Category Archives: Operating Systems

How to gain root on HTM H10

The two cheap phones I ordered for porting Firefox OS have arrived. So far my favourite is the H10. This quick guide should also work for the HTM M1 with slight alterations.

This guide will show you how to install SuperSU and gain root. The entire process was easier than I anticipated.

Step 1: Download the latest version of Framaroot

Step 2: Copy the Framaroot apk to your phone

Step 3: Use your phone’s File Manager app to open the Framaroot apk you copied in step 2.

Figure for Step 3.

Step 4: Android will have you verify the permissions Framaroot has requested. In our case, because Framaroot exploits a privilege escalation vulnerability, it will effectively have access to everything despite only requesting photos. For this reason you must only ever install apks from sources you trust.

Figure for Step 4.

Step 5: My HTM H10 came with Android 4.2.2, which has an option to check apks against Google’s blacklist of apks. This blacklist should include Framaroot, so you must select Disagree from the dialogue. In general this blacklist exists to protect us from malicious apps which might use the same exploit we need.

Figure for Step 5. If you see this, remember to select Disagree.

Step 6: Framaroot is now installed but has not performed the exploit. Press Open to run Framaroot.

Figure for Step 6.

Step 7: As of writing, the latest version of Framaroot is 1.8.1.apk. The only exploit version 1.8.1 knows which the H10 is still vulnerable to is the Boromir exploit. In the future Boromir should get fixed, but new exploits should appear. You must tap on the Boromir text to perform the exploit.

Figure for Step 7.

Step 8: Congratulations! The exploit should have worked, but you must reboot your phone for it to take effect.

Figure for Step 8.

Let’s become Mozillians!

Mozilla is special. No organization that I know of is so effective, open, or stubborn.

Stubborn because when the world embraced patent-encumbered H.264 & MP3, Mozilla turned around and said: “Okay, then we’ll just make an encoding better in every dimension.”

And that’s the story behind Daala & Opus.

Mozilla is not the organization we deserve. We deserve no better than MPEGLA, Apple, Microsoft, SAP, Oracle, or Intellectual Ventures.

Mozilla is the organization we need.

When someone says “The web is not ready” we need people who are working to make it ready. We are not going to see the real web on mobile until we stick it there. We need a stubborn organization which will keep fighting for our freedom even after we’ve all locked our bootloaders with someone else’s key.

We need an organization which goes into the mobile fight not looking to monopolize yet another app ecosystem. We need someone to unlock apps so when regular people ask “Does it have X app?” the answer is: “Yes, because it supports webapps”. Only then can operating systems compete as equals without users’ sacrifice.

So that rant should give an accurate portrait of my motivation for contributing. If it also describes you then please do consider contributing as well. In either case please enjoy my story.

Our journey starts mid-July 2013, I have just gotten back from Microsoft after another day of my internship. The weather is warm, the sun is shining, and it hasn’t rained in at least five minutes. First order of business is to select my project preferences for the coming semester’s UCOSP.

Our product selection is pretty broad: a programming language, a conferencing webapp, a code review webapp, and a few more webapps I do not remember. All fine projects, but I only had eyes for two: Right-to-left language support in Android Firefox, and Plugins for BB10 Cordova.

During my internship at Microsoft I came to the decision upon two things: I want to work for a smaller organization, and I’d go crazy if I could not talk about my work in the open. Those realizations and my preference for open source mobile operating systems put Mozilla close to the top of my list.

Back to the selection: As a way to make connections the Android Firefox project sounded perfect. Thus it was my first choice. BB10 took second but only for its merits as a project matching my exact interests.

As it happened, the UCOSP organizers saw through my ploy and assigned me to BB10. Yet despite the organizers’ clear attempts at thwarting me, they forgot one thing: our hackathon was being hosted at Mozilla!

In fact it appeared as if the Undergraduate Capstone Open Source Project organizers had not shared with Mozilla their plan of keeping me away from Mozilla. You see at the hackathon Greg Wilson gave everyone a tour of the new Toronto office: a modern and wonderful work environment on full display! Everyone was envious, including myself. Greg was even kind enough to give me his email!

With email in hand I went home to Calgary and worked. I worked so hard I misplaced the email. That’s my story and I’m sticking to it!

With no email I took a long shot and asked the UCOSP organizers. They must have thought I was someone else because they gave me Greg’s email without a fight. Now with email in hand for real I could email Greg asking how to apply.

And then I misplaced the email again…

Just joking. Greg was encouraging and cc’d Mike Hoye, also of Mozilla, who gave fantastic general career advice plus good Mozilla specific advice. The advice is so good we should take a moment to read it together:

Don’t let anyone pressure you with what’s called an “exploding offer” – anyone who’s telling you that their offer is off the table after a certain date is just trying to fill chairs, and trying to scare you into accepting a job where you’ll be deeply undervalued. People who actually want to hire you _for you_ will, within reason, wait for you to make up your mind.

Finish UCOSP. Ship. Blog about shipping. Spin up a Mozilla build environment, go to http://www.whatcanidoformozilla.org/ and wander through it until you find a bug you want to fix, and then work your way through the process for fixing it. Ship that, and blog about that.

Then come and talk to us; let me know when you’re applying, and let the people you’ve collaborated with on that bug know you’re applying.

Unrelated to Mozilla, a colleague of mine ran this talk for Seneca last year: https://senema.senecac.on.ca/videos/1958/fsoss-2012-open-soucre-careers

It’s called “Open Source Careers”, typo in the URL aside, and you should watch it.

Thanks,

– mhoye

Just to make sure you understood, please repeat after me: You should go to http://www.whatcanidoformozilla.org/ and find a cool project. Right now. I’ll wait for you. I’ll be right here when you get back.

Back?

I suspect you’re lying and instead just kept reading, right? This is serious: you should go to http://www.whatcanidoformozilla.org/, select a project and head over to BugsAhoy for a selection of mentored, new-contributor-friendly bugs.

Promise me you’ll at least open the links and press 2 buttons. Just 2, not 3, only 2. Please? I’ll stay here and drink some tea.


I promise you green tea which is the color green: is good green tea. The cookies are also pretty good.

Back for real? Okay I’ll trust you.

Now I should caution that the pain I encountered with the development environment is not something an app developer will encounter. With the disclaimer complete I must admit I’ve bricked one (1) phone. You see, developing apps for FxOS is fast and easy but compiling an entire operating system is a bit more complex.

Before I could do anything I needed a phone so I ordered the recommended and cheap ZTE Open from ebay. While waiting for the phone’s arrival I experimented with FxOS’s QEMU based virtual machine, which I did not succeed at.

When I did receive the phone I set out at once to blog about it. Looking back I’m a bit ashamed, almost all of the issues I identified had already been reported. I should have searched for reports ahead of time so I could point out how things had been fixed. Instead at least one reader got the impression I hated FxOS.

On that note, my attempts at compiling for the ZTE Open have bricked it. The issue is well reported on the mailing list but I’m happy to report that ZTE is working on it.

Instead I’ve been developing on an old Nexus S. The odd thing is my build images have been using ZTE Open’s system backup. By no rights should my Nexus S be anything but bricked. Since the environment is working, I’ve avoided “fixing” this oversight.

With a working build environment I did what you just did: found a cool mentored bug from BugsAhoy. Right at the top of BugsAhoy’s list for Firefox OS mentored bugs was Bug #939372. This bug stood out as being perfect: low-level, C++, and self-contained.

The exact issue with bug #939372 was that Firefox OS logged all kernel out-of-memory messages via a shell script running as root. Dave Hylands’s suggested solution was to write a new program which could open the kernel log as root but then drop all root permissions unrelated to reading the kernel log.

So I wrote a first attempt at such a program. Perhaps the biggest pain was the permissions dropping. Being a stand-alone program, I wanted to avoid bringing in a library dependency. This meant writing against Linux’s system call interface. You might have noticed that this is a Very Bad Thing™ to do. In this specific case it was acceptable because the program was to go into FxOS’s hardware abstraction layer. Still, for any kids reading at home please do not attempt this, doubly so for Windows™®©☘ specific code.
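As an added illustration of the approach Dave suggested (example code written for this page, not the patch attached to bug #939372): open the kernel log while still root, then drop supplementary groups, gid and uid in that order and verify the drop before reading anything. It uses the libc wrappers rather than raw syscalls, assumes a glibc Linux system, and picks uid/gid 65534 ("nobody") as the unprivileged target when started as root.

```c
/* Added example: privileged open followed by a verified privilege drop.
 * Not the FxOS code; a stand-alone demonstration of the pattern. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Step 1: acquire the root-only resource before anything else. Returns the
 * descriptor or -1 (e.g. when not started as root). */
int open_kernel_log(void)
{
    return open("/dev/kmsg", O_RDONLY | O_NONBLOCK | O_CLOEXEC);
}

/* Step 2: drop to an unprivileged identity. Order matters: supplementary
 * groups first (only root may clear them), then gid, then uid. All three of
 * real/effective/saved are set, so seteuid(0) cannot restore root later.
 * Returns 0 on success, -1 on the first failing step. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Also refuse future privilege gains through setuid binaries. */
    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    return 0;
}

/* Step 3: verify instead of trusting the drop. Returns 1 only if we are not
 * root and an attempt to become root again fails with EPERM. */
int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

/* Use "nobody" (65534, assumed unprivileged) when started as root; when
 * started unprivileged, keep the current identity so the sequence still runs.
 * Returns 0 when the drop succeeded and was verified. */
int drop_and_check(void)
{
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges(uid, gid) != 0)
        return -1;
    return privileges_dropped() ? 0 : -1;
}

int main(void)
{
    int fd = open_kernel_log();          /* -1 unless running as root */
    if (drop_and_check() != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;                        /* never read the log while still root */
    }
    if (fd < 0) {
        fprintf(stderr, "cannot open /dev/kmsg (start as root): %s\n", strerror(errno));
        return 1;
    }
    char buf[1024];
    ssize_t n;
    /* Non-blocking read: returns the buffered kernel messages, then EAGAIN. */
    while ((n = read(fd, buf, sizeof buf - 1)) > 0) {
        buf[n] = '\0';
        fputs(buf, stdout);
    }
    close(fd);
    return 0;
}
```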

At this point I started hanging out on the Mozilla IRC channels. Now I’m going to show you some links but please do not open them. Please, this is serious and not reverse psychology. –Begin Dangerous Links– Mozilla funny quote database and Mozilla memes. –End Dangerous Links– How dangerous, you might wonder? I just wasted 10 minutes reading jokes I’ve read before!

The real IRC conversations are less exciting than the highlights. You may see more Qdot… flavour. For the most part, you’ll overhear people debugging and assisting others. Altogether Mozilla appears to use IRC to be productive and less for in-jokes.

A bit prior to joining IRC, I did subscribe to the Mozilla mailing lists. These lists are pretty easy to follow and much lower volume than the Linux Kernel Mailing List. The two lists I’ve subscribed to, b2g & gaia, give a good feel for FxOS’s direction. I’ve also noticed that Mozillians are nice to a fault and will respond at face value to even “worthless” email. I’m not sure it’s even possible to write something inane enough to get called out upon. That’s an impressive community-wide commitment to being a friendly community!

Back to bug #939372: Dave Hylands has now reviewed my attempt at the stand-alone logger. Along with my patch I asked a few questions. After some discussion, Dave brought in Michael Wu for an opinion. Michael suggested we move logging into the main b2g process. Since this would save me the permissions dropping mess, I had few protests.

Here’s where Dave’s mentoring saved the day: he pointed me to the exact line where to add the logging. It may sound like a small help but FxOS is huge and without his guidance I would have been stuck.

Then Dave gave me eight high quality code reviews, one after the other. Each time he identified real issues with my code. I got the impression he cared about the patch just as much as I did. He even found an issue with the Unagi’s kernel logging which I could not have found: the Unagi’s kernel had been patched to format message timestamps in human-readable time and not seconds since boot.

At the end of this process I can say with a smile and confidence that I’ve never before participated in a more thorough code review. It is nice to have another programmer dedicate their time to helping you. Dave went out of his way to make Firefox less intimidating and I do not want to imagine how lost I would have been without his help.

This entire process occurred out in the open; you can read it all here on the bug report itself: https://bugzilla.mozilla.org/show_bug.cgi?id=939372. In fact in the beginning I had emailed Dave in private. In the spirit of being open Dave encouraged me to bring the full conversation to the bug report.

It’s small things like encouraging public communication which make me think open by default is not just a saying at Mozilla. The entire organization lives open by default; you can even attend one of the weekly team meetings. Even if you do not have anything to say you might enjoy just listening. I once attended the B2G meeting and was greeted with an in-depth and geeky discussion of quadcopter kits and microcontrollers.

Now I hope this story has sparked some envy in you. Contributing to FxOS is fun and less work than you’re expecting. Remember that website I harassed you into visiting: http://www.whatcanidoformozilla.org/ ? This would be a perfect time to find yourself an approachable mentored bug and take your first step to becoming a Mozillian.

If nothing else it is now safe to check out the meme and quote databases.


Exciting Systems Software & Trends as of January 2014

This semester my high level goal is to get a junior position as a systems programmer. In fact right now I should be writing a different post related to this search. Instead my mind has wandered towards why systems software excites me.

In a way this post is a late response to something a co-worker asked over the summer at my Microsoft internship. He wanted to know why I wanted to work in such a “solved domain” as operating systems. You see, at Microsoft maintenance is handled by a separate sub-division from new feature development. Thus within our sub-division the work centred around fixing crashes and patching vulnerabilities.

This is not meant to be a dig at Windows and I hope he will not regret expressing his question. Instead the question was something I could not answer to my satisfaction at the time. If anything I must admit that Windows does not excite me, but this could just be a factor of how there are no interesting blog posts documenting Windows’ development.

From the beginning what has excited me about operating systems is the software.

This list is an attempt to summarize some of those interesting software projects or trends.

BTRFS

Long in development, BTRFS has been promised to replace EXT4 as Linux’s default file system. If or when that switch does occur the transition should be smooth. You see, BTRFS supports transparent migration from EXT4. Even better, this migration is reversible. BTRFS keeps the original EXT4 on-disk layout and will write new files in the old free space. At any time you can make the transition permanent by releasing the old EXT4 data structures to BTRFS.

F2FS

A modern file system is built on a castle of lies. The hard disk pretends to have N sectors of M blocks of W bytes. The disk will even lie to the OS about writing data to the platter when the data is only in cache. In simple terms: none of what the HDD tells the OS is true. With the advent of solid state disks these lies drop all pretences of reality. To this end Samsung has developed the Flash-Friendly File System, which exposes deep configuration knobs. With this configuration F2FS can match its behaviour to that of the flash chip and microcontroller. The net result is a file system which shows promise. With proper tuning it appears F2FS can fly, as seen on the Moto G.

ASM.js

To call ASM.js systems software I must confess my bias towards the web as an application platform. ASM.js is not a new VM or a new language. Instead I consider it a promise. A promise from JavaScript engine developers that your ASM.js code will be fast. Already JavaScript is supposed to be fast, but there are always edge cases. Without knowing, you can make a hard-to-optimize JavaScript program. Before ASM.js, why and how you’d killed performance was opaque. Now with ASM.js we can give warnings and point you towards wiki pages. You can now optimize your inner loop without guessing or reading JS engine source code.

Sandboxing

Every major operating system is making moves towards sandboxing their ecosystem: Windows has Metro, Mac OS X has the Mac Store. Meanwhile the mobile operating systems have all been sandboxed since birth. Sandboxing is even getting popular on Linux with Docker. In effect sandboxing is the big red button for security. It brings the benefits of SELinux or AppArmor without the configuration. It assumes the applications are malicious and distrusts them. This distrust will frustrate developers used to being trusted. For this reason I am thankful the web has always been sandboxed: no one ever complains their webapp cannot write to the user’s home directory.

Internet Printing Protocol Everywhere

If anything in computing has a bad reputation it is printing. This reputation is well deserved. Now, thanks to the mobile computing revolution, the printer vendors have come together with the Apple, Linux, and Windows printing guys to create IPP Everywhere. This new standard reuses existing software and existing protocols to bring the holy grail of printing protocols: configuration-less printing. You might have also heard this goal under the name of driver-less printing. This second term is less accurate since we still have drivers, but now all the drivers are generic. IPP Everywhere defines a basic raster format all compatible printers and operating systems must support. From there it also requires PDF and JPEG for capable printers.

Of course, before you can print your computer must know about the printer. For discovery IPP Everywhere provides both Apple’s Bonjour (used by Linux via Avahi) and Windows’ WS-Discovery. The amazing thing is the printer vendors are the ones volunteering to implement both protocols. We on the operating system side can continue using our existing stack!

Now, while IPP Everywhere lays our foundation, you might be wondering if it can reach wide adoption. You might recognize this situation from XKCD #927. For now we only have hope to bet on. In private I’ve been told some encouraging news but you’ll have to wait another few months to hear it.

Disclaimer

Listed above is what I find interesting. My interests might differ from yours. You may even hate systems software and that’s fine. System software just happens to be where I’ve focused and I appreciate those working at different levels of the stack.

CPSC 527 or: How I Learned to Start Worrying and Write a Virus

Just over a decade ago my university started to offer a controversial course known as “CPSC 527 Computer Viruses and Malware”. Or as I refer to it: the Virus course.

The virus course has a reputation which precedes it. I first heard of it in second year. Word was that there existed a course held in a locked and isolated lab. No internet and no electronics allowed. Only fourth year students could enrol and an essay was required.

So fast forward to late third year, when I and a friend have set our minds on this mythical course. Said friend managed to uncover the controversy dating back to 2003 over the introduction of our viruses course.

Most of the resulting articles and press releases can still be found through a quick search. Most notable were two press releases from the Anti-Virus Manufacturers: Sophos and F-Prot. Both give an insight into why the course was not received well by all:

I just wanted to make sure that you are aware of the effects that participation in the course may have on the students’ future career. Most anti-virus companies (including ours) have a policy against hiring former virus writers for anti-virus work. What this means is that in the event that the students actually learn something useful in the course, they will most likely not be able to obtain employment in the anti-virus industry due to their participation in the course, and thus not be able to contribute to actually solving the virus problem. – Fridrik Skulason of F-Prot

Sadly it seems the university is developing courses according to what it believes will be most attractive to potential students rather than focusing on skills that will be useful to them in the security industry. One wonders if the University will be held legally and financially responsible if any of the viruses written on their course break out and infect innocent computer users. — Graham Cluley of Sophos

What struck me is the assumption both responses hold: it is Anti-Virus companies which bring relief from viruses.

I disagree. Security, and thus relief from viruses, instead derives from your ecosystem and your operating system. Which gets to my interest in the course:

  1. Have fun
  2. Becoming a better systems programmer

I have no interest in becoming a researcher for the Anti-Virus industry. Instead I want to create systems which will minimize vulnerabilities and reduce any ground a virus can win in finding a vulnerability. Meanwhile all Anti-Virus software can do is slow down your computer, take your money, and tell you it is time to reinstall Windows.

Now Mr. Cluley and Mr. Skulason do raise a good question: why should you create a new virus? To answer that let us look back to 2007 during my tenure at the local McDonald’s. In our flashback I am a new employee and my boss has taken time out of her day to instruct me on the proper method for cleaning dishes. You see, the drive-through is right across from the washing station and thus it is the task of order takers to clean dishes while waiting for cars. Now I wasn’t a patient lad and protested against a practical demonstration. I asked her if she could instead just tell me how to wash dishes. To this she said:

You’ll only learn something once you’ve done it. — My boss circa 2007

Which is thus the core reason why CPSC 527 must be about writing new viruses. Similarly themed courses at other universities may teach viruses the way Mr. Cluley and Mr. Skulason wish them to be taught: by dissecting existing viruses. Granted, Mr. Cluley is correct, this approach would better serve students going into the Anti-Virus industry. Dissecting existing viruses is the major task when writing an Anti-Virus scanner. Thus prospective job applicants to Sophos or F-Prot would be well served by practicing their new job while in school.

Except I have no interest in the Anti-Virus industry. Instead I want to learn to think like a virus writer. I want to look over a system’s design and notice “Hey, I can abuse that!”. Not for the purpose of abuse, but to bake security into what I create.

To that end I can say CPSC 527 was a fantastic course: I wrote a virus, an exploit for a buffer overflow vulnerability, and for the final assignment a virus scanner for the other 10 groups’ viruses.

All virus work was done in the virus lab: a locked lab with no internet access on machines which required a second student to vouch for your identity before you could log in. The machines themselves were Linux boxes running FreeBSD in a locked-down virtual machine. Even if a malicious student did bring the viruses out of the lab there would be no targets to infect!

The viruses we wrote were not complex or modern. My current value to the Russian Mafia is still about zero dollars.

With that said my virus did win the prize for best virus, which in this course means it was the worst and most annoying virus.

What my virus did was launch a rootkit into kernel space. This rootkit would then sit and count how many files a thread opened. Once the thread had opened N files it got marked as an anti-virus. Then instead of killing the undesirable scanner, we would deny all write requests. Thus a scanner would work for the files in /bin, but any warnings of viruses in /sbin or /usr/bin would be silenced. The net effect was to make programmers think their scanner was broken!

The rootkit was so effective even I got caught by it! My scanner would find the infected files in /bin but not the ones I knew were in /usr/bin.

Beyond pride, writing the rootkit was enjoyable, fulfilling that goal. Spying on the scanners required hooking BSD’s system calls and stuffing data into unused fields of the thread’s task struct. I even booby-trapped the system call table: any attempt at unloading my rootkit would leave non-NULL yet invalid pointers in the system call table. Thus any calls to open or write to files would crash the kernel.

Towards the intangible goal of improving my systems programming I am now quite paranoid. My programs now enjoy user input escaping far beyond anything reasonable. I found myself escaping even the input I got from the kernel! The kernel being the program which runs my program and already controls the entire computer.

As for systems design, my fervour for mobile and Firefox OS has only increased. We need to replace the Win32 ecosystem with an ecosystem that can be sandboxed, and we need to do it without throwing user freedom to the dogs. To that end the web is perfect. Web browsers have undergone years of security stress testing in the most hostile environments imaginable. The web represents an ecosystem developed from the beginning to be sandboxed; it is not even possible to self-modify binaries!

In general we need more programmers to take courses like 527. University students no longer write viruses for fun or to prove a point. Instead we have rogue governments attacking their own people. The risk in teaching students virus writing is now far outweighed by the benefits. We need programmers who will make security a priority. At Microsoft I learned that “UAC is not a security boundary”. What this means is that any vulnerability allowing bypassing of UAC will not get patched. They’ve resorted to this useless stance because there are already many unpatched vulnerabilities. The net effect is users are running under admin accounts which feel like regular non-all-powerful accounts.

So if you have a chance: please enrol in CPSC 527, or a similar course if your university offers one. If enough people take courses like these maybe the next UAC will not happen.

Just bought two cheap Androids for B2G surgery

I’ve been mulling the idea of buying a cheap disposable Android with which to port B2G onto. These cheap Androids can be quite cheap. One I bought was $56, the other $77. Shipping was for both.

My selection algorithm was:

  1. Order by price
  2. Filter to Android 4 or greater
  3. Check out any orange (firefox) coloured phones
  4. Find two distinct phones with the same System-on-Chip (SoC)

My final selection was the “M1 Smartphone” by “htm”, and the “Tengda H10” by “htm”.

M1 by “htm”

Tengda M10 by “htm”

My last experience with cheap Chinese-origin Androids was one of the first generation Android tablets. The device was a clone of the iPad and featured a resistive touch screen. Calling it slow would have been a compliment. From that baseline these devices have a good chance to impress.

These devices might look quite different but they are in fact almost exactly the same. The variety in the cheap Android marketplace is misleading. Under the hood most devices are quite similar. In our case these two phones have the same SoC and camera. By having two similar devices my hope is to create a B2G configuration which will work for all MTK6572W devices. The two devices are from the same manufacturer but do differ in RAM, flash, and baseband. This should give a workable sample of similar devices.

Or maybe they’ll become paperweights!