SU for Android on ChromeOS
- Thread starter lionclaw
- Start date
I executed the combined RootandSEpatch.sh script and appear to have successfully acquired root on a Samsung Chromebook Plus, but my /system/etc/ folder is still not R/W for Adaway, is there another step to make this container R/W?
Same problem. Can't get write access to /system with Adaway or root explorer. Apps are able to gain root privilege but can't write to the system partition
Which Chrome OS version?
I think it's most likely an issue with /opt/google/containers/android/config.json.
Config.json is the container config, which, along with certain other parts of the OS, has been changed significantly in recent OS versions/updates. There was an issue in the CrOS code which arose fairly recently (in CrOS v65), which rendered it temporarily impossible to mount the container R/W. The underlying issue was apparently fixed in the source code a while back, but the correct container config is quite finicky to get right, and rather easy to get wrong. Since this (writeable Android /system) is an issue that only impacts tinkerers/developers, I imagine that it's not particularly high on the list of things that have to be working correctly when an OS update ships.
Someone raised an issue on the rooting scripts' github last month and, at that time, while there wasn't a particularly straightforward workaround/fix for CrOS v65, for v66 the fix involved removing one line from config.json, and, according to my testing, the issue was not occurring on v67 at that time.
I am currently running v69 and do not experience the issue (i.e. I can write to /system, and the "mount command executed within an Android terminal shows that /dev/loop1 is mounted rw).
If you are running CrOS v66, the fix should be quite simple, and, as I mentioned, on v69 at least, it appears to be no longer necessary. If you are running CrOS v67 or 68, you can try the fix which I previously tested on v66. At some point I may have time to check out v67/68 to confirm this works, but in any case as long as you make a back up of the file, you should have nothing to lose by trying it.
The likely fix: Check my post on github for a little more detail if you like, but, essentially, if you open /opt/google/containers/android/config.json in vi, and see the line:
Code:
"dev",Or, if you want, you can add your config.json (or the first 40 or so lines of it) to a post here, and we can take a look at it to further investigate.
Good morning and thanks for the quick response. I am on 68.0.3440.25 dev channel on the samsung chromebook plus. I found a similar line and it reads as follows:
"root": {
"path": "rootfs/root"
},
"hostname": "android",
"mounts": [
{
"destination": "/",
"type": "bind",
"source": "rootfs/root",
"options": [
"rslave",
"suid",
"exec"
],
"performInIntermediateNamespace": true
},
{
As you can see "dev" is not present.
OK yeah, that's strange. Yes, the config.json snippet you provide appears to be correct for a working R/W mount.
I've just switched my C100 from v69 canary to v68.0.3440.25 dev on one of its CrOS partitions without powerwashing (by changing channel and then deleting the file created in /mnt/stateful/ by the update engine, so it doesn't trigger a powerwash).
Ad-away writing to /system, and writing to /system via Terminal Emulator definitely both work fine for me on v68.0.3440.25 at the moment.
Due to the way I've manually gone over to v68 to briefly test this, I have my user profile and everything on /mnt/stateful (partition 1) carried over from v69 (which CrOS nags about at boot, but it still works) - I'm fairly sure that config.json and most of the other related container config bits and pieces are all just on the rootfs partition (and not, e.g. bind mounted from elsewhere), so I don't think it should make a difference that I haven't powerwashed.
However, to completely rule out being able to replicate this issue I guess I might need to do a complete wipe and start totally afresh. I can probably do that at some point (after backing a few things up), but hopefully that won't be necessary.
Can you have a look to see if /dev/loop1 is mounted ro or rw within the Android container?
If you do, in a Chrome OS root shell:
Code:
printf "mount | grep loop1" | android-sh
Code:
mount | grep loop1Can you have a look to see if /dev/loop1 is mounted ro or rw within the Android container?
If you do, in a Chrome OS root shell:
or in an Android terminal emulator
Does it show as rw?[/QUOTE]
Good morning, thank you again for the quick response. No, it shows as RO
If you do, in a Chrome OS root shell:
Code:
printf "mount | grep loop1" | android-sh
Code:
mount | grep loop1Good morning, thank you again for the quick response. No, it shows as RO
Code:
kevin_cheets:/ $ mount | grep loop1
/dev/loop1 on / type ext4 (ro,seclabel,nodev,relatime,block_validity,delalloc,barrier,user_xattr,acl)Yeah, so although the line I mentioned is not present in your config.json, I'm guessing that it may be something similar, still. I had a brief look at some of the changelogs on chromium.googlesource.com related to arc++ and couldn't immediately see anything that might have caused it this time around. If necessary I'll have a proper look again when I have time, later in the week.
