[DEV Needed] Found way to write to local.prop, need help getting root

nicofff

Member
Apr 18, 2011
20
21
I found a way to write arbitrary data to local.prop

Right now my local.prop (after reboot) looks like this

Code:
ro.sys.atvc_allow_netmon_usb=0
ro.sys.atvc_allow_netmon_usb=0
ro.sys.atvc_allow_netmon_ih=0
ro.sys.atvc_allow_res_core=0
ro.sys.atvc_allow_res_panic=0
ro.sys.atvc_allow_all_adb=0
ro.sys.atvc_allow_all_core=0
ro.sys.atvc_allow_efem=0
ro.sys.atvc_allow_bp_log=0
ro.sys.atvc_allow_ap_mot_log=0
ro.sys.atvc_allow_gki_log=0
#: comparing /system/preinstall/md5/#.md5 and /data/preinstall_md5/#.md5
#: install skipped, file unchanged
#: comparing /system/preinstall/md5/#.md5 and /data/preinstall_md5/#.md5
#: install skipped, file unchanged
ro.sys.atvc_allow_all_adb=1#: comparing /system/preinstall/md5/ro.sys.atvc_allow_all_adb=1#.md5 and /data/preinstall_md5/ro.sys.atvc_allow_all_adb=1#.md5
ro.sys.atvc_allow_all_adb=1#: install attempt 1 of 5 failed
ro.sys.atvc_allow_all_adb=1#: install attempt 2 of 5 failed
ro.sys.atvc_allow_all_adb=1#: install attempt 3 of 5 failed
ro.sys.atvc_allow_all_adb=1#: install attempt 4 of 5 failed
ro.sys.atvc_allow_all_adb=1#: install attempt 5 of 5 failed
preinstall finished, setting preinstall.done to 1
preinstall exiting...

I've tried a few variants, but adb keeps dropping its root privileges. "adb root" and "adb remount" don't work either.
I'm guessing that either the local.prop gets parsed before the script runs, or that the garbage at the end prevents it from loading.
My knowledge of Android died there, so if someone has any idea what can be tried, I'll give it a go.

How did I get there (in case someone wants to do the same):

I found out that on boot a script is run by the root user (/system/bin/installpreloads.sh) that writes /data/preinstall_md5/log.txt
/data/preinstall is world-writable, so I just deleted log.txt, and replaced it with a (soft) symbolic link to /data/local.prop.
Rebooted the phone and checked local.prop, and there was the output of the script.

Now, what it was writing at that point was no good (it was checking whether the Adobe Flash app was installed), but there was a sign of hope:
The lines started with the app name (com.adobe.flashplayer, or something like that)

I took a look at the script and it checks for the apps in /preload (which is only readable by system so no chance to change that) and writes to the log file the names of the files it finds there.

A couple of days later, I realized (toying with sbf_flash) that the preinstall partition isn't signed.
So I can change whatever I want on it, flash it with sbf_flash, and get the data I want into local.prop.
So I downloaded the Personal GB sbf and extracted it with the Motorola depacker.
Luckily the preinstall partition is ext3, so I just mounted it, changed the Adobe package for one called "ro.sys.atvc_allow_all_adb=1#", unmounted it, flashed it and on next boot, my local.prop looked like that.
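
Added example, not part of the original post and not code from installpreloads.sh: the write described above reaches local.prop because a root-run script opens a log path inside a directory that other users can modify. The checks below are ones a privileged script could make before appending to its log; the function names and any paths passed in are hypothetical.

```shell
#!/bin/sh
# Added example (not from installpreloads.sh): checks a privileged script can
# make before appending to a log, so a planted symlink cannot redirect the write.

# Succeeds (0) when DIR grants write permission to "other".
is_world_writable() {
    # find prints DIR only if the other-write bit is set; -prune stops descent
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# safe_append LOGFILE TEXT
# Returns 0 after appending, 1 when the path is unsafe; the reason goes to stderr.
safe_append() {
    log=$1
    dir=$(dirname "$log")

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refuse: $dir is not a real directory" >&2
        return 1
    fi
    # Anyone who can write the directory can swap the log for a link at any
    # time, so the symlink test below only means something once this passes.
    if is_world_writable "$dir"; then
        echo "refuse: $dir is world-writable" >&2
        return 1
    fi
    if [ -L "$log" ]; then
        echo "refuse: $log is a symbolic link" >&2
        return 1
    fi
    if [ -e "$log" ] && [ ! -f "$log" ]; then
        echo "refuse: $log is not a regular file" >&2
        return 1
    fi
    printf '%s\n' "$2" >> "$log"
}
```

The directory-permission check is the one that matters most: a shell script cannot open a file and test it atomically, so the log has to live somewhere only the privileged user can create or replace entries.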
 

nicofff

Member
Apr 18, 2011
20
21
Please, anyone?

I know most of the Milestone 2s around the world are running rootable ROMs, but here in Argentina and Brazil, we are stuck with an unrootable 2.3.6 ROM.

I'd just like a tip on what to try next, or at least know whether it's not possible.
I feel I'm just a tweak away from rooting these ROMs, but I don't know what to do next.

Anything, any idea is welcomed.

Please...
 

sakyr

New member
Nov 6, 2012
1
0
Error -bad way

ADB shell write: permission denied!!!!! = ro.sys.atvc_allow_netmon_usb=0
