Learning About AVB Android Verified Boot (Boot.img dtb.img, vbmeta.img, and the "staging blob")

@Renate thank you so much for taking the time. I will read and re-read every thing you have said now and again tomorrow after some sleep. Just Thank You Thank You you've saved me days of banging my head against the wall and really provided a clear path forward. Haha and I love the humor you add in these teachings. "It could be the first 1000 digits of pi" hahaha "Behave yourself!" !
Hi @Renate! I am reading about objdump now and it talks a lot about "displaying information" and "disassembly to view", but is it able to make edits? Is this the program You use? Or which decompiler do You prefer to make patches or mods with? I would like to focus on learning the tools you know because you know all the things I want to know!

I am trying to play with Ghidra now

I feel like I am not looking at the right view haha! but I am trying! I have watched so many videos on this I want to be able to do it so bad x.x disassembly has just never "clicked" for me yet

What I am watching now

John shows how to open the defined strings window in that video



OHH and Renate! Should I be using arm for the decompiler or should I be using x86? Like is it asking for the file I am using or the computer I am using??

Renate

Recognized Contributor / Inactive Recognized Dev
You have an ELF file. The disassembler should know already that it's AARCH64.
You should be looking at "Disassembled view".
Maybe you can click on "ADB_EXTERNAL_STORAGE" and select "where referenced" or some such thing.

Your disassembler program might have the ability of assembling single instructions and modifying.
If not you have to use an online assembler to come up with the codes.
Fortunately, most of the instructions you'd want to do are simple, load zero into this register, nop or branch.
When you know the offset and what you want to write you can use any hex editor.
Gosh, thanks Renate! I had no idea there were online assemblers as well, goodness you are opening up a new world here! I finally found a very good beginner video by a man with a very pleasantly calm voice

So maybe I can stop trying to fly before I have taken lessons >.> Thank you so much for helping me. I will figure out what you mean by this today

" load zero into this register, nop or branch." without having to ask! Haha!
I'm so happy I'm crying haha THANK YOU RENATE!!!! This, This is what I needed!!! Oh goodness! Idk why it never occurred to me to look up anything on the arm architecture specifically x.x that makes so much sense to do in hindsight. I made it to the register bits and yeah, the lights are starting to come on. YAYYYY.

What is a processor register?
What is a stack pointer?
What is a link register?
What is a program counter?
What actually is computer memory?

Renate

Recognized Contributor / Inactive Recognized Dev
Let's start with the basics. How big is your adbd file?
adbd used to be static linked and was around 1MB.
Later Google made it use a fistful of libs and it was less than 50kB.

In any case look for where "ADB_EXTERNAL_STORAGE" is used.
That's the start of where you want to modify.

Renate

Recognized Contributor / Inactive Recognized Dev
"Renate, how did you know to go to the external storage?"
You can look at your disassembler side-by-side with the Android source code.
You have to find the correct version, but things change slowly.
Also Google restructures the source code tree all the time and it's hard to find stuff.
Here's adbd daemon/main.cpp for Android 10: https://android.googlesource.com/platform/system/core/+/refs/heads/android10-dev/adb/daemon/main.cpp
It looks like we just want to eliminate line #230, drop_privileges(server_port)
BUT... drop_privileges() is actually a static function.
That means it's like all the code in drop_privileges() is copy/pasted into adbd_main().
There is no "bl" (branch and link) instruction going to an actual drop_privileges().
@Renate Brilliant! THANK YOU for linking the Source Code! I have heard these guys talking about loading the source code separately while they are in ghidra (i listen to this stuff at work) and in my mind I always pictured they were reading it from HxD. Which is silly now that I think about it. I've probably watched it too but it's easier to understand when you are working on something yourself.

Now to the Questions!!

So the version of android I am working with is android 9, with this adbd, does that matter? Interestingly, for this device Nvidia Skipped android 10 and went straight to 11 lol. No idea why!

I tried searching for any strings related to this
"It looks like we just want to eliminate line #230, drop_privileges(server_port)"

but got no results.

I am super sorry, but what specifically do you all mean when you say to look at the disassembler side by side with the source code? Like now I understand the source code part, and can look for the 9 version if that matters, but, when I start adbd in ghidra, should I be looking at the listing window or should I be looking at some other view? I really apologize for the I'm sure super basic questions to you, but I really appreciate you helping me to understand
Okay @Renate so I was able to look at some of the Source codes for android 9 and none of them are matching up with what I have got going on. Like this one for instance: https://android.googlesource.com/pl...fs/tags/android-9.0.0_r61/adb/daemon/main.cpp

I will continue reading mine and I will link it here in case you have any idea if I did the right thing or not. I do see where there is talk of the minijail! Looking for drop_privileges now
Code:
/* WARNING: Could not reconcile some variable overlaps */
/* adbd_main(int) */

undefined8 adbd_main(int param_1)

{
  undefined **ppuVar1;
  ulong uVar2;
  undefined4 uVar3;
  long lVar4;
  uint uVar5;
  int iVar6;
  int iVar7;
  char *pcVar8;
  long lVar9;
  undefined8 *puVar10;
  undefined4 *puVar11;
  basic_ostream *pbVar12;
  int *piVar13;
  long lVar14;
  code *pcVar15;
  ulong uVar16;
  ulong local_118;
  undefined8 uStack_110;
  void *local_108;
  basic_string local_100;
  undefined7 uStack_ff;
  undefined uStack_f8;
  undefined7 uStack_f7;
  undefined local_f0;
  undefined4 uStack_ef;
  undefined uStack_eb;
  undefined2 uStack_ea;
  ulong local_e0;
  ulong uStack_d8;
  undefined **local_d0;
  code *pcStack_c8;
  undefined ***local_b0;
  basic_string local_a0;
  undefined7 uStack_9f;
  undefined uStack_98;
  undefined7 uStack_97;
  undefined local_90;
  undefined4 uStack_8f;
  undefined uStack_8b;
  undefined2 uStack_8a;
  undefined4 uStack_88;
  undefined4 local_84;
  undefined4 uStack_80;
  undefined8 uStack_7c;
 
  lVar4 = tpidr_el0;
  lVar14 = *(long *)(lVar4 + 0x28);
  __umask_chk(0);
  signal(0xd,(__sighandler_t)0x1);
  init_transport_registration();
  adbd_cloexec_auth_socket();
  adbd_auth_init();
  pcVar8 = getenv("ADB_EXTERNAL_STORAGE");
  if (pcVar8 == (char *)0x0) {
    if (((adb_trace_mask & 1) != 0) &&
       (pcVar8 = (char *)android::base::GetMinimumLogSeverity(), (int)pcVar8 < 2)) {
      puVar11 = (undefined4 *)__errno();
      uVar3 = *puVar11;
      android::base::LogMessage::LogMessage
                ((LogMessage *)&local_a0,"system/core/adb/daemon/main.cpp",199,0,1,(char *)0x0,-1);
      pbVar12 = (basic_ostream *)ENGINE_get_RSA_method(&local_a0);
      android::base::StringPrintf
                ("Warning: ADB_EXTERNAL_STORAGE is not set.  Leaving EXTERNAL_STORAGE unchanged.\n");
      uVar2 = (ulong)((byte)local_e0 >> 1);
      ppuVar1 = (undefined **)((ulong)&local_e0 | 1);
      if ((local_e0 & 1) != 0) {
        uVar2 = uStack_d8;
        ppuVar1 = local_d0;
      }
      std::__1::__put_character_sequence<char,std::__1::char_traits<char>>
                (pbVar12,(char *)ppuVar1,uVar2);
      if (((byte)local_e0 & 1) != 0) {
        operator.delete(local_d0);
      }
      pcVar8 = (char *)android::base::LogMessage::~LogMessage((LogMessage *)&local_a0);
      *puVar11 = uVar3;
    }
  }
  else {
    uVar5 = setenv("EXTERNAL_STORAGE",pcVar8,1);
    pcVar8 = (char *)(ulong)uVar5;
  }
  lVar9 = minijail_new(pcVar8);
  uStack_7c = 0xbc300000bc1;
  uStack_80 = 0xbbe;
  uStack_88 = 0x404;
  local_84 = 0x3f7;
  local_90 = 0xba;
  uStack_8f = 0xb900000b;
  uStack_8b = 0xb;
  uStack_8a = 0;
  uStack_98 = 0xec;
  uStack_97 = 0xbbb000003;
  local_a0 = (basic_string)0xf3;
  uStack_9f = 0x3ef000003;
  minijail_set_supplementary_gids(lVar9,0xb,&local_a0);
  minijail_use_caps(lVar9,0xc0);
  minijail_change_gid(lVar9,2000);
  minijail_change_uid(lVar9,2000);
  minijail_enter(lVar9);
  local_e0 = cap_get_proc();
  local_d0 = &PTR_debuggerd_fallback_handler_005570b0;
  pcStack_c8 = cap_free;
  local_b0 = &local_d0;
  iVar6 = cap_clear_flag(local_e0,2);
  if ((iVar6 == -1) && (iVar6 = android::base::GetMinimumLogSeverity(), iVar6 < 7)) {
    piVar13 = (int *)__errno();
    iVar6 = *piVar13;
    android::base::LogMessage::LogMessage
              ((LogMessage *)&local_100,"system/core/adb/daemon/main.cpp",0x8b,0,6,(char *)0x0,iVar6);
    pbVar12 = (basic_ostream *)ENGINE_get_RSA_method(&local_100);
    std::__1::__put_character_sequence<char,std::__1::char_traits<char>>
              (pbVar12,"cap_clear_flag(INHERITABLE) failed",0x22);
    android::base::LogMessage::~LogMessage((LogMessage *)&local_100);
    *piVar13 = iVar6;
  }
  iVar6 = cap_clear_flag(local_e0,0);
  if ((iVar6 == -1) && (iVar6 = android::base::GetMinimumLogSeverity(), iVar6 < 7)) {
    piVar13 = (int *)__errno();
    iVar6 = *piVar13;
    android::base::LogMessage::LogMessage
              ((LogMessage *)&local_100,"system/core/adb/daemon/main.cpp",0x8e,0,6,(char *)0x0,iVar6);
    pbVar12 = (basic_ostream *)ENGINE_get_RSA_method(&local_100);
    std::__1::__put_character_sequence<char,std::__1::char_traits<char>>
              (pbVar12,"cap_clear_flag(PEMITTED) failed",0x1f);
    android::base::LogMessage::~LogMessage((LogMessage *)&local_100);
    *piVar13 = iVar6;
  }
  iVar6 = cap_clear_flag(local_e0,1);
  if ((iVar6 == -1) && (iVar6 = android::base::GetMinimumLogSeverity(), iVar6 < 7)) {
    piVar13 = (int *)__errno();
    iVar6 = *piVar13;
    android::base::LogMessage::LogMessage
              ((LogMessage *)&local_100,"system/core/adb/daemon/main.cpp",0x91,0,6,(char *)0x0,iVar6);
    pbVar12 = (basic_ostream *)ENGINE_get_RSA_method(&local_100);
    std::__1::__put_character_sequence<char,std::__1::char_traits<char>>
              (pbVar12,"cap_clear_flag(PEMITTED) failed",0x1f);
    android::base::LogMessage::~LogMessage((LogMessage *)&local_100);
    *piVar13 = iVar6;
  }
  iVar6 = cap_set_proc(local_e0);
  if ((iVar6 != 0) && (iVar6 = android::base::GetMinimumLogSeverity(), iVar6 < 7)) {
    piVar13 = (int *)__errno();
    iVar6 = *piVar13;
    android::base::LogMessage::LogMessage
              ((LogMessage *)&local_100,"system/core/adb/daemon/main.cpp",0x94,0,6,(char *)0x0,iVar6);
    pbVar12 = (basic_ostream *)ENGINE_get_RSA_method(&local_100);
    std::__1::__put_character_sequence<char,std::__1::char_traits<char>>
              (pbVar12,"cap_set_proc() failed",0x15);
    android::base::LogMessage::~LogMessage((LogMessage *)&local_100);
    *piVar13 = iVar6;
  }
  if (((adb_trace_mask & 1) != 0) && (iVar6 = android::base::GetMinimumLogSeverity(), iVar6 < 2)) {
    puVar11 = (undefined4 *)__errno();
    uVar3 = *puVar11;
    android::base::LogMessage::LogMessage
              ((LogMessage *)&local_118,"system/core/adb/daemon/main.cpp",0x97,0,1,(char *)0x0,-1);
    pbVar12 = (basic_ostream *)ENGINE_get_RSA_method(&local_118);
    android::base::StringPrintf("Local port disabled");
    uVar2 = (ulong)((byte)local_100 >> 1);
    pcVar8 = (char *)((ulong)&local_100 | 1);
    if (((byte)local_100 & 1) != 0) {
      uVar2 = CONCAT71(uStack_f7,uStack_f8);
      pcVar8 = (char *)CONCAT26(uStack_ea,CONCAT15(uStack_eb,CONCAT41(uStack_ef,local_f0)));
    }
    std::__1::__put_character_sequence<char,std::__1::char_traits<char>>(pbVar12,pcVar8,uVar2);
    if (((byte)local_100 & 1) != 0) {
      operator.delete((void *)CONCAT26(uStack_ea,CONCAT15(uStack_eb,CONCAT41(uStack_ef,local_f0))));
    }
    android::base::LogMessage::~LogMessage((LogMessage *)&local_118);
    *puVar11 = uVar3;
  }
  uVar2 = local_e0;
  local_e0 = 0;
  if (uVar2 != 0) {
    local_100 = SUB81(uVar2,0);
    uStack_ff = (undefined7)(uVar2 >> 8);
    if (local_b0 == (undefined ***)0x0) {
                    /* WARNING: Subroutine does not return */
      abort();
    }
    (*(code *)(*local_b0)[6])(local_b0,&local_100);
  }
  if (&local_d0 == local_b0) {
    pcVar15 = (code *)(*local_b0)[4];
LAB_00405120:
    (*pcVar15)();
  }
  else if (local_b0 != (undefined ***)0x0) {
    pcVar15 = (code *)(*local_b0)[5];
    goto LAB_00405120;
  }
  if (lVar9 != 0) {
    minijail_destroy(lVar9);
  }
  iVar6 = access("/dev/usb-ffs/adb/ep0",0);
  if (iVar6 == 0) {
    usb_init();
  }
  local_a0 = (basic_string)0x28;
  uStack_8a = 0;
  local_100 = (basic_string)0x0;
  uStack_ff = 0;
  uStack_f8 = 0;
  uStack_f7 = 0;
  uStack_8f = 0x74726f70;
  uStack_97 = 0x7063742e626461;
  local_90 = 0x2e;
  uStack_9f = 0x65636976726573;
  uStack_98 = 0x2e;
  uStack_8b = 0;
  local_f0 = 0;
  uStack_ef = 0;
  uStack_eb = 0;
  uStack_ea = 0;
  android::base::GetProperty(&local_a0,&local_100);
  if (((byte)local_100 & 1) != 0) {
    operator.delete((void *)CONCAT26(uStack_ea,CONCAT15(uStack_eb,CONCAT41(uStack_ef,local_f0))));
  }
  if (((byte)local_a0 & 1) != 0) {
    operator.delete((void *)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90))));
  }
  uVar16 = (ulong)((byte)local_e0 >> 1);
  uVar2 = uVar16;
  if ((local_e0 & 1) != 0) {
    uVar2 = uStack_d8;
  }
  if (uVar2 == 0) {
    local_100 = (basic_string)0x28;
    uStack_ea = 0;
    local_118 = 0;
    uStack_110 = 0;
    uStack_ef = 0x74726f70;
    uStack_f7 = 0x7063742e626461;
    local_f0 = 0x2e;
    uStack_ff = 0x74736973726570;
    uStack_f8 = 0x2e;
    uStack_eb = 0;
    local_108 = (void *)0x0;
    android::base::GetProperty(&local_100,(basic_string *)&local_118);
    if ((local_e0 & 1) == 0) {
      local_e0 = local_e0 & 0xffffffffffff0000;
    }
    else {
      *(char *)local_d0 = '\0';
      uStack_d8 = 0;
    }
    std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>::reserve
              ((basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> *)&local_e0,0);
    local_d0 = (undefined **)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90)));
    uStack_d8 = CONCAT71(uStack_97,uStack_98);
    local_e0 = CONCAT71(uStack_9f,local_a0);
    local_a0 = (basic_string)0x0;
    uStack_9f = 0;
    uStack_98 = 0;
    uStack_97 = 0;
    local_90 = 0;
    uStack_8f = 0;
    uStack_8b = 0;
    uStack_8a = 0;
    if ((local_118 & 1) != 0) {
      operator.delete(local_108);
    }
    if (((byte)local_100 & 1) != 0) {
      operator.delete((void *)CONCAT26(uStack_ea,CONCAT15(uStack_eb,CONCAT41(uStack_ef,local_f0))));
    }
    uVar16 = (ulong)((byte)local_e0 >> 1);
  }
  if (((byte)local_e0 & 1) != 0) {
    uVar16 = uStack_d8;
  }
  if (uVar16 == 0) {
    puVar10 = (undefined8 *)operator.new(0x30);
    local_f0 = SUB81(puVar10,0);
    uStack_ef = (undefined4)((ulong)puVar10 >> 8);
    uStack_eb = (undefined)((ulong)puVar10 >> 0x28);
    uStack_ea = (undefined2)((ulong)puVar10 >> 0x30);
    *(undefined *)(puVar10 + 4) = 0;
    puVar10[1] = 0x6e2e726f646e6576;
    *puVar10 = 0x2e74736973726570;
    puVar10[3] = 0x74726f702e706374;
    puVar10[2] = 0x2e6264612e616476;
    local_118 = 0;
    uStack_110 = 0;
    uStack_f8 = 0x20;
    uStack_f7 = 0;
    local_100 = (basic_string)0x31;
    uStack_ff = 0;
    local_108 = (void *)0x0;
    android::base::GetProperty(&local_100,(basic_string *)&local_118);
    if ((local_e0 & 1) == 0) {
      local_e0 = local_e0 & 0xffffffffffff0000;
    }
    else {
      *(char *)local_d0 = '\0';
      uStack_d8 = 0;
    }
    std::__1::basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>>::reserve
              ((basic_string<char,std::__1::char_traits<char>,std::__1::allocator<char>> *)&local_e0,0);
    local_d0 = (undefined **)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90)));
    uStack_d8 = CONCAT71(uStack_97,uStack_98);
    local_e0 = CONCAT71(uStack_9f,local_a0);
    local_a0 = (basic_string)0x0;
    uStack_9f = 0;
    uStack_98 = 0;
    uStack_97 = 0;
    local_90 = 0;
    uStack_8f = 0;
    uStack_8b = 0;
    uStack_8a = 0;
    if ((local_118 & 1) != 0) {
      operator.delete(local_108);
    }
    if (((byte)local_100 & 1) != 0) {
      operator.delete((void *)CONCAT26(uStack_ea,CONCAT15(uStack_eb,CONCAT41(uStack_ef,local_f0))));
    }
  }
  ppuVar1 = (undefined **)((ulong)&local_e0 | 1);
  if (((byte)local_e0 & 1) != 0) {
    ppuVar1 = local_d0;
  }
  iVar7 = sscanf((char *)ppuVar1,"%d",&local_118);
  if ((iVar7 == 1) && (0 < (int)local_118)) {
    if (((adb_trace_mask & 1) != 0) && (iVar6 = android::base::GetMinimumLogSeverity(), iVar6 < 2)) {
      puVar11 = (undefined4 *)__errno();
      uVar3 = *puVar11;
      android::base::LogMessage::LogMessage
                ((LogMessage *)&local_100,"system/core/adb/daemon/main.cpp",0xe0,0,1,(char *)0x0,-1);
      pbVar12 = (basic_ostream *)ENGINE_get_RSA_method(&local_100);
      android::base::StringPrintf("using port=%d",local_118 & 0xffffffff);
      uVar2 = (ulong)((byte)local_a0 >> 1);
      pcVar8 = (char *)((ulong)&local_a0 | 1);
      if (((byte)local_a0 & 1) != 0) {
        uVar2 = CONCAT71(uStack_97,uStack_98);
        pcVar8 = (char *)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90)));
      }
      std::__1::__put_character_sequence<char,std::__1::char_traits<char>>(pbVar12,pcVar8,uVar2);
      if (((byte)local_a0 & 1) != 0) {
        operator.delete((void *)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90))));
      }
      android::base::LogMessage::~LogMessage((LogMessage *)&local_100);
      *puVar11 = uVar3;
    }
    local_init((int)local_118);
  }
  else {
    if (iVar6 == 0) goto LAB_004053b0;
    local_init(0x15b3);
    local_118._0_4_ = 0x15b3;
  }
  setup_mdns((int)local_118);
LAB_004053b0:
  if (((adb_trace_mask & 1) != 0) && (iVar6 = android::base::GetMinimumLogSeverity(), iVar6 < 2)) {
    puVar11 = (undefined4 *)__errno();
    uVar3 = *puVar11;
    android::base::LogMessage::LogMessage
              ((LogMessage *)&local_100,"system/core/adb/daemon/main.cpp",0xe8,0,1,(char *)0x0,-1);
    pbVar12 = (basic_ostream *)ENGINE_get_RSA_method(&local_100);
    android::base::StringPrintf("adbd_main(): pre init_jdwp()");
    uVar2 = (ulong)((byte)local_a0 >> 1);
    pcVar8 = (char *)((ulong)&local_a0 | 1);
    if (((byte)local_a0 & 1) != 0) {
      uVar2 = CONCAT71(uStack_97,uStack_98);
      pcVar8 = (char *)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90)));
    }
    std::__1::__put_character_sequence<char,std::__1::char_traits<char>>(pbVar12,pcVar8,uVar2);
    if (((byte)local_a0 & 1) != 0) {
      operator.delete((void *)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90))));
    }
    android::base::LogMessage::~LogMessage((LogMessage *)&local_100);
    *puVar11 = uVar3;
  }
  init_jdwp();
  if (((adb_trace_mask & 1) != 0) && (iVar6 = android::base::GetMinimumLogSeverity(), iVar6 < 2)) {
    puVar11 = (undefined4 *)__errno();
    uVar3 = *puVar11;
    android::base::LogMessage::LogMessage
              ((LogMessage *)&local_100,"system/core/adb/daemon/main.cpp",0xea,0,1,(char *)0x0,-1);
    pbVar12 = (basic_ostream *)ENGINE_get_RSA_method(&local_100);
    android::base::StringPrintf("adbd_main(): post init_jdwp()");
    uVar2 = (ulong)((byte)local_a0 >> 1);
    pcVar8 = (char *)((ulong)&local_a0 | 1);
    if (((byte)local_a0 & 1) != 0) {
      uVar2 = CONCAT71(uStack_97,uStack_98);
      pcVar8 = (char *)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90)));
    }
    std::__1::__put_character_sequence<char,std::__1::char_traits<char>>(pbVar12,pcVar8,uVar2);
    if (((byte)local_a0 & 1) != 0) {
      operator.delete((void *)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90))));
    }
    android::base::LogMessage::~LogMessage((LogMessage *)&local_100);
    *puVar11 = uVar3;
  }
  if (((adb_trace_mask & 1) != 0) && (iVar6 = android::base::GetMinimumLogSeverity(), iVar6 < 2)) {
    puVar11 = (undefined4 *)__errno();
    uVar3 = *puVar11;
    android::base::LogMessage::LogMessage
              ((LogMessage *)&local_100,"system/core/adb/daemon/main.cpp",0xec,0,1,(char *)0x0,-1);
    pbVar12 = (basic_ostream *)ENGINE_get_RSA_method(&local_100);
    android::base::StringPrintf("Event loop starting");
    uVar2 = (ulong)((byte)local_a0 >> 1);
    pcVar8 = (char *)((ulong)&local_a0 | 1);
    if (((byte)local_a0 & 1) != 0) {
      uVar2 = CONCAT71(uStack_97,uStack_98);
      pcVar8 = (char *)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90)));
    }
    std::__1::__put_character_sequence<char,std::__1::char_traits<char>>(pbVar12,pcVar8,uVar2);
    if (((byte)local_a0 & 1) != 0) {
      operator.delete((void *)CONCAT26(uStack_8a,CONCAT15(uStack_8b,CONCAT41(uStack_8f,local_90))));
    }
    android::base::LogMessage::~LogMessage((LogMessage *)&local_100);
    *puVar11 = uVar3;
  }
  fdevent_loop();
  if ((local_e0 & 1) != 0) {
    operator.delete(local_d0);
  }
  if (*(long *)(lVar4 + 0x28) != lVar14) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}
This is so much fun!

Renate

Recognized Contributor / Inactive Recognized Dev
Well, the details are different, but the drift is the same.
Get ADB_EXTERNAL_STORAGE, decide if you want to do anything, Set EXTERNAL_STORAGE.
Then you see minijail_new(), that's what you want to avoid.
So you want to replace that instruction (easier to see in disassembler view) with a branch to past all the minijail stuff.
Scroll down until you see the access() call.
Now that I have had some sleep... Time to play more!
documenting my fumbles to help me remember in the future when I am competent enough to write a guide

had to enable the disassembled view from window options and have decompiler in back

useful explanations from the link Renate shared
adrp: Form PC-relative address to 4KB page. (what is PC-relative?)
cbnz: Compare and Branch on Nonzero.
tbnz: Test bit and Branch if Nonzero

What is this? Is it what is going through and making everything root? I see where it remounts the other partitions too


what about this, what does the s_ mean? in my head right now, I imagine "say" but I know that is wrong. There's so many of these s_ functions, is it a function or what is that blue line actually referred to?


the image from the guide
[screenshot]

I switched the adbd main to graph view and goodness its amazing how much is behind the scenes x.x

He says Alt+Left Arrow and Alt+Right Arrow are the shortcut keys for stepping in and out
Very helpful
More helpful
Hi @Renate! Can we bypass the minijail by changing the arrows in the graph to just run somehow? I feel like I've seen some videos of people doing that in IDA on other things, but I don't know


I am really trying to find what you say here
"Scroll down until you see the access() call."
but I am struggling.

[screenshot]

I think I found it?

How to get dark theme on ghidra

courtesy of
https://www.reddit.com/r/ghidra/comments/b5z1e8
This is inverted colors with bare metal settings. The trouble for me is I cannot read the toolbar


These settings
[screenshot]

Result in:
[screenshot]

The "windows" option looks like the bare metal one, hardly able to read the menu or buttons

Windows Classic:
[screenshot]

I like this look the best

Renate

Recognized Contributor / Inactive Recognized Dev
405130 is your destination. That is the setup for the access() call
So you want to replace your minijail_new() with a jump to 405130
You can calculate it or else try values and play with it until the b(ranch) is in the right place.

I can't tell where the minijail_new() is because you're looking in C mode.
It's easier in assembler mode (like your last screen print).
Arrows and graphs are just visualization tools. I'm not sure that you can modify anything from them.
[screenshots]

Hi @Renate Thank you again for your answers! Maybe I can make enough sense to gather one last clue before I go to bed. Haha.

"So you want to replace your minijail_new() with a jump to 405130" Erm >.> How would I attempt to try this? So close!!!

I brought it up in two different views because I am dense and idk which is the C one to avoid it. Is the C one the one that says LAB_ blah blah?
    Magisk and its variants just start from a stock boot image.
    You can swap the modified image with friends as long as the original boot images were compatible.
    "I found the mini jail now..."
    Nope. You found the text string "minijail_changing_gid".
    If you changed that it would only change the text printed in the log.
    You want to find where that string is being used.
    For that you need to disassemble.
    Code:
        2110:	f0ffffe0 	adrp	x0, 1000 ; "ADB_EXTERNAL_STORAGE"
        2114:	91204000 	add	x0, x0, #0x810
        2118:	940004e6 	bl	34b0 ; getenv()@plt
        211c:	b40000e0 	cbz	x0, 2138
        2120:	aa0003e1 	mov	x1, x0
        2124:	f0ffffe0 	adrp	x0, 1000 ; "EXTERNAL_STORAGE"
        2128:	911cf000 	add	x0, x0, #0x73c
        212c:	320003e2 	orr	w2, wzr, #0x1
        2130:	940004e4 	bl	34c0 ; setenv()@plt
        2134:	14000005 	b	2148
        2138:	f0000008 	adrp	x8, 5000 ; 00005000
        213c:	f9418d08 	ldr	x8, [x8,#792]
        2140:	39400108 	ldrb	w8, [x8]
        2144:	37004908 	tbnz	w8, #0, 2a64
        2148:	140000e1 	b	24cc
    Yours will, of course, be different.
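As an added example (not Renate's or jenneh's code), here is a small Python decoder/encoder for the PC-relative instructions in the listing above. It recovers the targets objdump printed (which is what "PC-relative" means in the adrp description earlier in the thread: the word stores a distance from its own address, not an absolute address), and it shows how the branch word Renate says you can "calculate" is built and which bytes it becomes once an AArch64 word is written little-endian. The (address, word) pairs are transcribed from the listing; nothing else is assumed.

```python
"""AArch64 PC-relative decoding/encoding, checked against the adbd listing above.

Added example; the (address, instruction word) pairs are transcribed from the
listing in this post and nothing else is taken from a device.
"""
from typing import List, Optional, Tuple

# Transcribed from the listing above: (address, 32-bit instruction word).
ADBD_LISTING = [
    (0x2110, 0xF0FFFFE0), (0x2114, 0x91204000), (0x2118, 0x940004E6),
    (0x211C, 0xB40000E0), (0x2120, 0xAA0003E1), (0x2124, 0xF0FFFFE0),
    (0x2128, 0x911CF000), (0x212C, 0x320003E2), (0x2130, 0x940004E4),
    (0x2134, 0x14000005), (0x2138, 0xF0000008), (0x213C, 0xF9418D08),
    (0x2140, 0x39400108), (0x2144, 0x37004908), (0x2148, 0x140000E1),
]

NOP = 0xD503201F  # encoding of "nop", one of the simple replacements Renate lists


def sign_extend(value: int, bits: int) -> int:
    """Interpret the low `bits` bits of value as a two's-complement number."""
    if value & (1 << (bits - 1)):
        return value - (1 << bits)
    return value


def decode_pc_relative(pc: int, insn: int) -> Optional[Tuple[str, int]]:
    """Return (mnemonic, target) for B/BL/CBZ/CBNZ/TBZ/TBNZ/ADRP, else None.

    Every one of these stores an offset from the instruction's own address,
    so the same word placed elsewhere in the file points somewhere else.
    """
    top6 = insn >> 26
    if top6 in (0b000101, 0b100101):                  # B / BL: imm26, in words
        name = "b" if top6 == 0b000101 else "bl"
        return name, pc + 4 * sign_extend(insn & 0x3FFFFFF, 26)
    if ((insn >> 25) & 0x3F) == 0b011010:             # CBZ / CBNZ: imm19, in words
        name = "cbnz" if (insn >> 24) & 1 else "cbz"
        return name, pc + 4 * sign_extend((insn >> 5) & 0x7FFFF, 19)
    if ((insn >> 25) & 0x3F) == 0b011011:             # TBZ / TBNZ: imm14, in words
        name = "tbnz" if (insn >> 24) & 1 else "tbz"
        return name, pc + 4 * sign_extend((insn >> 5) & 0x3FFF, 14)
    if (insn & 0x9F000000) == 0x90000000:             # ADRP: imm21, in 4 KiB pages
        imm = (((insn >> 5) & 0x7FFFF) << 2) | ((insn >> 29) & 3)
        return "adrp", (pc & ~0xFFF) + 4096 * sign_extend(imm, 21)
    return None


def encode_b(pc: int, target: int) -> int:
    """Build the word for an unconditional `b target` that will sit at address pc."""
    offset = target - pc
    if offset % 4 or not -(1 << 27) <= offset < (1 << 27):
        raise ValueError("target must be 4-byte aligned and within +/-128 MiB of pc")
    return 0x14000000 | ((offset >> 2) & 0x3FFFFFF)


def patch_bytes(word: int) -> bytes:
    """The word as it appears in a hex editor: AArch64 code is little-endian."""
    return word.to_bytes(4, "little")


def annotate(listing: List[Tuple[int, int]]) -> List[str]:
    """Recreate the 'b 2148'-style target comments objdump printed for the listing."""
    out = []
    for pc, insn in listing:
        decoded = decode_pc_relative(pc, insn)
        if decoded:
            out.append(f"{pc:x}: {insn:08x} {decoded[0]} {decoded[1]:x}")
    return out


if __name__ == "__main__":
    for line in annotate(ADBD_LISTING):
        print(line)
    word = encode_b(0x2134, 0x2148)  # the `b 2148` at 2134 in the listing
    print(f"b 2134 -> 2148 = {word:08x}, hex editor bytes {patch_bytes(word).hex()}")
```

The `b` at 2134 comes back as 14000005 and the bytes a hex editor would show are 05 00 00 14, which is why the offset must be recomputed for wherever the replacement word actually lands.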
    "I was wondering if you have ever experienced lag in the adb shell?"
    No, I've found ADB to be pretty efficient when using multiple shells or adbsync.exe or adbgrab.exe
    Still, Google gets no credit for an adb.exe that takes over a second to start. I guess they just put lots of delays in to work around some race condition on an i386.
    @Renate Thank You for helping me to understand by providing all this Context. Now I get why that example i shared was failing and wouldn't or couldn't work. I really had no idea how everything is so device specific up to and including the binaries. Again sorry for a tangent, it just helps me to learn. Now that I know how to edit, I will start working in the area as you have said many times and report back. Sorry it didn't register until just now. Thank you Miss Renate!!!
    "And Are these images actually stored on the device physically Twice?"
    No, that -> tells you that they are just symbolic links.
    On some devices the "friendly names" are cryptic. On others some of them are more descriptive.
    Code:
    $ cd /dev/block/by-name/
    $ ls -l
    total 0
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 abl_a -> /dev/block/mmcblk0p19
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 abl_b -> /dev/block/mmcblk0p20
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 apdp -> /dev/block/mmcblk0p58
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 bluetooth_a -> /dev/block/mmcblk0p32
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 bluetooth_b -> /dev/block/mmcblk0p33
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 boot_a -> /dev/block/mmcblk0p36
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 boot_b -> /dev/block/mmcblk0p37
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 carrier -> /dev/block/mmcblk0p56
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 cid -> /dev/block/mmcblk0p53
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 cmnlib64_a -> /dev/block/mmcblk0p13
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 cmnlib64_b -> /dev/block/mmcblk0p14
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 cmnlib_a -> /dev/block/mmcblk0p11
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 cmnlib_b -> /dev/block/mmcblk0p12
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 ddr -> /dev/block/mmcblk0p29
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 devcfg_a -> /dev/block/mmcblk0p23
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 devcfg_b -> /dev/block/mmcblk0p24
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 devinfo -> /dev/block/mmcblk0p57
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 dhob -> /dev/block/mmcblk0p46
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 dsp_a -> /dev/block/mmcblk0p34
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 dsp_b -> /dev/block/mmcblk0p35
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 dtbo_a -> /dev/block/mmcblk0p38
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 dtbo_b -> /dev/block/mmcblk0p39
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 frp -> /dev/block/mmcblk0p52
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 fsc -> /dev/block/mmcblk0p71
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 fsg_a -> /dev/block/mmcblk0p69
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 fsg_b -> /dev/block/mmcblk0p70
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 hw -> /dev/block/mmcblk0p72
    lrwxrwxrwx 1 root root 20 1970-04-18 05:37 hyp_a -> /dev/block/mmcblk0p9
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 hyp_b -> /dev/block/mmcblk0p10
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 keymaster_a -> /dev/block/mmcblk0p15
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 keymaster_b -> /dev/block/mmcblk0p16
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 kpan -> /dev/block/mmcblk0p45
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 limits -> /dev/block/mmcblk0p65
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 logfs -> /dev/block/mmcblk0p60
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 logo_a -> /dev/block/mmcblk0p54
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 logo_b -> /dev/block/mmcblk0p55
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 metadata -> /dev/block/mmcblk0p50
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 misc -> /dev/block/mmcblk0p51
    lrwxrwxrwx 1 root root 18 1970-04-18 05:37 mmcblk0 -> /dev/block/mmcblk0
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 modem_a -> /dev/block/mmcblk0p30
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 modem_b -> /dev/block/mmcblk0p31
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 modemst1 -> /dev/block/mmcblk0p67
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 modemst2 -> /dev/block/mmcblk0p68
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 msadp -> /dev/block/mmcblk0p47
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 padA -> /dev/block/mmcblk0p74
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 padB -> /dev/block/mmcblk0p76
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 persist -> /dev/block/mmcblk0p48
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 prodpersist -> /dev/block/mmcblk0p49
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 prov_a -> /dev/block/mmcblk0p17
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 prov_b -> /dev/block/mmcblk0p18
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 qupfw_a -> /dev/block/mmcblk0p25
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 qupfw_b -> /dev/block/mmcblk0p26
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 recovery_a -> /dev/block/mmcblk0p40
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 recovery_b -> /dev/block/mmcblk0p41
    lrwxrwxrwx 1 root root 20 1970-04-18 05:37 rpm_a -> /dev/block/mmcblk0p7
    lrwxrwxrwx 1 root root 20 1970-04-18 05:37 rpm_b -> /dev/block/mmcblk0p8
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 sp -> /dev/block/mmcblk0p73
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 spunvm -> /dev/block/mmcblk0p59
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 ssd -> /dev/block/mmcblk0p42
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 storsec_a -> /dev/block/mmcblk0p27
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 storsec_b -> /dev/block/mmcblk0p28
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 super -> /dev/block/mmcblk0p75
    lrwxrwxrwx 1 root root 20 1970-04-18 05:37 tz_a -> /dev/block/mmcblk0p5
    lrwxrwxrwx 1 root root 20 1970-04-18 05:37 tz_b -> /dev/block/mmcblk0p6
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 uefisecapp_a -> /dev/block/mmcblk0p21
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 uefisecapp_b -> /dev/block/mmcblk0p22
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 uefivarstore -> /dev/block/mmcblk0p66
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 userdata -> /dev/block/mmcblk0p77
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 utags -> /dev/block/mmcblk0p43
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 utagsBackup -> /dev/block/mmcblk0p44
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 vbmeta_a -> /dev/block/mmcblk0p61
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 vbmeta_b -> /dev/block/mmcblk0p62
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 vbmeta_system_a -> /dev/block/mmcblk0p63
    lrwxrwxrwx 1 root root 21 1970-04-18 05:37 vbmeta_system_b -> /dev/block/mmcblk0p64
    lrwxrwxrwx 1 root root 20 1970-04-18 05:37 xbl_a -> /dev/block/mmcblk0p1
    lrwxrwxrwx 1 root root 20 1970-04-18 05:37 xbl_b -> /dev/block/mmcblk0p2
    lrwxrwxrwx 1 root root 20 1970-04-18 05:37 xbl_config_a -> /dev/block/mmcblk0p3
    lrwxrwxrwx 1 root root 20 1970-04-18 05:37 xbl_config_b -> /dev/block/mmcblk0p4
    $