I'll set up a completely fresh CrOS install, probably tomorrow, and see if I can replicate the issue.
@Nolirum, are you using a Chromebook plus? If not, I would be glad to help if you would like me to test anything. If you are interested PM me for my hangouts info. Thank you again
Apologies for the delayed response. I've been a bit busy, besides couldn't replicate it my end on any of the CrOS versions or find anything in the source, and I think it can be quite tricky to troubleshoot these types of issue remotely.
however, I can now replicate this issue on v69.0.3491.0 on my device, and after some diffing and A/B testing I have found that this time the source of the problem appears to be within the container. A recent change to init.rc seems to be the culprit.
Starting from arc version 4892840 (on my device), the argument "nodev" has been added to the mount options for the rootfs. On my device this is at line 288 of init.rc.
After removing "nodev" and rebooting, the Android container now mounts read/write again.
i.e.
Edit /opt/google/containers/android/rootfs/root/init.rc
Remove "nodev" from the mount options for the rootfs therein (line 288 on my device).
So the following
Code:
on post-fs
start logd
# Once everything is setup, no need to modify /.
# The bind+remount combination allows this to work in containers.
mount rootfs rootfs / remount bind ro nodevbecomes
Code:
on post-fs
start logd
# Once everything is setup, no need to modify /.
# The bind+remount combination allows this to work in containers.
mount rootfs rootfs / remount bind roAfter a reboot, the Android rootfs is now writeable again.
Code:
localhost / # printf "mount | grep loop1" | android-sh
/dev/loop1 on / type ext4 (rw,seclabel,nodev,relatime)Edit: I guess you could do it with sed, something like
Code:
sed -i.old 's|mount rootfs rootfs / remount bind ro.*$|mount rootfs rootfs / remount bind ro|g' /opt/google/containers/android/rootfs/root/init.rcHopefully the above works for you. If needed I could add this to the rooting script, but it'll probably be best to wait a bit anyway, and see there are any further changes in forthcoming CrOS updates (v70?).
Edit 2: I've had a commentfrom someone else with a Chromebook Plus, and the above fix did not work for them.
I have also found that, on my device, it is also possible to get the Android rootfs to mount RW again by actually changing, on the same line, the RO argument (which, I understand, previously would be overridden by Chrome OS) to RW.
After making either one, or both, of those changes, I found that the rootfs would mount R/W on my device.
So, to change RO to RW, it would be something like
Code:
sed -i 's|mount rootfs rootfs / remount bind ro|mount rootfs rootfs / remount bind rw|g' /opt/google/containers/android/rootfs/root/init.rc
Code:
mount rootfs rootfs / remount bind ro
Code:
mount rootfs rootfs / remount bind rwIf/when i find out more on this, I'll post back.
Edit 3. The latter command has now been confirmed to work on the Chromebook Plus on v69 to re-enable the R/W mount for the Android rootfs. It also works for me on v70. I'll probably add it to the rooting script presently.
Last edited:
No root in SuperSU
I tested your scripts & got it install/patch -
However in SuperSU it says no root detected, & using a root checking app says partially rooted, any idea around this?
I tested your scripts & got it install/patch -
However in SuperSU it says no root detected, & using a root checking app says partially rooted, any idea around this?
Attachments
Last edited:
Success root v67 - on hacked Chrome OS ICS Bben cherrytrail with cyan Acer CB R11 ROM
I ran again the script 02SEPatch.sh
curl -Ls https://raw.githubusercontent.com/nolirium/aroc/master/02SEPatch.sh | sudo sh
& it finally gave me root - fiddly, but eventually worked-
I also made the suggested changes to get rw before running it.
Here is the output after the successful run:
chronos@localhost ~/Downloads $ curl -Ls https://raw.githubusercontent.com/nolirium/aroc/master/02SEPatch.sh | sudo sh
Test Rooting scripts for Android on Chrome OS
Version 0.25
Unofficial scripts to copy SuperSU files to an Android system image on Chrome OS
Part 2 of 2
There is an SE Linux policy file located at /etc/selinux/arc/policy/policy.30, which can be patched with SuperSU's patching tool.
This script assists with the process.
Copying policy.30 to /home/chronos/user/Downloads/policy.30 to allow Android access to the file.
