
[Q] hacking the adb connection


earlenceferns, Member, Mar 9, 2010
Hello,

I am trying to use KillingInTheNameOf (on a compatible device) to write the

service.adb.tcp.port 5555

property. Then I try to restart adbd by killing it such that it will bind to 5555.
Then, my aim is to connect to this from code running on the device itself.


1. Is this possible?
2. I manage to write the property (I know this by listing the contents of the memory area in KillingInTheNameOf itself), but getprop returns blank.

http://pastebin.com/uC9HQYe6

-Earlence
 

earlenceferns, Member, Mar 9, 2010
updates

Update: I managed to insert the new property at the end of the list. Nothing crashes. Iterating through the shared memory lists the new property at the end, but getprop returns a blank.

These are the relevant parts of the code:

#include <stdio.h>
#include <string.h>
#include <sys/_system_properties.h>   /* struct prop_area, struct prop_info, PROP_NAME_MAX, PROP_VALUE_MAX */

/* pi must point at the first prop_info of the area; init lays the entries out
   back to back, so stepping pa->count entries forward lands on the first free slot. */
void create_new_prop(char *name, char *value, struct prop_area *pa, struct prop_info *pi)
{
    int namelen = strlen(name);
    int valuelen = strlen(value);
    int pa_count = pa->count;

    /* name and value must fit their fixed-size fields, NUL included, or the
       copies run into the neighbouring entry */
    if (namelen >= PROP_NAME_MAX || valuelen >= PROP_VALUE_MAX)
        return;

    while (pa_count--)
        ++pi;

    printf("pi addr: %p\n", (void *) pi);

    /* bionic's __system_property_read() takes the value length from the high
       byte of pi->serial (SERIAL_VALUE_LEN); a zero serial reads back as length 0,
       so record it the way init's property_set() does */
    pi->serial = valuelen << 24;
    memcpy(pi->name, name, namelen + 1);
    memcpy(pi->value, value, valuelen + 1);

    /* TOC entry: name length in the top byte, offset of pi from the area base below */
    pa->toc[pa->count] = (namelen << 24) | (unsigned) ((char *) pi - (char *) pa);
    pa->count++;   /* publish last, so a concurrent reader never sees a half-written slot */
}

-Earlence
 
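A host-side model of the property area, added here as an example that is not part of the thread and not the KillingInTheNameOf code: it appends an entry the way the posted create_new_prop() does (name, value and TOC entry) and then looks it up the way bionic's __system_property_find() and __system_property_read() do. The struct layouts and the TOC and serial encodings are written from the Froyo/Gingerbread bionic header sys/_system_properties.h as I recall it; PA_INFO_START = 1024 and PA_COUNT_MAX = 247 are assumed from init's property_service.c; the area is a zeroed malloc'd buffer standing in for the ashmem mapping, and the property names and values are constructed for the example. It shows how a lookup can find the entry while getprop still prints nothing: the reader copies as many bytes as the high byte of pi->serial says, and an entry whose serial is still zero reads back as length 0, which libcutils' property_get() turns into the empty default.

```c
/* Added example, not code from the thread: host-side model of the
 * Froyo/Gingerbread property area.  Layouts and encodings follow bionic's
 * sys/_system_properties.h as recalled; PA_INFO_START and PA_COUNT_MAX are
 * assumed from init's property_service.c; the area is a zeroed buffer
 * standing in for the ashmem mapping. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROP_NAME_MAX   32
#define PROP_VALUE_MAX  92
#define PA_SIZE         (32 * 1024)   /* assumption: one region of this size */
#define PA_INFO_START   1024          /* assumption: prop_info array follows the TOC */
#define PA_COUNT_MAX    247           /* (PA_INFO_START - 32) / 4 TOC slots */

struct prop_info {
    char name[PROP_NAME_MAX];
    unsigned volatile serial;         /* value length in the top byte, dirty flag in bit 0 */
    char value[PROP_VALUE_MAX];
};

struct prop_area {
    unsigned volatile count;
    unsigned volatile serial;
    unsigned magic;                   /* left zero here; nothing below checks them */
    unsigned version;
    unsigned reserved[4];
    unsigned toc[PA_COUNT_MAX];       /* bionic declares toc[1] and over-indexes */
};

#define TOC_NAME_LEN(toc)    ((toc) >> 24)
#define TOC_TO_INFO(pa, toc) ((const struct prop_info *)((const char *)(pa) + ((toc) & 0xFFFFFF)))
#define SERIAL_VALUE_LEN(s)  ((s) >> 24)
#define SERIAL_DIRTY(s)      ((s) & 1)

struct prop_area *pa_create(void)
{
    return calloc(1, PA_SIZE);        /* a fresh ashmem region is zero-filled too */
}

/* Append one entry.  set_serial == 0 copies only name, value and TOC entry;
 * set_serial != 0 also records the value length in pi->serial, as init's
 * property_set() does.  Returns 0, or -1 when the entry would not fit. */
int pa_append(struct prop_area *pa, const char *name, const char *value, int set_serial)
{
    unsigned namelen = strlen(name), valuelen = strlen(value);
    struct prop_info *pi;

    if (namelen >= PROP_NAME_MAX || valuelen >= PROP_VALUE_MAX || pa->count >= PA_COUNT_MAX)
        return -1;
    pi = (struct prop_info *)((char *)pa + PA_INFO_START) + pa->count;
    if (set_serial)
        pi->serial = valuelen << 24;
    memcpy(pi->name, name, namelen + 1);
    memcpy(pi->value, value, valuelen + 1);
    /* TOC entry: name length in the top byte, offset from the area base below */
    pa->toc[pa->count] = (namelen << 24) | (unsigned)((char *)pi - (char *)pa);
    pa->count++;                      /* publish last: readers stop at count */
    pa->serial++;
    return 0;
}

/* Mirrors __system_property_find(): TOC name length first, then the bytes. */
const struct prop_info *pa_find(const struct prop_area *pa, const char *name)
{
    unsigned len = strlen(name), i;
    for (i = 0; i < pa->count; i++) {
        unsigned entry = pa->toc[i];
        if (TOC_NAME_LEN(entry) != len)
            continue;
        const struct prop_info *pi = TOC_TO_INFO(pa, entry);
        if (memcmp(name, pi->name, len) == 0)
            return pi;
    }
    return NULL;
}

/* Mirrors __system_property_read(): the copied length comes from pi->serial,
 * not from the NUL in pi->value.  Returns it, or -1 for a dirty slot (the
 * real libc futex-waits on it instead). */
int pa_read(const struct prop_info *pi, char *value)
{
    unsigned serial = pi->serial;
    if (SERIAL_DIRTY(serial))
        return -1;
    unsigned len = SERIAL_VALUE_LEN(serial);
    memcpy(value, pi->value, len + 1);
    return (int)len;
}

/* getprop path: libcutils property_get() returns the default ("") unless the
 * read yields a positive length. */
int pa_get(const struct prop_area *pa, const char *name, char *value)
{
    const struct prop_info *pi = pa_find(pa, name);
    int len = pi ? pa_read(pi, value) : 0;
    if (len <= 0) {
        value[0] = '\0';
        return 0;
    }
    return len;
}

int main(void)
{
    struct prop_area *pa = pa_create();
    char v[PROP_VALUE_MAX];
    int len;

    pa_append(pa, "service.adb.tcp.port", "5555", 0);   /* serial left zero */
    len = pa_get(pa, "service.adb.tcp.port", v);
    printf("serial unset: found=%d len=%d value=\"%s\"\n",
           pa_find(pa, "service.adb.tcp.port") != NULL, len, v);
    pa_append(pa, "persist.adb.tcp.port", "5555", 1);   /* serial = 4 << 24 */
    len = pa_get(pa, "persist.adb.tcp.port", v);
    printf("serial set  : found=%d len=%d value=\"%s\"\n",
           pa_find(pa, "persist.adb.tcp.port") != NULL, len, v);
    free(pa);
    return 0;
}
```

The two sample names are deliberately the same length, so the find has to compare bytes rather than stop at the TOC length check; the first entry is found but reads as empty, the second reads back "5555". Whether this is the whole story on a real device also depends on what else init does in property_set() after the write, which this model does not cover.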

earlenceferns, Member, Mar 9, 2010
more updates

It seems that property_change has to be fired for any property to "take effect". (No wonder the KillingInTheNameOf exploit kills adb and restarts it.)

Anyone have ideas on how to trick an execution of "property_change"?

-Earlence