[FIX] [Android 'L'] Bypassing the new PIE security check


cernekee

Senior Member
Jun 2, 2013
186
425
Last month, Chainfire posted a nice writeup on several new security changes happening upstream in AOSP. There has been much discussion of the SELinux changes and what that means for root apps, but I'd like to touch on another change that can affect even garden variety non-root apps: mandatory PIE (position-independent executables).

If you're running the Android "L" developer preview image, you may have noticed that some of your native binaries no longer execute:

Code:
$ ./curl --help                             
error: only position independent executables (PIE) are supported.

PIE is a useful security feature, as randomizing the address space makes it significantly more difficult for an attacker to exploit bugs in a program. However, in this case, one must trade off compatibility for security: PIE is only available in JB 4.1 and above, so most app developers targeting a wide range of Android versions have disabled PIE in their builds. The new PIE check in "L" will cause breakage for most apps that ship native executables.

As it turns out, even some of the precompiled binaries shipped with Android itself are affected, and Google has temporarily disabled PIE enforcement. It is not clear whether they will re-enable it at a later date.

Since the Android "L" preview images were built prior to Google's latest change, they still have PIE enabled. I am attaching a flashable "bypass-pie.zip" which overwrites one byte in /system/bin/linker to bypass the PIE check:

Code:
    3a06:       f8c6 5098       str.w   r5, [r6, #152]  ; 0x98
    3a0a:       f8c6 4100       str.w   r4, [r6, #256]  ; 0x100
    3a0e:       8a0a            ldrh    r2, [r1, #16]
    3a10:       2a03            cmp     r2, #3
    3a12:       d007            beq.n   3a24 // change to e007 (b.n)
    3a14:       4992            ldr     r1, [pc, #584]  ; (3c60)
    3a16:       2002            movs    r0, #2
    3a18:       4479            add     r1, pc

Use this at your own risk. It works for me. The same non-PIE curl binary now runs correctly with the patched linker:

Code:
$ ./curl --help
Usage: curl [options...] <url>
Options: (H) means HTTP/HTTPS only, (F) means FTP only
     --anyauth       Pick "any" authentication method (H)
 -a, --append        Append to target file when uploading (F/SFTP)
     --basic         Use HTTP Basic Authentication (H)
     --cacert FILE   CA certificate to verify peer against (SSL)
[...]

This was tested on hammerhead-lpv79-preview-ac1d8a8e.tgz. If somebody wants to test on razor-lpv79-preview-d0ddf8ce.tgz and post the result, that would be helpful.

It is not necessary to wipe any caches after flashing, although you may want to "clear data" for any apps that were crashing prior to applying the change so that they can start fresh.

Update 2014/07/21: AOSP has re-enabled the PIE check after recompiling their last non-PIE binary. I filed a ticket asking Google to revert this change in order to avoid breaking ABI compatibility.
 

Attachments

  • bypass-pie.zip
    229.4 KB · Views: 76,583
  • curl.zip
    685 KB · Views: 22,408

willybarca

Senior Member
Apr 7, 2010
422
129
sydney
So which one should we use to have proper root, curl or the PIE bypass?


Never mind, even using the PIE bypass still gives me the app optimizing process. I'll try the curl zip.
 


bitstra

Senior Member
Sep 22, 2010
1,593
2,549
Berlin
This runs fine on razor-lpv-79-preview!

I can use Dropbox now...

Thanks a lot!!!
 
Oct 22, 2012
28
86
For those still getting PIE errors in the latest L build (lpx13d), I found that the binary linked in this thread will not work as a drop-in fix for that. After checking the binaries, they are in fact different; however, I managed to repatch the newer binary with the same fix. I have yet to actually test this modification, but it's the same patch in principle:

Code:
.text:000032D4                 STR.W           R5, [R6,#0x98]
.text:000032D8                 STR.W           R4, [R6,#0x100]
.text:000032DC                 LDRH            R2, [R1,#0x10]
.text:000032DE                 CMP             R2, #3
.text:000032E0                 BEQ             loc_32F2 <---- replace D007 (07 D0) with E007 (07 E0, B loc_32F2)
.text:000032E2                 LDR             R1, =(aErrorOnlyPosit - 0x32EA)
.text:000032E4                 MOVS            R0, #2
.text:000032E6                 ADD             R1, PC  ; "error: only position independent execut"...
.text:000032E8                 BL              __dl___libc_format_fd

ZIP attached, again, I have no idea if this works or not. But for those who needed the patch previously, it's here again.

EDIT: Fixes several issues for me, and doesn't crash like the previous executable did. So far it fixes the actual PIE issues in SSHTunnel (although it can't do global IPTABLES support still) and it fixes SSHDroid's PIE issues.

EDIT 2: Fixes ES File Explorer as well.
 

Attachments

  • patch-pie.zip
    211.2 KB · Views: 25,579

blkbeltkid17

Senior Member
Jan 11, 2011
66
3
Norfolk, Virginia USA
^ Thank you sir. I just updated my N5 to the 13d build, and when I rebooted most of my root apps were borked, so I looked for a fix and flashed the zip, and it actually fixed my issues.
I don't know if that was the intended result, but that is what came out for me.
 

defconoi

Senior Member
Oct 31, 2008
3,184
6,077
SCHUYLKILL HAVEN
www.android-unleashed.com
Thanks, gonna test this on mako.

Edit: this works great on the N6 leak mako ROM. Great work, this made quite a few thousand people happy. Good work, man.
 

Tom_H_

Senior Member
Jul 1, 2009
66
7
This has fixed the VPN issue for me, Hotspot shield is working perfectly now!
THANK YOU!
 

manore

Member
Apr 16, 2012
28
7
\o/

Thanks for the patch! This fixed TitaniumBackup for me. Tested with Hammerhead and Flo on LPX13D.
 

gengi

Senior Member
Jan 9, 2011
823
163
Sorry for asking but we also have to flash the curl file or just the pie.zip ? Thanks.
 

Thanks a lot for your work.
I just modified your zip file to create a PIE restore by replacing the modified linker file with the original, for people who are testing apps to switch between the two.
I will share the file just in case anyone wants it:
http://d-h.st/Kzc
Here is the linker file patched for Android 5.1 :) Beware that the zip file I'm providing is not flashable - I'll make such a file later. For now you can copy the file using a file manager integrated in your recovery.
hf ;)
Cannot flash on x86 device. Manually copying the linker results in a bootloop into recovery. Any idea?
How can I edit the linker file? I know about hex editors but not Android ...
What's the code added to the OEM linker file? I uploaded my OEM Zenfone 2 x86 linker file.

P.S.: You only need to replace the original linker file back in custom recovery to boot again.

I know it's been a while since you posted this, but I've created a patched x86 linker! See attached.

For any of you with unsupported devices, here's how I did it.

I downloaded a disassembler called Hopper. There are probably better ones out there that are free and don't have so many nag screens, but it's what I happened to use.

I went to File -> Read Executable for Disassembly, and opened my copy of the linker binary. I hit Ctrl+F, and searched for "independent" as a "string in assembly".

This brought me to:

Code:
000127b0         db         "error: only position independent executables (PIE) are supported.\n", 0 ; XREF=__dl___linker_init+5445

From there I was able to double click "__dl___linker_init+5445", but otherwise I could have searched for the address "127B0" to see where this string is used in the code. That brings me to address 0000:89C5, where this string is pulled into a register to be acted on. So, let's see if there is a jump to this point.

In the disassembler there's a blue arrow pointing to this section of the code, meaning there's a conditional jump here. This "hopper" disassembler is kinda janky and I can't follow where the arrow comes from, but another Ctrl+F and search for "89C5" brings us to:

Code:
00007b1d         mov        dword [ds:eax+0x98], ecx
00007b23         mov        dword [ds:eax+0xf8], esi
00007b29         cmp        word [ds:edi+0x10], 0x3
00007b2e         jne        0x89c5

It's moving the values 98 and F8 in hex into some registers, making a comparison, then JNE, Jump-if-Not-Equal, to address 89C5, which is the error.

Incidentally, this is the same code as OP's, but in x86 instead of ARM:

Code:
000032D4                 STR.W           R5, [R6,#0x98]
000032D8                 STR.W           R4, [R6,#0x100]
000032DC                 LDRH            R2, [R1,#0x10]
000032DE                 CMP             R2, #3
000032E0                 BEQ             loc_32F2 <---- replace D007 (07 D0) with E007 (07 E0, B loc_32F2)

So anyway, the address 0000:7B2E is the address in the code where the jump to the error occurs. We don't want that to ever happen, so let's fire up a hex editor, and navigate to the 7B2E'th position in the file.

Code:
00007b10: 8b85 74fe ffff 31c9 be01 0000 0089 8898  ..t...1.........
00007b20: 0000 0089 b0f8 0000 0066 837f 1003 0f85  .........f......
00007b30: 910e 0000 8b85 68fe ffff 85c0 0f84 9500  ......h.........
00007b40: 0000 8db3 d409 0000 ba00 0200 0089 3424  ..............4$

So, starting at the 7B20 column, you count E sets of two over, so the command is the next 4 bytes: 0F 85 91 0E.

Change those to 90 90 90 90, (nop instruction, ie: "Do nothing") so that it never takes that jump to the error.

Ta-dah!
Edit: I just realized that zip looks flashable, but it wasn't intended to be, and the permissions on the file are not set to executable. You'll need to copy this over in a recovery console and chmod 755 it.

Also: this came from a copy of android-x86 5.1-rc1, and has not been tested on anything else. I'd assume it works on any x86 device, but I can't necessarily assume it will work on anything other than 5.1. You've all been warned!
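As an added example that is not part of the thread or of any poster's attachment, here is a Python script that performs the same test the linker does in both the ARM disassembly in the first post (`ldrh r2, [r1, #16]` / `cmp r2, #3`) and the x86 disassembly above (`cmp word [ds:edi+0x10], 0x3`): it reads the 16-bit `e_type` field at offset 16 of the ELF header and reports anything that is not `ET_DYN` (3), so a developer can audit the native executables they ship before they hit the "only position independent executables" error. The sample ELF headers are constructed, and the file names are placeholders.

```python
#!/usr/bin/env python3
"""Audit native binaries for the Android "L" PIE check.

The linker reads e_type (16-bit, offset 16 of the ELF header) and refuses
anything that is not ET_DYN.  This script applies the same test so the
binaries that will fail can be found before they are shipped.
The sample headers below are constructed; nothing is read from a device.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # classic executable with a fixed load address (non-PIE)
ET_DYN = 3    # shared object / position-independent executable


def elf_type(data: bytes) -> int:
    """Return e_type from an ELF image, honouring the header's endianness."""
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_data = data[5]                      # 1 = little endian, 2 = big endian
    if ei_data not in (1, 2):
        raise ValueError("bad EI_DATA byte %d" % ei_data)
    fmt = "<H" if ei_data == 1 else ">H"
    # e_type sits at offset 16 in both ELF32 and ELF64 headers.
    return struct.unpack_from(fmt, data, 16)[0]


def is_pie(data: bytes) -> bool:
    """True when the Android L linker would accept this image (ET_DYN)."""
    return elf_type(data) == ET_DYN


def header(e_type: int, ei_class: int = 1, ei_data: int = 1, machine: int = 0x28) -> bytes:
    """Build a constructed minimal ELF header; only the fields we test are real."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\0" * 9   # 16-byte e_ident
    fmt = "<" if ei_data == 1 else ">"
    return ident + struct.pack(fmt + "HH", e_type, machine)          # e_type, e_machine


# Constructed samples (names are placeholders): ARM is EM_ARM 0x28, x86 is EM_386 3.
SAMPLES = {
    "curl (non-PIE, ARM)": header(ET_EXEC),
    "curl-pie (ARM)": header(ET_DYN),
    "linker (x86)": header(ET_DYN, machine=0x03),
    "big-endian ET_EXEC": header(ET_EXEC, ei_data=2),
}


def audit(images: dict) -> dict:
    """Map each image name to 'ok', 'will fail PIE check' or 'not ELF'."""
    results = {}
    for name, data in images.items():
        try:
            results[name] = "ok" if is_pie(data) else "will fail PIE check"
        except ValueError:
            results[name] = "not ELF"
    return results


def read_header(path: str) -> bytes:
    """Read just enough of a file on disk to run the check."""
    with open(path, "rb") as fh:
        return fh.read(64)


def main(argv):
    # With file arguments, audit those; otherwise run on the constructed samples.
    images = {p: read_header(p) for p in argv[1:]} or SAMPLES
    for name, verdict in audit(images).items():
        print("%-24s %s" % (name, verdict))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the paths of the executables in your APK's assets or lib directory; any line reporting "will fail PIE check" is a binary that needs to be rebuilt with `-fPIE -pie`.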