
[EXPLOIT] Modify System Files w/o Flashing Boot Partition

OP jichuan89

7th March 2012, 03:06 AM   |  #1  
OP Member
Mountain View, CA
Exploit: Modify System Files w/o Flashing Boot Partition

Background

One of the serious inconveniences of the stock Nook Tablet firmware is the inability to copy & paste in text fields. I hacked together a solution (see this thread) that requires replacing the file /system/framework/framework.jar. However, when I replaced that file, my tablet no longer booted.

It turns out that there are two files in the ramdisk that specify (what I assume to be) checksums of system files: /manifest00 and /manifest01. B&N has added a "feature" to the /init process that checks if system files on disk match the checksums in /manifest00 and /manifest01, and will crash the system if it finds a discrepancy, resulting in a boot loop.

/manifest00 and /manifest01 cover essentially all of the system files that one would be interested to modify, including my /system/framework/framework.jar. It is possible to get around this by using a ramdisk that has an empty /manifest00 and /manifest01, because /init only checks files with a checksum listed in /manifest00 and /manifest01, and will happily ignore everything else. But this would require me to flash a new boot partition, and since the NT has a locked bootloader, I would have to use bauwks's 2nduboot or Cyanoboot.

In essence, B & N is quite clever:
1. To modify system files (/system), you need to modify the boot partition (/manifest00 and /manifest01).
2. To modify the boot partition, you need to modify the boot loader.
3. The bootloader is locked.

Of course, with bauwks's 2nduboot hack, 3 is no longer an obstacle, but I would still rather not flash and damage my boot partition, having almost bricked my tablet once by doing so.

Exploit

I studied the /manifest00 and /manifest01 in the 1.4.2 ROM on my NT 8GB and compared them with /init.rc and /init.omap4430.rc, and discovered that /init.omap4430.rc starts /system/bin/uim-sysfs with root permissions at boot, but /system/bin/uim-sysfs does not actually exist. In addition, /system/bin/uim-sysfs is not in /manifest00 or /manifest01, and is thus not verified by /init.

Upon further testing, /system/bin/uim-sysfs is run after /init checks the checksums of system files, which means that /system/bin/uim-sysfs can modify /system as it wishes, with the caveat that it must restore its modifications before a reboot lest /init catch it at it.

So I placed a shell script at /system/bin/uim-sysfs that replaces /system/framework/framework.jar with my custom build, restarts the zygote process, and restores the stock /system/framework/framework.jar. I'm now able to use copy & paste on my Nook Tablet.

If anyone's interested, you can check out the uim-sysfs script I'm using for the copy & paste hack in the linked file in this thread.
Last edited by jichuan89; 7th March 2012 at 08:26 AM.
7th March 2012, 03:11 AM   |  #2  
lavero.burgos
Senior Member
Guayaquil
Interesting and very useful for stock users. Well done!

~ Veronica
7th March 2012, 04:15 AM   |  #3  
fattire
Recognized Developer
Stop it, BN. Stop it.
Quote:

/init.omap4430.rc starts /system/bin/uim-sysfs with root permissions at boot, but /system/bin/uim-sysfs does not actually exist!

Interesting find. What is BN thinking with this manifest checking stuff. BN, just stop it. Seriously. Stop it.

Stop it, BN.

FWIW, uim-sysfs is the no-longer-used userspace side of the "shared transport" wireless daemon stuff (the other side is called "kim" in the kernel) that's used for bluetooth, FM, and gps on the 1271... it's used in CM7/CM9 (backported from 2.6.35 to 2.6.32) for nookcolor to make bluetooth work.

BN likely just modified TI's stock init.omap3.rc and left lines like the uim service as-is. Running this non-existent file as root is kinda a "security" hole, IMO, assuming the manifest verification was supposed to be some kind of security. Remove this, there will doubtlessly be other examples of the same thing.

All that said, is this script, which is replacing system files on-the-fly any more "safe" than just replacing the boot partition in the first place? Add CyanoBoot, shift current boot.img contents 512 bytes. Done.

Nice discovery tho.
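The two points made above, that /init only verifies the files listed in the manifests, and that any service line in an init rc file pointing at a root-run executable the manifests do not cover is another instance of the same gap, can be turned into a defender's audit. The following is an added example and not code from the thread or from B&N's firmware: it parses a constructed init rc excerpt in standard Android init syntax, re-checks a manifest against an in-memory file set, and lists root services whose executable is missing or not covered. The thread only says the manifests hold "what I assume to be" checksums; the "<path> <sha1>" manifest layout, the file contents and the service entries below are all constructed assumptions for the demo.

```python
import hashlib

# Constructed excerpt in Android init.rc syntax; not the Nook's actual /init.omap4430.rc.
INIT_RC = """\
service uim-sysfs /system/bin/uim-sysfs
    class core
    user root
    group root
    oneshot

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical

service installd /system/bin/installd
    class main
    socket installd stream 600 system system
"""

# Constructed stand-in for the files present on /system (path -> contents).
# uim-sysfs is deliberately absent, mirroring the situation described in the thread.
FS = {
    "/system/bin/servicemanager": b"servicemanager-binary",
    "/system/bin/installd": b"installd-binary",
    "/system/framework/framework.jar": b"framework-jar-contents",
}


def sha1(data):
    return hashlib.sha1(data).hexdigest()


# Assumed manifest format: one "<path> <sha1 hex>" entry per line. The real
# /manifest00 and /manifest01 layout is not documented in the thread.
MANIFEST = "".join(f"{path} {sha1(data)}\n" for path, data in FS.items())


def parse_init_services(rc_text):
    """Extract (name, exec path, user) for each 'service' block in an init rc file.
    Android init runs a service as root unless a 'user' option says otherwise."""
    services = []
    current = None
    for raw in rc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "service" and len(parts) >= 3:
            current = {"name": parts[1], "exec": parts[2], "user": "root"}
            services.append(current)
        elif parts[0] in ("on", "import"):
            current = None  # a new section ends the service block
        elif current is not None and parts[0] == "user" and len(parts) >= 2:
            current["user"] = parts[1]
    return services


def parse_manifest(text):
    """Map each manifest path to its expected hex digest."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries[parts[0]] = parts[1].lower()
    return entries


def verify_manifest(manifest, fs):
    """Re-do the /init check: return (path, reason) for every listed file that
    is missing or whose current checksum differs from the manifest."""
    problems = []
    for path, expected in manifest.items():
        data = fs.get(path)
        if data is None:
            problems.append((path, "missing"))
        elif sha1(data) != expected:
            problems.append((path, "checksum mismatch"))
    return problems


def audit_root_services(services, manifest, fs):
    """Flag services that init would start as root but whose executable is
    either absent from disk or not protected by any manifest entry."""
    findings = []
    for svc in services:
        if svc["user"] != "root":
            continue
        reasons = []
        if svc["exec"] not in fs:
            reasons.append("executable does not exist")
        if svc["exec"] not in manifest:
            reasons.append("executable not covered by manifest")
        if reasons:
            findings.append((svc["name"], svc["exec"], reasons))
    return findings


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST)
    print("manifest problems:", verify_manifest(manifest, FS))
    for name, path, reasons in audit_root_services(parse_init_services(INIT_RC), manifest, FS):
        print(f"{name} ({path}): {', '.join(reasons)}")
```

Run against the constructed data, the manifest itself verifies clean, yet uim-sysfs is reported as a root service with no executable and no manifest entry, which is exactly the combination that lets a dropped file in /system/bin run unverified; swapping in a modified framework.jar, by contrast, is caught by verify_manifest on the next boot, as the thread describes.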
7th March 2012, 04:27 AM   |  #4  
OP Member
Mountain View, CA
Quote:
Originally Posted by fattire

All that said, is this script, which is replacing system files on-the-fly any more "safe" than just replacing the boot partition in the first place? Add CyanoBoot, shift current boot.img contents 512 bytes. Done.

Well, the only real difference for me is what happens when you screw something up. When I screwed up /system, I could always use the "8 failed reboots" method to go back to stock /system. When I screwed up my boot partition, I almost bricked my tablet and there was no way of getting back to the factory restore interface.

In addition, it's also really, really easy for development because we'd be working with simple files, not images. For my copy & paste hack, I was editing /system/bin/uim-sysfs directly on the tablet using a text editor. Boot images are much harder to work with.

The last advantage is that it's a lot less intrusive. There's no scary flashing going on here; just drop a file in /system/bin/ and you're set.
Last edited by jichuan89; 7th March 2012 at 04:42 AM.
7th March 2012, 04:58 AM   |  #5  
MikeCh
Member
care to share the files?
Quote:
Originally Posted by jichuan89

Exploit: Modify System Files w/o Flashing Boot Partition

Background

One of the serious inconveniences of the stock Nook Tablet firmware is the inability to copy & paste in text fields. I hacked together a solution (will post details later) that requires replacing the file /system/framework/framework.jar. However, when I replaced that file, my tablet no longer booted.

It turns out that there are two files in the ramdisk that specify (what I assume to be) checksums of system files: /manifest00 and /manifest01. B&N has added a "feature" to the /init process that checks if system files on disk match the checksums in /manifest00 and /manifest01, and will crash the system if it finds a discrepancy, resulting in a boot loop.

/manifest00 and /manifest01 cover essentially all of the system files that one would be interested to modify, including my /system/framework/framework.jar. It is possible to get around this by using a ramdisk that has an empty /manifest00 and /manifest01, because /init only checks files with a checksum listed in /manifest00 and /manifest01, and will happily ignore everything else. But this would require me to flash a new boot partition, and since the NT has a locked bootloader, I would have to use bauwks's 2nduboot or Cyanoboot.

In essence, B & N is quite clever:
1. To modify system files (/system), you need to modify the boot partition (/manifest00 and /manifest01).
2. To modify the boot partition, you need to modify the boot loader.
3. The bootloader is locked.

Of course, with bauwks's 2nduboot hack, 3 is no longer an obstacle, but I would still rather not flash and damage my boot partition.

Exploit

I studied the /manifest00 and /manifest01 in the 1.4.2 ROM on my NT 8GB and compared them with /init.rc and /init.omap4430.rc, and discovered that /init.omap4430.rc starts /system/bin/uim-sysfs with root permissions at boot, but /system/bin/uim-sysfs does not actually exist. In addition, /system/bin/uim-sysfs is not in /manifest00 or /manifest01, and is thus not verified by /init.

Upon further testing, /system/bin/uim-sysfs is run after /init checks the checksums of system files, which means that /system/bin/uim-sysfs can modify /system as it wishes, with the caveat that it must restore its modifications before a reboot lest /init catch it at it.

So I placed a shell script at /system/bin/uim-sysfs that replaces /system/framework/framework.jar with my custom build, restarts the zygote process, and restores the stock /system/framework/framework.jar. I'm now able to use copy & paste on my Nook Tablet.

would be nice if you can share some files
7th March 2012, 07:37 AM   |  #6  
OP Member
Mountain View, CA
Quote:
Originally Posted by MikeCh

would be nice if you can share some files

If you're interested in copy & paste, I've now posted instructions at http://forum.xda-developers.com/show....php?t=1534757
7th March 2012, 11:51 AM   |  #7  
fattire
Recognized Developer
Quote:
Originally Posted by jichuan89

Well, the only real difference for me is what happens when you screw something up. When I screwed up /system, I could always use the "8 failed reboots" method to go back to stock /system. When I screwed up my boot partition, I almost bricked my tablet and there was no way of getting back to the factory restore interface.

Well, "bricking" in the classic sense of creating a permanently damaged system is a bit difficult-- you can always boot from SD card and reflash from CWM, right?

Quote:

In addition, it's also really, really easy for development because we'd be working with simple files, not images. For my copy & paste hack, I was editing /system/bin/uim-sysfs directly on the tablet using a text editor. Boot images are much harder to work with.

do you mean for the developer or end user?

Quote:

The last advantage is that it's a lot less intrusive. There's no scary flashing going on here; just drop a file in /system/bin/ and you're set.

but aren't you still moving framework files around "on the fly"?

Well, in any event it was a good observation that can be used for all kinds of purposes-- rooting, running background processes, etc. You could even drop a cwm recovery binary in there to instantly turn stock into cwm I bet...
7th March 2012, 12:07 PM   |  #8  
OP Member
Mountain View, CA
Quote:
Originally Posted by fattire

Well, "bricking" in the classic sense of creating a permanently damaged system is a bit difficult-- you can always boot from SD card and reflash from CWM, right?

True.

Quote:
Originally Posted by fattire

do you mean for the developer or end user?

I guess that's personal preference more than anything else. Please disregard.

Quote:
Originally Posted by fattire

but aren't you still moving framework files around "on the fly"?

Yes - but the process is automated by the script in uim-sysfs. From the user's perspective it's just copying a file to /system/bin say using ES File Explorer, rather than burning an image to an SD card and booting from it which appears to scare/confuse a lot of people. Also they wouldn't need a computer or a card reader or a spare SD card or a USB cable or any special software on their computer.
Last edited by jichuan89; 7th March 2012 at 12:13 PM.