Bad news regarding the audio ril scene.
As I suspected, audio.primary.smdk4x12 does not do anything with libsecril-client. This is what makes our devices so different from all the Exynos GSM (non-LTE) variants of the S3 and Note 2. This means that the source code under hardware/samsung is basically useless for us.
What does it use instead? It interfaces with libaudio-ril.so, which in turn calls some functions in libcsd-client.so. libcsd-client then talks to our Qualcomm RIL libraries and sets up the proper voice path. The closest thing we have is Google's own Qualcomm ALSA implementation that exists in hardware/qcom/audio. Google themselves are symlinking functions to libcsd-client at runtime, so we know for certain that libcsd-client is a Qualcomm proprietary and is closed source.
Wait, maybe libaudio-ril is so similar to the other phone's libsecril-client? Nope. Looking at the symbols the library provides, it has really nothing to do with libsecril-client:
Dynamic symbol table from libaudio-ril.so:
Code:
DYNAMIC SYMBOL TABLE:
00002d80 w DO .data.rel.ro 00000064 _ZTVN7android8AudioRilE
00000000 DF *UND* 00000000 __aeabi_unwind_cpp_pr0
0000105d g DF .text 00000004 _ZN7android6QmiCsd4initEv
0000105d g DF .text 00000004 _ZN7android6QmiCsd5closeEv
0000105d g DF .text 00000004 _ZN7android6QmiCsd15checkConnectionEv
00001067 g DF .text 00000002 _ZN7android6QmiCsd16setVoiceSolutionEv
0000106d g DF .text 00000004 _ZN7android6QmiCsd14setExtraVolumeEb
00001071 g DF .text 00000024 _ZN7android6QmiCsd14setScoSolutionEbi
00001095 g DF .text 0000000a _ZN7android6QmiCsd14closeVoicePathEii
00000000 DF *UND* 00000000 __aeabi_unwind_cpp_pr1
0000109f g DF .text 0000000a _ZN7android6QmiCsd15isLoopbackStartEv
000010a9 g DF .text 000000dc _ZN7android6QmiCsd14setDhaSolutionERKNS_7String8E
00000000 DF *UND* 00000000 memset
00000000 DF *UND* 00000000 strlen
00000000 DF *UND* 00000000 memcpy
00000000 DF *UND* 00000000 strtok_r
00000000 DF *UND* 00000000 atoi
00000000 DF *UND* 00000000 ss_audio_SetDhaSolution
00000000 DF *UND* 00000000 __android_log_print
00000000 DF *UND* 00000000 __stack_chk_fail
00000000 DO *UND* 00000000 __stack_chk_guard
00001185 g DF .text 00000028 _ZN7android6QmiCsd13setStartVoiceEv
00000000 DF *UND* 00000000 csd_client_start_voice
000011ad g DF .text 000001a8 _ZN7android6QmiCsd11setLoopbackEiii
00000000 DF *UND* 00000000 csd_client_pcm_loopback_stop
00000000 DF *UND* 00000000 ss_audio_packet_loopback_stop
00000000 DF *UND* 00000000 csd_client_stop_voice
00000000 DF *UND* 00000000 csd_client_pcm_loopback_start
00000000 DF *UND* 00000000 ss_audio_packet_loopback_start
00000000 DF *UND* 00000000 csd_client_switch_device
00001355 g DF .text 00000028 _ZN7android6QmiCsd9setRxMuteEb
00000000 DF *UND* 00000000 csd_client_stream_mute
0000137d g DF .text 0000002c _ZN7android6QmiCsd8setWbamrEb
00000000 DF *UND* 00000000 ss_audio_set_network_id
000013a9 g DF .text 00000040 _ZN7android6QmiCsd14setVoiceVolumeEif
00000000 DF *UND* 00000000 csd_client_volume_index
00000000 DF *UND* 00000000 _ZdlPv
00001405 g DF .text 00000028 _ZN7android6QmiCsdD2Ev
00000000 DF *UND* 00000000 pthread_mutex_destroy
0000142d g DF .text 00000012 _ZN7android6QmiCsdD0Ev
00001405 g DF .text 00000028 _ZN7android6QmiCsdD1Ev
0000143f g DF .text 00000018 _ZN7android6QmiCsd10setDualMicEb
00001459 g DF .text 0000006c _ZN7android6QmiCsd12setTtyDeviceEiii
00000000 DF *UND* 00000000 csd_client_tty
000014c5 g DF .text 0000004c _ZN7android6QmiCsd9setTxMuteEb
00000000 DF *UND* 00000000 csd_client_mic_mute
00001511 g DF .text 00000198 _ZN7android6QmiCsd12setVoicePathEii
00000000 DF *UND* 00000000 pthread_mutex_lock
00000000 DF *UND* 00000000 pthread_mutex_unlock
000016a9 g DF .text 00000044 _ZN7android6QmiCsdC2Ev
00000000 DF *UND* 00000000 pthread_mutex_init
00002de8 g DO .data.rel.ro 00000064 _ZTVN7android6QmiCsdE
000016a9 g DF .text 00000044 _ZN7android6QmiCsdC1Ev
000016ec g DF .text 0000000c __on_dlclose
00000000 DF *UND* 00000000 __cxa_finalize
00003000 g D .bss 00000000 __dso_handle
00002e50 g D .init_array 00000000 __INIT_ARRAY__
00002e58 g D .fini_array 00000000 __FINI_ARRAY__
00003000 g D *ABS* 00000000 _edata
00003000 g D *ABS* 00000000 __bss_start
00003010 g D *ABS* 00000000 _end
and libcsd-client.so (Google calls functions like csd_client_start_voice explicitly):
Code:
DYNAMIC SYMBOL TABLE:
00000000 DF *UND* 00000000 __android_log_print
00000000 DF *UND* 00000000 __aeabi_unwind_cpp_pr0
00000000 DF *UND* 00000000 pthread_mutex_lock
00000000 DF *UND* 00000000 pthread_cond_signal
00000000 DF *UND* 00000000 pthread_mutex_unlock
00000000 DF *UND* 00000000 memset
00000000 DF *UND* 00000000 strlcpy
00000000 DF *UND* 00000000 qmi_client_send_msg_sync
00000000 DF *UND* 00000000 __stack_chk_fail
00000000 DO *UND* 00000000 __stack_chk_guard
00004969 g DF .text 00000028 csd_get_service_object_internal_v01
00000000 DF *UND* 00000000 qmi_client_notifier_init
00000000 DF *UND* 00000000 qmi_client_get_service_list
00000000 DF *UND* 00000000 pthread_cond_wait
00000000 DF *UND* 00000000 qmi_client_release
00000000 DF *UND* 00000000 qmi_client_init
00000000 DF *UND* 00000000 qmi_client_register_error_cb
00000000 DF *UND* 00000000 clock_gettime
00000000 DF *UND* 00000000 pthread_cond_timedwait
00000000 DF *UND* 00000000 qmi_client_send_msg_async
00000000 DF *UND* 00000000 __aeabi_unwind_cpp_pr1
00003281 g DF .text 00000624 csd_client_start_voice
000038a5 g DF .text 00000128 csd_client_enable_device
000039cd g DF .text 000000c8 csd_client_disable_device
00003a95 g DF .text 000000b0 csd_client_start_record
00003b45 g DF .text 000000a4 csd_client_stop_record
00003be9 g DF .text 000000a8 csd_client_start_playback
00003c91 g DF .text 00000098 csd_client_stop_playback
00003d29 g DF .text 000000c8 csd_client_volume
00003df1 g DF .text 00000064 csd_client_mic_mute
00003e55 g DF .text 0000004c csd_client_wide_voice
00003ea1 g DF .text 0000006c csd_client_slow_talk
00003f0d g DF .text 0000006c csd_client_fens
00003f79 g DF .text 00000084 csd_client_volume_index
00003ffd g DF .text 000001b0 csd_client_switch_device
000041ad g DF .text 00000060 csd_client_stream_mute
0000420d g DF .text 00000208 csd_client_pcm_loopback_start
00004415 g DF .text 00000134 csd_client_pcm_loopback_stop
00004549 g DF .text 00000060 csd_client_tty
000045a9 g DF .text 00000078 csd_client_deinit_lb
00004621 g DF .text 00000094 csd_client_init_lb
000046b5 g DF .text 000002b4 csd_client_stop_voice
0000a010 g DO .bss 00000004 csd_condition
0000a014 g DO .bss 00000004 csd_cond_mutex
0000a07c g DO .bss 00000004 csd_state_mutex
00009630 g DO .data.rel.ro.local 00000030 csd_qmi_idl_service_object_v01
00000000 DO *UND* 00000000 common_qmi_idl_type_table_object_v01
00004990 g DF .text 0000000c __on_dlclose
00000000 DF *UND* 00000000 __cxa_finalize
0000a080 g D .bss 00000000 __dso_handle
00009e7c g D .init_array 00000000 __INIT_ARRAY__
00009e84 g D .fini_array 00000000 __FINI_ARRAY__
0000a008 g D *ABS* 00000000 _edata
0000a008 g D *ABS* 00000000 __bss_start
0000a090 g D *ABS* 00000000 _end
I was thinking we could skip libaudio-ril.so altogether and call functions in libcsd-client just like Google does. Problem is, the audio libcsd functions are made for Qualcomm-based chipsets, and Samsung mashes up functions from their own Exynos ALSA implementation (for everything except RIL) with some functions via libaudio-ril.so to interact with Qualcomm's stuff. Unfortunately, trying to guess what exactly is happening (which functions are being called, what the function signatures are exactly (parameters, return values) and in what order they are called) is nearly impossible. We can try abandoning the entire Exynos audio implementation and pretend to be Qualcomm. Basically that will give us the Qualcomm libraries that Google uses for the Nexus 4, for example, but I highly doubt that this will even work given the very different hardware, so I didn't pursue that path.
How to fix this?
1. Get the sources for the library (audio.primary.smdk4x12) that we use from Samsung. After all, the other Exynos GSM phones do have that library open sourced somehow, although it is not applicable or complete for us. I'm not sure who to contact about that.
2. Some genius reverse engineers audio.primary to figure out what exactly is going on. This is time consuming and is way beyond my league.
3. Mix the Exynos audio.primary with the Qualcomm audio.primary to try and get things rolling. To me though, the odds of getting this working are very slim. You'll be shooting in the dark. Maybe someone is more capable of dissecting the library and has some more educated guesses as to what is going on.
4. Wait until Samsung releases 4.2 for any Exynos + Qualcomm LTE phone. We can then use the libraries without knowing what exactly happens behind the scenes, just like what we currently have in CM10.
I understand the community's frustration at samsung's lack of documentation and source.
Two things I already tried as well, just in case someone wants to try them:
1. Backport the HAL JB library. It eventually crashed due to API compatibility. I overrode the explicit checks and that led to segfaults in mediaserver.
2. Symlink and call functions in libaudio-ril.so instead of libsecril-client.so from our audio.primary.smdk4x12 sources. Didn't work. The CSD library wasn't getting the correct voice path and I have no idea what API it uses or what it expects.
I can elaborate more if someone is interested.
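The comparison the post above makes by eye (which imports of libaudio-ril.so are satisfied by libcsd-client.so, and which parts of the csd_client API the Samsung library never touches) can be done mechanically from the same `objdump -T` output. The script below is an added example and not code from the post, from Samsung, Google or Qualcomm; it only assumes the objdump -T column order (address, flags, section, size, name), and its input is an abridged copy of the two tables quoted above.

```python
"""Cross-reference the `objdump -T` tables of two shared objects.

Added example, not from the original post. Assumes only the objdump -T
column order (address, flags, section, size, name); the flag field varies
("g DF", "w DO", "DF"), so columns are taken from the line's right end.
"""
import re
from typing import Dict, NamedTuple, Set, Tuple


class Sym(NamedTuple):
    name: str
    section: str   # "*UND*" = import, "*ABS*" = linker marker, else defined
    func: bool     # objdump type "DF" (function) vs "DO"/"D" (data)
    size: int


_HEX = re.compile(r"[0-9a-fA-F]+")


def parse_objdump_T(text: str) -> Dict[str, Sym]:
    """Parse `objdump -T` output into {name: Sym}; header lines are skipped."""
    syms: Dict[str, Sym] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not _HEX.fullmatch(parts[0]):
            continue
        name, size, section, kind = parts[-1], int(parts[-2], 16), parts[-3], parts[-4]
        syms[name] = Sym(name, section, kind == "DF", size)
    return syms


def imports(syms: Dict[str, Sym]) -> Set[str]:
    return {n for n, s in syms.items() if s.section == "*UND*"}


def exports(syms: Dict[str, Sym]) -> Set[str]:
    # Defined in a real section; drops *UND* and *ABS* markers like _edata.
    return {n for n, s in syms.items() if not s.section.startswith("*")}


def resolve(consumer: Dict[str, Sym],
            providers: Dict[str, Dict[str, Sym]]) -> Tuple[Dict[str, str], Set[str]]:
    """Map each import of `consumer` to the first provider that exports it.
    Returns ({symbol: provider}, unresolved symbols that need another library)."""
    resolved: Dict[str, str] = {}
    for name in sorted(imports(consumer)):
        for lib, syms in providers.items():
            if name in exports(syms):
                resolved[name] = lib
                break
    return resolved, imports(consumer) - set(resolved)


def unused_exports(consumer: Dict[str, Sym], provider: Dict[str, Sym]) -> Set[str]:
    """Functions `provider` exports that `consumer` never references."""
    return {n for n in exports(provider) - imports(consumer) if provider[n].func}


# Abridged from the two tables quoted in the post.
LIBAUDIO_RIL_T = """\
DYNAMIC SYMBOL TABLE:
00000000 DF *UND* 00000000 memset
00000000 DF *UND* 00000000 ss_audio_SetDhaSolution
00001185 g DF .text 00000028 _ZN7android6QmiCsd13setStartVoiceEv
00000000 DF *UND* 00000000 csd_client_start_voice
00000000 DF *UND* 00000000 csd_client_pcm_loopback_stop
00000000 DF *UND* 00000000 ss_audio_packet_loopback_stop
00000000 DF *UND* 00000000 csd_client_stop_voice
00000000 DF *UND* 00000000 csd_client_pcm_loopback_start
00000000 DF *UND* 00000000 ss_audio_packet_loopback_start
00000000 DF *UND* 00000000 csd_client_switch_device
00000000 DF *UND* 00000000 csd_client_stream_mute
00000000 DF *UND* 00000000 ss_audio_set_network_id
00000000 DF *UND* 00000000 csd_client_volume_index
00000000 DF *UND* 00000000 csd_client_tty
00000000 DF *UND* 00000000 csd_client_mic_mute
00003000 g D *ABS* 00000000 _edata
"""

LIBCSD_CLIENT_T = """\
DYNAMIC SYMBOL TABLE:
00000000 DF *UND* 00000000 qmi_client_send_msg_sync
00003281 g DF .text 00000624 csd_client_start_voice
000038a5 g DF .text 00000128 csd_client_enable_device
000039cd g DF .text 000000c8 csd_client_disable_device
00003a95 g DF .text 000000b0 csd_client_start_record
00003df1 g DF .text 00000064 csd_client_mic_mute
00003f79 g DF .text 00000084 csd_client_volume_index
00003ffd g DF .text 000001b0 csd_client_switch_device
000041ad g DF .text 00000060 csd_client_stream_mute
0000420d g DF .text 00000208 csd_client_pcm_loopback_start
00004415 g DF .text 00000134 csd_client_pcm_loopback_stop
00004549 g DF .text 00000060 csd_client_tty
000046b5 g DF .text 000002b4 csd_client_stop_voice
0000a010 g DO .bss 00000004 csd_condition
"""

if __name__ == "__main__":
    audio, csd = parse_objdump_T(LIBAUDIO_RIL_T), parse_objdump_T(LIBCSD_CLIENT_T)
    resolved, unresolved = resolve(audio, {"libcsd-client.so": csd})
    for name, lib in resolved.items():
        print(f"{name:32} <- {lib}")
    print("needs another provider:", sorted(unresolved))
    print("csd API never called by libaudio-ril:", sorted(unused_exports(audio, csd)))
```

On the real libraries, run `objdump -T` on each pulled .so and feed every candidate provider (libcsd-client.so, the ss_audio_* library, libc.so) into `resolve`; whatever remains unresolved is the import list you still have to account for. The C++ names (`_ZN7android6QmiCsd...`) can be demangled with `c++filt` to read the QmiCsd method names directly.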
Solid Explorer sdcard1 is what's linked via extsdcard and I'm getting 775 perms. The card is formatted to FAT32. I put it in while booted, rebooted into recovery and flashed your CM10 on top of itself (already running your CM10), wiped cache/Dalvik, rebooted and got nothing. Pulled the SD card, it booted. Put the SD card back in and then pulled the SD card; the system yelled at me that the SD card has been removed. Put it back in and rebooted, stuck on the boot animation. Pulled the SD card and it finishes booting. I don't know, it's frustrating because I know it's not the card, and because you don't have the issue lol. Suppose for a moment you have the issue: what could I provide to maybe show you what I'm talking about? My last resort is to do a full system wipe and reinstall to see if that fixes it, but that's last ditch.
Also, in relation to the security exploit, I downloaded supercurio's Voodoo app and it says that I am vulnerable. I will be applying the fix shortly to figure out if it breaks the camera and go from there. It also seems that CM10.1 merged the fix into their repos already, so you shouldn't have to worry about it going forward.
Edit: the quick fix does not break the camera for me. Now I'm disabling the quick fix and enabling fix at boot.
Edit 2: enabled fix at boot and it does not break the camera and fixes the exploit.
Sent from my SGH-I317 using xda app-developers app
You're not able to boot at all with that SD card? If the thing is stuck at the boot screen, you can logcat it and put it in pastebin so I can have a look. These issues are usually easy to solve once you've got the logcat setup properly. (Enable debugging in dev options, install the SDK, and use adb from a terminal or cmd while the phone is connected via USB and bootlooping.)
Cool, so both Chainfire's and supercurio's apps fix this exploit and won't break the camera, for all who are concerned and want to fix the exploit. Also, for the newer members: this does not remove root access, it just fixes an app bypassing asking for root access rights. Meaning when you select Titanium Backup for the first time, either Superuser or SuperSU asks you to allow root access or not; that is the correct way for that to happen. The exploit allows apps to bypass that question and allow the app root access, and it can then pull everything stored in RAM memory. What's stored in RAM I'm not sure and I hope someone who knows chimes in. But both fixes out there work and will not break the camera for CM10.
Sent from my SGH-I317 using xda app-developers app
Everything currently running on your phone is stored in RAM.