[KERNEL] Enabling Netfilter/AFWall+ on Ainol Novo 7 Paladin (MIPS)
I spent entirely too much time on this, so I'll post my boot.img and my findings here in case it's useful to anyone else in the future.
and this thread
have working links to CWM and Superuser zips.
has a link to an ICS 4.0.3 ROM running Linux 3.0.8. I installed this ROM, but was disappointed with the kernel's feature set. Important options like CONFIG_IP_NF_TARGET_REJECT and CONFIG_IP_NF_TARGET_LOG were disabled.
has a custom ROM by "pinkflozd". I wasn't able to find this image in the wild. It may have a newer kernel (3.0.23?) but AFAICT it doesn't have the Netfilter changes I needed either.
Custom kernel build:
I stumbled across this kernel and used it as a baseline. Then I enabled:
- Various missing Netfilter features (e.g. LOG and REJECT targets)
The process looks like:
- Install CWM
- Find the .zip file for the ROM you want to use, e.g. the ICS 4.0.3 link above
- Install that ROM and make sure the stock kernel works
- Create a new boot.img with the desired options enabled
- Flash the new boot.img with CWM
Basic steps to create the new boot.img:
git clone -b paladin-3.0.8 git://github.com/cernekee/linux
git submodule init
git submodule update
cp /path/to/boot.img orig.img
# if desired, edit kernel code or .config, and rerun "make"
The scripts under linux/paladin/ will extract the ramdisk from orig.img, then create a new boot.img based on your kernel source tree. For more details on the kernel build, see paladin/README.
To flash the new image, reboot into CWM, then:
adb push boot.img /tmp/
adb shell "dd if=/tmp/boot.img bs=1048576 seek=3 count=8 of=/dev/block/mmcblk0 ; sync"
# hit the reset button again
Other random findings:
I did not have any luck with the "z4root" app, although ro.secure=0 on this ROM so "adb shell" always gives you a root shell. It did take some work to find Superuser/su binaries that worked on MIPS.
Enabling Netfilter's conntrack option seemed to cause dhd.ko to become unstable, possibly because it affected binary compatibility with existing kernel modules. So I left it alone.
This ROM is missing native iptables/ip6tables binaries, so AFWall needs to be set to use the builtin copies. The latest AFWall betas do ship with MIPS binaries now (the purpose of this exercise was to test them).
Checking the box to enable IPv6 crashes AFWall instantly. Need to investigate this.
AFWall's inbound connection option probably will not work, due to the lack of conntrack in the kernel.
This ROM appears to be missing some Java libraries needed for ICS+ VpnService apps to work.
NDK r9b is the first NDK release with support for the "MXU" SIMD instructions supported by the Ingenic JZ4770 chip. Prior to this, most people used Ingenic's special toolchain to build the kernel.
To forcibly boot into CWM, hold down VOL+ while pressing the reset button.
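A check worth running on the kernel .config before building boot.img, as an added example that is not part of the original post or of the scripts in the kernel tree: it reports whether the LOG and REJECT targets named above are built in (y), modular (m) or absent (n). The function names and the sample fragment are constructed for illustration, and CONFIG_NF_CONNTRACK is assumed to be the symbol behind the post's "conntrack option".

```shell
#!/bin/sh
# Added example: report the state of the Netfilter options discussed in the
# post for a given kernel .config file.

# Options named in the post, plus CONFIG_NF_CONNTRACK (assumed to be the
# symbol meant by "conntrack"; the post does not spell it out).
NF_OPTIONS="CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_LOG CONFIG_NF_CONNTRACK"

# Constructed sample: a fragment shaped like the stock config the post
# describes, with the LOG and REJECT targets disabled.
sample_stock() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_TARGET_REJECT is not set
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_NF_CONNTRACK is not set
EOF
}

# option_state FILE OPTION -> prints y, m, or n ("is not set" or missing).
option_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# check_config FILE -> prints OPTION=state per option; returns 1 when a
# firewall target is absent, so LOG/REJECT rules would fail to load.
check_config() {
    rc=0
    for opt in $NF_OPTIONS; do
        state=$(option_state "$1" "$opt")
        echo "$opt=$state"
        case "$opt:$state" in
            CONFIG_NF_CONNTRACK:*) ;;  # informational: the post left it off (dhd.ko)
            *:n) rc=1 ;;
        esac
    done
    return $rc
}

# With no argument, run against the constructed sample.
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp) && sample_stock > "$cfg"
fi
check_config "$cfg" || echo "rebuild needed: LOG/REJECT target missing"
```

Pass the path to the .config in the kernel source tree as the first argument to check a real build.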