chrisk44 / Hijacker

Aircrack, Airodump, Aireplay, MDK3 and Reaver GUI Application for Android
GNU General Public License v3.0
2.38k stars 418 forks

SAR support on Android 10 #83

Open sztihamer opened 4 years ago

sztihamer commented 4 years ago

Hijacker fails to show any networks with the latest version on LineageOS 17.1 on the Nexus 5.

Link to ROM: https://forum.xda-developers.com/google-nexus-5/orig-development/rom-lineageos-17-1-nexus-5-hammerhead-t4039273 https://sourceforge.net/projects/hammerhead-lineageos/files/17.1/

Logs in this post and explanation why Hijacker won't work. Because of SAR (system as root): https://forum.xda-developers.com/showpost.php?p=81807009&postcount=106

I have the latest stable version of Magisk installed (20.3) but I guess the tools are not loading, nor is the firmware getting swapped with the Nexmon one.

chrisk44 commented 4 years ago

System-as-root by itself has nothing to do with root access (that is, a su binary you can run to get a root shell). SAR is a Partition Layout as described here. This may make rooting more difficult (I wouldn't know, I haven't worked with it), but as long as you have found a way to root your device, somehow somewhere there should be a su binary that works.

Hijacker will call this binary, you will be asked whether you approve of this by your system/Magisk/whatever-your-rooting-solution-is, and Hijacker will have a shell with root access to run the tools it needs. As long as nothing goes wrong in the above procedure, Hijacker should work.

Now, a requirement for Hijacker to work is to have a custom firmware installed for your device's wireless adapter. I see from your logs that you tried to install it. The way Hijacker does that is simple (as it can be seen in the install() function in InstallFirmwareDialog.java, everything is done through a root shell):

  1. You select where you want to install the firmware and the nexutil binary (I am assuming that these directories will be on the system partition).
  2. The system partition is remounted as read-write.
  3. The firmware and utility binary are extracted from the app and copied in the directories you selected.
  4. The system partition is remounted as read-only.

That's probably where it all goes wrong in your case. I have no idea what has happened with SAR, but Hijacker might not be able to remount the system as read-write and write the new firmware to it. Or maybe the install directories are wrong, or the supplied firmware doesn't work on Android 10, or the specific command I used doesn't work for some reason, or a thousand other things that can go wrong...

So what I propose is that you try to install the firmware by yourself and then try again. Also, in the app's settings you will find a "Test Tools" option. If the tests pass, then I'm probably right, the problem is with the firmware installation. If they fail try running the commands manually, see what happens and tell me so we can work it out from there.

sztihamer commented 4 years ago

Testing tools is like it was before. Everything has a check mark except Kali chroot which is good. Firmware Location says /system/vendor/firmware/fw_bcmdhd.bin

That is what I should replace and try again?

chrisk44 commented 4 years ago

You should try to install the firmware manually. Find the firmware binary, find out where it is located in your device and replace it. Reboot the device and hopefully it will work.

sztihamer commented 4 years ago

Alright here's what I did and I failed miserably just like when I was messing with LineageOS 14.1. I replaced fw_bcmdhd.bin in /system/vendor/firmware/ and rebooted. That is where Hijacker detected the firmware. Is that location correct? Because after reboot I bricked Wifi and the toggle went back to Off every single time I turned it on.

To fix I had to flash ROM in TWRP again and that fixed it but I am back to square one. I never had success with manual replacing only when Hijacker did it in the past.

chrisk44 commented 4 years ago

Make sure you are using the correct firmware file and that you replace the original file with the new without changing the filename.

sztihamer commented 4 years ago

I took this: https://github.com/chrisk44/Hijacker/blob/master/app/src/main/assets/fw_bcmdhd_4339.bin

And renamed it to fw_bcmdhd.bin, is that the issue? Does it make a difference if I rename the file?

chrisk44 commented 4 years ago

You should rename it to fw_bcmdhd.bin and replace the original file with it. Also, place the nexutil binary in a PATH accessible directory.

sztihamer commented 4 years ago

Yep. That's what I did with the firmware. Copy and replace it in /system/vendor/firmware/ or delete and paste in new file. That didn't work.

chrisk44 commented 4 years ago

Did you run the tools manually in a terminal? What happens then?

sztihamer commented 4 years ago

I tried to run nexutil from /data/data/com.hijacker/files and I got this: system/bin/sh: nexutil: inaccessible or not found

chrisk44 commented 4 years ago

nexutil must be in a PATH accessible directory and you can run it from anywhere you want. Run the test commands supplied by Hijacker.

sztihamer commented 4 years ago

Put nexutil in /system/bin and I get this now: system/bin/sh: nexutil: can't execute: Permission denied

chrisk44 commented 4 years ago

You need to chmod +x nexutil

sztihamer commented 4 years ago

chmod: nexutil: No such file or directory

sztihamer commented 4 years ago

Alright. I chmod 755 in TWRP and now I can run nexutil --help

chrisk44 commented 4 years ago

TWRP has nothing to do with this. I say again: Run the test commands supplied by Hijacker.

sztihamer commented 4 years ago

Oh I thought you asked me to put nexutil in /system/bin and chmod it and run it from there. Now you are asking me to run stuff that in the Hijacker gives me a check mark already?

Ok. I did that. I copied the first test command. su then typed /data/user/0/com.hijacker/files/bin/aircrack-ng /storage/emulated/0/Hijacker/capture_files/wpa.cap-01.cap

It clearly ran but told me that there's no such file or directory, and no networks found, exiting and, Quitting aircrack-ng...

I get what you mean. These do work. I am having issues with the firmware. I can repeat myself again that after I replaced fw_bcmdhd.bin with the patched one then I cannot get Wifi working anymore. It just turns itself off when I try to turn it on. Maybe that is also some permission hell. I am doing some research on that right now.

chrisk44 commented 4 years ago

Run the command for airodump-ng, not aircrack. After installing the firmware, turning the wifi on and running nexutil -m true to put the adapter in monitor mode, you have to run the airodump-ng command to see wifi activity. If it shows up in the terminal but not in the app, then there is a problem with the app. Otherwise the problem is somewhere else.

sztihamer commented 4 years ago

I managed to fix it. It's working. Here's what I had to do to get this bloody Nexmon firmware working. I needed to chmod fw_bcmdhd.bin to 644 to match the stock firmware (-rw-r--r--). This is why it wasn't working. For some reason it's not like that and the only way to replace the firmware right now is in TWRP. Including placing nexutil in /system/bin and chmod 755 it.

I can use Wifi now and it doesn't fail to load the firmware. Chip is in monitor mode now when I run Hijacker and I can see now my APs. Now it's your turn to have SAR support.

Hijacker

chrisk44 commented 4 years ago

I'm glad it works. I'd be happy to make it work, but unfortunately I can't run LineageOS 17.1 on my device, so I can't test anything. If you want you can help me figure out what goes wrong. I'll need you to follow the instructions below and tell me what happens.

Starting conditions:

I'll assume that:

Procedure:

  1. Start a root shell and cd to the Hijacker bin directory: cd /data/data/com.hijacker/files/bin or cd /data/user/0/com.hijacker/files/bin

  2. Run busybox to make sure it works, you should see the busybox help screen. ./busybox

  3. Try to move fw_bcmdhd.bin in /system/vendor/firmware, which should fail because the system is mounted as read-only. cp /data/local/tmp/fw_bcmdhd.bin /system/vendor/firmware/fw_bcmdhd.bin

  4. Try to move nexutil in /system/bin, which should fail for the same reason. cp /data/local/tmp/nexutil /system/bin/nexutil

  5. Remount /system as read-write. ./busybox mount -o rw,remount,rw /system

  6. Try again to move the firmware and nexutil files.
     cp /data/local/tmp/fw_bcmdhd.bin /system/vendor/firmware/fw_bcmdhd.bin
     chmod 755 /system/vendor/firmware/fw_bcmdhd.bin
     cp /data/local/tmp/nexutil /system/bin/nexutil

  7. Remount /system as read-only. ./busybox mount -o ro,remount,ro /system

  8. Try to use the installed nexutil binary, you should see the nexutil help screen. nexutil --help

  9. Open the Hijacker app and check if everything works.

Follow the steps above, pay attention to the starting conditions, and tell me what works and what doesn't. Steps 3 and 4 are expected to fail (would be interesting if they worked), steps 5 and 7 might fail because of SAR (?), the rest are fairly simple.

sztihamer commented 4 years ago

I can already see that step 5 will fail without even trying. The ROM maintainer even told me which line is problematic in the code and it's the busybox one: https://github.com/chrisk44/Hijacker/blob/master/app/src/main/java/com/hijacker/InstallFirmwareDialog.java#L198

But I did try the busybox command and this is what you get: mount: can't find /system in /proc/mounts

sztihamer commented 4 years ago

Maybe the solution is simple: https://twitter.com/topjohnwu/status/1186808994133790720 https://twitter.com/topjohnwu/status/1186809535253499904

https://android.stackexchange.com/questions/220370/how-to-modify-system-priv-app-in-android-10

Edit: I did try this and busybox was happy. It returned nothing so I assume it worked.

su
cd /data/user/0/com.hijacker/files/bin
./busybox mount -o rw,remount,rw /
./busybox mount -o ro,remount,ro /

chrisk44 commented 4 years ago

Ok, what about the rest?

sztihamer commented 4 years ago

Because this is my main phone and I needed it today. It already has the patched firmware and nexutil in the right place. First I need to revert everything and I didn't have time for that. That's all I could test. Please read the two tweets and the Stack Exchange link. It explains why this doesn't work... ./busybox mount -o rw,remount,rw /system and this does... ./busybox mount -o rw,remount,rw /

sztihamer commented 4 years ago

Flashed the latest ROM version in TWRP. That undid everything I did manually from TWRP. It reverted to stock firmware and it deleted nexutil from /system/bin.

I cleared data and cache for Hijacker. Ran it once and dropped the files in /data/local/tmp/, both of them.

Ran Terminal and got myself root with su then I navigated to cd /data/user/0/com.hijacker/files/bin. Then I tried ./busybox. It worked. I tried to copy both files from /data/local/tmp/ when /system was read-only. That failed for obvious reasons.

Key part here! ./busybox mount -o rw,remount,rw / and not ./busybox mount -o rw,remount,rw /system. Magisk developer topjohnwu explained why in his tweet and Magisk changelog. https://twitter.com/topjohnwu/status/1186808994133790720 https://twitter.com/topjohnwu/status/1186809535253499904 https://forum.xda-developers.com/showpost.php?s=add1626f2af5e4132b83f0b0ae2dd799&p=68966755&postcount=2

v19.4

  • [MagiskInit] [SAR] Boot system-as-root devices with system mounted as /

I copied the firmware with cp /data/local/tmp/fw_bcmdhd.bin /system/vendor/firmware/fw_bcmdhd.bin. Then I ran chmod 644 /system/vendor/firmware/fw_bcmdhd.bin. You don't need 755 for this. It's enough to have the same permissions as stock firmware.

Copied nexutil with cp /data/local/tmp/nexutil /system/bin/nexutil. For this one I used chmod 755 /system/bin/nexutil.

Last part. Also very important. ./busybox mount -o ro,remount,ro / and not /system

nexutil --help worked and I went ahead and ran Hijacker and I see my SSIDs.

Now you must either detect SAR. ROM maintainer said something about providing a zip that you can flash in TWRP that does the same thing. Copy the files in the correct directories and do the chmod for the two files. That's also a decent fix. You just flash it from TWRP after the ROM and you don't even need to touch the Install Nexmon option from Settings.
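The manual procedure in the steps above and the SAR findings in this comment boil down to one decision (which mount point to remount) plus a check that the partition really went back to read-only. The script below is an added example, not code from Hijacker or its author: it reads a /proc/mounts table, picks /system on a legacy layout and / on a system-as-root device (where Magisk v20.0+ mounts system at /), prints the install commands for review instead of running them, and verifies the read-only state afterwards. The function names, the sample mount tables and the /dev/block paths are constructed for this example; the chmod values follow what worked in this thread (644 for the firmware, 755 for nexutil).

```shell
#!/bin/sh
# Added example, not Hijacker's own code. Turns the install procedure from
# this thread into a SAR-aware plan: choose the remount target from
# /proc/mounts, emit the commands, and confirm the partition is read-only
# again afterwards. Function names and sample data are constructed.

# Constructed /proc/mounts excerpts (not captured from a real device).
LEGACY_MOUNTS='/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'
SAR_MOUNTS='/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'

# remount_target: reads a /proc/mounts table from stdin and prints the mount
# point to remount. Assumes a SAR device has no separate /system entry,
# which is what "can't find /system in /proc/mounts" in this thread shows.
remount_target() {
    if awk '$2 == "/system" { found = 1 } END { exit !found }'; then
        echo /system
    else
        echo /
    fi
}

# is_readonly MOUNTPOINT: reads a /proc/mounts table from stdin; succeeds
# only if MOUNTPOINT is listed and its mount options include "ro".
is_readonly() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, opt, ","); for (i = 1; i <= n; i++) if (opt[i] == "ro") ok = 1 }
        END { exit !ok }'
}

# install_plan TARGET FW_SRC FW_DST UTIL_SRC UTIL_DST: prints the commands
# one per line instead of running them, so they can be reviewed and then
# fed to a root shell. Firmware gets 644 like the stock file, nexutil 755.
install_plan() {
    printf './busybox mount -o rw,remount,rw %s\n' "$1"
    printf 'cp %s %s\n' "$2" "$3"
    printf 'chmod 644 %s\n' "$3"
    printf 'cp %s %s\n' "$4" "$5"
    printf 'chmod 755 %s\n' "$5"
    printf './busybox mount -o ro,remount,ro %s\n' "$1"
}

# Demo on the constructed tables. On a device you would use
# `remount_target < /proc/mounts` and `is_readonly "$t" < /proc/mounts`.
for table in "$LEGACY_MOUNTS" "$SAR_MOUNTS"; do
    t=$(printf '%s\n' "$table" | remount_target)
    echo "# remount target: $t"
    install_plan "$t" /data/local/tmp/fw_bcmdhd.bin /system/vendor/firmware/fw_bcmdhd.bin \
                 /data/local/tmp/nexutil /system/bin/nexutil
    if printf '%s\n' "$table" | is_readonly "$t"; then
        echo "# $t is read-only"
    else
        echo "# WARNING: $t is still writable"
    fi
done
```

The read-only check is the part the thread's install() path skips after the remount: running `is_readonly "$t" < /proc/mounts` once the plan has executed catches a system partition accidentally left writable, which is the risk raised later in this issue.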

chrisk44 commented 4 years ago

Ok, so what you're telling me is that all I have to change to fix this is to change the command to remount / instead of /system?

sztihamer commented 4 years ago

That's what I understand from current behavior. What I wrote worked for me and I might even create a zip for myself that does the same thing. At least on this LineageOS 17.1 ROM on hammerhead.

I will quote topjohnwu's tweet again:

SYSTEM-AS-ROOT DEVICES WILL HAVE THE SYSTEM MOUNTED TO THE FOLDER "/" INSTEAD OF "/SYSTEM" STARTING FROM MAGISK V20.0

chrisk44 commented 4 years ago

Alright, give this a try. The changes have been pushed.

Hijacker-release-v1.5-beta.12.zip

sztihamer commented 4 years ago

For some reason it hangs as soon as I tap on Install when I try to install the firmware and management utility. Something is still not right.

chrisk44 commented 4 years ago

Give me a logcat, I can't work with "it hangs".

Edit: Also, give me the output of cat /proc/mounts ran as root.

sztihamer commented 4 years ago

logcat.log

mounts.txt

sztihamer commented 4 years ago

logcat.log

This might be a better one.

chrisk44 commented 4 years ago

Ah yeah my bad. That's what you get when you program something you can't quite test.

Hijacker-release-v1.5-beta.12.2.zip

sztihamer commented 4 years ago

An unknown error occurred.

logcat.log

chrisk44 commented 4 years ago

God dammit... ok third time's the charm..

Hijacker-release-v1.5-beta.12.3.zip

sztihamer commented 4 years ago

report.txt logcat.log

Unexpected Error with a restart/send via email button.

chrisk44 commented 4 years ago

:(

Hijacker-release-v1.5-beta.12.4.zip

sztihamer commented 4 years ago

I need to test this last one a bit more. It said it installed the firmware and utility but it didn't work straight away. I had to do it one more time. Reflash the same ROM to undo changes and trying again.

But here's logcat just in case. logcat.log

sztihamer commented 4 years ago

I think this is good now. Same kind of second result. I had to run Hijacker again to show SSIDs. Which is no big deal.

Edit: I can see /system is not remounted as read-only. This is extremely dangerous.

Edit 2: I might be wrong. Didn't see it mentioned in the logcat.

Edit 3: Nope. All good. Redid it again and went ahead and tried to copy nexutil into /system/bin and permission and Read-only file system

I have one question still. May I ask why fw_bcmdhd.bin is chmod 755? Is execute needed? I see -rwxr-xr-x instead of -rw-r--r-- (644) like stock firmware? For nexutil that's fine but is it necessary for firmware as well?

chrisk44 commented 4 years ago

The system is remounted as ro after the operation, but there are no messages in logcat because I assume that since the install() function passed the 'remount as rw' point, then I don't have to verify anything and print debugging messages.

I honestly can't remember why I put in 755 instead of 644. I don't even see any chmod operations in the nexmon install script here, it just copies the new firmware over the old one, which results in 600 permissions and it works fine. But now that I think about it, having exec permissions globally might be a bad idea. I'll make it 644.

Did you see any problems with this last apk?

sztihamer commented 4 years ago

If you mean Hijacker-release-v1.5-beta.12.4.zip then that was fine. It did what it was supposed to do and the end result was seeing SSIDs in Hijacker. This time I needed to reboot to make Hijacker work but that's not really a bug. It did copy the necessary tools.

But I might have found another bug. When I tap on watch for a 5GHz network it gives me the "Airodump is not running!" message.

chrisk44 commented 4 years ago

I made a few more changes, please test this and if all goes well I will upload it.

Hijacker-release-v1.5-beta.12.5.zip

The issue with the 5Ghz network probably has something to do with the channel not being read correctly by airodump-ng, so the resulting command might fail. As I can't replicate this right now, I can't investigate it further. Check the reading for the channel of the network you are trying to 'Watch', if it's something weird this might be the cause.

kimocoder commented 4 years ago

Tag @aircrack-ng for latest note

sztihamer commented 4 years ago

Tried the last build you uploaded. Installed the apk, reverted changes on the ROM I have by flashing over the same ROM in TWRP, booted back in, cleared storage & cache for Hijacker, ran it, agreed to things, tapped on install, management utility in /system/bin, install again. Closed Hijacker, reopened it and I can see networks on the list. As for tools, I don't know what versions they are and if they are updated or not. I didn't check those yet. But I did find the other issue here that's exactly like mine so I did not find anything new.

I guess it's fine now for others as well?

@kimocoder would updating aircrack-ng binary fix this issue? I do see this is quite old. https://github.com/chrisk44/Hijacker/blob/master/app/src/main/assets/aircrack-ng

Edit: Changelog looks promising for aircrack-ng. Mainly the PMKID stuff. Another feature I'd like to see in Hijacker one day. But there's a separate issue opened for that as well.

aircrack-ng commented 4 years ago

I remember an old bug in airodump-ng where it couldn't get the channel correctly, and I know this has been fixed. There also has been a release recently, which includes the fix for sure.

Without having the output, it's hard to know what is wrong; even just getting the CSV (or PCAP) file would help.

sztihamer commented 4 years ago

@aircrack-ng Thank you for confirming. I checked and Hijacker has 1.2 rc4. Very outdated. This is our only issue probably. First I would try updating it and see if the issue is resolved.

chrisk44 commented 4 years ago

I am aware that the binaries are old. I had trouble compiling them by myself for arm as PIEs, so I used these, if I remember correctly I got them from nexmon.

aircrack-ng commented 4 years ago

I can try compiling new binaries if you'd like. Let me know what cross compiler, and what parameters I need.

chrisk44 commented 4 years ago

That would be awesome, thank you. The binaries I'm using are built from here, they were built with NDK for Android, which I'm not very familiar with. @sztihamer is right, they are version 1.2-rc4. Perhaps you could start there?

kimocoder commented 4 years ago

The main source for the binaries, mostly used in Android projects, is the one below

https://github.com/kriswebdev/android_aircrack

As @chrisk44 says above, it's also used in the Nexmon repo.

However, there are newer binaries available too already, take a look in the commits on top below

https://github.com/TheMMcOfficial/nexmon/commits/master

armv8 support commit is also there