deviato / DroidPPPwn

PPPwn_cpp for Android + App Frontend [needs rooted device]

Android X86 device is not identified properly #24

Closed Invictaz closed 5 months ago

Invictaz commented 5 months ago

On version 1.1 I compiled the Android X86 build within Termux. Now I have updated to version 1.2.

DroidPPPwn says my device is ARMv7l, which it is not (it's Android X86). Maybe because of libhoudini it thinks it's ARM, but it's not, resulting in the

pppwn: not executable: 32 bit elf file.

I thought this can be solved by manually renaming the droidpppwn-1.2-debug.apk to zip and extracting the pppwn library (since it is now compiled with Android NDK) but sadly this is not an option as it produces lib86.so.

Deleting the libv7a.so and libv8a.so from /data/data/it.deviato.droidpppwn/lib/ doesn't help either.

The app still shows as armv7l.

Remember that the pppwn executable for Android X86 is 12 MB. The one in the app is 1 MB.

I did overwrite the pppwn executable with my own (compiled in termux) and now v1.1 is working somewhat but the result is not as clean as your new compilation which includes the latest improvements by Xfangfang.

Please help. Device is GT-P5210 Samsung Tab 3 10.1

deviato commented 5 months ago

Uninstall and reinstall the app. Then go from root to /data/data/it.deviato.droidpppwn/lib/ and run this command:

unzip libx86.so

The three files are fake libs to trick the install system. libv7a is for 32bit arm, libv8a for 64bit arm, x86 you know.

deviato commented 5 months ago

Can you tell me the output of cat /proc/cpuinfo and uname -a from a root shell?

Invictaz commented 5 months ago

> Can you tell me the output of cat /proc/cpuinfo and uname -a from a root shell?

~ $ cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 53
model name      : Intel(R) Atom(TM) CPU Z2560  @ 1.60GHz
stepping        : 1
microcode       : 0x10e
cpu MHz         : 933.000
cache size      : 512 KB
physical id     : 0
siblings        : 4
core id         : 0
cpu cores       : 2
apicid          : 0
initial apicid  : 0
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc arch_perfmon pebs bts nonstop_tsc aperfmperf nonstop_tsc_s3 pni dtes64 monitor ds_cpl vmx est tm2 ssse3 xtpr pdcm movbe lahf_lm arat dtherm tpr_shadow vnmi flexpriority
bogomips        : 3194.88
clflush size    : 64
cache_alignment : 64
address sizes   : 32 bits physical, 32 bits virtual
power management:
Serial          : 0000

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 53
model name      : Intel(R) Atom(TM) CPU Z2560  @ 1.60GHz
stepping        : 1
microcode       : 0x10e
cpu MHz         : 933.000
cache size      : 512 KB
physical id     : 0
siblings        : 4
core id         : 0
cpu cores       : 2
apicid          : 1
initial apicid  : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc arch_perfmon pebs bts nonstop_tsc aperfmperf nonstop_tsc_s3 pni dtes64 monitor ds_cpl vmx est tm2 ssse3 xtpr pdcm movbe lahf_lm arat dtherm tpr_shadow vnmi flexpriority
bogomips        : 3194.88
clflush size    : 64
cache_alignment : 64
address sizes   : 32 bits physical, 32 bits virtual
power management:
Serial          : 0000

processor       : 2
vendor_id       : GenuineIntel
cpu family      : 6
model           : 53
model name      : Intel(R) Atom(TM) CPU Z2560  @ 1.60GHz
stepping        : 1
microcode       : 0x10e
cpu MHz         : 933.000
cache size      : 512 KB
physical id     : 0
siblings        : 4
core id         : 1
cpu cores       : 2
apicid          : 2
initial apicid  : 2
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc arch_perfmon pebs bts nonstop_tsc aperfmperf nonstop_tsc_s3 pni dtes64 monitor ds_cpl vmx est tm2 ssse3 xtpr pdcm movbe lahf_lm arat dtherm tpr_shadow vnmi flexpriority
bogomips        : 3194.88
clflush size    : 64
cache_alignment : 64
address sizes   : 32 bits physical, 32 bits virtual
power management:
Serial          : 0000

processor       : 3
vendor_id       : GenuineIntel
cpu family      : 6
model           : 53
model name      : Intel(R) Atom(TM) CPU Z2560  @ 1.60GHz
stepping        : 1
microcode       : 0x10e
cpu MHz         : 933.000
cache size      : 512 KB
physical id     : 0
siblings        : 4
core id         : 1
cpu cores       : 2
apicid          : 3
initial apicid  : 3
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc arch_perfmon pebs bts nonstop_tsc aperfmperf nonstop_tsc_s3 pni dtes64 monitor ds_cpl vmx est tm2 ssse3 xtpr pdcm movbe lahf_lm arat dtherm tpr_shadow vnmi flexpriority
bogomips        : 3194.88
clflush size    : 64
cache_alignment : 64
address sizes   : 32 bits physical, 32 bits virtual
power management:
Serial          : 0000

Invictaz commented 5 months ago

$ uname -a
Linux localhost 3.4.34-lineage-01554-g634d982 #1 SMP PREEMPT Mon Apr 8 10:30:16 UTC 2019 i686 Android
~ $
Invictaz commented 5 months ago

I did the unzip libx86.so In the top right corner there is still armv7l.

The unzipped droidpppwn file is not cleaned up. Normally you have to run "termux-elf-cleaner" to remove the DT_FLAGS_1=0x8000001, because for now it is compiled with the Android NDK. I'm not familiar with it; you might have to adjust the compilation?

deviato commented 5 months ago

Definitely an x86. Maybe something wrong in Lineage. I get the arch from System.getProperty("os.arch"). For the DT_FLAGS warning it's ok, it should work. You can clean with termux-elf-cleaner if you want, but it's not unaligned. But for me now it's more important to recognize the system. Can you try this pre-release, just to know what it shows? I'm trying a different function to get the arch; don't bother if it works or not.

app-debug.zip

Invictaz commented 5 months ago

Sadly it is even weirder now. Seems to detect all 3 architectures?

Invictaz commented 5 months ago

Screenshot_20240604-011232

deviato commented 5 months ago

I'll try another way.. please tell me the output of:

getprop ro.product.cpu.abi
getprop ro.product.cpu.abilist


Invictaz commented 5 months ago

Screenshot_20240604-015149

deviato commented 5 months ago

Thanks, cpu.abi should be fine. It's absurd that the same parameter, called via the official API, returns the wrong value.

Invictaz commented 5 months ago

This might be because of Libhoudini, the ARM-to-x86 emulator? It is built into this custom ROM.

I'm running version 6 which is quite old. Some people in the LineageOS community advise to upgrade it but it is unstable and untested.

deviato commented 5 months ago

> This might be because of Libhoudini, the ARM-to-x86 emulator? It is built into this custom ROM.
>
> I'm running version 6 which is quite old. Some people in the LineageOS community advise to upgrade it but it is unstable and untested.

No, I don't think so. Other users are reporting similar issues, it's due to poor Android api implementation.

deviato commented 5 months ago

Please try this new version and tell me if it works: DroidPPPwn-1.2.1-debugnew.zip

Invictaz commented 5 months ago

Screenshot_20240604-211234 Screenshot_20240604-211217 Screenshot_20240604-210929

It seems to work and displays the x86 sign in the top right corner.

There is a big warning on the specific libraries. Does this impact performance? These warnings were also present on v1.0, so they're not new, but I forgot to report them.

The libx86.so is now installed on your v1.21

There is a new warning for a

`Unable to normalize """

This is different from the DT Flags warning.

deviato commented 5 months ago

Yes, the last one was a little mistake in passing LD_LIBRARY_PATH, which I fixed in the official release 1.2.1. Please check that, hoping you won't see the big warning anymore either.

Invictaz commented 5 months ago

Screenshot_20240604-212627 Screenshot_20240604-212559

This is with the final 1.2.1

Is it possible to get rid of the text relocation warnings?

deviato commented 5 months ago

Never seen that error. Searching the web I only found this: https://android.googlesource.com/platform/bionic/+/89fa81f/android-changes-for-ndk-developers.md I tried what it says:

readelf -r pppwn

There are no text relocations in this file.

And further reading, they say this happens on shared builds, but this is a static build.

deviato commented 5 months ago

I've found another page where they say to compile with -fPIC option. Try replacing pppwn in the usual folder with that in this archive: pppwn.zip

Invictaz commented 5 months ago

What is shared and what is static?

deviato commented 5 months ago

> What is shared and what is static?

It's about compilation: when linking objects/libraries, if you link shared you do not include the library in the binary, but only a reference (the normal behaviour on a single system). When linking static, all the code is built inside the "monolithic" binary. It's bigger but has more compatibility because it doesn't need the same library on a different system.

When you compile with Termux it's shared by default (unless you tell the compiler otherwise), so it works for sure on your system, but probably not on another.
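The two checks this thread keeps circling back to (does the shipped pppwn binary match the ABI the device actually reports, and does it carry the text relocations or the DT_FLAGS_1 entry the bionic linker warns about) can be done on the file itself rather than by trusting os.arch. The following is an added example, not DroidPPPwn's code or the app's detection logic: it parses the ELF header, program headers and dynamic section directly, then compares the binary's ABI with the string you would get from `getprop ro.product.cpu.abi`. The ELF constants are from the ELF specification; the sample image built by `build_sample_elf` is constructed for the demo and is not a real pppwn build.

```python
"""Added example (not DroidPPPwn's code): inspect an ELF the way the checks in
this thread do. Reports ABI, 32/64-bit, static vs dynamic, text relocations and
DT_FLAGS_1, then compares the binary's ABI with what the device reports."""
import struct
from dataclasses import dataclass

# e_machine -> Android ABI name (values from the ELF specification)
MACHINES = {0x03: "x86", 0x3E: "x86_64", 0x28: "armeabi-v7a", 0xB7: "arm64-v8a"}
ET_EXEC, ET_DYN, PT_DYNAMIC = 2, 3, 2
DT_NULL, DT_TEXTREL, DT_FLAGS, DT_FLAGS_1 = 0, 22, 30, 0x6FFFFFFB
DF_TEXTREL, DF_1_NOW, DF_1_PIE = 0x4, 0x1, 0x08000000


@dataclass
class ElfInfo:
    bits: int        # 32 or 64
    abi: str         # Android ABI name, or "unknown(0x..)"
    dynamic: bool    # has a PT_DYNAMIC segment, i.e. needs the dynamic linker
    et_dyn: bool     # ET_DYN: PIE executable or shared object
    textrel: bool    # DT_TEXTREL present, or DF_TEXTREL set in DT_FLAGS
    flags_1: int     # raw DT_FLAGS_1 value (0 if absent)


def inspect_elf(data: bytes) -> ElfInfo:
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = 32 if data[4] == 1 else 64          # EI_CLASS
    end = "<" if data[5] == 1 else ">"         # EI_DATA (endianness)
    hdr_fmt = "HHIIIIIHHH" if bits == 32 else "HHIQQQIHHH"
    e_type, e_machine, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from(end + hdr_fmt, data, 16)

    # Find PT_DYNAMIC via the program headers, as the loader does (no section headers needed).
    dyn_off = dyn_size = None
    for i in range(phnum):
        off = phoff + i * phentsize
        if bits == 32:
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIIII", data, off)
        else:
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, off)
        if p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
            break

    textrel, flags_1 = False, 0
    if dyn_off is not None:
        ent_fmt = end + ("iI" if bits == 32 else "qQ")   # d_tag, d_val
        step = struct.calcsize(ent_fmt)
        for off in range(dyn_off, dyn_off + dyn_size, step):
            tag, val = struct.unpack_from(ent_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                textrel = True
            elif tag == DT_FLAGS_1:
                flags_1 = val

    return ElfInfo(bits, MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"),
                   dyn_off is not None, e_type == ET_DYN, textrel, flags_1)


def check_for_device(info: ElfInfo, device_abi: str) -> list:
    """device_abi is what `getprop ro.product.cpu.abi` returns on the target, e.g. "x86"."""
    findings = []
    if info.abi != device_abi:
        findings.append(f"ABI mismatch: binary is {info.abi} ({info.bits}-bit), device is {device_abi}; exec will fail")
    if info.textrel:
        findings.append("text relocations present: bionic logs 'has text relocations' and rejects them in shared libraries on API 23+")
    if info.flags_1:
        findings.append(f"DT_FLAGS_1=0x{info.flags_1:x}: older bionic linkers log 'unused DT entry' for it; termux-elf-cleaner removes it")
    return findings


def build_sample_elf(machine: int, dyn_entries=None) -> bytes:
    """Constructed sample for the demo: a minimal ELF32 little-endian image with an
    optional PT_DYNAMIC segment. Not loadable; it only has the headers inspect_elf reads."""
    ehsize, phentsize = 52, 32
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, LE, EV_CURRENT, SYSV ABI
    if dyn_entries is None:   # static, non-PIE: no program headers at all
        return ident + struct.pack("<HHIIIIIHHHHHH", ET_EXEC, machine, 1, 0, 0, 0, 0, ehsize, phentsize, 0, 40, 0, 0)
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_entries) + struct.pack("<iI", DT_NULL, 0)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", ET_DYN, machine, 1, 0, ehsize, 0, 0, ehsize, phentsize, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_DYNAMIC, ehsize + phentsize, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    # An NDK-style x86 PIE carrying DT_FLAGS_1=0x8000001 (NOW|PIE) and text relocations,
    # checked against an x86 device and against an armeabi-v7a one.
    sample = build_sample_elf(0x03, [(DT_FLAGS_1, DF_1_NOW | DF_1_PIE), (DT_TEXTREL, 0)])
    for abi in ("x86", "armeabi-v7a"):
        print(abi, check_for_device(inspect_elf(sample), abi))
```

To check a real binary, pass `open("pppwn", "rb").read()` to `inspect_elf` and the output of `getprop ro.product.cpu.abi` to `check_for_device`; a static build shows `dynamic=False` and can have no DT_TEXTREL, which is why a `readelf -r` on such a file finds nothing and the "has text relocations" lines in the logcat above have to come from the vendor libraries the linker names.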

Invictaz commented 5 months ago

Sadly it did not solve the error

deviato commented 5 months ago

At this point I'm thinking that the libhoudini you mentioned earlier is doing something... other users didn't have the problem. I also tested on my androidx86 PC. Maybe the shared build is better for you?

Invictaz commented 5 months ago

If you can upload it I can try.

deviato commented 5 months ago

Here it is pppwn-shared.zip

Invictaz commented 5 months ago

https://stackoverflow.com/questions/32346402/libavcodec-so-has-text-relocations

https://slowbutdeadly.blogspot.com/2015/09/javalangunsatisfiedlinkerror-dlopen.html?m=1

TargetSDK seems to be the problem. Android does some checks. The Android version I'm running is 7.0 which is API level 24.

I will check your build.

deviato commented 5 months ago

I set the minimum required at 21, it's below yours so it's not the problem. Moreover it's the same of the previous builds. The only thing I changed is static vs shared build.

Invictaz commented 5 months ago

This is some info on logcat

06-04 22:17:03.425 I/ActivityManager( 2375): Start proc 27581:it.deviato.droidpppwn/u0a116 for activity it.deviato.droidpppwn/.MainActivity
06-04 22:17:03.437 I/art     (27581): Late-enabling -Xcheck:jni
06-04 22:17:03.455 E/IMGSRV  ( 2093): :0: PVRDRMOpen: TP3, ret = 41
06-04 22:17:03.469 D/houdini (27581): [27581] Initialize library(version: 6.1.2d_x.48748 RELEASE)... successfully.
06-04 22:17:03.538 D/ZenLog  ( 2375): intercepted: 0|android|17039403|null|1000,alarmsOnly
06-04 22:17:03.540 V/NotificationService( 2375): pkg=android canInterrupt=false intercept=true
06-04 22:17:03.966 D/AppCompatDelegate(27581): Checking for metadata for AppLocalesMetadataHolderService : Service not found
06-04 22:17:04.023 W/art     (27581): Before Android 4.1, method android.graphics.PorterDuffColorFilter androidx.vectordrawable.graphics.drawable.VectorDrawableCompat.updateTintFilter(android.graphics.PorterDuffColorFilter, android.content.res.ColorStateList, android.graphics.PorterDuff$Mode) would have incorrectly overridden the package-private method in android.graphics.drawable.Drawable
06-04 22:17:04.548 W/linker  (27581): /system/vendor/lib/hw/gralloc.clovertrail.so: unused DT entry: type 0xf arg 0x62a
06-04 22:17:04.548 W/linker  (27581): /system/vendor/lib/libpvr2d.so: unused DT entry: type 0xf arg 0x79b
06-04 22:17:04.548 W/linker  (27581): /system/vendor/lib/hw/gralloc.clovertrail.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
06-04 22:17:04.549 W/linker  (27581): /system/vendor/lib/libpvr2d.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
06-04 22:17:04.550 E/IMGSRV  (27581): :0: PVRDRMOpen: TP3, ret = 40
06-04 22:17:04.550 E/IMGSRV  (27581): :0: PVRDRMOpen: TP3, ret = 41
06-04 22:17:04.550 E/IMGSRV  (27581): :0: PVRDRMOpen: TP3, ret = 41
06-04 22:17:04.550 E/IMGSRV  (27581): :0: PVRDRMOpen: TP3, ret = 41
06-04 22:17:04.554 E/IMGSRV  (27581): :0: PVRDRMOpen: TP3, ret = 43
06-04 22:17:04.574 I/Choreographer(27581): Skipped 44 frames!  The application may be doing too much work on its main thread.
06-04 22:17:04.622 E/IMGSRV  (27581): :0: PVRDRMOpen: TP3, ret = 38
06-04 22:17:04.623 E/IMGSRV  ( 2093): :0: PVRDRMOpen: TP3, ret = 52
06-04 22:17:04.627 E/IMGSRV  ( 2093): :0: PVRDRMOpen: TP3, ret = 79
06-04 22:17:04.629 E/IMGSRV  ( 2093): :0: PVRDRMOpen: TP3, ret = 80
06-04 22:17:04.629 I/OpenGLRenderer(27581): Initialized EGL, version 1.4
06-04 22:17:04.629 D/OpenGLRenderer(27581): Swap behavior 1
06-04 22:17:04.629 W/OpenGLRenderer(27581): Failed to choose config with EGL_SWAP_BEHAVIOR_PRESERVED, retrying without...
06-04 22:17:04.629 D/OpenGLRenderer(27581): Swap behavior 0
06-04 22:17:04.634 W/linker  (27581): /system/vendor/lib/libPVROCL.so: unused DT entry: type 0xf arg 0x9fd
06-04 22:17:04.634 W/linker  (27581): /system/vendor/lib/libPVROCL.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
06-04 22:17:04.723 E/IMGSRV  ( 2093): :0: PVRDRMOpen: TP3, ret = 51
06-04 22:17:04.736 E/IMGSRV  ( 2093): :0: PVRDRMOpen: TP3, ret = 90
Invictaz commented 5 months ago

https://stackoverflow.com/questions/33206409/unused-dt-entry-type-0x1d-arg

deviato commented 5 months ago

Is it working with latest binary?

Invictaz commented 5 months ago

The shared binary gives the same text relocation errors which I displayed in the logcat above in detail

deviato commented 5 months ago

In this line /system/vendor/lib/libPVROCL.so has text relocations. This is wasting memory and prevents security hardening. Please fix.

That file is not related to my application, but is part of the operating system. Maybe something wrong in your rom. Why don't you try a cleaner one?

deviato commented 5 months ago

However... in the worst case, you can always replace the binary with the cross-compiled one that was working, or with the version you compiled with Termux, remembering to also put the other 2 libraries, libpcap.so.1 and libstdc++..., in the same folder.
