XDA Developers Android and Mobile Development Forum

[EXPLOIT] Modify System Files w/o Flashing Boot Partition

jichuan89
(Last edited by jichuan89; 7th March 2012 at 08:26 AM.)
#1  

Exploit: Modify System Files w/o Flashing Boot Partition

Background

One of the serious inconveniences of the stock Nook Tablet firmware is the inability to copy & paste in text fields. I hacked together a solution (see this thread) that requires replacing the file /system/framework/framework.jar. However, when I replaced that file, my tablet no longer booted.

It turns out that there are two files in the ramdisk that specify (what I assume to be) checksums of system files: /manifest00 and /manifest01. B&N has added a "feature" to the /init process that checks if system files on disk match the checksums in /manifest00 and /manifest01, and will crash the system if it finds a discrepancy, resulting in a boot loop.

/manifest00 and /manifest01 cover essentially all of the system files that one would be interested to modify, including my /system/framework/framework.jar. It is possible to get around this by using a ramdisk that has an empty /manifest00 and /manifest01, because /init only checks files with a checksum listed in /manifest00 and /manifest01, and will happily ignore everything else. But this would require me to flash a new boot partition, and since the NT has a locked bootloader, I would have to use bauwks's 2nduboot or Cyanoboot.

In essence, B & N is quite clever:
1. To modify system files (/system), you need to modify the boot partition (/manifest00 and /manifest01).
2. To modify the boot partition, you need to modify the boot loader.
3. The bootloader is locked.

Of course, with bauwks's 2nduboot hack, 3 is no longer an obstacle, but I would still rather not flash and damage my boot partition, having almost bricked my tablet once by doing so.

Exploit

I studied the /manifest00 and /manifest01 in the 1.4.2 ROM on my NT 8GB and compared them with /init.rc and /init.omap4430.rc, and discovered that /init.omap4430.rc starts /system/bin/uim-sysfs with root permissions at boot, but /system/bin/uim-sysfs does not actually exist. In addition, /system/bin/uim-sysfs is not in /manifest00 or /manifest01, and is thus not verified by /init.

Upon further testing, /system/bin/uim-sysfs is run after /init checks the checksums of system files, which means that /system/bin/uim-sysfs can modify /system as it wishes, with the caveat that it must restore its modifications before a reboot lest /init catch it at it.

So I placed a shell script at /system/bin/uim-sysfs that replaces /system/framework/framework.jar with my custom build, restarts the zygote process, and restores the stock /system/framework/framework.jar. I'm now able to use copy & paste on my Nook Tablet.

If anyone's interested, you can check out the uim-sysfs script I'm using for the copy & paste hack in the linked file in this thread.
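The gap the post describes (a service that init starts as root, whose binary is absent and which the manifest never checks) can be found mechanically. The following audit script is an added example, not jichuan89's uim-sysfs script or anything shipped by B&N: it walks an init .rc file and reports every root service whose executable is missing from the tree or has no manifest entry. It assumes the manifest holds one "<checksum> <path>" entry per line (the real /manifest00 layout is not documented in the thread), and the sample tree it audits is constructed.

```shell
#!/bin/sh
# Added audit example (not the thread's script). Assumed manifest format:
# one "<checksum> <path>" entry per line; the real layout is undocumented.

# audit_services <init.rc> <manifest> <rootdir>
# Prints "<service> <path> <flags>" for every service init would start as
# root whose executable is absent from the tree ("missing") and/or has no
# manifest entry ("unverified"). Services with a "user" directive are skipped.
audit_services() {
    rc=$1; manifest=$2; root=$3
    awk '
        function emit() { if (svc != "") print svc, path, user }
        $1 == "service" { emit(); svc = $2; path = $3; user = "root"; next }
        $1 == "on"      { emit(); svc = "" }
        $1 == "user" && svc != "" { user = $2 }
        END { emit() }
    ' "$rc" |
    while read -r name path user; do
        [ "$user" = "root" ] || continue
        flags=""
        [ -e "$root$path" ] || flags="missing"
        # The manifest path column is its last field in the assumed format.
        if ! awk '{ print $NF }' "$manifest" | grep -qxF -- "$path"; then
            flags="${flags:+$flags,}unverified"
        fi
        if [ -n "$flags" ]; then printf '%s %s %s\n' "$name" "$path" "$flags"; fi
    done
}

# build_fixture: constructed sample tree mirroring the thread's finding
# (uim-sysfs declared but never shipped, and absent from the manifest).
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/system/bin" "$d/system/framework" "$d/sbin"
    : > "$d/system/bin/sh"; : > "$d/sbin/adbd"; : > "$d/system/framework/framework.jar"
    cat > "$d/init.rc" <<'EOF'
on boot
    class_start default
service uim-sysfs /system/bin/uim-sysfs
service adbd /sbin/adbd
    user shell
service console /system/bin/sh
EOF
    printf 'deadbeef /system/framework/framework.jar\ncafef00d /system/bin/sh\n' > "$d/manifest00"
    echo "$d"
}

d=$(build_fixture); audit_services "$d/init.rc" "$d/manifest00" "$d"; rm -rf "$d"
```

On the constructed tree only the uim-sysfs line is reported, flagged both "missing" and "unverified"; the adbd service is skipped because it drops to the shell user.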
 
lavero.burgos
#2  
Interesting and very useful for stock users. Well done!

 
fattire
#3  
Stop it, BN. Stop it.

Quote:
/init.omap4430.rc starts /system/bin/uim-sysfs with root permissions at boot, but /system/bin/uim-sysfs does not actually exist!
Interesting find. What is BN thinking with this manifest checking stuff? BN, just stop it. Seriously. Stop it.

Stop it, BN.

FWIW, uim-sysfs is the no-longer-used userspace side of the "shared transport" wireless daemon stuff (the other side is called "kim" in the kernel) that's used for bluetooth, FM, and gps on the 1271... it's used in CM7/CM9 (backported from 2.6.35 to 2.6.32) for nookcolor to make bluetooth work.

BN likely just modified TI's stock init.omap3.rc and left lines like the uim service as-is. Running this non-existent file as root is kind of a "security" hole, IMO, assuming the manifest verification was supposed to be some kind of security. Remove this, and there will doubtlessly be other examples of the same thing.

All that said, is this script, which is replacing system files on-the-fly any more "safe" than just replacing the boot partition in the first place? Add CyanoBoot, shift current boot.img contents 512 bytes. Done.

Nice discovery tho.
 
jichuan89
(Last edited by jichuan89; 7th March 2012 at 04:42 AM.)
#4  
Quote:
Originally Posted by fattire View Post
All that said, is this script, which is replacing system files on-the-fly any more "safe" than just replacing the boot partition in the first place? Add CyanoBoot, shift current boot.img contents 512 bytes. Done.
Well, the only real difference for me is what happens when you screw something up. When I screwed up /system, I could always use the "8 failed reboots" method to go back to stock /system. When I screwed up my boot partition, I almost bricked my tablet and there was no way of getting back to the factory restore interface.

In addition, it's also really, really easy for development because we'd be working with simple files, not images. For my copy & paste hack, I was editing /system/bin/uim-sysfs directly on the tablet using a text editor. Boot images are much harder to work with.

The last advantage is that it's a lot less intrusive. There's no scary flashing going on here; just drop a file in /system/bin/ and you're set.
 
MikeCh
#5  
Care to share the files?

Quote:
Originally Posted by jichuan89 View Post
Exploit: Modify System Files w/o Flashing Boot Partition
Would be nice if you could share some files.
 
jichuan89
#6  
Quote:
Originally Posted by MikeCh View Post
would be nice if you can share some files
If you're interested in copy & paste, I've now posted instructions at http://forum.xda-developers.com/show....php?t=1534757
 
fattire
#7  
Quote:
Originally Posted by jichuan89 View Post
Well, the only real difference for me is what happens when you screw something up. When I screwed up /system, I could always use the "8 failed reboots" method to go back to stock /system. When I screwed up my boot partition, I almost bricked my tablet and there was no way of getting back to the factory restore interface.
Well, "bricking" in the classic sense of creating a permanently damaged system is a bit difficult-- you can always boot from SD card and reflash from CWM, right?

Quote:
In addition, it's also really, really easy for development because we'd be working with simple files, not images. For my copy & paste hack, I was editing /system/bin/uim-sysfs directly on the tablet using a text editor. Boot images are much harder to work with.
Do you mean for the developer or the end user?

Quote:
The last advantage is that it's a lot less intrusive. There's no scary flashing going on here; just drop a file in /system/bin/ and you're set.
But aren't you still moving framework files around "on the fly"?

Well, in any event it was a good observation that can be used for all kinds of purposes-- rooting, running background processes, etc. You could even drop a cwm recovery binary in there to instantly turn stock into cwm I bet...
 
jichuan89
(Last edited by jichuan89; 7th March 2012 at 12:13 PM.)
#8  
Quote:
Originally Posted by fattire View Post
Well, "bricking" in the classic sense of creating a permanently damaged system is a bit difficult-- you can always boot from SD card and reflash from CWM, right?
True.

Quote:
Originally Posted by fattire View Post
do you mean for the developer or end user?
I guess that's personal preference more than anything else. Please disregard.

Quote:
Originally Posted by fattire View Post
but aren't you still moving framework files around "on the fly"?
Yes - but the process is automated by the script in uim-sysfs. From the user's perspective it's just copying a file to /system/bin, say using ES File Explorer, rather than burning an image to an SD card and booting from it, which appears to scare/confuse a lot of people. Also, they wouldn't need a computer or a card reader or a spare SD card or a USB cable or any special software on their computer.
