Run commands on G1 without 3rd party app

[jdhorvat]

Is anyone aware of this? I found it by accident during a text conversation.

Step 1:
Reboot your phone.

Step 2:
Enter some commands.
When the system has completely rebooted there are several ways to enter commands. It seems like any app that came with the phone seems to double as a terminal. Try the following examples for running the reboot command

1. Open dialer, type reboot and press enter.
2. Create a search widget on your AndroidOS desktop... type reboot into it and press enter
3. Open a text message to yourself or someone else...in the message box type reboot and press enter.

You can also start telnetd this way, etc. Use your imagination.


Some open questions...

Questions:

- After a certain point it is no longer possible to enter commands this way. To enter commands again you have to reboot...which is the reason for Step 1. I don't know if it is a simple time limit at the beginning of boot, or if some hidden process is taking place and after its completion, the entering of commands using these methods is no longer possible. Does anyone know for sure why a reboot is eventually required to enter commands this way again?

- Copying and pasting commands into the various text boxes will not work. You must actually type the entire command and press enter immediately after in order for the command to be executed, or so it seems. Likewise you cannot for example enter a command in a search widget, then come back later with the text still there and press enter again to execute the command again. Does anyone have any insight into how these commands are being passed through to the system? I have never looked at any android src or anything like that, so I am absolutely clueless in this regard...and many others :-( It should also be noted that entering for example a "telnetd" command into a dialer will ALSO perform the function of dialing a phone number (it comes out as 8356383)..if entered into a text message it WILL pass with message to the recipient. One exception would be reboot, for obvious reasons.

- Does anyone have any additional insight into how this might be able to be used to compromise the security of the system? I used the search widget to start telnetd and ultimately get root. No pTerminal running. What other implications might this have?

- If someone has the spare time to look at the source and see why this is possible it would satisfy a great deal of my curiousity. Any takers? It would be interesting to see the code and know what the rules and limitations of entering commands this way really are.

- I am using RC29. Can anyone confirm whether or not this works on other versions?



Notes:

- Executing commands this way performs both the AndroidOS App function as well as executing the command. I.e. typing telnetd in a text message to your ex would be a pretty bad idea. This will both run telnetd AND send the text message to your ex.

- I would advise against entering long commands into the dialer as well. It will be really hard to explain to a Vietnamese Wal-Mart that you were just trying to mount your sdcard.

- Any commands that are entered WILL execute, but the results may not be obvious, as there is no output screen.

[staulkor]

Good find. Sounds like a bug to me though. I say that because if it were a hidden feature, I would think it wouldn't be sending a text message and executing a command.

[jdhorvat]

Quote:

Originally Posted by staulkor Good find. Sounds like a bug to me though. I say that because if it were a hidden feature, I would think it wouldn't be sending a text message and executing a command.

My thought as well. The only reason I'm not certain is the time limit after boot..If it even is a time limit. The other reason is that it does not seem to work if you enter commands into apps other than those packaged with Android. (i.e. entering "reboot" as a high score name in some game from the app market will not restart the phone)

[neoobs]

Quote:

Originally Posted by jdhorvat My thought as well. The only reason I'm not certain is the time limit after boot..If it even is a time limit. The other reason is that it does not seem to work if you enter commands into apps other than those packaged with Android. (i.e. entering "reboot" as a high score name in some game from the app market will not restart the phone)

That would mean there is a bug in the core.

[jimparis]

Quote:

That would mean there is a bug in the core.

I tracked it down -- they left a shell running on the console. See http://android.jim.sh/index.php/ConsoleShell

[jdhorvat]

Quote:

Originally Posted by jimparis I tracked it down -- they left a shell running on the console. See http://android.jim.sh/index.php/ConsoleShell

Thanks Jim! Excellent job tracking this down, this is precisely what I was hoping to see. I found your article very informative. It has certainly shed more light on the matter for me.