Opening an Android shell and attempting to patch policy_30.
supolicy v2.82 (ndk:x86) - Copyright (C) 2014-2017 - Chainfire & CCMT
Patching policy [/var/run/arc/sdcard/default/emulated/0/Download/policy.30] --> [/var/run/arc/sdcard/default/emulated/0/Download/policy.30_out] ...
libsepol.policydb_index_others: security: 1 users, 2 roles, 704 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security: 65 classes, 7695 rules, 0 cond rules
- Success
Overwriting policy.30
Copying patched policy from /home/chronos/user/Downloads/policy.30_out to /etc/selinux/arc/policy/policy.30
Setting SE Linux to 'Permissive' temporarily
Copying Android /sepolicy to /usr/local/Backup/sepolicy.old
Overwriting Android /sepolicy with patched policy.30
Setting permissions and context for /sepolicy
Done!
Please reboot now
Feed -
https://twitter.com/inabster/status/1022893846718492673
https://twitter.com/inabster/status/1019974551751614464
https://twitter.com/meNabster/status/1022789803874689024
I ran again the script 02SEPatch.sh
curl -Ls https://raw.githubusercontent.com/nolirium/aroc/master/02SEPatch.sh | sudo sh
& it finally gave me root - fiddly, but eventually worked-
I also made the suggested changes to get rw before running it.
Here is the output after the successful run:
chronos@localhost ~/Downloads $ curl -Ls https://raw.githubusercontent.com/nolirium/aroc/master/02SEPatch.sh | sudo sh
Test Rooting scripts for Android on Chrome OS
Version 0.25
Unofficial scripts to copy SuperSU files to an Android system image on Chrome OS
Part 2 of 2
There is an SE Linux policy file located at /etc/selinux/arc/policy/policy.30, which can be patched with SuperSU's patching tool.
This script assists with the process.
Copying policy.30 to /home/chronos/user/Downloads/policy.30 to allow Android access to the file.
Opening an Android shell and attempting to patch policy_30.
supolicy v2.82 (ndk:x86) - Copyright (C) 2014-2017 - Chainfire & CCMT
Patching policy [/var/run/arc/sdcard/default/emulated/0/Download/policy.30] --> [/var/run/arc/sdcard/default/emulated/0/Download/policy.30_out] ...
libsepol.policydb_index_others: security: 1 users, 2 roles, 704 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security: 65 classes, 7695 rules, 0 cond rules
- Success
Overwriting policy.30
Copying patched policy from /home/chronos/user/Downloads/policy.30_out to /etc/selinux/arc/policy/policy.30
Setting SE Linux to 'Permissive' temporarily
Copying Android /sepolicy to /usr/local/Backup/sepolicy.old
Overwriting Android /sepolicy with patched policy.30
Setting permissions and context for /sepolicy
Done!
Please reboot now
Feed -
https://twitter.com/inabster/status/1022893846718492673
https://twitter.com/inabster/status/1019974551751614464
https://twitter.com/meNabster/status/1022789803874689024
Attachments
Last edited:
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
5This is a cross-post from a reddit thread I started, but this is probably a more appropriate location for it.
I have been trying to modify files in the system folder for the Android container on the Asus Flip so I can install SuperSu, but have run into some problems.
The system folder is contained in a squashfs image on the chromebook at /opt/google/containers/android/system.raw.img. Mounted squashfs images appear to not support read-write access. I have been able to unsquash the image, add the SuperSU apk to the /system/priv-app folder and su to the /system/xbin folder, and remake the image. This boots, but SuperSU force closes as soon as it starts.
To make tinkering easier, I've tried building a writable image using dd and mkfs. I placed it in a location that has rw access and modified the /etc/init/android-ureadahead.conf script which mounts it to enable rw access. Unfortunately though it won't boot. The boot logs for the android container show a litany of SELinux errors for different things that it could not set context, operation not permitted. I can post the exact log if necessary. Some googling led me to find that the SELinux security context attributes weren't being replicated in my image, so I tried mounting with context and fscontext options equal to the contexts from the original image, but I get the same problem.
If anyone has any ideas I'd be especially grateful.4I have been able to successfully root the Android image on my Asus Flip.
I built a blank image with dd in /usr/local, formatted it with mkfs, mounted it to a folder, mounted the original system.raw.img to a folder, copied the files across, placed *all* the SuperSU files listed as 'required' in the SuperSU update-binary in the relevant places in /system in my new image, set permissions & contexts for those files, edited arc-system-mount.conf and arc-ureadahead.conf to point to the new image and, finally, patched /etc/selinux/arc/policy/policy.30 with the SuperSU sepolicy patching tool in order to boot my rooted Android instance with selinux set to enforcing.
I have created a couple of scripts which more-or-less fully automate this procedure, which can be downloaded from nolirium.blogspot.com. Please feel free to download, open the scripts in a text editor to check them out, and try them out if you like. Only tested on Asus Flip, though.
