Miesięczne archiwum: Listopad 2014

Chinese techincal thought

This piece of artwork was found in android audio driver (bp_utils.c)

#include <stdlib.h>
#include <string.h>
#include <stdio.h>

int exec_at(char *tty_dev, char *at)
{
   char cmdline[100] ={0} ;
   sprintf(cmdline, "/system/bin/busybox echo -e \"%s\r\n\" > %s", at, tty_dev);
   return  system(cmdline);
}

Busybox in this case – works as shell.

So to write data to file instead of fopen(), fwrite(), fclose() they are invoking shell to do echo to file.

Genius!

Szeregowanie loteryjne w systemie MINIX

Postawy teoretyczne, najbardziej obrazowo jak to możliwe

Szeregowanie loteryjne polega na tym, aby następny proces do uruchomienia niejako ‚wylosować’, jednak z zachowaniem możliwości ustalania priorytetu. W tym opisie priorytet będzie zależał od „ilości losów”.

Każdy proces powinien posiadać pewną liczbę losów, na potrzeby zadania przyjmiemy od 1 do 20. Liczbę losów nadaje się mu przy jego utworzeniu i będzie ona zmieniana wyłącznie na żądanie użytkownika. Liczba losów jest na poniższym obrazku tożsama z szerokością prostokąta.

minix1

Kiedy ma nastąpić wybranie nowego procesu do wykonania – losujemy liczbę od 1 do sumy losów wszystkich gotowych procesów. W tym wypadku od 1 do 11.

Następnie patrzymy na którym procesie wypadła nasza liczba i ten proces zostanie uruchomiony. Kiedy zajdzie potrzeba wybrania nowego procesu – należy powtórzyć tą procedurę.

  • Liczby 1,2,3,4,5 wypadają na procesie #1
  • Liczby 6,7,8 wypadają na procesie #2
  • Liczby 9,10 na procesie #3
  • A 11 na procesie #4

Zakładając, że wylosowanie każdej liczby jest równo prawdopodobne – proces 1 ma aż 5/11 szans na bycie wylosowanym, więc po wielu losowaniach okaże się, że dostał znacznie więcej czasu procesora niż proces 4 którego szanse były 1/11. Wychodzi na to, że będzie to 5-krotna różnica.

Dla przykładu załóżmy, że wylosowaną liczbą jest 8. Spowoduje to, że teraz uruchomionym procesem będzie proces #2. Na tym kończy się operacja wyboru procesu. Wylosowaliśmy, ustawiliśmy, gotowe.

Implementacja

Czytaj dalej

Allwinner A23 Android partitions

After few hours of working I managed to mount most of Allwinner A23 paritions.
They come from image from my previous post: http://blog.peku33.net/unpacking-q8h-allwiner-a20-a23-img-firmware/

boot.fex

This is standard boot.img Android image. It contains kernel image and ramdisk. To have it extracted I used http://forum.xda-developers.com/showthread.php?t=2319018 tools wrapped into my scripts.
This image contains linux kernel and ‚ramdisk’ – base of file system. This is ramdisk layout:

charger:                ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
data:                   directory
default.prop:           ASCII text
dev:                    directory
file_contexts:          ASCII text
fstab.sun8i:            ASCII text
init:                   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
init.environ.rc:        ASCII text, with very long lines
initlogo.rle:           data
init.rc:                ASCII text, with very long lines
init.recovery.sun8i.rc: ASCII text
init.sun8i.rc:          ASCII text
init.sun8i.usb.rc:      ASCII text
init.sunxi.3gdongle.rc: ASCII text
init.trace.rc:          ASCII text
init.usb.rc:            ASCII text
nand.ko:                ELF 32-bit LSB relocatable, ARM, EABI5 version 1 (SYSV), BuildID[sha1]=d55c110c54b0e190801f7c0581abe2f3dcf20024, not stripped
proc:                   directory
property_contexts:      ASCII text
res:                    directory
sbin:                   directory
seapp_contexts:         ASCII text
sepolicy:               SE Linux policy v26 MLS 8 symbols 7 ocons
sys:                    directory
system:                 directory
ueventd.rc:             ASCII text
ueventd.sun8i.rc:       ASCII text

recovery.fex

This image is very similar to boot.fex. It contains some drivers not present in main ramdisk

bootloader.fex

This seems to be primary partition (nanda) of image. It is standard VFAT image. To access it I used:

mount -t vfat ImageUnpacked/bootloader.fex Mount/

It contains:

bat: directory (this directory contains battery images)
bootlogo.bmp: PC bitmap, Windows 3.x format, 120 x 120 x 32
font24.sft: data
font32.sft: data
magic.bin: ASCII text, with very long lines, with no line terminators (this looks exactly like split_xxxx.bin)
script0.bin: data (this is the same as script.bin)
script.bin: data

env.fex

Absolutely no idea how to unpack it…

system.fex

This is /system/ image in SIMG format. To unpack it use simg2img tool from android extras repository. Then mount output file as standard ext4 partition.

In system.fex you can find everything from system partition.

Unpacking Q8H / Allwinner A20 A23 .img firmware

Recently I downloaded and modified Q8H firmware.

The one, that was shipped with my tablet was lost in war with CloudsService. I was able to find new firmware on the internet, but unfortunately camera drivers were mismatched.

