Archive for January, 2016

Access a Samsung phone with hardware issues

Monday, January 18th, 2016

So recently I fiddled with a broken partition table in a somewhat working Samsung Galaxy S3 Mini.

Now imagine the phone looks like this:

[image: broken_mini]

Dropped like it's hot, landed flat on the screen. But of course it contains very important pictures, with no backup anywhere else. For the fun of it, let's assume the power button is broken as well.

Software configuration: stock ROM, stock bootloader, stock recovery. ADB disabled.

With a combination of the following steps, it should be possible to get access to the internal memory and back up the important data via ADB.

USB Jig
A custom recovery image like TWRP enables ADB access, so by flashing TWRP we get root access to the phone and can back up the data. For flashing the recovery you need either Heimdall or Odin and the images; all are linked in my previous post. Note what this implies: on a phone without data encryption, download mode plus a custom recovery hands the contents of /data to anyone with physical access, lock screen or not.

Normally you can get any turned-off Samsung phone into download mode (also called Odin mode) by pressing VOLUME DOWN + HOME + POWER.

Now if some button is not working, this is a little trickier. The trick is either a tool called Samsung 300K (software) or a little piece of hardware, the USB jig. Since the tool is Windows-only and didn't work for me, I had to go the hardware way.

There are multiple videos on YouTube that describe how to modify a USB connector.

If you have a "power only" micro-USB cable that you can spare, things are a bit easier. These most likely already feature a resistor of around 200kOhm, so when you connect the cable only to your phone (USB end loose) the phone will boot up. Unfortunately, with the resistor at 200kOhm, it performs a normal boot.

So cut off the wire near the connector and carefully pry the connector open on its side with a sharp knife.

[image: connector_01]

The rubber sides now should be removable, careful not to rip any of the small cables or connectors inside.

[image: connector_02]

[image: connector_03]

Now, depending on whether your connector already features a resistor, you either add a resistor in series (one after the other) or add a new resistor, so that the total equals 300kOhm (the nominal Samsung download-mode value is 301kOhm, which ordinary resistor tolerances cover). Since my connector came equipped with 200kOhm, I just added another 100kOhm and soldered it in between.

[image: connector_04]

On the micro-USB B connector, pin 4 (ID) and pin 5 (GND) should be connected via the 300kOhm; the phone measures the resistance between ID and ground to pick the boot mode.

When inserting the connector into the phone, it should vibrate (if the vibrator still works) and boot into download mode. Now connect a working data cable and use Heimdall or Odin to flash TWRP, which comes with ADB enabled.

Look Ma, no power button!
But with the power button not working, how can one boot the phone (hopefully into recovery)?

You could try to clean or fix the button.

If that doesn't work, there are multiple different approaches; while the ones from the videos did not work, the one in the comments worked for me:

  1. Remove the battery and the power cable.
  2. Insert the battery, then insert the power cable.
  3. Wait until you see the first battery logo, then the second battery logo with animation.
  4. Wait again until the screen goes completely black (power saving).
  5. Remove the battery, reinsert it, and take off the USB cable (quickly!).

Unfortunately, there seem to be some phones which cannot be booted into recovery by holding the buttons while plugging the cable in, or which don't boot into recovery after flashing from download mode. In this case you can flash the recovery image into the boot partition instead, i.e. the partition that normally holds the Android kernel and ramdisk (for Odin, rename recovery.img to boot.img so it lands there; with Heimdall pick the partition explicitly: on the GT-I8190 PIT the boot image lives in "Kernel" and the recovery in "Kernel2"). The phone then no longer boots Android but goes straight into the recovery with ADB enabled. Do not confuse this with the actual bootloader partitions: overwriting those bricks the phone.

Once all data is retrieved, the boot partition has to get a proper boot image again. It must match the installed Android system (kernel and ROM belong together), so one might as well wipe everything and start from scratch.

OpenWRT as internet filter for e.g. kids

Monday, January 18th, 2016

The internet is for porn.

Therefore, when some content should be blocked from somebody (e.g. kids), an internet filter is required. Of course, primarily this should be handled by talking to the kids and by trust! And I'm not promoting monitoring!

A technical filter solution can be implemented with OpenWRT (15.05 and up). It is an open Linux platform for various WLAN routers, e.g. the TP-Link WR841ND or its bigger brother TP-Link WR1043ND (moar power!).

After following the wiki pages on where to download and how to install the firmware, OpenWRT boots on the router. On first access, the web interface asks for a password to be set. Do this before plugging the WAN port into anything: until a root password is set, 15.05 still offers a passwordless telnet login. After setting the password, one can configure the device via SSH as user "root".

In the default configuration, the LAN ports and the WLAN are put together into a virtual network called "lan". The WAN port represents another network called "wan". The internet filter will be set up between those two, so that every packet from "lan" is checked against a set of criteria and then allowed (or not) to go into "wan". For this to work, the WAN port is connected to the home network with internet access, and the to-be-filtered clients connect via this router's WLAN or LAN ports. The filter only covers what passes through this router, so the clients must not know the passphrase of the upstream home WLAN.

First step after connecting via SSH is to install the required software (note: the flash of the WR841ND will be pretty full afterwards, so if you want to install more software, get a bigger model or do some USB tricks, i.e. extroot):

# opkg update && opkg install ipset tinyproxy

Tinyproxy is used to allow access to some defined HTTP sites. It has to be enabled: change /etc/config/tinyproxy to contain option enabled 1 and start it via /etc/init.d/tinyproxy start.

Next is the firewall. I am sticking to the configuration via /etc/config/firewall, although iptables could be used directly. This has the advantage that the web interface can be used as well to change the rules.

The order of the rules is important: each packet is checked against the rules from top to bottom until one matches. See the attached file for reference. Some pieces are explained in more detail now.

To turn off the internet at certain times:

config rule
        option name             'time based morning'
        option src              'lan'
        option dest             'wan'
        option start_time       '00:00'
        option stop_time        '07:00'
        option weekdays         'mon tue wed thu fri'
        option proto            'all'
        option extra            '--kerneltz'
        option target           'REJECT'
        option enabled          '1'

config rule
        option name             'time based evening'
        option src              'lan'
        option dest             'wan'
        option start_time       '21:00'
        option stop_time        '00:00'
        option weekdays         'mon tue wed thu sun'
        option proto            'all'
        option extra            '--kerneltz'
        option target           'REJECT'
        option enabled          '1'

The option "--kerneltz" makes the time match use the kernel timezone instead of the default, UTC. The kernel timezone is configured in /etc/config/system. A stop_time of 00:00 that lies before the start_time is fine: the time match wraps around midnight.

To redirect all web traffic (port 80) from the clients to tinyproxy running on the router (whose LAN IP is 172.29.0.1 here):

config redirect
        option name             'redirect 80 to proxy'
        option src              'lan'
        option dest             'wan'
        option src_dport        '80'
        option dest_ip          '172.29.0.1'
        option dest_port        '8888'
        option proto            'tcp'
        option target           'DNAT'

Tinyproxy can then be configured to allow only certain pages: point the Filter option at a file with one pattern per line and set FilterDefaultDeny to Yes, so that everything not listed is blocked. Also make sure tinyproxy listens on the router's LAN address and allows the LAN subnet (Listen and Allow options); a proxy bound to 127.0.0.1 only will refuse the redirected connections. It is not possible to filter HTTPS (SSL) pages this way (as a transparent proxy) without the proxy acting as a man-in-the-middle with its own CA installed on the clients; recompiling the packages with SSL support and some more tinkering is required. Squid can also be used. With the default-deny rule at the end, HTTPS to anything not in the IP whitelist is simply rejected.

For specific services, it is easier to whitelist by IP:

config rule
        option name             'whitelist'
        option src              'lan'
        option dest             'wan'
        option proto            'tcpudp'
        option ipset            'wl'
        option target           'ACCEPT'
        option enabled          '1'

config ipset
        option external         'wl'
        option storage          'hash'
        option match            'dest_net'

This references an ipset containing the IPs (or networks) that traffic may go to. For this to work, /etc/rc.local should contain the following:

# load the ipset for whitelisting
/etc/init.d/firewall stop              # the whitelist rule cannot be installed until the set exists
ipset flush                            # empty all sets ...
ipset destroy                          # ... and delete them, so the restore file can recreate "wl"
ipset restore < /etc/config/ipset.save
/etc/init.d/firewall start             # now the rule referencing "wl" loads

exit 0

This script stops the firewall during startup, loads the list of IPs and restarts the firewall. The stop is only needed because the set has to exist before the rule referring to it can be loaded; note that it leaves the router without its rules for a moment at every boot. The IPs are saved in /etc/config/ipset.save, which could look like:

create wl hash:net family inet hashsize 8192 maxelem 165536
add wl 127.0.0.1
add wl 172.29.0.1
add wl ......

Some companies publish their IP networks for easy addition, e.g. BlackBerry and WhatsApp.
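Whitelists like this tend to grow, and a single malformed line in ipset.save makes ipset restore stop half-way, leaving the set incomplete while the firewall is already stopped. The following POSIX sh script is an added example and not from the original post: it builds the restore file from a readable list and rejects bad entries before anything is written. The list format with "#" comments, the function names, the maxelem of 65536 and the sample addresses (RFC 5737 documentation ranges) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build /etc/config/ipset.save
# for the "wl" whitelist from a readable list of IPv4 addresses/networks.
# Every entry is validated first, because "ipset restore" stops at the first
# malformed line and would leave the whitelist half-loaded.
# Assumptions: the list format (one entry per line, "#" comments), the
# function names, the maxelem of 65536 and the sample addresses are mine.

SET_NAME="wl"

# valid_cidr ENTRY
# Returns 0 if ENTRY is a well-formed IPv4 address (a.b.c.d) or network in
# CIDR notation (a.b.c.d/n with n <= 32), 1 otherwise.
valid_cidr() {
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then
        prefix=32                       # bare address, implicit /32
    else
        prefix=${1#*/}
        case "$prefix" in
            ''|*[!0-9]*) return 1 ;;    # empty or non-numeric prefix ("/24/5", "/x")
        esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # letters, glob characters, stray dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr                        # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_restore < LIST
# Prints the ipset restore commands for the entries read from stdin.
# Blank lines and "#" comments are ignored.  Returns 1 if any entry was
# rejected; rejected lines are reported on stderr and left out.
build_restore() {
    status=0
    printf 'create %s hash:net family inet hashsize 8192 maxelem 65536\n' "$SET_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            printf 'add %s %s\n' "$SET_NAME" "$entry"
        else
            printf 'rejected entry: %s\n' "$line" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed sample list (RFC 5737 documentation addresses, not real services).
SAMPLE_LIST='# networks the filtered clients may reach
127.0.0.1
172.29.0.1            # the router itself
192.0.2.0/24          # some messenger service
198.51.100.0/24
'

# demo: run the sample list through build_restore; stdout gets the restore file
demo() {
    printf '%s' "$SAMPLE_LIST" | build_restore
}

# Usage on the router:
#   sh build_ipset.sh --demo                  # have a look at the output
#   sh build_ipset.sh < whitelist.txt > /etc/config/ipset.save
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Load the result with ipset -exist restore < /etc/config/ipset.save && /etc/init.d/firewall reload rather than the stop/destroy/start sequence: with -exist an existing set is updated in place, the firewall keeps running, and the reload (re)installs the rule that references wl. Entries removed from the list stay in the kernel set until the next reboot, so after deleting something either reboot or flush the set once before restoring.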

The last rule should disallow all traffic (or make that the default behaviour). In /etc/config/firewall the cleanest way is to delete the config forwarding section that connects "lan" to "wan": without it, lan-to-wan traffic that no rule ACCEPTs is rejected by the global forward default, so a forgotten final REJECT rule can no longer open everything.

Remember: when the "client" has physical access to the router, failsafe mode can be used to gain access and change the config, so disable it (note: be careful not to lock yourself out now). The reset button is just as effective for the client, since a factory reset throws away the whole filter configuration, so the router itself belongs out of reach.

How to fix Android Market when installed a .apk via adb

Monday, January 18th, 2016

This post is a draft from back in 2010. It assumes that you own a rooted Android device and just installed a bunch of applications (.apk) via the adb tool. This might be the case if you have a lot of packages (.apk) on your PC and just install them via USB like:

find . -iname "*.apk" -exec adb install '{}' \;

Remember that you will have to download the Android SDK for the adb tool and start the adb server as root before using it (sudo adb start-server), unless you have a udev rule that grants your user access to the phone.

Now the problem: the Android Market doesn't see your installed apps, so it won't look for updates and you can't easily remove/handle them. But there is an easy fix.

The Android Market keeps a list (more specific: a database, sqlite3) in

/data/data/com.android.vending/databases/assets.db

Weird thing: after looking into the database with SQLite Browser, all applications installed via adb were present. The only problem was the "install_time" value of these apps being 0.

So you could either adb pull the assets.db to your PC, edit the values (e.g. to the UNIX timestamp of now), and push it back, or use a script on the phone to do the job for you. Either way, copy the database away first (adb pull) so a mistake can be undone, and look at what the rows installed through the Market contain, so the new value uses the same format (Android usually stores timestamps as milliseconds since the epoch).

For the script you will need root access and a sqlite3 binary on the phone (sqlite3 is not part of BusyBox; just execute "sqlite3" in a phone shell and see if the command is found):

# sqlite3 /data/data/com.android.vending/databases/assets.db
sqlite> -- check the format the Market itself uses before writing anything
sqlite> SELECT install_time FROM ASSETS WHERE install_time <> 0 LIMIT 3;
sqlite> -- CURRENT_TIMESTAMP yields text ('YYYY-MM-DD HH:MM:SS'); if the rows
sqlite> -- above are numbers, use strftime('%s', 'now') * 1000 instead
sqlite> UPDATE ASSETS SET install_time = CURRENT_TIMESTAMP WHERE install_time = 0;
sqlite> .exit
# exit

Odyssey to revive Samsung S3 mini (GT-I8190)

Friday, January 8th, 2016

The Samsung GT-I8190 (S3 mini) is a decent Android phone which has been around for a while. To see whether it can handle a current Android 5.1.1, I wanted to install a custom ROM.

The phone was rooted and had an old version of TWRP installed. Fortunately, there is a big community for the phone, so instructions to root and install a custom recovery are all over the internet.

When holding Volume Up + Home + Power, the phone boots into recovery (Volume Down + Home + Power for download mode). From there I wanted to install SlimLP, when things went wrong.

Suddenly, the recovery could not mount any partitions anymore, the problem is well described over on StackExchange.

Since I had a fairly old version of TWRP installed, ADB was not available directly. Luckily, when switching to "ADB Sideload" under "Advanced" and cancelling that, ADB was possible. From there, I verified the situation was exactly like that on StackExchange linked above. When running fdisk /dev/block/mmcblk0 I could see that no partition information was available (unlike on StackExchange).

Before writing anything to the flash, this is the moment to image the whole eMMC (e.g. dd if=/dev/block/mmcblk0 to an SD card or over adb), so that a wrong step can be undone and the old data is still there to carve from. Next I created a partition spanning the entire internal memory with type "ee" (EFI GPT) while still in fdisk. Note that this only writes a protective MBR of the kind a GPT disk carries, not the GPT itself; the real layout comes back with the PIT file. The commands would be:

- n (new partition)
- p (primary)
- 1 (partition number)
- enter (default first sector)
- enter (default last sector)
- t (change type)
- ee (EFI GPT)
- p (to verify)
- w (to write)

Then I tried to restore the partition information via the PIT file using Heimdall, the open-source alternative to Samsung's Odin software. Odin and the download mode are somewhat similar to what is elsewhere called fastboot. It is a mechanism to restore pretty much everything, so as long as the download mode works, the phone is not bricked.

Unfortunately, even when compiling Heimdall from git (version 1.4.1) and running it as superuser (for USB permissions), it could not write the PIT file; I got:

Uploading PIT
ERROR: Failed to unpack received packet.
ERROR: Failed to unpack received packet.
ERROR: Failed to confirm end of PIT file transfer!
ERROR: Failed to confirm end of PIT file transfer!
ERROR: PIT upload failed!

ERROR: PIT upload failed!

Writing the custom recovery worked with Heimdall, just the PIT upload wouldn't work.

Luckily, I had a Windows machine nearby, where I could run Odin to repartition with the PIT file. I had to use Odin v1.85 because the v3.x versions did not work properly. On Windows, be sure to install the Samsung USB drivers properly!

Back to Heimdall: I first flashed the stock recovery because it would try to set up the partitions again. It booted up but had a problem with the encryption, offering a "system reset", which would loop forever. So I then flashed TWRP 2.8.6.1 (mirror) (note: the partition is not called "recovery" but "Kernel2") via:

heimdall flash --pit i8190_goldenxx.pit --verbose --stdout-errors --Kernel2 ./GT-I8190_TWRP_2.8.6.1/recovery.img

Beware, the GT-I8190 and GT-I8190N models use different PIT files.

After booting back into TWRP 2.8.6.1 (where ADB works right away, by the way) an advanced wipe and "Format Data" brought back the desired partitions (no more errors mounting them).

From there, installing the custom rom was a breeze.