I seem to be unable to post attachments at the moment so I will just add the descriptions here, I could probably post the entire scripts here too if anyone wants. Feel free to let me know what you think.
DESCRIPTIONS:
1-3.sh
Combines the first three scripts listed below.
01Makecontainer.sh
Creates an 900MB filesystem image in /usr/local/Android_Images, formats it, then copies Android system files therein.
02Editconf.sh
Modifies two system files: arc-system-mount.conf - changing the mount-as-read-only flag and replacing the Android system image location with a new location; and arc-ureadahead.conf - again replacing the Android system image location. Originals are renamed .old - copies of which are also placed in /usr/local/Backup.
03Androidroot.sh
Mounts the previously created Android filesystem image to a folder, and copies SuperSU files to the mounted image as specified in the SuperSU update-binary.
04SEpatch.sh
Copies an SELinux policy file found at /etc/selinux/arc/policy/policy.30 to the Downloads folder, opens an Android root shell for the SuperSU policy patching command to be entered, then copies the patched policy back to the original location. A copy of the original policy.30 is saved at /etc/selinux/arc/policy/policy.30.old and /usr/local/Backup/policy.30.old
Uninstall.sh
Removes the folder /usr/local/Android_Images and attempts to restore the modified system files arc-system-mount.conf and arc-ureadahead.conf.3
You mean a guide to doing it manually? Or to using the script-based approach? Doing the whole process manually would be a little involved, but If you would like to try the script then it should be quite simple. I would recommend backing up any important files beforehand nonetheless.
To root with the script:
Beforehand: Put the Chromebook into Developer Mode in order to get shell access, if you haven't already done so. (hold Esc+F3, and tap power button, then press Ctrl+D at the "Missing or Damaged" screen, then press Enter.) Putting the Chromebook in Developer Mode will completely wipe the device.
1. Once in CrOS, in Developer Mode, open crosh with Ctrl+Alt+T. Type shell. Press enter.
2. Turn off rootfs verification for the currently active partition, so you can modify the filesystem (if you haven't already done so). To do this, enter the following command then reboot:
Code:sudo /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification --partitions $(( $(rootdev -s | sed -r 's/.*(.)$/\1/') - 1))
3. Back in the shell, copy the following, paste it in at the command prompt with a double-tap or Ctrl+Alt+V, then press enter.
Code:curl -Ls https://raw.githubusercontent.com/nolirium/aroc/onescript/RootandSEpatch.sh | sudo sh
4. Once the script has finished, check its output for any error messages. If any error messages are shown, see what they say, and if you like you may paste them in here. Otherwise, just reboot and you should be good to go.
Note: The script keeps the original Android roots as a backup, renaming it to .bk. The rooted copy takes up approximately 1.5GB of space on the drive. If you wish to restore the original for any reason, you should be able to do it by entering the following into the shell, then rebooting.
Code:sudo mv /opt/google/containers/android/system.raw.img.bk /opt/google/containers/android/system.raw.img2
Sketchy looking errors, lol. ...I wouldn't know where to start.
G'luck!
I think it should definitely be buildable, in theory, just with the android bits and pieces missing... Whether or not it's worth all the hassle, though...?
I don't know if you happened to see the Google Groups thread linked from one of the Reddit posts I linked earlier, but in that thread there was a guy saying:
Admittedly, that was a slightly older CrOS version, and a different device, but I bet the same applies now. Indeed, I think I'e seen a few similar posts on those lists. Who knows how much of the Android stuff is missing, (and just how many errors/config issues you might have to go through in order to successfully build Chromium OS for Caroline) though, I suppose?
Yeah, unionfs would potentially make messing around with /system much easier, I guess... Or overlayfs, maybe?
Edit: Meh, overlayfs doesn't seem to be possible on kernel 3.14 (my CB's kernel). Should be possible on 3.18 and 4.4...
I had another go at building xpad.ko for my kernel. I was actually able to get past the weird errors quite easily this time - I hadn't realised previously that one set of errors was inconsequential, and another couple of errors were actually covered, along with their workarounds, on those Crouton github wiki articles. That said, there were still some annoyances - one was "error: unrecognized command line option ‘-fstack-protector-strong": one article and google seemed to suggest the version of gcc I was using was at fault, while another article (which, of course, I didn't see first of all), advised to simply edit out the offending string (in this case, replace -fstack-protector-strong with -fstack-protector-all). Aside from these and a few other small issues, it was quite straightforward to build that one module, directly on the Chromebook (in a Ubuntu Trusty chroot), disable module locking, copy it over to Chrome OS, and load it up in place of the original.
