offensive-security / kali-nethunter

The Kali NetHunter Project
https://github.com/offensive-security/kali-nethunter/wiki

Bad Usb Reboots Phone #628

Closed ozsteyr closed 5 years ago

ozsteyr commented 8 years ago

Device:

Oneplus 3

OS version (KitKat/Lollipop/Marshmallow/Nougat):

Marshmallow OOS 3.2.7 + 3.2.4

Built from repo (date and build command) or downloaded from website (links):

Repo

Output of cat /proc/version in adb shell or NetHunter Terminal:

Linux version 3.18.20-ElementalX-OP3-0.22 (root@nh-buildbox) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #3 SMP PREEMPT Wed Sep 28 00:02:55 UTC 2016

Issue:

When I start badusb my phone reboots. There seems to be no rndis0. If I use USB tether in settings, rndis0 appears but disappears when stopping the tether. Phone still restarts when I use badusb with the rndis0 interface up, just wanted to mention it. On my OP2 rndis0 shows under NH app network interfaces upon phone start without need of other input.

ozsteyr commented 8 years ago

Not sure if this helps but, I tried a non-NH ElementalX .025 kernel and BadUSB works as it should.

alcomic commented 8 years ago

Yes, I have this trouble too, but I don't use badusb yet

ozsteyr commented 8 years ago

By choosing rndis0 as a USB config in dev options and using ifconfig, I can get rndis0 up without using the USB tether switch, but badusb in the NH app still restarts the phone.

ozsteyr commented 8 years ago

I admit I know next to nothing about kernels and such, but because BADUSB worked with one kernel and not the other, could someone explain how to compare the two? Maybe I could try and find the issue.

Thanks

PaElodar commented 8 years ago

I too have this problem. It's good to see the devs actively trying to help (NOT). I get that they're busy and no doubt doing this for free, but come on, 20 days without so much as a reply? It looks as though at least one user wants to try and get it fixed but is not even given pointers to do it themselves. There are now three reported users with the same issue, could someone please look into this.

binkybear commented 8 years ago

@PaElodar - You are welcome to provide a logcat or last_kmsg when it's rebooting. I don't have a OnePlus3, which I've stated before. I can't recreate this issue, therefore I can only guess at solutions to fix this issue.

The OnePlus3 is a new device and each device has its own kernel and its own problems. None of the devs own the OnePlus3. So please, provide some type of log or offer a fix because I know as much as everyone else here in regards to the problem.

PaElodar commented 8 years ago

Thank you very much for the reply. cat /proc/last_kmsg: no such file or directory. cat /proc/kmsg is OK, just not sure what I'm looking for.

binkybear commented 8 years ago

A /proc/last_kmsg will generate after a "kernel oops." After the phone reboots you would have to check. Also, a logcat running when the error occurs might help if it's software related.

PaElodar commented 8 years ago

last_kmsg still says no such file or directory. So I took a kmsg before and after the BADUSB reboot. I hope this is somewhat helpful.

BEFORE http://pastebin.com/E4u7ivQr

AFTER http://pastebin.com/DtWNiSn9

ozsteyr commented 8 years ago

So if last_kmsg doesn't exist, does this mean it's not a kernel oops? Also I tried mubix lock and this too reboots the phone. There is certainly something going on with using the rndis0 interface which didn't happen with the non-NH kernel. What other logs would be helpful? Please, I don't like to be a nag, but if somebody could please tell me some things to do that might help I would be so very grateful.

binkybear commented 8 years ago

@ozsteyr - The mubixlock and badusb use the same type of script to set the usb device to rndis. It is possible to try parts of the script manually to see where it might lock up for you. My guess would be it might lock when trying to set rndis0.

ozsteyr commented 8 years ago

Thanks for the help. I did as you suggested and when I navigated to /sys/devices/virtual/android_usb/android0/functions the phone rebooted. Just trying to open the file reboots. This is at the beginning of both scripts, so I gather this is at least part of the problem? How do I go about fixing it? Thanks

binkybear commented 8 years ago

Looking through the source code it appears that I need to set an option in OnePlus 3 defconfig:

https://github.com/OnePlusOSS/android_kernel_oneplus_msm8996/blob/5ac8dc344aa5242cadae5f8010497e6b2869575c/drivers/usb/gadget/configfs.c#L1700

I believe the option is located here in defconfig:

https://github.com/binkybear/android_kernel_oneplus_msm8996/blob/ElementalX/arch/arm64/configs/kali_defconfig#L3362

Will post updated kernel

ozsteyr commented 8 years ago

Cheers Binky

binkybear commented 8 years ago

Did not mean to close this. Pushed updated kernel. Please test when you have time.

ozsteyr commented 8 years ago

Built new kernel using ./bootstrap.sh, update, python build.py -d oneplus3 -k -m, which produced kernel-nethunter-oneplus3-marshmallow-20161119_044014.zip.

    Linux version 3.18.20-ElementalX-OP3-0.15 (root@nh-buildbox) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #2 SMP PREEMPT Fri Nov 18 17:41:31 CST 2016

Problem still persists both using scripts and the function file.

binkybear commented 8 years ago

@ozsteyr - Can you also do a

    ls /sys/devices/virtual/android_usb/android0/

ozsteyr commented 8 years ago

    root@kali:~# ls /sys/devices/virtual/android_usb/android0/
    bDeviceClass  bDeviceProtocol  bDeviceSubClass  bcdDevice  down_pm_qos_sample_sec
    down_pm_qos_threshold  enable  f_accessory  f_acm  f_audio  f_audio_source  f_ccid
    f_charging  f_diag  f_ecm  f_ecm_qc  f_ffs  f_gps  f_hid  f_mass_storage  f_midi
    f_mtp  f_ncm  f_ptp  f_qdss  f_rmnet  f_rndis  f_rndis_qc  f_serial  f_usb_mbim
    functions  iManufacturer  iProduct  iSerial  idProduct  idVendor  idle_pc_rpm_no_int_secs
    pm_qos  pm_qos_state  power  remote_wakeup  state  subsystem  uevent
    up_pm_qos_sample_sec  up_pm_qos_threshold

binkybear commented 8 years ago

@ozsteyr - Yes please. Also a

    cat /sys/devices/virtual/android_usb/android0/functions

ozsteyr commented 8 years ago

cat /sys/devices/virtual/android_usb/android0/functions reboots the phone

binkybear commented 8 years ago

Was there anything from ls?

ozsteyr commented 8 years ago

Posted it

jcadduono commented 7 years ago

https://github.com/binkybear/android_kernel_oneplus_msm8996/blob/ElementalX/drivers/usb/gadget/android.c#L3395 shouldn't be there

https://github.com/binkybear/android_kernel_oneplus_msm8996/blob/ElementalX/drivers/usb/gadget/android.c#L3505 shouldn't be there either

add:


    /* enable HID only while conf is still a valid configuration */
    name = "hid";
    if (conf) {
        err = android_enable_function(dev, conf, name);
        if (err)
            pr_err("android_usb: Cannot enable '%s' (%d)", name, err);
    } else {
        pr_err("android_usb: Cannot enable '%s' (conf = 0)", name);
    }

here: https://github.com/binkybear/android_kernel_oneplus_msm8996/blob/ElementalX/drivers/usb/gadget/android.c#L3495

Both previous references call enable after conf is freed; that would probably cause null pointer exceptions.
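As an added illustration of the ordering problem described in the comment above (not code from the NetHunter kernel or from anyone in this thread), the following constructed C model enables gadget functions only while the configuration is still allocated, so an enable or a read of the functions list after the config has been freed returns an error instead of dereferencing a null pointer. The struct and function names are assumptions that mirror the posted snippet.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed userspace model (not the kernel code) of the gadget enable path
 * this thread discusses: every enable must check that conf is still alive. */
#define MAX_FUNCS 8

struct android_configuration {
    const char *enabled[MAX_FUNCS];
    int count;
};

struct android_dev {
    struct android_configuration *conf; /* NULL once the config is freed */
};

/* Same guard as the posted snippet: refuse to enable when conf is gone. */
static int android_enable_function(struct android_dev *dev,
                                   struct android_configuration *conf,
                                   const char *name)
{
    if (!dev || !conf) {
        fprintf(stderr, "android_usb: Cannot enable '%s' (conf = 0)\n", name);
        return -ENODEV;
    }
    if (conf->count >= MAX_FUNCS)
        return -ENOMEM;
    conf->enabled[conf->count++] = name;
    return 0;
}

/* Stand-in for reading .../android0/functions: enabled names, comma-joined. */
static int functions_show(const struct android_dev *dev, char *buf, size_t len)
{
    if (!dev->conf)
        return -ENODEV;
    buf[0] = '\0';
    for (int i = 0; i < dev->conf->count; i++) {
        if (i) strncat(buf, ",", len - strlen(buf) - 1);
        strncat(buf, dev->conf->enabled[i], len - strlen(buf) - 1);
    }
    return (int)strlen(buf);
}

/* Free the config and clear the pointer so later enables see conf = 0. */
static void android_free_config(struct android_dev *dev)
{
    free(dev->conf);
    dev->conf = NULL;
}
```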

binkybear commented 7 years ago

Implemented jcad's suggested fix. Uploaded to nethunter-devices. Please try again when you have time.

ozsteyr commented 7 years ago

Now we're getting somewhere! Phone no longer reboots when using BADUSB or mubix-lock. Although neither seem to work.

ozsteyr commented 7 years ago

Thank you both so much for your help and time

binkybear commented 7 years ago

So rndis0 still isn't working? HID is ok?

ozsteyr commented 7 years ago

HID is fine, haven't had trouble with it yet. BADUSB and mubix-lock both start without errors that I can see, but with Badusb, using tcpdump -vv, there is no traffic, and mubix lock says to type screen -r but there are none.

binkybear commented 7 years ago

@ozsteyr - Do you see an rndis0 interface with ip? (ifconfig)

ozsteyr commented 7 years ago

Yes, and there is now traffic via tcpdump, not sure about before. Rndis0 seems good

binkybear commented 7 years ago

I've updated kernel with jcad's full HID patch and possible Drivedroid patch. I've uploaded here for now but it should be on build.nethunter eventually:

https://transfer.sh/oqTJE/kernel-nethunter-oneplus3-marshmallow-20161121-234857.zip

ozsteyr commented 7 years ago

Wasn't sure about drivedroid. It wasn't working a few months ago, but now the drivedroid free that is included in NH works as cdrom, but nothing with drivedroid paid.

jcadduono commented 7 years ago

Join the drivedroid beta program and then you will get a beta page on the Play Store where you can download newer drivedroid paid versions... I don't know why he is doing it that way, but yeah, the drivedroid paid on the Play Store (non-beta) currently is ancient

ozsteyr commented 7 years ago

@jcad Thanks, had no idea.

futurelighthouse commented 7 years ago

oneplus2 has the same problem, can you share a patch?