ADeadTrousers / twrp_device_Unihertz_Atom_LXL

Common device tree for the Unihertz Atom L and XL
Apache License 2.0

MTP and Decrypt in Android 10 #7

Open Harlock1978 opened 1 year ago

Harlock1978 commented 1 year ago

I'm trying to build a TWRP recovery for my Ulefone Armor 11 5G that has Android 10 and MT6873 chipset, and you are the only one I found who was able to do that. I'm stuck while trying to load the data partition:

    Could not mount /data and unable to find crypto footer
    Failed to mount '/data' (invalid argument)
    Unable to recreate '/data/media' folder.
    Unable to mount '/data/media/TWRP/.twrps

I read your code and imported some of your lines that had very tiny difference, but I cannot solve the problem, may I ask for your suggestion?

Thanks

ADeadTrousers commented 1 year ago

hi.

Before you can even think of decrypting you'd need to get the three services teed, keymaster and gatekeeper up and running. For this I'd suggest you first "exclude" all of the crypto stuff from TWRP:

TW_INCLUDE_CRYPTO := false
TW_INCLUDE_CRYPTO_FBE := false

Then copy all files needed for teed, keymaster and gatekeeper into your rom. I recently reorganized my filelist to better visualize which belongs to which: https://github.com/ADeadTrousers/twrp_device_Unihertz_Atom_LXL/blob/twrp-11.0-crypto/proprietary-files.txt

Leave out the init.rc scripts for the services for now and try to start the apps through adb shell. This way you will see what is missing.

Then you can reactivate the init.rc scripts and check with ps -A if the programs are running on their own.

In the last step you reactivate crypto in twrp and if it's not working check adb logcat for errors with the three services.

Harlock1978 commented 1 year ago

I did as you say and now MTP is working, but nothing is visible even if I mount system, vendor or product.

I run teed and this is the result:

    INF [452] TEED:main:1005: nsclient-commit-teed-mediatek-v2.3p10.m1
    INF [452] TEED:main:1025: tz dev path: /dev/tkcoredrv
    INF [452] TEED:main:1026: sdrpmb dev path:
    INF [452] TEED:main:1027: rpmb dev path: (null)
    INF [452] TEED:main:1029: system ta path: /system/app/t6
    INF [452] TEED:main:1030: sp ta path: /data/tee/t6
    INF [452] TEED:main:1032: secure fs path: /data/tee
    INF [452] TEED:main:1033: prebuilt data path: /vendor/app/t6/data/
    INF [452] TEED:main:1034: prot data path: /protect_f/tee/
    INF [452] TEED:main:1036: log path: /data/tee/tkcore.log
    INF [452] TEED:main:1037: prop prefix: trustkernel
    ERR [452] TEEC:TEEC_InvokeCommand:699: Function returns with [-65530]
    ERR [452] TEED:sdrpmb_early_init:1125: SDRPMB: failed to get active_id with 0xffff0006
    INF [454] TEED:log_teeos:300: thread started
    INF [452] TEED:main:1123: teed listening on /dev/tkcoredrv
    INF [453] TEED:tee_userinit:32: tee_userinit enter
    INF [453] TEED:tee_userinit:61: DEVICE BRAND Ulefone MODEL Armor 11 5G PLATFORM mt6873

I didn't understand the two errors. I notice that it is looking for app/t6 in system while it is in vendor; should I move it to system and just leave t6/data in vendor?

Gatekeeper and keymaster were missing three libraries that I found in system/lib64 and so I copied them. I will build a new version and see what happens.

ADeadTrousers commented 1 year ago

The missing libraries will mostly be missing because of the deactivated TW_INCLUDE_CRYPTO. So in order to get them properly into your recovery without TW_INCLUDE_CRYPTO you can use TW_RECOVERY_ADDITIONAL_RELINK_LIBRARY_FILES like I did it here https://github.com/ADeadTrousers/twrp_device_Unihertz_Atom_LXL/blob/master/BoardConfigCommon.mk#L112-L128

For the teed errors: I've those too even in system. The key here is that it keeps running and not shutting down. Best check your stock rom for the settings in trustkernel.rc. As far as I know A10 doesn't use --rpmbdev for example. Maybe this will fix the errors. You do use ALL of the parameters like in the script for running it via adb shell though?

Once you get all the problems sorted out for teed you can set it up to be started as a service and then get to work on gatekeeper and keymaster the same way.

Harlock1978 commented 1 year ago

I tried to start the program without following what is written in trustkernel.rc. I'll do it again. I already added the missing library in vendor and system.

I tried to run teed like in trustkernel.rc:

    /vendor/bin/teed \
        --datapath /data/vendor/t6/fs \
        --sptapath /data/vendor/t6/app \
        --systapath /vendor/app/t6 \
        --rpmbdev /dev/rpmb0 \
        --prot /mnt/vendor/persist/t6 \
        --logpath /data/vendor/t6/tkcore.log \
        --proprefix vendor.trustkernel
        capabilities SYS_RAWIO
        user system
        group system
        class core

but I have the same error messages:

    INF [444] TEED:main:1005: nsclient-commit-teed-mediatek-v2.3p10.m1
    INF [444] TEED:main:1025: tz dev path: /dev/tkcoredrv
    INF [444] TEED:main:1026: sdrpmb dev path:
    INF [444] TEED:main:1027: rpmb dev path: /dev/rpmb0
    INF [444] TEED:main:1029: system ta path: /vendor/app/t6
    INF [444] TEED:main:1030: sp ta path: /data/vendor/t6/app
    INF [444] TEED:main:1032: secure fs path: /data/vendor/t6/fs
    INF [444] TEED:main:1033: prebuilt data path: /vendor/app/t6/data/
    INF [444] TEED:main:1034: prot data path: /mnt/vendor/persist/t6
    INF [444] TEED:main:1036: log path: /data/vendor/t6/tkcore.log
    INF [444] TEED:main:1037: prop prefix: vendor.trustkernel
    INF [444] TEED:main:1047: RPMB: enabled
    ERR [444] TEEC:TEEC_InvokeCommand:699: Function returns with [-65530]
    ERR [444] TEED:sdrpmb_early_init:1125: SDRPMB: failed to get active_id with 0xffff0006
    INF [444] TEED:main:1123: teed listening on /dev/tkcoredrv
    INF [446] TEED:log_teeos:300: thread started
    INF [445] TEED:tee_userinit:32: tee_userinit enter
    INF [445] TEED:tee_userinit:61: DEVICE BRAND Ulefone MODEL Armor 11 5G PLATFORM mt6873
    ERR [445] TEEC:TEEC_InvokeCommand:699: Function returns with [-65529]
    ERR [445] TEED:tee_userinit:88: Bad init tee os: 0xffff0007 with 4
    ERR [445] TEED:userinit:442: tee_userinit failed with -65529

ADeadTrousers commented 1 year ago

Like I said: I've the same errors. Does the process keep running or does it return to the shell prompt?

Harlock1978 commented 1 year ago

It keeps running

I have to press Control + C to have again the prompt

ADeadTrousers commented 1 year ago

Then include the trustkernel.rc into your init.recovery.xxx.rc and have the teed service started at on post-fs. Build, flash and check with ps -A if teed is running. Next try to get keymaster and gatekeeper running the same way.

Harlock1978 commented 1 year ago

vendor/bin/hw/android.hardware.gatekeeper@1.0-service

it says unable to open Gatekeeper HAL

/vendor/bin/hw/vendor.mediatek.hardware.keymaster_attestation@1.1-service

it repeats ERR [469] TEEC:TEEC_OpenSession:541: open session to TA UUID b46325e6 5c90 8252 failed

/vendor/bin/hw/vendor.sw.swfingerprint@1.0-service

it says No such file or directory even if the file is there

ADeadTrousers commented 1 year ago

Unless teed is running in the background no other of the trustkernel services is able to run. You only need gatekeeper and keymaster. keymaster_attestation and sw.fingerprint are not needed.

Harlock1978 commented 1 year ago

I reactivated everything and now I build a new img, but still with

TW_INCLUDE_CRYPTO := false
TW_INCLUDE_CRYPTO_FBE := false

Am I right?

ADeadTrousers commented 1 year ago

Everything? No, just teed (trustkernel.rc).

Harlock1978 commented 1 year ago

I activated trustkernel.rc as you said, but there is no teed service running after typing ps -A

On a first look our trustkernel.rc looks similar, but then I realised that you disabled some commands, so did I.

I don't know what to do with this part:

    restorecon /mnt/vendor/protect_f
    mkdir /mnt/vendor/protect_f/tee
    chown system system /mnt/vendor/protect_f/tee
    restorecon /mnt/vendor/protect_f/tee

I will disable it in the first attempt, let's see.

The only tee file running right now is tee-log

Harlock1978 commented 1 year ago

I built a new version with trustkernel modded following your version, but there is still no teed in the list of the active services.

I will try again after activating the part that I don't understand exactly.

ADeadTrousers commented 1 year ago

You should stick to your trustkernel.rc settings as mine is for A11 already. Only thing you NEED to include is trustkernel.twrp.sh and changing the setting for --prot /mnt/vendor/persist/t6_twrp accordingly. Otherwise as soon as you decrypt with your recovery you won't be able to login into your system anymore. The keys will be updated and cannot be used by the system anymore. Learned that the hard way.
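The two return codes asked about earlier and the `--prot` warning above, as an added example that is not part of the thread or of the project's code: it splits teed output (even when pasted as one run-together line), names the TEEC codes, and reports whether the recovery's teed points at the stock prot directory. Assumptions: teed reports standard GlobalPlatform TEE Client API codes (suggested by the `TEEC_` prefix), the function names are illustrative, and the sample lines are copied from the log posted in the thread.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Return codes from the GlobalPlatform TEE Client API.
# Assumption: teed and its TEEC_* calls use these standard values.
TEEC_ERRORS = {
    0xFFFF0000: "TEEC_ERROR_GENERIC",
    0xFFFF0001: "TEEC_ERROR_ACCESS_DENIED",
    0xFFFF0002: "TEEC_ERROR_CANCEL",
    0xFFFF0003: "TEEC_ERROR_ACCESS_CONFLICT",
    0xFFFF0004: "TEEC_ERROR_EXCESS_DATA",
    0xFFFF0005: "TEEC_ERROR_BAD_FORMAT",
    0xFFFF0006: "TEEC_ERROR_BAD_PARAMETERS",
    0xFFFF0007: "TEEC_ERROR_BAD_STATE",
    0xFFFF0008: "TEEC_ERROR_ITEM_NOT_FOUND",
    0xFFFF0009: "TEEC_ERROR_NOT_IMPLEMENTED",
    0xFFFF000A: "TEEC_ERROR_NOT_SUPPORTED",
    0xFFFF000B: "TEEC_ERROR_NO_DATA",
    0xFFFF000C: "TEEC_ERROR_OUT_OF_MEMORY",
    0xFFFF000D: "TEEC_ERROR_BUSY",
    0xFFFF000E: "TEEC_ERROR_COMMUNICATION",
    0xFFFF000F: "TEEC_ERROR_SECURITY",
    0xFFFF0010: "TEEC_ERROR_SHORT_BUFFER",
}

# Record header as printed by teed: LEVEL [pid] COMPONENT:function:line:
HEADER = re.compile(r"\b([A-Z]{3}) \[(\d+)\] (\w+):(\w+):(\d+):")
# Candidate return codes in a message: 0x-prefixed hex or a negative decimal.
CODE = re.compile(r"0x[0-9a-fA-F]+|-\d+")


class Record(NamedTuple):
    level: str
    pid: int
    component: str
    function: str
    line: int
    message: str


def parse_teed_log(text: str) -> List[Record]:
    """Split teed output into records, even when the lines were run together."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        level, pid, comp, func, line = m.groups()
        records.append(Record(level, int(pid), comp, func, int(line),
                              text[m.end():end].strip()))
    return records


def decode_teec(token: str) -> Optional[str]:
    """Map '-65530' or '0xffff0006' to a TEEC_* name (None if not a TEEC code)."""
    value = int(token, 16) if token.lower().startswith("0x") else int(token)
    return TEEC_ERRORS.get(value & 0xFFFFFFFF)  # signed 32-bit -> unsigned


def teec_errors(records: List[Record]) -> List[Tuple[str, str]]:
    """(reporting function, TEEC name) for every decodable code in ERR records."""
    found = []
    for r in records:
        if r.level != "ERR":
            continue
        for token in CODE.findall(r.message):
            name = decode_teec(token)
            if name:
                found.append((r.function, name))
    return found


def prot_data_path(records: List[Record]) -> Optional[str]:
    """The directory teed announced as its 'prot data path' at startup."""
    for r in records:
        if r.message.startswith("prot data path:"):
            return r.message.split(":", 1)[1].strip()
    return None


def shares_stock_prot_dir(records: List[Record], stock_prot: str) -> bool:
    """True when the recovery's teed writes to the same prot dir as the system."""
    path = prot_data_path(records)
    return path is not None and path.rstrip("/") == stock_prot.rstrip("/")


# Sample: lines from the log posted in the thread, run together as pasted.
SAMPLE = (
    "INF [444] TEED:main:1026: sdrpmb dev path: "
    "INF [444] TEED:main:1027: rpmb dev path: /dev/rpmb0 "
    "INF [444] TEED:main:1034: prot data path: /mnt/vendor/persist/t6 "
    "ERR [444] TEEC:TEEC_InvokeCommand:699: Function returns with [-65530] "
    "ERR [444] TEED:sdrpmb_early_init:1125: SDRPMB: failed to get active_id with 0xffff0006 "
    "INF [444] TEED:main:1123: teed listening on /dev/tkcoredrv "
    "ERR [445] TEEC:TEEC_InvokeCommand:699: Function returns with [-65529] "
    "ERR [445] TEED:tee_userinit:88: Bad init tee os: 0xffff0007 with 4 "
    "ERR [445] TEED:userinit:442: tee_userinit failed with -65529"
)

if __name__ == "__main__":
    recs = parse_teed_log(SAMPLE)
    for func, name in teec_errors(recs):
        print(f"{func}: {name}")
    # Stock --prot value taken from the trustkernel.rc invocation in the thread.
    if shares_stock_prot_dir(recs, "/mnt/vendor/persist/t6"):
        print("teed in recovery uses the stock prot dir; give it its own copy")
```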

Harlock1978 commented 1 year ago

I stay with my trustkernel.rc and I just disable the part you disabled too:

    write /proc/bootprof "tkcore: prepare system ta path"

    # restorecon /mnt/vendor/persist
    mkdir /mnt/vendor/persist/t6_twrp
    #chown system system /mnt/vendor/persist/t6
    #restorecon /mnt/vendor/persist/t6

    #   restorecon /mnt/vendor/protect_f
    mkdir /mnt/vendor/protect_f/tee_twrp
    #   chown system system /mnt/vendor/protect_f/tee
    #   restorecon /mnt/vendor/protect_f/tee

    setprop vendor.trustkernel.fs.mode 3
    setprop vendor.trustkernel.fs.state ready   

    start teed

I also added mkdir /mnt/vendor/protect_f/tee_twrp in trustkernel.twrp.sh

Right now I cannot log in to my system anymore after updating the busybox script of Magisk. After the reboot it stayed stuck on the Ulefone logo a whole night. I did a complete backup of all partitions with mtkclient.

Even using the original fstab I still cannot mount data in TWRP or even in Linux.

Harlock1978 commented 1 year ago

I just installed the latest recovery with trustkernel, but again ps -A shows no teed running

ADeadTrousers commented 1 year ago

Does the command start teed make any difference? Have you included/imported your trustkernel.rc into your init.recovery.xxx.rc?

Harlock1978 commented 1 year ago

In trustkernel.rc there is start tee, but it doesn't start anything, I can start it manually.

I have import /vendor/etc/init/trustkernel.rc in my init.recovery.mt6873.rc

here you can see my trustkernel.rc if you want

Harlock1978 commented 1 year ago

Running start teed in shell doesn't do anything.

It looks like the .rc files imported in init.recovery.xxxx.rc are not loaded.

Harlock1978 commented 1 year ago

On another forum I found the suggestion to run readelf -a teed | grep NEEDED and I found 4 libraries not present in my system so I added them, but nothing changed. teed is not started.

ADeadTrousers commented 1 year ago

That is strange. I don't see an error in your rc-scripts. Also the naming of init.recovery.mt6873.rc matches the TARGET_BOARD_PLATFORM in BoardConfig.mk. Did you check logcat? There should be mentions of the starting services. Have you checked if the script files in the recovery.img are correct? I sometimes encountered a problem where when I change a file in my device tree the changes won't get copied into the final recovery.img unless I first clean the out dir.

Harlock1978 commented 1 year ago

> Also the naming of init.recovery.mt6873.rc matches the TARGET_BOARD_PLATFORM in BoardConfig.mk.

I check and it is written so TARGET_BOARD_PLATFORM := mt6873

I did a logcat, but I didn't understand it very well. I see this a lot of times:

    01-28 02:45:46.085 427 427 D tkcore-teec: nsclient-commit-teed-mediatek-v2.3p10.m1
    01-28 02:45:46.085 427 427 D tkcore-teec:
    01-28 02:45:46.085 427 427 D tkcore-teec: drop privs failed

I added the logcat with system left read only or mounted read and write.

recovery-read_only.txt recovery-mount rw.txt

I assume the script files in the recovery.img are correct because I compile with an online repository and every time it is cloning my tree.

ADeadTrousers commented 1 year ago

tkcore-teec is the trustkernel module in the linux kernel itself. teed is using that to ensure "trustworthiness". The three recurring lines in the logs seem suspicious. I'd need to compare them to mine but I'm currently on vacation so I'm lacking all my testing/logging gear. Maybe next week.

Harlock1978 commented 1 year ago

Thank you

ADeadTrousers commented 1 year ago

My log includes these lines

tkcore-teec: nsclient-commit-teed-mediatek-v2.3p10.m2-1-geb11a81
tkcore-teec: 
tkcore-teec: tz dev path: /dev/tkcoredrv
tkcore-teec: sdrpmb dev path: 
tkcore-teec: rpmb dev path: /dev/rpmb0
tkcore-teec: system ta path: /vendor/app/t6
tkcore-teec: sp ta path: /data/vendor/t6/app
tkcore-teec: secure fs path: /data/vendor/t6/fs
tkcore-teec: prebuilt data path: /vendor/app/t6/data/
tkcore-teec: prot data path: /mnt/vendor/persist/t6_twrp
tkcore-teec: log path: /data/vendor/t6/tkcore.log
tkcore-teec: prop prefix: vendor.trustkernel
tkcore-teec: read extcsd failed with -1(25)
tkcore-teec: read dev info failed
tkcore-teec: teed: failed to init rpmb dev with : 246

So I think I've to take back my statement from earlier as it includes my modified path /mnt/vendor/persist/t6_twrp it is in fact from the call of the teed service.

My best guess now is that you have made an error on including the required files from your stock rom. Try NOT to uncomment the lines I commented in my twrp-10 branch or instead apply my twrp-11 branch.

Harlock1978 commented 1 year ago

I did what you said but I still have the same error. Could it depend on the fact that when I start TWRP I always have this error message:

Failed to mount '/data' (Invalid argument)

ADeadTrousers commented 1 year ago

I honestly don't know.

Harlock1978 commented 1 year ago

Do you eventually have time and desire to check my script and see if there are some errors that I'm not able to spot?

Thanks

iamsj7 commented 1 year ago

Hi @ADeadTrousers can you drop your telegram id. I need to discuss something related to MT8778

ADeadTrousers commented 1 year ago

> Do you eventually have time and desire to check my script and see if there are some errors that I'm not able to spot?

Sorry, but as I don't have your device in front of me I cannot test the results of your scripts in your logs. I'd need to tinker with it myself. Also I already told you: You NEED to get trustkernel, gatekeeper and keymaster to work. All the things needed for that are inside your stock rom files. You only need to interpret the init.rc scripts. For example which files to import, which "class" the services are connected with, when these classes are called during the boot process and so on. In the log you need to search for the services or infos related to them and see if there are errors and so on.

> Hi @ADeadTrousers can you drop your telegram id. I need to discuss something related to MT8778

You already used it: @ADeadTrousers. But again, I don't own a MT8778 device so I can only advise you to follow the simple steps I already explained: Try to get the three services trustkernel (which depends on your device), gatekeeper and keymaster to work WITHOUT decryption active in TWRP.

Harlock1978 commented 1 year ago

I solved part of my problem. The error Failed to mount '/data' (Invalid argument) was due to the fact that the latest update of magisk modules corrupted the filesystem of the data partition. Now I restored it and I was able to try to activate decrypt again.

In adb shell ps -A there is no teed running.

Starting teed manually produces these results:

    INF [1369] TEED:main:1005: nsclient-commit-teed-mediatek-v2.3p10.m1
    INF [1369] TEED:main:1025: tz dev path: /dev/tkcoredrv
    INF [1369] TEED:main:1026: sdrpmb dev path:
    INF [1369] TEED:main:1027: rpmb dev path: /dev/rpmb0
    INF [1369] TEED:main:1029: system ta path: /vendor/app/t6
    INF [1369] TEED:main:1030: sp ta path: /data/vendor/t6/app
    INF [1369] TEED:main:1032: secure fs path: /data/vendor/t6/fs
    INF [1369] TEED:main:1033: prebuilt data path: /vendor/app/t6/data/
    INF [1369] TEED:main:1034: prot data path: /mnt/vendor/persist/t6_twrp
    INF [1369] TEED:main:1036: log path: /data/vendor/t6/tkcore.log
    INF [1369] TEED:main:1037: prop prefix: vendor.trustkernel
    INF [1369] TEED:main:1047: RPMB: enabled
    ERR [1369] TEEC:TEEC_InvokeCommand:699: Function returns with [-65530]
    ERR [1369] TEED:sdrpmb_early_init:1125: SDRPMB: failed to get active_id with 0xffff0006
    INF [1371] TEED:log_teeos:300: thread started
    INF [1369] TEED:main:1123: teed listening on /dev/tkcoredrv
    INF [1370] TEED:tee_userinit:32: tee_userinit enter
    ERR [1371] TEED:get_log_fd:250: Failed to open /data/vendor/t6/tkcore.log with No such file or directory(2). Try creating one...
    ERR [1371] TEED:get_log_fd:261: Failed to create /data/vendor/t6/tkcore.log with No such file or directory(2).
    INF [1370] TEED:tee_userinit:61: DEVICE BRAND Ulefone MODEL Armor 11 5G PLATFORM mt6873
    ERR [1369] TEED:read_cid_from_sysfs:280: Failed to open cid with 2
    ERR [1369] TEED:read_cid_from_sysfs:281: Use empty CID
    ERR [1369] TEED:tee_fs_opendir:761: bad opendir
    ERR [1369] TEED:tee_fs_opendir:761: bad opendir
    ERR [1369] TEED:tee_fs_opendir:761: bad opendir

data/vendor is encrypted; could the problem be that it cannot read or write the directory? Even so, I find it a little bit strange, because in this case how can it work in the normal phone? Maybe they are FDE based encrypted.

ADeadTrousers commented 1 year ago

data/vendor is being accessible AFTER the decryption is finished. Does teed keep running after starting it manually?

Harlock1978 commented 1 year ago

When I start teed manually it stays on

ERR [1369] TEED:tee_fs_opendir:761: bad opendir

and I have to click Control+C to have the command prompt again; running ps -A afterwards shows no teed service running. If I run start teed, I don't have any error message, but again nothing in ps -A

I attached a new logcat, just in case. logcat.txt

ADeadTrousers commented 1 year ago

Open a second shell with adb. In the first start teed manually and in the second check ps -A. The same can be done for gatekeeper in a third shell and keymaster in a fourth. As for start teed not working, I honestly don't know why. Your rc-scripts seem to be correct.

Your logcat also looks kinda problematic. The repeating nsclient-commit-teed-mediatek-v2.3p10.m1 lines should not be happening. Why are they happening? I don't know.

ADeadTrousers commented 1 year ago

Oops... clicked on the wrong button.

ADeadTrousers commented 1 year ago

Try to remove the start teed from trustkernel.rc. Maybe that's causing some issues with init.rc because it is run during the boot process. After that boot into recovery and check logcat to see if teed is being started or not (there should be no mention of nsclient-commit-teed-mediatek-v2.3p10.m1). If there are no lines in the log, do a manual start teed and check the logs again. If the lines now appear, at least you know that the service is defined correctly, although teed is not working properly.

Harlock1978 commented 1 year ago

Open a second shell with adb. In the first start teed manually and in the second check ps -A. The same can be done for gatekeeper in a third shell and keymaster in a fourth. As for start teed not working, I honestly don't know why. Your rc-scripts seem to be correct.

Your logcat also looks kinda problematic. The repeating nsclient-commit-teed-mediatek-v2.3p10.m1 lines should not be happening. Why are they happening? I don't know.

If I start teed manually I can find it in the second shell with ps -A, but gatekeeper and keymaster are not working.

I will now build again with start teed commented out and see what happens.

Harlock1978 commented 1 year ago

I did what you said and without start teed I have no mention in logcat, and suddenly nsclient-commit-teed-mediatek-v2.3p10.m1 appears after running start teed. Now I have to understand what causes drop privs failed and what it means.

ADeadTrousers commented 1 year ago

Just to be sure: Do you have an A/B device OR do you have separate recovery and boot partitions? If it is the latter, do you use the same or a different kernel for both partitions?

Harlock1978 commented 1 year ago

I have separate recovery and boot partitions. I use the kernel of the recovery for TWRP and it is different than that of kernel. I was wondering if I should build TWRP using the kernel of the boot image, but on another forum somebody told me that in this case TWRP would not work, so I didn't try.

ADeadTrousers commented 1 year ago

Normally the phone vendor uses the same kernel for recovery and boot. A simple md5sum check should be enough to prove that. Therefore the recovery won't support the touchscreen, as most drivers test for the boot mode in order to activate. I believe that's why you were told to not use the boot kernel. But to have a touchscreen in recovery one just needs to modify the kernel on a binary level and that's it. If the stock kernel inside boot and recovery is indeed different, that means it was built separately. This also means that more things than the touchscreen drivers could be different. For example a standard (aosp) recovery doesn't need a trustkernel environment because it isn't designed to decrypt userdata and should only modify system, vendor, oem and so on.

Out of curiosity I'd suggest you should try to build twrp with the same kernel as boot. Even if the touchscreen isn't working, at least adb should, and you would see if teed is working that way. Afterwards you can try to activate the touchscreen following my guide https://github.com/ADeadTrousers/twrp_device_Unihertz_Atom_LXL/blob/master/docs/HOW-TO-PATCH.md
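One way to run the kernel comparison mentioned above on a boot and a recovery image, hashing only the kernel section of each, since the ramdisks differ and the whole files will not match. This is an added example, not code from the thread or the device tree; it assumes both files use the AOSP boot image header (`ANDROID!` magic), uses SHA-256 in place of md5sum, and its function names and sample images are constructed for illustration.

```python
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"

def kernel_section(image: bytes) -> bytes:
    """Return the raw kernel section of an AOSP-format boot or recovery image."""
    if image[:8] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic")
    kernel_size, = struct.unpack_from("<I", image, 8)
    version, = struct.unpack_from("<I", image, 40)
    if version in (3, 4):
        page = 4096                                   # v3/v4: fixed 4096-byte page
    else:
        page, = struct.unpack_from("<I", image, 36)   # v0-v2: page_size field
    if page == 0 or page + kernel_size > len(image):
        raise ValueError("truncated or malformed image")
    return image[page:page + kernel_size]             # kernel follows the header page

def same_kernel(boot: bytes, recovery: bytes):
    """Compare kernel sections only; returns (equal, boot_digest, recovery_digest)."""
    a = hashlib.sha256(kernel_section(boot)).hexdigest()
    b = hashlib.sha256(kernel_section(recovery)).hexdigest()
    return a == b, a, b

def make_image(kernel: bytes, ramdisk: bytes, page: int = 2048, version: int = 2) -> bytes:
    """Build a constructed v0-v2 style image for the demo (not a real ROM image)."""
    def pad(blob: bytes) -> bytes:
        return blob + b"\0" * (-len(blob) % page)
    header = struct.pack("<8s10I", BOOT_MAGIC, len(kernel), 0, len(ramdisk),
                         0, 0, 0, 0, page, version, 0)
    return pad(header) + pad(kernel) + pad(ramdisk)

if __name__ == "__main__":
    kernel = b"constructed-kernel-bytes" * 500
    boot = make_image(kernel, b"boot ramdisk")
    recovery = make_image(kernel, b"recovery ramdisk")
    print("whole images equal:", boot == recovery)
    print("kernel sections equal:", same_kernel(boot, recovery)[0])
```

For real images, read each file with `open(path, "rb").read()` and pass the bytes to `same_kernel`.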

Harlock1978 commented 1 year ago

I realized that the first version of the ROM had different kernels for boot and recovery, but the last one has the same kernel, so now I use the latest kernel, but nothing changed.

Harlock1978 commented 1 year ago

I did some experiments without success. In the original uevent.rc I found these lines:

trustkernel tee

/dev/tkcoredrv 0660 root system
/dev/block/mmcblk0rpmb 0660 root system
/dev/rpmb0 0660 root system

while in yours you have root root.

I tried both variants, but I always have the error about drop privilege.

Could this line also be a problem?

capabilities SYS_RAWIO

The other possibility is that I have to uncomment all the restorecon and chown in trustkernel.rc, what do you think?

P.S.

Why did you change all the "prepare" state to "ready" in trustkernel.rc?

ADeadTrousers commented 1 year ago

Do you use the SAME kernel as the 'teed' is from? As far as I know the capability SYS_RAWIO is needed from A11 onwards for services to access certain devices. restorecon is part of selinux so it's (probably) and under A10 it mostly produced errors in the logs, therefore I commented these lines. The "ready" state is the last state of the property and as the others weren't triggered in TWRP I thought what the heck, just set it to the last state, maybe that helps. That was under A10 as I was having troubles getting decryption to work. Later on I figured it was another problem so I never bothered to change that back.

Harlock1978 commented 1 year ago

Do you use the SAME kernel as the 'teed' is from?

Yes I have the same kernel, everything comes from the same ROM. I still have Android 10, I never installed Android 11.

The "ready" state is the last state of the property and as the others weren't triggered in TWRP I thought what the heck, just set it to the last state, maybe that helps. That was under A10 as I was having troubles getting decryption to work. Later on I figured it was another problem so I never bothered to change that back.

So it doesn't matter if I don't change them

If restorecon and SYS_RAWIO are not the problem then I can't figure out where drop priv failed comes from.