There are basically two ways of modifying Allwiner A20 / A23 firmware:

  1. Using DragonFace – chinese program created to easily modify some basic aspects of firmware. It loads .img file and allows to add new apps, modify init file and system configuration script. It does not provide explorer-like interface. But unfortunately all ROMs modified (or even saved without modifications) were stuck on Android logo while booting.
  2. http://forum.xda-developers.com/showthread.php?t=1753473 – imgRePacker. This tool did what I expected at first from DragonFace. It unpacked whole image to separate files / partitions. After that, I was able to find files I wanted to modify, and then, using the same tool – pack them into .img file. I had to use \skip while unpacking. I successfully flashed my tablet with image modified with this tool.

Now a few words about img content.

 

All tools used in this article are availible in A23 SDK (http://dl.linux-sunxi.org/SDK/A23-v1.0/unpacked/A23/)

  1. image.cfg is created directly by by imgRePacker to store information about files in image.
  2. sys_partition.fex is text file containing partition information for the device. It is translated using update_mbr or script (this is program name) to:
    1. dlinfo.fex – file used by PhoenixUSB, containing information about partitions and data sources for them (which file to copy where)
    2. sunxi_mbr.fex – file which is used as NAND Master Boot Record
  3. sys_config.fex is a common text configuration file for allwiner devices. It is converted to binary form (config.fex) by fex2bin availible in official linux-sunxi repository on github
  4. boot0_nand_<dev>.bin, boot0_sdcard_<dev>.bin, fes1_<dev>.bin, u-boot_<dev>.bin are stored in SDK in tools/pack/chip/<dev>/bin/. They are ‚updated’ with new config using update_filename tool (also in SDK)
  5. boot.fex, bootloader.fex, env.fex, recovery.fex and system.fex are android partitions. Their checksums are created using FileAddSum tool. Both files and checksums are present in target image. Their names are listed in sys_partition.fex, therefore they are copied to target fs to appropriate partitions.
  6. Diskfs.fex is also present in partition table, but no checksum is availible. Whole file contains of 512 bytes of zeros.
  7. cardscript.fex, cardtool.fex, split_xxxx.fex, usbtool.fex are blobs (cardscript is text) availible in SDK. Both cardtool and usbtool seems to be win32 dlls. split_xxxx.fex remains unknown.
  8. aultls32.fex and aultools.fex are unknown blobs.

If you have any information about unknown files – please do contact me.

Returning to the topic of camera drivers.

To modify camera driver a had to do two things:

  1. Modify loaded drivers in /init.sun8i.rc
  2. Modify sys_config (aka sysconfig1.lhs or script.bin)

I combined method 1 and 2 and found that after modifying sys_config following file are being altered:

  • bootloader.fex – only difference was this string
  • config.fex (this is script.bin) – only difference was this string
  • u-boot.fex – this string + some bytes in first 128 bytes
  • sys_config.fex – this basicly is the config file

Q8H (GT90h, etc) Roms – how to find them

Recently I completly destroyed one of my tablets ROM.

I was able to repair it using PhoenixSuite but first I had to find image to flash. Google wasn’t very helpful. Finally I found a thread on TechKnow http://www.techknow.me/forum/index.php?topic=8112.0

There were a few links to websites:

On baidu I was able to find latest firmwares but download speed was very low. I made a mirror for a few latest firmwares. http://d.peku33.net/public/Q8H_A23/

How to flash tablet using .img file and PhoenixUsb? You should see my post: http://blog.peku33.net/how-to-flash-alwinner-a23-q8h-tablet/

 

How to flash Allwinner A23 Q8H tablet?

Requirements:

  1. Tablet with charged battery. It can be bricked, because flashing using PhoenixUSB does not require device to have valid image installed. This is done using FEL mode that is hardcoded to chip. More about FEL: http://linux-sunxi.org/FEL
  2. PhoenixUSB, device key and image to flash. For Q8H tablet I made a mirror of all tools: http://d.peku33.net/public/Q8H_A23/
  3. USB cable

Let’s start.

  1. Open PhoenixUSB
  2. Set key file and image.
  3. Make sure tablet is turned off and disconnected. To make sure that tablet is turned off – keep power button pressed for 10 seconds.
  4. Press START in PhoenixUSB
  5. Keep pressed volume UP button on your tablet and connect USB cable.
  6. On upper right corner you should see green tick chaning into red cross
  7. Start pressing power button of your tablet about 10 times, every 1 second
  8. Red cross should change into green tick
  9. Now procedure of flashing has started, you can release volume UP and stop pressing power.
  10. It should take about 3 minutes to flash. For me it was 2min41sec.
  11. After flashing is done you should see some text on green background in right section of PhoenixUSB
  12. Press STOP, disconnect tablet.
  13. Done

Hello World! I dedicate this blog to…

Chinese software developers.

I’m starting this Category to describe my efforts in removing trojan / malware from Q8H tablet I recently bought.

This is basically what I’ve bought: http://www.ele-china.com/7-inch-Allwinner-A23-Dual-Core-Android-4-2-tablet-pc-512MB-RAM-4GB-ROM-dual-camera-multi-color-cheap-price-tablet-389.html

I ordered it through aliexpress, it came with Android 4.4.2 installed.

After a couple of days I noticed some strange behaviour of my tablet. I woke up with new applications installed: DU Battery Stats and DU something else. I also noticed that my Browser HomePage is locked to baidu.com and I’m not able to remove default browser from Launcher.

And here the story begins.