[VOLVO SCT] Volvo Sensus Connected Touch (car - navi - audio)

By RichieB, Senior Member on 18th September 2013, 08:51 AM
21st September 2013, 04:17 AM |#21  
donaldta
Senior Member
Quote:
Originally Posted by johnnie_w

I tried to pull and push an APK, no luck. Pulling worked but I couldn't push it back to /system/app. We need root rights for this apparently.

I'm wondering what the device is looking for. We have to find that out, maybe we can modify APK's so it does accept them. Any other ideas?

Have you installed any of the available apps from the Asteroid Market for the SCT? Because then you can try to pull a copy of the apk to your computer, uninstall it from the SCT ("adb uninstall" or using the touchscreen), and then try using "adb install" (instead of push) to see if it can at least be re-installed that way.

If that is possible then maybe we can use the "master key exploit" to inject Framaroot into a pre-existing apk from the Asteroid Market, like the way it is described in this bash script. Provided of course that it hasn't already been patched on the SCT (it hasn't been patched on the PAS with Firmware version 2.1.2).

Also, just a stretch... I know you tried, "su - root" from "adb shell" and it didn't work but try to see if "su - system" works. It probably won't but it doesn't hurt to try.

Quote:
Originally Posted by johnnie_w

Also for patching the jar file or using the Lucky Patcher we need root.

Yes, that response was directed to jaanusj since root is available on the Asteroid Tablet.
21st September 2013, 05:38 PM |#22  
Member
No success with the lucky patcher...
It still won't run. Same text in log.
21st September 2013, 06:47 PM |#23  
Member
I was able to pull a package, and to inject Framaroot using the script. But when I tried to install it, it gave the following error:

Code:
D/PackageParser( 1377): Scanning package: /data/app/vmdl-1912454958.tmp
E/PackageParser( 1377): Package com.alephzain.framaroot has no certificates at entry res/layout/activity_frama.xml; ignoring!

Any pointers?

EDIT:

The packages coming from the Asteroid Market (Wikango is the only non-system app) are .ppk files. Looking at the logcat I saw they are decrypted, and extracted to /sdcard/.ppktemp. I was able to quickly copy that directory before it got removed. I looked at the content, and found a directory /META-INF/com/parrot containing a signature file. Maybe this is the key to get packages installed? Will try in a bit, my laptop ran out of juice
21st September 2013, 08:52 PM |#24  
Member
Good news! I was able to install an APK file:

Code:
$ adb install ppktemp.apk
275 KB/s (20120357 bytes in 71.432s)
	pkg: /data/local/tmp/ppktemp.apk
Success
$

Now we need to inject Framaroot somehow in this package. I tried it, and this was the error I got:

Code:
unable to load PKCS7 object
15909:error:2006F078:BIO routines:BIO_read:uninitialized:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/bio/bio_lib.c:208:
15909:error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/asn1/a_d2i_fp.c:175:
unable to load PKCS7 object
15914:error:2006F078:BIO routines:BIO_read:uninitialized:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/bio/bio_lib.c:208:
15914:error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/crypto/asn1/a_d2i_fp.c:175:
Modified APK: evil---ppktemp.apk


---------- Post added at 06:52 PM ---------- Previous post was at 06:48 PM ----------

More good news: I was able to install the Framaroot APK! I just installed the APK with Framaroot injected, and it succeeded. Unfortunately it did crash immediately with the following message:

Code:
/ActivityManager( 1363): Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.alephzain.framaroot/.FramaActivity } from pid 1661
D/ActivityMonitorAppDrawer( 1661): Setting idle mode false
D/AllAppsDrawer( 1661): Setting idle mode: false
I/ActivityManager( 1363): Start proc com.alephzain.framaroot for activity com.alephzain.framaroot/.FramaActivity: pid=2646 uid=10045 gids={1006}
W/dalvikvm( 2646): Exception Ljava/lang/UnsatisfiedLinkError; thrown while initializing Lcom/alephzain/framaroot/FramaActivity;
W/dalvikvm( 2646): Class init failed in newInstance call (Lcom/alephzain/framaroot/FramaActivity;)
D/AndroidRuntime( 2646): Shutting down VM
W/dalvikvm( 2646): threadid=1: thread exiting with uncaught exception (group=0x40015560)
E/AndroidRuntime( 2646): FATAL EXCEPTION: main
E/AndroidRuntime( 2646): java.lang.ExceptionInInitializerError
E/AndroidRuntime( 2646): 	at java.lang.Class.newInstanceImpl(Native Method)
E/AndroidRuntime( 2646): 	at java.lang.Class.newInstance(Class.java:1409)
E/AndroidRuntime( 2646): 	at android.app.Instrumentation.newActivity(Instrumentation.java:1021)
E/AndroidRuntime( 2646): 	at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1561)
E/AndroidRuntime( 2646): 	at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:1666)
E/AndroidRuntime( 2646): 	at android.app.ActivityThread.access$1500(ActivityThread.java:117)
E/AndroidRuntime( 2646): 	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:931)
E/AndroidRuntime( 2646): 	at android.os.Handler.dispatchMessage(Handler.java:99)
E/AndroidRuntime( 2646): 	at android.os.Looper.loop(Looper.java:130)
E/AndroidRuntime( 2646): 	at android.app.ActivityThread.main(ActivityThread.java:3686)
E/AndroidRuntime( 2646): 	at java.lang.reflect.Method.invokeNative(Native Method)
E/AndroidRuntime( 2646): 	at java.lang.reflect.Method.invoke(Method.java:507)
E/AndroidRuntime( 2646): 	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:839)
E/AndroidRuntime( 2646): 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:597)
E/AndroidRuntime( 2646): 	at dalvik.system.NativeStart.main(Native Method)
E/AndroidRuntime( 2646): Caused by: java.lang.UnsatisfiedLinkError: Couldn't load framalib: findLibrary returned null
E/AndroidRuntime( 2646): 	at java.lang.Runtime.loadLibrary(Runtime.java:429)
E/AndroidRuntime( 2646): 	at java.lang.System.loadLibrary(System.java:554)
E/AndroidRuntime( 2646): 	at com.alephzain.framaroot.FramaActivity.<clinit>(FramaActivity.java:88)
E/AndroidRuntime( 2646): 	... 15 more
V/ExceptionReport( 1363): report_5ffd7aeaf already exists
V/ExceptionReport( 1363): Aborting report creation
W/ActivityManager( 1363):   Force finishing activity com.alephzain.framaroot/.FramaActivity
W/ActivityManager( 1363):   Force finishing activity se.volvocars.acu/.appdrawer.AppDrawerActivity

My guess is that it tries to find the library in com.alephzain.framaroot, but due to the fact that it is injected in a different package, it can't find it. I will contact the Framaroot developer, maybe he has a solution. Exciting stuff!
The Following 2 Users Say Thank You to johnnie_w For This Useful Post
21st September 2013, 09:47 PM |#25  
donaldta
Senior Member
Quote:
Originally Posted by johnnie_w

The packages coming from the Asteroid Market (Wikango is the only non-system app) are .ppk files.

Probably that's just Parrot renaming the Android PacKage (.apk) extension to identify it as proprietary. Much like how an .apk file is really just a .zip file with structured folders and specific file locations within the archive.

I am pretty sure to take advantage of the Master Key Exploit with Framaroot, the package should be a system package since we want it to end up in /system/app anyways.

Quote:
Originally Posted by johnnie_w

I was able to pull a package, and to inject Framaroot using the script. But when I tried to install it, it gave the following error:

Code:
D/PackageParser( 1377): Scanning package: /data/app/vmdl-1912454958.tmp
E/PackageParser( 1377): Package com.alephzain.framaroot has no certificates at entry res/layout/activity_frama.xml; ignoring!

Questions:
  • In the above test, did the Wikango application install without Framaroot or not at all?
  • If it was installed did you check if it is actually Wikango?
  • Was the Wikango application on the device prior?
  • Were you able to install an unaltered copy of the Wikango package through ADB?

Quote:
Originally Posted by johnnie_w

Looking at the logcat I saw they are decrypted, and extracted to /sdcard/.ppktemp. I was able to quickly copy that directory before it got removed. I looked at the content, and found a directory /META-INF/com/parrot containing a signature file. Maybe this is the key to get packages installed? Will try in a bit, my laptop ran out of juice

Let me try and explain the situation (at least how I understand it). I apologize if you knew this already but I feel it is important that we are on the same page.

First of all, each package contains a "META-INF" directory that has the following files: CERT.RSA, CERT.SF and MANIFEST.MF. These files are used to validate the contents of the package using cryptographic signatures. The "CERT.SF" and "MANIFEST.MF" files enumerate the items in the package and associate each with a cryptographic signature. The CERT.RSA file is the public key file used to validate each signature; however, only the private key can create the signatures. This key pair is the fundamental basis on which Android ensures the package was created by the signee and is untampered.

The master key exploit takes advantage of the idea that only one file is tested per signature. However, if there are duplicate files in the package then the last file processed is what ends up being used on the Android device. So, for this to work the file and directory structure of the APKs must match, otherwise the package installer flags the non-duplicated file because a signature doesn't exist for it. Framaroot isn't going to match anything in the Asteroid Market. However, we might be able to get alephzain to customize a copy of his Framaroot app so that it matches the manifest of a pre-existing Asteroid Market app so that it can be snuck into the system.

I am not sure what is in the /META-INF/com/parrot directory, but I suspect that it is the public key used to validate digital signatures.
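
The per-entry checking described in the post above can be turned into a defensive audit. The following is an added example, not part of the original thread or of the bash script it links to: it flags duplicate entry names and entries that MANIFEST.MF does not cover or whose digest differs. The function names are hypothetical, the manifest is assumed to use `SHA1-Digest` lines, the sample archives are constructed in memory, and the CERT.SF/CERT.RSA signature itself is not verified.

```python
import base64
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def parse_manifest(text):
    """Return {entry name: base64 SHA-1 digest} from a JAR-style MANIFEST.MF."""
    digests, name = {}, None
    # Long lines are folded onto continuation lines that start with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.split("\n"):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
        elif not line:
            name = None  # a blank line ends the per-entry section
    return digests


def audit_apk(data):
    """Return a list of (problem, entry name) findings for the APK bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()  # every central-directory record, duplicates included
        counts = Counter(i.filename for i in infos)
        findings = [("duplicate-entry", n) for n, c in sorted(counts.items()) if c > 1]
        try:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        except KeyError:
            return findings + [("no-manifest", "META-INF/MANIFEST.MF")]
        for info in infos:
            name = info.filename
            # Simplification: files under META-INF/ and directories are skipped.
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            # Passing the ZipInfo reads this exact record, not just the last one by name.
            digest = base64.b64encode(hashlib.sha1(zf.read(info)).digest()).decode()
            if name not in manifest:
                findings.append(("unsigned-entry", name))
            elif manifest[name] != digest:
                findings.append(("digest-mismatch", name))
    return findings


def build_sample(entries, listed):
    """Constructed test input: a ZIP holding `entries` (name, bytes) pairs and a
    manifest that covers only the (name, bytes) pairs in `listed`."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, body in listed:
        d = base64.b64encode(hashlib.sha1(body).digest()).decode()
        lines += ["Name: " + name, "SHA1-Digest: " + d, ""]
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
            for name, body in entries:
                zf.writestr(name, body)
    return buf.getvalue()
```

An entry reported as `unsigned-entry` corresponds to the "has no certificates at entry" message from PackageParser quoted earlier in the thread.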
21st September 2013, 09:55 PM |#26  
Member
Quote:
Originally Posted by donaldta

Probably that's just Parrot renaming the Android PacKage (.apk) extension to identify it as proprietary. Much like how an .apk file is really just a .zip file with structured folders and specific file locations within the archive.

No, I think the PPK files are encrypted. I couldn't rename the file nor validate the type.

Quote:

I am pretty sure to take advantage of the Master Key Exploit with Framaroot, the package should be a system package since we want it to end up in /system/app anyways.

Questions:

  • In the above test, did the Wikango application install without Framaroot or not at all?
  • If it was installed did you check if it is actually Wikango?
  • Was the Wikango application on the device prior?
  • Were you able to install an unaltered copy of the Wikango package through ADB?

  • The first installation was from the unmodified APK that I got from the extracted Wikango PPK.
  • Yes, it was Wikango
  • No it wasn't.
  • Not the PPK file, only the APK.


Quote:

Let me try and explain the situation (at least how I understand it). I apologize if you knew this already but I feel it is important that we are on the same page.

First of all, each package contains a "META-INF" directory that has the following files: CERT.RSA, CERT.SF and MANIFEST.MF. These files are used to validate the contents of the package using cryptographic signatures. The "CERT.SF" and "MANIFEST.MF" files enumerate the items in the package and associate each with a cryptographic signature. The CERT.RSA file is the public key file used to validate each signature; however, only the private key can create the signatures. This key pair is the fundamental basis on which Android ensures the package was created by the signee and is untampered.

The master key exploit takes advantage of the idea that only one file is tested per signature. However, if there are duplicate files in the package then the last file processed is what ends up being used on the Android device. So, for this to work the file and directory structure of the APKs must match, otherwise the package installer flags the non-duplicated file because a signature doesn't exist for it. Framaroot isn't going to match anything in the Asteroid Market. However, we might be able to get alephzain to customize a copy of his Framaroot app so that it matches the manifest of a pre-existing Asteroid Market app so that it can be snuck into the system.

I am not sure what is in the /META-INF/com/parrot directory, but I suspect that it is the public key used to validate digital signatures.

Thanks for the clarification, I already sent alephzain a message, let's see what comes out of it. If you want the Wikango APK, I can upload it somewhere?
21st September 2013, 10:29 PM |#27  
donaldta
Senior Member
Quote:
Originally Posted by johnnie_w

Now we need to inject Framaroot somehow in this package. I tried it, and this was the error I got:

Code:
unable to load PKCS7 object

It looks like it is actually erroring out in lines #30 & 31 of the bash script, which use openssl piped into awk to set up the variable for the filename and echo statements. I don't think this is detrimental if that part fails in the script because it looks like it created an "evil" version of the package anyways. Just without the fancy filename that it would have created had the two openssl lines worked.

Quote:
Originally Posted by johnnie_w

More good news: I was able to install the Framaroot APK! I just installed the APK with Framaroot injected, and it succeeded. Unfortunately it did crash immediately.

My guess is that it tries to find the library in com.alephzain.framaroot, but due to the fact that it is injected in a different package, it can't find it. I will contact the Framaroot developer, maybe he has a solution. Exciting stuff!

It looks like it is looking for the "\lib\armeabi\libframalib.so" shared object library. Hmm... maybe check to see if you have a "frama" apk in either your /system/app or /data/app directories? If a copy already exists then maybe try "adb install -r Framaroot-1.6.0" (notice the -r argument to reinstall). You might be able to use it to reload a fresh new copy if the package already exists.

Quote:
Originally Posted by johnnie_w

No, I think the PPK files are encrypted. I couldn't rename the file nor validate the type.

Thanks for the clarification, I already sent alephzain a message, let's see what comes out of it. If you want the Wikango APK, I can upload it somewhere?

That's cool. Could you upload a copy of the original PPK, the original APK, and the altered APK? Maybe to like dropbox or skydrive, so it can be shared? Or even a forum attachment? There might be others that can add their two cents in getting this working.
The Following 2 Users Say Thank You to donaldta For This Useful Post
23rd September 2013, 09:38 PM |#28  
getiem
Member
Quote:
Originally Posted by donaldta

That's cool. Could you upload a copy of the original PPK, the original APK, and the altered APK? Maybe to like dropbox or skydrive, so it can be shared? Or even a forum attachment? There might be others that can add their two cents in getting this working.

I extracted the PLF and attached one of the original APK files from it to this post. It may be useful to you. The bash scripts are a step further than I am already....
Attached Files
File Type: apk HTMLViewer.apk (11.1 KB, 28 views)
File Type: apk Calculator.apk (78.1 KB, 23 views)
The Following User Says Thank You to getiem For This Useful Post
23rd September 2013, 09:48 PM |#29  
getiem
Member
In the PLF update file I also found a directory with files that might look to me of use, but I don't know at all. Does this say something to you?

system/etc/security/
cacerts.bks
otacerts.zip
system/etc/security/parrot/accepted_certificates/
.ignore
system/etc/security/parrot/accepted_publick_keys/
afm_fc6100_volvo.der

Does this certificate mean the verification of apk files?
(I rarred the .der file for upload)
Attached Files
File Type: zip otacerts.zip (1.2 KB, 27 views)
File Type: rar afm_fc6100_volvo.rar (244 Bytes, 38 views)
24th September 2013, 01:23 AM |#30  
donaldta
Senior Member
Quote:
Originally Posted by getiem

I extracted the PLF and attached one of the original APK files from it to this post. It may be useful to you. The bash scripts are a step further than I am already....

Thanks! I appreciate the effort, but I already have the entire SCT's ACU_VOLVO_EU_update.plf extracted and ready to reference at any time. All these three letter acronyms might be a tad confusing. But, the .PPK file which johnnie_w and I were referring to earlier is the Wikango app from the Asteroid Market (at least that's what I've gathered). Apparently, the files distributed to the SCT from the Asteroid Market are transferred as .PPK files. So, I wanted to be able to take a look at one for dissemination sake. As far as I understand, after the PPK is downloaded, it is decrypted into a temporary directory or as a temporary filename before installing. That's how johnnie_w was able to intercept a copy of its APK file and later was able to inject Framaroot into it using the bash script. So, really, I was asking for a copy of those files to be able to peruse.

Quote:
Originally Posted by getiem

In the PLF update file I also found a directory with files that might look to me of use, but I don't know at all. Does this say something to you?

system/etc/security/
cacerts.bks
otacerts.zip
system/etc/security/parrot/accepted_certificates/
.ignore
system/etc/security/parrot/accepted_publick_keys/
afm_fc6100_volvo.der

Does this certificate mean the verification of apk files?
(I rarred the .der file for upload)

Honestly, I am not sure what the files under the parrot directory are for in the SCT. They don't exist at all in the PAS. Here is what I do know.
  • {SCT}\FileSystem\system\etc\security\cacerts.bks is the Android keystore and holds all the information regarding the Certificate Authority Certifications. You can use CACertMan to see what's inside.
  • {SCT}\FileSystem\system\etc\security\otacerts.zip is an archive of certificates whose public keys are acceptable during an Over The Air (OTA) update or in a Recovery Image.
  • {SCT}\FileSystem\system\etc\security\parrot\accepted_certificates\.ignore file was 0 bytes, so I am assuming that's a file used as a flag for a script or application, like in a "if file exists then.." routine. If you have an SCT maybe check to see if it is still 0 bytes on a running system.
  • {SCT}\FileSystem\system\etc\security\parrot\accepted_public_keys\afm_fc6100_volvo.der file is an X509 binary that uses Distinguished Encoding Rules (DER) for its public key certificate. I am not sure what it is used to verify though.
And yes, these files are used for verification. However, it does us no good because we cannot manipulate them since root is not available on the SCT. These public keys and certificates are used to verify digital signatures or decrypt data written by their private counterpart. They cannot be used to digitally sign APKs for installation. Only the private keys can do that. If you want an overview about how it works then take a look at this How Encryption and Digital Signatures Work article.

Although, these files won't help you guys get root on the SCT, it might help jaanusj in getting AcuHome.apk installed on his PAT.
24th September 2013, 10:15 AM |#31  
getiem
Member
I'm sorry that I did some useless work.

I have SCT and will try soon to get into it. Car is just 6 days old now, and still figuring out some things (didn't even have the time to log in to the asteroid market).

Tags
car audio, sct, sensus connected touch, volvo