Although, it didn't work properly, but I think that may have been just because I f*cked up the C code messing around trying to edit a couple of bits using a somewhat massively different commit as a semi-guide. In any case, the process got me thinking that it should be pretty simple to just add on potential modules of interest with that method.
So anyway, I finally had time to sort the rooting scripts out a bit and then add them to github. I tried to tidy up the main script somewhat, moving a few bits into their own functions. As suggested, I combined the Intel and arm scripts into one, with a check for CPU arch and a few related conditionals which hopefully work on Intel and armv8 Chromebooks as they do on my armv7 device.
Yeah, everything in one step would be ideal. Although we could get away with leaving SE Linux unpatched (if we wanted to) if we just set it persistently to permissive in CrOS (e.g. with sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config), negating the need for a second script, however I think it might be best to just patch the policy properly, since we are able to do so. The ability to easily switch to permissive was removed in an update at one point in the past. (which was a real headache to figure a way around), before later being re-introduced.
If we could successfully do the patching plus all the rest of it beforehand in one single step that would be great, less messing about after an update.
Edit: Sorted it. The combined script can now be run from github as a true one-step process. When rooting for the first time, or after an OS update, all that should need to be run is the below command (plus the command to switch off rootfs verification, if necessary)
Code:curl -Ls https://raw.githubusercontent.com/nolirium/aroc/onescript/RootandSEpatch.sh | sudo sh
The above is the original pair of scripts (below) combined into one, with an additional function to patch selinux without requiring an extra reboot. This is done by temporarily copying su, libsupol to subdirectories under /data/adb, bind mounting these subdirs over /system/xbin and /system/lib in the currently running (unrooted), container, patching the selinux policy file, then copying the patched file into the rooted container. One reboot is still necessary after running the script in order to get the rooted container mounted up properly.
Alternatively, the original pair of scripts are below, this way the process is two steps (plus reboots). i.e.
sudo rebootCode:curl -Ls https://raw.githubusercontent.com/nolirium/aroc/master/01Root.sh | sudo sh
sudo rebootCode:curl -Ls https://raw.githubusercontent.com/nolirium/aroc/master/02SEPatch.sh | sudo sh
So far I haven't really had success in fully dismantling the old container neatly then properly remounting all the dirs and loading everything back up in the new one without having to reboot CrOS... I thought the arc-setup binary might be helpful, but it doesn't want to give up its secrets. I tried a few debugging things like strace and LD_DEBUG=files on it, but not much light was shed.
There's definitely other possible approaches that could be looked into. Same goes for the overlays....
Edit: I think I might have a potential solution. I was probably thinking too hard about it before. I'll probably need to powerwash and play around a little bit first, in order to rule out a couple of factors.
Yeah it's weird. I remember getting a fright after updating once or twice, when one or other of the passwords no longer worked. I mean, you expect them to be reset after a powerwash, but not an update. Either it reset the password, or it didn't get passed over to the other partition, or something. I think it was the root password that stopped working, but I could still sudo as chronos (or maybe vice-versa).
Notwithstanding any auto-update strangeness, there appears to be a couple of other things going on here.
I think the following is right:
If you open a VT with ctrl+alt+F2, F3, or F4, login as root with the 'debugging password' and then, as per the message which appears in tiny writing amongst some others there, set a sudo password for chronos with chromeos-setdevpasswd , this creates /mnt/stateful_partition/etc/devmode.passwd, and stores the password hash for chronos in there. If you run chromeos-setdevpasswd and just hit enter twice, it still saves a hash in devmode.passwd, and you get a prompt for sudo but you just have to hit enter.
However, if you set a sudo password for chronos with passwd, its hash gets stored in /etc/shadow instead.
Found a bit of possibly related info in /etc/pam.d/chromeos-auth.
From the latter:
Actually this was bothering me the other day: I couldn't figure out how to easily get back to the passwordless sudo for chronos. I mean, I've seen slightly involved methods of configuring this on google, but it must be something simple in this case! From what I understood of the latter quoted file, I tried removing all the passwords for chronos: this didn't work!
Prior to this, I tried my root password out of curiosity and it no longer worked - it had disappeared again somewhere along the line it seems. Anyway, I set it again it with passwd root, and now I have a hash in /etc/shadow for root. Hopefully, this password will stick, anyway...
I saw a somewhat related thread on Reddit from a while back which touched on this (raising more questions than answers), although the query there was "how is root login disabled after setting a password for chronos?"2
The R13 has a 64-bit Mediatek processor, right?
I have added a version for ARM64, but I haven't tested it.
You can find the instructions and scripts at nolirium.blogspot.com
