[BrickBug][Fix][Kernel][01.08]Detection of stock kernel safety + patch guide


Tungstwenty

Senior Member
Nov 1, 2011
1,830
4,512
After lots of discussion about the famous "SuperBrick" issue on GT-I9100 4.0.4 stock kernels, I wrote a script to allow everyone to check it on their own and hopefully patch it if needed.


Main goal - Detection

Detect if a STOCK kernel has MMC_CAP_ERASE enabled (unsafe) or not (safe).

I have validated it against XWLPG, XWLPM, XWLPO, XWLPT, XXLP5, XXLP5-CFRoot and all of them were detected correctly: safe on 4.0.3 kernels, unsafe on 4.0.4 ones.
I also checked it against Siyah 3.5.2 (despite knowing from the sources it's safe) and it was also correctly detected.
However, for custom kernels I don't expect the code patterns to be always the same and therefore it's possible that the detection is inconclusive - you will see that in the output.


Secondary goal - Fixing (instructions provided, not the tools)

When an unsafe kernel is detected, provide instructions on how to patch the code so it's safe.

For that, you'll need:
* an external kernel unpack/repack script (just search the forum as there are several available)
* a Linux box
* a hex editor
* any other requirements for the repack script: CROSS_COMPILE, etc.



Requirements for this script

This is pretty much self contained and can be run on either:
* Linux
* Windows with Cygwin

Running on the device itself would be theoretically possible but it ultimately depends on the installed Busybox version, in particular the parameters accepted by the "grep" command.
On my v1.20.0-cm9 version it's not possible to make it work.



Sample outputs

Here are some executions against existing kernel images:

The latest XWLPT (4.0.4):
Code:
###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - xdaforums.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: XWLPT/zImage
Kernel: Linux version 3.0.15-I9100XWLPT-CL941023 (dpi@DELL169) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Fri Jul 27 18:08:15 KST 2012

1 ocurrences of the bad code signature
0 ocurrences of the good code signature


***************
!!! WARNING !!!
***************

The kernel appears to have MMC_CAP_ERASE *enabled*, which is dangerous on many devices

Unpacked kernel code stored at: XWLPT/zImage_unpacked
The unsafe instruction can be found at offset 0x00594ec0

==================== Disassembly of the instruction ====================

XWLPT/zImage_instruction:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:   e3811b01        orr     r1, r1, #1024   ; 0x400
========================================================================

*** Instructions for patching ***

- Choose one of the existing unpack/repack scripts
- Unpack the kernel code, initramfs, etc.
- Do a binary edit of the unpacked code
- At offset 0x00594ec0, replace "01 ?b 8? e3" with "00 ?b 8? e3" - change just the first byte to 00
- Repack the kernel, including the changed code and all original contents
- Re-run this script to confirm that the newly generated file no longer has MMC_CAP_ERASE enabled


XWLPG (4.0.3):
Code:
###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - xdaforums.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: XWLPG/zImage
Kernel: Linux version 3.0.15-I9100XWLPG-CL619441 (dpi@DELL150) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Thu May 24 18:09:27 KST 2012

0 ocurrences of the bad code signature
1 ocurrences of the good code signature


The kernel appears to be good (MMC_CAP_ERASE disabled)

XXLQ5-CFRoot (4.0.4):
Code:
###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - xdaforums.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: XXLQ5_CFRoot/zImage
Kernel: Linux version 3.0.15-I9100XXLQ5-CL753921 (se.infra@SEP-85) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Thu Jun 28 14:16:15 KST 2012

1 ocurrences of the bad code signature
0 ocurrences of the good code signature


***************
!!! WARNING !!!
***************

The kernel appears to have MMC_CAP_ERASE *enabled*, which is dangerous on many devices

Unpacked kernel code stored at: XXLQ5_CFRoot/zImage_unpacked
The unsafe instruction can be found at offset 0x00594ef4

==================== Disassembly of the instruction ====================

XXLQ5_CFRoot/zImage_instruction:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:   e3811b01        orr     r1, r1, #1024   ; 0x400
========================================================================

*** Instructions for patching ***

- Choose one of the existing unpack/repack scripts
- Unpack the kernel code, initramfs, etc.
- Do a binary edit of the unpacked code
- At offset 0x00594ef4, replace "01 ?b 8? e3" with "00 ?b 8? e3" - change just the first byte to 00
- Repack the kernel, including the changed code and all original contents
- Re-run this script to confirm that the newly generated file no longer has MMC_CAP_ERASE enabled


Finally, here's the expected output of a kernel after the patch has been applied.
I didn't actually do the entire kernel repack, but I changed the code and compressed the file in a similar way as it will appear in a "complete" zImage file.
Patched XWLPM:
Code:
###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - xdaforums.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: XWLPM-patched/zImage
Kernel: Linux version 3.0.15-I9100XWLPM-CL837163 (dpi@DELL145) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Thu Jul 5 11:26:14 KST 2012

0 ocurrences of the bad code signature
1 ocurrences of the good code signature


The kernel has been patched by this method to disable MMC_CAP_ERASE and should now be entirely safe



Disclaimers

My main goal here is to provide information, not a one-click solution. I'm personally not worried about this issue since I run a kernel compiled from sources rather than a stock one.

Despite my best effort, I can't promise that:
- The detection will be flawless (although checks exist to make sure there's exactly 1 occurrence of either the "good code snippet" or the "bad code snippet" and an inconclusive result is reported if that's not the case)
- The patch will work or even be a runnable kernel (you might need to reflash another one from download mode). I have not performed the full unpack/repack process to test it out, although it's something already done elsewhere such as the CF-Root kernels and others.


That being said, enjoy ;)
 

Attachments

  • check-kernel-MMC_CAP_ERASE.zip
    1.9 KB · Views: 3,294
Last edited:
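
The byte change described in the patching instructions above, as an added example that is not part of the original post or the attached script: it decodes the ARM word, checks it against the "01 ?b 8? e3" pattern before touching it, and clears only the first byte. The function names and the constructed sample image (instruction placed at offset 0x40, not a real kernel offset) are assumptions for illustration.

```python
import struct


def decode_arm_imm(word_bytes):
    """Decode a little-endian ARM data-processing word with an immediate operand."""
    (word,) = struct.unpack("<I", word_bytes)
    imm8 = word & 0xFF
    rotate = 2 * ((word >> 8) & 0xF)  # operand is imm8 rotated right by 2*rot
    imm = ((imm8 >> rotate) | (imm8 << (32 - rotate))) & 0xFFFFFFFF
    return {
        "cond": word >> 28,                              # 0xE = always
        "immediate_form": (word >> 25) & 0x7 == 0b001,
        "opcode": (word >> 21) & 0xF,                    # 0b1100 = ORR
        "rn": (word >> 16) & 0xF,
        "rd": (word >> 12) & 0xF,
        "imm": imm,
    }


def classify(word_bytes):
    """Match 4 bytes against the post's patterns: 01 ?b 8? e3 / 00 ?b 8? e3."""
    if len(word_bytes) != 4:
        return "unexpected"
    b0, b1, b2, b3 = word_bytes
    if (b1 & 0x0F) != 0x0B or (b2 & 0xF0) != 0x80 or b3 != 0xE3:
        return "unexpected"
    return {0x01: "unsafe", 0x00: "patched"}.get(b0, "unexpected")


def patch_image(image, offset):
    """Return a copy of image with the first byte of the word at offset set to 00.

    Refuses to write unless the 4 bytes at offset match one of the two
    patterns, so a wrong offset cannot silently corrupt the kernel code.
    """
    if offset < 0 or offset + 4 > len(image):
        raise ValueError("offset outside image")
    state = classify(image[offset:offset + 4])
    if state == "unexpected":
        raise ValueError("bytes at 0x%08x do not match 01 ?b 8? e3" % offset)
    patched = bytearray(image)
    patched[offset] = 0x00  # already 00 when state == "patched"
    return bytes(patched)


# Constructed sample: zero filler around the instruction shown in the
# disassembly above (e3811b01, stored little-endian as 01 1b 81 e3).
SAMPLE_OFFSET = 0x40
SAMPLE_IMAGE = bytes(SAMPLE_OFFSET) + bytes.fromhex("011b81e3") + bytes(0x20)

if __name__ == "__main__":
    before = SAMPLE_IMAGE[SAMPLE_OFFSET:SAMPLE_OFFSET + 4]
    print(classify(before), hex(decode_arm_imm(before)["imm"]))
    fixed = patch_image(SAMPLE_IMAGE, SAMPLE_OFFSET)
    after = fixed[SAMPLE_OFFSET:SAMPLE_OFFSET + 4]
    print(classify(after), hex(decode_arm_imm(after)["imm"]))
```

With rot = 0xb the immediate is imm8 rotated right by 22 bits, so 0x01 becomes 0x400 and 0x00 becomes 0: the patched instruction ORs the register with zero and leaves it unchanged.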

xky1980

Senior Member
Dec 30, 2010
87
1
sorry for my "stupid" question;:confused:
I've a linux notebook, I've connected my device with the usb cable. Now how can I send command to the device? with adb and android sdk?
Thanks
 

martintspedersen

Senior Member
Mar 15, 2011
1,799
1,819
copenhagen
hahaha yes man nice one... i hope that gives us some nice ''stock'' roms

ps i was number 500 that hit your thanks button LOL
 
Last edited:

Tungstwenty

Senior Member
Nov 1, 2011
1,830
4,512
sorry for my "stupid" question;:confused:
I've a linux notebook, I've connected my device with the usb cable. Now how can I send command to the device? with adb and android sdk?
Thanks
If you read the requirements section, you'll see it's not likely that it runs successfully on the device itself, due to BusyBox limitations.
Just place the zImage file somewhere on your notebook, along with the script, and run it from a terminal.
 

xky1980

Senior Member
Dec 30, 2010
87
1
If you read the requirements section, you'll see it's not likely that it runs successfully on the device itself, due to BusyBox limitations.
Just place the zImage file somewhere on your notebook, along with the script, and run it from a terminal.


Oooohh! So the kernel must be read from the same path of the script, not from the device! OK thanks


---------- Post added at 09:18 AM ---------- Previous post was at 09:02 AM ----------

I've executed the script with siyah 3.5.2
the result is: The kernel appears to be good (MMC_CAP_ERASE disabled)
So it means that it is possible to safely make wipes and nandroid restores from recovery on my XWLPT?
Thanks
 

Tungstwenty

Senior Member
Nov 1, 2011
1,830
4,512
Did someone test it on S2 with CWM ?
What do you mean?
If you're talking about the detection, there's no such kernel as "CWM" :)
What exists is:
1. stock kernels, with stock recovery (faulty for all 4.0.4 builds so far)
2. CF-Root, which is just the stock kernel code but with stock recovery replaced by CWM, root included, etc. (but it's still the original kernel code and it still has the bug)
3. custom kernels built by kernel developers from source, which unless they forgot to do so, have the source code changed to be safe

If you're asking about item no 2, I *think* Chainfire changed the code of the CWM version he included in the package to make it safer, but the kernel is still vulnerable and flashing a .zip file in recovery (which could run some code it might include) is still potentially unsafe.
 
Last edited:

whiskerp

Senior Member
Mar 22, 2012
273
127
This is a great piece of work. I have attempted to build a patched kernel for XWLPT but I'm a bit of a noob at hacking zImage.

I set up the repack-zImage.v6 scripts and unpacked the kernel. I am a bit concerned about the error however:

Code:
repack-zImage.sh -u
Separating gzipped part from trailer in 'piggy.gz+piggy_trailer'
Trying size: 4184870  6277305  5231087  4707978  4969533  5100311  5165700  5133005  
5116657  5108483  5112570  5114614  5113592  5114103  5113847  5113975  5114039  5114071  
5114055  5114047/usr/local/bin/repack-zImage.sh: line 284: [: : integer expression expected

padding check (may take some time): 1

Found uncompressed ramdisk.
Detecting padding (may take some time): 1
Unpacking initramfs
4300 blocks
4300 blocks

Success.
The unpacked files and the initramfs directory are in './zImage_unpacked'.

However I persevered and found and patched the byte in "piggy" using okteta and then repacked the kernel by doing:

Code:
repack-zImage.sh -3 -p
Creating piggy.gz
Padding './zImage_packing/piggy.gz' to 5114048 bytes (+1)
Assembling zImage
Successfully created './zImage_packing/zImage'
Generated file: './zImage_packing/zImage.tar'

This checks out OK as having been patched OK.

Code:
./check-kernel-MMC_CAP_ERASE.sh 

###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - xdaforums.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: zImage
gzip (pos = 18101)
Kernel: Linux version 3.0.15-I9100XWLPT-CL941023 (dpi@DELL169) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Fri Jul 27 18:08:15 KST 2012

0 ocurrences of the bad code signature
1 ocurrences of the good code signature


The kernel has been patched by this method to disable MMC_CAP_ERASE and should now be entirely safe

but sadly gets stuck at the boot screen :(

Does anyone know what I have done wrong and might be able to help? I'll share the kernel if I can get it built.

Peter
 
  • Like
Reactions: Tungstwenty

00raq00

Senior Member
Mar 24, 2010
637
179
What do you mean?
If you're talking about the detection, there's no such kernel as "CWM" :)
What exists is:
1. stock kernels, with stock recovery (faulty for all 4.0.4 builds so far)
2. CF-Root, which is just the stock kernel code but with stock recovery replaced by CWM, root included, etc. (but it's still the original kernel code and it still has the bug)
3. custom kernels built by kernel developers from source, which unless they forgot to do so, have the source code changed to be safe

If you're asking about item no 2, I *think* Chainfire changed the code of the CWM version he included in the package to make it safer, but the kernel is still vulnerable and flashing a .zip file in recovery (which could run some code it might include) is still potentially unsafe.

If we can detect the brick bug in the kernel and know what must be changed, why can't we fix the stock kernel? If we can fix the stock kernel, my question is: did someone do that and test it with fake CWM and a wipe?

 

darth_mickrig

Senior Member
May 5, 2012
158
96
This is a great piece of work. I have attempted to build a patched kernel for XWLPT but I'm a bit of a noob at hacking zImage.

I set up the repack-zImage.v6 scripts and unpacked the kernel. I am a bit concerned about the error however:

Code:
repack-zImage.sh -u
Separating gzipped part from trailer in 'piggy.gz+piggy_trailer'
Trying size: 4184870  6277305  5231087  4707978  4969533  5100311  5165700  5133005  
5116657  5108483  5112570  5114614  5113592  5114103  5113847  5113975  5114039  5114071  
5114055  5114047/usr/local/bin/repack-zImage.sh: line 284: [: : integer expression expected

padding check (may take some time): 1

Found uncompressed ramdisk.
Detecting padding (may take some time): 1
Unpacking initramfs
4300 blocks
4300 blocks

Success.
The unpacked files and the initramfs directory are in './zImage_unpacked'.

However I persevered and found and patched the byte in "piggy" using okteta and then repacked the kernel by doing:

Code:
repack-zImage.sh -3 -p
Creating piggy.gz
Padding './zImage_packing/piggy.gz' to 5114048 bytes (+1)
Assembling zImage
Successfully created './zImage_packing/zImage'
Generated file: './zImage_packing/zImage.tar'

This checks out OK as having been patched OK.

Code:
./check-kernel-MMC_CAP_ERASE.sh 

###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - xdaforums.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: zImage
gzip (pos = 18101)
Kernel: Linux version 3.0.15-I9100XWLPT-CL941023 (dpi@DELL169) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Fri Jul 27 18:08:15 KST 2012

0 ocurrences of the bad code signature
1 ocurrences of the good code signature


The kernel has been patched by this method to disable MMC_CAP_ERASE and should now be entirely safe

but sadly gets stuck at the boot screen :(

Does anyone know what I have done wrong and might be able to help? I'll share the kernel if I can get it built.

Peter

Did you use this script here http://xdaforums.com/showthread.php?t=901152 ? I used that one and asked tungstwenty for help. He discovered that that one was faulty. I have my own kernel build now but still couldn't test it.
 
  • Like
Reactions: Tungstwenty

whiskerp

Senior Member
Mar 22, 2012
273
127
Safe version of XWLPT stock.

This is a great piece of work. I have attempted to build a patched kernel for XWLPT but I'm a bit of a noob at hacking zImage.

I set up the repack-zImage.v6 scripts and unpacked the kernel. I am a bit concerned about the error however:

Edit: Variable was assigned to nul rather than zero and was not a real problem.

Code:
repack-zImage.sh -u....

However I persevered and found and patched the byte in "piggy" using okteta and then repacked the kernel by doing:

Code:
repack-zImage.sh -3 -p
...

Code:
./check-kernel-MMC_CAP_ERASE.sh 

###############################################
#                                             #
# GT-I9100 Kernel MMC_CAP_ERASE bug detection #
# By Tungstwenty - xdaforums.com   #
# Tungstwenty@gmail.com                       #
#                                             #
###############################################

Detecting safety of kernel: zImage
gzip (pos = 18101)
Kernel: Linux version 3.0.15-I9100XWLPT-CL941023 (dpi@DELL169) (gcc version 4.4.3 (GCC) ) #3 SMP PREEMPT Fri Jul 27 18:08:15 KST 2012

0 ocurrences of the bad code signature
1 ocurrences of the good code signature


The kernel has been patched by this method to disable MMC_CAP_ERASE and should now be entirely safe

I have now rebuilt this and it works! :) and it is available at the Dropbox link below.

http://dl.dropbox.com/u/46833344/Kernel_XWLPT_eMMC_safe.tar

Does someone else want to check this out? I re-did the build above after fixing two unassigned variables in repack-zImage (fixed build files below)

http://dl.dropbox.com/u/46833344/repack-zImage.v6-fixed-scripts.tar.gz
 
Last edited:

darth_mickrig

Senior Member
May 5, 2012
158
96

Tungstwenty

Senior Member
Nov 1, 2011
1,830
4,512
This is a great piece of work. I have attempted to build a patched kernel for XWLPT but I'm a bit of a noob at hacking zImage.

I set up the repack-zImage.v6 scripts and unpacked the kernel. I am a bit concerned about the error however:
...

Did you use this script here http://xdaforums.com/showthread.php?t=901152 ? I used that one and asked tungstwenty for help. He discovered that that one was faulty. I have my own kernel build now but still couldn't test it.

I have now rebuilt this and it works! :)
After having the detection, I was also trying to get it to work using exactly that same repacker script, which darth_mickrig tipped me about.
I also found it has some errors, not only in the line you mentioned but also in the packing when using "-3" so that piggy can be edited directly rather than its inner blocks in separate files (which would require subtracting something from the offset displayed by my script).

whiskerp, I'm glad you had it sorted out already. I didn't have a chance to properly test my patched+repacked zImage from one of the 4.0.4 versions (I was planning on testing it despite the fact that I'm running a 4.0.3 ROM) so your feedback is great.

The repack-zImage.v6 script appears to no longer be maintained and its author hasn't posted on XDA for a while now, but I'll try to see if I can reach him to know whether he's ok with updating that script for newer kernels in addition to fixing the existing bugs. It might work properly in other shells / bash versions, who knows...

In the meantime, I was also asked by a couple of N7000 guys to make the detection work for their kernels, which apart from the "really stock" ones have a different compression - lzma/xz instead of gzip on the outer layer. On the inner parts (initramfs) it's also not working correctly, so I'll need to check it out. CF-Root, for instance, uses a different compression than the base stock, probably so that the additional payload fits the partition size.

Oh, one note:
Keep in mind that despite being a patch on the stock kernel, the yellow triangle will appear and the counter will be incremented if you flash the patched version through Odin. It's no longer properly signed by Samsung.

Kudos to whiskerp for beating me to sharing a patched version :highfive:. I had already done the repackaging and was waiting to get home to flash and try it out to see if it would boot before posting it :)
 
  • Like
Reactions: whiskerp
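
Locating the compressed kernel payload inside a zImage, as the "gzip (pos = 18101)" line in the outputs above reports, extended here to the xz and lzma outer layers mentioned for the N7000 kernels. This is an added example, not the script attached to this thread; the function names, the magic-byte table and the constructed sample images are assumptions.

```python
import gzip
import lzma
import zlib

# Leading bytes used to find candidate stream starts (assumed table).
MAGICS = {
    "gzip": b"\x1f\x8b\x08",
    "xz": b"\xfd7zXZ\x00",
    "lzma": b"\x5d\x00\x00",
}


def _positions(blob, magic):
    """Yield every offset at which magic occurs in blob."""
    pos = blob.find(magic)
    while pos != -1:
        yield pos
        pos = blob.find(magic, pos + 1)


def _inflate(fmt, blob):
    """Decompress one complete stream starting at blob[0]; bytes after it are ignored."""
    if fmt == "gzip":
        dec = zlib.decompressobj(31)  # 31 = gzip wrapper, maximum window
    elif fmt == "xz":
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ, memlimit=1 << 28)
    else:
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE, memlimit=1 << 28)
    out = dec.decompress(blob)
    if not dec.eof:
        raise ValueError("stream is truncated")
    return out


def find_payload(zimage):
    """Return (format, offset, data) for the first magic that really decompresses.

    A magic match alone is not trusted: the same bytes can occur by chance in
    the decompressor stub, so each candidate is confirmed by decompressing it.
    """
    candidates = sorted(
        (pos, fmt) for fmt, magic in MAGICS.items() for pos in _positions(zimage, magic)
    )
    for pos, fmt in candidates:
        try:
            return fmt, pos, _inflate(fmt, zimage[pos:])
        except (zlib.error, lzma.LZMAError, ValueError, EOFError, MemoryError):
            continue
    return None


# Constructed sample data: a fake stub, a decoy gzip magic that is not a
# valid stream, the compressed payload, then a trailer.
PAYLOAD = b"Linux version 3.0.15-CONSTRUCTED (example build)\n" + bytes(256)
HEAD = bytes(64) + b"\x1f\x8b\x08\xff" + bytes(12)
TRAILER = b"TRAILER" + bytes(8)


def build_sample(fmt):
    """Build a constructed zImage-like blob using the given outer compression."""
    if fmt == "gzip":
        packed = gzip.compress(PAYLOAD)
    elif fmt == "xz":
        packed = lzma.compress(PAYLOAD, format=lzma.FORMAT_XZ)
    else:
        packed = lzma.compress(PAYLOAD, format=lzma.FORMAT_ALONE)
    return HEAD + packed + TRAILER


if __name__ == "__main__":
    for name in ("gzip", "xz", "lzma"):
        fmt, pos, data = find_payload(build_sample(name))
        print("%s (pos = %d), %d bytes unpacked" % (fmt, pos, len(data)))
```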

Top Liked Posts

    6
    I have now rebuilt this and it works! :) and it is available at the Dropbox link below.

    http://dl.dropbox.com/u/46833344/Kernel_XWLPT_eMMC_safe.tar

    I have unpacked the XWLPU kernel and made it "eMMC safe" by clearing the MMC_CAP_ERASE flag found using Tungstwenty's script and then repacked it. It is available here: http://dl.dropbox.com/u/46833344/Kernel_XWLPU_eMMC_safe.7z. I am running it myself and have done a CWM cache wipe with no problem.

    Peter