[KERNEL] [KEXEC] Kernel EXECution for locked devices [N900V] [WIP]

hsbadr

Inactive Recognized Developer
May 18, 2014
THIS THREAD IS WIP & FOR DEVELOPERS ONLY!

Technical information with sources & binaries is in post #2. It includes kernel building, kexec-module, kexec-tools, hijack script, required patches & current problems with logs.
What is kexec?
--------------------------------------------------------------------------------------------------------

kexec or kernel execution is a module/mechanism of the kernel that allows live/hot booting of a new/custom kernel "over" the currently running kernel. For more info, read the useful threads/links below.

kexec could be used to load a custom kernel into memory & yes, we'll then be able to install AOSP ROMs or in general run a custom kernel compatible with our device.
Updates:
--------------------------------------------------------------------------------------------------------

[09/01/2014]:
kexec module has been successfully patched & loaded/inserted into both NC2 & NC4 stock kernels. Now, I'm working on compiling/loading a guest kernel & fixing possible problems/bugs.
[08/31/2014]:
Two versions of HLTEVZW KK kernel have been compiled from source: one uses the default configurations & the 2nd adds custom capabilities & kexec boot options. Moreover, kexec-tools & module have been cross-compiled. Now, I'm working on patches for kexec module & guest kernel (the hardest part).
[08/01/2014]:
I've successfully flashed a custom kernel on my device. This trips knox flag & isn't 100% related to kexec, but it has the same objective (loading custom kernel on the locked-bootloader devices). However, the bootloader makes a security check & blocks the installed kernel with the "unauthorized software by VZW" warning. Then, I tried to patch the bootloader to remove this security check, but my device was HARD BRICKED. Now, I've created a General thread for how to recover from a HARD BRICK. This is promising info for testing bootloader exploits.

Status
--------------------------------------------------------------------------------------------------------

Supported NC2 & NC4 kernels

Working kexec-tools

Loaded kexec module

WIP kexec/guest kernel

Thanks to / Credits:
--------------------------------------------------------------------------------------------------------

@sextape - for the leaked NC2 firmware

@Hashcode - for his great work on kernel/recovery
...

Please PM me if I forgot to add proper credits for your work!

XDA:DevDB Information
KEXEC, Kernel for the Verizon Samsung Galaxy Note 3

Contributors
hsbadr, CalcProgrammer1, ryanbg
Kernel Special Features:

Version Information
Status: Testing

Created 2014-07-11
Last Updated 2015-02-15
 

hsbadr

Inactive Recognized Developer
May 18, 2014
Technical Information

This post is reserved for technical information with sources & binaries. This includes kernel building, kexec-module, kexec-tools, hijack script, required patches & current problems.

Kernel Building:
--------------------------------------------------------------------------------------------------------
The first step for building working kexec-module & tools is to cross-compile the kernel from source with the correct configurations. I won't describe how to build a kernel from source, but you may find this thread very useful.

I've used two different sources for the NC4/NC2 HLTE_VZW KK kernels. The 1st one is a part of SM-N900V_NA_KK_Opensource.zip released by Samsung for N900V NC4 kernel while the 2nd is available on @Hashcode's Github profile with 3 branches: hltevzw-kk-nc2 branch is modified for N900V NC2 kernel + 15 commits for compiling kexec as a module & other kexec patches.

The instructions provided by Samsung to build the NC4 kernel are to update CROSS_COMPILE toolchain environment variable in the Makefile & build with the default configurations as follows:
Code:
export ARCH=arm
make VARIANT_DEFCONFIG=msm8974_sec_hlte_vzw_defconfig msm8974_sec_defconfig SELINUX_DEFCONFIG=selinux_defconfig
make
However, I've patched the sources & used menuconfig interface to customize kernel configurations as follows:
Code:
export ARCH=arm
make VARIANT_DEFCONFIG=msm8974_sec_hlte_vzw_defconfig msm8974_sec_defconfig SELINUX_DEFCONFIG=selinux_defconfig menuconfig
make
(menuconfig is added in the second line)

The default output is the kernel image (arch/arm/boot/zImage) & modules (drivers/*/*.ko). The kexec-module(s) will be built if you patched the sources & configured it as a module.

You may then use dtbTool to generate device tree dt.img & mkbootimg to pack the kernel in boot.img.

Kexec Module:
--------------------------------------------------------------------------------------------------------
There're many different flavors of kexec-mod sources. @delewer in this thread uses a standalone kexec-mod source MOD'd for Sony Xperia Z1 to be cross-compiled against the precompiled kernel source while @Hashcode in his sources on Github patches the kernel source to cross-compile kexec-mod with the kernel. Some modules may or may not use/port the hardboot patches. The output for kexec module/drivers has different names (the standalone kexec-mod source generates kexec_load.ko & procfs_rw.ko while the kernel source patched by @Hashcode generates 3 modules: arm_kexec.ko, msm_kexec.ko & kexec.ko).

To test if the cross-compiled modules are loadable & have the correct kernel headers, use insmod in terminal emulator (or a safe point with terminal like Safestrap) to insert the module into the kernel (assuming you've kexec.ko in /system/lib/modules/):
Code:
insmod /system/lib/modules/kexec.ko
Then, use lsmod to list & show the status of loaded modules:
Code:
lsmod
Alternatively, you may check if the system calls of the kernel include kexec functions using:
Code:
cat /proc/kallsyms | grep kexec
The kexec-modules I've compiled are loadable & have been successfully inserted into both NC4 & NC2 kernels.

I'm using my own sources for kexec-module based on others & I'll share the sources with binaries & modules after making some required tests.


Kexec Tools:
--------------------------------------------------------------------------------------------------------
I'm using the latest version of kexec-tools from here (currently, kexec-tools-2.0.8.tar.gz) cross-compiled for arm with custom configurations. Three binaries are generated including kexec (directly boot into a new kernel) & kdump (display kernel trace data). For more info, check the manpage of each binary & kexec/kexec-tools manuals/guides.

To test your kexec-tools cross-compiled binaries for arm,
Code:
kexec --help
assuming that they're in your PATH (e.g., /system/xbin) with executable permissions (e.g., 755).

Hijack Script:
--------------------------------------------------------------------------------------------------------
will be updated soon...

Required Patches:
--------------------------------------------------------------------------------------------------------
will be updated soon...

Current Problems/Logs:
--------------------------------------------------------------------------------------------------------
will be updated soon...
 
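Before the insmod/lsmod test in the Kexec Module section, it helps to check that a cross-compiled module was actually built for the running kernel, which is also where the symbol CRC/MODVERSIONS trouble shows up. The script below is an added example, not code from this thread or from hsbadr's sources: it separates global from local kexec symbols in /proc/kallsyms text and compares the module's vermagic release with the kernel release; the kallsyms and modinfo text are constructed samples, and on the device the module metadata is assumed to come from modinfo or from `strings kexec.ko | grep '^vermagic='`.

```shell
#!/bin/sh
# Added example (not from the thread): offline pre-insmod checks for a kexec
# module. Functions take text so they run on the constructed samples below;
# on the device pass "$(cat /proc/kallsyms)" and the module's modinfo output.

# Constructed sample of /proc/kallsyms lines (format: addr type name).
SAMPLE_KALLSYMS='c0100000 T machine_kexec
c0100100 t kexec_crash_prepare
c0100200 D kexec_image
c0100300 T sys_kexec_load
c0100400 T printk'

# Constructed sample of modinfo output for a module built against 3.4.0.
SAMPLE_MODINFO='filename:       /system/lib/modules/kexec.ko
license:        GPL
depends:        arm_kexec,msm_kexec
vermagic:       3.4.0 SMP preempt mod_unload modversions ARMv7'

# Like `grep kexec /proc/kallsyms`, but separates global symbols (uppercase
# type letter, the ones a module can import) from local ones (lowercase).
# Prints "<global> <local>".
count_kexec_syms() {
    printf '%s\n' "$1" | awk '/kexec/ { if ($2 ~ /^[A-Z]$/) g++; else l++ }
                               END { printf "%d %d\n", g + 0, l + 0 }'
}

# Kernel release recorded in the module's vermagic. Accepts the modinfo form
# ("vermagic:  3.4.0 ...") and the raw .modinfo form ("vermagic=3.4.0 ...").
module_release() {
    mag=$(printf '%s\n' "$1" | awk -F'[:=] *' '/^vermagic[:=]/ { print $2 }')
    printf '%s\n' "${mag%% *}"
}

# Returns 0 when the module's release equals the running kernel's release
# ($2, normally "$(uname -r)"). A mismatch means insmod will refuse the
# module (or it was built against the wrong tree): rebuild, don't force it.
vermagic_matches() {
    [ "$(module_release "$1")" = "$2" ]
}

# Stand-alone run against the constructed samples.
echo "kexec symbols (global local): $(count_kexec_syms "$SAMPLE_KALLSYMS")"
if vermagic_matches "$SAMPLE_MODINFO" "3.4.0"; then
    echo "vermagic OK: module release matches the kernel"
else
    echo "vermagic mismatch: rebuild the module against the running kernel"
fi
```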

hsbadr

Inactive Recognized Developer
May 18, 2014
My eyes about popped out the side of my head when I saw this! It says you're in testing, have you had any luck at all? Thank you thank you thank you BTW!
I've tested several binaries for the same kernel version, but none works for now. I'll compile from source & see. However, please keep this thread for devs discussions only until we release working kexec & guest kernel.
 

bmwh0r3

Senior Member
Apr 17, 2014
Trying to keep the n3 alive before the n4 arrives? Lol seriously though congrats and thank you. Hope you and the devs here have the best of luck. We, the re owners, appreciate all you have done already for us.
 

hsbadr

Inactive Recognized Developer
May 18, 2014
Trying to keep the n3 alive before the n4 arrives? Lol seriously though congrats and thank you. Hope you and the devs here have the best of luck. We, the re owners, appreciate all you have done already for us.
Note 4 is useless until it gets root & custom ROMs. For me, it'll be better ONLY IF we can break its security & unlock bootloader!
 

bmwh0r3

Senior Member
Apr 17, 2014
Just a thought I had when unlocking my spare RAZR hd, but the kernels on the Razr and my note 3 are 3.4.97 and 3.4.0. Is the exploit part of the kernel or is there a reason I'm a user and not a Dev? If it is, motopacalypse.apk is what unlocked my RAZR. I'm just trying to learn so please don't think I'm a moron. I just don't know the coding aspect of android at all.
 

kvnhmmd

Senior Member
Jun 15, 2013
Many forum lurkers like me have been anxiously waiting for this breakthrough! Don't give up! I also believe in donating to hardworking devs like you guys! Good luck...
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
I've been working on kexec for a little while now with limited success. My biggest problem is getting the 4-byte CRCs for the kernel symbols used by the kexec module. Same with a few other projects I'm working on. They compiled the NC2 kernel with MOD VERSION and CRC. I've compiled it from source, but there's so much work to be done my head is spinning.
 

kvnhmmd

Senior Member
Jun 15, 2013
I've been working on kexec for a little while now with limited success. My biggest problem is getting the 4-byte CRCs for the kernel symbols used by the kexec module. Same with a few other projects I'm working on. They compiled the NC2 kernel with MOD VERSION and CRC. I've compiled it from source, but there's so much work to be done my head is spinning.
Good luck! Lots of us are waiting for this!
 

117micc

Senior Member
Apr 12, 2009
I've been working on kexec for a little while now with limited success. My biggest problem is getting the 4-byte CRCs for the kernel symbols used by the kexec module. Same with a few other projects I'm working on. They compiled the NC2 kernel with MOD VERSION and CRC. I've compiled it from source, but there's so much work to be done my head is spinning.
Keep it up man, I understand the hard work involved in doing something like this, but it will definitely pay off in the end!!! Thank you for your hard work and dedication, you got a lot of people counting on you :D

Sent from my BajaRom "L" Themed Note 3 :D
 

hsbadr

Inactive Recognized Developer
May 18, 2014
I've been working on kexec for a little while now with limited success. My biggest problem is getting the 4-byte CRCs for the kernel symbols used by the kexec module. Same with a few other projects I'm working on. They compiled the NC2 kernel with MOD VERSION and CRC. I've compiled it from source, but there's so much work to be done my head is spinning.
I see. Let me know if you'd like to contribute to this thread. I'll update it soon with more details about the required patches & the preliminary results of my tests, after releasing a new version of JasmineROM.
 

ironfisted

Senior Member
Aug 23, 2011
I've been working on kexec for a little while now with limited success. My biggest problem is getting the 4-byte CRCs for the kernel symbols used by the kexec module. Same with a few other projects I'm working on. They compiled the NC2 kernel with MOD VERSION and CRC. I've compiled it from source, but there's so much work to be done my head is spinning.
I was told by a defy dev that we would have better luck contacting hp touch pad kernel devs. I guess their kernel is more like ours I guess. Idk. I never tried contacting dev from there yet