /system/lib/libc.so
I/DEBUG   ( 1045):     bee6fb64  afd18425  /system/lib/libc.so
I/DEBUG   ( 1045):     bee6fb68  afd42684
I/DEBUG   ( 1045):     bee6fb6c  afd192bb  /system/lib/libc.so
I/DEBUG   ( 1045):     bee6fb70  afd42684
I/DEBUG   ( 1045):     bee6fb74  00000000
I/DEBUG   ( 1045):     bee6fb78  323339a4
I/DEBUG   ( 1045):     bee6fb7c  93156a52
I/DEBUG   ( 1045):     bee6fb80  0000000a
I/DEBUG   ( 1045):     bee6fb84  00000000
I/DEBUG   ( 1045):     bee6fb88  00000000
I/DEBUG   ( 1045):     bee6fb8c  00009fd4
I/DEBUG   ( 1045):     bee6fb90  000003ab
I/DEBUG   ( 1045):     bee6fb94  0000b410
I/DEBUG   ( 1045):     bee6fb98  00000004
I/DEBUG   ( 1045):     bee6fb9c  93156a52
I/DEBUG   ( 1045):     bee6fba0  00000000
I/DEBUG   ( 1045):     bee6fba4  00000000
I/DEBUG   ( 1045):     bee6fba8  00000000
I/DEBUG   ( 1045):     bee6fbac  00000000
I/DEBUG   ( 1045):     bee6fbb0  bee6fbfc
I/DEBUG   ( 1045):     bee6fbb4  00009fd4
I/DEBUG   ( 1045):     bee6fbb8  bee6fc34
I/DEBUG   ( 1045):     bee6fbbc  00000004
I/DEBUG   ( 1045):     bee6fbc0  bee6fc48
I/DEBUG   ( 1045):     bee6fbc4  80001fdf  /data/local/libframalib.so

EDIT:

Interestingly with exploit Pippin it did not crash, but it also didn't have any effect...
 

johnnie_w

Senior Member
Aug 4, 2007
55
22
Not sure if this can be of any help, but attached the output of dmesg on the SCT.
 

Attachments

  • dmesg_sct.txt
    29.1 KB · Views: 17

gekkekoe123

Senior Member
Sep 23, 2010
280
103
Not sure if this can be of any help, but attached the output of dmesg on the SCT.


Did you also try first arg 1 ? Because I don't see /dev/stuff going on in the stack.

so:
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 0
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 1
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 2
adb shell LD_LIBRARY_PATH=/data/local /data/local/sploit 1 Gimli 3

? Only the Gimli exploit probably will work on SCT
You should be able to see super user apk appearing
 

Top Liked Posts

  • 21
    Volvo Sensus Connected Touch (SCT) is a new car audio-navi system based on systems from Parrot. SCT has hardware and software from Parrot, but is not exactly the same. In general it has some more restrictions built in by Volvo.
    The system is based on the Parrot FC6100 (not the Parrot Asteroid Smart as was first believed). Looking at the Installation manual for Sensus Connected Touch (ACU) Accessory, Part Number: 31399165, the form factor is closest to the Parrot Asteroid Tablet (PAT). The only similarity that the SCT has with the PAS is Parrot's custom base of the Android 2.3 branch, which is also shared by the PAT. So, if anything, it is more analogous to the Parrot Asteroid Tablet (PAT) than the Parrot Asteroid Smart. (thanks to Donaldta, see post) (Link to the Volvo V40 (MY14) SCT installation manual, also attached to this post as pdf)

    This is how the hardware of the SCT looks if outside of the car (thanks to @AAT):





    This thread is research and development on several topics and has already some nice answers:
    The starting questions:
    1. How to get ADB working y
    2. How to install .apk files y
    3. How to root y

    WARNING!:
    The below mentioned method is an experimental way of rooting. Rooting your SCT involves some Android knowledge. Me, the developers and anyone in this topic are not responsible for typos or any damage that may occur when you follow these instructions.
    ROOTING means you have complete control over the android system. This also means you can do damage to it.

    Security warning:
    The SCT has ADB over WIFI enabled by default. Never ever connect your Volvo SCT to an unknown and/or untrusted network! Anyone connected to that same network can harm your Volvo SCT. The same applies for connecting unknown people to a known/trusted network of yours.
    Security warning 2:
    If you ROOTED your SCT, you are extra vulnerable to the above. Anyone with ADB on the same network has complete control over your SCT!


    WARNING!

    Do NOT attempt to replace the SCT's BUSYBOX executable or the command symlinks to it. Another user in this forum just sent me a private message stating that they tried this on their SCT and can no longer mount USB drives or connect to ADB over WiFi. Apparently, they also do not have a File Explorer or a Terminal Emulator installed so it seems this is going to be nearly impossible to fix and will most likely be required to swap it at the dealer.
    See message from @donaldta : Message




    The below answers are not yet completely reviewed and tested. The answers will be reviewed in the next days. In any case the instructions below are delivered "as is" and have no guarantee. If you follow the instructions below, you are responsible for your own actions. So, before you do so, understand, or at least try to, what you are doing. If you have questions or have recommendations, post them in the topic.

    The answers and instructions below are constructed from the work of @gekkekoe123 and @donaldta and the trial and error experiments of the first users of the SCT (see first pages of the topic)
    This means everyone using these instructions must give BIG THANKS TO @gekkekoe123 and @donaldta


    Instructions to root and install apps:

    Note: Instructions are tested on specific versions of the Volvo SCT
    It is possible that these instructions below are not (yet) working on other versions: Other continents, newer versions etc.
    If you tested it on a different continent + version, let me know, so I can put it here.

    Available versions:
    EU
    -1.47.88 - Tested
    -1.47.96 - Tested
    -1.49.34 - Tested
    • One click script version 4 in attachments cmd-frama-menu-4.zip (4.62 MB)
      One-click script with menu provided by @gekkekoe123 and @donaldta
      Oneclick , latest version, script is discussed from here


      It is rather simple as long as You have the SENSUS CONNECTED TOUCH and a PC (prefer a laptop) which You need to connect to the same network.

      How to:
      1. Preparing
      *Download the: cmd-frama-menu-4.zip from the page 1, first post attachments. LINK: http://xdaforums.com/attachment.php?attachmentid=2636951&d=1395149723

      2. Follow the instructions
      The instructions are rather simple.
      -Connect your SCT to the same Wifi network as your PC. This wifi network can be your home network or your local hotspot from your phone.
      -Unzip the (cmd-frama-menu-4.zip) and start menu.bat found in the folder "menu"
      - After starting menu.bat on your pc it will ask:
      Code:
      Input {IP Address of Android Device} or USB:
      Type in the IP address of the SCT, can be found when You go to the settings on SCT -> WIFI -> and click on the connected network (starts with 192.-).
      After that the menu looks like this: (Now just type in: 1 and wait a bit so it will say complete, then type in 2 and wait a bit until complete and so on, until step 6 when the SCT will restart itself)
      Code:
      1 - Copy Framaroot files and execute.
      2 - Install remount.sh into /system/xbin and remount as writeable.
      3 - Alter /system/build.prop to ro.parrot.install-all=true
      4 - Install Google Framework & Android Market
      5 - Install rewhitelist.sh/setpropex/patch init.parrot.capabilities.sh
      6 - Reboot Android Device
      7 - Install Android Packages from APKs folder.
      8 - Android Debug Bridge Shell
      9 - Save ADB Bugreport to Disk
      R - Input connection information & retry ADB connect.
      Q - Quit
      Run steps 1 through 6 in order to root the SCT.
      Step 7 is optional and will install all APKs you have placed inside the APKs folder in your unzipped menu.zip folder on your PC.
      Step 8 is for manual commands or troubleshooting.
      Step 9 is for troubleshooting.
      Step R is only needed when the connection to the SCT seems lost.

      3. You should have now a rooted SCT.

      4. Installing applications
      I noticed that lots of Apps from Google Play Store can not be downloaded directly to the SCT (because the SCT is not in the available list of the apps) so a easy way is to download the Applications as ".apk" files from the PC (You can find the desired app from: http://www.appsapk.com/ or http://www.androiddrawer.com/ for example).
      Then copy-paste these .apk files(make sure they do not have any spaces in the filenames) to the folder "APKs" found in the downloaded unzipped folder "cmd-frama-menu-4". To install them, run the menu.bat again and once connected with the SCT again run the step 7 to install the applications You copied to the APK folder.

      If you want to install apps using the Google Play Store that are larger than 7MB or so, you need to remap the cache directory to the SD card:
      Code:
      remount.sh cache-sd
      Then after the app installation has finished, but before you start the app, remap the cache directory to the internal SCT memory:
      Code:
      remount.sh cache-og

      5. Enable displaying applications while driving (disable safety feature)
      1. Download Android Terminal Emulator from Google Play Store on Your rooted SCT.
      2. Once installed, run Android Terminal Emulator under Applications
      3. touch the screen - the keyboard pops up
      4. Type in "su" press ENTER
      5. It should ask whether You allow Superuser or not, choose the "Allow" option.
      6. Type in "rewhitelist.sh" press ENTER
      7. Type in "reboot" press ENTER

      6. Enable Google Maps and Voice Search
      First install google.maps.6.14.4.apk by the method explained above. Then copy libvoicesearch.so to /system/lib and install Voice_Search_2.1.4.apk. These files can be found in Voice_Search_2.1.4.zip.
      Here is an example of how to do this with adb:
      Code:
      adb connect [ip of your SCT]
      adb push google.maps.6.14.4.apk /mnt/sdcard
      adb install /mnt/sdcard/google.maps.6.14.4.apk
      adb push libvoicesearch.so /mnt/sdcard
      adb shell su -c 'remount.sh system-rw'
      adb shell su -c 'cp /mnt/sdcard/libvoicesearch.so /system/lib'
      adb shell su -c 'chmod 644 /system/lib/libvoicesearch.so'
      adb push Voice_Search_2.1.4.apk /mnt/sdcard
      adb install /mnt/sdcard/Voice_Search_2.1.4.apk
      Now #reboot# and Google Maps and Voice Search should be working.


      Now You should be done. Happy downloading and drive safely. :)

      Older instructions, just for reference here, do not follow anymore.

      [*]One-click script with menu provided by @gekkekoe123 and @donaldta
      This one-click script with menu options is here

      [*]One click script for version 1.49.34: http://xdaforums.com/showthread.php?p=50846498
      Actually it was fine (since we are in the root folder), but since I was too lazy, I used your file. I had to correct the "true" to 1.
      I also changed the menu to do this. I removed the set prop option, it's not needed anymore. Setpropex should also work on older versions.

      Btw, I did the upgrade manually using adb shell, and did not use the menu.bat.
      So if anyone could test it or double check the menu.bat file, it should be fine. I translated the manual commands back into the menu.bat

      My SCT is upgraded and I am able to install apks :) Let's find out if waze lost of data is fixed. Also adjusting screen dpi is still working. But we now have setpropex so we can override everything ;)

      When you finished step 5, you need to reboot in order to be able to install apks.

      As always: no guarantee and at your own risk when using the tools



      Manual instructions and commands:

      1. Detailed instructions how to get ADB working between your pc and SCT
        1. Download the Android SDK, it contains the necessary tools like ADB.exe and Monitor.bat (Download page Android SDK)
        2. Install the android SDK
        3. If you are using windows: set the installation path of your SDK\platform-tools\ in your windows environment variables. So, add c:\\SDK\Platform-tools\ to it. (More instructions on this point)
        4. Now connect your SCT to a Wifi network and also connect your laptop/pc to the same wifi network. This network can be your home network, or for example the wifi network you create with your phone wifi-tether function.
        5. Go into the SCT>Settings>Wifi and click on your connection details. Find out the IP address of your SCT. (example, it would be something like 192.168.43.x if you are using wifi tether from your android phone. )
        6. Now on your pc, open the command line (cmd). Easiest is to click with shift-button hold and with Right-Mouse-Button on the folder where the files reside you want to transfer to the SCT (see instructions further for rooting). After RMB click, choose option: open command line here.
        7. Now type:
          Code:
          adb connect $IPADDRESS
          Replace $IPADDRESS with the IP from the previous step.
        8. ADB is now connected and you are ready to type the instructions for rooting.
          Code:
          D:\sdk\platform-tools>adb connect 192.168.43.5
          connected to 192.168.43.5:5555


      2. Detailed instructions how to Root SCT
        1. Download the cmd-frama-working.zip from the attachments
          Attachment
        2. Unzip it into a folder (example: d:\sct\ )
        3. Open the commandline in this folder
        4. Connect to adb (see instructions above)
        5. Do the following commands (line by line):
          Usage:
          Code:
          adb push libframalib.so /data/local/.
          adb push sploit.jar /data/local/.
          adb shell mkdir /data/local/tmp/dalvik-cache
          adb shell ANDROID_DATA=/data/local/tmp LD_LIBRARY_PATH=/data/local dalvikvm -cp /data/local/sploit.jar com.alephzain.framaroot.FramaAdbActivity Gimli 0
          [or]
          adb shell ANDROID_DATA=/data/local/tmp LD_LIBRARY_PATH=/data/local dalvikvm -cp /data/local/sploit.jar com.alephzain.framaroot.FramaActivity Gimli 0
          See post here and thank developer!
        6. Now you are rooted:
          Code:
          cmd line frama root by Gekkekkoe
          Credits to alephzain for Framalib
          using Exploit: Gimli choice: 0
          Executing Check
          idx: 0 value: Gimli
          idx: 1 value: Aragorn
          Executing Check Completed
          No such user 'root:root'
          No such user 'root:root'
          Result: 0
        7. Test root by command:
          Code:
          adb shell
          su
          id
          On the SCT you will get a screen of SuperSU, asking if shell may have root access privileges. Say yes.
        8. exit the su and shell using
          Code:
          exit
          exit
        9. Reboot the SCT
          If you are still within shell, just use
          Code:
          reboot
          If you are on command line again, use
          Code:
          adb reboot
      3. Detailed instructions how to get Google framework and Google Play (market) on the SCT
        1. Download the files for framework and market

          Framework
          Market
        2. Push them to your SCT
          Code:
          adb shell su root -c 'mount -o remount,rw ubi0:system /system'
          adb push GoogleServicesFramework-2.2.1.apk /data/local/.
          adb push Market-3.3.11.apk /data/local/.
          adb shell
        3. Now install them
          Code:
          cp /data/local/*.apk /system/app/.
          chmod 644 /system/app/GoogleServicesFramework-2.2.1.apk
          chmod 644 /system/app/Market-3.3.11.apk
          reboot
        4. After reboot, connect the SCT to internet
        5. Open the google market on your SCT (in the applications drawer)
        6. Log in with your google credentials
        7. Accept terms and conditions
        8. Be sure to stay connected to internet, google market will update itself after some minutes
        9. Connect Adb and force SCT to reboot again.
        10. Open Market/Play and Accept terms and conditions again! (now for the updated versions)
        11. Wait for some time, it will again update itself again.
        12. Open adb, force reboot again
        13. Last time open Play (It should be named Play now, since it is updated, if it is not, wait longer and try previous steps again)
        14. Go into My Apps, update SuperSu
        15. After update, open SuperSu from your app drawer
        16. It will ask to update SuperSu Binary, use Normal Method
        17. Say thanks to Chainfire for the SuperSu :)
        18. In settings, you can disable the popup that will ask if you want to run an App that is using root. Can be convenient, but also dangerous (apps can use root even without notifying you.)

      4. Detailed instructions for installation of other apps
        1. We have to enable installing all apps on SCT. Warning, this means editing the build.prop, which is vital to the system. Typing errors can result in a system that will not boot correctly.


          More methods apply here, use one which is convenient to you:
        2. Fast method:
          Code:
          adb shell
          mount -o remount,rw ubi0:system /system
          sed -i 's/ro.parrot.install.allow-all=false/ro.parrot.install.allow-all=true/' /system/build.prop
        3. Slow method, more control, moderate risk:
          Code:
          adb pull /system/build.prop
          edit content and set to true. Content of the file should look like this
          Code:
          #TODO Set to false for prod #Package install limitations. Set to false to allow only the install of verified packages 
          ro.parrot.install.allow-all=true
          replace build.prop with proper one.
          Code:
          adb shell su root -c 'mount -o remount,rw ubi0:system /system'
          adb push build.prop /system/build.prop
          If above does not work, use method like the google framework.
        4. Third method: install ES file explorer, use the rooting functions of this app to edit build.prop
          Instructions in this post and this post
      5. Detailed instructions how to install APK files
        1. Method 1: Use google play
        2. Method 2: If not available on google play, use a Google Play APK downloader on your pc and install using the
          Code:
          adb install
          or using
          ES Fileexplorer mentioned above
      6. Detailed instructions how to make apps available during driving

        All apps are behind a security wall of the SCT. When driving >5km/h, all apps not listed in the whitelist.xml will be disabled. To enable your installed apps you have to edit the whitelist.xml
        Warning: it is a safety feature you are disabling now, it is your own responsibility when using apps during driving

        1. Slow method:
        2. Get the whitelist.xml from your SCT

          Code:
          adb pull /system/etc/whitelist.xml
        3. Find out which packages are installed and have to be listed there:
          Code:
          adb shell
          pm list packages
          Other method, look to the url of google play on your pc, see bold part: https://play.google.com/store/apps/details?id=com.estrongs.android.pop
        4. List the packages by adding new lines with the package names
        5. Edit the whitelist.xml using a smart text editor. Preferably use Notepad++
        6. Copy the whitelist back to SCT

          Code:
          adb push whitelist.xml /data/local
          adb shell
          su
          mount -o remount,rw ubi0:system /system
          cp /data/local/whitelist.xml /system/etc
          reboot



          Scripted method:
        7. Download script
        8. Instructions in this post



    • FAQ
      1. Audio is not working when using application X
        This is a feature or limitation by design
        - TomTom and other navigation apps will break Sound/Audio due to this feature.
      2. If you have more, PM me or react in topic

    • TIPS
      1. Use a USB keyboard in combination with ES file explorer or a Shell app to edit files on the system.
      2. If you have more, PM me or react in topic








    Informational links:

    Information about SCT:
    http://www.volvocars.com/intl/sales-services/sales/sensus-connected-touch/pages/default.aspx
    Official FAQ of SCT:
    http://www.volvocars.com/intl/top/support/pages/sensus-connected-touch-faq.aspx
    Dutch experiences with SCT:
    http://www.volvo-forum.nl/viewtopic.php?t=54935&postdays=0&postorder=asc&start=0


    SCT update files:
    http://www.parrot.com/nl/support/sensus-connected-touch
    Current version: All regions - 1.49.34

    How to unpack the update (.plf) files:
    Download the plftool
    Basically, download, unzip, and go into the command line, the binaries directory and use the command syntax, "plftool -i -o "
    And please take the time to thank hoppy_barzed for hosting it for us and for loveshackdave for providing the tool to use it.


    Linked topic of Parrot Asteroid Smart:
    http://xdaforums.com/showthread.php?t=2118432
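For the build.prop edit in section 4 of the manual instructions above (where a typing error "can result in a system that will not boot correctly"), the following is an added example, not part of the original post or of the posted scripts: it sets the property in a pulled copy without touching any other byte and checks a hand-edited copy against the pulled original before it is pushed back. Only the property name comes from the post; the function names, the sample file contents and the choice to reject carriage returns and a missing final newline are assumptions made for this example.

```python
import sys

# Property name as shown in the post; everything else here is illustrative.
KEY = b"ro.parrot.install.allow-all"

# Constructed sample, not a dump of a real SCT build.prop.
SAMPLE = (
    b"# begin build properties\n"
    b"ro.build.display.id=SAMPLE\n"
    b"#TODO Set to false for prod\n"
    b"ro.parrot.install.allow-all=false\n"
    b"ro.sf.lcd_density=160\n"
)


def find_key_lines(lines, key):
    """Indexes of active (non-comment) lines that assign `key`."""
    hits = []
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith(b"#") or b"=" not in stripped:
            continue
        if stripped.split(b"=", 1)[0].strip() == key:
            hits.append(i)
    return hits


def set_prop(data, key=KEY, value=b"true"):
    """Return `data` with the single `key=` line set to `value`.

    Works on bytes so that every other line is preserved exactly.
    Raises ValueError when the edit would be ambiguous.
    """
    if b"\r" in data:
        raise ValueError("carriage return found; pull a fresh copy")
    if not data.endswith(b"\n"):
        raise ValueError("no final newline; the file may be truncated")
    lines = data.split(b"\n")
    hits = find_key_lines(lines, key)
    if len(hits) != 1:
        raise ValueError("expected one active %s line, found %d"
                         % (key.decode(), len(hits)))
    lines[hits[0]] = key + b"=" + value
    return b"\n".join(lines)


def diff_lines(old, new):
    """List of (line_number, old_line, new_line) for each differing line."""
    a, b = old.split(b"\n"), new.split(b"\n")
    if len(a) != len(b):
        raise ValueError("line count changed from %d to %d" % (len(a), len(b)))
    return [(n, x, y) for n, (x, y) in enumerate(zip(a, b), start=1) if x != y]


def safe_to_push(old, new, key=KEY):
    """True if `new` differs from `old` in at most the one `key` line."""
    if b"\r" in new or not new.endswith(b"\n"):
        return False          # editor changed line endings or cut the file
    try:
        changes = diff_lines(old, new)
    except ValueError:
        return False          # a line was added or deleted
    allowed = {key + b"=true", key + b"=false"}
    return len(changes) <= 1 and all(y in allowed for _, _, y in changes)


if __name__ == "__main__":
    # Usage: python buildprop_check.py ORIGINAL EDITED
    if len(sys.argv) != 3:
        sys.exit("usage: buildprop_check.py ORIGINAL EDITED")
    with open(sys.argv[1], "rb") as f:
        original = f.read()
    with open(sys.argv[2], "rb") as f:
        edited = f.read()
    ok = safe_to_push(original, edited)
    print("safe to push" if ok else "do NOT push: unexpected differences")
    sys.exit(0 if ok else 1)
```

Keep the pulled original next to the edited copy so that the comparison, and a restore, remain possible.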
    7
    Google Street View

    Alright, as I sit in the eve of the New Year, I will bid you all farewell to the old and welcome in the new. To commemorate this event, I will leave you with a parting/welcoming gift. Attached is a copy of the Google Street View APK. While it does not provide an icon in the app drawer, it does enable 360° Street View within Google Nav (which is a part of the Google Maps version 6.14.4 that's compatible with Gingerbread).

    6
    Well, adb install still won't work. What part do you mean?

    Euh you have basically full control over the unit now.
    - You can now allow install from unknown sources.
    - you can install google playstore... and Get TOMTOM on it :)
    - See the parrot thread, once you have root

    I cleaned up the code. Attached is the working version.
    I will make a version that autodetects and exploits. But that's for the coming days :)

    Usage:
    Code:
    adb push libframalib.so /data/local/.
    adb push sploit.jar /data/local/.
    adb shell mkdir /data/local/tmp/dalvik-cache
    adb shell ANDROID_DATA=/data/local/tmp LD_LIBRARY_PATH=/data/local dalvikvm -cp /data/local/sploit.jar com.alephzain.framaroot.FramaAdbActivity Gimli 0
    [or]
    adb shell ANDROID_DATA=/data/local/tmp LD_LIBRARY_PATH=/data/local dalvikvm -cp /data/local/sploit.jar com.alephzain.framaroot.FramaActivity Gimli 0
    6
    Here are all the free APKs from the Asteroid Market available to me for the Smart ...and the rest of them are too large to share as an attachment.

    Okay, it suddenly occurred to me that 7-zip can split files to help in situations where there is an upload size limitation. I've split the rest of the oversized APKs into equal parts and included them with this post. I had to append the extra ".zip" extension in order to upload them, so you'll need to remove the extension after downloading them in order for 7-zip to detect them as split parts and combine them.
    6
    OK, I took the risk. Installed the Volvo update this morning. Rerooted (without any problems) and after a second reboot found that ADW is still installed with all my apps.

    Happy updating all!